Assertion failed in JSC::createError
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2
3         Assertion failed in JSC::createError
4         https://bugs.webkit.org/show_bug.cgi?id=196305
5         <rdar://problem/49387382>
6
7         Reviewed by Saam Barati.
8
9         * stress/create-error-out-of-memory-rope-string-2.js: Added.
10         (assert):
11         (catch):
12
13 2019-03-28  Saam Barati  <sbarati@apple.com>
14
15         BackwardsGraph needs to consider back edges as the backward's root successor
16         https://bugs.webkit.org/show_bug.cgi?id=195991
17
18         Reviewed by Filip Pizlo.
19
20         * stress/map-b3-licm-infinite-loop.js: Added.
21
22 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
23
24         CodeBlock::jettison() should disallow repatching its own calls
25         https://bugs.webkit.org/show_bug.cgi?id=196359
26         <rdar://problem/48973663>
27
28         Reviewed by Saam Barati.
29
30         * stress/call-link-info-osrexit-repatch.js: Added.
31         (foo):
32
33 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
34
35         [JSC] imports-oom.js intermittently fails
36         https://bugs.webkit.org/show_bug.cgi?id=196373
37
38         Reviewed by Saam Barati.
39
40         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
41         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
42         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
43         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
44         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
45
46         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
47         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
48
49         * wasm/lowExecutableMemory/imports-oom.js:
50
51 2019-03-27  Saam Barati  <sbarati@apple.com>
52
53         validateOSREntryValue with Int52 should box the value being checked into double format
54         https://bugs.webkit.org/show_bug.cgi?id=196313
55         <rdar://problem/49306703>
56
57         Reviewed by Yusuke Suzuki.
58
59         * stress/validate-int-52-ai-state.js: Added.
60
61 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
62
63         [JSC] Owner of watchpoints should validate at GC finalizing phase
64         https://bugs.webkit.org/show_bug.cgi?id=195827
65
66         Reviewed by Filip Pizlo.
67
68         * stress/gc-should-reap-dead-watchpoints.js: Added.
69         (foo):
70         (A.prototype.y):
71         (A):
72
73 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
74
75         Skip WebAssembly test on 32-bit systems
76         https://bugs.webkit.org/show_bug.cgi?id=196206
77
78         Reviewed by Saam Barati.
79
80         Invoking runDefault executes test immediately even though
81         that test should be skipped due to missing WASM support.
82         Therefore remove runDefault.
83
84         * wasm/regress/web-assembly-link-error-exception-check.js:
85
86 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
87
88         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
89         https://bugs.webkit.org/show_bug.cgi?id=196217
90
91         Reviewed by Saam Barati.
92
93         Re-enable all NaN tests for f32.min, f64.min and f64.max.
94
95         * wasm/spec-tests/f32.wast.js:
96         * wasm/spec-tests/f64.wast.js:
97         * wasm/wasm.json:
98
99 2019-03-25  Keith Miller  <keith_miller@apple.com>
100
101         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
102         https://bugs.webkit.org/show_bug.cgi?id=196176
103
104         Reviewed by Saam Barati.
105
106         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
107         (main.v10):
108         (main):
109
110 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
111
112         WebAssembly: f32.max with NaN generates incorrect result
113         https://bugs.webkit.org/show_bug.cgi?id=175691
114         <rdar://problem/33952228>
115
116         Reviewed by Saam Barati.
117
118         Enable all f32.max NaN tests
119
120         * wasm/spec-tests/f32.wast.js:
121         * wasm/wasm.json:
122
123 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
124
125         [JSC] Move test into directory for WASM tests
126         https://bugs.webkit.org/show_bug.cgi?id=196187
127
128         Reviewed by Mark Lam.
129
130         Move Test into wasm-directory. Otherwise this test
131         is also executed on systems without WASM support.
132
133         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
134
135 2019-03-23  Mark Lam  <mark.lam@apple.com>
136
137         Rolling out r243032 and r243071 because the fix is incorrect.
138         https://bugs.webkit.org/show_bug.cgi?id=195892
139         <rdar://problem/48981239>
140
141         Not reviewed.
142
143         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
144
145 2019-03-22  Mark Lam  <mark.lam@apple.com>
146
147         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
148         https://bugs.webkit.org/show_bug.cgi?id=196154
149         <rdar://problem/49145307>
150
151         Reviewed by Filip Pizlo.
152
153         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
154         There's no need to run this test on more than 1 test configuration.
155
156         * stress/typed-array-lastIndexOf-exception-check.js: Added.
157         * stress/web-assembly-link-error-exception-check.js:
158
159 2019-03-22  Mark Lam  <mark.lam@apple.com>
160
161         Placate exception check validation in constructJSWebAssemblyLinkError().
162         https://bugs.webkit.org/show_bug.cgi?id=196152
163         <rdar://problem/49145257>
164
165         Reviewed by Michael Saboff.
166
167         * stress/web-assembly-link-error-exception-check.js: Added.
168
169 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
170
171         Skip tests running out of memory on ARM/MIPS
172         https://bugs.webkit.org/show_bug.cgi?id=196131
173
174         Unreviewed. Skip test if memory is limited.
175
176         * microbenchmarks/put-by-val-direct-large-index.js:
177
178 2019-03-21  Mark Lam  <mark.lam@apple.com>
179
180         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
181         https://bugs.webkit.org/show_bug.cgi?id=196116
182         <rdar://problem/48976951>
183
184         Reviewed by Filip Pizlo.
185
186         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
187
188 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
189
190         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
191         https://bugs.webkit.org/show_bug.cgi?id=196078
192         <rdar://problem/35925380>
193
194         Reviewed by Mark Lam.
195
196         Add a new benchmark that allocates several objects and invokes put_by_val_direct
197         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
198
199         * microbenchmarks/put-by-val-direct-large-index.js: Added.
200
201 2019-03-21  Mark Lam  <mark.lam@apple.com>
202
203         Placate exception check validation in operationArrayIndexOfString().
204         https://bugs.webkit.org/show_bug.cgi?id=196067
205         <rdar://problem/49056572>
206
207         Reviewed by Michael Saboff.
208
209         * stress/string-equal-exception-check.js: Added.
210
211 2019-03-21  Mark Lam  <mark.lam@apple.com>
212
213         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
214         https://bugs.webkit.org/show_bug.cgi?id=196055
215         <rdar://problem/49067448>
216
217         Reviewed by Yusuke Suzuki.
218
219         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
220
221 2019-03-20  Saam Barati  <sbarati@apple.com>
222
223         typeOfDoubleSum is wrong for when NaN can be produced
224         https://bugs.webkit.org/show_bug.cgi?id=196030
225
226         Reviewed by Filip Pizlo.
227
228         * stress/double-add-sub-mul-can-produce-nan.js: Added.
229         (assert):
230         (noInline.sub):
231         (noInline):
232         (assert.mul):
233         (assert.add):
234
235 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
236
237         Update the test to ensure OutOfMemoryError is thrown as intended
238         https://bugs.webkit.org/show_bug.cgi?id=196032
239         <rdar://problem/46842740>
240
241         Rubber stamped by Saam Barati.
242
243         * stress/create-error-out-of-memory-rope-string.js:
244         (assert):
245         (catch):
246
247 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
248
249         JSC::createError needs to check for OOM in errorDescriptionForValue
250         https://bugs.webkit.org/show_bug.cgi?id=196032
251         <rdar://problem/46842740>
252
253         Reviewed by Mark Lam.
254
255         * stress/create-error-out-of-memory-rope-string.js: Added.
256
257 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
258
259         Unreviewed, reduce # of iterations to avoid timing out after r242991
260         https://bugs.webkit.org/show_bug.cgi?id=195791
261
262         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
263
264         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
265
266 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
267
268         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
269         https://bugs.webkit.org/show_bug.cgi?id=195950
270
271         Unreviewed, reducing the amount of memory used on this test to avoid
272         OOM on devices with memory restrictions.
273
274         * microbenchmarks/generate-multiple-llint-entrypoints.js:
275
276 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
277
278         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
279         https://bugs.webkit.org/show_bug.cgi?id=194648
280
281         Reviewed by Keith Miller.
282
283         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
284
285 2019-03-18  Mark Lam  <mark.lam@apple.com>
286
287         Missing a ThrowScope release in JSObject::toString().
288         https://bugs.webkit.org/show_bug.cgi?id=195893
289         <rdar://problem/48970986>
290
291         Reviewed by Michael Saboff.
292
293         * stress/to-string-exception-check-release.js: Added.
294
295 2019-03-18  Mark Lam  <mark.lam@apple.com>
296
297         Structure::flattenDictionary() should clear unused property slots.
298         https://bugs.webkit.org/show_bug.cgi?id=195871
299         <rdar://problem/48959497>
300
301         Reviewed by Michael Saboff.
302
303         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
304
305 2019-03-15  Mark Lam  <mark.lam@apple.com>
306
307         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
308         https://bugs.webkit.org/show_bug.cgi?id=195827
309         <rdar://problem/48845513>
310
311         Reviewed by Filip Pizlo.
312
313         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
314
315 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
316
317         [ARM,MIPS] Skip slow tests
318         https://bugs.webkit.org/show_bug.cgi?id=195799
319
320         Unreviewed, test does not finish on ARM and MIPS within the
321         timeout limit.
322
323         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
324
325 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
326
327         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
328         https://bugs.webkit.org/show_bug.cgi?id=195791
329         <rdar://problem/48806130>
330
331         Reviewed by Mark Lam.
332
333         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
334         (foo):
335
336 2019-03-14  Saam barati  <sbarati@apple.com>
337
338         We can't remove code after ForceOSRExit until after FixupPhase
339         https://bugs.webkit.org/show_bug.cgi?id=186916
340         <rdar://problem/41396612>
341
342         Reviewed by Yusuke Suzuki.
343
344         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
345         (foo):
346         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
347         (foo):
348
349 2019-03-13  Michael Saboff  <msaboff@apple.com>
350
351         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
352         https://bugs.webkit.org/show_bug.cgi?id=195735
353
354         Reviewed by Mark Lam.
355
356         New regression test.
357
358         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
359         (foo):
360         (bar):
361
362 2019-03-14  Saam barati  <sbarati@apple.com>
363
364         Fixup uses KnownInt32 incorrectly in some nodes
365         https://bugs.webkit.org/show_bug.cgi?id=195279
366         <rdar://problem/47915654>
367
368         Reviewed by Yusuke Suzuki.
369
370         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
371         (foo):
372
373 2019-03-14  Keith Miller  <keith_miller@apple.com>
374
375         DFG liveness can't skip tail caller inline frames
376         https://bugs.webkit.org/show_bug.cgi?id=195715
377
378         Reviewed by Saam Barati.
379
380         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
381         (i.foo):
382
383 2019-03-13  Mark Lam  <mark.lam@apple.com>
384
385         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
386         https://bugs.webkit.org/show_bug.cgi?id=195415
387
388         Not reviewed.
389
390         Changed these tests to only run the default configuration.
391         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
392         There's no strong need to run this test on that variant.
393
394         * stress/dfg-to-string-on-int-does-gc.js:
395         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
396
397 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
398
399         String overflow when using StringBuilder in JSC::createError
400         https://bugs.webkit.org/show_bug.cgi?id=194957
401
402         Reviewed by Mark Lam.
403
404         Add test string-overflow-createError-bulder.js that overflows
405         StringBuilder in notAFunctionSourceAppender. The second new test
406         string-overflow-createError-fit.js has an error message that doesn't
407         overflow, it still failed since the String's capacity can't be doubled.
408         Run test string-overflow-createError.js only in the default
409         configuration to reduce memory consumption when running the test
410         in all configurations on multiple CPUs in parallel.
411
412         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
413         (catch):
414         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
415         (catch):
416         * stress/string-overflow-createError.js:
417
418 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
419
420         [JSC] OSR entry should respect abstract values in addition to flush formats
421         https://bugs.webkit.org/show_bug.cgi?id=195653
422
423         Reviewed by Mark Lam.
424
425         * stress/osr-entry-locals-none.js: Added.
426
427 2019-03-12  Michael Saboff  <msaboff@apple.com>
428
429         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
430         https://bugs.webkit.org/show_bug.cgi?id=195613
431
432         Reviewed by Mark Lam.
433
434         New regression test.
435
436         * stress/regexp-backref-inbounds.js: Added.
437         (testRegExp):
438
439 2019-03-12  Mark Lam  <mark.lam@apple.com>
440
441         The HasIndexedProperty node does GC.
442         https://bugs.webkit.org/show_bug.cgi?id=195559
443         <rdar://problem/48767923>
444
445         Reviewed by Yusuke Suzuki.
446
447         * stress/HasIndexedProperty-does-gc.js: Added.
448
449 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
450
451         [ESNext][BigInt] Implement "~" unary operation
452         https://bugs.webkit.org/show_bug.cgi?id=182216
453
454         Reviewed by Keith Miller.
455
456         * stress/big-int-bit-not-general.js: Added.
457         * stress/big-int-bitwise-not-jit.js: Added.
458         * stress/big-int-bitwise-not-wrapped-value.js: Added.
459         * stress/bit-op-with-object-returning-int32.js:
460         * stress/bitwise-not-fixup-rules.js: Added.
461         * stress/value-bit-not-ai-rule.js: Added.
462
463 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
464
465         Invalid flags in a RegExp literal should be an early SyntaxError
466         https://bugs.webkit.org/show_bug.cgi?id=195514
467
468         Reviewed by Darin Adler.
469
470         * test262/expectations.yaml:
471         Mark 4 test cases as passing.
472
473         * stress/regexp-syntax-error-invalid-flags.js:
474         * stress/regress-161995.js: Removed.
475         Update existing test, merging in an older test for the same behavior.
476
477 2019-03-08  Mark Lam  <mark.lam@apple.com>
478
479         Stack overflow crash in JSC::JSObject::hasInstance.
480         https://bugs.webkit.org/show_bug.cgi?id=195458
481         <rdar://problem/48710195>
482
483         Reviewed by Yusuke Suzuki.
484
485         * stress/stack-overflow-in-custom-hasInstance.js: Added.
486
487 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
488
489         op_check_tdz does not def its argument
490         https://bugs.webkit.org/show_bug.cgi?id=192880
491         <rdar://problem/46221598>
492
493         Reviewed by Saam Barati.
494
495         * microbenchmarks/let-for-in.js: Added.
496         (foo):
497
498 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
499
500         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
501         https://bugs.webkit.org/show_bug.cgi?id=195429
502
503         Reviewed by Saam Barati.
504
505         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
506         (foo):
507         * stress/string-from-char-code-255.js: Added.
508
509 2019-03-06  Mark Lam  <mark.lam@apple.com>
510
511         Fix incorrect handling of try-finally completion values.
512         https://bugs.webkit.org/show_bug.cgi?id=195131
513         <rdar://problem/46222079>
514
515         Reviewed by Saam Barati and Yusuke Suzuki.
516
517         Added many permutations of new test case to test-finally.js.  test-finally.js has
518         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
519         tests passes there as well.
520
521         * stress/test-finally.js:
522
523 2019-03-06  Saam Barati  <sbarati@apple.com>
524
525         Air::reportUsedRegisters must padInterference
526         https://bugs.webkit.org/show_bug.cgi?id=195303
527         <rdar://problem/48270343>
528
529         Reviewed by Keith Miller.
530
531         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
532
533 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
534
535         [JSC] AI should not propagate AbstractValue relying on constant folding phase
536         https://bugs.webkit.org/show_bug.cgi?id=195375
537
538         Reviewed by Saam Barati.
539
540         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
541         (let.array):
542
543 2019-03-05  Saam barati  <sbarati@apple.com>
544
545         op_switch_char broken for rope strings after JSRopeString layout rewrite
546         https://bugs.webkit.org/show_bug.cgi?id=195339
547         <rdar://problem/48592545>
548
549         Reviewed by Yusuke Suzuki.
550
551         * stress/switch-on-char-llint-rope.js: Added.
552
553 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
554
555         [JSC] Store bits for JSRopeString in 3 stores
556         https://bugs.webkit.org/show_bug.cgi?id=195234
557
558         Reviewed by Saam Barati.
559
560         * stress/null-rope-and-collectors.js: Added.
561
562 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
563
564         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
565         https://bugs.webkit.org/show_bug.cgi?id=195207
566
567         Unreviewed. After test runtime was reduced in r242213, test can be
568         run again on ARM/MIPS.
569
570         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
571
572 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
573
574         [JSC] sizeof(JSString) should be 16
575         https://bugs.webkit.org/show_bug.cgi?id=194375
576
577         Reviewed by Saam Barati.
578
579         * microbenchmarks/make-rope.js: Added.
580         (makeRope):
581         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
582         (returnRope.helper): Deleted.
583         (returnRope): Deleted.
584
585 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
586
587         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
588         https://bugs.webkit.org/show_bug.cgi?id=195144
589
590         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
591         Change the number from 1e8 to 1e5.
592
593         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
594         (foo):
595
596 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
597
598         Test times out on ARM/MIPS
599         https://bugs.webkit.org/show_bug.cgi?id=195168
600
601         Unreviewed. Skip test on ARM/MIPS.
602
603         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
604
605 2019-02-27  Mark Lam  <mark.lam@apple.com>
606
607         The parser is failing to record the token location of new in new.target.
608         https://bugs.webkit.org/show_bug.cgi?id=195127
609         <rdar://problem/39645578>
610
611         Reviewed by Yusuke Suzuki.
612
613         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
614
615 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
616
617         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
618         https://bugs.webkit.org/show_bug.cgi?id=195144
619         <rdar://problem/47595961>
620
621         Reviewed by Mark Lam.
622
623         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
624         (bar):
625         (foo):
626         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
627         (bar):
628         (foo):
629
630 2019-02-27  Robin Morisset  <rmorisset@apple.com>
631
632         DFG: Loop-invariant code motion (LICM) should not hoist dead code
633         https://bugs.webkit.org/show_bug.cgi?id=194945
634         <rdar://problem/48311657>
635
636         Reviewed by Mark Lam.
637
638         * stress/licm-dead-code.js: Added.
639
640 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
641
642         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
643         https://bugs.webkit.org/show_bug.cgi?id=194677
644         <rdar://problem/48112492>
645
646         Reviewed by Mark Lam.
647
648         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
649         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
650         it immediately fails due the large size.
651
652         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
653         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
654         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
655         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
656
657         This patch changes the test to produce 16bit string from String.fromCharCode.
658
659         * stress/regress-178386.js:
660
661 2019-02-26  Mark Lam  <mark.lam@apple.com>
662
663         wasmToJS() should purify incoming NaNs.
664         https://bugs.webkit.org/show_bug.cgi?id=194807
665         <rdar://problem/48189132>
666
667         Reviewed by Saam Barati.
668
669         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
670
671 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
672
673         [JSC] Repeat string created from Array.prototype.join() take too much memory
674         https://bugs.webkit.org/show_bug.cgi?id=193912
675
676         Reviewed by Saam Barati.
677
678         Added a test and a microbenchmark for corner cases of
679         Array.prototype.join() with an uninitialized array.
680
681         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
682         * stress/array-prototype-join-uninitialized.js: Added.
683         (testArray):
684         (testABC):
685         (B):
686         (C):
687
688 2019-02-22  Robin Morisset  <rmorisset@apple.com>
689
690         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
691         https://bugs.webkit.org/show_bug.cgi?id=194953
692         <rdar://problem/47595253>
693
694         Reviewed by Saam Barati.
695
696         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
697
698         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
699
700 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
701
702         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
703         https://bugs.webkit.org/show_bug.cgi?id=172848
704         <rdar://problem/25709212>
705
706         Reviewed by Mark Lam.
707
708         * typeProfiler/inheritance.js:
709         Rewrite the test slightly for clarity. The hoisting was confusing.
710
711         * heapProfiler/class-names.js: Added.
712         (MyES5Class):
713         (MyES6Class):
714         (MyES6Subclass):
715         Test object types and improved class names.
716
717         * heapProfiler/driver/driver.js:
718         (CheapHeapSnapshotNode):
719         (CheapHeapSnapshot):
720         (createCheapHeapSnapshot):
721         (HeapSnapshot):
722         (createHeapSnapshot):
723         Update snapshot parsing from version 1 to version 2.
724
725 2019-02-19  Truitt Savell  <tsavell@apple.com>
726
727         Unreviewed, rolling out r241784.
728
729         Broke all OpenSource builds.
730
731         Reverted changeset:
732
733         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
734         instances view"
735         https://bugs.webkit.org/show_bug.cgi?id=172848
736         https://trac.webkit.org/changeset/241784
737
738 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
739
740         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
741         https://bugs.webkit.org/show_bug.cgi?id=172848
742         <rdar://problem/25709212>
743
744         Reviewed by Mark Lam.
745
746         * typeProfiler/inheritance.js:
747         Rewrite the test slightly for clarity. The hoisting was confusing.
748
749         * heapProfiler/class-names.js: Added.
750         (MyES5Class):
751         (MyES6Class):
752         (MyES6Subclass):
753         Test object types and improved class names.
754
755         * heapProfiler/driver/driver.js:
756         (CheapHeapSnapshotNode):
757         (CheapHeapSnapshot):
758         (createCheapHeapSnapshot):
759         (HeapSnapshot):
760         (createHeapSnapshot):
761         Update snapshot parsing from version 1 to version 2.
762
763 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
764
765         [ARM] Fix crash with sampling profiler
766         https://bugs.webkit.org/show_bug.cgi?id=194772
767
768         Reviewed by Mark Lam.
769
770         Do not skip test since crash with sampling profiler is now fixed.
771
772         * stress/sampling-profiler-richards.js:
773
774 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
775
776         [JSC] Add LazyClassStructure::getInitializedOnMainThread
777         https://bugs.webkit.org/show_bug.cgi?id=194784
778         <rdar://problem/48154820>
779
780         Reviewed by Mark Lam.
781
782         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
783         (getProperties):
784         (getRandomProperty):
785         (i.catch):
786
787 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
788
789         [ARM] Test gardening: Test running out of executable memory
790         https://bugs.webkit.org/show_bug.cgi?id=194771
791
792         Unreviewed. Do not run test without LLInt, test is running out of executable
793         memory on ARM otherwise.
794
795         * stress/tagged-template-object-collect.js:
796
797 2019-02-18  Tomas Popela  <tpopela@redhat.com>
798
799         Unreviewed, skip the test on platforms without sampling profiler
800
801         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
802         (platformSupportsSamplingProfiler.foo):
803         (platformSupportsSamplingProfiler.test):
804         (platformSupportsSamplingProfiler):
805         (foo): Deleted.
806         (test): Deleted.
807
808 2019-02-17  Saam Barati  <sbarati@apple.com>
809
810         Deadlock when adding a Structure property transition and then doing incremental marking
811         https://bugs.webkit.org/show_bug.cgi?id=194767
812
813         Reviewed by Mark Lam.
814
815         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
816
817 2019-02-15  Michael Saboff  <msaboff@apple.com>
818
819         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
820         https://bugs.webkit.org/show_bug.cgi?id=194558
821
822         Reviewed by Saam Barati.
823
824         New regression test.
825
826         * stress/regexp-unicode-within-string.js: Added.
827
828 2019-02-15  Mark Lam  <mark.lam@apple.com>
829
830         SamplingProfiler::stackTracesAsJSON() should escape strings.
831         https://bugs.webkit.org/show_bug.cgi?id=194649
832         <rdar://problem/48072386>
833
834         Reviewed by Saam Barati.
835
836         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
837         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
838         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
839         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
840
841 2019-02-15  Robin Morisset  <rmorisset@apple.com>
842         CodeBlock::jettison should clear related watchpoints
843         https://bugs.webkit.org/show_bug.cgi?id=194544
844
845         Reviewed by Mark Lam.
846
847         * stress/regexp-replace-double-watchpoint.js: Added.
848         (foo):
849
850 2019-02-15  Saam barati  <sbarati@apple.com>
851
852         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
853         https://bugs.webkit.org/show_bug.cgi?id=194036
854
855         Reviewed by Yusuke Suzuki.
856
857         * stress/tail-call-many-arguments.js: Added.
858         (foo):
859         (bar):
860
861 2019-02-14  Saam Barati  <sbarati@apple.com>
862
863         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
864         https://bugs.webkit.org/show_bug.cgi?id=194583
865         <rdar://problem/48028140>
866
867         Reviewed by Yusuke Suzuki.
868
869         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
870
871 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
872
873         [JSC] String.fromCharCode's slow path always generates 16bit string
874         https://bugs.webkit.org/show_bug.cgi?id=194466
875
876         Reviewed by Keith Miller.
877
878         * stress/string-from-char-code-slow-path.js: Added.
879         (shouldBe):
880         (testWithLength):
881
882 2019-02-08  Saam barati  <sbarati@apple.com>
883
884         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
885         https://bugs.webkit.org/show_bug.cgi?id=194334
886         <rdar://problem/47844327>
887
888         Reviewed by Mark Lam.
889
890         * stress/check-in-bounds-should-be-a-child-use.js: Added.
891         (func):
892
893 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
894
895         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
896         https://bugs.webkit.org/show_bug.cgi?id=194369
897         <rdar://problem/47813087>
898
899         Reviewed by Saam Barati.
900
901         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
902         (A):
903
904 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
905
906         [JSC] PrivateName to PublicName hash table is wasteful
907         https://bugs.webkit.org/show_bug.cgi?id=194277
908
909         Reviewed by Michael Saboff.
910
911         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
912
913         * ChakraCore.yaml:
914
915 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
916
917         [ARM] Test running out of executable memory
918         https://bugs.webkit.org/show_bug.cgi?id=194285
919
920         Unreviewed. Do no execute test with LLInt disabled, test runs out of
921         executable memory otherwise.
922
923         * stress/class-subclassing-function.js:
924
925 2019-02-04  Robin Morisset  <rmorisset@apple.com>
926
927         when lowering AssertNotEmpty, create the value before creating the patchpoint
928         https://bugs.webkit.org/show_bug.cgi?id=194231
929
930         Reviewed by Saam Barati.
931
932         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
933         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
934         So even tiny changes to this test can change the path code taken.
935
936         * stress/assert-not-empty.js: Added.
937         (foo):
938
939 2019-02-01  Mark Lam  <mark.lam@apple.com>
940
941         Remove invalid assertion in DFG's compileDoubleRep().
942         https://bugs.webkit.org/show_bug.cgi?id=194130
943         <rdar://problem/47699474>
944
945         Reviewed by Saam Barati.
946
947         * stress/constant-fold-double-rep-into-double-constant.js: Added.
948
949 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
950
951         Import latest Test262 updates.
952
953         Rubber-stamped by Keith Miller.
954
955         * test262.yaml: Deleted.
956         * test262/config.yaml:
957         * test262/expectations.yaml:
958         * test262/latest-changes-summary.txt:
959         * test262/test/:
960         * test262/test262-Revision.txt:
961
962 2019-01-30  Robin Morisset  <rmorisset@apple.com>
963
964         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
965         https://bugs.webkit.org/show_bug.cgi?id=194050
966         <rdar://problem/47595592>
967
968         Reviewed by Yusuke Suzuki.
969
970         * stress/object-keys-osr-exit.js: Added.
971         (foo):
972         (catch):
973
974 2019-01-29  Mark Lam  <mark.lam@apple.com>
975
976         ValueRecovery::recover() should purify NaN values it recovers.
977         https://bugs.webkit.org/show_bug.cgi?id=193978
978         <rdar://problem/47625488>
979
980         Reviewed by Saam Barati.
981
982         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
983
984 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
985
986         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
987         https://bugs.webkit.org/show_bug.cgi?id=193713
988
989         * stress/try-get-by-id-should-spill-registers-dfg.js:
990         (let.f.createBuiltin):
991
992 2019-01-28  Mark Lam  <mark.lam@apple.com>
993
994         ToString node actually does GC.
995         https://bugs.webkit.org/show_bug.cgi?id=193920
996         <rdar://problem/46695900>
997
998         Reviewed by Yusuke Suzuki.
999
1000         * stress/dfg-to-string-on-int-does-gc.js: Added.
1001         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1002         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1003
1004 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1005
1006         [JSC] NativeErrorConstructor should not have own IsoSubspace
1007         https://bugs.webkit.org/show_bug.cgi?id=193713
1008
1009         Reviewed by Saam Barati.
1010
1011         Remove @Error use.
1012
1013         * stress/try-get-by-id-should-spill-registers-dfg.js:
1014         (let.f.createBuiltin):
1015
1016 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1017
1018         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1019         https://bugs.webkit.org/show_bug.cgi?id=190693
1020
1021         Reviewed by Michael Saboff.
1022
1023         * stress/regress-190693.js: Added.
1024         (truth):
1025         (assert):
1026         (shouldThrowInvalidConstAssignment):
1027         (taz):
1028
1029 2019-01-24  Saam Barati  <sbarati@apple.com>
1030
1031         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1032         https://bugs.webkit.org/show_bug.cgi?id=193751
1033         <rdar://problem/47280215>
1034
1035         Reviewed by Michael Saboff.
1036
1037         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1038         (let.thing):
1039         (foo.let.hello):
1040         (foo):
1041
1042 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1043
1044         [JSC] Reenable baseline JIT on mips
1045         https://bugs.webkit.org/show_bug.cgi?id=192983
1046
1047         Reviewed by Mark Lam.
1048
1049         Added a new test for a case that was triggering a RELEASE_ASSERT when
1050         testing.
1051         Disable some slow tests that were already disabled for arm and x86.
1052
1053         * stress/json-parse-big-object.js: Added.
1054         * stress/new-largeish-contiguous-array-with-size.js:
1055         * stress/op_add.js:
1056         * stress/op_bitand.js:
1057         * stress/op_bitor.js:
1058         * stress/op_bitxor.js:
1059         * stress/op_lshift-ConstVar.js:
1060         * stress/op_lshift-VarConst.js:
1061         * stress/op_lshift-VarVar.js:
1062         * stress/op_mod-ConstVar.js:
1063         * stress/op_mod-VarConst.js:
1064         * stress/op_mod-VarVar.js:
1065         * stress/op_mul-ConstVar.js:
1066         * stress/op_mul-VarConst.js:
1067         * stress/op_mul-VarVar.js:
1068         * stress/op_rshift-ConstVar.js:
1069         * stress/op_rshift-VarConst.js:
1070         * stress/op_rshift-VarVar.js:
1071         * stress/op_sub-ConstVar.js:
1072         * stress/op_sub-VarConst.js:
1073         * stress/op_sub-VarVar.js:
1074         * stress/op_urshift-ConstVar.js:
1075         * stress/op_urshift-VarConst.js:
1076         * stress/op_urshift-VarVar.js:
1077         * stress/sampling-profiler-richards.js:
1078         * stress/spread-forward-call-varargs-stack-overflow.js:
1079
1080 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1081
1082         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1083         https://bugs.webkit.org/show_bug.cgi?id=193711
1084         <rdar://problem/47250262>
1085
1086         Reviewed by Saam Barati.
1087
1088         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1089         (shouldBe):
1090         (foo):
1091         (bar):
1092         (baz):
1093
1094 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1095
1096         Unreviewed, fix initial global lexical binding epoch
1097         https://bugs.webkit.org/show_bug.cgi?id=193603
1098         <rdar://problem/47380869>
1099
1100         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1101         (f1.f2.f3.f4):
1102         (f1.f2.f3):
1103         (f1.f2):
1104         (f1):
1105
1106 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1107
1108         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1109         https://bugs.webkit.org/show_bug.cgi?id=193709
1110         <rdar://problem/47363838>
1111
1112         Unreviewed, rollout to watch the tests.
1113
1114         * stress/object-tostring-changed-proto.js: Removed.
1115         * stress/object-tostring-changed.js: Removed.
1116         * stress/object-tostring-misc.js: Removed.
1117         * stress/object-tostring-other.js: Removed.
1118         * stress/object-tostring-untyped.js: Removed.
1119
1120 2019-01-22  Saam Barati  <sbarati@apple.com>
1121
1122         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1123
1124         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1125         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1126         (testUncheckedLessThanZero):
1127         (testUncheckedLessThanOrEqualZero):
1128         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1129         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1130
1131 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1132
1133         [JSC] Invalidate old scope operations using global lexical binding epoch
1134         https://bugs.webkit.org/show_bug.cgi?id=193603
1135         <rdar://problem/47380869>
1136
1137         Reviewed by Saam Barati.
1138
1139         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1140         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1141         (shouldThrow):
1142         (bar):
1143         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1144         (shouldBe):
1145         (get1):
1146         (get2):
1147         (get1If):
1148         (get2If):
1149         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1150         (shouldThrow):
1151         (foo):
1152
1153 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1154
1155         Unreviewed, roll out r240220 due to date-format-xparb regression
1156         https://bugs.webkit.org/show_bug.cgi?id=193603
1157
1158         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1159         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1160         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1161         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1162
1163 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1164
1165         DoesGC rule is wrong for nodes with BigIntUse
1166         https://bugs.webkit.org/show_bug.cgi?id=193652
1167
1168         Reviewed by Saam Barati.
1169
1170         * stress/big-int-value-op-update-gc-rules.js: Added.
1171         (assert):
1172         (doesGCAdd):
1173         (doesGCSub):
1174         (doesGCDiv):
1175         (doesGCMul):
1176         (doesGCBitAnd):
1177         (doesGCBitOr):
1178         (doesGCBitXor):
1179
1180 2019-01-20  Saam Barati  <sbarati@apple.com>
1181
1182         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1183         https://bugs.webkit.org/show_bug.cgi?id=193644
1184         <rdar://problem/46209745>
1185
1186         Reviewed by Yusuke Suzuki.
1187
1188         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1189         (foo):
1190         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1191         (foo):
1192         (bar):
1193
1194 2019-01-20  Saam Barati  <sbarati@apple.com>
1195
1196         MovHint must merge NodeBytecodeUsesAsValue for its child
1197         https://bugs.webkit.org/show_bug.cgi?id=186916
1198         <rdar://problem/41396612>
1199
1200         Reviewed by Yusuke Suzuki.
1201
1202         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1203         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1204
1205 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1206
1207         [JSC] Invalidate old scope operations using global lexical binding epoch
1208         https://bugs.webkit.org/show_bug.cgi?id=193603
1209         <rdar://problem/47380869>
1210
1211         Reviewed by Saam Barati.
1212
1213         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1214         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1215         (shouldThrow):
1216         (bar):
1217         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1218         (shouldBe):
1219         (get1):
1220         (get2):
1221         (get1If):
1222         (get2If):
1223         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1224         (shouldThrow):
1225         (foo):
1226
1227 2019-01-17  Saam barati  <sbarati@apple.com>
1228
1229         StringObjectUse should not be a structure check for the original string object structure
1230         https://bugs.webkit.org/show_bug.cgi?id=193483
1231         <rdar://problem/47280522>
1232
1233         Reviewed by Yusuke Suzuki.
1234
1235         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1236         (foo):
1237         (a.valueOf.0):
1238
1239 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1240
1241         [JSC] ToThis omission in DFGByteCodeParser is wrong
1242         https://bugs.webkit.org/show_bug.cgi?id=193513
1243         <rdar://problem/45842236>
1244
1245         Reviewed by Saam Barati.
1246
1247         * stress/to-this-omission-with-different-strict-modes.js: Added.
1248         (thisA):
1249         (thisAStrictWrapper):
1250
1251 2019-01-15  Mark Lam  <mark.lam@apple.com>
1252
1253         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1254         https://bugs.webkit.org/show_bug.cgi?id=193423
1255         <rdar://problem/46209355>
1256
1257         Reviewed by Saam Barati.
1258
1259         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1260         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1261         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1262         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1263
1264 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1265
1266         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1267         https://bugs.webkit.org/show_bug.cgi?id=193438
1268         <rdar://problem/45581249>
1269
1270         Reviewed by Saam Barati and Keith Miller.
1271
1272         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1273         Then, GetByVal(String) crashed.
1274
1275         * stress/string-get-by-val-lowering.js: Added.
1276         (shouldBe):
1277         (test):
1278         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1279         (Hello):
1280         (foo):
1281
1282 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1283
1284         Unreviewed, skip JIT tests if it's not enabled
1285
1286         * stress/bit-op-with-object-returning-int32.js:
1287
1288 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1289
1290         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1291         https://bugs.webkit.org/show_bug.cgi?id=192966
1292
1293         Reviewed by Yusuke Suzuki.
1294
1295         * stress/bit-op-with-object-returning-int32.js: Added.
1296
1297 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1298
1299         Skip a slow test and a flakey test on arm
1300
1301         Unreviewed gardening.
1302
1303         * typeProfiler/getter-richards.js:
1304         this test always times out, it used to be always skipped on arm and
1305         mips, but got accidentally enabled by r237919 now that we have DFG on
1306         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1307
1308 2019-01-14  Keith Miller  <keith_miller@apple.com>
1309
1310         Skip type-check-hoisting-phase-hoist... with no jit
1311         https://bugs.webkit.org/show_bug.cgi?id=193421
1312
1313         Reviewed by Mark Lam.
1314
1315         It's timing out the 32-bit bots and takes 330 seconds
1316         on my machine when run by itself.
1317
1318         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1319
1320 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1321
1322         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1323         https://bugs.webkit.org/show_bug.cgi?id=193413
1324         <rdar://problem/46092389>
1325
1326         Reviewed by Keith Miller.
1327
1328         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1329         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1330         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1331         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1332
1333         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1334         (compareArray):
1335
1336 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1337
1338         [BigInt] Literal parsing is crashing when used inside a Object Literal
1339         https://bugs.webkit.org/show_bug.cgi?id=193404
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * stress/big-int-literal-inside-literal-object.js: Added.
1344
1345 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1346
1347         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1348         https://bugs.webkit.org/show_bug.cgi?id=193372
1349
1350         Reviewed by Saam Barati.
1351
1352         * stress/typed-array-array-modes-profile.js: Added.
1353         (foo):
1354
1355 2019-01-14  Mark Lam  <mark.lam@apple.com>
1356
1357         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1358         https://bugs.webkit.org/show_bug.cgi?id=193402
1359         <rdar://problem/46012309>
1360
1361         Reviewed by Keith Miller.
1362
1363         * stress/regexp-compile-oom.js:
1364         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1365           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1366
1367 2019-01-11  Saam barati  <sbarati@apple.com>
1368
1369         DFG combined liveness can be wrong for terminal basic blocks
1370         https://bugs.webkit.org/show_bug.cgi?id=193304
1371         <rdar://problem/45268632>
1372
1373         Reviewed by Yusuke Suzuki.
1374
1375         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1376
1377 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1378
1379         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1380         https://bugs.webkit.org/show_bug.cgi?id=193308
1381         <rdar://problem/45546542>
1382
1383         Reviewed by Saam Barati.
1384
1385         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1386         (shouldThrow):
1387         (shouldBe):
1388         (foo):
1389         (get shouldThrow):
1390         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1391         (shouldThrow):
1392         (shouldBe):
1393         (foo):
1394         (get shouldBe):
1395         (get shouldThrow):
1396         (get return):
1397         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1398         (shouldThrow):
1399         (shouldBe):
1400         (foo):
1401         (get shouldBe):
1402         (get shouldThrow):
1403         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1404         (shouldThrow):
1405         (shouldBe):
1406         (foo):
1407         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1408         (shouldThrow):
1409         (shouldBe):
1410         (foo):
1411         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1412         (shouldThrow):
1413         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1414         (shouldThrow):
1415         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1416         (shouldThrow):
1417         (shouldBe):
1418         (foo):
1419         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1420         (shouldThrow):
1421         (shouldBe):
1422         (foo):
1423         (get shouldBe):
1424         (get shouldThrow):
1425         (get return):
1426         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1427         (shouldThrow):
1428         (shouldBe):
1429         (foo):
1430         (get shouldBe):
1431         (get shouldThrow):
1432         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1433         (shouldThrow):
1434         (shouldBe):
1435         (foo):
1436         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1437         (shouldThrow):
1438         (shouldBe):
1439         (foo):
1440
1441 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1442
1443         Enable DFG on ARM/Linux again
1444         https://bugs.webkit.org/show_bug.cgi?id=192496
1445
1446         Reviewed by Yusuke Suzuki.
1447
1448         Test wasn't really skipped before moving the line with skip
1449         to the top.
1450
1451         * stress/regress-192717.js:
1452
1453 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1454
1455         Unreviewed, rolling out r239825.
1456         https://bugs.webkit.org/show_bug.cgi?id=193330
1457
1458         Broke tests on armv7/linux bots (Requested by guijemont on
1459         #webkit).
1460
1461         Reverted changeset:
1462
1463         "Enable DFG on ARM/Linux again"
1464         https://bugs.webkit.org/show_bug.cgi?id=192496
1465         https://trac.webkit.org/changeset/239825
1466
1467 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1468
1469         Enable DFG on ARM/Linux again
1470         https://bugs.webkit.org/show_bug.cgi?id=192496
1471
1472         Reviewed by Yusuke Suzuki.
1473
1474         Test wasn't really skipped before moving the line with skip
1475         to the top.
1476
1477         * stress/regress-192717.js:
1478
1479 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1480
1481         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1482         https://bugs.webkit.org/show_bug.cgi?id=193127
1483
1484         Reviewed by Saam Barati.
1485
1486         * stress/array-species-create-should-handle-masquerader.js: Added.
1487         (shouldThrow):
1488         * stress/is-undefined-or-null-builtin.js: Added.
1489         (shouldBe):
1490         (isUndefinedOrNull.vm.createBuiltin):
1491
1492 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1493
1494         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1495         https://bugs.webkit.org/show_bug.cgi?id=193221
1496
1497         Reviewed by Mark Lam.
1498
1499         * stress/put-by-id-flags.js: Added.
1500         (f):
1501         (g):
1502         (numberOfDFGCompiles):
1503
1504 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1505
1506         Baseline version of get_by_id may corrupt metadata
1507         https://bugs.webkit.org/show_bug.cgi?id=193085
1508         <rdar://problem/23453006>
1509
1510         Reviewed by Saam Barati.
1511
1512         * stress/get-by-id-change-mode.js: Added.
1513         (forEach):
1514
1515 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1516
1517         [JSC] Optimize Object.prototype.toString
1518         https://bugs.webkit.org/show_bug.cgi?id=193031
1519
1520         Reviewed by Saam Barati.
1521
1522         * stress/object-tostring-changed-proto.js: Added.
1523         (shouldBe):
1524         (test):
1525         * stress/object-tostring-changed.js: Added.
1526         (shouldBe):
1527         (test):
1528         * stress/object-tostring-misc.js: Added.
1529         (shouldBe):
1530         (test):
1531         (i.switch):
1532         * stress/object-tostring-other.js: Added.
1533         (shouldBe):
1534         (test):
1535         * stress/object-tostring-untyped.js: Added.
1536         (shouldBe):
1537         (test):
1538         (i.switch):
1539
1540 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1541
1542         test262-runner misbehaves when test file YAML has a trailing space
1543         https://bugs.webkit.org/show_bug.cgi?id=193053
1544
1545         Reviewed by Yusuke Suzuki.
1546
1547         * test262/expectations.yaml:
1548         Mark two dozen tests as passing (and correct the output of another).
1549
1550 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1551
1552         Unreviewed, JSTests gardening with memoryLimited
1553
1554         * stress/string-overflow-createError.js:
1555
1556 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1557
1558         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1559         https://bugs.webkit.org/show_bug.cgi?id=193050
1560
1561         Reviewed by Yusuke Suzuki.
1562
1563         * test262.yaml:
1564         * test262/expectations.yaml:
1565         Mark 16 tests as passing.
1566
1567 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1568
1569         [BigInt] Support BigInt in JSON.stringify
1570         https://bugs.webkit.org/show_bug.cgi?id=192624
1571
1572         Reviewed by Saam Barati.
1573
1574         * stress/big-int-json-stringify-to-json.js: Added.
1575         (shouldBe):
1576         (shouldThrow):
1577         (BigInt.prototype.toJSON):
1578         (shouldBe.JSON.stringify):
1579         * stress/big-int-json-stringify.js: Added.
1580         (shouldBe):
1581         (shouldThrow):
1582
1583 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1584
1585         [JSC] Implement "well-formed JSON.stringify" proposal
1586         https://bugs.webkit.org/show_bug.cgi?id=191677
1587
1588         Reviewed by Darin Adler.
1589
1590         * stress/json-surrogate-pair.js: Added.
1591         (shouldBe):
1592         * test262/expectations.yaml:
1593
1594 2018-12-20  Keith Miller  <keith_miller@apple.com>
1595
1596         Add support for globalThis
1597         https://bugs.webkit.org/show_bug.cgi?id=165171
1598
1599         Reviewed by Mark Lam.
1600
1601         * test262/config.yaml:
1602
1603 2018-12-19  Keith Miller  <keith_miller@apple.com>
1604
1605         Update test262 configuration to not run tests dependent on ICU version.
1606         https://bugs.webkit.org/show_bug.cgi?id=192920
1607
1608         Reviewed by Saam Barati.
1609
1610         * test262/expectations.yaml:
1611
1612 2018-12-20  Mark Lam  <mark.lam@apple.com>
1613
1614         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1615         https://bugs.webkit.org/show_bug.cgi?id=192939
1616         <rdar://problem/46869516>
1617
1618         Reviewed by Keith Miller.
1619
1620         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1621
1622 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1623
1624         WTF::String and StringImpl overflow MaxLength
1625         https://bugs.webkit.org/show_bug.cgi?id=192853
1626         <rdar://problem/45726906>
1627
1628         Reviewed by Mark Lam.
1629
1630         * stress/string-16bit-repeat-overflow.js: Added.
1631         (catch):
1632
1633 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1634
1635         Unreviewed follow-up to r192914.
1636
1637         * test262/expectations.yaml:
1638         Add the last 20 missing expectations.
1639
1640 2018-12-19  Keith Miller  <keith_miller@apple.com>
1641
1642         Fix test262 expectations
1643         https://bugs.webkit.org/show_bug.cgi?id=192914
1644
1645         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1646
1647         * test262/expectations.yaml:
1648
1649 2018-12-19  Keith Miller  <keith_miller@apple.com>
1650
1651         Update test262 tests.
1652         https://bugs.webkit.org/show_bug.cgi?id=192907
1653
1654         Rubber stamped by Mark Lam.
1655
1656         * test262/*: Omitted because prepare-changelog crashes.
1657
1658 2018-12-19  Mark Lam  <mark.lam@apple.com>
1659
1660         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1661         https://bugs.webkit.org/show_bug.cgi?id=192464
1662         <rdar://problem/46519455>
1663
1664         Reviewed by Saam Barati.
1665
1666         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1667         microbenchmark.
1668
1669         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1670         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1671
1672 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1673
1674         String overflow in JSC::createError results in ASSERT in WTF::makeString
1675         https://bugs.webkit.org/show_bug.cgi?id=192833
1676         <rdar://problem/45706868>
1677
1678         Reviewed by Mark Lam.
1679
1680         * stress/string-overflow-createError.js: Added.
1681
1682 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1683
1684         Error message for `-x ** y` contains a typo.
1685         https://bugs.webkit.org/show_bug.cgi?id=192832
1686
1687         Reviewed by Saam Barati.
1688
1689         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1690         (assert.assert.return.throws):
1691         * stress/pow-expects-update-expression-on-lhs.js:
1692         (throw.new.Error):
1693         Update test expectations which match against the exact error message.
1694
1695 2018-12-18  Mark Lam  <mark.lam@apple.com>
1696
1697         Gardening: test options fix.
1698         https://bugs.webkit.org/show_bug.cgi?id=192822
1699
1700         Unreviewed.
1701
1702         * stress/json-stringify-string-builder-overflow.js:
1703
1704 2018-12-18  Mark Lam  <mark.lam@apple.com>
1705
1706         JSON.stringify() should throw OOM on StringBuilder overflows.
1707         https://bugs.webkit.org/show_bug.cgi?id=192822
1708         <rdar://problem/46670577>
1709
1710         Reviewed by Saam Barati.
1711
1712         * stress/json-stringify-string-builder-overflow.js: Added.
1713
1714 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1715
1716         Redeclaration of var over let/const/class should be a syntax error.
1717         https://bugs.webkit.org/show_bug.cgi?id=192298
1718
1719         Reviewed by Keith Miller.
1720
1721         * test262.yaml:
1722         * test262/expectations.yaml:
1723         Mark 46 tests as passing.
1724
1725         * stress/block-scope-redeclarations.js:
1726         Add some new tests.
1727
1728         * stress/for-in-invalidate-context-weird-assignments.js:
1729         * stress/for-in-tests.js:
1730         Replace tests for outdated behavior with tests for SyntaxError.
1731
1732         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1733         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1734         Update expectations.
1735
1736 2018-12-18  Mark Lam  <mark.lam@apple.com>
1737
1738         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1739         https://bugs.webkit.org/show_bug.cgi?id=191374
1740         <rdar://problem/46525447>
1741
1742         Reviewed by Yusuke Suzuki.
1743
1744         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1745
1746         * stress/elidable-new-object-roflcopter-then-exit.js:
1747
1748 2018-12-17  Mark Lam  <mark.lam@apple.com>
1749
1750         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1751         https://bugs.webkit.org/show_bug.cgi?id=192019
1752         <rdar://problem/46525456>
1753
1754         Reviewed by Yusuke Suzuki.
1755
1756         The test runs too slow on 32-bit.
1757
1758         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1759
1760 2018-12-17  Mark Lam  <mark.lam@apple.com>
1761
1762         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1763         https://bugs.webkit.org/show_bug.cgi?id=191373
1764         <rdar://problem/46525458>
1765
1766         Reviewed by Yusuke Suzuki.
1767
1768         The test is already slow running with a JIT on 64-bit.  It will always timeout
1769         on 32-bit without a JIT.
1770
1771         * stress/materialize-regexp-cyclic-regexp.js:
1772
1773 2018-12-17  Mark Lam  <mark.lam@apple.com>
1774
1775         Array unshift/shift should not race against the AI in the compiler thread.
1776         https://bugs.webkit.org/show_bug.cgi?id=192795
1777         <rdar://problem/46724263>
1778
1779         Reviewed by Saam Barati.
1780
1781         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1782
1783 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1784
1785         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1786         https://bugs.webkit.org/show_bug.cgi?id=190047
1787
1788         Reviewed by Saam Barati.
1789
1790         * stress/object-keys-cached-zero.js: Added.
1791         (shouldBe):
1792         (test):
1793         * stress/object-keys-changed-attribute.js: Added.
1794         (shouldBe):
1795         (test):
1796         * stress/object-keys-changed-index.js: Added.
1797         (shouldBe):
1798         (test):
1799         * stress/object-keys-changed.js: Added.
1800         (shouldBe):
1801         (test):
1802         * stress/object-keys-indexed-non-cache.js: Added.
1803         (shouldBe):
1804         (test):
1805         * stress/object-keys-overrides-get-property-names.js: Added.
1806         (shouldBe):
1807         (test):
1808         (noInline):
1809
1810 2018-12-17  Mark Lam  <mark.lam@apple.com>
1811
1812         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1813         https://bugs.webkit.org/show_bug.cgi?id=192779
1814         <rdar://problem/46775869>
1815
1816         Reviewed by Saam Barati.
1817
1818         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1819
1820 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1821
1822         Unreviewed test gardening, address a syntax error in a new test.
1823
1824         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1825
1826 2018-12-17  Mark Lam  <mark.lam@apple.com>
1827
1828         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1829         https://bugs.webkit.org/show_bug.cgi?id=192776
1830         <rdar://problem/46772368>
1831
1832         Reviewed by Keith Miller.
1833
1834         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1835
1836 2018-12-17  Mark Lam  <mark.lam@apple.com>
1837
1838         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1839         https://bugs.webkit.org/show_bug.cgi?id=192770
1840         <rdar://problem/46449037>
1841
1842         Reviewed by Keith Miller.
1843
1844         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1845
1846 2018-12-14  Mark Lam  <mark.lam@apple.com>
1847
1848         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1849         https://bugs.webkit.org/show_bug.cgi?id=192717
1850         <rdar://problem/46660677>
1851
1852         Reviewed by Saam Barati.
1853
1854         * stress/regress-192717.js: Added.
1855
1856 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1857
1858         Unreviewed, rolling out r239153, r239154, and r239155.
1859         https://bugs.webkit.org/show_bug.cgi?id=192715
1860
1861         Caused flaky GC-related crashes seen with layout tests
1862         (Requested by ryanhaddad on #webkit).
1863
1864         Reverted changesets:
1865
1866         "[JSC] Optimize Object.keys by caching own keys results in
1867         StructureRareData"
1868         https://bugs.webkit.org/show_bug.cgi?id=190047
1869         https://trac.webkit.org/changeset/239153
1870
1871         "Unreviewed, build fix after r239153"
1872         https://bugs.webkit.org/show_bug.cgi?id=190047
1873         https://trac.webkit.org/changeset/239154
1874
1875         "Unreviewed, build fix after r239153, part 2"
1876         https://bugs.webkit.org/show_bug.cgi?id=190047
1877         https://trac.webkit.org/changeset/239155
1878
1879 2018-12-14  Keith Miller  <keith_miller@apple.com>
1880
1881         Callers of JSString::getIndex should check for OOM exceptions
1882         https://bugs.webkit.org/show_bug.cgi?id=192709
1883
1884         Reviewed by Mark Lam.
1885
1886         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1887
1888 2018-12-13  Mark Lam  <mark.lam@apple.com>
1889
1890         Add a missing exception check.
1891         https://bugs.webkit.org/show_bug.cgi?id=192626
1892         <rdar://problem/46662163>
1893
1894         Reviewed by Keith Miller.
1895
1896         * stress/regress-192626.js: Added.
1897
1898 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1899
1900         [BigInt] Add ValueDiv into DFG
1901         https://bugs.webkit.org/show_bug.cgi?id=186178
1902
1903         Reviewed by Yusuke Suzuki.
1904
1905         * stress/big-int-div-jit-osr.js: Added.
1906         * stress/big-int-div-jit-untyped.js: Added.
1907         * stress/value-div-fixup-int32-big-int.js: Added.
1908
1909 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1910
1911         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1912         https://bugs.webkit.org/show_bug.cgi?id=190047
1913
1914         Reviewed by Keith Miller.
1915
1916         * stress/object-keys-cached-zero.js: Added.
1917         (shouldBe):
1918         (test):
1919         * stress/object-keys-changed-attribute.js: Added.
1920         (shouldBe):
1921         (test):
1922         * stress/object-keys-changed-index.js: Added.
1923         (shouldBe):
1924         (test):
1925         * stress/object-keys-changed.js: Added.
1926         (shouldBe):
1927         (test):
1928         * stress/object-keys-indexed-non-cache.js: Added.
1929         (shouldBe):
1930         (test):
1931         * stress/object-keys-overrides-get-property-names.js: Added.
1932         (shouldBe):
1933         (test):
1934         (noInline):
1935
1936 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1937
1938         [DFG][FTL] Add NewSymbol
1939         https://bugs.webkit.org/show_bug.cgi?id=192620
1940
1941         Reviewed by Saam Barati.
1942
1943         * microbenchmarks/symbol-creation.js: Added.
1944         (test):
1945         * stress/symbol-description-identity.js: Added.
1946         (shouldBe):
1947         (test):
1948         * stress/symbol-identity.js: Added.
1949         (shouldBe):
1950         (test):
1951         * stress/symbol-with-description-throw-error.js: Added.
1952         (shouldBe):
1953         (shouldThrow):
1954         (test):
1955         (object.toString):
1956
1957 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1958
1959         [BigInt] Implement DFG/FTL typeof for BigInt
1960         https://bugs.webkit.org/show_bug.cgi?id=192619
1961
1962         Reviewed by Keith Miller.
1963
1964         * stress/big-int-boolean-proven-type.js: Added.
1965         (assert):
1966         (bool):
1967         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1968         (assert):
1969         (typeOf):
1970         (i.switch):
1971         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1972         (assert):
1973         (typeOf):
1974         * stress/big-int-type-of.js:
1975         (typeOf):
1976         (func):
1977
1978 2018-12-10  Mark Lam  <mark.lam@apple.com>
1979
1980         PropertyAttribute needs a CustomValue bit.
1981         https://bugs.webkit.org/show_bug.cgi?id=191993
1982         <rdar://problem/46264467>
1983
1984         Reviewed by Saam Barati.
1985
1986         * stress/regress-191993.js: Added.
1987
1988 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1989
1990         [BigInt] Add ValueMul into DFG
1991         https://bugs.webkit.org/show_bug.cgi?id=186175
1992
1993         Reviewed by Yusuke Suzuki.
1994
1995         * stress/big-int-mul-jit-osr.js: Added.
1996         * stress/big-int-mul-jit-untyped.js: Added.
1997         * stress/value-mul-fixup-int32-big-int.js: Added.
1998
1999 2018-12-06  Keith Miller  <keith_miller@apple.com>
2000
2001         stress/big-wasm-memory tests failing on 32-bit JSC bot
2002         https://bugs.webkit.org/show_bug.cgi?id=192020
2003
2004         Reviewed by Saam Barati.
2005
2006         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2007         the wasm stress tests if the WebAssembly object does not exist.
2008
2009         * stress/big-wasm-memory-grow-no-max.js:
2010         (test.foo):
2011         (test):
2012         (foo): Deleted.
2013         (catch): Deleted.
2014         * stress/big-wasm-memory-grow.js:
2015         (test.foo):
2016         (test):
2017         (foo): Deleted.
2018         (catch): Deleted.
2019         * stress/big-wasm-memory.js:
2020         (test.foo):
2021         (test):
2022         (foo): Deleted.
2023         (catch): Deleted.
2024
2025 2018-12-05  Mark Lam  <mark.lam@apple.com>
2026
2027         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2028         https://bugs.webkit.org/show_bug.cgi?id=192441
2029         <rdar://problem/46480355>
2030
2031         Reviewed by Saam Barati.
2032
2033         * stress/regress-192441.js: Added.
2034
2035 2018-12-04  Mark Lam  <mark.lam@apple.com>
2036
2037         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2038         https://bugs.webkit.org/show_bug.cgi?id=192386
2039         <rdar://problem/46445516>
2040
2041         Reviewed by Saam Barati.
2042
2043         * stress/regress-192386.js: Added.
2044
2045 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2046
2047         [ESNext][BigInt] Support logic operations
2048         https://bugs.webkit.org/show_bug.cgi?id=179903
2049
2050         Reviewed by Yusuke Suzuki.
2051
2052         * stress/big-int-branch-usage.js: Added.
2053         * stress/big-int-logical-and.js: Added.
2054         * stress/big-int-logical-not.js: Added.
2055         * stress/big-int-logical-or.js: Added.
2056
2057 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2058
2059         Unreviewed, rolling out r238833.
2060
2061         Breaks macOS and iOS debug builds.
2062
2063         Reverted changeset:
2064
2065         "[ESNext][BigInt] Support logic operations"
2066         https://bugs.webkit.org/show_bug.cgi?id=179903
2067         https://trac.webkit.org/changeset/238833
2068
2069 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2070
2071         [ESNext][BigInt] Support logic operations
2072         https://bugs.webkit.org/show_bug.cgi?id=179903
2073
2074         Reviewed by Yusuke Suzuki.
2075
2076         * stress/big-int-branch-usage.js: Added.
2077         * stress/big-int-logical-and.js: Added.
2078         * stress/big-int-logical-not.js: Added.
2079         * stress/big-int-logical-or.js: Added.
2080
2081 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2082
2083         [ESNext][BigInt] Implement support for "<<" and ">>"
2084         https://bugs.webkit.org/show_bug.cgi?id=186233
2085
2086         Reviewed by Yusuke Suzuki.
2087
2088         * stress/big-int-left-shift-general.js: Added.
2089         * stress/big-int-left-shift-range-error.js: Added.
2090         * stress/big-int-left-shift-type-error.js: Added.
2091         * stress/big-int-left-shift-wrapped-value.js: Added.
2092         * stress/big-int-right-shift-general.js: Added.
2093         * stress/big-int-right-shift-type-error.js: Added.
2094         * stress/big-int-right-shift-wrapped-value.js: Added.
2095         * stress/left-shift-to-primitive-precedence.js: Added.
2096         * stress/right-shift-to-primitive-precedence.js: Added.
2097
2098 2018-11-30  Dean Jackson  <dino@apple.com>
2099
2100         Add first-class support for .mjs files in jsc binary
2101         https://bugs.webkit.org/show_bug.cgi?id=192190
2102         <rdar://problem/46375715>
2103
2104         Reviewed by Keith Miller.
2105
2106         * stress/simple-module.mjs: Added.
2107         * stress/simple-script.js: Added.
2108
2109 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2110
2111         [BigInt] Implement ValueBitXor into DFG
2112         https://bugs.webkit.org/show_bug.cgi?id=190264
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         * stress/big-int-bitwise-xor-jit.js: Added.
2117         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2118         * stress/big-int-bitwise-xor-untyped.js: Added.
2119
2120 2018-11-27  Saam barati  <sbarati@apple.com>
2121
2122         r238510 broke scopes of size zero
2123         https://bugs.webkit.org/show_bug.cgi?id=192033
2124         <rdar://problem/46281734>
2125
2126         Reviewed by Keith Miller.
2127
2128         * stress/r238510-bad-loop.js: Added.
2129         (foo):
2130
2131 2018-11-27  Mark Lam  <mark.lam@apple.com>
2132
2133         [Re-landing] NaNs read from Wasm code needs to be be purified.
2134         https://bugs.webkit.org/show_bug.cgi?id=191056
2135         <rdar://problem/45660341>
2136
2137         Reviewed by Filip Pizlo.
2138
2139         * wasm/regress/regress-191056.js: Added.
2140
2141 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2142
2143         Unreviewed, rolling out r238509.
2144
2145         Causes JSC tests to fail on iOS.
2146
2147         Reverted changeset:
2148
2149         "NaNs read from Wasm code needs to be be purified."
2150         https://bugs.webkit.org/show_bug.cgi?id=191056
2151         https://trac.webkit.org/changeset/238509
2152
2153 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2154
2155         Re-introduce op_bitnot
2156         https://bugs.webkit.org/show_bug.cgi?id=190923
2157
2158         Reviewed by Yusuke Suzuki.
2159
2160         * stress/bit-not-must-generate.js: Added.
2161         * stress/bitwise-not-no-int32.js: Added.
2162
2163 2018-11-26  Saam barati  <sbarati@apple.com>
2164
2165         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2166         https://bugs.webkit.org/show_bug.cgi?id=191956
2167         <rdar://problem/45665806>
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2172         (bar):
2173         (foo):
2174
2175 2018-11-26  Saam barati  <sbarati@apple.com>
2176
2177         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2178         https://bugs.webkit.org/show_bug.cgi?id=191958
2179         <rdar://problem/46221877>
2180
2181         Reviewed by Yusuke Suzuki.
2182
2183         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2184         (x):
2185         (foo):
2186
2187 2018-11-26  Mark Lam  <mark.lam@apple.com>
2188
2189         NaNs read from Wasm code needs to be be purified.
2190         https://bugs.webkit.org/show_bug.cgi?id=191056
2191         <rdar://problem/45660341>
2192
2193         Reviewed by Filip Pizlo.
2194
2195         * wasm/regress/regress-191056.js: Added.
2196
2197 2018-11-26  Michael Saboff  <msaboff@apple.com>
2198
2199         32-bit JSC test failure: stress/regexp-compile-oom.js
2200         https://bugs.webkit.org/show_bug.cgi?id=191375
2201
2202         Reviewed by Mark Lam.
2203
2204         Disabled the test for 32 bit platforms.
2205
2206         * stress/regexp-compile-oom.js:
2207
2208 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2209
2210         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2211         https://bugs.webkit.org/show_bug.cgi?id=191716
2212         <rdar://problem/45723878>
2213
2214         Reviewed by Saam Barati.
2215
2216         * stress/regress-187373.js: Added.
2217         (async.fn):
2218
2219 2018-11-21  Saam barati  <sbarati@apple.com>
2220
2221         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2222         https://bugs.webkit.org/show_bug.cgi?id=191897
2223         <rdar://problem/45871998>
2224
2225         Reviewed by Mark Lam.
2226
2227         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2228         (bar):
2229         (foo):
2230
2231 2018-11-21  Saam barati  <sbarati@apple.com>
2232
2233         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2234         https://bugs.webkit.org/show_bug.cgi?id=191895
2235         <rdar://problem/46167406>
2236
2237         Reviewed by Mark Lam.
2238
2239         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2240         (foo):
2241         (bar):
2242
2243 2018-11-21  Mark Lam  <mark.lam@apple.com>
2244
2245         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2246         https://bugs.webkit.org/show_bug.cgi?id=191776
2247         <rdar://problem/46152851>
2248
2249         Reviewed by Saam Barati.
2250
2251         * stress/big-wasm-memory-grow-no-max.js:
2252         * stress/big-wasm-memory-grow.js:
2253         * stress/big-wasm-memory.js:
2254         - updated these to expect an OutOfMemoryError.
2255
2256         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2257         (Binary.prototype.emit_u8):
2258         (Binary.prototype.emit_u32v):
2259         (Binary.prototype.emit_header):
2260         (Binary.prototype.emit_section):
2261         (Binary):
2262         (WasmModuleBuilder):
2263         (WasmModuleBuilder.prototype.addMemory):
2264         (WasmModuleBuilder.prototype.toArray):
2265         (WasmModuleBuilder.prototype.toBuffer):
2266         (WasmModuleBuilder.prototype.instantiate):
2267         (catch):
2268         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2269         (catch):
2270
2271 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2272
2273         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2274         https://bugs.webkit.org/show_bug.cgi?id=190836
2275
2276         Reviewed by Saam Barati and Yusuke Suzuki.
2277
2278         * stress/big-int-out-of-memory-tests.js: Added.
2279
2280 2018-11-20  Mark Lam  <mark.lam@apple.com>
2281
2282         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2283         https://bugs.webkit.org/show_bug.cgi?id=191856
2284         <rdar://problem/46089992>
2285
2286         Reviewed by Yusuke Suzuki.
2287
2288         * stress/regress-191856.js: Added.
2289         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2290
2291 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2292
2293         Enable JIT on ARM/Linux
2294         https://bugs.webkit.org/show_bug.cgi?id=191548
2295
2296         Reviewed by Yusuke Suzuki.
2297
2298         Disable test on system with limited memory. Program was killed by
2299         the OS before the exception was thrown.
2300
2301         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2302
2303 2018-11-20  Saam barati  <sbarati@apple.com>
2304
2305         Merging an IC variant may lead to the IC status containing overlapping structure sets
2306         https://bugs.webkit.org/show_bug.cgi?id=191869
2307         <rdar://problem/45403453>
2308
2309         Reviewed by Mark Lam.
2310
2311         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2312
2313 2018-11-19  Mark Lam  <mark.lam@apple.com>
2314
2315         globalFuncImportModule() should return a promise when it clears exceptions.
2316         https://bugs.webkit.org/show_bug.cgi?id=191792
2317         <rdar://problem/46090763>
2318
2319         Reviewed by Michael Saboff.
2320
2321         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2322
2323 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2324
2325         Skip new memory-hungry tests on memory limited devices
2326
2327         Unreviewed gardening.
2328
2329         * stress/big-wasm-memory-grow-no-max.js:
2330         * stress/big-wasm-memory-grow.js:
2331         * stress/big-wasm-memory.js:
2332
2333 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2334
2335         Unreviewed, rolling in the rest of r237254
2336         https://bugs.webkit.org/show_bug.cgi?id=190340
2337
2338         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2339         * stress/function-cache-with-parameters-end-position.js: Added.
2340         (shouldBe):
2341         (shouldThrow):
2342         (i.anonymous):
2343         * stress/function-constructor-name.js: Added.
2344         (shouldBe):
2345         (GeneratorFunction):
2346         (AsyncFunction.async):
2347         (AsyncGeneratorFunction.async):
2348         (anonymous):
2349         (async.anonymous):
2350         * test262/expectations.yaml:
2351
2352 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2353
2354         All users of ArrayBuffer should agree on the same max size
2355         https://bugs.webkit.org/show_bug.cgi?id=191771
2356
2357         Reviewed by Mark Lam.
2358
2359         * stress/big-wasm-memory-grow-no-max.js: Added.
2360         (foo):
2361         (catch):
2362         * stress/big-wasm-memory-grow.js: Added.
2363         (foo):
2364         (catch):
2365         * stress/big-wasm-memory.js: Added.
2366         (foo):
2367         (catch):
2368
2369 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2370
2371         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2372         run for each JSC config since they're regression tests for runtime bugs.
2373
2374         * stress/json-stringified-overflow-2.js:
2375         * stress/json-stringified-overflow.js:
2376
2377 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2378
2379         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2380         config since they're regression tests for runtime bugs.
2381
2382         * stress/large-unshift-splice.js:
2383         * stress/regress-185888.js:
2384
2385 2018-11-16  Saam Barati  <sbarati@apple.com>
2386
2387         KnownCellUse should also have SpecCellCheck as its type filter
2388         https://bugs.webkit.org/show_bug.cgi?id=191729
2389         <rdar://problem/45872852>
2390
2391         Reviewed by Filip Pizlo.
2392
2393         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2394         (C):
2395
2396 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2397
2398         Fix assertion failure on BytecodeGenerator::recordOpcode
2399         https://bugs.webkit.org/show_bug.cgi?id=191724
2400         <rdar://problem/45724395>
2401
2402         Reviewed by Saam Barati.
2403
2404         * stress/regress-187373-2.js: Added.
2405         (foo):
2406
2407 2018-11-15  Mark Lam  <mark.lam@apple.com>
2408
2409         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2410         https://bugs.webkit.org/show_bug.cgi?id=191730
2411         <rdar://problem/46048517>
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/regress-187006.js: Removed.
2416           - this test is invalid because its sole purpose is to test for the non-spec
2417             compliant behavior that we just fixed.
2418
2419         * stress/regress-191730.js: Added.
2420
2421 2018-11-15  Mark Lam  <mark.lam@apple.com>
2422
2423         RegExp operations should not take fast patch if lastIndex is not numeric.
2424         https://bugs.webkit.org/show_bug.cgi?id=191731
2425         <rdar://problem/46017305>
2426
2427         Reviewed by Saam Barati.
2428
2429         * stress/regress-191731.js: Added.
2430
2431 2018-11-13  Saam Barati  <sbarati@apple.com>
2432
2433         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2434         https://bugs.webkit.org/show_bug.cgi?id=191600
2435
2436         Reviewed by Mark Lam.
2437
2438         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2439         (foo):
2440         (test):
2441         (bar):
2442
2443 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2444
2445         Unreviewed, rolling out r238132.
2446
2447         The test added with this change is timing out on Debug JSC
2448         bots.
2449
2450         Reverted changeset:
2451
2452         "[BigInt] JSBigInt::createWithLength should throw when length
2453         is greater than JSBigInt::maxLength"
2454         https://bugs.webkit.org/show_bug.cgi?id=190836
2455         https://trac.webkit.org/changeset/238132
2456
2457 2018-11-13  Mark Lam  <mark.lam@apple.com>
2458
2459         Add OOM detection to StringPrototype's substituteBackreferences().
2460         https://bugs.webkit.org/show_bug.cgi?id=191563
2461         <rdar://problem/45720428>
2462
2463         Reviewed by Saam Barati.
2464
2465         * stress/regress-191563.js: Added.
2466
2467 2018-11-13  Mark Lam  <mark.lam@apple.com>
2468
2469         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2470         https://bugs.webkit.org/show_bug.cgi?id=191579
2471         <rdar://problem/45942472>
2472
2473         Reviewed by Saam Barati.
2474
2475         * stress/regress-191579.js: Added.
2476
2477 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2478
2479         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2480         https://bugs.webkit.org/show_bug.cgi?id=190836
2481
2482         Reviewed by Saam Barati.
2483
2484         * stress/big-int-out-of-memory-tests.js: Added.
2485
2486 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2487
2488         U+180E is no longer a whitespace character
2489         https://bugs.webkit.org/show_bug.cgi?id=191415
2490
2491         Reviewed by Saam Barati.
2492
2493         * ChakraCore/test/es5/regexSpace.baseline:
2494         * ChakraCore/test/es6/unicode_whitespace.js:
2495         Update tests to latest version.
2496         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2497
2498         * test262.yaml:
2499         * test262/config.yaml:
2500         * test262/expectations.yaml:
2501         Update expectations.
2502
2503 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2504
2505         [BigInt] Add support to BigInt into ValueAdd
2506         https://bugs.webkit.org/show_bug.cgi?id=186177
2507
2508         Reviewed by Keith Miller.
2509
2510         * stress/big-int-negate-jit.js:
2511         * stress/value-add-big-int-and-string.js: Added.
2512         * stress/value-add-big-int-prediction-propagation.js: Added.
2513         * stress/value-add-big-int-untyped.js: Added.
2514
2515 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2516
2517         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2518         https://bugs.webkit.org/show_bug.cgi?id=191184
2519
2520         Reviewed by Saam Barati.
2521
2522         Most tests were failing due to timeouts, since they are too slow to
2523         run on CLoop. The exceptions are:
2524
2525         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2526         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2527         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2528         to change the stack size since CLoop requires it to be page aligned.
2529
2530         * microbenchmarks/array-push-1.js:
2531         * microbenchmarks/array-push-2.js:
2532         * microbenchmarks/elidable-new-object-dag.js:
2533         * microbenchmarks/elidable-new-object-roflcopter.js:
2534         * microbenchmarks/elidable-new-object-tree.js:
2535         * microbenchmarks/getter-richards.js:
2536         * microbenchmarks/sinkable-new-object-dag.js:
2537         * microbenchmarks/string-concat-long-convert.js:
2538         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2539         * slowMicrobenchmarks/array-push-3.js:
2540         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2541         * slowMicrobenchmarks/spread-small-array.js:
2542         * slowMicrobenchmarks/undefined-property-access.js:
2543         * stress/activation-sink-default-value-tdz-error.js:
2544         * stress/activation-sink-default-value.js:
2545         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2546         * stress/activation-sink-osrexit-default-value.js:
2547         * stress/activation-sink-osrexit.js:
2548         * stress/activation-sink.js:
2549         * stress/allow-math-ic-b3-code-duplication.js:
2550         * stress/array-push-multiple-int32.js:
2551         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2552         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2553         * stress/arrowfunction-lexical-this-activation-sink.js:
2554         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2555         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2556         * stress/elide-new-object-dag-then-exit.js:
2557         * stress/materialize-regexp-cyclic.js:
2558         * stress/new-regex-inline.js:
2559         * stress/op_add.js:
2560         * stress/op_bitand.js:
2561         * stress/op_bitor.js:
2562         * stress/op_bitxor.js:
2563         * stress/op_div-ConstVar.js:
2564         * stress/op_div-VarConst.js:
2565         * stress/op_div-VarVar.js:
2566         * stress/op_lshift-ConstVar.js:
2567         * stress/op_lshift-VarConst.js:
2568         * stress/op_lshift-VarVar.js:
2569         * stress/op_mod-ConstVar.js:
2570         * stress/op_mod-VarConst.js:
2571         * stress/op_mod-VarVar.js:
2572         * stress/op_mul-ConstVar.js:
2573         * stress/op_mul-VarConst.js:
2574         * stress/op_mul-VarVar.js:
2575         * stress/op_rshift-ConstVar.js:
2576         * stress/op_rshift-VarConst.js:
2577         * stress/op_rshift-VarVar.js:
2578         * stress/op_sub-ConstVar.js:
2579         * stress/op_sub-VarConst.js:
2580         * stress/op_sub-VarVar.js:
2581         * stress/op_urshift-ConstVar.js:
2582         * stress/op_urshift-VarConst.js:
2583         * stress/op_urshift-VarVar.js:
2584         * stress/proxy-get-set-correct-receiver.js:
2585         * stress/regress-179562.js:
2586         * stress/rest-parameter-many-arguments.js:
2587         * stress/sampling-profiler-richards.js:
2588         * stress/splay-flash-access-1ms.js:
2589         * stress/tailCallForwardArguments.js:
2590         * stress/typed-array-get-by-val-profiling.js:
2591         * typeProfiler/getter-richards.js:
2592
2593 2018-11-06  Michael Saboff  <msaboff@apple.com>
2594
2595         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2596         https://bugs.webkit.org/show_bug.cgi?id=191271
2597
2598         Reviewed by Saam Barati.
2599
2600         Added more test cases and made all test cases run with the same deeply recursive stack
2601         instead of finding that same point for each test case.
2602
2603         * stress/regexp-compile-oom.js:
2604         (prototype.runTest):
2605         (recurseAndTest):
2606         (testList.push.new.TestAndExpectedException):
2607
2608 2018-11-05  Michael Saboff  <msaboff@apple.com>
2609
2610         Unreviewed build fix for linux.
2611
2612         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2613
2614 2018-11-02  Michael Saboff  <msaboff@apple.com>
2615
2616         Rolling in r237753 with unreviewed build fix.
2617
2618         Fixed issues with DECLARE_THROW_SCOPE placement.
2619
2620 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2621
2622         Unreviewed, rolling out r237753.
2623
2624         Introduced JSC test failures
2625
2626         Reverted changeset:
2627
2628         "Running out of stack space not properly handled in
2629         RegExp::compile() and its callers"
2630         https://bugs.webkit.org/show_bug.cgi?id=191206
2631         https://trac.webkit.org/changeset/237753
2632
2633 2018-11-02  Michael Saboff  <msaboff@apple.com>
2634
2635         Running out of stack space not properly handled in RegExp::compile() and its callers
2636         https://bugs.webkit.org/show_bug.cgi?id=191206
2637
2638         Reviewed by Filip Pizlo.
2639
2640         New regression test.
2641
2642         * stress/regexp-compile-oom.js: Added.
2643         (recurseAndTest):
2644
2645 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2646
2647         Skip tests on arm/mips that time out now we're running on CLoop
2648
2649         Unreviewed gardening.
2650
2651         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2652         time out on the bots and need to be disabled. There's more tests
2653         disabled on arm because the timeout is longer on the mips bot (as the
2654         device is slower to start with), so many of the tests don't time out
2655         there.
2656
2657         * microbenchmarks/getter-richards.js: disable on arm and mips.
2658         * stress/op_add.js: disable on arm.
2659         * stress/op_bitand.js: disable on arm.
2660         * stress/op_bitor.js: disable on arm.
2661         * stress/op_bitxor.js: disable on arm.
2662         * stress/op_lshift-ConstVar.js: disable on arm.
2663         * stress/op_lshift-VarConst.js: disable on arm.
2664         * stress/op_lshift-VarVar.js: disable on arm.
2665         * stress/op_mod-ConstVar.js: disable on arm.
2666         * stress/op_mod-VarConst.js: disable on arm.
2667         * stress/op_mod-VarVar.js: disable on arm.
2668         * stress/op_mul-ConstVar.js: disable on arm.
2669         * stress/op_mul-VarConst.js: disable on arm.
2670         * stress/op_mul-VarVar.js: disable on arm.
2671         * stress/op_rshift-ConstVar.js: disable on arm.
2672         * stress/op_rshift-VarConst.js: disable on arm.
2673         * stress/op_rshift-VarVar.js: disable on arm.
2674         * stress/op_sub-ConstVar.js: disable on arm.
2675         * stress/op_sub-VarConst.js: disable on arm.
2676         * stress/op_sub-VarVar.js: disable on arm.
2677         * stress/op_urshift-ConstVar.js: disable on arm.
2678         * stress/op_urshift-VarConst.js: disable on arm.
2679         * stress/op_urshift-VarVar.js: disable on arm.
2680         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2681         * stress/value-to-boolean.js: disable on arm and mips.
2682
2683 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2684
2685         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2686         https://bugs.webkit.org/show_bug.cgi?id=191108
2687         <rdar://problem/45690700>
2688
2689         Reviewed by Saam Barati.
2690
2691         * stress/wide-op_catch.js: Added.
2692         (catch):
2693
2694 2018-10-29  Mark Lam  <mark.lam@apple.com>
2695
2696         Correctly detect string overflow when using the 'Function' constructor.
2697         https://bugs.webkit.org/show_bug.cgi?id=184883
2698         <rdar://problem/36320331>
2699
2700         Reviewed by Saam Barati.
2701
2702         I've verified that this passes on 32-bit as well.
2703
2704         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2705
2706 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2707
2708         Add support for GetStack FlushedDouble
2709         https://bugs.webkit.org/show_bug.cgi?id=191012
2710         <rdar://problem/45265141>
2711
2712         Reviewed by Saam Barati.
2713
2714         * stress/get-stack-double.js: Added.
2715         (bar):
2716         (noInline):
2717
2718 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2719
2720         New bytecode format for JSC
2721         https://bugs.webkit.org/show_bug.cgi?id=187373
2722         <rdar://problem/44186758>
2723
2724         Reviewed by Filip Pizlo.
2725
2726         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2727
2728         * stress/maximum-inline-capacity.js: Added.
2729         (test1):
2730         (test3.Foo):
2731         (test3):
2732
2733 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2734
2735         Unreviewed, rolling out r237479 and r237484.
2736         https://bugs.webkit.org/show_bug.cgi?id=190978
2737
2738         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2739
2740         Reverted changesets:
2741
2742         "New bytecode format for JSC"
2743         https://bugs.webkit.org/show_bug.cgi?id=187373
2744         https://trac.webkit.org/changeset/237479
2745
2746         "Gardening: Build fix after r237479."
2747         https://bugs.webkit.org/show_bug.cgi?id=187373
2748         https://trac.webkit.org/changeset/237484
2749
2750 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2751
2752         New bytecode format for JSC
2753         https://bugs.webkit.org/show_bug.cgi?id=187373
2754         <rdar://problem/44186758>
2755
2756         Reviewed by Filip Pizlo.
2757
2758         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2759
2760         * stress/maximum-inline-capacity.js: Added.
2761         (test1):
2762         (test3.Foo):
2763         (test3):
2764
2765 2018-10-26  Mark Lam  <mark.lam@apple.com>
2766
2767         Fix missing edge cases with JSGlobalObjects having a bad time.
2768         https://bugs.webkit.org/show_bug.cgi?id=189028
2769         <rdar://problem/45204939>
2770
2771         Reviewed by Saam Barati.
2772
2773         * stress/regress-189028.js: Added.
2774
2775 2018-10-22  Mark Lam  <mark.lam@apple.com>
2776
2777         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2778         https://bugs.webkit.org/show_bug.cgi?id=190515
2779         <rdar://problem/45222379>
2780
2781         Rubber-stamped by Saam Barati.
2782
2783         Adding another test.
2784
2785         * stress/regress-190515-2.js: Added.
2786
2787 2018-10-22  Mark Lam  <mark.lam@apple.com>
2788
2789         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2790         https://bugs.webkit.org/show_bug.cgi?id=190515
2791         <rdar://problem/45222379>
2792
2793         Reviewed by Saam Barati.
2794
2795         * stress/regress-190515.js: Added.
2796
2797 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2798
2799         Unreviewed, rolling out r237254.
2800         https://bugs.webkit.org/show_bug.cgi?id=190760
2801
2802         "It regresses JetStream 2 by 5% on some iOS devices"
2803         (Requested by saamyjoon on #webkit).
2804
2805         Reverted changeset:
2806
2807         "[JSC] JSC should have "parseFunction" to optimize Function
2808         constructor"
2809         https://bugs.webkit.org/show_bug.cgi?id=190340
2810         https://trac.webkit.org/changeset/237254
2811
2812 2018-10-19  Saam Barati  <sbarati@apple.com>
2813
2814         vmCall should check if we exit before emitting an OSR exit due to exceptions
2815         https://bugs.webkit.org/show_bug.cgi?id=190740
2816         <rdar://problem/45220139>
2817
2818         Reviewed by Mark Lam.
2819
2820         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2821         (foo):
2822
2823 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2824
2825         [ESNext][BigInt] Implement support for "^"
2826         https://bugs.webkit.org/show_bug.cgi?id=186235
2827
2828         Reviewed by Yusuke Suzuki.
2829
2830         * stress/big-int-bitwise-xor-general.js: Added.
2831         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2832         * stress/big-int-bitwise-xor-type-error.js: Added.
2833         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2834
2835 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2836
2837         [BigInt] Add ValueSub into DFG
2838         https://bugs.webkit.org/show_bug.cgi?id=186176
2839
2840         Reviewed by Yusuke Suzuki.
2841
2842         * stress/big-int-subtraction-jit.js:
2843         * stress/value-sub-big-int-prediction-propagation.js: Added.
2844         * stress/value-sub-big-int-untyped.js: Added.
2845         * stress/value-sub-spec-none-case.js: Added.
2846
2847 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2848
2849         [JSC] JSC should have "parseFunction" to optimize Function constructor
2850         https://bugs.webkit.org/show_bug.cgi?id=190340
2851
2852         Reviewed by Mark Lam.
2853
2854         This patch fixes the line number of syntax errors raised by the Function constructor,
2855         since we now parse the final code only once. And we no longer use block statement
2856         for Function constructor's parsing.
2857
2858         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2859         * stress/function-cache-with-parameters-end-position.js: Added.
2860         (shouldBe):
2861         (shouldThrow):
2862         (i.anonymous):
2863         * stress/function-constructor-name.js: Added.
2864         (shouldBe):
2865         (GeneratorFunction):
2866         (AsyncFunction.async):
2867         (AsyncGeneratorFunction.async):
2868         (anonymous):
2869         (async.anonymous):
2870         * test262/expectations.yaml:
2871
2872 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2873
2874         Unreviewed, rolling out r237242.
2875         https://bugs.webkit.org/show_bug.cgi?id=190701
2876
2877         it breaks "stress/sampling-profiler-basic.js" (Requested by
2878         caiolima on #webkit).
2879
2880         Reverted changeset:
2881
2882         "[BigInt] Add ValueSub into DFG"
2883         https://bugs.webkit.org/show_bug.cgi?id=186176
2884         https://trac.webkit.org/changeset/237242
2885
2886 2018-10-17  Keith Miller  <keith_miller@apple.com>
2887
2888         AI does not clear Phantom allocation nodes.
2889         https://bugs.webkit.org/show_bug.cgi?id=190694
2890
2891         Reviewed by Saam Barati.
2892
2893         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2894         (Day):
2895         (DaysInYear):
2896         (TimeInYear):
2897         (TimeFromYear):
2898         (DayFromYear):
2899         (InLeapYear):
2900         (YearFromTime):
2901         (WeekDay):
2902         (DaylightSavingTA):
2903         (GetSecondSundayInMarch):
2904         (TimeInMonth):
2905
2906 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2907
2908         [BigInt] Add ValueSub into DFG
2909         https://bugs.webkit.org/show_bug.cgi?id=186176
2910
2911         Reviewed by Yusuke Suzuki.
2912
2913         * stress/big-int-subtraction-jit.js:
2914         * stress/value-sub-big-int-prediction-propagation.js: Added.
2915         * stress/value-sub-big-int-untyped.js: Added.
2916
2917 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2918
2919         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2920         https://bugs.webkit.org/show_bug.cgi?id=190611
2921
2922         Reviewed by Saam Barati.
2923
2924         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2925         to improve test runtime. On ARM/MIPS this test even timed out when running all
2926         tests.
2927
2928         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2929         (test):
2930
2931 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2932
2933         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2934
2935         Unreviewed gardening.
2936
2937         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2938
2939 2018-10-15  Saam barati  <sbarati@apple.com>
2940
2941         Emit fjcvtzs on ARM64E on Darwin
2942         https://bugs.webkit.org/show_bug.cgi?id=184023
2943
2944         Reviewed by Yusuke Suzuki and Filip Pizlo.
2945
2946         * stress/double-to-int32-NaN.js: Added.
2947         (assert):
2948         (foo):
2949
2950 2018-10-15  Saam Barati  <sbarati@apple.com>
2951
2952         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2953         https://bugs.webkit.org/show_bug.cgi?id=190262
2954         <rdar://problem/44986241>
2955
2956         Reviewed by Mark Lam.
2957
2958         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2959         (test):
2960         * stress/slice-array-storage-with-holes.js: Added.
2961         (main):
2962
2963 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2964
2965         Unreviewed, rolling out r237054.
2966         https://bugs.webkit.org/show_bug.cgi?id=190593
2967
2968         "this regressed JetStream 2 by 6% on iOS" (Requested by
2969         saamyjoon on #webkit).
2970
2971         Reverted changeset:
2972
2973         "[JSC] JSC should have "parseFunction" to optimize Function
2974         constructor"
2975         https://bugs.webkit.org/show_bug.cgi?id=190340
2976         https://trac.webkit.org/changeset/237054
2977
2978 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2979
2980         [JSC] JSON.stringify can accept call-with-no-arguments
2981         https://bugs.webkit.org/show_bug.cgi?id=190343
2982
2983         Reviewed by Mark Lam.
2984
2985         * stress/json-stringify-no-arguments.js: Added.
2986         (shouldBe):
2987
2988 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2989
2990         [JSC] JSC should have "parseFunction" to optimize Function constructor
2991         https://bugs.webkit.org/show_bug.cgi?id=190340
2992
2993         Reviewed by Mark Lam.
2994
2995         This patch fixes the line number of syntax errors raised by the Function constructor,
2996         since we now parse the final code only once. And we no longer use block statement
2997         for Function constructor's parsing.
2998
2999         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3000         * stress/function-cache-with-parameters-end-position.js: Added.
3001         (shouldBe):
3002         (shouldThrow):
3003         (i.anonymous):
3004         * stress/function-constructor-name.js: Added.
3005         (shouldBe):
3006         (GeneratorFunction):
3007         (AsyncFunction.async):
3008         (AsyncGeneratorFunction.async):
3009         (anonymous):
3010         (async.anonymous):
3011         * test262/expectations.yaml:
3012
3013 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3014
3015         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3016         https://bugs.webkit.org/show_bug.cgi?id=190426
3017
3018         Unreviewed gardening.
3019
3020         * stress/sampling-profiler-richards.js:
3021
3022 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3023
3024         [ESNext][BigInt] Implement support for "|"
3025         https://bugs.webkit.org/show_bug.cgi?id=186229
3026
3027         Reviewed by Yusuke Suzuki.
3028
3029         * stress/big-int-bitwise-and-jit.js:
3030         * stress/big-int-bitwise-or-general.js: Added.
3031         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3032         * stress/big-int-bitwise-or-jit.js: Added.
3033         * stress/big-int-bitwise-or-memory-stress.js: Added.
3034         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3035         * stress/big-int-bitwise-or-type-error.js: Added.
3036         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3037
3038 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3039
3040         Skip test on systems with limited memory
3041         https://bugs.webkit.org/show_bug.cgi?id=190310
3042
3043         Invoking runDefault adds test to runlist, skipping the test in the next
3044         line does not prevent the test from executing. Change order of lines such
3045         that runDefault is only executed if test is not executed.
3046
3047         Reviewed by Mark Lam.
3048
3049         * stress/regress-190187.js:
3050
3051 2018-10-03  Saam barati  <sbarati@apple.com>
3052
3053         lowXYZ in FTLLower should always filter the type of the incoming edge
3054         https://bugs.webkit.org/show_bug.cgi?id=189939
3055         <rdar://problem/44407030>
3056
3057         Reviewed by Michael Saboff.
3058
3059         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3060         (foo):
3061         (test):
3062
3063 2018-10-03  Mark Lam  <mark.lam@apple.com>
3064
3065         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3066         https://bugs.webkit.org/show_bug.cgi?id=190187
3067         <rdar://problem/42512909>
3068
3069         Reviewed by Michael Saboff.
3070
3071         * stress/regress-190187.js: Added.
3072
3073 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3074
3075         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3076         https://bugs.webkit.org/show_bug.cgi?id=190033
3077
3078         Reviewed by Yusuke Suzuki.
3079
3080         * stress/big-int-to-string.js:
3081
3082 2018-10-01  Mark Lam  <mark.lam@apple.com>
3083
3084         Function.toString() should also copy the source code Functions that are class definitions.
3085         https://bugs.webkit.org/show_bug.cgi?id=190186
3086         <rdar://problem/44733360>
3087
3088         Reviewed by Saam Barati.
3089
3090         * stress/regress-190186.js: Added.
3091
3092 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3093
3094         Split NaN-check into separate test
3095         https://bugs.webkit.org/show_bug.cgi?id=190010
3096
3097         Reviewed by Saam Barati.
3098
3099         DataView exposes NaN-representation, which is not necessarily the same on each
3100         architecture. Therefore move the check of the NaN-representation into its own
3101         file such that we can disable this test on MIPS where NaN-representation can be
3102         different on older CPUs.
3103
3104         * stress/dataview-jit-set-nan.js: Added.
3105         (assert):
3106         (test.storeLittleEndian):
3107         (test.storeBigEndian):
3108         (test.store):
3109         (test):
3110         * stress/dataview-jit-set.js:
3111         (test5):
3112
3113 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3114
3115         Unreviewed, rolling out r236647.
3116         https://bugs.webkit.org/show_bug.cgi?id=190124
3117
3118         Breaking test stress/big-int-to-string.js (Requested by
3119         caiolima_ on #webkit).
3120
3121         Reverted changeset:
3122
3123         "[BigInt] BigInt.proptotype.toString is broken when radix is
3124         power of 2"
3125         https://bugs.webkit.org/show_bug.cgi?id=190033
3126         https://trac.webkit.org/changeset/236647
3127
3128 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3129
3130         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3131         https://bugs.webkit.org/show_bug.cgi?id=190033
3132
3133         Reviewed by Yusuke Suzuki.
3134
3135         * stress/big-int-to-string.js:
3136
3137 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3138
3139         [ESNext][BigInt] Implement support for "&"
3140         https://bugs.webkit.org/show_bug.cgi?id=186228
3141
3142         Reviewed by Yusuke Suzuki.
3143
3144         * stress/big-int-bitwise-and-general.js: Added.
3145         (assert):
3146         (assert.sameValue):
3147         * stress/big-int-bitwise-and-jit.js: Added.
3148         (let.assert.sameValue):
3149         (bigIntBitAnd):
3150         * stress/big-int-bitwise-and-memory-stress.js: Added.
3151         (assert):
3152         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3153         (assert.sameValue):
3154         (let.o.Symbol.toPrimitive):
3155         (catch):
3156         * stress/big-int-bitwise-and-type-error.js: Added.
3157         (assert):
3158         (assertThrowTypeError):
3159         (let.o.valueOf):
3160         (o.valueOf):
3161         (o.toString):
3162         (o.Symbol.toPrimitive):
3163         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3164         (assert.sameValue):
3165         (testBitAnd):
3166         (let.o.Symbol.toPrimitive):
3167         (o.valueOf):
3168         (o.toString):
3169
3170 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3171
3172         JSC test stress/jsc-read.js doesn't support CRLF
3173         https://bugs.webkit.org/show_bug.cgi?id=190063
3174
3175         Reviewed by Yusuke Suzuki.
3176
3177         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3178
3179         * stress/jsc-read.js:
3180         (test):
3181
3182 2018-09-27  Saam barati  <sbarati@apple.com>
3183
3184         Verify the contents of AssemblerBuffer on arm64e
3185         https://bugs.webkit.org/show_bug.cgi?id=190057
3186         <rdar://problem/38916630>
3187
3188         Reviewed by Mark Lam.
3189
3190         * stress/regress-189132.js:
3191
3192 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3193
3194         Disable test without LLInt on ARMv7
3195         https://bugs.webkit.org/show_bug.cgi?id=190037
3196
3197         Reviewed by Mark Lam.
3198
3199         Test runs out of executable memory on ARMv7, do not run
3200         this test without LLInt enabled.
3201
3202         * stress/regress-169445.js:
3203
3204 2018-09-26  Keith Miller  <keith_miller@apple.com>
3205
3206         We should zero unused property storage when rebalancing array storage.
3207         https://bugs.webkit.org/show_bug.cgi?id=188151
3208
3209         Reviewed by Michael Saboff.
3210
3211         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3212
3213 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3214
3215         [JSC] Optimize Array#lastIndexOf
3216         https://bugs.webkit.org/show_bug.cgi?id=189780
3217
3218         Reviewed by Saam Barati.
3219
3220         * stress/array-lastindexof-array-prototype-trap.js: Added.
3221         (shouldBe):
3222         (AncestorArray.prototype.get 2):
3223         (AncestorArray):
3224         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3225         (shouldBe):
3226         * stress/array-lastindexof-hole-nan.js: Added.
3227         (shouldBe):
3228         (throw.new.Error):
3229         * stress/array-lastindexof-infinity.js: Added.
3230         (shouldBe):
3231         (throw.new.Error):
3232         * stress/array-lastindexof-negative-zero.js: Added.
3233         (shouldBe):
3234         (throw.new.Error):
3235         * stress/array-lastindexof-own-getter.js: Added.
3236         (shouldBe):
3237         (throw.new.Error.get array):
3238         (get array):
3239         * stress/array-lastindexof-prototype-trap.js: Added.
3240         (shouldBe):
3241         (DerivedArray.prototype.get 2):
3242         (DerivedArray):
3243
3244 2018-09-25  Saam Barati  <sbarati@apple.com>
3245
3246         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3247         https://bugs.webkit.org/show_bug.cgi?id=189940
3248         <rdar://problem/43640987>
3249
3250         Reviewed by Mark Lam.
3251
3252         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3253
3254 2018-09-24  Saam Barati  <sbarati@apple.com>
3255
3256         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3257         https://bugs.webkit.org/show_bug.cgi?id=189922
3258         <rdar://problem/44651275>
3259
3260         Reviewed by Mark Lam.
3261
3262         * stress/array-indexof-fast-path-effects.js: Added.
3263         * stress/array-indexof-cached-length.js: Added.
3264
3265 2018-09-24  Saam barati  <sbarati@apple.com>
3266
3267         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3268         https://bugs.webkit.org/show_bug.cgi?id=189682
3269         <rdar://problem/43557315>
3270
3271         Reviewed by Mark Lam.
3272
3273         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3274         (foo):
3275
3276 2018-09-22  Saam barati  <sbarati@apple.com>
3277
3278         The sampling should not use Strong<CodeBlock> in its machineLocation field
3279         https://bugs.webkit.org/show_bug.cgi?id=189319
3280
3281         Reviewed by Filip Pizlo.
3282
3283         * stress/sampling-profiler-richards.js: Added.
3284
3285 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3286
3287         [JSC] Optimize Array#indexOf in C++ runtime
3288         https://bugs.webkit.org/show_bug.cgi?id=189507
3289
3290         Reviewed by Saam Barati.
3291
3292         * stress/array-indexof-array-prototype-trap.js: Added.
3293         (shouldBe):
3294         (AncestorArray.prototype.get 2):
3295         (AncestorArray):
3296         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3297         (shouldBe):
3298         * stress/array-indexof-hole-nan.js: Added.
3299         (shouldBe):
3300         (throw.new.Error):
3301         * stress/array-indexof-infinity.js: Added.
3302         (shouldBe):
3303         (throw.new.Error):
3304         * stress/array-indexof-negative-zero.js: Added.
3305         (shouldBe):
3306         (throw.new.Error):
3307         * stress/array-indexof-own-getter.js: Added.
3308         (shouldBe):
3309         (throw.new.Error.get array):
3310         (get array):
3311         * stress/array-indexof-prototype-trap.js: Added.
3312         (shouldBe):
3313         (DerivedArray.prototype.get 2):
3314         (DerivedArray):
3315
3316 2018-09-19  Saam barati  <sbarati@apple.com>
3317
3318         AI rule for MultiPutByOffset executes its effects in the wrong order
3319         https://bugs.webkit.org/show_bug.cgi?id=189757
3320         <rdar://problem/43535257>
3321
3322         Reviewed by Michael Saboff.
3323
3324         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3325         (foo):
3326         (Foo):
3327         (g):
3328
3329 2018-09-17  Mark Lam  <mark.lam@apple.com>
3330
3331         Ensure that ForInContexts are invalidated if their loop local is over-written.
3332         https://bugs.webkit.org/show_bug.cgi?id=189571
3333         <rdar://problem/44402277>
3334
3335         Reviewed by Saam Barati.
3336
3337         * stress/regress-189571.js: Added.
3338
3339 2018-09-17  Saam barati  <sbarati@apple.com>
3340
3341         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3342         https://bugs.webkit.org/show_bug.cgi?id=189676
3343         <rdar://problem/39682897>
3344
3345         Reviewed by Michael Saboff.
3346
3347         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3348         (A):
3349         (K):
3350         (i.catch):
3351
3352 2018-09-14  Saam barati  <sbarati@apple.com>
3353
3354         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3355         https://bugs.webkit.org/show_bug.cgi?id=189628
3356         <rdar://problem/39481690>
3357
3358         Reviewed by Mark Lam.
3359
3360         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3361         (foo):
3362
3363 2018-09-11  Mark Lam  <mark.lam@apple.com>
3364
3365         Test for array initialization in arrayProtoFuncSplice.
3366         https://bugs.webkit.org/show_bug.cgi?id=170253
3367         <rdar://problem/31328773>
3368
3369         Rubber-stamped by Saam Barati.
3370
3371         * stress/regress-170253.js: Added.
3372
3373 2018-09-11  Mark Lam  <mark.lam@apple.com>
3374
3375         Test for IntlObject initialization.
3376         https://bugs.webkit.org/show_bug.cgi?id=170251
3377         <rdar://problem/31328419>
3378
3379         Rubber-stamped by Saam Barati.
3380
3381         * stress/regress-170251.js: Added.
3382
3383 2018-09-11  Mark Lam  <mark.lam@apple.com>
3384
3385         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3386         https://bugs.webkit.org/show_bug.cgi?id=169889
3387         <rdar://problem/31155607>
3388
3389         Reviewed by Saam Barati.
3390
3391         * stress/regress-169889-array-concat.js: Added.
3392         * stress/regress-169889-array-concat1.js: Added.
3393         * stress/regress-169889-array-slice.js: Added.
3394
3395 2018-09-11  Mark Lam  <mark.lam@apple.com>
3396
3397         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3398         https://bugs.webkit.org/show_bug.cgi?id=169445
3399         <rdar://problem/30957435>
3400
3401         Reviewed by Saam Barati.
3402
3403         * stress/regress-169445.js: Added.
3404         (let.gun.eval.A):
3405         (let.gun.eval.B.C):
3406         (let.gun.eval.B.C.prototype.trigger):
3407         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3408         (let.gun.eval.B):
3409         (let.gun.eval):
3410
3411 == Rolled over to ChangeLog-2018-09-11 ==