[JSC] sizeof(JSString) should be 16
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] sizeof(JSString) should be 16
4         https://bugs.webkit.org/show_bug.cgi?id=194375
5
6         Reviewed by Saam Barati.
7
8         * microbenchmarks/make-rope.js: Added.
9         (makeRope):
10         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
11         (returnRope.helper): Deleted.
12         (returnRope): Deleted.
13
14 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
15
16         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
17         https://bugs.webkit.org/show_bug.cgi?id=195144
18
19         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
20         Change the number from 1e8 to 1e5.
21
22         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
23         (foo):
24
25 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         Test times out on ARM/MIPS
28         https://bugs.webkit.org/show_bug.cgi?id=195168
29
30         Unreviewed. Skip test on ARM/MIPS.
31
32         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
33
34 2019-02-27  Mark Lam  <mark.lam@apple.com>
35
36         The parser is failing to record the token location of new in new.target.
37         https://bugs.webkit.org/show_bug.cgi?id=195127
38         <rdar://problem/39645578>
39
40         Reviewed by Yusuke Suzuki.
41
42         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
43
44 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
45
46         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
47         https://bugs.webkit.org/show_bug.cgi?id=195144
48         <rdar://problem/47595961>
49
50         Reviewed by Mark Lam.
51
52         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
53         (bar):
54         (foo):
55         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
56         (bar):
57         (foo):
58
59 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
60
61         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
62         https://bugs.webkit.org/show_bug.cgi?id=194677
63         <rdar://problem/48112492>
64
65         Reviewed by Mark Lam.
66
67         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
68         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
69         it immediately fails due the large size.
70
71         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
72         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
73         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
74         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
75
76         This patch changes the test to produce 16bit string from String.fromCharCode.
77
78         * stress/regress-178386.js:
79
80 2019-02-26  Mark Lam  <mark.lam@apple.com>
81
82         wasmToJS() should purify incoming NaNs.
83         https://bugs.webkit.org/show_bug.cgi?id=194807
84         <rdar://problem/48189132>
85
86         Reviewed by Saam Barati.
87
88         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
89
90 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
91
92         [JSC] Repeat string created from Array.prototype.join() take too much memory
93         https://bugs.webkit.org/show_bug.cgi?id=193912
94
95         Reviewed by Saam Barati.
96
97         Added a test and a microbenchmark for corner cases of
98         Array.prototype.join() with an uninitialized array.
99
100         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
101         * stress/array-prototype-join-uninitialized.js: Added.
102         (testArray):
103         (testABC):
104         (B):
105         (C):
106
107 2019-02-22  Robin Morisset  <rmorisset@apple.com>
108
109         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
110         https://bugs.webkit.org/show_bug.cgi?id=194953
111         <rdar://problem/47595253>
112
113         Reviewed by Saam Barati.
114
115         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
116
117         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
118
119 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
120
121         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
122         https://bugs.webkit.org/show_bug.cgi?id=172848
123         <rdar://problem/25709212>
124
125         Reviewed by Mark Lam.
126
127         * typeProfiler/inheritance.js:
128         Rewrite the test slightly for clarity. The hoisting was confusing.
129
130         * heapProfiler/class-names.js: Added.
131         (MyES5Class):
132         (MyES6Class):
133         (MyES6Subclass):
134         Test object types and improved class names.
135
136         * heapProfiler/driver/driver.js:
137         (CheapHeapSnapshotNode):
138         (CheapHeapSnapshot):
139         (createCheapHeapSnapshot):
140         (HeapSnapshot):
141         (createHeapSnapshot):
142         Update snapshot parsing from version 1 to version 2.
143
144 2019-02-19  Truitt Savell  <tsavell@apple.com>
145
146         Unreviewed, rolling out r241784.
147
148         Broke all OpenSource builds.
149
150         Reverted changeset:
151
152         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
153         instances view"
154         https://bugs.webkit.org/show_bug.cgi?id=172848
155         https://trac.webkit.org/changeset/241784
156
157 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
158
159         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
160         https://bugs.webkit.org/show_bug.cgi?id=172848
161         <rdar://problem/25709212>
162
163         Reviewed by Mark Lam.
164
165         * typeProfiler/inheritance.js:
166         Rewrite the test slightly for clarity. The hoisting was confusing.
167
168         * heapProfiler/class-names.js: Added.
169         (MyES5Class):
170         (MyES6Class):
171         (MyES6Subclass):
172         Test object types and improved class names.
173
174         * heapProfiler/driver/driver.js:
175         (CheapHeapSnapshotNode):
176         (CheapHeapSnapshot):
177         (createCheapHeapSnapshot):
178         (HeapSnapshot):
179         (createHeapSnapshot):
180         Update snapshot parsing from version 1 to version 2.
181
182 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
183
184         [ARM] Fix crash with sampling profiler
185         https://bugs.webkit.org/show_bug.cgi?id=194772
186
187         Reviewed by Mark Lam.
188
189         Do not skip test since crash with sampling profiler is now fixed.
190
191         * stress/sampling-profiler-richards.js:
192
193 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
194
195         [JSC] Add LazyClassStructure::getInitializedOnMainThread
196         https://bugs.webkit.org/show_bug.cgi?id=194784
197         <rdar://problem/48154820>
198
199         Reviewed by Mark Lam.
200
201         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
202         (getProperties):
203         (getRandomProperty):
204         (i.catch):
205
206 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
207
208         [ARM] Test gardening: Test running out of executable memory
209         https://bugs.webkit.org/show_bug.cgi?id=194771
210
211         Unreviewed. Do not run test without LLInt, test is running out of executable
212         memory on ARM otherwise.
213
214         * stress/tagged-template-object-collect.js:
215
216 2019-02-18  Tomas Popela  <tpopela@redhat.com>
217
218         Unreviewed, skip the test on platforms without sampling profiler
219
220         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
221         (platformSupportsSamplingProfiler.foo):
222         (platformSupportsSamplingProfiler.test):
223         (platformSupportsSamplingProfiler):
224         (foo): Deleted.
225         (test): Deleted.
226
227 2019-02-17  Saam Barati  <sbarati@apple.com>
228
229         Deadlock when adding a Structure property transition and then doing incremental marking
230         https://bugs.webkit.org/show_bug.cgi?id=194767
231
232         Reviewed by Mark Lam.
233
234         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
235
236 2019-02-15  Michael Saboff  <msaboff@apple.com>
237
238         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
239         https://bugs.webkit.org/show_bug.cgi?id=194558
240
241         Reviewed by Saam Barati.
242
243         New regression test.
244
245         * stress/regexp-unicode-within-string.js: Added.
246
247 2019-02-15  Mark Lam  <mark.lam@apple.com>
248
249         SamplingProfiler::stackTracesAsJSON() should escape strings.
250         https://bugs.webkit.org/show_bug.cgi?id=194649
251         <rdar://problem/48072386>
252
253         Reviewed by Saam Barati.
254
255         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
256         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
257         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
258         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
259
260 2019-02-15  Robin Morisset  <rmorisset@apple.com>
261         CodeBlock::jettison should clear related watchpoints
262         https://bugs.webkit.org/show_bug.cgi?id=194544
263
264         Reviewed by Mark Lam.
265
266         * stress/regexp-replace-double-watchpoint.js: Added.
267         (foo):
268
269 2019-02-15  Saam barati  <sbarati@apple.com>
270
271         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
272         https://bugs.webkit.org/show_bug.cgi?id=194036
273
274         Reviewed by Yusuke Suzuki.
275
276         * stress/tail-call-many-arguments.js: Added.
277         (foo):
278         (bar):
279
280 2019-02-14  Saam Barati  <sbarati@apple.com>
281
282         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
283         https://bugs.webkit.org/show_bug.cgi?id=194583
284         <rdar://problem/48028140>
285
286         Reviewed by Yusuke Suzuki.
287
288         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
289
290 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
291
292         [JSC] String.fromCharCode's slow path always generates 16bit string
293         https://bugs.webkit.org/show_bug.cgi?id=194466
294
295         Reviewed by Keith Miller.
296
297         * stress/string-from-char-code-slow-path.js: Added.
298         (shouldBe):
299         (testWithLength):
300
301 2019-02-08  Saam barati  <sbarati@apple.com>
302
303         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
304         https://bugs.webkit.org/show_bug.cgi?id=194334
305         <rdar://problem/47844327>
306
307         Reviewed by Mark Lam.
308
309         * stress/check-in-bounds-should-be-a-child-use.js: Added.
310         (func):
311
312 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
313
314         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
315         https://bugs.webkit.org/show_bug.cgi?id=194369
316         <rdar://problem/47813087>
317
318         Reviewed by Saam Barati.
319
320         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
321         (A):
322
323 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
324
325         [JSC] PrivateName to PublicName hash table is wasteful
326         https://bugs.webkit.org/show_bug.cgi?id=194277
327
328         Reviewed by Michael Saboff.
329
330         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
331
332         * ChakraCore.yaml:
333
334 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
335
336         [ARM] Test running out of executable memory
337         https://bugs.webkit.org/show_bug.cgi?id=194285
338
339         Unreviewed. Do no execute test with LLInt disabled, test runs out of
340         executable memory otherwise.
341
342         * stress/class-subclassing-function.js:
343
344 2019-02-04  Robin Morisset  <rmorisset@apple.com>
345
346         when lowering AssertNotEmpty, create the value before creating the patchpoint
347         https://bugs.webkit.org/show_bug.cgi?id=194231
348
349         Reviewed by Saam Barati.
350
351         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
352         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
353         So even tiny changes to this test can change the path code taken.
354
355         * stress/assert-not-empty.js: Added.
356         (foo):
357
358 2019-02-01  Mark Lam  <mark.lam@apple.com>
359
360         Remove invalid assertion in DFG's compileDoubleRep().
361         https://bugs.webkit.org/show_bug.cgi?id=194130
362         <rdar://problem/47699474>
363
364         Reviewed by Saam Barati.
365
366         * stress/constant-fold-double-rep-into-double-constant.js: Added.
367
368 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
369
370         Import latest Test262 updates.
371
372         Rubber-stamped by Keith Miller.
373
374         * test262.yaml: Deleted.
375         * test262/config.yaml:
376         * test262/expectations.yaml:
377         * test262/latest-changes-summary.txt:
378         * test262/test/:
379         * test262/test262-Revision.txt:
380
381 2019-01-30  Robin Morisset  <rmorisset@apple.com>
382
383         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
384         https://bugs.webkit.org/show_bug.cgi?id=194050
385         <rdar://problem/47595592>
386
387         Reviewed by Yusuke Suzuki.
388
389         * stress/object-keys-osr-exit.js: Added.
390         (foo):
391         (catch):
392
393 2019-01-29  Mark Lam  <mark.lam@apple.com>
394
395         ValueRecovery::recover() should purify NaN values it recovers.
396         https://bugs.webkit.org/show_bug.cgi?id=193978
397         <rdar://problem/47625488>
398
399         Reviewed by Saam Barati.
400
401         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
402
403 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
404
405         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
406         https://bugs.webkit.org/show_bug.cgi?id=193713
407
408         * stress/try-get-by-id-should-spill-registers-dfg.js:
409         (let.f.createBuiltin):
410
411 2019-01-28  Mark Lam  <mark.lam@apple.com>
412
413         ToString node actually does GC.
414         https://bugs.webkit.org/show_bug.cgi?id=193920
415         <rdar://problem/46695900>
416
417         Reviewed by Yusuke Suzuki.
418
419         * stress/dfg-to-string-on-int-does-gc.js: Added.
420         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
421         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
422
423 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
424
425         [JSC] NativeErrorConstructor should not have own IsoSubspace
426         https://bugs.webkit.org/show_bug.cgi?id=193713
427
428         Reviewed by Saam Barati.
429
430         Remove @Error use.
431
432         * stress/try-get-by-id-should-spill-registers-dfg.js:
433         (let.f.createBuiltin):
434
435 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
436
437         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
438         https://bugs.webkit.org/show_bug.cgi?id=190693
439
440         Reviewed by Michael Saboff.
441
442         * stress/regress-190693.js: Added.
443         (truth):
444         (assert):
445         (shouldThrowInvalidConstAssignment):
446         (taz):
447
448 2019-01-24  Saam Barati  <sbarati@apple.com>
449
450         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
451         https://bugs.webkit.org/show_bug.cgi?id=193751
452         <rdar://problem/47280215>
453
454         Reviewed by Michael Saboff.
455
456         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
457         (let.thing):
458         (foo.let.hello):
459         (foo):
460
461 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
462
463         [JSC] Reenable baseline JIT on mips
464         https://bugs.webkit.org/show_bug.cgi?id=192983
465
466         Reviewed by Mark Lam.
467
468         Added a new test for a case that was triggering a RELEASE_ASSERT when
469         testing.
470         Disable some slow tests that were already disabled for arm and x86.
471
472         * stress/json-parse-big-object.js: Added.
473         * stress/new-largeish-contiguous-array-with-size.js:
474         * stress/op_add.js:
475         * stress/op_bitand.js:
476         * stress/op_bitor.js:
477         * stress/op_bitxor.js:
478         * stress/op_lshift-ConstVar.js:
479         * stress/op_lshift-VarConst.js:
480         * stress/op_lshift-VarVar.js:
481         * stress/op_mod-ConstVar.js:
482         * stress/op_mod-VarConst.js:
483         * stress/op_mod-VarVar.js:
484         * stress/op_mul-ConstVar.js:
485         * stress/op_mul-VarConst.js:
486         * stress/op_mul-VarVar.js:
487         * stress/op_rshift-ConstVar.js:
488         * stress/op_rshift-VarConst.js:
489         * stress/op_rshift-VarVar.js:
490         * stress/op_sub-ConstVar.js:
491         * stress/op_sub-VarConst.js:
492         * stress/op_sub-VarVar.js:
493         * stress/op_urshift-ConstVar.js:
494         * stress/op_urshift-VarConst.js:
495         * stress/op_urshift-VarVar.js:
496         * stress/sampling-profiler-richards.js:
497         * stress/spread-forward-call-varargs-stack-overflow.js:
498
499 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
500
501         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
502         https://bugs.webkit.org/show_bug.cgi?id=193711
503         <rdar://problem/47250262>
504
505         Reviewed by Saam Barati.
506
507         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
508         (shouldBe):
509         (foo):
510         (bar):
511         (baz):
512
513 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
514
515         Unreviewed, fix initial global lexical binding epoch
516         https://bugs.webkit.org/show_bug.cgi?id=193603
517         <rdar://problem/47380869>
518
519         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
520         (f1.f2.f3.f4):
521         (f1.f2.f3):
522         (f1.f2):
523         (f1):
524
525 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
526
527         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
528         https://bugs.webkit.org/show_bug.cgi?id=193709
529         <rdar://problem/47363838>
530
531         Unreviewed, rollout to watch the tests.
532
533         * stress/object-tostring-changed-proto.js: Removed.
534         * stress/object-tostring-changed.js: Removed.
535         * stress/object-tostring-misc.js: Removed.
536         * stress/object-tostring-other.js: Removed.
537         * stress/object-tostring-untyped.js: Removed.
538
539 2019-01-22  Saam Barati  <sbarati@apple.com>
540
541         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
542
543         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
544         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
545         (testUncheckedLessThanZero):
546         (testUncheckedLessThanOrEqualZero):
547         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
548         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
549
550 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
551
552         [JSC] Invalidate old scope operations using global lexical binding epoch
553         https://bugs.webkit.org/show_bug.cgi?id=193603
554         <rdar://problem/47380869>
555
556         Reviewed by Saam Barati.
557
558         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
559         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
560         (shouldThrow):
561         (bar):
562         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
563         (shouldBe):
564         (get1):
565         (get2):
566         (get1If):
567         (get2If):
568         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
569         (shouldThrow):
570         (foo):
571
572 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
573
574         Unreviewed, roll out r240220 due to date-format-xparb regression
575         https://bugs.webkit.org/show_bug.cgi?id=193603
576
577         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
578         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
579         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
580         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
581
582 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
583
584         DoesGC rule is wrong for nodes with BigIntUse
585         https://bugs.webkit.org/show_bug.cgi?id=193652
586
587         Reviewed by Saam Barati.
588
589         * stress/big-int-value-op-update-gc-rules.js: Added.
590         (assert):
591         (doesGCAdd):
592         (doesGCSub):
593         (doesGCDiv):
594         (doesGCMul):
595         (doesGCBitAnd):
596         (doesGCBitOr):
597         (doesGCBitXor):
598
599 2019-01-20  Saam Barati  <sbarati@apple.com>
600
601         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
602         https://bugs.webkit.org/show_bug.cgi?id=193644
603         <rdar://problem/46209745>
604
605         Reviewed by Yusuke Suzuki.
606
607         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
608         (foo):
609         * stress/data-view-set-intrinsic-undefined-result.js: Added.
610         (foo):
611         (bar):
612
613 2019-01-20  Saam Barati  <sbarati@apple.com>
614
615         MovHint must merge NodeBytecodeUsesAsValue for its child
616         https://bugs.webkit.org/show_bug.cgi?id=186916
617         <rdar://problem/41396612>
618
619         Reviewed by Yusuke Suzuki.
620
621         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
622         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
623
624 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
625
626         [JSC] Invalidate old scope operations using global lexical binding epoch
627         https://bugs.webkit.org/show_bug.cgi?id=193603
628         <rdar://problem/47380869>
629
630         Reviewed by Saam Barati.
631
632         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
633         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
634         (shouldThrow):
635         (bar):
636         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
637         (shouldBe):
638         (get1):
639         (get2):
640         (get1If):
641         (get2If):
642         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
643         (shouldThrow):
644         (foo):
645
646 2019-01-17  Saam barati  <sbarati@apple.com>
647
648         StringObjectUse should not be a structure check for the original string object structure
649         https://bugs.webkit.org/show_bug.cgi?id=193483
650         <rdar://problem/47280522>
651
652         Reviewed by Yusuke Suzuki.
653
654         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
655         (foo):
656         (a.valueOf.0):
657
658 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
659
660         [JSC] ToThis omission in DFGByteCodeParser is wrong
661         https://bugs.webkit.org/show_bug.cgi?id=193513
662         <rdar://problem/45842236>
663
664         Reviewed by Saam Barati.
665
666         * stress/to-this-omission-with-different-strict-modes.js: Added.
667         (thisA):
668         (thisAStrictWrapper):
669
670 2019-01-15  Mark Lam  <mark.lam@apple.com>
671
672         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
673         https://bugs.webkit.org/show_bug.cgi?id=193423
674         <rdar://problem/46209355>
675
676         Reviewed by Saam Barati.
677
678         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
679         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
680         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
681         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
682
683 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
684
685         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
686         https://bugs.webkit.org/show_bug.cgi?id=193438
687         <rdar://problem/45581249>
688
689         Reviewed by Saam Barati and Keith Miller.
690
691         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
692         Then, GetByVal(String) crashed.
693
694         * stress/string-get-by-val-lowering.js: Added.
695         (shouldBe):
696         (test):
697         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
698         (Hello):
699         (foo):
700
701 2019-01-15  Tomas Popela  <tpopela@redhat.com>
702
703         Unreviewed, skip JIT tests if it's not enabled
704
705         * stress/bit-op-with-object-returning-int32.js:
706
707 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
708
709         DFGByteCodeParser rules for bitwise operations should consider type of their operands
710         https://bugs.webkit.org/show_bug.cgi?id=192966
711
712         Reviewed by Yusuke Suzuki.
713
714         * stress/bit-op-with-object-returning-int32.js: Added.
715
716 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
717
718         Skip a slow test and a flakey test on arm
719
720         Unreviewed gardening.
721
722         * typeProfiler/getter-richards.js:
723         this test always times out, it used to be always skipped on arm and
724         mips, but got accidentally enabled by r237919 now that we have DFG on
725         arm. Also skipping on mips as we plan to soon enable DFG for it too.
726
727 2019-01-14  Keith Miller  <keith_miller@apple.com>
728
729         Skip type-check-hoisting-phase-hoist... with no jit
730         https://bugs.webkit.org/show_bug.cgi?id=193421
731
732         Reviewed by Mark Lam.
733
734         It's timing out the 32-bit bots and takes 330 seconds
735         on my machine when run by itself.
736
737         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
738
739 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
740
741         [JSC] AI should check the given constant's array type when folding GetByVal into constant
742         https://bugs.webkit.org/show_bug.cgi?id=193413
743         <rdar://problem/46092389>
744
745         Reviewed by Keith Miller.
746
747         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
748         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
749         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
750         but GetByVal does not have appropriate ArrayModes, JSC crashes.
751
752         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
753         (compareArray):
754
755 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
756
757         [BigInt] Literal parsing is crashing when used inside a Object Literal
758         https://bugs.webkit.org/show_bug.cgi?id=193404
759
760         Reviewed by Yusuke Suzuki.
761
762         * stress/big-int-literal-inside-literal-object.js: Added.
763
764 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
765
766         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
767         https://bugs.webkit.org/show_bug.cgi?id=193372
768
769         Reviewed by Saam Barati.
770
771         * stress/typed-array-array-modes-profile.js: Added.
772         (foo):
773
774 2019-01-14  Mark Lam  <mark.lam@apple.com>
775
776         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
777         https://bugs.webkit.org/show_bug.cgi?id=193402
778         <rdar://problem/46012309>
779
780         Reviewed by Keith Miller.
781
782         * stress/regexp-compile-oom.js:
783         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
784           is enabled.  As a result, it will fail on cloop builds though there is no bug.
785
786 2019-01-11  Saam barati  <sbarati@apple.com>
787
788         DFG combined liveness can be wrong for terminal basic blocks
789         https://bugs.webkit.org/show_bug.cgi?id=193304
790         <rdar://problem/45268632>
791
792         Reviewed by Yusuke Suzuki.
793
794         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
795
796 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
797
798         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
799         https://bugs.webkit.org/show_bug.cgi?id=193308
800         <rdar://problem/45546542>
801
802         Reviewed by Saam Barati.
803
804         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
805         (shouldThrow):
806         (shouldBe):
807         (foo):
808         (get shouldThrow):
809         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
810         (shouldThrow):
811         (shouldBe):
812         (foo):
813         (get shouldBe):
814         (get shouldThrow):
815         (get return):
816         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
817         (shouldThrow):
818         (shouldBe):
819         (foo):
820         (get shouldBe):
821         (get shouldThrow):
822         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
823         (shouldThrow):
824         (shouldBe):
825         (foo):
826         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
827         (shouldThrow):
828         (shouldBe):
829         (foo):
830         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
831         (shouldThrow):
832         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
833         (shouldThrow):
834         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
835         (shouldThrow):
836         (shouldBe):
837         (foo):
838         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
839         (shouldThrow):
840         (shouldBe):
841         (foo):
842         (get shouldBe):
843         (get shouldThrow):
844         (get return):
845         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
846         (shouldThrow):
847         (shouldBe):
848         (foo):
849         (get shouldBe):
850         (get shouldThrow):
851         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
852         (shouldThrow):
853         (shouldBe):
854         (foo):
855         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
856         (shouldThrow):
857         (shouldBe):
858         (foo):
859
860 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
861
862         Enable DFG on ARM/Linux again
863         https://bugs.webkit.org/show_bug.cgi?id=192496
864
865         Reviewed by Yusuke Suzuki.
866
867         Test wasn't really skipped before moving the line with skip
868         to the top.
869
870         * stress/regress-192717.js:
871
872 2019-01-10  Commit Queue  <commit-queue@webkit.org>
873
874         Unreviewed, rolling out r239825.
875         https://bugs.webkit.org/show_bug.cgi?id=193330
876
877         Broke tests on armv7/linux bots (Requested by guijemont on
878         #webkit).
879
880         Reverted changeset:
881
882         "Enable DFG on ARM/Linux again"
883         https://bugs.webkit.org/show_bug.cgi?id=192496
884         https://trac.webkit.org/changeset/239825
885
886 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
887
888         Enable DFG on ARM/Linux again
889         https://bugs.webkit.org/show_bug.cgi?id=192496
890
891         Reviewed by Yusuke Suzuki.
892
893         Test wasn't really skipped before moving the line with skip
894         to the top.
895
896         * stress/regress-192717.js:
897
898 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
899
900         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
901         https://bugs.webkit.org/show_bug.cgi?id=193127
902
903         Reviewed by Saam Barati.
904
905         * stress/array-species-create-should-handle-masquerader.js: Added.
906         (shouldThrow):
907         * stress/is-undefined-or-null-builtin.js: Added.
908         (shouldBe):
909         (isUndefinedOrNull.vm.createBuiltin):
910
911 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
912
913         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
914         https://bugs.webkit.org/show_bug.cgi?id=193221
915
916         Reviewed by Mark Lam.
917
918         * stress/put-by-id-flags.js: Added.
919         (f):
920         (g):
921         (numberOfDFGCompiles):
922
923 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
924
925         Baseline version of get_by_id may corrupt metadata
926         https://bugs.webkit.org/show_bug.cgi?id=193085
927         <rdar://problem/23453006>
928
929         Reviewed by Saam Barati.
930
931         * stress/get-by-id-change-mode.js: Added.
932         (forEach):
933
934 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
935
936         [JSC] Optimize Object.prototype.toString
937         https://bugs.webkit.org/show_bug.cgi?id=193031
938
939         Reviewed by Saam Barati.
940
941         * stress/object-tostring-changed-proto.js: Added.
942         (shouldBe):
943         (test):
944         * stress/object-tostring-changed.js: Added.
945         (shouldBe):
946         (test):
947         * stress/object-tostring-misc.js: Added.
948         (shouldBe):
949         (test):
950         (i.switch):
951         * stress/object-tostring-other.js: Added.
952         (shouldBe):
953         (test):
954         * stress/object-tostring-untyped.js: Added.
955         (shouldBe):
956         (test):
957         (i.switch):
958
959 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
960
961         test262-runner misbehaves when test file YAML has a trailing space
962         https://bugs.webkit.org/show_bug.cgi?id=193053
963
964         Reviewed by Yusuke Suzuki.
965
966         * test262/expectations.yaml:
967         Mark two dozen tests as passing (and correct the output of another).
968
969 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
970
971         Unreviewed, JSTests gardening with memoryLimited
972
973         * stress/string-overflow-createError.js:
974
975 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
976
977         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
978         https://bugs.webkit.org/show_bug.cgi?id=193050
979
980         Reviewed by Yusuke Suzuki.
981
982         * test262.yaml:
983         * test262/expectations.yaml:
984         Mark 16 tests as passing.
985
986 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
987
988         [BigInt] Support BigInt in JSON.stringify
989         https://bugs.webkit.org/show_bug.cgi?id=192624
990
991         Reviewed by Saam Barati.
992
993         * stress/big-int-json-stringify-to-json.js: Added.
994         (shouldBe):
995         (shouldThrow):
996         (BigInt.prototype.toJSON):
997         (shouldBe.JSON.stringify):
998         * stress/big-int-json-stringify.js: Added.
999         (shouldBe):
1000         (shouldThrow):
1001
1002 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1003
1004         [JSC] Implement "well-formed JSON.stringify" proposal
1005         https://bugs.webkit.org/show_bug.cgi?id=191677
1006
1007         Reviewed by Darin Adler.
1008
1009         * stress/json-surrogate-pair.js: Added.
1010         (shouldBe):
1011         * test262/expectations.yaml:
1012
1013 2018-12-20  Keith Miller  <keith_miller@apple.com>
1014
1015         Add support for globalThis
1016         https://bugs.webkit.org/show_bug.cgi?id=165171
1017
1018         Reviewed by Mark Lam.
1019
1020         * test262/config.yaml:
1021
1022 2018-12-19  Keith Miller  <keith_miller@apple.com>
1023
1024         Update test262 configuration to not run tests dependent on ICU version.
1025         https://bugs.webkit.org/show_bug.cgi?id=192920
1026
1027         Reviewed by Saam Barati.
1028
1029         * test262/expectations.yaml:
1030
1031 2018-12-20  Mark Lam  <mark.lam@apple.com>
1032
1033         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1034         https://bugs.webkit.org/show_bug.cgi?id=192939
1035         <rdar://problem/46869516>
1036
1037         Reviewed by Keith Miller.
1038
1039         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1040
1041 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1042
1043         WTF::String and StringImpl overflow MaxLength
1044         https://bugs.webkit.org/show_bug.cgi?id=192853
1045         <rdar://problem/45726906>
1046
1047         Reviewed by Mark Lam.
1048
1049         * stress/string-16bit-repeat-overflow.js: Added.
1050         (catch):
1051
1052 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1053
1054         Unreviewed follow-up to r192914.
1055
1056         * test262/expectations.yaml:
1057         Add the last 20 missing expectations.
1058
1059 2018-12-19  Keith Miller  <keith_miller@apple.com>
1060
1061         Fix test262 expectations
1062         https://bugs.webkit.org/show_bug.cgi?id=192914
1063
1064         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1065
1066         * test262/expectations.yaml:
1067
1068 2018-12-19  Keith Miller  <keith_miller@apple.com>
1069
1070         Update test262 tests.
1071         https://bugs.webkit.org/show_bug.cgi?id=192907
1072
1073         Rubber stamped by Mark Lam.
1074
1075         * test262/*: Omitted because prepare-changelog crashes.
1076
1077 2018-12-19  Mark Lam  <mark.lam@apple.com>
1078
1079         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1080         https://bugs.webkit.org/show_bug.cgi?id=192464
1081         <rdar://problem/46519455>
1082
1083         Reviewed by Saam Barati.
1084
1085         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1086         microbenchmark.
1087
1088         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1089         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1090
1091 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1092
1093         String overflow in JSC::createError results in ASSERT in WTF::makeString
1094         https://bugs.webkit.org/show_bug.cgi?id=192833
1095         <rdar://problem/45706868>
1096
1097         Reviewed by Mark Lam.
1098
1099         * stress/string-overflow-createError.js: Added.
1100
1101 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1102
1103         Error message for `-x ** y` contains a typo.
1104         https://bugs.webkit.org/show_bug.cgi?id=192832
1105
1106         Reviewed by Saam Barati.
1107
1108         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1109         (assert.assert.return.throws):
1110         * stress/pow-expects-update-expression-on-lhs.js:
1111         (throw.new.Error):
1112         Update test expectations which match against the exact error message.
1113
1114 2018-12-18  Mark Lam  <mark.lam@apple.com>
1115
1116         Gardening: test options fix.
1117         https://bugs.webkit.org/show_bug.cgi?id=192822
1118
1119         Unreviewed.
1120
1121         * stress/json-stringify-string-builder-overflow.js:
1122
1123 2018-12-18  Mark Lam  <mark.lam@apple.com>
1124
1125         JSON.stringify() should throw OOM on StringBuilder overflows.
1126         https://bugs.webkit.org/show_bug.cgi?id=192822
1127         <rdar://problem/46670577>
1128
1129         Reviewed by Saam Barati.
1130
1131         * stress/json-stringify-string-builder-overflow.js: Added.
1132
1133 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1134
1135         Redeclaration of var over let/const/class should be a syntax error.
1136         https://bugs.webkit.org/show_bug.cgi?id=192298
1137
1138         Reviewed by Keith Miller.
1139
1140         * test262.yaml:
1141         * test262/expectations.yaml:
1142         Mark 46 tests as passing.
1143
1144         * stress/block-scope-redeclarations.js:
1145         Add some new tests.
1146
1147         * stress/for-in-invalidate-context-weird-assignments.js:
1148         * stress/for-in-tests.js:
1149         Replace tests for outdated behavior with tests for SyntaxError.
1150
1151         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1152         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1153         Update expectations.
1154
1155 2018-12-18  Mark Lam  <mark.lam@apple.com>
1156
1157         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1158         https://bugs.webkit.org/show_bug.cgi?id=191374
1159         <rdar://problem/46525447>
1160
1161         Reviewed by Yusuke Suzuki.
1162
1163         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1164
1165         * stress/elidable-new-object-roflcopter-then-exit.js:
1166
1167 2018-12-17  Mark Lam  <mark.lam@apple.com>
1168
1169         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1170         https://bugs.webkit.org/show_bug.cgi?id=192019
1171         <rdar://problem/46525456>
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         The test runs too slow on 32-bit.
1176
1177         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1178
1179 2018-12-17  Mark Lam  <mark.lam@apple.com>
1180
1181         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1182         https://bugs.webkit.org/show_bug.cgi?id=191373
1183         <rdar://problem/46525458>
1184
1185         Reviewed by Yusuke Suzuki.
1186
1187         The test is already slow running with a JIT on 64-bit.  It will always timeout
1188         on 32-bit without a JIT.
1189
1190         * stress/materialize-regexp-cyclic-regexp.js:
1191
1192 2018-12-17  Mark Lam  <mark.lam@apple.com>
1193
1194         Array unshift/shift should not race against the AI in the compiler thread.
1195         https://bugs.webkit.org/show_bug.cgi?id=192795
1196         <rdar://problem/46724263>
1197
1198         Reviewed by Saam Barati.
1199
1200         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1201
1202 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1203
1204         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1205         https://bugs.webkit.org/show_bug.cgi?id=190047
1206
1207         Reviewed by Saam Barati.
1208
1209         * stress/object-keys-cached-zero.js: Added.
1210         (shouldBe):
1211         (test):
1212         * stress/object-keys-changed-attribute.js: Added.
1213         (shouldBe):
1214         (test):
1215         * stress/object-keys-changed-index.js: Added.
1216         (shouldBe):
1217         (test):
1218         * stress/object-keys-changed.js: Added.
1219         (shouldBe):
1220         (test):
1221         * stress/object-keys-indexed-non-cache.js: Added.
1222         (shouldBe):
1223         (test):
1224         * stress/object-keys-overrides-get-property-names.js: Added.
1225         (shouldBe):
1226         (test):
1227         (noInline):
1228
1229 2018-12-17  Mark Lam  <mark.lam@apple.com>
1230
1231         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1232         https://bugs.webkit.org/show_bug.cgi?id=192779
1233         <rdar://problem/46775869>
1234
1235         Reviewed by Saam Barati.
1236
1237         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1238
1239 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1240
1241         Unreviewed test gardening, address a syntax error in a new test.
1242
1243         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1244
1245 2018-12-17  Mark Lam  <mark.lam@apple.com>
1246
1247         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1248         https://bugs.webkit.org/show_bug.cgi?id=192776
1249         <rdar://problem/46772368>
1250
1251         Reviewed by Keith Miller.
1252
1253         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1254
1255 2018-12-17  Mark Lam  <mark.lam@apple.com>
1256
1257         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1258         https://bugs.webkit.org/show_bug.cgi?id=192770
1259         <rdar://problem/46449037>
1260
1261         Reviewed by Keith Miller.
1262
1263         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1264
1265 2018-12-14  Mark Lam  <mark.lam@apple.com>
1266
1267         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1268         https://bugs.webkit.org/show_bug.cgi?id=192717
1269         <rdar://problem/46660677>
1270
1271         Reviewed by Saam Barati.
1272
1273         * stress/regress-192717.js: Added.
1274
1275 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1276
1277         Unreviewed, rolling out r239153, r239154, and r239155.
1278         https://bugs.webkit.org/show_bug.cgi?id=192715
1279
1280         Caused flaky GC-related crashes seen with layout tests
1281         (Requested by ryanhaddad on #webkit).
1282
1283         Reverted changesets:
1284
1285         "[JSC] Optimize Object.keys by caching own keys results in
1286         StructureRareData"
1287         https://bugs.webkit.org/show_bug.cgi?id=190047
1288         https://trac.webkit.org/changeset/239153
1289
1290         "Unreviewed, build fix after r239153"
1291         https://bugs.webkit.org/show_bug.cgi?id=190047
1292         https://trac.webkit.org/changeset/239154
1293
1294         "Unreviewed, build fix after r239153, part 2"
1295         https://bugs.webkit.org/show_bug.cgi?id=190047
1296         https://trac.webkit.org/changeset/239155
1297
1298 2018-12-14  Keith Miller  <keith_miller@apple.com>
1299
1300         Callers of JSString::getIndex should check for OOM exceptions
1301         https://bugs.webkit.org/show_bug.cgi?id=192709
1302
1303         Reviewed by Mark Lam.
1304
1305         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1306
1307 2018-12-13  Mark Lam  <mark.lam@apple.com>
1308
1309         Add a missing exception check.
1310         https://bugs.webkit.org/show_bug.cgi?id=192626
1311         <rdar://problem/46662163>
1312
1313         Reviewed by Keith Miller.
1314
1315         * stress/regress-192626.js: Added.
1316
1317 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1318
1319         [BigInt] Add ValueDiv into DFG
1320         https://bugs.webkit.org/show_bug.cgi?id=186178
1321
1322         Reviewed by Yusuke Suzuki.
1323
1324         * stress/big-int-div-jit-osr.js: Added.
1325         * stress/big-int-div-jit-untyped.js: Added.
1326         * stress/value-div-fixup-int32-big-int.js: Added.
1327
1328 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1329
1330         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1331         https://bugs.webkit.org/show_bug.cgi?id=190047
1332
1333         Reviewed by Keith Miller.
1334
1335         * stress/object-keys-cached-zero.js: Added.
1336         (shouldBe):
1337         (test):
1338         * stress/object-keys-changed-attribute.js: Added.
1339         (shouldBe):
1340         (test):
1341         * stress/object-keys-changed-index.js: Added.
1342         (shouldBe):
1343         (test):
1344         * stress/object-keys-changed.js: Added.
1345         (shouldBe):
1346         (test):
1347         * stress/object-keys-indexed-non-cache.js: Added.
1348         (shouldBe):
1349         (test):
1350         * stress/object-keys-overrides-get-property-names.js: Added.
1351         (shouldBe):
1352         (test):
1353         (noInline):
1354
1355 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1356
1357         [DFG][FTL] Add NewSymbol
1358         https://bugs.webkit.org/show_bug.cgi?id=192620
1359
1360         Reviewed by Saam Barati.
1361
1362         * microbenchmarks/symbol-creation.js: Added.
1363         (test):
1364         * stress/symbol-description-identity.js: Added.
1365         (shouldBe):
1366         (test):
1367         * stress/symbol-identity.js: Added.
1368         (shouldBe):
1369         (test):
1370         * stress/symbol-with-description-throw-error.js: Added.
1371         (shouldBe):
1372         (shouldThrow):
1373         (test):
1374         (object.toString):
1375
1376 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1377
1378         [BigInt] Implement DFG/FTL typeof for BigInt
1379         https://bugs.webkit.org/show_bug.cgi?id=192619
1380
1381         Reviewed by Keith Miller.
1382
1383         * stress/big-int-boolean-proven-type.js: Added.
1384         (assert):
1385         (bool):
1386         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1387         (assert):
1388         (typeOf):
1389         (i.switch):
1390         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1391         (assert):
1392         (typeOf):
1393         * stress/big-int-type-of.js:
1394         (typeOf):
1395         (func):
1396
1397 2018-12-10  Mark Lam  <mark.lam@apple.com>
1398
1399         PropertyAttribute needs a CustomValue bit.
1400         https://bugs.webkit.org/show_bug.cgi?id=191993
1401         <rdar://problem/46264467>
1402
1403         Reviewed by Saam Barati.
1404
1405         * stress/regress-191993.js: Added.
1406
1407 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1408
1409         [BigInt] Add ValueMul into DFG
1410         https://bugs.webkit.org/show_bug.cgi?id=186175
1411
1412         Reviewed by Yusuke Suzuki.
1413
1414         * stress/big-int-mul-jit-osr.js: Added.
1415         * stress/big-int-mul-jit-untyped.js: Added.
1416         * stress/value-mul-fixup-int32-big-int.js: Added.
1417
1418 2018-12-06  Keith Miller  <keith_miller@apple.com>
1419
1420         stress/big-wasm-memory tests failing on 32-bit JSC bot
1421         https://bugs.webkit.org/show_bug.cgi?id=192020
1422
1423         Reviewed by Saam Barati.
1424
1425         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1426         the wasm stress tests if the WebAssembly object does not exist.
1427
1428         * stress/big-wasm-memory-grow-no-max.js:
1429         (test.foo):
1430         (test):
1431         (foo): Deleted.
1432         (catch): Deleted.
1433         * stress/big-wasm-memory-grow.js:
1434         (test.foo):
1435         (test):
1436         (foo): Deleted.
1437         (catch): Deleted.
1438         * stress/big-wasm-memory.js:
1439         (test.foo):
1440         (test):
1441         (foo): Deleted.
1442         (catch): Deleted.
1443
1444 2018-12-05  Mark Lam  <mark.lam@apple.com>
1445
1446         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1447         https://bugs.webkit.org/show_bug.cgi?id=192441
1448         <rdar://problem/46480355>
1449
1450         Reviewed by Saam Barati.
1451
1452         * stress/regress-192441.js: Added.
1453
1454 2018-12-04  Mark Lam  <mark.lam@apple.com>
1455
1456         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1457         https://bugs.webkit.org/show_bug.cgi?id=192386
1458         <rdar://problem/46445516>
1459
1460         Reviewed by Saam Barati.
1461
1462         * stress/regress-192386.js: Added.
1463
1464 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1465
1466         [ESNext][BigInt] Support logic operations
1467         https://bugs.webkit.org/show_bug.cgi?id=179903
1468
1469         Reviewed by Yusuke Suzuki.
1470
1471         * stress/big-int-branch-usage.js: Added.
1472         * stress/big-int-logical-and.js: Added.
1473         * stress/big-int-logical-not.js: Added.
1474         * stress/big-int-logical-or.js: Added.
1475
1476 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1477
1478         Unreviewed, rolling out r238833.
1479
1480         Breaks macOS and iOS debug builds.
1481
1482         Reverted changeset:
1483
1484         "[ESNext][BigInt] Support logic operations"
1485         https://bugs.webkit.org/show_bug.cgi?id=179903
1486         https://trac.webkit.org/changeset/238833
1487
1488 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1489
1490         [ESNext][BigInt] Support logic operations
1491         https://bugs.webkit.org/show_bug.cgi?id=179903
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         * stress/big-int-branch-usage.js: Added.
1496         * stress/big-int-logical-and.js: Added.
1497         * stress/big-int-logical-not.js: Added.
1498         * stress/big-int-logical-or.js: Added.
1499
1500 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1501
1502         [ESNext][BigInt] Implement support for "<<" and ">>"
1503         https://bugs.webkit.org/show_bug.cgi?id=186233
1504
1505         Reviewed by Yusuke Suzuki.
1506
1507         * stress/big-int-left-shift-general.js: Added.
1508         * stress/big-int-left-shift-range-error.js: Added.
1509         * stress/big-int-left-shift-type-error.js: Added.
1510         * stress/big-int-left-shift-wrapped-value.js: Added.
1511         * stress/big-int-right-shift-general.js: Added.
1512         * stress/big-int-right-shift-type-error.js: Added.
1513         * stress/big-int-right-shift-wrapped-value.js: Added.
1514         * stress/left-shift-to-primitive-precedence.js: Added.
1515         * stress/right-shift-to-primitive-precedence.js: Added.
1516
1517 2018-11-30  Dean Jackson  <dino@apple.com>
1518
1519         Add first-class support for .mjs files in jsc binary
1520         https://bugs.webkit.org/show_bug.cgi?id=192190
1521         <rdar://problem/46375715>
1522
1523         Reviewed by Keith Miller.
1524
1525         * stress/simple-module.mjs: Added.
1526         * stress/simple-script.js: Added.
1527
1528 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1529
1530         [BigInt] Implement ValueBitXor into DFG
1531         https://bugs.webkit.org/show_bug.cgi?id=190264
1532
1533         Reviewed by Yusuke Suzuki.
1534
1535         * stress/big-int-bitwise-xor-jit.js: Added.
1536         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1537         * stress/big-int-bitwise-xor-untyped.js: Added.
1538
1539 2018-11-27  Saam barati  <sbarati@apple.com>
1540
1541         r238510 broke scopes of size zero
1542         https://bugs.webkit.org/show_bug.cgi?id=192033
1543         <rdar://problem/46281734>
1544
1545         Reviewed by Keith Miller.
1546
1547         * stress/r238510-bad-loop.js: Added.
1548         (foo):
1549
1550 2018-11-27  Mark Lam  <mark.lam@apple.com>
1551
1552         [Re-landing] NaNs read from Wasm code needs to be be purified.
1553         https://bugs.webkit.org/show_bug.cgi?id=191056
1554         <rdar://problem/45660341>
1555
1556         Reviewed by Filip Pizlo.
1557
1558         * wasm/regress/regress-191056.js: Added.
1559
1560 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1561
1562         Unreviewed, rolling out r238509.
1563
1564         Causes JSC tests to fail on iOS.
1565
1566         Reverted changeset:
1567
1568         "NaNs read from Wasm code needs to be be purified."
1569         https://bugs.webkit.org/show_bug.cgi?id=191056
1570         https://trac.webkit.org/changeset/238509
1571
1572 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1573
1574         Re-introduce op_bitnot
1575         https://bugs.webkit.org/show_bug.cgi?id=190923
1576
1577         Reviewed by Yusuke Suzuki.
1578
1579         * stress/bit-not-must-generate.js: Added.
1580         * stress/bitwise-not-no-int32.js: Added.
1581
1582 2018-11-26  Saam barati  <sbarati@apple.com>
1583
1584         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1585         https://bugs.webkit.org/show_bug.cgi?id=191956
1586         <rdar://problem/45665806>
1587
1588         Reviewed by Yusuke Suzuki.
1589
1590         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1591         (bar):
1592         (foo):
1593
1594 2018-11-26  Saam barati  <sbarati@apple.com>
1595
1596         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1597         https://bugs.webkit.org/show_bug.cgi?id=191958
1598         <rdar://problem/46221877>
1599
1600         Reviewed by Yusuke Suzuki.
1601
1602         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1603         (x):
1604         (foo):
1605
1606 2018-11-26  Mark Lam  <mark.lam@apple.com>
1607
1608         NaNs read from Wasm code needs to be be purified.
1609         https://bugs.webkit.org/show_bug.cgi?id=191056
1610         <rdar://problem/45660341>
1611
1612         Reviewed by Filip Pizlo.
1613
1614         * wasm/regress/regress-191056.js: Added.
1615
1616 2018-11-26  Michael Saboff  <msaboff@apple.com>
1617
1618         32-bit JSC test failure: stress/regexp-compile-oom.js
1619         https://bugs.webkit.org/show_bug.cgi?id=191375
1620
1621         Reviewed by Mark Lam.
1622
1623         Disabled the test for 32 bit platforms.
1624
1625         * stress/regexp-compile-oom.js:
1626
1627 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1628
1629         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1630         https://bugs.webkit.org/show_bug.cgi?id=191716
1631         <rdar://problem/45723878>
1632
1633         Reviewed by Saam Barati.
1634
1635         * stress/regress-187373.js: Added.
1636         (async.fn):
1637
1638 2018-11-21  Saam barati  <sbarati@apple.com>
1639
1640         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1641         https://bugs.webkit.org/show_bug.cgi?id=191897
1642         <rdar://problem/45871998>
1643
1644         Reviewed by Mark Lam.
1645
1646         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1647         (bar):
1648         (foo):
1649
1650 2018-11-21  Saam barati  <sbarati@apple.com>
1651
1652         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1653         https://bugs.webkit.org/show_bug.cgi?id=191895
1654         <rdar://problem/46167406>
1655
1656         Reviewed by Mark Lam.
1657
1658         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1659         (foo):
1660         (bar):
1661
1662 2018-11-21  Mark Lam  <mark.lam@apple.com>
1663
1664         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1665         https://bugs.webkit.org/show_bug.cgi?id=191776
1666         <rdar://problem/46152851>
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/big-wasm-memory-grow-no-max.js:
1671         * stress/big-wasm-memory-grow.js:
1672         * stress/big-wasm-memory.js:
1673         - updated these to expect an OutOfMemoryError.
1674
1675         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1676         (Binary.prototype.emit_u8):
1677         (Binary.prototype.emit_u32v):
1678         (Binary.prototype.emit_header):
1679         (Binary.prototype.emit_section):
1680         (Binary):
1681         (WasmModuleBuilder):
1682         (WasmModuleBuilder.prototype.addMemory):
1683         (WasmModuleBuilder.prototype.toArray):
1684         (WasmModuleBuilder.prototype.toBuffer):
1685         (WasmModuleBuilder.prototype.instantiate):
1686         (catch):
1687         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1688         (catch):
1689
1690 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1691
1692         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1693         https://bugs.webkit.org/show_bug.cgi?id=190836
1694
1695         Reviewed by Saam Barati and Yusuke Suzuki.
1696
1697         * stress/big-int-out-of-memory-tests.js: Added.
1698
1699 2018-11-20  Mark Lam  <mark.lam@apple.com>
1700
1701         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1702         https://bugs.webkit.org/show_bug.cgi?id=191856
1703         <rdar://problem/46089992>
1704
1705         Reviewed by Yusuke Suzuki.
1706
1707         * stress/regress-191856.js: Added.
1708         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1709
1710 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1711
1712         Enable JIT on ARM/Linux
1713         https://bugs.webkit.org/show_bug.cgi?id=191548
1714
1715         Reviewed by Yusuke Suzuki.
1716
1717         Disable test on system with limited memory. Program was killed by
1718         the OS before the exception was thrown.
1719
1720         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1721
1722 2018-11-20  Saam barati  <sbarati@apple.com>
1723
1724         Merging an IC variant may lead to the IC status containing overlapping structure sets
1725         https://bugs.webkit.org/show_bug.cgi?id=191869
1726         <rdar://problem/45403453>
1727
1728         Reviewed by Mark Lam.
1729
1730         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1731
1732 2018-11-19  Mark Lam  <mark.lam@apple.com>
1733
1734         globalFuncImportModule() should return a promise when it clears exceptions.
1735         https://bugs.webkit.org/show_bug.cgi?id=191792
1736         <rdar://problem/46090763>
1737
1738         Reviewed by Michael Saboff.
1739
1740         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1741
1742 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1743
1744         Skip new memory-hungry tests on memory limited devices
1745
1746         Unreviewed gardening.
1747
1748         * stress/big-wasm-memory-grow-no-max.js:
1749         * stress/big-wasm-memory-grow.js:
1750         * stress/big-wasm-memory.js:
1751
1752 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1753
1754         Unreviewed, rolling in the rest of r237254
1755         https://bugs.webkit.org/show_bug.cgi?id=190340
1756
1757         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1758         * stress/function-cache-with-parameters-end-position.js: Added.
1759         (shouldBe):
1760         (shouldThrow):
1761         (i.anonymous):
1762         * stress/function-constructor-name.js: Added.
1763         (shouldBe):
1764         (GeneratorFunction):
1765         (AsyncFunction.async):
1766         (AsyncGeneratorFunction.async):
1767         (anonymous):
1768         (async.anonymous):
1769         * test262/expectations.yaml:
1770
1771 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1772
1773         All users of ArrayBuffer should agree on the same max size
1774         https://bugs.webkit.org/show_bug.cgi?id=191771
1775
1776         Reviewed by Mark Lam.
1777
1778         * stress/big-wasm-memory-grow-no-max.js: Added.
1779         (foo):
1780         (catch):
1781         * stress/big-wasm-memory-grow.js: Added.
1782         (foo):
1783         (catch):
1784         * stress/big-wasm-memory.js: Added.
1785         (foo):
1786         (catch):
1787
1788 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1789
1790         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1791         run for each JSC config since they're regression tests for runtime bugs.
1792
1793         * stress/json-stringified-overflow-2.js:
1794         * stress/json-stringified-overflow.js:
1795
1796 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1797
1798         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1799         config since they're regression tests for runtime bugs.
1800
1801         * stress/large-unshift-splice.js:
1802         * stress/regress-185888.js:
1803
1804 2018-11-16  Saam Barati  <sbarati@apple.com>
1805
1806         KnownCellUse should also have SpecCellCheck as its type filter
1807         https://bugs.webkit.org/show_bug.cgi?id=191729
1808         <rdar://problem/45872852>
1809
1810         Reviewed by Filip Pizlo.
1811
1812         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1813         (C):
1814
1815 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1816
1817         Fix assertion failure on BytecodeGenerator::recordOpcode
1818         https://bugs.webkit.org/show_bug.cgi?id=191724
1819         <rdar://problem/45724395>
1820
1821         Reviewed by Saam Barati.
1822
1823         * stress/regress-187373-2.js: Added.
1824         (foo):
1825
1826 2018-11-15  Mark Lam  <mark.lam@apple.com>
1827
1828         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1829         https://bugs.webkit.org/show_bug.cgi?id=191730
1830         <rdar://problem/46048517>
1831
1832         Reviewed by Saam Barati.
1833
1834         * stress/regress-187006.js: Removed.
1835           - this test is invalid because its sole purpose is to test for the non-spec
1836             compliant behavior that we just fixed.
1837
1838         * stress/regress-191730.js: Added.
1839
1840 2018-11-15  Mark Lam  <mark.lam@apple.com>
1841
1842         RegExp operations should not take fast patch if lastIndex is not numeric.
1843         https://bugs.webkit.org/show_bug.cgi?id=191731
1844         <rdar://problem/46017305>
1845
1846         Reviewed by Saam Barati.
1847
1848         * stress/regress-191731.js: Added.
1849
1850 2018-11-13  Saam Barati  <sbarati@apple.com>
1851
1852         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1853         https://bugs.webkit.org/show_bug.cgi?id=191600
1854
1855         Reviewed by Mark Lam.
1856
1857         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1858         (foo):
1859         (test):
1860         (bar):
1861
1862 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1863
1864         Unreviewed, rolling out r238132.
1865
1866         The test added with this change is timing out on Debug JSC
1867         bots.
1868
1869         Reverted changeset:
1870
1871         "[BigInt] JSBigInt::createWithLength should throw when length
1872         is greater than JSBigInt::maxLength"
1873         https://bugs.webkit.org/show_bug.cgi?id=190836
1874         https://trac.webkit.org/changeset/238132
1875
1876 2018-11-13  Mark Lam  <mark.lam@apple.com>
1877
1878         Add OOM detection to StringPrototype's substituteBackreferences().
1879         https://bugs.webkit.org/show_bug.cgi?id=191563
1880         <rdar://problem/45720428>
1881
1882         Reviewed by Saam Barati.
1883
1884         * stress/regress-191563.js: Added.
1885
1886 2018-11-13  Mark Lam  <mark.lam@apple.com>
1887
1888         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1889         https://bugs.webkit.org/show_bug.cgi?id=191579
1890         <rdar://problem/45942472>
1891
1892         Reviewed by Saam Barati.
1893
1894         * stress/regress-191579.js: Added.
1895
1896 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1897
1898         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1899         https://bugs.webkit.org/show_bug.cgi?id=190836
1900
1901         Reviewed by Saam Barati.
1902
1903         * stress/big-int-out-of-memory-tests.js: Added.
1904
1905 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1906
1907         U+180E is no longer a whitespace character
1908         https://bugs.webkit.org/show_bug.cgi?id=191415
1909
1910         Reviewed by Saam Barati.
1911
1912         * ChakraCore/test/es5/regexSpace.baseline:
1913         * ChakraCore/test/es6/unicode_whitespace.js:
1914         Update tests to latest version.
1915         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1916
1917         * test262.yaml:
1918         * test262/config.yaml:
1919         * test262/expectations.yaml:
1920         Update expectations.
1921
1922 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1923
1924         [BigInt] Add support to BigInt into ValueAdd
1925         https://bugs.webkit.org/show_bug.cgi?id=186177
1926
1927         Reviewed by Keith Miller.
1928
1929         * stress/big-int-negate-jit.js:
1930         * stress/value-add-big-int-and-string.js: Added.
1931         * stress/value-add-big-int-prediction-propagation.js: Added.
1932         * stress/value-add-big-int-untyped.js: Added.
1933
1934 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1935
1936         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1937         https://bugs.webkit.org/show_bug.cgi?id=191184
1938
1939         Reviewed by Saam Barati.
1940
1941         Most tests were failing due to timeouts, since they are too slow to
1942         run on CLoop. The exceptions are:
1943
1944         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1945         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1946         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1947         to change the stack size since CLoop requires it to be page aligned.
1948
1949         * microbenchmarks/array-push-1.js:
1950         * microbenchmarks/array-push-2.js:
1951         * microbenchmarks/elidable-new-object-dag.js:
1952         * microbenchmarks/elidable-new-object-roflcopter.js:
1953         * microbenchmarks/elidable-new-object-tree.js:
1954         * microbenchmarks/getter-richards.js:
1955         * microbenchmarks/sinkable-new-object-dag.js:
1956         * microbenchmarks/string-concat-long-convert.js:
1957         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1958         * slowMicrobenchmarks/array-push-3.js:
1959         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1960         * slowMicrobenchmarks/spread-small-array.js:
1961         * slowMicrobenchmarks/undefined-property-access.js:
1962         * stress/activation-sink-default-value-tdz-error.js:
1963         * stress/activation-sink-default-value.js:
1964         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1965         * stress/activation-sink-osrexit-default-value.js:
1966         * stress/activation-sink-osrexit.js:
1967         * stress/activation-sink.js:
1968         * stress/allow-math-ic-b3-code-duplication.js:
1969         * stress/array-push-multiple-int32.js:
1970         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1971         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1972         * stress/arrowfunction-lexical-this-activation-sink.js:
1973         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1974         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1975         * stress/elide-new-object-dag-then-exit.js:
1976         * stress/materialize-regexp-cyclic.js:
1977         * stress/new-regex-inline.js:
1978         * stress/op_add.js:
1979         * stress/op_bitand.js:
1980         * stress/op_bitor.js:
1981         * stress/op_bitxor.js:
1982         * stress/op_div-ConstVar.js:
1983         * stress/op_div-VarConst.js:
1984         * stress/op_div-VarVar.js:
1985         * stress/op_lshift-ConstVar.js:
1986         * stress/op_lshift-VarConst.js:
1987         * stress/op_lshift-VarVar.js:
1988         * stress/op_mod-ConstVar.js:
1989         * stress/op_mod-VarConst.js:
1990         * stress/op_mod-VarVar.js:
1991         * stress/op_mul-ConstVar.js:
1992         * stress/op_mul-VarConst.js:
1993         * stress/op_mul-VarVar.js:
1994         * stress/op_rshift-ConstVar.js:
1995         * stress/op_rshift-VarConst.js:
1996         * stress/op_rshift-VarVar.js:
1997         * stress/op_sub-ConstVar.js:
1998         * stress/op_sub-VarConst.js:
1999         * stress/op_sub-VarVar.js:
2000         * stress/op_urshift-ConstVar.js:
2001         * stress/op_urshift-VarConst.js:
2002         * stress/op_urshift-VarVar.js:
2003         * stress/proxy-get-set-correct-receiver.js:
2004         * stress/regress-179562.js:
2005         * stress/rest-parameter-many-arguments.js:
2006         * stress/sampling-profiler-richards.js:
2007         * stress/splay-flash-access-1ms.js:
2008         * stress/tailCallForwardArguments.js:
2009         * stress/typed-array-get-by-val-profiling.js:
2010         * typeProfiler/getter-richards.js:
2011
2012 2018-11-06  Michael Saboff  <msaboff@apple.com>
2013
2014         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2015         https://bugs.webkit.org/show_bug.cgi?id=191271
2016
2017         Reviewed by Saam Barati.
2018
2019         Added more test cases and made all test cases run with the same deeply recursive stack
2020         instead of finding that same point for each test case.
2021
2022         * stress/regexp-compile-oom.js:
2023         (prototype.runTest):
2024         (recurseAndTest):
2025         (testList.push.new.TestAndExpectedException):
2026
2027 2018-11-05  Michael Saboff  <msaboff@apple.com>
2028
2029         Unreviewed build fix for linux.
2030
2031         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2032
2033 2018-11-02  Michael Saboff  <msaboff@apple.com>
2034
2035         Rolling in r237753 with unreviewed build fix.
2036
2037         Fixed issues with DECLARE_THROW_SCOPE placement.
2038
2039 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2040
2041         Unreviewed, rolling out r237753.
2042
2043         Introduced JSC test failures
2044
2045         Reverted changeset:
2046
2047         "Running out of stack space not properly handled in
2048         RegExp::compile() and its callers"
2049         https://bugs.webkit.org/show_bug.cgi?id=191206
2050         https://trac.webkit.org/changeset/237753
2051
2052 2018-11-02  Michael Saboff  <msaboff@apple.com>
2053
2054         Running out of stack space not properly handled in RegExp::compile() and its callers
2055         https://bugs.webkit.org/show_bug.cgi?id=191206
2056
2057         Reviewed by Filip Pizlo.
2058
2059         New regression test.
2060
2061         * stress/regexp-compile-oom.js: Added.
2062         (recurseAndTest):
2063
2064 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2065
2066         Skip tests on arm/mips that time out now we're running on CLoop
2067
2068         Unreviewed gardening.
2069
2070         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2071         time out on the bots and need to be disabled. There's more tests
2072         disabled on arm because the timeout is longer on the mips bot (as the
2073         device is slower to start with), so many of the tests don't time out
2074         there.
2075
2076         * microbenchmarks/getter-richards.js: disable on arm and mips.
2077         * stress/op_add.js: disable on arm.
2078         * stress/op_bitand.js: disable on arm.
2079         * stress/op_bitor.js: disable on arm.
2080         * stress/op_bitxor.js: disable on arm.
2081         * stress/op_lshift-ConstVar.js: disable on arm.
2082         * stress/op_lshift-VarConst.js: disable on arm.
2083         * stress/op_lshift-VarVar.js: disable on arm.
2084         * stress/op_mod-ConstVar.js: disable on arm.
2085         * stress/op_mod-VarConst.js: disable on arm.
2086         * stress/op_mod-VarVar.js: disable on arm.
2087         * stress/op_mul-ConstVar.js: disable on arm.
2088         * stress/op_mul-VarConst.js: disable on arm.
2089         * stress/op_mul-VarVar.js: disable on arm.
2090         * stress/op_rshift-ConstVar.js: disable on arm.
2091         * stress/op_rshift-VarConst.js: disable on arm.
2092         * stress/op_rshift-VarVar.js: disable on arm.
2093         * stress/op_sub-ConstVar.js: disable on arm.
2094         * stress/op_sub-VarConst.js: disable on arm.
2095         * stress/op_sub-VarVar.js: disable on arm.
2096         * stress/op_urshift-ConstVar.js: disable on arm.
2097         * stress/op_urshift-VarConst.js: disable on arm.
2098         * stress/op_urshift-VarVar.js: disable on arm.
2099         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2100         * stress/value-to-boolean.js: disable on arm and mips.
2101
2102 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2103
2104         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2105         https://bugs.webkit.org/show_bug.cgi?id=191108
2106         <rdar://problem/45690700>
2107
2108         Reviewed by Saam Barati.
2109
2110         * stress/wide-op_catch.js: Added.
2111         (catch):
2112
2113 2018-10-29  Mark Lam  <mark.lam@apple.com>
2114
2115         Correctly detect string overflow when using the 'Function' constructor.
2116         https://bugs.webkit.org/show_bug.cgi?id=184883
2117         <rdar://problem/36320331>
2118
2119         Reviewed by Saam Barati.
2120
2121         I've verified that this passes on 32-bit as well.
2122
2123         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2124
2125 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2126
2127         Add support for GetStack FlushedDouble
2128         https://bugs.webkit.org/show_bug.cgi?id=191012
2129         <rdar://problem/45265141>
2130
2131         Reviewed by Saam Barati.
2132
2133         * stress/get-stack-double.js: Added.
2134         (bar):
2135         (noInline):
2136
2137 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2138
2139         New bytecode format for JSC
2140         https://bugs.webkit.org/show_bug.cgi?id=187373
2141         <rdar://problem/44186758>
2142
2143         Reviewed by Filip Pizlo.
2144
2145         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2146
2147         * stress/maximum-inline-capacity.js: Added.
2148         (test1):
2149         (test3.Foo):
2150         (test3):
2151
2152 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2153
2154         Unreviewed, rolling out r237479 and r237484.
2155         https://bugs.webkit.org/show_bug.cgi?id=190978
2156
2157         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2158
2159         Reverted changesets:
2160
2161         "New bytecode format for JSC"
2162         https://bugs.webkit.org/show_bug.cgi?id=187373
2163         https://trac.webkit.org/changeset/237479
2164
2165         "Gardening: Build fix after r237479."
2166         https://bugs.webkit.org/show_bug.cgi?id=187373
2167         https://trac.webkit.org/changeset/237484
2168
2169 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2170
2171         New bytecode format for JSC
2172         https://bugs.webkit.org/show_bug.cgi?id=187373
2173         <rdar://problem/44186758>
2174
2175         Reviewed by Filip Pizlo.
2176
2177         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2178
2179         * stress/maximum-inline-capacity.js: Added.
2180         (test1):
2181         (test3.Foo):
2182         (test3):
2183
2184 2018-10-26  Mark Lam  <mark.lam@apple.com>
2185
2186         Fix missing edge cases with JSGlobalObjects having a bad time.
2187         https://bugs.webkit.org/show_bug.cgi?id=189028
2188         <rdar://problem/45204939>
2189
2190         Reviewed by Saam Barati.
2191
2192         * stress/regress-189028.js: Added.
2193
2194 2018-10-22  Mark Lam  <mark.lam@apple.com>
2195
2196         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2197         https://bugs.webkit.org/show_bug.cgi?id=190515
2198         <rdar://problem/45222379>
2199
2200         Rubber-stamped by Saam Barati.
2201
2202         Adding another test.
2203
2204         * stress/regress-190515-2.js: Added.
2205
2206 2018-10-22  Mark Lam  <mark.lam@apple.com>
2207
2208         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2209         https://bugs.webkit.org/show_bug.cgi?id=190515
2210         <rdar://problem/45222379>
2211
2212         Reviewed by Saam Barati.
2213
2214         * stress/regress-190515.js: Added.
2215
2216 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2217
2218         Unreviewed, rolling out r237254.
2219         https://bugs.webkit.org/show_bug.cgi?id=190760
2220
2221         "It regresses JetStream 2 by 5% on some iOS devices"
2222         (Requested by saamyjoon on #webkit).
2223
2224         Reverted changeset:
2225
2226         "[JSC] JSC should have "parseFunction" to optimize Function
2227         constructor"
2228         https://bugs.webkit.org/show_bug.cgi?id=190340
2229         https://trac.webkit.org/changeset/237254
2230
2231 2018-10-19  Saam Barati  <sbarati@apple.com>
2232
2233         vmCall should check if we exit before emitting an OSR exit due to exceptions
2234         https://bugs.webkit.org/show_bug.cgi?id=190740
2235         <rdar://problem/45220139>
2236
2237         Reviewed by Mark Lam.
2238
2239         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2240         (foo):
2241
2242 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2243
2244         [ESNext][BigInt] Implement support for "^"
2245         https://bugs.webkit.org/show_bug.cgi?id=186235
2246
2247         Reviewed by Yusuke Suzuki.
2248
2249         * stress/big-int-bitwise-xor-general.js: Added.
2250         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2251         * stress/big-int-bitwise-xor-type-error.js: Added.
2252         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2253
2254 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2255
2256         [BigInt] Add ValueSub into DFG
2257         https://bugs.webkit.org/show_bug.cgi?id=186176
2258
2259         Reviewed by Yusuke Suzuki.
2260
2261         * stress/big-int-subtraction-jit.js:
2262         * stress/value-sub-big-int-prediction-propagation.js: Added.
2263         * stress/value-sub-big-int-untyped.js: Added.
2264         * stress/value-sub-spec-none-case.js: Added.
2265
2266 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2267
2268         [JSC] JSC should have "parseFunction" to optimize Function constructor
2269         https://bugs.webkit.org/show_bug.cgi?id=190340
2270
2271         Reviewed by Mark Lam.
2272
2273         This patch fixes the line number of syntax errors raised by the Function constructor,
2274         since we now parse the final code only once. And we no longer use block statement
2275         for Function constructor's parsing.
2276
2277         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2278         * stress/function-cache-with-parameters-end-position.js: Added.
2279         (shouldBe):
2280         (shouldThrow):
2281         (i.anonymous):
2282         * stress/function-constructor-name.js: Added.
2283         (shouldBe):
2284         (GeneratorFunction):
2285         (AsyncFunction.async):
2286         (AsyncGeneratorFunction.async):
2287         (anonymous):
2288         (async.anonymous):
2289         * test262/expectations.yaml:
2290
2291 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2292
2293         Unreviewed, rolling out r237242.
2294         https://bugs.webkit.org/show_bug.cgi?id=190701
2295
2296         it breaks "stress/sampling-profiler-basic.js" (Requested by
2297         caiolima on #webkit).
2298
2299         Reverted changeset:
2300
2301         "[BigInt] Add ValueSub into DFG"
2302         https://bugs.webkit.org/show_bug.cgi?id=186176
2303         https://trac.webkit.org/changeset/237242
2304
2305 2018-10-17  Keith Miller  <keith_miller@apple.com>
2306
2307         AI does not clear Phantom allocation nodes.
2308         https://bugs.webkit.org/show_bug.cgi?id=190694
2309
2310         Reviewed by Saam Barati.
2311
2312         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2313         (Day):
2314         (DaysInYear):
2315         (TimeInYear):
2316         (TimeFromYear):
2317         (DayFromYear):
2318         (InLeapYear):
2319         (YearFromTime):
2320         (WeekDay):
2321         (DaylightSavingTA):
2322         (GetSecondSundayInMarch):
2323         (TimeInMonth):
2324
2325 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2326
2327         [BigInt] Add ValueSub into DFG
2328         https://bugs.webkit.org/show_bug.cgi?id=186176
2329
2330         Reviewed by Yusuke Suzuki.
2331
2332         * stress/big-int-subtraction-jit.js:
2333         * stress/value-sub-big-int-prediction-propagation.js: Added.
2334         * stress/value-sub-big-int-untyped.js: Added.
2335
2336 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2337
2338         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2339         https://bugs.webkit.org/show_bug.cgi?id=190611
2340
2341         Reviewed by Saam Barati.
2342
2343         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2344         to improve test runtime. On ARM/MIPS this test even timed out when running all
2345         tests.
2346
2347         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2348         (test):
2349
2350 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2351
2352         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2353
2354         Unreviewed gardening.
2355
2356         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2357
2358 2018-10-15  Saam barati  <sbarati@apple.com>
2359
2360         Emit fjcvtzs on ARM64E on Darwin
2361         https://bugs.webkit.org/show_bug.cgi?id=184023
2362
2363         Reviewed by Yusuke Suzuki and Filip Pizlo.
2364
2365         * stress/double-to-int32-NaN.js: Added.
2366         (assert):
2367         (foo):
2368
2369 2018-10-15  Saam Barati  <sbarati@apple.com>
2370
2371         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2372         https://bugs.webkit.org/show_bug.cgi?id=190262
2373         <rdar://problem/44986241>
2374
2375         Reviewed by Mark Lam.
2376
2377         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2378         (test):
2379         * stress/slice-array-storage-with-holes.js: Added.
2380         (main):
2381
2382 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2383
2384         Unreviewed, rolling out r237054.
2385         https://bugs.webkit.org/show_bug.cgi?id=190593
2386
2387         "this regressed JetStream 2 by 6% on iOS" (Requested by
2388         saamyjoon on #webkit).
2389
2390         Reverted changeset:
2391
2392         "[JSC] JSC should have "parseFunction" to optimize Function
2393         constructor"
2394         https://bugs.webkit.org/show_bug.cgi?id=190340
2395         https://trac.webkit.org/changeset/237054
2396
2397 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2398
2399         [JSC] JSON.stringify can accept call-with-no-arguments
2400         https://bugs.webkit.org/show_bug.cgi?id=190343
2401
2402         Reviewed by Mark Lam.
2403
2404         * stress/json-stringify-no-arguments.js: Added.
2405         (shouldBe):
2406
2407 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2408
2409         [JSC] JSC should have "parseFunction" to optimize Function constructor
2410         https://bugs.webkit.org/show_bug.cgi?id=190340
2411
2412         Reviewed by Mark Lam.
2413
2414         This patch fixes the line number of syntax errors raised by the Function constructor,
2415         since we now parse the final code only once. And we no longer use block statement
2416         for Function constructor's parsing.
2417
2418         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2419         * stress/function-cache-with-parameters-end-position.js: Added.
2420         (shouldBe):
2421         (shouldThrow):
2422         (i.anonymous):
2423         * stress/function-constructor-name.js: Added.
2424         (shouldBe):
2425         (GeneratorFunction):
2426         (AsyncFunction.async):
2427         (AsyncGeneratorFunction.async):
2428         (anonymous):
2429         (async.anonymous):
2430         * test262/expectations.yaml:
2431
2432 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2433
2434         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2435         https://bugs.webkit.org/show_bug.cgi?id=190426
2436
2437         Unreviewed gardening.
2438
2439         * stress/sampling-profiler-richards.js:
2440
2441 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2442
2443         [ESNext][BigInt] Implement support for "|"
2444         https://bugs.webkit.org/show_bug.cgi?id=186229
2445
2446         Reviewed by Yusuke Suzuki.
2447
2448         * stress/big-int-bitwise-and-jit.js:
2449         * stress/big-int-bitwise-or-general.js: Added.
2450         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2451         * stress/big-int-bitwise-or-jit.js: Added.
2452         * stress/big-int-bitwise-or-memory-stress.js: Added.
2453         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2454         * stress/big-int-bitwise-or-type-error.js: Added.
2455         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2456
2457 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2458
2459         Skip test on systems with limited memory
2460         https://bugs.webkit.org/show_bug.cgi?id=190310
2461
2462         Invoking runDefault adds test to runlist, skipping the test in the next
2463         line does not prevent the test from executing. Change order of lines such
2464         that runDefault is only executed if test is not executed.
2465
2466         Reviewed by Mark Lam.
2467
2468         * stress/regress-190187.js:
2469
2470 2018-10-03  Saam barati  <sbarati@apple.com>
2471
2472         lowXYZ in FTLLower should always filter the type of the incoming edge
2473         https://bugs.webkit.org/show_bug.cgi?id=189939
2474         <rdar://problem/44407030>
2475
2476         Reviewed by Michael Saboff.
2477
2478         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2479         (foo):
2480         (test):
2481
2482 2018-10-03  Mark Lam  <mark.lam@apple.com>
2483
2484         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2485         https://bugs.webkit.org/show_bug.cgi?id=190187
2486         <rdar://problem/42512909>
2487
2488         Reviewed by Michael Saboff.
2489
2490         * stress/regress-190187.js: Added.
2491
2492 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2493
2494         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2495         https://bugs.webkit.org/show_bug.cgi?id=190033
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * stress/big-int-to-string.js:
2500
2501 2018-10-01  Mark Lam  <mark.lam@apple.com>
2502
2503         Function.toString() should also copy the source code Functions that are class definitions.
2504         https://bugs.webkit.org/show_bug.cgi?id=190186
2505         <rdar://problem/44733360>
2506
2507         Reviewed by Saam Barati.
2508
2509         * stress/regress-190186.js: Added.
2510
2511 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2512
2513         Split NaN-check into separate test
2514         https://bugs.webkit.org/show_bug.cgi?id=190010
2515
2516         Reviewed by Saam Barati.
2517
2518         DataView exposes NaN-representation, which is not necessarily the same on each
2519         architecture. Therefore move the check of the NaN-representation into its own
2520         file such that we can disable this test on MIPS where NaN-representation can be
2521         different on older CPUs.
2522
2523         * stress/dataview-jit-set-nan.js: Added.
2524         (assert):
2525         (test.storeLittleEndian):
2526         (test.storeBigEndian):
2527         (test.store):
2528         (test):
2529         * stress/dataview-jit-set.js:
2530         (test5):
2531
2532 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2533
2534         Unreviewed, rolling out r236647.
2535         https://bugs.webkit.org/show_bug.cgi?id=190124
2536
2537         Breaking test stress/big-int-to-string.js (Requested by
2538         caiolima_ on #webkit).
2539
2540         Reverted changeset:
2541
2542         "[BigInt] BigInt.proptotype.toString is broken when radix is
2543         power of 2"
2544         https://bugs.webkit.org/show_bug.cgi?id=190033
2545         https://trac.webkit.org/changeset/236647
2546
2547 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2548
2549         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2550         https://bugs.webkit.org/show_bug.cgi?id=190033
2551
2552         Reviewed by Yusuke Suzuki.
2553
2554         * stress/big-int-to-string.js:
2555
2556 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2557
2558         [ESNext][BigInt] Implement support for "&"
2559         https://bugs.webkit.org/show_bug.cgi?id=186228
2560
2561         Reviewed by Yusuke Suzuki.
2562
2563         * stress/big-int-bitwise-and-general.js: Added.
2564         (assert):
2565         (assert.sameValue):
2566         * stress/big-int-bitwise-and-jit.js: Added.
2567         (let.assert.sameValue):
2568         (bigIntBitAnd):
2569         * stress/big-int-bitwise-and-memory-stress.js: Added.
2570         (assert):
2571         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2572         (assert.sameValue):
2573         (let.o.Symbol.toPrimitive):
2574         (catch):
2575         * stress/big-int-bitwise-and-type-error.js: Added.
2576         (assert):
2577         (assertThrowTypeError):
2578         (let.o.valueOf):
2579         (o.valueOf):
2580         (o.toString):
2581         (o.Symbol.toPrimitive):
2582         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2583         (assert.sameValue):
2584         (testBitAnd):
2585         (let.o.Symbol.toPrimitive):
2586         (o.valueOf):
2587         (o.toString):
2588
2589 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2590
2591         JSC test stress/jsc-read.js doesn't support CRLF
2592         https://bugs.webkit.org/show_bug.cgi?id=190063
2593
2594         Reviewed by Yusuke Suzuki.
2595
2596         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2597
2598         * stress/jsc-read.js:
2599         (test):
2600
2601 2018-09-27  Saam barati  <sbarati@apple.com>
2602
2603         Verify the contents of AssemblerBuffer on arm64e
2604         https://bugs.webkit.org/show_bug.cgi?id=190057
2605         <rdar://problem/38916630>
2606
2607         Reviewed by Mark Lam.
2608
2609         * stress/regress-189132.js:
2610
2611 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2612
2613         Disable test without LLInt on ARMv7
2614         https://bugs.webkit.org/show_bug.cgi?id=190037
2615
2616         Reviewed by Mark Lam.
2617
2618         Test runs out of executable memory on ARMv7, do not run
2619         this test without LLInt enabled.
2620
2621         * stress/regress-169445.js:
2622
2623 2018-09-26  Keith Miller  <keith_miller@apple.com>
2624
2625         We should zero unused property storage when rebalancing array storage.
2626         https://bugs.webkit.org/show_bug.cgi?id=188151
2627
2628         Reviewed by Michael Saboff.
2629
2630         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2631
2632 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2633
2634         [JSC] Optimize Array#lastIndexOf
2635         https://bugs.webkit.org/show_bug.cgi?id=189780
2636
2637         Reviewed by Saam Barati.
2638
2639         * stress/array-lastindexof-array-prototype-trap.js: Added.
2640         (shouldBe):
2641         (AncestorArray.prototype.get 2):
2642         (AncestorArray):
2643         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2644         (shouldBe):
2645         * stress/array-lastindexof-hole-nan.js: Added.
2646         (shouldBe):
2647         (throw.new.Error):
2648         * stress/array-lastindexof-infinity.js: Added.
2649         (shouldBe):
2650         (throw.new.Error):
2651         * stress/array-lastindexof-negative-zero.js: Added.
2652         (shouldBe):
2653         (throw.new.Error):
2654         * stress/array-lastindexof-own-getter.js: Added.
2655         (shouldBe):
2656         (throw.new.Error.get array):
2657         (get array):
2658         * stress/array-lastindexof-prototype-trap.js: Added.
2659         (shouldBe):
2660         (DerivedArray.prototype.get 2):
2661         (DerivedArray):
2662
2663 2018-09-25  Saam Barati  <sbarati@apple.com>
2664
2665         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2666         https://bugs.webkit.org/show_bug.cgi?id=189940
2667         <rdar://problem/43640987>
2668
2669         Reviewed by Mark Lam.
2670
2671         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2672
2673 2018-09-24  Saam Barati  <sbarati@apple.com>
2674
2675         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2676         https://bugs.webkit.org/show_bug.cgi?id=189922
2677         <rdar://problem/44651275>
2678
2679         Reviewed by Mark Lam.
2680
2681         * stress/array-indexof-fast-path-effects.js: Added.
2682         * stress/array-indexof-cached-length.js: Added.
2683
2684 2018-09-24  Saam barati  <sbarati@apple.com>
2685
2686         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2687         https://bugs.webkit.org/show_bug.cgi?id=189682
2688         <rdar://problem/43557315>
2689
2690         Reviewed by Mark Lam.
2691
2692         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2693         (foo):
2694
2695 2018-09-22  Saam barati  <sbarati@apple.com>
2696
2697         The sampling should not use Strong<CodeBlock> in its machineLocation field
2698         https://bugs.webkit.org/show_bug.cgi?id=189319
2699
2700         Reviewed by Filip Pizlo.
2701
2702         * stress/sampling-profiler-richards.js: Added.
2703
2704 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2705
2706         [JSC] Optimize Array#indexOf in C++ runtime
2707         https://bugs.webkit.org/show_bug.cgi?id=189507
2708
2709         Reviewed by Saam Barati.
2710
2711         * stress/array-indexof-array-prototype-trap.js: Added.
2712         (shouldBe):
2713         (AncestorArray.prototype.get 2):
2714         (AncestorArray):
2715         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2716         (shouldBe):
2717         * stress/array-indexof-hole-nan.js: Added.
2718         (shouldBe):
2719         (throw.new.Error):
2720         * stress/array-indexof-infinity.js: Added.
2721         (shouldBe):
2722         (throw.new.Error):
2723         * stress/array-indexof-negative-zero.js: Added.
2724         (shouldBe):
2725         (throw.new.Error):
2726         * stress/array-indexof-own-getter.js: Added.
2727         (shouldBe):
2728         (throw.new.Error.get array):
2729         (get array):
2730         * stress/array-indexof-prototype-trap.js: Added.
2731         (shouldBe):
2732         (DerivedArray.prototype.get 2):
2733         (DerivedArray):
2734
2735 2018-09-19  Saam barati  <sbarati@apple.com>
2736
2737         AI rule for MultiPutByOffset executes its effects in the wrong order
2738         https://bugs.webkit.org/show_bug.cgi?id=189757
2739         <rdar://problem/43535257>
2740
2741         Reviewed by Michael Saboff.
2742
2743         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2744         (foo):
2745         (Foo):
2746         (g):
2747
2748 2018-09-17  Mark Lam  <mark.lam@apple.com>
2749
2750         Ensure that ForInContexts are invalidated if their loop local is over-written.
2751         https://bugs.webkit.org/show_bug.cgi?id=189571
2752         <rdar://problem/44402277>
2753
2754         Reviewed by Saam Barati.
2755
2756         * stress/regress-189571.js: Added.
2757
2758 2018-09-17  Saam barati  <sbarati@apple.com>
2759
2760         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2761         https://bugs.webkit.org/show_bug.cgi?id=189676
2762         <rdar://problem/39682897>
2763
2764         Reviewed by Michael Saboff.
2765
2766         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2767         (A):
2768         (K):
2769         (i.catch):
2770
2771 2018-09-14  Saam barati  <sbarati@apple.com>
2772
2773         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2774         https://bugs.webkit.org/show_bug.cgi?id=189628
2775         <rdar://problem/39481690>
2776
2777         Reviewed by Mark Lam.
2778
2779         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2780         (foo):
2781
2782 2018-09-11  Mark Lam  <mark.lam@apple.com>
2783
2784         Test for array initialization in arrayProtoFuncSplice.
2785         https://bugs.webkit.org/show_bug.cgi?id=170253
2786         <rdar://problem/31328773>
2787
2788         Rubber-stamped by Saam Barati.
2789
2790         * stress/regress-170253.js: Added.
2791
2792 2018-09-11  Mark Lam  <mark.lam@apple.com>
2793
2794         Test for IntlObject initialization.
2795         https://bugs.webkit.org/show_bug.cgi?id=170251
2796         <rdar://problem/31328419>
2797
2798         Rubber-stamped by Saam Barati.
2799
2800         * stress/regress-170251.js: Added.
2801
2802 2018-09-11  Mark Lam  <mark.lam@apple.com>
2803
2804         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2805         https://bugs.webkit.org/show_bug.cgi?id=169889
2806         <rdar://problem/31155607>
2807
2808         Reviewed by Saam Barati.
2809
2810         * stress/regress-169889-array-concat.js: Added.
2811         * stress/regress-169889-array-concat1.js: Added.
2812         * stress/regress-169889-array-slice.js: Added.
2813
2814 2018-09-11  Mark Lam  <mark.lam@apple.com>
2815
2816         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2817         https://bugs.webkit.org/show_bug.cgi?id=169445
2818         <rdar://problem/30957435>
2819
2820         Reviewed by Saam Barati.
2821
2822         * stress/regress-169445.js: Added.
2823         (let.gun.eval.A):
2824         (let.gun.eval.B.C):
2825         (let.gun.eval.B.C.prototype.trigger):
2826         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2827         (let.gun.eval.B):
2828         (let.gun.eval):
2829
2830 == Rolled over to ChangeLog-2018-09-11 ==