[JSC] imports-oom.js intermittently fails
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] imports-oom.js intermittently fails
4         https://bugs.webkit.org/show_bug.cgi?id=196373
5
6         Reviewed by Saam Barati.
7
8         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
9         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
10         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
11         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
12         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
13
14         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
15         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
16
17         * wasm/lowExecutableMemory/imports-oom.js:
18
19 2019-03-27  Saam Barati  <sbarati@apple.com>
20
21         validateOSREntryValue with Int52 should box the value being checked into double format
22         https://bugs.webkit.org/show_bug.cgi?id=196313
23         <rdar://problem/49306703>
24
25         Reviewed by Yusuke Suzuki.
26
27         * stress/validate-int-52-ai-state.js: Added.
28
29 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
30
31         [JSC] Owner of watchpoints should validate at GC finalizing phase
32         https://bugs.webkit.org/show_bug.cgi?id=195827
33
34         Reviewed by Filip Pizlo.
35
36         * stress/gc-should-reap-dead-watchpoints.js: Added.
37         (foo):
38         (A.prototype.y):
39         (A):
40
41 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
42
43         Skip WebAssembly test on 32-bit systems
44         https://bugs.webkit.org/show_bug.cgi?id=196206
45
46         Reviewed by Saam Barati.
47
48         Invoking runDefault executes test immediately even though
49         that test should be skipped due to missing WASM support.
50         Therefore remove runDefault.
51
52         * wasm/regress/web-assembly-link-error-exception-check.js:
53
54 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
55
56         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
57         https://bugs.webkit.org/show_bug.cgi?id=196217
58
59         Reviewed by Saam Barati.
60
61         Re-enable all NaN tests for f32.min, f64.min and f64.max.
62
63         * wasm/spec-tests/f32.wast.js:
64         * wasm/spec-tests/f64.wast.js:
65         * wasm/wasm.json:
66
67 2019-03-25  Keith Miller  <keith_miller@apple.com>
68
69         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
70         https://bugs.webkit.org/show_bug.cgi?id=196176
71
72         Reviewed by Saam Barati.
73
74         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
75         (main.v10):
76         (main):
77
78 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
79
80         WebAssembly: f32.max with NaN generates incorrect result
81         https://bugs.webkit.org/show_bug.cgi?id=175691
82         <rdar://problem/33952228>
83
84         Reviewed by Saam Barati.
85
86         Enable all f32.max NaN tests
87
88         * wasm/spec-tests/f32.wast.js:
89         * wasm/wasm.json:
90
91 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
92
93         [JSC] Move test into directory for WASM tests
94         https://bugs.webkit.org/show_bug.cgi?id=196187
95
96         Reviewed by Mark Lam.
97
98         Move Test into wasm-directory. Otherwise this test
99         is also executed on systems without WASM support.
100
101         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
102
103 2019-03-23  Mark Lam  <mark.lam@apple.com>
104
105         Rolling out r243032 and r243071 because the fix is incorrect.
106         https://bugs.webkit.org/show_bug.cgi?id=195892
107         <rdar://problem/48981239>
108
109         Not reviewed.
110
111         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
112
113 2019-03-22  Mark Lam  <mark.lam@apple.com>
114
115         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
116         https://bugs.webkit.org/show_bug.cgi?id=196154
117         <rdar://problem/49145307>
118
119         Reviewed by Filip Pizlo.
120
121         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
122         There's no need to run this test on more than 1 test configuration.
123
124         * stress/typed-array-lastIndexOf-exception-check.js: Added.
125         * stress/web-assembly-link-error-exception-check.js:
126
127 2019-03-22  Mark Lam  <mark.lam@apple.com>
128
129         Placate exception check validation in constructJSWebAssemblyLinkError().
130         https://bugs.webkit.org/show_bug.cgi?id=196152
131         <rdar://problem/49145257>
132
133         Reviewed by Michael Saboff.
134
135         * stress/web-assembly-link-error-exception-check.js: Added.
136
137 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
138
139         Skip tests running out of memory on ARM/MIPS
140         https://bugs.webkit.org/show_bug.cgi?id=196131
141
142         Unreviewed. Skip test if memory is limited.
143
144         * microbenchmarks/put-by-val-direct-large-index.js:
145
146 2019-03-21  Mark Lam  <mark.lam@apple.com>
147
148         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
149         https://bugs.webkit.org/show_bug.cgi?id=196116
150         <rdar://problem/48976951>
151
152         Reviewed by Filip Pizlo.
153
154         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
155
156 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
157
158         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
159         https://bugs.webkit.org/show_bug.cgi?id=196078
160         <rdar://problem/35925380>
161
162         Reviewed by Mark Lam.
163
164         Add a new benchmark that allocates several objects and invokes put_by_val_direct
165         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
166
167         * microbenchmarks/put-by-val-direct-large-index.js: Added.
168
169 2019-03-21  Mark Lam  <mark.lam@apple.com>
170
171         Placate exception check validation in operationArrayIndexOfString().
172         https://bugs.webkit.org/show_bug.cgi?id=196067
173         <rdar://problem/49056572>
174
175         Reviewed by Michael Saboff.
176
177         * stress/string-equal-exception-check.js: Added.
178
179 2019-03-21  Mark Lam  <mark.lam@apple.com>
180
181         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
182         https://bugs.webkit.org/show_bug.cgi?id=196055
183         <rdar://problem/49067448>
184
185         Reviewed by Yusuke Suzuki.
186
187         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
188
189 2019-03-20  Saam Barati  <sbarati@apple.com>
190
191         typeOfDoubleSum is wrong for when NaN can be produced
192         https://bugs.webkit.org/show_bug.cgi?id=196030
193
194         Reviewed by Filip Pizlo.
195
196         * stress/double-add-sub-mul-can-produce-nan.js: Added.
197         (assert):
198         (noInline.sub):
199         (noInline):
200         (assert.mul):
201         (assert.add):
202
203 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
204
205         Update the test to ensure OutOfMemoryError is thrown as intended
206         https://bugs.webkit.org/show_bug.cgi?id=196032
207         <rdar://problem/46842740>
208
209         Rubber stamped by Saam Barati.
210
211         * stress/create-error-out-of-memory-rope-string.js:
212         (assert):
213         (catch):
214
215 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
216
217         JSC::createError needs to check for OOM in errorDescriptionForValue
218         https://bugs.webkit.org/show_bug.cgi?id=196032
219         <rdar://problem/46842740>
220
221         Reviewed by Mark Lam.
222
223         * stress/create-error-out-of-memory-rope-string.js: Added.
224
225 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
226
227         Unreviewed, reduce # of iterations to avoid timing out after r242991
228         https://bugs.webkit.org/show_bug.cgi?id=195791
229
230         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
231
232         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
233
234 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
235
236         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
237         https://bugs.webkit.org/show_bug.cgi?id=195950
238
239         Unreviewed, reducing the amount of memory used on this test to avoid
240         OOM on devices with memory restrictions.
241
242         * microbenchmarks/generate-multiple-llint-entrypoints.js:
243
244 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
245
246         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
247         https://bugs.webkit.org/show_bug.cgi?id=194648
248
249         Reviewed by Keith Miller.
250
251         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
252
253 2019-03-18  Mark Lam  <mark.lam@apple.com>
254
255         Missing a ThrowScope release in JSObject::toString().
256         https://bugs.webkit.org/show_bug.cgi?id=195893
257         <rdar://problem/48970986>
258
259         Reviewed by Michael Saboff.
260
261         * stress/to-string-exception-check-release.js: Added.
262
263 2019-03-18  Mark Lam  <mark.lam@apple.com>
264
265         Structure::flattenDictionary() should clear unused property slots.
266         https://bugs.webkit.org/show_bug.cgi?id=195871
267         <rdar://problem/48959497>
268
269         Reviewed by Michael Saboff.
270
271         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
272
273 2019-03-15  Mark Lam  <mark.lam@apple.com>
274
275         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
276         https://bugs.webkit.org/show_bug.cgi?id=195827
277         <rdar://problem/48845513>
278
279         Reviewed by Filip Pizlo.
280
281         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
282
283 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
284
285         [ARM,MIPS] Skip slow tests
286         https://bugs.webkit.org/show_bug.cgi?id=195799
287
288         Unreviewed, test does not finish on ARM and MIPS within the
289         timeout limit.
290
291         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
292
293 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
294
295         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
296         https://bugs.webkit.org/show_bug.cgi?id=195791
297         <rdar://problem/48806130>
298
299         Reviewed by Mark Lam.
300
301         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
302         (foo):
303
304 2019-03-14  Saam barati  <sbarati@apple.com>
305
306         We can't remove code after ForceOSRExit until after FixupPhase
307         https://bugs.webkit.org/show_bug.cgi?id=186916
308         <rdar://problem/41396612>
309
310         Reviewed by Yusuke Suzuki.
311
312         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
313         (foo):
314         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
315         (foo):
316
317 2019-03-13  Michael Saboff  <msaboff@apple.com>
318
319         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
320         https://bugs.webkit.org/show_bug.cgi?id=195735
321
322         Reviewed by Mark Lam.
323
324         New regression test.
325
326         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
327         (foo):
328         (bar):
329
330 2019-03-14  Saam barati  <sbarati@apple.com>
331
332         Fixup uses KnownInt32 incorrectly in some nodes
333         https://bugs.webkit.org/show_bug.cgi?id=195279
334         <rdar://problem/47915654>
335
336         Reviewed by Yusuke Suzuki.
337
338         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
339         (foo):
340
341 2019-03-14  Keith Miller  <keith_miller@apple.com>
342
343         DFG liveness can't skip tail caller inline frames
344         https://bugs.webkit.org/show_bug.cgi?id=195715
345
346         Reviewed by Saam Barati.
347
348         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
349         (i.foo):
350
351 2019-03-13  Mark Lam  <mark.lam@apple.com>
352
353         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
354         https://bugs.webkit.org/show_bug.cgi?id=195415
355
356         Not reviewed.
357
358         Changed these tests to only run the default configuration.
359         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
360         There's no strong need to run this test on that variant.
361
362         * stress/dfg-to-string-on-int-does-gc.js:
363         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
364
365 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
366
367         String overflow when using StringBuilder in JSC::createError
368         https://bugs.webkit.org/show_bug.cgi?id=194957
369
370         Reviewed by Mark Lam.
371
372         Add test string-overflow-createError-bulder.js that overflows
373         StringBuilder in notAFunctionSourceAppender. The second new test
374         string-overflow-createError-fit.js has an error message that doesn't
375         overflow, it still failed since the String's capacity can't be doubled.
376         Run test string-overflow-createError.js only in the default
377         configuration to reduce memory consumption when running the test
378         in all configurations on multiple CPUs in parallel.
379
380         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
381         (catch):
382         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
383         (catch):
384         * stress/string-overflow-createError.js:
385
386 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
387
388         [JSC] OSR entry should respect abstract values in addition to flush formats
389         https://bugs.webkit.org/show_bug.cgi?id=195653
390
391         Reviewed by Mark Lam.
392
393         * stress/osr-entry-locals-none.js: Added.
394
395 2019-03-12  Michael Saboff  <msaboff@apple.com>
396
397         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
398         https://bugs.webkit.org/show_bug.cgi?id=195613
399
400         Reviewed by Mark Lam.
401
402         New regression test.
403
404         * stress/regexp-backref-inbounds.js: Added.
405         (testRegExp):
406
407 2019-03-12  Mark Lam  <mark.lam@apple.com>
408
409         The HasIndexedProperty node does GC.
410         https://bugs.webkit.org/show_bug.cgi?id=195559
411         <rdar://problem/48767923>
412
413         Reviewed by Yusuke Suzuki.
414
415         * stress/HasIndexedProperty-does-gc.js: Added.
416
417 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
418
419         [ESNext][BigInt] Implement "~" unary operation
420         https://bugs.webkit.org/show_bug.cgi?id=182216
421
422         Reviewed by Keith Miller.
423
424         * stress/big-int-bit-not-general.js: Added.
425         * stress/big-int-bitwise-not-jit.js: Added.
426         * stress/big-int-bitwise-not-wrapped-value.js: Added.
427         * stress/bit-op-with-object-returning-int32.js:
428         * stress/bitwise-not-fixup-rules.js: Added.
429         * stress/value-bit-not-ai-rule.js: Added.
430
431 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
432
433         Invalid flags in a RegExp literal should be an early SyntaxError
434         https://bugs.webkit.org/show_bug.cgi?id=195514
435
436         Reviewed by Darin Adler.
437
438         * test262/expectations.yaml:
439         Mark 4 test cases as passing.
440
441         * stress/regexp-syntax-error-invalid-flags.js:
442         * stress/regress-161995.js: Removed.
443         Update existing test, merging in an older test for the same behavior.
444
445 2019-03-08  Mark Lam  <mark.lam@apple.com>
446
447         Stack overflow crash in JSC::JSObject::hasInstance.
448         https://bugs.webkit.org/show_bug.cgi?id=195458
449         <rdar://problem/48710195>
450
451         Reviewed by Yusuke Suzuki.
452
453         * stress/stack-overflow-in-custom-hasInstance.js: Added.
454
455 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
456
457         op_check_tdz does not def its argument
458         https://bugs.webkit.org/show_bug.cgi?id=192880
459         <rdar://problem/46221598>
460
461         Reviewed by Saam Barati.
462
463         * microbenchmarks/let-for-in.js: Added.
464         (foo):
465
466 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
467
468         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
469         https://bugs.webkit.org/show_bug.cgi?id=195429
470
471         Reviewed by Saam Barati.
472
473         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
474         (foo):
475         * stress/string-from-char-code-255.js: Added.
476
477 2019-03-06  Mark Lam  <mark.lam@apple.com>
478
479         Fix incorrect handling of try-finally completion values.
480         https://bugs.webkit.org/show_bug.cgi?id=195131
481         <rdar://problem/46222079>
482
483         Reviewed by Saam Barati and Yusuke Suzuki.
484
485         Added many permutations of new test case to test-finally.js.  test-finally.js has
486         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
487         tests passes there as well.
488
489         * stress/test-finally.js:
490
491 2019-03-06  Saam Barati  <sbarati@apple.com>
492
493         Air::reportUsedRegisters must padInterference
494         https://bugs.webkit.org/show_bug.cgi?id=195303
495         <rdar://problem/48270343>
496
497         Reviewed by Keith Miller.
498
499         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
500
501 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
502
503         [JSC] AI should not propagate AbstractValue relying on constant folding phase
504         https://bugs.webkit.org/show_bug.cgi?id=195375
505
506         Reviewed by Saam Barati.
507
508         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
509         (let.array):
510
511 2019-03-05  Saam barati  <sbarati@apple.com>
512
513         op_switch_char broken for rope strings after JSRopeString layout rewrite
514         https://bugs.webkit.org/show_bug.cgi?id=195339
515         <rdar://problem/48592545>
516
517         Reviewed by Yusuke Suzuki.
518
519         * stress/switch-on-char-llint-rope.js: Added.
520
521 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
522
523         [JSC] Store bits for JSRopeString in 3 stores
524         https://bugs.webkit.org/show_bug.cgi?id=195234
525
526         Reviewed by Saam Barati.
527
528         * stress/null-rope-and-collectors.js: Added.
529
530 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
531
532         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
533         https://bugs.webkit.org/show_bug.cgi?id=195207
534
535         Unreviewed. After test runtime was reduced in r242213, test can be
536         run again on ARM/MIPS.
537
538         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
539
540 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
541
542         [JSC] sizeof(JSString) should be 16
543         https://bugs.webkit.org/show_bug.cgi?id=194375
544
545         Reviewed by Saam Barati.
546
547         * microbenchmarks/make-rope.js: Added.
548         (makeRope):
549         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
550         (returnRope.helper): Deleted.
551         (returnRope): Deleted.
552
553 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
554
555         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
556         https://bugs.webkit.org/show_bug.cgi?id=195144
557
558         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
559         Change the number from 1e8 to 1e5.
560
561         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
562         (foo):
563
564 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
565
566         Test times out on ARM/MIPS
567         https://bugs.webkit.org/show_bug.cgi?id=195168
568
569         Unreviewed. Skip test on ARM/MIPS.
570
571         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
572
573 2019-02-27  Mark Lam  <mark.lam@apple.com>
574
575         The parser is failing to record the token location of new in new.target.
576         https://bugs.webkit.org/show_bug.cgi?id=195127
577         <rdar://problem/39645578>
578
579         Reviewed by Yusuke Suzuki.
580
581         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
582
583 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
584
585         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
586         https://bugs.webkit.org/show_bug.cgi?id=195144
587         <rdar://problem/47595961>
588
589         Reviewed by Mark Lam.
590
591         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
592         (bar):
593         (foo):
594         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
595         (bar):
596         (foo):
597
598 2019-02-27  Robin Morisset  <rmorisset@apple.com>
599
600         DFG: Loop-invariant code motion (LICM) should not hoist dead code
601         https://bugs.webkit.org/show_bug.cgi?id=194945
602         <rdar://problem/48311657>
603
604         Reviewed by Mark Lam.
605
606         * stress/licm-dead-code.js: Added.
607
608 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
611         https://bugs.webkit.org/show_bug.cgi?id=194677
612         <rdar://problem/48112492>
613
614         Reviewed by Mark Lam.
615
616         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
617         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
618         it immediately fails due the large size.
619
620         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
621         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
622         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
623         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
624
625         This patch changes the test to produce 16bit string from String.fromCharCode.
626
627         * stress/regress-178386.js:
628
629 2019-02-26  Mark Lam  <mark.lam@apple.com>
630
631         wasmToJS() should purify incoming NaNs.
632         https://bugs.webkit.org/show_bug.cgi?id=194807
633         <rdar://problem/48189132>
634
635         Reviewed by Saam Barati.
636
637         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
638
639 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
640
641         [JSC] Repeat string created from Array.prototype.join() take too much memory
642         https://bugs.webkit.org/show_bug.cgi?id=193912
643
644         Reviewed by Saam Barati.
645
646         Added a test and a microbenchmark for corner cases of
647         Array.prototype.join() with an uninitialized array.
648
649         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
650         * stress/array-prototype-join-uninitialized.js: Added.
651         (testArray):
652         (testABC):
653         (B):
654         (C):
655
656 2019-02-22  Robin Morisset  <rmorisset@apple.com>
657
658         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
659         https://bugs.webkit.org/show_bug.cgi?id=194953
660         <rdar://problem/47595253>
661
662         Reviewed by Saam Barati.
663
664         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
665
666         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
667
668 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
669
670         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
671         https://bugs.webkit.org/show_bug.cgi?id=172848
672         <rdar://problem/25709212>
673
674         Reviewed by Mark Lam.
675
676         * typeProfiler/inheritance.js:
677         Rewrite the test slightly for clarity. The hoisting was confusing.
678
679         * heapProfiler/class-names.js: Added.
680         (MyES5Class):
681         (MyES6Class):
682         (MyES6Subclass):
683         Test object types and improved class names.
684
685         * heapProfiler/driver/driver.js:
686         (CheapHeapSnapshotNode):
687         (CheapHeapSnapshot):
688         (createCheapHeapSnapshot):
689         (HeapSnapshot):
690         (createHeapSnapshot):
691         Update snapshot parsing from version 1 to version 2.
692
693 2019-02-19  Truitt Savell  <tsavell@apple.com>
694
695         Unreviewed, rolling out r241784.
696
697         Broke all OpenSource builds.
698
699         Reverted changeset:
700
701         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
702         instances view"
703         https://bugs.webkit.org/show_bug.cgi?id=172848
704         https://trac.webkit.org/changeset/241784
705
706 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
707
708         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
709         https://bugs.webkit.org/show_bug.cgi?id=172848
710         <rdar://problem/25709212>
711
712         Reviewed by Mark Lam.
713
714         * typeProfiler/inheritance.js:
715         Rewrite the test slightly for clarity. The hoisting was confusing.
716
717         * heapProfiler/class-names.js: Added.
718         (MyES5Class):
719         (MyES6Class):
720         (MyES6Subclass):
721         Test object types and improved class names.
722
723         * heapProfiler/driver/driver.js:
724         (CheapHeapSnapshotNode):
725         (CheapHeapSnapshot):
726         (createCheapHeapSnapshot):
727         (HeapSnapshot):
728         (createHeapSnapshot):
729         Update snapshot parsing from version 1 to version 2.
730
731 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
732
733         [ARM] Fix crash with sampling profiler
734         https://bugs.webkit.org/show_bug.cgi?id=194772
735
736         Reviewed by Mark Lam.
737
738         Do not skip test since crash with sampling profiler is now fixed.
739
740         * stress/sampling-profiler-richards.js:
741
742 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         [JSC] Add LazyClassStructure::getInitializedOnMainThread
745         https://bugs.webkit.org/show_bug.cgi?id=194784
746         <rdar://problem/48154820>
747
748         Reviewed by Mark Lam.
749
750         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
751         (getProperties):
752         (getRandomProperty):
753         (i.catch):
754
755 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
756
757         [ARM] Test gardening: Test running out of executable memory
758         https://bugs.webkit.org/show_bug.cgi?id=194771
759
760         Unreviewed. Do not run test without LLInt, test is running out of executable
761         memory on ARM otherwise.
762
763         * stress/tagged-template-object-collect.js:
764
765 2019-02-18  Tomas Popela  <tpopela@redhat.com>
766
767         Unreviewed, skip the test on platforms without sampling profiler
768
769         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
770         (platformSupportsSamplingProfiler.foo):
771         (platformSupportsSamplingProfiler.test):
772         (platformSupportsSamplingProfiler):
773         (foo): Deleted.
774         (test): Deleted.
775
776 2019-02-17  Saam Barati  <sbarati@apple.com>
777
778         Deadlock when adding a Structure property transition and then doing incremental marking
779         https://bugs.webkit.org/show_bug.cgi?id=194767
780
781         Reviewed by Mark Lam.
782
783         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
784
785 2019-02-15  Michael Saboff  <msaboff@apple.com>
786
787         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
788         https://bugs.webkit.org/show_bug.cgi?id=194558
789
790         Reviewed by Saam Barati.
791
792         New regression test.
793
794         * stress/regexp-unicode-within-string.js: Added.
795
796 2019-02-15  Mark Lam  <mark.lam@apple.com>
797
798         SamplingProfiler::stackTracesAsJSON() should escape strings.
799         https://bugs.webkit.org/show_bug.cgi?id=194649
800         <rdar://problem/48072386>
801
802         Reviewed by Saam Barati.
803
804         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
805         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
806         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
807         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
808
809 2019-02-15  Robin Morisset  <rmorisset@apple.com>
810         CodeBlock::jettison should clear related watchpoints
811         https://bugs.webkit.org/show_bug.cgi?id=194544
812
813         Reviewed by Mark Lam.
814
815         * stress/regexp-replace-double-watchpoint.js: Added.
816         (foo):
817
818 2019-02-15  Saam barati  <sbarati@apple.com>
819
820         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
821         https://bugs.webkit.org/show_bug.cgi?id=194036
822
823         Reviewed by Yusuke Suzuki.
824
825         * stress/tail-call-many-arguments.js: Added.
826         (foo):
827         (bar):
828
829 2019-02-14  Saam Barati  <sbarati@apple.com>
830
831         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
832         https://bugs.webkit.org/show_bug.cgi?id=194583
833         <rdar://problem/48028140>
834
835         Reviewed by Yusuke Suzuki.
836
837         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
838
839 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
840
841         [JSC] String.fromCharCode's slow path always generates 16bit string
842         https://bugs.webkit.org/show_bug.cgi?id=194466
843
844         Reviewed by Keith Miller.
845
846         * stress/string-from-char-code-slow-path.js: Added.
847         (shouldBe):
848         (testWithLength):
849
850 2019-02-08  Saam barati  <sbarati@apple.com>
851
852         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
853         https://bugs.webkit.org/show_bug.cgi?id=194334
854         <rdar://problem/47844327>
855
856         Reviewed by Mark Lam.
857
858         * stress/check-in-bounds-should-be-a-child-use.js: Added.
859         (func):
860
861 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
862
863         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
864         https://bugs.webkit.org/show_bug.cgi?id=194369
865         <rdar://problem/47813087>
866
867         Reviewed by Saam Barati.
868
869         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
870         (A):
871
872 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
873
874         [JSC] PrivateName to PublicName hash table is wasteful
875         https://bugs.webkit.org/show_bug.cgi?id=194277
876
877         Reviewed by Michael Saboff.
878
879         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
880
881         * ChakraCore.yaml:
882
883 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
884
885         [ARM] Test running out of executable memory
886         https://bugs.webkit.org/show_bug.cgi?id=194285
887
888         Unreviewed. Do no execute test with LLInt disabled, test runs out of
889         executable memory otherwise.
890
891         * stress/class-subclassing-function.js:
892
893 2019-02-04  Robin Morisset  <rmorisset@apple.com>
894
895         when lowering AssertNotEmpty, create the value before creating the patchpoint
896         https://bugs.webkit.org/show_bug.cgi?id=194231
897
898         Reviewed by Saam Barati.
899
900         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
901         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
902         So even tiny changes to this test can change the path code taken.
903
904         * stress/assert-not-empty.js: Added.
905         (foo):
906
907 2019-02-01  Mark Lam  <mark.lam@apple.com>
908
909         Remove invalid assertion in DFG's compileDoubleRep().
910         https://bugs.webkit.org/show_bug.cgi?id=194130
911         <rdar://problem/47699474>
912
913         Reviewed by Saam Barati.
914
915         * stress/constant-fold-double-rep-into-double-constant.js: Added.
916
917 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
918
919         Import latest Test262 updates.
920
921         Rubber-stamped by Keith Miller.
922
923         * test262.yaml: Deleted.
924         * test262/config.yaml:
925         * test262/expectations.yaml:
926         * test262/latest-changes-summary.txt:
927         * test262/test/:
928         * test262/test262-Revision.txt:
929
930 2019-01-30  Robin Morisset  <rmorisset@apple.com>
931
932         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
933         https://bugs.webkit.org/show_bug.cgi?id=194050
934         <rdar://problem/47595592>
935
936         Reviewed by Yusuke Suzuki.
937
938         * stress/object-keys-osr-exit.js: Added.
939         (foo):
940         (catch):
941
942 2019-01-29  Mark Lam  <mark.lam@apple.com>
943
944         ValueRecovery::recover() should purify NaN values it recovers.
945         https://bugs.webkit.org/show_bug.cgi?id=193978
946         <rdar://problem/47625488>
947
948         Reviewed by Saam Barati.
949
950         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
951
952 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
953
954         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
955         https://bugs.webkit.org/show_bug.cgi?id=193713
956
957         * stress/try-get-by-id-should-spill-registers-dfg.js:
958         (let.f.createBuiltin):
959
960 2019-01-28  Mark Lam  <mark.lam@apple.com>
961
962         ToString node actually does GC.
963         https://bugs.webkit.org/show_bug.cgi?id=193920
964         <rdar://problem/46695900>
965
966         Reviewed by Yusuke Suzuki.
967
968         * stress/dfg-to-string-on-int-does-gc.js: Added.
969         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
970         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
971
972 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
973
974         [JSC] NativeErrorConstructor should not have own IsoSubspace
975         https://bugs.webkit.org/show_bug.cgi?id=193713
976
977         Reviewed by Saam Barati.
978
979         Remove @Error use.
980
981         * stress/try-get-by-id-should-spill-registers-dfg.js:
982         (let.f.createBuiltin):
983
984 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
985
986         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
987         https://bugs.webkit.org/show_bug.cgi?id=190693
988
989         Reviewed by Michael Saboff.
990
991         * stress/regress-190693.js: Added.
992         (truth):
993         (assert):
994         (shouldThrowInvalidConstAssignment):
995         (taz):
996
997 2019-01-24  Saam Barati  <sbarati@apple.com>
998
999         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1000         https://bugs.webkit.org/show_bug.cgi?id=193751
1001         <rdar://problem/47280215>
1002
1003         Reviewed by Michael Saboff.
1004
1005         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1006         (let.thing):
1007         (foo.let.hello):
1008         (foo):
1009
1010 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1011
1012         [JSC] Reenable baseline JIT on mips
1013         https://bugs.webkit.org/show_bug.cgi?id=192983
1014
1015         Reviewed by Mark Lam.
1016
1017         Added a new test for a case that was triggering a RELEASE_ASSERT when
1018         testing.
1019         Disable some slow tests that were already disabled for arm and x86.
1020
1021         * stress/json-parse-big-object.js: Added.
1022         * stress/new-largeish-contiguous-array-with-size.js:
1023         * stress/op_add.js:
1024         * stress/op_bitand.js:
1025         * stress/op_bitor.js:
1026         * stress/op_bitxor.js:
1027         * stress/op_lshift-ConstVar.js:
1028         * stress/op_lshift-VarConst.js:
1029         * stress/op_lshift-VarVar.js:
1030         * stress/op_mod-ConstVar.js:
1031         * stress/op_mod-VarConst.js:
1032         * stress/op_mod-VarVar.js:
1033         * stress/op_mul-ConstVar.js:
1034         * stress/op_mul-VarConst.js:
1035         * stress/op_mul-VarVar.js:
1036         * stress/op_rshift-ConstVar.js:
1037         * stress/op_rshift-VarConst.js:
1038         * stress/op_rshift-VarVar.js:
1039         * stress/op_sub-ConstVar.js:
1040         * stress/op_sub-VarConst.js:
1041         * stress/op_sub-VarVar.js:
1042         * stress/op_urshift-ConstVar.js:
1043         * stress/op_urshift-VarConst.js:
1044         * stress/op_urshift-VarVar.js:
1045         * stress/sampling-profiler-richards.js:
1046         * stress/spread-forward-call-varargs-stack-overflow.js:
1047
1048 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1049
1050         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1051         https://bugs.webkit.org/show_bug.cgi?id=193711
1052         <rdar://problem/47250262>
1053
1054         Reviewed by Saam Barati.
1055
1056         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1057         (shouldBe):
1058         (foo):
1059         (bar):
1060         (baz):
1061
1062 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1063
1064         Unreviewed, fix initial global lexical binding epoch
1065         https://bugs.webkit.org/show_bug.cgi?id=193603
1066         <rdar://problem/47380869>
1067
1068         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1069         (f1.f2.f3.f4):
1070         (f1.f2.f3):
1071         (f1.f2):
1072         (f1):
1073
1074 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1075
1076         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1077         https://bugs.webkit.org/show_bug.cgi?id=193709
1078         <rdar://problem/47363838>
1079
1080         Unreviewed, rollout to watch the tests.
1081
1082         * stress/object-tostring-changed-proto.js: Removed.
1083         * stress/object-tostring-changed.js: Removed.
1084         * stress/object-tostring-misc.js: Removed.
1085         * stress/object-tostring-other.js: Removed.
1086         * stress/object-tostring-untyped.js: Removed.
1087
1088 2019-01-22  Saam Barati  <sbarati@apple.com>
1089
1090         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1091
1092         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1093         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1094         (testUncheckedLessThanZero):
1095         (testUncheckedLessThanOrEqualZero):
1096         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1097         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1098
1099 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1100
1101         [JSC] Invalidate old scope operations using global lexical binding epoch
1102         https://bugs.webkit.org/show_bug.cgi?id=193603
1103         <rdar://problem/47380869>
1104
1105         Reviewed by Saam Barati.
1106
1107         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1108         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1109         (shouldThrow):
1110         (bar):
1111         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1112         (shouldBe):
1113         (get1):
1114         (get2):
1115         (get1If):
1116         (get2If):
1117         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1118         (shouldThrow):
1119         (foo):
1120
1121 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1122
1123         Unreviewed, roll out r240220 due to date-format-xparb regression
1124         https://bugs.webkit.org/show_bug.cgi?id=193603
1125
1126         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1127         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1128         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1129         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1130
1131 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1132
1133         DoesGC rule is wrong for nodes with BigIntUse
1134         https://bugs.webkit.org/show_bug.cgi?id=193652
1135
1136         Reviewed by Saam Barati.
1137
1138         * stress/big-int-value-op-update-gc-rules.js: Added.
1139         (assert):
1140         (doesGCAdd):
1141         (doesGCSub):
1142         (doesGCDiv):
1143         (doesGCMul):
1144         (doesGCBitAnd):
1145         (doesGCBitOr):
1146         (doesGCBitXor):
1147
1148 2019-01-20  Saam Barati  <sbarati@apple.com>
1149
1150         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1151         https://bugs.webkit.org/show_bug.cgi?id=193644
1152         <rdar://problem/46209745>
1153
1154         Reviewed by Yusuke Suzuki.
1155
1156         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1157         (foo):
1158         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1159         (foo):
1160         (bar):
1161
1162 2019-01-20  Saam Barati  <sbarati@apple.com>
1163
1164         MovHint must merge NodeBytecodeUsesAsValue for its child
1165         https://bugs.webkit.org/show_bug.cgi?id=186916
1166         <rdar://problem/41396612>
1167
1168         Reviewed by Yusuke Suzuki.
1169
1170         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1171         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1172
1173 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1174
1175         [JSC] Invalidate old scope operations using global lexical binding epoch
1176         https://bugs.webkit.org/show_bug.cgi?id=193603
1177         <rdar://problem/47380869>
1178
1179         Reviewed by Saam Barati.
1180
1181         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1182         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1183         (shouldThrow):
1184         (bar):
1185         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1186         (shouldBe):
1187         (get1):
1188         (get2):
1189         (get1If):
1190         (get2If):
1191         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1192         (shouldThrow):
1193         (foo):
1194
1195 2019-01-17  Saam barati  <sbarati@apple.com>
1196
1197         StringObjectUse should not be a structure check for the original string object structure
1198         https://bugs.webkit.org/show_bug.cgi?id=193483
1199         <rdar://problem/47280522>
1200
1201         Reviewed by Yusuke Suzuki.
1202
1203         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1204         (foo):
1205         (a.valueOf.0):
1206
1207 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1208
1209         [JSC] ToThis omission in DFGByteCodeParser is wrong
1210         https://bugs.webkit.org/show_bug.cgi?id=193513
1211         <rdar://problem/45842236>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/to-this-omission-with-different-strict-modes.js: Added.
1216         (thisA):
1217         (thisAStrictWrapper):
1218
1219 2019-01-15  Mark Lam  <mark.lam@apple.com>
1220
1221         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1222         https://bugs.webkit.org/show_bug.cgi?id=193423
1223         <rdar://problem/46209355>
1224
1225         Reviewed by Saam Barati.
1226
1227         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1228         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1229         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1230         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1231
1232 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1233
1234         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1235         https://bugs.webkit.org/show_bug.cgi?id=193438
1236         <rdar://problem/45581249>
1237
1238         Reviewed by Saam Barati and Keith Miller.
1239
1240         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1241         Then, GetByVal(String) crashed.
1242
1243         * stress/string-get-by-val-lowering.js: Added.
1244         (shouldBe):
1245         (test):
1246         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1247         (Hello):
1248         (foo):
1249
1250 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1251
1252         Unreviewed, skip JIT tests if it's not enabled
1253
1254         * stress/bit-op-with-object-returning-int32.js:
1255
1256 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1257
1258         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1259         https://bugs.webkit.org/show_bug.cgi?id=192966
1260
1261         Reviewed by Yusuke Suzuki.
1262
1263         * stress/bit-op-with-object-returning-int32.js: Added.
1264
1265 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1266
1267         Skip a slow test and a flakey test on arm
1268
1269         Unreviewed gardening.
1270
1271         * typeProfiler/getter-richards.js:
1272         this test always times out, it used to be always skipped on arm and
1273         mips, but got accidentally enabled by r237919 now that we have DFG on
1274         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1275
1276 2019-01-14  Keith Miller  <keith_miller@apple.com>
1277
1278         Skip type-check-hoisting-phase-hoist... with no jit
1279         https://bugs.webkit.org/show_bug.cgi?id=193421
1280
1281         Reviewed by Mark Lam.
1282
1283         It's timing out the 32-bit bots and takes 330 seconds
1284         on my machine when run by itself.
1285
1286         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1287
1288 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1289
1290         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1291         https://bugs.webkit.org/show_bug.cgi?id=193413
1292         <rdar://problem/46092389>
1293
1294         Reviewed by Keith Miller.
1295
1296         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1297         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1298         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1299         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1300
1301         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1302         (compareArray):
1303
1304 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1305
1306         [BigInt] Literal parsing is crashing when used inside a Object Literal
1307         https://bugs.webkit.org/show_bug.cgi?id=193404
1308
1309         Reviewed by Yusuke Suzuki.
1310
1311         * stress/big-int-literal-inside-literal-object.js: Added.
1312
1313 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1314
1315         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1316         https://bugs.webkit.org/show_bug.cgi?id=193372
1317
1318         Reviewed by Saam Barati.
1319
1320         * stress/typed-array-array-modes-profile.js: Added.
1321         (foo):
1322
1323 2019-01-14  Mark Lam  <mark.lam@apple.com>
1324
1325         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1326         https://bugs.webkit.org/show_bug.cgi?id=193402
1327         <rdar://problem/46012309>
1328
1329         Reviewed by Keith Miller.
1330
1331         * stress/regexp-compile-oom.js:
1332         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1333           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1334
1335 2019-01-11  Saam barati  <sbarati@apple.com>
1336
1337         DFG combined liveness can be wrong for terminal basic blocks
1338         https://bugs.webkit.org/show_bug.cgi?id=193304
1339         <rdar://problem/45268632>
1340
1341         Reviewed by Yusuke Suzuki.
1342
1343         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1344
1345 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1346
1347         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1348         https://bugs.webkit.org/show_bug.cgi?id=193308
1349         <rdar://problem/45546542>
1350
1351         Reviewed by Saam Barati.
1352
1353         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1354         (shouldThrow):
1355         (shouldBe):
1356         (foo):
1357         (get shouldThrow):
1358         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1359         (shouldThrow):
1360         (shouldBe):
1361         (foo):
1362         (get shouldBe):
1363         (get shouldThrow):
1364         (get return):
1365         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1366         (shouldThrow):
1367         (shouldBe):
1368         (foo):
1369         (get shouldBe):
1370         (get shouldThrow):
1371         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1372         (shouldThrow):
1373         (shouldBe):
1374         (foo):
1375         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1376         (shouldThrow):
1377         (shouldBe):
1378         (foo):
1379         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1380         (shouldThrow):
1381         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1382         (shouldThrow):
1383         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1384         (shouldThrow):
1385         (shouldBe):
1386         (foo):
1387         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1388         (shouldThrow):
1389         (shouldBe):
1390         (foo):
1391         (get shouldBe):
1392         (get shouldThrow):
1393         (get return):
1394         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1395         (shouldThrow):
1396         (shouldBe):
1397         (foo):
1398         (get shouldBe):
1399         (get shouldThrow):
1400         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1401         (shouldThrow):
1402         (shouldBe):
1403         (foo):
1404         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1405         (shouldThrow):
1406         (shouldBe):
1407         (foo):
1408
1409 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1410
1411         Enable DFG on ARM/Linux again
1412         https://bugs.webkit.org/show_bug.cgi?id=192496
1413
1414         Reviewed by Yusuke Suzuki.
1415
1416         Test wasn't really skipped before moving the line with skip
1417         to the top.
1418
1419         * stress/regress-192717.js:
1420
1421 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1422
1423         Unreviewed, rolling out r239825.
1424         https://bugs.webkit.org/show_bug.cgi?id=193330
1425
1426         Broke tests on armv7/linux bots (Requested by guijemont on
1427         #webkit).
1428
1429         Reverted changeset:
1430
1431         "Enable DFG on ARM/Linux again"
1432         https://bugs.webkit.org/show_bug.cgi?id=192496
1433         https://trac.webkit.org/changeset/239825
1434
1435 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1436
1437         Enable DFG on ARM/Linux again
1438         https://bugs.webkit.org/show_bug.cgi?id=192496
1439
1440         Reviewed by Yusuke Suzuki.
1441
1442         Test wasn't really skipped before moving the line with skip
1443         to the top.
1444
1445         * stress/regress-192717.js:
1446
1447 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1448
1449         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1450         https://bugs.webkit.org/show_bug.cgi?id=193127
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/array-species-create-should-handle-masquerader.js: Added.
1455         (shouldThrow):
1456         * stress/is-undefined-or-null-builtin.js: Added.
1457         (shouldBe):
1458         (isUndefinedOrNull.vm.createBuiltin):
1459
1460 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1461
1462         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1463         https://bugs.webkit.org/show_bug.cgi?id=193221
1464
1465         Reviewed by Mark Lam.
1466
1467         * stress/put-by-id-flags.js: Added.
1468         (f):
1469         (g):
1470         (numberOfDFGCompiles):
1471
1472 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1473
1474         Baseline version of get_by_id may corrupt metadata
1475         https://bugs.webkit.org/show_bug.cgi?id=193085
1476         <rdar://problem/23453006>
1477
1478         Reviewed by Saam Barati.
1479
1480         * stress/get-by-id-change-mode.js: Added.
1481         (forEach):
1482
1483 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1484
1485         [JSC] Optimize Object.prototype.toString
1486         https://bugs.webkit.org/show_bug.cgi?id=193031
1487
1488         Reviewed by Saam Barati.
1489
1490         * stress/object-tostring-changed-proto.js: Added.
1491         (shouldBe):
1492         (test):
1493         * stress/object-tostring-changed.js: Added.
1494         (shouldBe):
1495         (test):
1496         * stress/object-tostring-misc.js: Added.
1497         (shouldBe):
1498         (test):
1499         (i.switch):
1500         * stress/object-tostring-other.js: Added.
1501         (shouldBe):
1502         (test):
1503         * stress/object-tostring-untyped.js: Added.
1504         (shouldBe):
1505         (test):
1506         (i.switch):
1507
1508 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1509
1510         test262-runner misbehaves when test file YAML has a trailing space
1511         https://bugs.webkit.org/show_bug.cgi?id=193053
1512
1513         Reviewed by Yusuke Suzuki.
1514
1515         * test262/expectations.yaml:
1516         Mark two dozen tests as passing (and correct the output of another).
1517
1518 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1519
1520         Unreviewed, JSTests gardening with memoryLimited
1521
1522         * stress/string-overflow-createError.js:
1523
1524 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1525
1526         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1527         https://bugs.webkit.org/show_bug.cgi?id=193050
1528
1529         Reviewed by Yusuke Suzuki.
1530
1531         * test262.yaml:
1532         * test262/expectations.yaml:
1533         Mark 16 tests as passing.
1534
1535 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1536
1537         [BigInt] Support BigInt in JSON.stringify
1538         https://bugs.webkit.org/show_bug.cgi?id=192624
1539
1540         Reviewed by Saam Barati.
1541
1542         * stress/big-int-json-stringify-to-json.js: Added.
1543         (shouldBe):
1544         (shouldThrow):
1545         (BigInt.prototype.toJSON):
1546         (shouldBe.JSON.stringify):
1547         * stress/big-int-json-stringify.js: Added.
1548         (shouldBe):
1549         (shouldThrow):
1550
1551 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1552
1553         [JSC] Implement "well-formed JSON.stringify" proposal
1554         https://bugs.webkit.org/show_bug.cgi?id=191677
1555
1556         Reviewed by Darin Adler.
1557
1558         * stress/json-surrogate-pair.js: Added.
1559         (shouldBe):
1560         * test262/expectations.yaml:
1561
1562 2018-12-20  Keith Miller  <keith_miller@apple.com>
1563
1564         Add support for globalThis
1565         https://bugs.webkit.org/show_bug.cgi?id=165171
1566
1567         Reviewed by Mark Lam.
1568
1569         * test262/config.yaml:
1570
1571 2018-12-19  Keith Miller  <keith_miller@apple.com>
1572
1573         Update test262 configuration to not run tests dependent on ICU version.
1574         https://bugs.webkit.org/show_bug.cgi?id=192920
1575
1576         Reviewed by Saam Barati.
1577
1578         * test262/expectations.yaml:
1579
1580 2018-12-20  Mark Lam  <mark.lam@apple.com>
1581
1582         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1583         https://bugs.webkit.org/show_bug.cgi?id=192939
1584         <rdar://problem/46869516>
1585
1586         Reviewed by Keith Miller.
1587
1588         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1589
1590 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1591
1592         WTF::String and StringImpl overflow MaxLength
1593         https://bugs.webkit.org/show_bug.cgi?id=192853
1594         <rdar://problem/45726906>
1595
1596         Reviewed by Mark Lam.
1597
1598         * stress/string-16bit-repeat-overflow.js: Added.
1599         (catch):
1600
1601 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1602
1603         Unreviewed follow-up to r192914.
1604
1605         * test262/expectations.yaml:
1606         Add the last 20 missing expectations.
1607
1608 2018-12-19  Keith Miller  <keith_miller@apple.com>
1609
1610         Fix test262 expectations
1611         https://bugs.webkit.org/show_bug.cgi?id=192914
1612
1613         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1614
1615         * test262/expectations.yaml:
1616
1617 2018-12-19  Keith Miller  <keith_miller@apple.com>
1618
1619         Update test262 tests.
1620         https://bugs.webkit.org/show_bug.cgi?id=192907
1621
1622         Rubber stamped by Mark Lam.
1623
1624         * test262/*: Omitted because prepare-changelog crashes.
1625
1626 2018-12-19  Mark Lam  <mark.lam@apple.com>
1627
1628         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1629         https://bugs.webkit.org/show_bug.cgi?id=192464
1630         <rdar://problem/46519455>
1631
1632         Reviewed by Saam Barati.
1633
1634         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1635         microbenchmark.
1636
1637         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1638         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1639
1640 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1641
1642         String overflow in JSC::createError results in ASSERT in WTF::makeString
1643         https://bugs.webkit.org/show_bug.cgi?id=192833
1644         <rdar://problem/45706868>
1645
1646         Reviewed by Mark Lam.
1647
1648         * stress/string-overflow-createError.js: Added.
1649
1650 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1651
1652         Error message for `-x ** y` contains a typo.
1653         https://bugs.webkit.org/show_bug.cgi?id=192832
1654
1655         Reviewed by Saam Barati.
1656
1657         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1658         (assert.assert.return.throws):
1659         * stress/pow-expects-update-expression-on-lhs.js:
1660         (throw.new.Error):
1661         Update test expectations which match against the exact error message.
1662
1663 2018-12-18  Mark Lam  <mark.lam@apple.com>
1664
1665         Gardening: test options fix.
1666         https://bugs.webkit.org/show_bug.cgi?id=192822
1667
1668         Unreviewed.
1669
1670         * stress/json-stringify-string-builder-overflow.js:
1671
1672 2018-12-18  Mark Lam  <mark.lam@apple.com>
1673
1674         JSON.stringify() should throw OOM on StringBuilder overflows.
1675         https://bugs.webkit.org/show_bug.cgi?id=192822
1676         <rdar://problem/46670577>
1677
1678         Reviewed by Saam Barati.
1679
1680         * stress/json-stringify-string-builder-overflow.js: Added.
1681
1682 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1683
1684         Redeclaration of var over let/const/class should be a syntax error.
1685         https://bugs.webkit.org/show_bug.cgi?id=192298
1686
1687         Reviewed by Keith Miller.
1688
1689         * test262.yaml:
1690         * test262/expectations.yaml:
1691         Mark 46 tests as passing.
1692
1693         * stress/block-scope-redeclarations.js:
1694         Add some new tests.
1695
1696         * stress/for-in-invalidate-context-weird-assignments.js:
1697         * stress/for-in-tests.js:
1698         Replace tests for outdated behavior with tests for SyntaxError.
1699
1700         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1701         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1702         Update expectations.
1703
1704 2018-12-18  Mark Lam  <mark.lam@apple.com>
1705
1706         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1707         https://bugs.webkit.org/show_bug.cgi?id=191374
1708         <rdar://problem/46525447>
1709
1710         Reviewed by Yusuke Suzuki.
1711
1712         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1713
1714         * stress/elidable-new-object-roflcopter-then-exit.js:
1715
1716 2018-12-17  Mark Lam  <mark.lam@apple.com>
1717
1718         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1719         https://bugs.webkit.org/show_bug.cgi?id=192019
1720         <rdar://problem/46525456>
1721
1722         Reviewed by Yusuke Suzuki.
1723
1724         The test runs too slow on 32-bit.
1725
1726         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1727
1728 2018-12-17  Mark Lam  <mark.lam@apple.com>
1729
1730         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1731         https://bugs.webkit.org/show_bug.cgi?id=191373
1732         <rdar://problem/46525458>
1733
1734         Reviewed by Yusuke Suzuki.
1735
1736         The test is already slow running with a JIT on 64-bit.  It will always timeout
1737         on 32-bit without a JIT.
1738
1739         * stress/materialize-regexp-cyclic-regexp.js:
1740
1741 2018-12-17  Mark Lam  <mark.lam@apple.com>
1742
1743         Array unshift/shift should not race against the AI in the compiler thread.
1744         https://bugs.webkit.org/show_bug.cgi?id=192795
1745         <rdar://problem/46724263>
1746
1747         Reviewed by Saam Barati.
1748
1749         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1750
1751 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1752
1753         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1754         https://bugs.webkit.org/show_bug.cgi?id=190047
1755
1756         Reviewed by Saam Barati.
1757
1758         * stress/object-keys-cached-zero.js: Added.
1759         (shouldBe):
1760         (test):
1761         * stress/object-keys-changed-attribute.js: Added.
1762         (shouldBe):
1763         (test):
1764         * stress/object-keys-changed-index.js: Added.
1765         (shouldBe):
1766         (test):
1767         * stress/object-keys-changed.js: Added.
1768         (shouldBe):
1769         (test):
1770         * stress/object-keys-indexed-non-cache.js: Added.
1771         (shouldBe):
1772         (test):
1773         * stress/object-keys-overrides-get-property-names.js: Added.
1774         (shouldBe):
1775         (test):
1776         (noInline):
1777
1778 2018-12-17  Mark Lam  <mark.lam@apple.com>
1779
1780         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1781         https://bugs.webkit.org/show_bug.cgi?id=192779
1782         <rdar://problem/46775869>
1783
1784         Reviewed by Saam Barati.
1785
1786         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1787
1788 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1789
1790         Unreviewed test gardening, address a syntax error in a new test.
1791
1792         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1793
1794 2018-12-17  Mark Lam  <mark.lam@apple.com>
1795
1796         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1797         https://bugs.webkit.org/show_bug.cgi?id=192776
1798         <rdar://problem/46772368>
1799
1800         Reviewed by Keith Miller.
1801
1802         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1803
1804 2018-12-17  Mark Lam  <mark.lam@apple.com>
1805
1806         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1807         https://bugs.webkit.org/show_bug.cgi?id=192770
1808         <rdar://problem/46449037>
1809
1810         Reviewed by Keith Miller.
1811
1812         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1813
1814 2018-12-14  Mark Lam  <mark.lam@apple.com>
1815
1816         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1817         https://bugs.webkit.org/show_bug.cgi?id=192717
1818         <rdar://problem/46660677>
1819
1820         Reviewed by Saam Barati.
1821
1822         * stress/regress-192717.js: Added.
1823
1824 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1825
1826         Unreviewed, rolling out r239153, r239154, and r239155.
1827         https://bugs.webkit.org/show_bug.cgi?id=192715
1828
1829         Caused flaky GC-related crashes seen with layout tests
1830         (Requested by ryanhaddad on #webkit).
1831
1832         Reverted changesets:
1833
1834         "[JSC] Optimize Object.keys by caching own keys results in
1835         StructureRareData"
1836         https://bugs.webkit.org/show_bug.cgi?id=190047
1837         https://trac.webkit.org/changeset/239153
1838
1839         "Unreviewed, build fix after r239153"
1840         https://bugs.webkit.org/show_bug.cgi?id=190047
1841         https://trac.webkit.org/changeset/239154
1842
1843         "Unreviewed, build fix after r239153, part 2"
1844         https://bugs.webkit.org/show_bug.cgi?id=190047
1845         https://trac.webkit.org/changeset/239155
1846
1847 2018-12-14  Keith Miller  <keith_miller@apple.com>
1848
1849         Callers of JSString::getIndex should check for OOM exceptions
1850         https://bugs.webkit.org/show_bug.cgi?id=192709
1851
1852         Reviewed by Mark Lam.
1853
1854         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1855
1856 2018-12-13  Mark Lam  <mark.lam@apple.com>
1857
1858         Add a missing exception check.
1859         https://bugs.webkit.org/show_bug.cgi?id=192626
1860         <rdar://problem/46662163>
1861
1862         Reviewed by Keith Miller.
1863
1864         * stress/regress-192626.js: Added.
1865
1866 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1867
1868         [BigInt] Add ValueDiv into DFG
1869         https://bugs.webkit.org/show_bug.cgi?id=186178
1870
1871         Reviewed by Yusuke Suzuki.
1872
1873         * stress/big-int-div-jit-osr.js: Added.
1874         * stress/big-int-div-jit-untyped.js: Added.
1875         * stress/value-div-fixup-int32-big-int.js: Added.
1876
1877 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1878
1879         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1880         https://bugs.webkit.org/show_bug.cgi?id=190047
1881
1882         Reviewed by Keith Miller.
1883
1884         * stress/object-keys-cached-zero.js: Added.
1885         (shouldBe):
1886         (test):
1887         * stress/object-keys-changed-attribute.js: Added.
1888         (shouldBe):
1889         (test):
1890         * stress/object-keys-changed-index.js: Added.
1891         (shouldBe):
1892         (test):
1893         * stress/object-keys-changed.js: Added.
1894         (shouldBe):
1895         (test):
1896         * stress/object-keys-indexed-non-cache.js: Added.
1897         (shouldBe):
1898         (test):
1899         * stress/object-keys-overrides-get-property-names.js: Added.
1900         (shouldBe):
1901         (test):
1902         (noInline):
1903
1904 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1905
1906         [DFG][FTL] Add NewSymbol
1907         https://bugs.webkit.org/show_bug.cgi?id=192620
1908
1909         Reviewed by Saam Barati.
1910
1911         * microbenchmarks/symbol-creation.js: Added.
1912         (test):
1913         * stress/symbol-description-identity.js: Added.
1914         (shouldBe):
1915         (test):
1916         * stress/symbol-identity.js: Added.
1917         (shouldBe):
1918         (test):
1919         * stress/symbol-with-description-throw-error.js: Added.
1920         (shouldBe):
1921         (shouldThrow):
1922         (test):
1923         (object.toString):
1924
1925 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1926
1927         [BigInt] Implement DFG/FTL typeof for BigInt
1928         https://bugs.webkit.org/show_bug.cgi?id=192619
1929
1930         Reviewed by Keith Miller.
1931
1932         * stress/big-int-boolean-proven-type.js: Added.
1933         (assert):
1934         (bool):
1935         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1936         (assert):
1937         (typeOf):
1938         (i.switch):
1939         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1940         (assert):
1941         (typeOf):
1942         * stress/big-int-type-of.js:
1943         (typeOf):
1944         (func):
1945
1946 2018-12-10  Mark Lam  <mark.lam@apple.com>
1947
1948         PropertyAttribute needs a CustomValue bit.
1949         https://bugs.webkit.org/show_bug.cgi?id=191993
1950         <rdar://problem/46264467>
1951
1952         Reviewed by Saam Barati.
1953
1954         * stress/regress-191993.js: Added.
1955
1956 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1957
1958         [BigInt] Add ValueMul into DFG
1959         https://bugs.webkit.org/show_bug.cgi?id=186175
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         * stress/big-int-mul-jit-osr.js: Added.
1964         * stress/big-int-mul-jit-untyped.js: Added.
1965         * stress/value-mul-fixup-int32-big-int.js: Added.
1966
1967 2018-12-06  Keith Miller  <keith_miller@apple.com>
1968
1969         stress/big-wasm-memory tests failing on 32-bit JSC bot
1970         https://bugs.webkit.org/show_bug.cgi?id=192020
1971
1972         Reviewed by Saam Barati.
1973
1974         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1975         the wasm stress tests if the WebAssembly object does not exist.
1976
1977         * stress/big-wasm-memory-grow-no-max.js:
1978         (test.foo):
1979         (test):
1980         (foo): Deleted.
1981         (catch): Deleted.
1982         * stress/big-wasm-memory-grow.js:
1983         (test.foo):
1984         (test):
1985         (foo): Deleted.
1986         (catch): Deleted.
1987         * stress/big-wasm-memory.js:
1988         (test.foo):
1989         (test):
1990         (foo): Deleted.
1991         (catch): Deleted.
1992
1993 2018-12-05  Mark Lam  <mark.lam@apple.com>
1994
1995         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1996         https://bugs.webkit.org/show_bug.cgi?id=192441
1997         <rdar://problem/46480355>
1998
1999         Reviewed by Saam Barati.
2000
2001         * stress/regress-192441.js: Added.
2002
2003 2018-12-04  Mark Lam  <mark.lam@apple.com>
2004
2005         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2006         https://bugs.webkit.org/show_bug.cgi?id=192386
2007         <rdar://problem/46445516>
2008
2009         Reviewed by Saam Barati.
2010
2011         * stress/regress-192386.js: Added.
2012
2013 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2014
2015         [ESNext][BigInt] Support logic operations
2016         https://bugs.webkit.org/show_bug.cgi?id=179903
2017
2018         Reviewed by Yusuke Suzuki.
2019
2020         * stress/big-int-branch-usage.js: Added.
2021         * stress/big-int-logical-and.js: Added.
2022         * stress/big-int-logical-not.js: Added.
2023         * stress/big-int-logical-or.js: Added.
2024
2025 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2026
2027         Unreviewed, rolling out r238833.
2028
2029         Breaks macOS and iOS debug builds.
2030
2031         Reverted changeset:
2032
2033         "[ESNext][BigInt] Support logic operations"
2034         https://bugs.webkit.org/show_bug.cgi?id=179903
2035         https://trac.webkit.org/changeset/238833
2036
2037 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2038
2039         [ESNext][BigInt] Support logic operations
2040         https://bugs.webkit.org/show_bug.cgi?id=179903
2041
2042         Reviewed by Yusuke Suzuki.
2043
2044         * stress/big-int-branch-usage.js: Added.
2045         * stress/big-int-logical-and.js: Added.
2046         * stress/big-int-logical-not.js: Added.
2047         * stress/big-int-logical-or.js: Added.
2048
2049 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2050
2051         [ESNext][BigInt] Implement support for "<<" and ">>"
2052         https://bugs.webkit.org/show_bug.cgi?id=186233
2053
2054         Reviewed by Yusuke Suzuki.
2055
2056         * stress/big-int-left-shift-general.js: Added.
2057         * stress/big-int-left-shift-range-error.js: Added.
2058         * stress/big-int-left-shift-type-error.js: Added.
2059         * stress/big-int-left-shift-wrapped-value.js: Added.
2060         * stress/big-int-right-shift-general.js: Added.
2061         * stress/big-int-right-shift-type-error.js: Added.
2062         * stress/big-int-right-shift-wrapped-value.js: Added.
2063         * stress/left-shift-to-primitive-precedence.js: Added.
2064         * stress/right-shift-to-primitive-precedence.js: Added.
2065
2066 2018-11-30  Dean Jackson  <dino@apple.com>
2067
2068         Add first-class support for .mjs files in jsc binary
2069         https://bugs.webkit.org/show_bug.cgi?id=192190
2070         <rdar://problem/46375715>
2071
2072         Reviewed by Keith Miller.
2073
2074         * stress/simple-module.mjs: Added.
2075         * stress/simple-script.js: Added.
2076
2077 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2078
2079         [BigInt] Implement ValueBitXor into DFG
2080         https://bugs.webkit.org/show_bug.cgi?id=190264
2081
2082         Reviewed by Yusuke Suzuki.
2083
2084         * stress/big-int-bitwise-xor-jit.js: Added.
2085         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2086         * stress/big-int-bitwise-xor-untyped.js: Added.
2087
2088 2018-11-27  Saam barati  <sbarati@apple.com>
2089
2090         r238510 broke scopes of size zero
2091         https://bugs.webkit.org/show_bug.cgi?id=192033
2092         <rdar://problem/46281734>
2093
2094         Reviewed by Keith Miller.
2095
2096         * stress/r238510-bad-loop.js: Added.
2097         (foo):
2098
2099 2018-11-27  Mark Lam  <mark.lam@apple.com>
2100
2101         [Re-landing] NaNs read from Wasm code needs to be be purified.
2102         https://bugs.webkit.org/show_bug.cgi?id=191056
2103         <rdar://problem/45660341>
2104
2105         Reviewed by Filip Pizlo.
2106
2107         * wasm/regress/regress-191056.js: Added.
2108
2109 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2110
2111         Unreviewed, rolling out r238509.
2112
2113         Causes JSC tests to fail on iOS.
2114
2115         Reverted changeset:
2116
2117         "NaNs read from Wasm code needs to be be purified."
2118         https://bugs.webkit.org/show_bug.cgi?id=191056
2119         https://trac.webkit.org/changeset/238509
2120
2121 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2122
2123         Re-introduce op_bitnot
2124         https://bugs.webkit.org/show_bug.cgi?id=190923
2125
2126         Reviewed by Yusuke Suzuki.
2127
2128         * stress/bit-not-must-generate.js: Added.
2129         * stress/bitwise-not-no-int32.js: Added.
2130
2131 2018-11-26  Saam barati  <sbarati@apple.com>
2132
2133         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2134         https://bugs.webkit.org/show_bug.cgi?id=191956
2135         <rdar://problem/45665806>
2136
2137         Reviewed by Yusuke Suzuki.
2138
2139         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2140         (bar):
2141         (foo):
2142
2143 2018-11-26  Saam barati  <sbarati@apple.com>
2144
2145         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2146         https://bugs.webkit.org/show_bug.cgi?id=191958
2147         <rdar://problem/46221877>
2148
2149         Reviewed by Yusuke Suzuki.
2150
2151         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2152         (x):
2153         (foo):
2154
2155 2018-11-26  Mark Lam  <mark.lam@apple.com>
2156
2157         NaNs read from Wasm code needs to be be purified.
2158         https://bugs.webkit.org/show_bug.cgi?id=191056
2159         <rdar://problem/45660341>
2160
2161         Reviewed by Filip Pizlo.
2162
2163         * wasm/regress/regress-191056.js: Added.
2164
2165 2018-11-26  Michael Saboff  <msaboff@apple.com>
2166
2167         32-bit JSC test failure: stress/regexp-compile-oom.js
2168         https://bugs.webkit.org/show_bug.cgi?id=191375
2169
2170         Reviewed by Mark Lam.
2171
2172         Disabled the test for 32 bit platforms.
2173
2174         * stress/regexp-compile-oom.js:
2175
2176 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2177
2178         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2179         https://bugs.webkit.org/show_bug.cgi?id=191716
2180         <rdar://problem/45723878>
2181
2182         Reviewed by Saam Barati.
2183
2184         * stress/regress-187373.js: Added.
2185         (async.fn):
2186
2187 2018-11-21  Saam barati  <sbarati@apple.com>
2188
2189         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2190         https://bugs.webkit.org/show_bug.cgi?id=191897
2191         <rdar://problem/45871998>
2192
2193         Reviewed by Mark Lam.
2194
2195         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2196         (bar):
2197         (foo):
2198
2199 2018-11-21  Saam barati  <sbarati@apple.com>
2200
2201         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2202         https://bugs.webkit.org/show_bug.cgi?id=191895
2203         <rdar://problem/46167406>
2204
2205         Reviewed by Mark Lam.
2206
2207         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2208         (foo):
2209         (bar):
2210
2211 2018-11-21  Mark Lam  <mark.lam@apple.com>
2212
2213         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2214         https://bugs.webkit.org/show_bug.cgi?id=191776
2215         <rdar://problem/46152851>
2216
2217         Reviewed by Saam Barati.
2218
2219         * stress/big-wasm-memory-grow-no-max.js:
2220         * stress/big-wasm-memory-grow.js:
2221         * stress/big-wasm-memory.js:
2222         - updated these to expect an OutOfMemoryError.
2223
2224         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2225         (Binary.prototype.emit_u8):
2226         (Binary.prototype.emit_u32v):
2227         (Binary.prototype.emit_header):
2228         (Binary.prototype.emit_section):
2229         (Binary):
2230         (WasmModuleBuilder):
2231         (WasmModuleBuilder.prototype.addMemory):
2232         (WasmModuleBuilder.prototype.toArray):
2233         (WasmModuleBuilder.prototype.toBuffer):
2234         (WasmModuleBuilder.prototype.instantiate):
2235         (catch):
2236         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2237         (catch):
2238
2239 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2240
2241         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2242         https://bugs.webkit.org/show_bug.cgi?id=190836
2243
2244         Reviewed by Saam Barati and Yusuke Suzuki.
2245
2246         * stress/big-int-out-of-memory-tests.js: Added.
2247
2248 2018-11-20  Mark Lam  <mark.lam@apple.com>
2249
2250         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2251         https://bugs.webkit.org/show_bug.cgi?id=191856
2252         <rdar://problem/46089992>
2253
2254         Reviewed by Yusuke Suzuki.
2255
2256         * stress/regress-191856.js: Added.
2257         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2258
2259 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2260
2261         Enable JIT on ARM/Linux
2262         https://bugs.webkit.org/show_bug.cgi?id=191548
2263
2264         Reviewed by Yusuke Suzuki.
2265
2266         Disable test on system with limited memory. Program was killed by
2267         the OS before the exception was thrown.
2268
2269         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2270
2271 2018-11-20  Saam barati  <sbarati@apple.com>
2272
2273         Merging an IC variant may lead to the IC status containing overlapping structure sets
2274         https://bugs.webkit.org/show_bug.cgi?id=191869
2275         <rdar://problem/45403453>
2276
2277         Reviewed by Mark Lam.
2278
2279         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2280
2281 2018-11-19  Mark Lam  <mark.lam@apple.com>
2282
2283         globalFuncImportModule() should return a promise when it clears exceptions.
2284         https://bugs.webkit.org/show_bug.cgi?id=191792
2285         <rdar://problem/46090763>
2286
2287         Reviewed by Michael Saboff.
2288
2289         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2290
2291 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2292
2293         Skip new memory-hungry tests on memory limited devices
2294
2295         Unreviewed gardening.
2296
2297         * stress/big-wasm-memory-grow-no-max.js:
2298         * stress/big-wasm-memory-grow.js:
2299         * stress/big-wasm-memory.js:
2300
2301 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2302
2303         Unreviewed, rolling in the rest of r237254
2304         https://bugs.webkit.org/show_bug.cgi?id=190340
2305
2306         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2307         * stress/function-cache-with-parameters-end-position.js: Added.
2308         (shouldBe):
2309         (shouldThrow):
2310         (i.anonymous):
2311         * stress/function-constructor-name.js: Added.
2312         (shouldBe):
2313         (GeneratorFunction):
2314         (AsyncFunction.async):
2315         (AsyncGeneratorFunction.async):
2316         (anonymous):
2317         (async.anonymous):
2318         * test262/expectations.yaml:
2319
2320 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2321
2322         All users of ArrayBuffer should agree on the same max size
2323         https://bugs.webkit.org/show_bug.cgi?id=191771
2324
2325         Reviewed by Mark Lam.
2326
2327         * stress/big-wasm-memory-grow-no-max.js: Added.
2328         (foo):
2329         (catch):
2330         * stress/big-wasm-memory-grow.js: Added.
2331         (foo):
2332         (catch):
2333         * stress/big-wasm-memory.js: Added.
2334         (foo):
2335         (catch):
2336
2337 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2338
2339         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2340         run for each JSC config since they're regression tests for runtime bugs.
2341
2342         * stress/json-stringified-overflow-2.js:
2343         * stress/json-stringified-overflow.js:
2344
2345 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2346
2347         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2348         config since they're regression tests for runtime bugs.
2349
2350         * stress/large-unshift-splice.js:
2351         * stress/regress-185888.js:
2352
2353 2018-11-16  Saam Barati  <sbarati@apple.com>
2354
2355         KnownCellUse should also have SpecCellCheck as its type filter
2356         https://bugs.webkit.org/show_bug.cgi?id=191729
2357         <rdar://problem/45872852>
2358
2359         Reviewed by Filip Pizlo.
2360
2361         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2362         (C):
2363
2364 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2365
2366         Fix assertion failure on BytecodeGenerator::recordOpcode
2367         https://bugs.webkit.org/show_bug.cgi?id=191724
2368         <rdar://problem/45724395>
2369
2370         Reviewed by Saam Barati.
2371
2372         * stress/regress-187373-2.js: Added.
2373         (foo):
2374
2375 2018-11-15  Mark Lam  <mark.lam@apple.com>
2376
2377         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2378         https://bugs.webkit.org/show_bug.cgi?id=191730
2379         <rdar://problem/46048517>
2380
2381         Reviewed by Saam Barati.
2382
2383         * stress/regress-187006.js: Removed.
2384           - this test is invalid because its sole purpose is to test for the non-spec
2385             compliant behavior that we just fixed.
2386
2387         * stress/regress-191730.js: Added.
2388
2389 2018-11-15  Mark Lam  <mark.lam@apple.com>
2390
2391         RegExp operations should not take fast patch if lastIndex is not numeric.
2392         https://bugs.webkit.org/show_bug.cgi?id=191731
2393         <rdar://problem/46017305>
2394
2395         Reviewed by Saam Barati.
2396
2397         * stress/regress-191731.js: Added.
2398
2399 2018-11-13  Saam Barati  <sbarati@apple.com>
2400
2401         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2402         https://bugs.webkit.org/show_bug.cgi?id=191600
2403
2404         Reviewed by Mark Lam.
2405
2406         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2407         (foo):
2408         (test):
2409         (bar):
2410
2411 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2412
2413         Unreviewed, rolling out r238132.
2414
2415         The test added with this change is timing out on Debug JSC
2416         bots.
2417
2418         Reverted changeset:
2419
2420         "[BigInt] JSBigInt::createWithLength should throw when length
2421         is greater than JSBigInt::maxLength"
2422         https://bugs.webkit.org/show_bug.cgi?id=190836
2423         https://trac.webkit.org/changeset/238132
2424
2425 2018-11-13  Mark Lam  <mark.lam@apple.com>
2426
2427         Add OOM detection to StringPrototype's substituteBackreferences().
2428         https://bugs.webkit.org/show_bug.cgi?id=191563
2429         <rdar://problem/45720428>
2430
2431         Reviewed by Saam Barati.
2432
2433         * stress/regress-191563.js: Added.
2434
2435 2018-11-13  Mark Lam  <mark.lam@apple.com>
2436
2437         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2438         https://bugs.webkit.org/show_bug.cgi?id=191579
2439         <rdar://problem/45942472>
2440
2441         Reviewed by Saam Barati.
2442
2443         * stress/regress-191579.js: Added.
2444
2445 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2446
2447         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2448         https://bugs.webkit.org/show_bug.cgi?id=190836
2449
2450         Reviewed by Saam Barati.
2451
2452         * stress/big-int-out-of-memory-tests.js: Added.
2453
2454 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2455
2456         U+180E is no longer a whitespace character
2457         https://bugs.webkit.org/show_bug.cgi?id=191415
2458
2459         Reviewed by Saam Barati.
2460
2461         * ChakraCore/test/es5/regexSpace.baseline:
2462         * ChakraCore/test/es6/unicode_whitespace.js:
2463         Update tests to latest version.
2464         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2465
2466         * test262.yaml:
2467         * test262/config.yaml:
2468         * test262/expectations.yaml:
2469         Update expectations.
2470
2471 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2472
2473         [BigInt] Add support to BigInt into ValueAdd
2474         https://bugs.webkit.org/show_bug.cgi?id=186177
2475
2476         Reviewed by Keith Miller.
2477
2478         * stress/big-int-negate-jit.js:
2479         * stress/value-add-big-int-and-string.js: Added.
2480         * stress/value-add-big-int-prediction-propagation.js: Added.
2481         * stress/value-add-big-int-untyped.js: Added.
2482
2483 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2484
2485         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2486         https://bugs.webkit.org/show_bug.cgi?id=191184
2487
2488         Reviewed by Saam Barati.
2489
2490         Most tests were failing due to timeouts, since they are too slow to
2491         run on CLoop. The exceptions are:
2492
2493         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2494         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2495         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2496         to change the stack size since CLoop requires it to be page aligned.
2497
2498         * microbenchmarks/array-push-1.js:
2499         * microbenchmarks/array-push-2.js:
2500         * microbenchmarks/elidable-new-object-dag.js:
2501         * microbenchmarks/elidable-new-object-roflcopter.js:
2502         * microbenchmarks/elidable-new-object-tree.js:
2503         * microbenchmarks/getter-richards.js:
2504         * microbenchmarks/sinkable-new-object-dag.js:
2505         * microbenchmarks/string-concat-long-convert.js:
2506         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2507         * slowMicrobenchmarks/array-push-3.js:
2508         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2509         * slowMicrobenchmarks/spread-small-array.js:
2510         * slowMicrobenchmarks/undefined-property-access.js:
2511         * stress/activation-sink-default-value-tdz-error.js:
2512         * stress/activation-sink-default-value.js:
2513         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2514         * stress/activation-sink-osrexit-default-value.js:
2515         * stress/activation-sink-osrexit.js:
2516         * stress/activation-sink.js:
2517         * stress/allow-math-ic-b3-code-duplication.js:
2518         * stress/array-push-multiple-int32.js:
2519         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2520         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2521         * stress/arrowfunction-lexical-this-activation-sink.js:
2522         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2523         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2524         * stress/elide-new-object-dag-then-exit.js:
2525         * stress/materialize-regexp-cyclic.js:
2526         * stress/new-regex-inline.js:
2527         * stress/op_add.js:
2528         * stress/op_bitand.js:
2529         * stress/op_bitor.js:
2530         * stress/op_bitxor.js:
2531         * stress/op_div-ConstVar.js:
2532         * stress/op_div-VarConst.js:
2533         * stress/op_div-VarVar.js:
2534         * stress/op_lshift-ConstVar.js:
2535         * stress/op_lshift-VarConst.js:
2536         * stress/op_lshift-VarVar.js:
2537         * stress/op_mod-ConstVar.js:
2538         * stress/op_mod-VarConst.js:
2539         * stress/op_mod-VarVar.js:
2540         * stress/op_mul-ConstVar.js:
2541         * stress/op_mul-VarConst.js:
2542         * stress/op_mul-VarVar.js:
2543         * stress/op_rshift-ConstVar.js:
2544         * stress/op_rshift-VarConst.js:
2545         * stress/op_rshift-VarVar.js:
2546         * stress/op_sub-ConstVar.js:
2547         * stress/op_sub-VarConst.js:
2548         * stress/op_sub-VarVar.js:
2549         * stress/op_urshift-ConstVar.js:
2550         * stress/op_urshift-VarConst.js:
2551         * stress/op_urshift-VarVar.js:
2552         * stress/proxy-get-set-correct-receiver.js:
2553         * stress/regress-179562.js:
2554         * stress/rest-parameter-many-arguments.js:
2555         * stress/sampling-profiler-richards.js:
2556         * stress/splay-flash-access-1ms.js:
2557         * stress/tailCallForwardArguments.js:
2558         * stress/typed-array-get-by-val-profiling.js:
2559         * typeProfiler/getter-richards.js:
2560
2561 2018-11-06  Michael Saboff  <msaboff@apple.com>
2562
2563         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2564         https://bugs.webkit.org/show_bug.cgi?id=191271
2565
2566         Reviewed by Saam Barati.
2567
2568         Added more test cases and made all test cases run with the same deeply recursive stack
2569         instead of finding that same point for each test case.
2570
2571         * stress/regexp-compile-oom.js:
2572         (prototype.runTest):
2573         (recurseAndTest):
2574         (testList.push.new.TestAndExpectedException):
2575
2576 2018-11-05  Michael Saboff  <msaboff@apple.com>
2577
2578         Unreviewed build fix for linux.
2579
2580         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2581
2582 2018-11-02  Michael Saboff  <msaboff@apple.com>
2583
2584         Rolling in r237753 with unreviewed build fix.
2585
2586         Fixed issues with DECLARE_THROW_SCOPE placement.
2587
2588 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2589
2590         Unreviewed, rolling out r237753.
2591
2592         Introduced JSC test failures
2593
2594         Reverted changeset:
2595
2596         "Running out of stack space not properly handled in
2597         RegExp::compile() and its callers"
2598         https://bugs.webkit.org/show_bug.cgi?id=191206
2599         https://trac.webkit.org/changeset/237753
2600
2601 2018-11-02  Michael Saboff  <msaboff@apple.com>
2602
2603         Running out of stack space not properly handled in RegExp::compile() and its callers
2604         https://bugs.webkit.org/show_bug.cgi?id=191206
2605
2606         Reviewed by Filip Pizlo.
2607
2608         New regression test.
2609
2610         * stress/regexp-compile-oom.js: Added.
2611         (recurseAndTest):
2612
2613 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2614
2615         Skip tests on arm/mips that time out now we're running on CLoop
2616
2617         Unreviewed gardening.
2618
2619         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2620         time out on the bots and need to be disabled. There's more tests
2621         disabled on arm because the timeout is longer on the mips bot (as the
2622         device is slower to start with), so many of the tests don't time out
2623         there.
2624
2625         * microbenchmarks/getter-richards.js: disable on arm and mips.
2626         * stress/op_add.js: disable on arm.
2627         * stress/op_bitand.js: disable on arm.
2628         * stress/op_bitor.js: disable on arm.
2629         * stress/op_bitxor.js: disable on arm.
2630         * stress/op_lshift-ConstVar.js: disable on arm.
2631         * stress/op_lshift-VarConst.js: disable on arm.
2632         * stress/op_lshift-VarVar.js: disable on arm.
2633         * stress/op_mod-ConstVar.js: disable on arm.
2634         * stress/op_mod-VarConst.js: disable on arm.
2635         * stress/op_mod-VarVar.js: disable on arm.
2636         * stress/op_mul-ConstVar.js: disable on arm.
2637         * stress/op_mul-VarConst.js: disable on arm.
2638         * stress/op_mul-VarVar.js: disable on arm.
2639         * stress/op_rshift-ConstVar.js: disable on arm.
2640         * stress/op_rshift-VarConst.js: disable on arm.
2641         * stress/op_rshift-VarVar.js: disable on arm.
2642         * stress/op_sub-ConstVar.js: disable on arm.
2643         * stress/op_sub-VarConst.js: disable on arm.
2644         * stress/op_sub-VarVar.js: disable on arm.
2645         * stress/op_urshift-ConstVar.js: disable on arm.
2646         * stress/op_urshift-VarConst.js: disable on arm.
2647         * stress/op_urshift-VarVar.js: disable on arm.
2648         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2649         * stress/value-to-boolean.js: disable on arm and mips.
2650
2651 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2652
2653         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2654         https://bugs.webkit.org/show_bug.cgi?id=191108
2655         <rdar://problem/45690700>
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/wide-op_catch.js: Added.
2660         (catch):
2661
2662 2018-10-29  Mark Lam  <mark.lam@apple.com>
2663
2664         Correctly detect string overflow when using the 'Function' constructor.
2665         https://bugs.webkit.org/show_bug.cgi?id=184883
2666         <rdar://problem/36320331>
2667
2668         Reviewed by Saam Barati.
2669
2670         I've verified that this passes on 32-bit as well.
2671
2672         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2673
2674 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2675
2676         Add support for GetStack FlushedDouble
2677         https://bugs.webkit.org/show_bug.cgi?id=191012
2678         <rdar://problem/45265141>
2679
2680         Reviewed by Saam Barati.
2681
2682         * stress/get-stack-double.js: Added.
2683         (bar):
2684         (noInline):
2685
2686 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2687
2688         New bytecode format for JSC
2689         https://bugs.webkit.org/show_bug.cgi?id=187373
2690         <rdar://problem/44186758>
2691
2692         Reviewed by Filip Pizlo.
2693
2694         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2695
2696         * stress/maximum-inline-capacity.js: Added.
2697         (test1):
2698         (test3.Foo):
2699         (test3):
2700
2701 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2702
2703         Unreviewed, rolling out r237479 and r237484.
2704         https://bugs.webkit.org/show_bug.cgi?id=190978
2705
2706         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2707
2708         Reverted changesets:
2709
2710         "New bytecode format for JSC"
2711         https://bugs.webkit.org/show_bug.cgi?id=187373
2712         https://trac.webkit.org/changeset/237479
2713
2714         "Gardening: Build fix after r237479."
2715         https://bugs.webkit.org/show_bug.cgi?id=187373
2716         https://trac.webkit.org/changeset/237484
2717
2718 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2719
2720         New bytecode format for JSC
2721         https://bugs.webkit.org/show_bug.cgi?id=187373
2722         <rdar://problem/44186758>
2723
2724         Reviewed by Filip Pizlo.
2725
2726         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2727
2728         * stress/maximum-inline-capacity.js: Added.
2729         (test1):
2730         (test3.Foo):
2731         (test3):
2732
2733 2018-10-26  Mark Lam  <mark.lam@apple.com>
2734
2735         Fix missing edge cases with JSGlobalObjects having a bad time.
2736         https://bugs.webkit.org/show_bug.cgi?id=189028
2737         <rdar://problem/45204939>
2738
2739         Reviewed by Saam Barati.
2740
2741         * stress/regress-189028.js: Added.
2742
2743 2018-10-22  Mark Lam  <mark.lam@apple.com>
2744
2745         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2746         https://bugs.webkit.org/show_bug.cgi?id=190515
2747         <rdar://problem/45222379>
2748
2749         Rubber-stamped by Saam Barati.
2750
2751         Adding another test.
2752
2753         * stress/regress-190515-2.js: Added.
2754
2755 2018-10-22  Mark Lam  <mark.lam@apple.com>
2756
2757         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2758         https://bugs.webkit.org/show_bug.cgi?id=190515
2759         <rdar://problem/45222379>
2760
2761         Reviewed by Saam Barati.
2762
2763         * stress/regress-190515.js: Added.
2764
2765 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2766
2767         Unreviewed, rolling out r237254.
2768         https://bugs.webkit.org/show_bug.cgi?id=190760
2769
2770         "It regresses JetStream 2 by 5% on some iOS devices"
2771         (Requested by saamyjoon on #webkit).
2772
2773         Reverted changeset:
2774
2775         "[JSC] JSC should have "parseFunction" to optimize Function
2776         constructor"
2777         https://bugs.webkit.org/show_bug.cgi?id=190340
2778         https://trac.webkit.org/changeset/237254
2779
2780 2018-10-19  Saam Barati  <sbarati@apple.com>
2781
2782         vmCall should check if we exit before emitting an OSR exit due to exceptions
2783         https://bugs.webkit.org/show_bug.cgi?id=190740
2784         <rdar://problem/45220139>
2785
2786         Reviewed by Mark Lam.
2787
2788         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2789         (foo):
2790
2791 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2792
2793         [ESNext][BigInt] Implement support for "^"
2794         https://bugs.webkit.org/show_bug.cgi?id=186235
2795
2796         Reviewed by Yusuke Suzuki.
2797
2798         * stress/big-int-bitwise-xor-general.js: Added.
2799         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2800         * stress/big-int-bitwise-xor-type-error.js: Added.
2801         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2802
2803 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2804
2805         [BigInt] Add ValueSub into DFG
2806         https://bugs.webkit.org/show_bug.cgi?id=186176
2807
2808         Reviewed by Yusuke Suzuki.
2809
2810         * stress/big-int-subtraction-jit.js:
2811         * stress/value-sub-big-int-prediction-propagation.js: Added.
2812         * stress/value-sub-big-int-untyped.js: Added.
2813         * stress/value-sub-spec-none-case.js: Added.
2814
2815 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2816
2817         [JSC] JSC should have "parseFunction" to optimize Function constructor
2818         https://bugs.webkit.org/show_bug.cgi?id=190340
2819
2820         Reviewed by Mark Lam.
2821
2822         This patch fixes the line number of syntax errors raised by the Function constructor,
2823         since we now parse the final code only once. And we no longer use block statement
2824         for Function constructor's parsing.
2825
2826         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2827         * stress/function-cache-with-parameters-end-position.js: Added.
2828         (shouldBe):
2829         (shouldThrow):
2830         (i.anonymous):
2831         * stress/function-constructor-name.js: Added.
2832         (shouldBe):
2833         (GeneratorFunction):
2834         (AsyncFunction.async):
2835         (AsyncGeneratorFunction.async):
2836         (anonymous):
2837         (async.anonymous):
2838         * test262/expectations.yaml:
2839
2840 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2841
2842         Unreviewed, rolling out r237242.
2843         https://bugs.webkit.org/show_bug.cgi?id=190701
2844
2845         it breaks "stress/sampling-profiler-basic.js" (Requested by
2846         caiolima on #webkit).
2847
2848         Reverted changeset:
2849
2850         "[BigInt] Add ValueSub into DFG"
2851         https://bugs.webkit.org/show_bug.cgi?id=186176
2852         https://trac.webkit.org/changeset/237242
2853
2854 2018-10-17  Keith Miller  <keith_miller@apple.com>
2855
2856         AI does not clear Phantom allocation nodes.
2857         https://bugs.webkit.org/show_bug.cgi?id=190694
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2862         (Day):
2863         (DaysInYear):
2864         (TimeInYear):
2865         (TimeFromYear):
2866         (DayFromYear):
2867         (InLeapYear):
2868         (YearFromTime):
2869         (WeekDay):
2870         (DaylightSavingTA):
2871         (GetSecondSundayInMarch):
2872         (TimeInMonth):
2873
2874 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2875
2876         [BigInt] Add ValueSub into DFG
2877         https://bugs.webkit.org/show_bug.cgi?id=186176
2878
2879         Reviewed by Yusuke Suzuki.
2880
2881         * stress/big-int-subtraction-jit.js:
2882         * stress/value-sub-big-int-prediction-propagation.js: Added.
2883         * stress/value-sub-big-int-untyped.js: Added.
2884
2885 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2886
2887         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2888         https://bugs.webkit.org/show_bug.cgi?id=190611
2889
2890         Reviewed by Saam Barati.
2891
2892         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2893         to improve test runtime. On ARM/MIPS this test even timed out when running all
2894         tests.
2895
2896         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2897         (test):
2898
2899 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2900
2901         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2902
2903         Unreviewed gardening.
2904
2905         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2906
2907 2018-10-15  Saam barati  <sbarati@apple.com>
2908
2909         Emit fjcvtzs on ARM64E on Darwin
2910         https://bugs.webkit.org/show_bug.cgi?id=184023
2911
2912         Reviewed by Yusuke Suzuki and Filip Pizlo.
2913
2914         * stress/double-to-int32-NaN.js: Added.
2915         (assert):
2916         (foo):
2917
2918 2018-10-15  Saam Barati  <sbarati@apple.com>
2919
2920         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2921         https://bugs.webkit.org/show_bug.cgi?id=190262
2922         <rdar://problem/44986241>
2923
2924         Reviewed by Mark Lam.
2925
2926         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2927         (test):
2928         * stress/slice-array-storage-with-holes.js: Added.
2929         (main):
2930
2931 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2932
2933         Unreviewed, rolling out r237054.
2934         https://bugs.webkit.org/show_bug.cgi?id=190593
2935
2936         "this regressed JetStream 2 by 6% on iOS" (Requested by
2937         saamyjoon on #webkit).
2938
2939         Reverted changeset:
2940
2941         "[JSC] JSC should have "parseFunction" to optimize Function
2942         constructor"
2943         https://bugs.webkit.org/show_bug.cgi?id=190340
2944         https://trac.webkit.org/changeset/237054
2945
2946 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2947
2948         [JSC] JSON.stringify can accept call-with-no-arguments
2949         https://bugs.webkit.org/show_bug.cgi?id=190343
2950
2951         Reviewed by Mark Lam.
2952
2953         * stress/json-stringify-no-arguments.js: Added.
2954         (shouldBe):
2955
2956 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2957
2958         [JSC] JSC should have "parseFunction" to optimize Function constructor
2959         https://bugs.webkit.org/show_bug.cgi?id=190340
2960
2961         Reviewed by Mark Lam.
2962
2963         This patch fixes the line number of syntax errors raised by the Function constructor,
2964         since we now parse the final code only once. And we no longer use block statement
2965         for Function constructor's parsing.
2966
2967         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2968         * stress/function-cache-with-parameters-end-position.js: Added.
2969         (shouldBe):
2970         (shouldThrow):
2971         (i.anonymous):
2972         * stress/function-constructor-name.js: Added.
2973         (shouldBe):
2974         (GeneratorFunction):
2975         (AsyncFunction.async):
2976         (AsyncGeneratorFunction.async):
2977         (anonymous):
2978         (async.anonymous):
2979         * test262/expectations.yaml:
2980
2981 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2982
2983         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2984         https://bugs.webkit.org/show_bug.cgi?id=190426
2985
2986         Unreviewed gardening.
2987
2988         * stress/sampling-profiler-richards.js:
2989
2990 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2991
2992         [ESNext][BigInt] Implement support for "|"
2993         https://bugs.webkit.org/show_bug.cgi?id=186229
2994
2995         Reviewed by Yusuke Suzuki.
2996
2997         * stress/big-int-bitwise-and-jit.js:
2998         * stress/big-int-bitwise-or-general.js: Added.
2999         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3000         * stress/big-int-bitwise-or-jit.js: Added.
3001         * stress/big-int-bitwise-or-memory-stress.js: Added.
3002         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3003         * stress/big-int-bitwise-or-type-error.js: Added.
3004         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3005
3006 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3007
3008         Skip test on systems with limited memory
3009         https://bugs.webkit.org/show_bug.cgi?id=190310
3010
3011         Invoking runDefault adds test to runlist, skipping the test in the next
3012         line does not prevent the test from executing. Change order of lines such
3013         that runDefault is only executed if test is not executed.
3014
3015         Reviewed by Mark Lam.
3016
3017         * stress/regress-190187.js:
3018
3019 2018-10-03  Saam barati  <sbarati@apple.com>
3020
3021         lowXYZ in FTLLower should always filter the type of the incoming edge
3022         https://bugs.webkit.org/show_bug.cgi?id=189939
3023         <rdar://problem/44407030>
3024
3025         Reviewed by Michael Saboff.
3026
3027         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3028         (foo):
3029         (test):
3030
3031 2018-10-03  Mark Lam  <mark.lam@apple.com>
3032
3033         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3034         https://bugs.webkit.org/show_bug.cgi?id=190187
3035         <rdar://problem/42512909>
3036
3037         Reviewed by Michael Saboff.
3038
3039         * stress/regress-190187.js: Added.
3040
3041 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3042
3043         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3044         https://bugs.webkit.org/show_bug.cgi?id=190033
3045
3046         Reviewed by Yusuke Suzuki.
3047
3048         * stress/big-int-to-string.js:
3049
3050 2018-10-01  Mark Lam  <mark.lam@apple.com>
3051
3052         Function.toString() should also copy the source code Functions that are class definitions.
3053         https://bugs.webkit.org/show_bug.cgi?id=190186
3054         <rdar://problem/44733360>
3055
3056         Reviewed by Saam Barati.
3057
3058         * stress/regress-190186.js: Added.
3059
3060 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3061
3062         Split NaN-check into separate test
3063         https://bugs.webkit.org/show_bug.cgi?id=190010
3064
3065         Reviewed by Saam Barati.
3066
3067         DataView exposes NaN-representation, which is not necessarily the same on each
3068         architecture. Therefore move the check of the NaN-representation into its own
3069         file such that we can disable this test on MIPS where NaN-representation can be
3070         different on older CPUs.
3071
3072         * stress/dataview-jit-set-nan.js: Added.
3073         (assert):
3074         (test.storeLittleEndian):
3075         (test.storeBigEndian):
3076         (test.store):
3077         (test):
3078         * stress/dataview-jit-set.js:
3079         (test5):
3080
3081 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3082
3083         Unreviewed, rolling out r236647.
3084         https://bugs.webkit.org/show_bug.cgi?id=190124
3085
3086         Breaking test stress/big-int-to-string.js (Requested by
3087         caiolima_ on #webkit).
3088
3089         Reverted changeset:
3090
3091         "[BigInt] BigInt.proptotype.toString is broken when radix is
3092         power of 2"
3093         https://bugs.webkit.org/show_bug.cgi?id=190033
3094         https://trac.webkit.org/changeset/236647
3095
3096 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3097
3098         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3099         https://bugs.webkit.org/show_bug.cgi?id=190033
3100
3101         Reviewed by Yusuke Suzuki.
3102
3103         * stress/big-int-to-string.js:
3104
3105 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3106
3107         [ESNext][BigInt] Implement support for "&"
3108         https://bugs.webkit.org/show_bug.cgi?id=186228
3109
3110         Reviewed by Yusuke Suzuki.
3111
3112         * stress/big-int-bitwise-and-general.js: Added.
3113         (assert):
3114         (assert.sameValue):
3115         * stress/big-int-bitwise-and-jit.js: Added.
3116         (let.assert.sameValue):
3117         (bigIntBitAnd):
3118         * stress/big-int-bitwise-and-memory-stress.js: Added.
3119         (assert):
3120         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3121         (assert.sameValue):
3122         (let.o.Symbol.toPrimitive):
3123         (catch):
3124         * stress/big-int-bitwise-and-type-error.js: Added.
3125         (assert):
3126         (assertThrowTypeError):
3127         (let.o.valueOf):
3128         (o.valueOf):
3129         (o.toString):
3130         (o.Symbol.toPrimitive):
3131         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3132         (assert.sameValue):
3133         (testBitAnd):
3134         (let.o.Symbol.toPrimitive):
3135         (o.valueOf):
3136         (o.toString):
3137
3138 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3139
3140         JSC test stress/jsc-read.js doesn't support CRLF
3141         https://bugs.webkit.org/show_bug.cgi?id=190063
3142
3143         Reviewed by Yusuke Suzuki.
3144
3145         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3146
3147         * stress/jsc-read.js:
3148         (test):
3149
3150 2018-09-27  Saam barati  <sbarati@apple.com>
3151
3152         Verify the contents of AssemblerBuffer on arm64e
3153         https://bugs.webkit.org/show_bug.cgi?id=190057
3154         <rdar://problem/38916630>
3155
3156         Reviewed by Mark Lam.
3157
3158         * stress/regress-189132.js:
3159
3160 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3161
3162         Disable test without LLInt on ARMv7
3163         https://bugs.webkit.org/show_bug.cgi?id=190037
3164
3165         Reviewed by Mark Lam.
3166
3167         Test runs out of executable memory on ARMv7, do not run
3168         this test without LLInt enabled.
3169
3170         * stress/regress-169445.js:
3171
3172 2018-09-26  Keith Miller  <keith_miller@apple.com>
3173
3174         We should zero unused property storage when rebalancing array storage.
3175         https://bugs.webkit.org/show_bug.cgi?id=188151
3176
3177         Reviewed by Michael Saboff.
3178
3179         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3180
3181 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3182
3183         [JSC] Optimize Array#lastIndexOf
3184         https://bugs.webkit.org/show_bug.cgi?id=189780
3185
3186         Reviewed by Saam Barati.
3187
3188         * stress/array-lastindexof-array-prototype-trap.js: Added.
3189         (shouldBe):
3190         (AncestorArray.prototype.get 2):
3191         (AncestorArray):
3192         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3193         (shouldBe):
3194         * stress/array-lastindexof-hole-nan.js: Added.
3195         (shouldBe):
3196         (throw.new.Error):
3197         * stress/array-lastindexof-infinity.js: Added.
3198         (shouldBe):
3199         (throw.new.Error):
3200         * stress/array-lastindexof-negative-zero.js: Added.
3201         (shouldBe):
3202         (throw.new.Error):
3203         * stress/array-lastindexof-own-getter.js: Added.
3204         (shouldBe):
3205         (throw.new.Error.get array):
3206         (get array):
3207         * stress/array-lastindexof-prototype-trap.js: Added.
3208         (shouldBe):
3209         (DerivedArray.prototype.get 2):
3210         (DerivedArray):
3211
3212 2018-09-25  Saam Barati  <sbarati@apple.com>
3213
3214         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3215         https://bugs.webkit.org/show_bug.cgi?id=189940
3216         <rdar://problem/43640987>
3217
3218         Reviewed by Mark Lam.
3219
3220         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3221
3222 2018-09-24  Saam Barati  <sbarati@apple.com>
3223
3224         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3225         https://bugs.webkit.org/show_bug.cgi?id=189922
3226         <rdar://problem/44651275>
3227
3228         Reviewed by Mark Lam.
3229
3230         * stress/array-indexof-fast-path-effects.js: Added.
3231         * stress/array-indexof-cached-length.js: Added.
3232
3233 2018-09-24  Saam barati  <sbarati@apple.com>
3234
3235         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3236         https://bugs.webkit.org/show_bug.cgi?id=189682
3237         <rdar://problem/43557315>
3238
3239         Reviewed by Mark Lam.
3240
3241         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3242         (foo):
3243
3244 2018-09-22  Saam barati  <sbarati@apple.com>
3245
3246         The sampling should not use Strong<CodeBlock> in its machineLocation field
3247         https://bugs.webkit.org/show_bug.cgi?id=189319
3248
3249         Reviewed by Filip Pizlo.
3250
3251         * stress/sampling-profiler-richards.js: Added.
3252
3253 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3254
3255         [JSC] Optimize Array#indexOf in C++ runtime
3256         https://bugs.webkit.org/show_bug.cgi?id=189507
3257
3258         Reviewed by Saam Barati.
3259
3260         * stress/array-indexof-array-prototype-trap.js: Added.
3261         (shouldBe):
3262         (AncestorArray.prototype.get 2):
3263         (AncestorArray):
3264         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3265         (shouldBe):
3266         * stress/array-indexof-hole-nan.js: Added.
3267         (shouldBe):
3268         (throw.new.Error):
3269         * stress/array-indexof-infinity.js: Added.
3270         (shouldBe):
3271         (throw.new.Error):
3272         * stress/array-indexof-negative-zero.js: Added.
3273         (shouldBe):
3274         (throw.new.Error):
3275         * stress/array-indexof-own-getter.js: Added.
3276         (shouldBe):
3277         (throw.new.Error.get array):
3278         (get array):
3279         * stress/array-indexof-prototype-trap.js: Added.
3280         (shouldBe):
3281         (DerivedArray.prototype.get 2):
3282         (DerivedArray):
3283
3284 2018-09-19  Saam barati  <sbarati@apple.com>
3285
3286         AI rule for MultiPutByOffset executes its effects in the wrong order
3287         https://bugs.webkit.org/show_bug.cgi?id=189757
3288         <rdar://problem/43535257>
3289
3290         Reviewed by Michael Saboff.
3291
3292         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3293         (foo):
3294         (Foo):
3295         (g):
3296
3297 2018-09-17  Mark Lam  <mark.lam@apple.com>
3298
3299         Ensure that ForInContexts are invalidated if their loop local is over-written.
3300         https://bugs.webkit.org/show_bug.cgi?id=189571
3301         <rdar://problem/44402277>
3302
3303         Reviewed by Saam Barati.
3304
3305         * stress/regress-189571.js: Added.
3306
3307 2018-09-17  Saam barati  <sbarati@apple.com>
3308
3309         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3310         https://bugs.webkit.org/show_bug.cgi?id=189676
3311         <rdar://problem/39682897>
3312
3313         Reviewed by Michael Saboff.
3314
3315         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3316         (A):
3317         (K):
3318         (i.catch):
3319
3320 2018-09-14  Saam barati  <sbarati@apple.com>
3321
3322         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3323         https://bugs.webkit.org/show_bug.cgi?id=189628
3324         <rdar://problem/39481690>
3325
3326         Reviewed by Mark Lam.
3327
3328         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3329         (foo):
3330
3331 2018-09-11  Mark Lam  <mark.lam@apple.com>
3332
3333         Test for array initialization in arrayProtoFuncSplice.
3334         https://bugs.webkit.org/show_bug.cgi?id=170253
3335         <rdar://problem/31328773>
3336
3337         Rubber-stamped by Saam Barati.
3338
3339         * stress/regress-170253.js: Added.
3340
3341 2018-09-11  Mark Lam  <mark.lam@apple.com>
3342
3343         Test for IntlObject initialization.
3344         https://bugs.webkit.org/show_bug.cgi?id=170251
3345         <rdar://problem/31328419>
3346
3347         Rubber-stamped by Saam Barati.
3348
3349         * stress/regress-170251.js: Added.
3350
3351 2018-09-11  Mark Lam  <mark.lam@apple.com>
3352
3353         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3354         https://bugs.webkit.org/show_bug.cgi?id=169889
3355         <rdar://problem/31155607>
3356
3357         Reviewed by Saam Barati.
3358
3359         * stress/regress-169889-array-concat.js: Added.
3360         * stress/regress-169889-array-concat1.js: Added.
3361         * stress/regress-169889-array-slice.js: Added.
3362
3363 2018-09-11  Mark Lam  <mark.lam@apple.com>
3364
3365         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3366         https://bugs.webkit.org/show_bug.cgi?id=169445
3367         <rdar://problem/30957435>
3368
3369         Reviewed by Saam Barati.
3370
3371         * stress/regress-169445.js: Added.
3372         (let.gun.eval.A):
3373         (let.gun.eval.B.C):
3374         (let.gun.eval.B.C.prototype.trigger):
3375         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3376         (let.gun.eval.B):
3377         (let.gun.eval):
3378
3379 == Rolled over to ChangeLog-2018-09-11 ==