DFG liveness can't skip tail caller inline frames
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-14  Keith Miller  <keith_miller@apple.com>
2
3         DFG liveness can't skip tail caller inline frames
4         https://bugs.webkit.org/show_bug.cgi?id=195715
5
6         Reviewed by Saam Barati.
7
8         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
9         (i.foo):
10
11 2019-03-13  Mark Lam  <mark.lam@apple.com>
12
13         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
14         https://bugs.webkit.org/show_bug.cgi?id=195415
15
16         Not reviewed.
17
18         Changed these tests to only run the default configuration.
19         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
20         There's no strong need to run this test on that variant.
21
22         * stress/dfg-to-string-on-int-does-gc.js:
23         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
24
25 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         String overflow when using StringBuilder in JSC::createError
28         https://bugs.webkit.org/show_bug.cgi?id=194957
29
30         Reviewed by Mark Lam.
31
32         Add test string-overflow-createError-bulder.js that overflows
33         StringBuilder in notAFunctionSourceAppender. The second new test
34         string-overflow-createError-fit.js has an error message that doesn't
35         overflow, it still failed since the String's capacity can't be doubled.
36         Run test string-overflow-createError.js only in the default
37         configuration to reduce memory consumption when running the test
38         in all configurations on multiple CPUs in parallel.
39
40         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
41         (catch):
42         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
43         (catch):
44         * stress/string-overflow-createError.js:
45
46 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
47
48         [JSC] OSR entry should respect abstract values in addition to flush formats
49         https://bugs.webkit.org/show_bug.cgi?id=195653
50
51         Reviewed by Mark Lam.
52
53         * stress/osr-entry-locals-none.js: Added.
54
55 2019-03-12  Michael Saboff  <msaboff@apple.com>
56
57         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
58         https://bugs.webkit.org/show_bug.cgi?id=195613
59
60         Reviewed by Mark Lam.
61
62         New regression test.
63
64         * stress/regexp-backref-inbounds.js: Added.
65         (testRegExp):
66
67 2019-03-12  Mark Lam  <mark.lam@apple.com>
68
69         The HasIndexedProperty node does GC.
70         https://bugs.webkit.org/show_bug.cgi?id=195559
71         <rdar://problem/48767923>
72
73         Reviewed by Yusuke Suzuki.
74
75         * stress/HasIndexedProperty-does-gc.js: Added.
76
77 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
78
79         [ESNext][BigInt] Implement "~" unary operation
80         https://bugs.webkit.org/show_bug.cgi?id=182216
81
82         Reviewed by Keith Miller.
83
84         * stress/big-int-bit-not-general.js: Added.
85         * stress/big-int-bitwise-not-jit.js: Added.
86         * stress/big-int-bitwise-not-wrapped-value.js: Added.
87         * stress/bit-op-with-object-returning-int32.js:
88         * stress/bitwise-not-fixup-rules.js: Added.
89         * stress/value-bit-not-ai-rule.js: Added.
90
91 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
92
93         Invalid flags in a RegExp literal should be an early SyntaxError
94         https://bugs.webkit.org/show_bug.cgi?id=195514
95
96         Reviewed by Darin Adler.
97
98         * test262/expectations.yaml:
99         Mark 4 test cases as passing.
100
101         * stress/regexp-syntax-error-invalid-flags.js:
102         * stress/regress-161995.js: Removed.
103         Update existing test, merging in an older test for the same behavior.
104
105 2019-03-08  Mark Lam  <mark.lam@apple.com>
106
107         Stack overflow crash in JSC::JSObject::hasInstance.
108         https://bugs.webkit.org/show_bug.cgi?id=195458
109         <rdar://problem/48710195>
110
111         Reviewed by Yusuke Suzuki.
112
113         * stress/stack-overflow-in-custom-hasInstance.js: Added.
114
115 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
116
117         op_check_tdz does not def its argument
118         https://bugs.webkit.org/show_bug.cgi?id=192880
119         <rdar://problem/46221598>
120
121         Reviewed by Saam Barati.
122
123         * microbenchmarks/let-for-in.js: Added.
124         (foo):
125
126 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
127
128         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
129         https://bugs.webkit.org/show_bug.cgi?id=195429
130
131         Reviewed by Saam Barati.
132
133         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
134         (foo):
135         * stress/string-from-char-code-255.js: Added.
136
137 2019-03-06  Mark Lam  <mark.lam@apple.com>
138
139         Fix incorrect handling of try-finally completion values.
140         https://bugs.webkit.org/show_bug.cgi?id=195131
141         <rdar://problem/46222079>
142
143         Reviewed by Saam Barati and Yusuke Suzuki.
144
145         Added many permutations of new test case to test-finally.js.  test-finally.js has
146         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
147         tests passes there as well.
148
149         * stress/test-finally.js:
150
151 2019-03-06  Saam Barati  <sbarati@apple.com>
152
153         Air::reportUsedRegisters must padInterference
154         https://bugs.webkit.org/show_bug.cgi?id=195303
155         <rdar://problem/48270343>
156
157         Reviewed by Keith Miller.
158
159         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
160
161 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
162
163         [JSC] AI should not propagate AbstractValue relying on constant folding phase
164         https://bugs.webkit.org/show_bug.cgi?id=195375
165
166         Reviewed by Saam Barati.
167
168         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
169         (let.array):
170
171 2019-03-05  Saam barati  <sbarati@apple.com>
172
173         op_switch_char broken for rope strings after JSRopeString layout rewrite
174         https://bugs.webkit.org/show_bug.cgi?id=195339
175         <rdar://problem/48592545>
176
177         Reviewed by Yusuke Suzuki.
178
179         * stress/switch-on-char-llint-rope.js: Added.
180
181 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
182
183         [JSC] Store bits for JSRopeString in 3 stores
184         https://bugs.webkit.org/show_bug.cgi?id=195234
185
186         Reviewed by Saam Barati.
187
188         * stress/null-rope-and-collectors.js: Added.
189
190 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
191
192         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
193         https://bugs.webkit.org/show_bug.cgi?id=195207
194
195         Unreviewed. After test runtime was reduced in r242213, test can be
196         run again on ARM/MIPS.
197
198         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
199
200 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
201
202         [JSC] sizeof(JSString) should be 16
203         https://bugs.webkit.org/show_bug.cgi?id=194375
204
205         Reviewed by Saam Barati.
206
207         * microbenchmarks/make-rope.js: Added.
208         (makeRope):
209         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
210         (returnRope.helper): Deleted.
211         (returnRope): Deleted.
212
213 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
214
215         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
216         https://bugs.webkit.org/show_bug.cgi?id=195144
217
218         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
219         Change the number from 1e8 to 1e5.
220
221         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
222         (foo):
223
224 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
225
226         Test times out on ARM/MIPS
227         https://bugs.webkit.org/show_bug.cgi?id=195168
228
229         Unreviewed. Skip test on ARM/MIPS.
230
231         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
232
233 2019-02-27  Mark Lam  <mark.lam@apple.com>
234
235         The parser is failing to record the token location of new in new.target.
236         https://bugs.webkit.org/show_bug.cgi?id=195127
237         <rdar://problem/39645578>
238
239         Reviewed by Yusuke Suzuki.
240
241         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
242
243 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
244
245         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
246         https://bugs.webkit.org/show_bug.cgi?id=195144
247         <rdar://problem/47595961>
248
249         Reviewed by Mark Lam.
250
251         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
252         (bar):
253         (foo):
254         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
255         (bar):
256         (foo):
257
258 2019-02-27  Robin Morisset  <rmorisset@apple.com>
259
260         DFG: Loop-invariant code motion (LICM) should not hoist dead code
261         https://bugs.webkit.org/show_bug.cgi?id=194945
262         <rdar://problem/48311657>
263
264         Reviewed by Mark Lam.
265
266         * stress/licm-dead-code.js: Added.
267
268 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
269
270         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
271         https://bugs.webkit.org/show_bug.cgi?id=194677
272         <rdar://problem/48112492>
273
274         Reviewed by Mark Lam.
275
276         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
277         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
278         it immediately fails due the large size.
279
280         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
281         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
282         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
283         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
284
285         This patch changes the test to produce 16bit string from String.fromCharCode.
286
287         * stress/regress-178386.js:
288
289 2019-02-26  Mark Lam  <mark.lam@apple.com>
290
291         wasmToJS() should purify incoming NaNs.
292         https://bugs.webkit.org/show_bug.cgi?id=194807
293         <rdar://problem/48189132>
294
295         Reviewed by Saam Barati.
296
297         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
298
299 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
300
301         [JSC] Repeat string created from Array.prototype.join() take too much memory
302         https://bugs.webkit.org/show_bug.cgi?id=193912
303
304         Reviewed by Saam Barati.
305
306         Added a test and a microbenchmark for corner cases of
307         Array.prototype.join() with an uninitialized array.
308
309         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
310         * stress/array-prototype-join-uninitialized.js: Added.
311         (testArray):
312         (testABC):
313         (B):
314         (C):
315
316 2019-02-22  Robin Morisset  <rmorisset@apple.com>
317
318         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
319         https://bugs.webkit.org/show_bug.cgi?id=194953
320         <rdar://problem/47595253>
321
322         Reviewed by Saam Barati.
323
324         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
325
326         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
327
328 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
329
330         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
331         https://bugs.webkit.org/show_bug.cgi?id=172848
332         <rdar://problem/25709212>
333
334         Reviewed by Mark Lam.
335
336         * typeProfiler/inheritance.js:
337         Rewrite the test slightly for clarity. The hoisting was confusing.
338
339         * heapProfiler/class-names.js: Added.
340         (MyES5Class):
341         (MyES6Class):
342         (MyES6Subclass):
343         Test object types and improved class names.
344
345         * heapProfiler/driver/driver.js:
346         (CheapHeapSnapshotNode):
347         (CheapHeapSnapshot):
348         (createCheapHeapSnapshot):
349         (HeapSnapshot):
350         (createHeapSnapshot):
351         Update snapshot parsing from version 1 to version 2.
352
353 2019-02-19  Truitt Savell  <tsavell@apple.com>
354
355         Unreviewed, rolling out r241784.
356
357         Broke all OpenSource builds.
358
359         Reverted changeset:
360
361         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
362         instances view"
363         https://bugs.webkit.org/show_bug.cgi?id=172848
364         https://trac.webkit.org/changeset/241784
365
366 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
367
368         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
369         https://bugs.webkit.org/show_bug.cgi?id=172848
370         <rdar://problem/25709212>
371
372         Reviewed by Mark Lam.
373
374         * typeProfiler/inheritance.js:
375         Rewrite the test slightly for clarity. The hoisting was confusing.
376
377         * heapProfiler/class-names.js: Added.
378         (MyES5Class):
379         (MyES6Class):
380         (MyES6Subclass):
381         Test object types and improved class names.
382
383         * heapProfiler/driver/driver.js:
384         (CheapHeapSnapshotNode):
385         (CheapHeapSnapshot):
386         (createCheapHeapSnapshot):
387         (HeapSnapshot):
388         (createHeapSnapshot):
389         Update snapshot parsing from version 1 to version 2.
390
391 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
392
393         [ARM] Fix crash with sampling profiler
394         https://bugs.webkit.org/show_bug.cgi?id=194772
395
396         Reviewed by Mark Lam.
397
398         Do not skip test since crash with sampling profiler is now fixed.
399
400         * stress/sampling-profiler-richards.js:
401
402 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
403
404         [JSC] Add LazyClassStructure::getInitializedOnMainThread
405         https://bugs.webkit.org/show_bug.cgi?id=194784
406         <rdar://problem/48154820>
407
408         Reviewed by Mark Lam.
409
410         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
411         (getProperties):
412         (getRandomProperty):
413         (i.catch):
414
415 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
416
417         [ARM] Test gardening: Test running out of executable memory
418         https://bugs.webkit.org/show_bug.cgi?id=194771
419
420         Unreviewed. Do not run test without LLInt, test is running out of executable
421         memory on ARM otherwise.
422
423         * stress/tagged-template-object-collect.js:
424
425 2019-02-18  Tomas Popela  <tpopela@redhat.com>
426
427         Unreviewed, skip the test on platforms without sampling profiler
428
429         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
430         (platformSupportsSamplingProfiler.foo):
431         (platformSupportsSamplingProfiler.test):
432         (platformSupportsSamplingProfiler):
433         (foo): Deleted.
434         (test): Deleted.
435
436 2019-02-17  Saam Barati  <sbarati@apple.com>
437
438         Deadlock when adding a Structure property transition and then doing incremental marking
439         https://bugs.webkit.org/show_bug.cgi?id=194767
440
441         Reviewed by Mark Lam.
442
443         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
444
445 2019-02-15  Michael Saboff  <msaboff@apple.com>
446
447         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
448         https://bugs.webkit.org/show_bug.cgi?id=194558
449
450         Reviewed by Saam Barati.
451
452         New regression test.
453
454         * stress/regexp-unicode-within-string.js: Added.
455
456 2019-02-15  Mark Lam  <mark.lam@apple.com>
457
458         SamplingProfiler::stackTracesAsJSON() should escape strings.
459         https://bugs.webkit.org/show_bug.cgi?id=194649
460         <rdar://problem/48072386>
461
462         Reviewed by Saam Barati.
463
464         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
465         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
466         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
467         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
468
469 2019-02-15  Robin Morisset  <rmorisset@apple.com>
470         CodeBlock::jettison should clear related watchpoints
471         https://bugs.webkit.org/show_bug.cgi?id=194544
472
473         Reviewed by Mark Lam.
474
475         * stress/regexp-replace-double-watchpoint.js: Added.
476         (foo):
477
478 2019-02-15  Saam barati  <sbarati@apple.com>
479
480         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
481         https://bugs.webkit.org/show_bug.cgi?id=194036
482
483         Reviewed by Yusuke Suzuki.
484
485         * stress/tail-call-many-arguments.js: Added.
486         (foo):
487         (bar):
488
489 2019-02-14  Saam Barati  <sbarati@apple.com>
490
491         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
492         https://bugs.webkit.org/show_bug.cgi?id=194583
493         <rdar://problem/48028140>
494
495         Reviewed by Yusuke Suzuki.
496
497         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
498
499 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
500
501         [JSC] String.fromCharCode's slow path always generates 16bit string
502         https://bugs.webkit.org/show_bug.cgi?id=194466
503
504         Reviewed by Keith Miller.
505
506         * stress/string-from-char-code-slow-path.js: Added.
507         (shouldBe):
508         (testWithLength):
509
510 2019-02-08  Saam barati  <sbarati@apple.com>
511
512         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
513         https://bugs.webkit.org/show_bug.cgi?id=194334
514         <rdar://problem/47844327>
515
516         Reviewed by Mark Lam.
517
518         * stress/check-in-bounds-should-be-a-child-use.js: Added.
519         (func):
520
521 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
522
523         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
524         https://bugs.webkit.org/show_bug.cgi?id=194369
525         <rdar://problem/47813087>
526
527         Reviewed by Saam Barati.
528
529         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
530         (A):
531
532 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
533
534         [JSC] PrivateName to PublicName hash table is wasteful
535         https://bugs.webkit.org/show_bug.cgi?id=194277
536
537         Reviewed by Michael Saboff.
538
539         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
540
541         * ChakraCore.yaml:
542
543 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
544
545         [ARM] Test running out of executable memory
546         https://bugs.webkit.org/show_bug.cgi?id=194285
547
548         Unreviewed. Do no execute test with LLInt disabled, test runs out of
549         executable memory otherwise.
550
551         * stress/class-subclassing-function.js:
552
553 2019-02-04  Robin Morisset  <rmorisset@apple.com>
554
555         when lowering AssertNotEmpty, create the value before creating the patchpoint
556         https://bugs.webkit.org/show_bug.cgi?id=194231
557
558         Reviewed by Saam Barati.
559
560         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
561         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
562         So even tiny changes to this test can change the path code taken.
563
564         * stress/assert-not-empty.js: Added.
565         (foo):
566
567 2019-02-01  Mark Lam  <mark.lam@apple.com>
568
569         Remove invalid assertion in DFG's compileDoubleRep().
570         https://bugs.webkit.org/show_bug.cgi?id=194130
571         <rdar://problem/47699474>
572
573         Reviewed by Saam Barati.
574
575         * stress/constant-fold-double-rep-into-double-constant.js: Added.
576
577 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
578
579         Import latest Test262 updates.
580
581         Rubber-stamped by Keith Miller.
582
583         * test262.yaml: Deleted.
584         * test262/config.yaml:
585         * test262/expectations.yaml:
586         * test262/latest-changes-summary.txt:
587         * test262/test/:
588         * test262/test262-Revision.txt:
589
590 2019-01-30  Robin Morisset  <rmorisset@apple.com>
591
592         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
593         https://bugs.webkit.org/show_bug.cgi?id=194050
594         <rdar://problem/47595592>
595
596         Reviewed by Yusuke Suzuki.
597
598         * stress/object-keys-osr-exit.js: Added.
599         (foo):
600         (catch):
601
602 2019-01-29  Mark Lam  <mark.lam@apple.com>
603
604         ValueRecovery::recover() should purify NaN values it recovers.
605         https://bugs.webkit.org/show_bug.cgi?id=193978
606         <rdar://problem/47625488>
607
608         Reviewed by Saam Barati.
609
610         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
611
612 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
613
614         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
615         https://bugs.webkit.org/show_bug.cgi?id=193713
616
617         * stress/try-get-by-id-should-spill-registers-dfg.js:
618         (let.f.createBuiltin):
619
620 2019-01-28  Mark Lam  <mark.lam@apple.com>
621
622         ToString node actually does GC.
623         https://bugs.webkit.org/show_bug.cgi?id=193920
624         <rdar://problem/46695900>
625
626         Reviewed by Yusuke Suzuki.
627
628         * stress/dfg-to-string-on-int-does-gc.js: Added.
629         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
630         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
631
632 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
633
634         [JSC] NativeErrorConstructor should not have own IsoSubspace
635         https://bugs.webkit.org/show_bug.cgi?id=193713
636
637         Reviewed by Saam Barati.
638
639         Remove @Error use.
640
641         * stress/try-get-by-id-should-spill-registers-dfg.js:
642         (let.f.createBuiltin):
643
644 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
645
646         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
647         https://bugs.webkit.org/show_bug.cgi?id=190693
648
649         Reviewed by Michael Saboff.
650
651         * stress/regress-190693.js: Added.
652         (truth):
653         (assert):
654         (shouldThrowInvalidConstAssignment):
655         (taz):
656
657 2019-01-24  Saam Barati  <sbarati@apple.com>
658
659         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
660         https://bugs.webkit.org/show_bug.cgi?id=193751
661         <rdar://problem/47280215>
662
663         Reviewed by Michael Saboff.
664
665         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
666         (let.thing):
667         (foo.let.hello):
668         (foo):
669
670 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
671
672         [JSC] Reenable baseline JIT on mips
673         https://bugs.webkit.org/show_bug.cgi?id=192983
674
675         Reviewed by Mark Lam.
676
677         Added a new test for a case that was triggering a RELEASE_ASSERT when
678         testing.
679         Disable some slow tests that were already disabled for arm and x86.
680
681         * stress/json-parse-big-object.js: Added.
682         * stress/new-largeish-contiguous-array-with-size.js:
683         * stress/op_add.js:
684         * stress/op_bitand.js:
685         * stress/op_bitor.js:
686         * stress/op_bitxor.js:
687         * stress/op_lshift-ConstVar.js:
688         * stress/op_lshift-VarConst.js:
689         * stress/op_lshift-VarVar.js:
690         * stress/op_mod-ConstVar.js:
691         * stress/op_mod-VarConst.js:
692         * stress/op_mod-VarVar.js:
693         * stress/op_mul-ConstVar.js:
694         * stress/op_mul-VarConst.js:
695         * stress/op_mul-VarVar.js:
696         * stress/op_rshift-ConstVar.js:
697         * stress/op_rshift-VarConst.js:
698         * stress/op_rshift-VarVar.js:
699         * stress/op_sub-ConstVar.js:
700         * stress/op_sub-VarConst.js:
701         * stress/op_sub-VarVar.js:
702         * stress/op_urshift-ConstVar.js:
703         * stress/op_urshift-VarConst.js:
704         * stress/op_urshift-VarVar.js:
705         * stress/sampling-profiler-richards.js:
706         * stress/spread-forward-call-varargs-stack-overflow.js:
707
708 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
709
710         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
711         https://bugs.webkit.org/show_bug.cgi?id=193711
712         <rdar://problem/47250262>
713
714         Reviewed by Saam Barati.
715
716         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
717         (shouldBe):
718         (foo):
719         (bar):
720         (baz):
721
722 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
723
724         Unreviewed, fix initial global lexical binding epoch
725         https://bugs.webkit.org/show_bug.cgi?id=193603
726         <rdar://problem/47380869>
727
728         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
729         (f1.f2.f3.f4):
730         (f1.f2.f3):
731         (f1.f2):
732         (f1):
733
734 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
735
736         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
737         https://bugs.webkit.org/show_bug.cgi?id=193709
738         <rdar://problem/47363838>
739
740         Unreviewed, rollout to watch the tests.
741
742         * stress/object-tostring-changed-proto.js: Removed.
743         * stress/object-tostring-changed.js: Removed.
744         * stress/object-tostring-misc.js: Removed.
745         * stress/object-tostring-other.js: Removed.
746         * stress/object-tostring-untyped.js: Removed.
747
748 2019-01-22  Saam Barati  <sbarati@apple.com>
749
750         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
751
752         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
753         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
754         (testUncheckedLessThanZero):
755         (testUncheckedLessThanOrEqualZero):
756         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
757         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
758
759 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
760
761         [JSC] Invalidate old scope operations using global lexical binding epoch
762         https://bugs.webkit.org/show_bug.cgi?id=193603
763         <rdar://problem/47380869>
764
765         Reviewed by Saam Barati.
766
767         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
768         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
769         (shouldThrow):
770         (bar):
771         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
772         (shouldBe):
773         (get1):
774         (get2):
775         (get1If):
776         (get2If):
777         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
778         (shouldThrow):
779         (foo):
780
781 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
782
783         Unreviewed, roll out r240220 due to date-format-xparb regression
784         https://bugs.webkit.org/show_bug.cgi?id=193603
785
786         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
787         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
788         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
789         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
790
791 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
792
793         DoesGC rule is wrong for nodes with BigIntUse
794         https://bugs.webkit.org/show_bug.cgi?id=193652
795
796         Reviewed by Saam Barati.
797
798         * stress/big-int-value-op-update-gc-rules.js: Added.
799         (assert):
800         (doesGCAdd):
801         (doesGCSub):
802         (doesGCDiv):
803         (doesGCMul):
804         (doesGCBitAnd):
805         (doesGCBitOr):
806         (doesGCBitXor):
807
808 2019-01-20  Saam Barati  <sbarati@apple.com>
809
810         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
811         https://bugs.webkit.org/show_bug.cgi?id=193644
812         <rdar://problem/46209745>
813
814         Reviewed by Yusuke Suzuki.
815
816         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
817         (foo):
818         * stress/data-view-set-intrinsic-undefined-result.js: Added.
819         (foo):
820         (bar):
821
822 2019-01-20  Saam Barati  <sbarati@apple.com>
823
824         MovHint must merge NodeBytecodeUsesAsValue for its child
825         https://bugs.webkit.org/show_bug.cgi?id=186916
826         <rdar://problem/41396612>
827
828         Reviewed by Yusuke Suzuki.
829
830         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
831         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
832
833 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
834
835         [JSC] Invalidate old scope operations using global lexical binding epoch
836         https://bugs.webkit.org/show_bug.cgi?id=193603
837         <rdar://problem/47380869>
838
839         Reviewed by Saam Barati.
840
841         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
842         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
843         (shouldThrow):
844         (bar):
845         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
846         (shouldBe):
847         (get1):
848         (get2):
849         (get1If):
850         (get2If):
851         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
852         (shouldThrow):
853         (foo):
854
855 2019-01-17  Saam barati  <sbarati@apple.com>
856
857         StringObjectUse should not be a structure check for the original string object structure
858         https://bugs.webkit.org/show_bug.cgi?id=193483
859         <rdar://problem/47280522>
860
861         Reviewed by Yusuke Suzuki.
862
863         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
864         (foo):
865         (a.valueOf.0):
866
867 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
868
869         [JSC] ToThis omission in DFGByteCodeParser is wrong
870         https://bugs.webkit.org/show_bug.cgi?id=193513
871         <rdar://problem/45842236>
872
873         Reviewed by Saam Barati.
874
875         * stress/to-this-omission-with-different-strict-modes.js: Added.
876         (thisA):
877         (thisAStrictWrapper):
878
879 2019-01-15  Mark Lam  <mark.lam@apple.com>
880
881         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
882         https://bugs.webkit.org/show_bug.cgi?id=193423
883         <rdar://problem/46209355>
884
885         Reviewed by Saam Barati.
886
887         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
888         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
889         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
890         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
891
892 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
893
894         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
895         https://bugs.webkit.org/show_bug.cgi?id=193438
896         <rdar://problem/45581249>
897
898         Reviewed by Saam Barati and Keith Miller.
899
900         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
901         Then, GetByVal(String) crashed.
902
903         * stress/string-get-by-val-lowering.js: Added.
904         (shouldBe):
905         (test):
906         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
907         (Hello):
908         (foo):
909
910 2019-01-15  Tomas Popela  <tpopela@redhat.com>
911
912         Unreviewed, skip JIT tests if it's not enabled
913
914         * stress/bit-op-with-object-returning-int32.js:
915
916 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
917
918         DFGByteCodeParser rules for bitwise operations should consider type of their operands
919         https://bugs.webkit.org/show_bug.cgi?id=192966
920
921         Reviewed by Yusuke Suzuki.
922
923         * stress/bit-op-with-object-returning-int32.js: Added.
924
925 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
926
927         Skip a slow test and a flakey test on arm
928
929         Unreviewed gardening.
930
931         * typeProfiler/getter-richards.js:
932         this test always times out, it used to be always skipped on arm and
933         mips, but got accidentally enabled by r237919 now that we have DFG on
934         arm. Also skipping on mips as we plan to soon enable DFG for it too.
935
936 2019-01-14  Keith Miller  <keith_miller@apple.com>
937
938         Skip type-check-hoisting-phase-hoist... with no jit
939         https://bugs.webkit.org/show_bug.cgi?id=193421
940
941         Reviewed by Mark Lam.
942
943         It's timing out the 32-bit bots and takes 330 seconds
944         on my machine when run by itself.
945
946         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
947
948 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
949
950         [JSC] AI should check the given constant's array type when folding GetByVal into constant
951         https://bugs.webkit.org/show_bug.cgi?id=193413
952         <rdar://problem/46092389>
953
954         Reviewed by Keith Miller.
955
956         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
957         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
958         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
959         but GetByVal does not have appropriate ArrayModes, JSC crashes.
960
961         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
962         (compareArray):
963
964 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
965
966         [BigInt] Literal parsing is crashing when used inside a Object Literal
967         https://bugs.webkit.org/show_bug.cgi?id=193404
968
969         Reviewed by Yusuke Suzuki.
970
971         * stress/big-int-literal-inside-literal-object.js: Added.
972
973 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
974
975         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
976         https://bugs.webkit.org/show_bug.cgi?id=193372
977
978         Reviewed by Saam Barati.
979
980         * stress/typed-array-array-modes-profile.js: Added.
981         (foo):
982
983 2019-01-14  Mark Lam  <mark.lam@apple.com>
984
985         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
986         https://bugs.webkit.org/show_bug.cgi?id=193402
987         <rdar://problem/46012309>
988
989         Reviewed by Keith Miller.
990
991         * stress/regexp-compile-oom.js:
992         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
993           is enabled.  As a result, it will fail on cloop builds though there is no bug.
994
995 2019-01-11  Saam barati  <sbarati@apple.com>
996
997         DFG combined liveness can be wrong for terminal basic blocks
998         https://bugs.webkit.org/show_bug.cgi?id=193304
999         <rdar://problem/45268632>
1000
1001         Reviewed by Yusuke Suzuki.
1002
1003         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1004
1005 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1006
1007         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1008         https://bugs.webkit.org/show_bug.cgi?id=193308
1009         <rdar://problem/45546542>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1014         (shouldThrow):
1015         (shouldBe):
1016         (foo):
1017         (get shouldThrow):
1018         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1019         (shouldThrow):
1020         (shouldBe):
1021         (foo):
1022         (get shouldBe):
1023         (get shouldThrow):
1024         (get return):
1025         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1026         (shouldThrow):
1027         (shouldBe):
1028         (foo):
1029         (get shouldBe):
1030         (get shouldThrow):
1031         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1032         (shouldThrow):
1033         (shouldBe):
1034         (foo):
1035         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1036         (shouldThrow):
1037         (shouldBe):
1038         (foo):
1039         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1040         (shouldThrow):
1041         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1042         (shouldThrow):
1043         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1044         (shouldThrow):
1045         (shouldBe):
1046         (foo):
1047         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1048         (shouldThrow):
1049         (shouldBe):
1050         (foo):
1051         (get shouldBe):
1052         (get shouldThrow):
1053         (get return):
1054         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1055         (shouldThrow):
1056         (shouldBe):
1057         (foo):
1058         (get shouldBe):
1059         (get shouldThrow):
1060         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1061         (shouldThrow):
1062         (shouldBe):
1063         (foo):
1064         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1065         (shouldThrow):
1066         (shouldBe):
1067         (foo):
1068
1069 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1070
1071         Enable DFG on ARM/Linux again
1072         https://bugs.webkit.org/show_bug.cgi?id=192496
1073
1074         Reviewed by Yusuke Suzuki.
1075
1076         Test wasn't really skipped before moving the line with skip
1077         to the top.
1078
1079         * stress/regress-192717.js:
1080
1081 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1082
1083         Unreviewed, rolling out r239825.
1084         https://bugs.webkit.org/show_bug.cgi?id=193330
1085
1086         Broke tests on armv7/linux bots (Requested by guijemont on
1087         #webkit).
1088
1089         Reverted changeset:
1090
1091         "Enable DFG on ARM/Linux again"
1092         https://bugs.webkit.org/show_bug.cgi?id=192496
1093         https://trac.webkit.org/changeset/239825
1094
1095 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1096
1097         Enable DFG on ARM/Linux again
1098         https://bugs.webkit.org/show_bug.cgi?id=192496
1099
1100         Reviewed by Yusuke Suzuki.
1101
1102         Test wasn't really skipped before moving the line with skip
1103         to the top.
1104
1105         * stress/regress-192717.js:
1106
1107 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1108
1109         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1110         https://bugs.webkit.org/show_bug.cgi?id=193127
1111
1112         Reviewed by Saam Barati.
1113
1114         * stress/array-species-create-should-handle-masquerader.js: Added.
1115         (shouldThrow):
1116         * stress/is-undefined-or-null-builtin.js: Added.
1117         (shouldBe):
1118         (isUndefinedOrNull.vm.createBuiltin):
1119
1120 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1121
1122         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1123         https://bugs.webkit.org/show_bug.cgi?id=193221
1124
1125         Reviewed by Mark Lam.
1126
1127         * stress/put-by-id-flags.js: Added.
1128         (f):
1129         (g):
1130         (numberOfDFGCompiles):
1131
1132 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1133
1134         Baseline version of get_by_id may corrupt metadata
1135         https://bugs.webkit.org/show_bug.cgi?id=193085
1136         <rdar://problem/23453006>
1137
1138         Reviewed by Saam Barati.
1139
1140         * stress/get-by-id-change-mode.js: Added.
1141         (forEach):
1142
1143 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1144
1145         [JSC] Optimize Object.prototype.toString
1146         https://bugs.webkit.org/show_bug.cgi?id=193031
1147
1148         Reviewed by Saam Barati.
1149
1150         * stress/object-tostring-changed-proto.js: Added.
1151         (shouldBe):
1152         (test):
1153         * stress/object-tostring-changed.js: Added.
1154         (shouldBe):
1155         (test):
1156         * stress/object-tostring-misc.js: Added.
1157         (shouldBe):
1158         (test):
1159         (i.switch):
1160         * stress/object-tostring-other.js: Added.
1161         (shouldBe):
1162         (test):
1163         * stress/object-tostring-untyped.js: Added.
1164         (shouldBe):
1165         (test):
1166         (i.switch):
1167
1168 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1169
1170         test262-runner misbehaves when test file YAML has a trailing space
1171         https://bugs.webkit.org/show_bug.cgi?id=193053
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * test262/expectations.yaml:
1176         Mark two dozen tests as passing (and correct the output of another).
1177
1178 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1179
1180         Unreviewed, JSTests gardening with memoryLimited
1181
1182         * stress/string-overflow-createError.js:
1183
1184 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1185
1186         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1187         https://bugs.webkit.org/show_bug.cgi?id=193050
1188
1189         Reviewed by Yusuke Suzuki.
1190
1191         * test262.yaml:
1192         * test262/expectations.yaml:
1193         Mark 16 tests as passing.
1194
1195 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1196
1197         [BigInt] Support BigInt in JSON.stringify
1198         https://bugs.webkit.org/show_bug.cgi?id=192624
1199
1200         Reviewed by Saam Barati.
1201
1202         * stress/big-int-json-stringify-to-json.js: Added.
1203         (shouldBe):
1204         (shouldThrow):
1205         (BigInt.prototype.toJSON):
1206         (shouldBe.JSON.stringify):
1207         * stress/big-int-json-stringify.js: Added.
1208         (shouldBe):
1209         (shouldThrow):
1210
1211 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1212
1213         [JSC] Implement "well-formed JSON.stringify" proposal
1214         https://bugs.webkit.org/show_bug.cgi?id=191677
1215
1216         Reviewed by Darin Adler.
1217
1218         * stress/json-surrogate-pair.js: Added.
1219         (shouldBe):
1220         * test262/expectations.yaml:
1221
1222 2018-12-20  Keith Miller  <keith_miller@apple.com>
1223
1224         Add support for globalThis
1225         https://bugs.webkit.org/show_bug.cgi?id=165171
1226
1227         Reviewed by Mark Lam.
1228
1229         * test262/config.yaml:
1230
1231 2018-12-19  Keith Miller  <keith_miller@apple.com>
1232
1233         Update test262 configuration to not run tests dependent on ICU version.
1234         https://bugs.webkit.org/show_bug.cgi?id=192920
1235
1236         Reviewed by Saam Barati.
1237
1238         * test262/expectations.yaml:
1239
1240 2018-12-20  Mark Lam  <mark.lam@apple.com>
1241
1242         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1243         https://bugs.webkit.org/show_bug.cgi?id=192939
1244         <rdar://problem/46869516>
1245
1246         Reviewed by Keith Miller.
1247
1248         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1249
1250 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1251
1252         WTF::String and StringImpl overflow MaxLength
1253         https://bugs.webkit.org/show_bug.cgi?id=192853
1254         <rdar://problem/45726906>
1255
1256         Reviewed by Mark Lam.
1257
1258         * stress/string-16bit-repeat-overflow.js: Added.
1259         (catch):
1260
1261 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1262
1263         Unreviewed follow-up to r192914.
1264
1265         * test262/expectations.yaml:
1266         Add the last 20 missing expectations.
1267
1268 2018-12-19  Keith Miller  <keith_miller@apple.com>
1269
1270         Fix test262 expectations
1271         https://bugs.webkit.org/show_bug.cgi?id=192914
1272
1273         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1274
1275         * test262/expectations.yaml:
1276
1277 2018-12-19  Keith Miller  <keith_miller@apple.com>
1278
1279         Update test262 tests.
1280         https://bugs.webkit.org/show_bug.cgi?id=192907
1281
1282         Rubber stamped by Mark Lam.
1283
1284         * test262/*: Omitted because prepare-changelog crashes.
1285
1286 2018-12-19  Mark Lam  <mark.lam@apple.com>
1287
1288         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1289         https://bugs.webkit.org/show_bug.cgi?id=192464
1290         <rdar://problem/46519455>
1291
1292         Reviewed by Saam Barati.
1293
1294         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1295         microbenchmark.
1296
1297         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1298         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1299
1300 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1301
1302         String overflow in JSC::createError results in ASSERT in WTF::makeString
1303         https://bugs.webkit.org/show_bug.cgi?id=192833
1304         <rdar://problem/45706868>
1305
1306         Reviewed by Mark Lam.
1307
1308         * stress/string-overflow-createError.js: Added.
1309
1310 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1311
1312         Error message for `-x ** y` contains a typo.
1313         https://bugs.webkit.org/show_bug.cgi?id=192832
1314
1315         Reviewed by Saam Barati.
1316
1317         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1318         (assert.assert.return.throws):
1319         * stress/pow-expects-update-expression-on-lhs.js:
1320         (throw.new.Error):
1321         Update test expectations which match against the exact error message.
1322
1323 2018-12-18  Mark Lam  <mark.lam@apple.com>
1324
1325         Gardening: test options fix.
1326         https://bugs.webkit.org/show_bug.cgi?id=192822
1327
1328         Unreviewed.
1329
1330         * stress/json-stringify-string-builder-overflow.js:
1331
1332 2018-12-18  Mark Lam  <mark.lam@apple.com>
1333
1334         JSON.stringify() should throw OOM on StringBuilder overflows.
1335         https://bugs.webkit.org/show_bug.cgi?id=192822
1336         <rdar://problem/46670577>
1337
1338         Reviewed by Saam Barati.
1339
1340         * stress/json-stringify-string-builder-overflow.js: Added.
1341
1342 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1343
1344         Redeclaration of var over let/const/class should be a syntax error.
1345         https://bugs.webkit.org/show_bug.cgi?id=192298
1346
1347         Reviewed by Keith Miller.
1348
1349         * test262.yaml:
1350         * test262/expectations.yaml:
1351         Mark 46 tests as passing.
1352
1353         * stress/block-scope-redeclarations.js:
1354         Add some new tests.
1355
1356         * stress/for-in-invalidate-context-weird-assignments.js:
1357         * stress/for-in-tests.js:
1358         Replace tests for outdated behavior with tests for SyntaxError.
1359
1360         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1361         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1362         Update expectations.
1363
1364 2018-12-18  Mark Lam  <mark.lam@apple.com>
1365
1366         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1367         https://bugs.webkit.org/show_bug.cgi?id=191374
1368         <rdar://problem/46525447>
1369
1370         Reviewed by Yusuke Suzuki.
1371
1372         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1373
1374         * stress/elidable-new-object-roflcopter-then-exit.js:
1375
1376 2018-12-17  Mark Lam  <mark.lam@apple.com>
1377
1378         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1379         https://bugs.webkit.org/show_bug.cgi?id=192019
1380         <rdar://problem/46525456>
1381
1382         Reviewed by Yusuke Suzuki.
1383
1384         The test runs too slow on 32-bit.
1385
1386         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1387
1388 2018-12-17  Mark Lam  <mark.lam@apple.com>
1389
1390         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1391         https://bugs.webkit.org/show_bug.cgi?id=191373
1392         <rdar://problem/46525458>
1393
1394         Reviewed by Yusuke Suzuki.
1395
1396         The test is already slow running with a JIT on 64-bit.  It will always timeout
1397         on 32-bit without a JIT.
1398
1399         * stress/materialize-regexp-cyclic-regexp.js:
1400
1401 2018-12-17  Mark Lam  <mark.lam@apple.com>
1402
1403         Array unshift/shift should not race against the AI in the compiler thread.
1404         https://bugs.webkit.org/show_bug.cgi?id=192795
1405         <rdar://problem/46724263>
1406
1407         Reviewed by Saam Barati.
1408
1409         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1410
1411 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1412
1413         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1414         https://bugs.webkit.org/show_bug.cgi?id=190047
1415
1416         Reviewed by Saam Barati.
1417
1418         * stress/object-keys-cached-zero.js: Added.
1419         (shouldBe):
1420         (test):
1421         * stress/object-keys-changed-attribute.js: Added.
1422         (shouldBe):
1423         (test):
1424         * stress/object-keys-changed-index.js: Added.
1425         (shouldBe):
1426         (test):
1427         * stress/object-keys-changed.js: Added.
1428         (shouldBe):
1429         (test):
1430         * stress/object-keys-indexed-non-cache.js: Added.
1431         (shouldBe):
1432         (test):
1433         * stress/object-keys-overrides-get-property-names.js: Added.
1434         (shouldBe):
1435         (test):
1436         (noInline):
1437
1438 2018-12-17  Mark Lam  <mark.lam@apple.com>
1439
1440         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1441         https://bugs.webkit.org/show_bug.cgi?id=192779
1442         <rdar://problem/46775869>
1443
1444         Reviewed by Saam Barati.
1445
1446         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1447
1448 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1449
1450         Unreviewed test gardening, address a syntax error in a new test.
1451
1452         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1453
1454 2018-12-17  Mark Lam  <mark.lam@apple.com>
1455
1456         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1457         https://bugs.webkit.org/show_bug.cgi?id=192776
1458         <rdar://problem/46772368>
1459
1460         Reviewed by Keith Miller.
1461
1462         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1463
1464 2018-12-17  Mark Lam  <mark.lam@apple.com>
1465
1466         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1467         https://bugs.webkit.org/show_bug.cgi?id=192770
1468         <rdar://problem/46449037>
1469
1470         Reviewed by Keith Miller.
1471
1472         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1473
1474 2018-12-14  Mark Lam  <mark.lam@apple.com>
1475
1476         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1477         https://bugs.webkit.org/show_bug.cgi?id=192717
1478         <rdar://problem/46660677>
1479
1480         Reviewed by Saam Barati.
1481
1482         * stress/regress-192717.js: Added.
1483
1484 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1485
1486         Unreviewed, rolling out r239153, r239154, and r239155.
1487         https://bugs.webkit.org/show_bug.cgi?id=192715
1488
1489         Caused flaky GC-related crashes seen with layout tests
1490         (Requested by ryanhaddad on #webkit).
1491
1492         Reverted changesets:
1493
1494         "[JSC] Optimize Object.keys by caching own keys results in
1495         StructureRareData"
1496         https://bugs.webkit.org/show_bug.cgi?id=190047
1497         https://trac.webkit.org/changeset/239153
1498
1499         "Unreviewed, build fix after r239153"
1500         https://bugs.webkit.org/show_bug.cgi?id=190047
1501         https://trac.webkit.org/changeset/239154
1502
1503         "Unreviewed, build fix after r239153, part 2"
1504         https://bugs.webkit.org/show_bug.cgi?id=190047
1505         https://trac.webkit.org/changeset/239155
1506
1507 2018-12-14  Keith Miller  <keith_miller@apple.com>
1508
1509         Callers of JSString::getIndex should check for OOM exceptions
1510         https://bugs.webkit.org/show_bug.cgi?id=192709
1511
1512         Reviewed by Mark Lam.
1513
1514         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1515
1516 2018-12-13  Mark Lam  <mark.lam@apple.com>
1517
1518         Add a missing exception check.
1519         https://bugs.webkit.org/show_bug.cgi?id=192626
1520         <rdar://problem/46662163>
1521
1522         Reviewed by Keith Miller.
1523
1524         * stress/regress-192626.js: Added.
1525
1526 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1527
1528         [BigInt] Add ValueDiv into DFG
1529         https://bugs.webkit.org/show_bug.cgi?id=186178
1530
1531         Reviewed by Yusuke Suzuki.
1532
1533         * stress/big-int-div-jit-osr.js: Added.
1534         * stress/big-int-div-jit-untyped.js: Added.
1535         * stress/value-div-fixup-int32-big-int.js: Added.
1536
1537 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1538
1539         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1540         https://bugs.webkit.org/show_bug.cgi?id=190047
1541
1542         Reviewed by Keith Miller.
1543
1544         * stress/object-keys-cached-zero.js: Added.
1545         (shouldBe):
1546         (test):
1547         * stress/object-keys-changed-attribute.js: Added.
1548         (shouldBe):
1549         (test):
1550         * stress/object-keys-changed-index.js: Added.
1551         (shouldBe):
1552         (test):
1553         * stress/object-keys-changed.js: Added.
1554         (shouldBe):
1555         (test):
1556         * stress/object-keys-indexed-non-cache.js: Added.
1557         (shouldBe):
1558         (test):
1559         * stress/object-keys-overrides-get-property-names.js: Added.
1560         (shouldBe):
1561         (test):
1562         (noInline):
1563
1564 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1565
1566         [DFG][FTL] Add NewSymbol
1567         https://bugs.webkit.org/show_bug.cgi?id=192620
1568
1569         Reviewed by Saam Barati.
1570
1571         * microbenchmarks/symbol-creation.js: Added.
1572         (test):
1573         * stress/symbol-description-identity.js: Added.
1574         (shouldBe):
1575         (test):
1576         * stress/symbol-identity.js: Added.
1577         (shouldBe):
1578         (test):
1579         * stress/symbol-with-description-throw-error.js: Added.
1580         (shouldBe):
1581         (shouldThrow):
1582         (test):
1583         (object.toString):
1584
1585 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1586
1587         [BigInt] Implement DFG/FTL typeof for BigInt
1588         https://bugs.webkit.org/show_bug.cgi?id=192619
1589
1590         Reviewed by Keith Miller.
1591
1592         * stress/big-int-boolean-proven-type.js: Added.
1593         (assert):
1594         (bool):
1595         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1596         (assert):
1597         (typeOf):
1598         (i.switch):
1599         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1600         (assert):
1601         (typeOf):
1602         * stress/big-int-type-of.js:
1603         (typeOf):
1604         (func):
1605
1606 2018-12-10  Mark Lam  <mark.lam@apple.com>
1607
1608         PropertyAttribute needs a CustomValue bit.
1609         https://bugs.webkit.org/show_bug.cgi?id=191993
1610         <rdar://problem/46264467>
1611
1612         Reviewed by Saam Barati.
1613
1614         * stress/regress-191993.js: Added.
1615
1616 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1617
1618         [BigInt] Add ValueMul into DFG
1619         https://bugs.webkit.org/show_bug.cgi?id=186175
1620
1621         Reviewed by Yusuke Suzuki.
1622
1623         * stress/big-int-mul-jit-osr.js: Added.
1624         * stress/big-int-mul-jit-untyped.js: Added.
1625         * stress/value-mul-fixup-int32-big-int.js: Added.
1626
1627 2018-12-06  Keith Miller  <keith_miller@apple.com>
1628
1629         stress/big-wasm-memory tests failing on 32-bit JSC bot
1630         https://bugs.webkit.org/show_bug.cgi?id=192020
1631
1632         Reviewed by Saam Barati.
1633
1634         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1635         the wasm stress tests if the WebAssembly object does not exist.
1636
1637         * stress/big-wasm-memory-grow-no-max.js:
1638         (test.foo):
1639         (test):
1640         (foo): Deleted.
1641         (catch): Deleted.
1642         * stress/big-wasm-memory-grow.js:
1643         (test.foo):
1644         (test):
1645         (foo): Deleted.
1646         (catch): Deleted.
1647         * stress/big-wasm-memory.js:
1648         (test.foo):
1649         (test):
1650         (foo): Deleted.
1651         (catch): Deleted.
1652
1653 2018-12-05  Mark Lam  <mark.lam@apple.com>
1654
1655         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1656         https://bugs.webkit.org/show_bug.cgi?id=192441
1657         <rdar://problem/46480355>
1658
1659         Reviewed by Saam Barati.
1660
1661         * stress/regress-192441.js: Added.
1662
1663 2018-12-04  Mark Lam  <mark.lam@apple.com>
1664
1665         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1666         https://bugs.webkit.org/show_bug.cgi?id=192386
1667         <rdar://problem/46445516>
1668
1669         Reviewed by Saam Barati.
1670
1671         * stress/regress-192386.js: Added.
1672
1673 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1674
1675         [ESNext][BigInt] Support logic operations
1676         https://bugs.webkit.org/show_bug.cgi?id=179903
1677
1678         Reviewed by Yusuke Suzuki.
1679
1680         * stress/big-int-branch-usage.js: Added.
1681         * stress/big-int-logical-and.js: Added.
1682         * stress/big-int-logical-not.js: Added.
1683         * stress/big-int-logical-or.js: Added.
1684
1685 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1686
1687         Unreviewed, rolling out r238833.
1688
1689         Breaks macOS and iOS debug builds.
1690
1691         Reverted changeset:
1692
1693         "[ESNext][BigInt] Support logic operations"
1694         https://bugs.webkit.org/show_bug.cgi?id=179903
1695         https://trac.webkit.org/changeset/238833
1696
1697 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1698
1699         [ESNext][BigInt] Support logic operations
1700         https://bugs.webkit.org/show_bug.cgi?id=179903
1701
1702         Reviewed by Yusuke Suzuki.
1703
1704         * stress/big-int-branch-usage.js: Added.
1705         * stress/big-int-logical-and.js: Added.
1706         * stress/big-int-logical-not.js: Added.
1707         * stress/big-int-logical-or.js: Added.
1708
1709 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1710
1711         [ESNext][BigInt] Implement support for "<<" and ">>"
1712         https://bugs.webkit.org/show_bug.cgi?id=186233
1713
1714         Reviewed by Yusuke Suzuki.
1715
1716         * stress/big-int-left-shift-general.js: Added.
1717         * stress/big-int-left-shift-range-error.js: Added.
1718         * stress/big-int-left-shift-type-error.js: Added.
1719         * stress/big-int-left-shift-wrapped-value.js: Added.
1720         * stress/big-int-right-shift-general.js: Added.
1721         * stress/big-int-right-shift-type-error.js: Added.
1722         * stress/big-int-right-shift-wrapped-value.js: Added.
1723         * stress/left-shift-to-primitive-precedence.js: Added.
1724         * stress/right-shift-to-primitive-precedence.js: Added.
1725
1726 2018-11-30  Dean Jackson  <dino@apple.com>
1727
1728         Add first-class support for .mjs files in jsc binary
1729         https://bugs.webkit.org/show_bug.cgi?id=192190
1730         <rdar://problem/46375715>
1731
1732         Reviewed by Keith Miller.
1733
1734         * stress/simple-module.mjs: Added.
1735         * stress/simple-script.js: Added.
1736
1737 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1738
1739         [BigInt] Implement ValueBitXor into DFG
1740         https://bugs.webkit.org/show_bug.cgi?id=190264
1741
1742         Reviewed by Yusuke Suzuki.
1743
1744         * stress/big-int-bitwise-xor-jit.js: Added.
1745         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1746         * stress/big-int-bitwise-xor-untyped.js: Added.
1747
1748 2018-11-27  Saam barati  <sbarati@apple.com>
1749
1750         r238510 broke scopes of size zero
1751         https://bugs.webkit.org/show_bug.cgi?id=192033
1752         <rdar://problem/46281734>
1753
1754         Reviewed by Keith Miller.
1755
1756         * stress/r238510-bad-loop.js: Added.
1757         (foo):
1758
1759 2018-11-27  Mark Lam  <mark.lam@apple.com>
1760
1761         [Re-landing] NaNs read from Wasm code needs to be be purified.
1762         https://bugs.webkit.org/show_bug.cgi?id=191056
1763         <rdar://problem/45660341>
1764
1765         Reviewed by Filip Pizlo.
1766
1767         * wasm/regress/regress-191056.js: Added.
1768
1769 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1770
1771         Unreviewed, rolling out r238509.
1772
1773         Causes JSC tests to fail on iOS.
1774
1775         Reverted changeset:
1776
1777         "NaNs read from Wasm code needs to be be purified."
1778         https://bugs.webkit.org/show_bug.cgi?id=191056
1779         https://trac.webkit.org/changeset/238509
1780
1781 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1782
1783         Re-introduce op_bitnot
1784         https://bugs.webkit.org/show_bug.cgi?id=190923
1785
1786         Reviewed by Yusuke Suzuki.
1787
1788         * stress/bit-not-must-generate.js: Added.
1789         * stress/bitwise-not-no-int32.js: Added.
1790
1791 2018-11-26  Saam barati  <sbarati@apple.com>
1792
1793         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1794         https://bugs.webkit.org/show_bug.cgi?id=191956
1795         <rdar://problem/45665806>
1796
1797         Reviewed by Yusuke Suzuki.
1798
1799         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1800         (bar):
1801         (foo):
1802
1803 2018-11-26  Saam barati  <sbarati@apple.com>
1804
1805         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1806         https://bugs.webkit.org/show_bug.cgi?id=191958
1807         <rdar://problem/46221877>
1808
1809         Reviewed by Yusuke Suzuki.
1810
1811         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1812         (x):
1813         (foo):
1814
1815 2018-11-26  Mark Lam  <mark.lam@apple.com>
1816
1817         NaNs read from Wasm code needs to be be purified.
1818         https://bugs.webkit.org/show_bug.cgi?id=191056
1819         <rdar://problem/45660341>
1820
1821         Reviewed by Filip Pizlo.
1822
1823         * wasm/regress/regress-191056.js: Added.
1824
1825 2018-11-26  Michael Saboff  <msaboff@apple.com>
1826
1827         32-bit JSC test failure: stress/regexp-compile-oom.js
1828         https://bugs.webkit.org/show_bug.cgi?id=191375
1829
1830         Reviewed by Mark Lam.
1831
1832         Disabled the test for 32 bit platforms.
1833
1834         * stress/regexp-compile-oom.js:
1835
1836 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1837
1838         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1839         https://bugs.webkit.org/show_bug.cgi?id=191716
1840         <rdar://problem/45723878>
1841
1842         Reviewed by Saam Barati.
1843
1844         * stress/regress-187373.js: Added.
1845         (async.fn):
1846
1847 2018-11-21  Saam barati  <sbarati@apple.com>
1848
1849         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1850         https://bugs.webkit.org/show_bug.cgi?id=191897
1851         <rdar://problem/45871998>
1852
1853         Reviewed by Mark Lam.
1854
1855         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1856         (bar):
1857         (foo):
1858
1859 2018-11-21  Saam barati  <sbarati@apple.com>
1860
1861         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1862         https://bugs.webkit.org/show_bug.cgi?id=191895
1863         <rdar://problem/46167406>
1864
1865         Reviewed by Mark Lam.
1866
1867         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1868         (foo):
1869         (bar):
1870
1871 2018-11-21  Mark Lam  <mark.lam@apple.com>
1872
1873         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1874         https://bugs.webkit.org/show_bug.cgi?id=191776
1875         <rdar://problem/46152851>
1876
1877         Reviewed by Saam Barati.
1878
1879         * stress/big-wasm-memory-grow-no-max.js:
1880         * stress/big-wasm-memory-grow.js:
1881         * stress/big-wasm-memory.js:
1882         - updated these to expect an OutOfMemoryError.
1883
1884         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1885         (Binary.prototype.emit_u8):
1886         (Binary.prototype.emit_u32v):
1887         (Binary.prototype.emit_header):
1888         (Binary.prototype.emit_section):
1889         (Binary):
1890         (WasmModuleBuilder):
1891         (WasmModuleBuilder.prototype.addMemory):
1892         (WasmModuleBuilder.prototype.toArray):
1893         (WasmModuleBuilder.prototype.toBuffer):
1894         (WasmModuleBuilder.prototype.instantiate):
1895         (catch):
1896         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1897         (catch):
1898
1899 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1900
1901         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1902         https://bugs.webkit.org/show_bug.cgi?id=190836
1903
1904         Reviewed by Saam Barati and Yusuke Suzuki.
1905
1906         * stress/big-int-out-of-memory-tests.js: Added.
1907
1908 2018-11-20  Mark Lam  <mark.lam@apple.com>
1909
1910         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1911         https://bugs.webkit.org/show_bug.cgi?id=191856
1912         <rdar://problem/46089992>
1913
1914         Reviewed by Yusuke Suzuki.
1915
1916         * stress/regress-191856.js: Added.
1917         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1918
1919 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1920
1921         Enable JIT on ARM/Linux
1922         https://bugs.webkit.org/show_bug.cgi?id=191548
1923
1924         Reviewed by Yusuke Suzuki.
1925
1926         Disable test on system with limited memory. Program was killed by
1927         the OS before the exception was thrown.
1928
1929         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1930
1931 2018-11-20  Saam barati  <sbarati@apple.com>
1932
1933         Merging an IC variant may lead to the IC status containing overlapping structure sets
1934         https://bugs.webkit.org/show_bug.cgi?id=191869
1935         <rdar://problem/45403453>
1936
1937         Reviewed by Mark Lam.
1938
1939         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1940
1941 2018-11-19  Mark Lam  <mark.lam@apple.com>
1942
1943         globalFuncImportModule() should return a promise when it clears exceptions.
1944         https://bugs.webkit.org/show_bug.cgi?id=191792
1945         <rdar://problem/46090763>
1946
1947         Reviewed by Michael Saboff.
1948
1949         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1950
1951 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1952
1953         Skip new memory-hungry tests on memory limited devices
1954
1955         Unreviewed gardening.
1956
1957         * stress/big-wasm-memory-grow-no-max.js:
1958         * stress/big-wasm-memory-grow.js:
1959         * stress/big-wasm-memory.js:
1960
1961 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1962
1963         Unreviewed, rolling in the rest of r237254
1964         https://bugs.webkit.org/show_bug.cgi?id=190340
1965
1966         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1967         * stress/function-cache-with-parameters-end-position.js: Added.
1968         (shouldBe):
1969         (shouldThrow):
1970         (i.anonymous):
1971         * stress/function-constructor-name.js: Added.
1972         (shouldBe):
1973         (GeneratorFunction):
1974         (AsyncFunction.async):
1975         (AsyncGeneratorFunction.async):
1976         (anonymous):
1977         (async.anonymous):
1978         * test262/expectations.yaml:
1979
1980 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1981
1982         All users of ArrayBuffer should agree on the same max size
1983         https://bugs.webkit.org/show_bug.cgi?id=191771
1984
1985         Reviewed by Mark Lam.
1986
1987         * stress/big-wasm-memory-grow-no-max.js: Added.
1988         (foo):
1989         (catch):
1990         * stress/big-wasm-memory-grow.js: Added.
1991         (foo):
1992         (catch):
1993         * stress/big-wasm-memory.js: Added.
1994         (foo):
1995         (catch):
1996
1997 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1998
1999         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2000         run for each JSC config since they're regression tests for runtime bugs.
2001
2002         * stress/json-stringified-overflow-2.js:
2003         * stress/json-stringified-overflow.js:
2004
2005 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2006
2007         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2008         config since they're regression tests for runtime bugs.
2009
2010         * stress/large-unshift-splice.js:
2011         * stress/regress-185888.js:
2012
2013 2018-11-16  Saam Barati  <sbarati@apple.com>
2014
2015         KnownCellUse should also have SpecCellCheck as its type filter
2016         https://bugs.webkit.org/show_bug.cgi?id=191729
2017         <rdar://problem/45872852>
2018
2019         Reviewed by Filip Pizlo.
2020
2021         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2022         (C):
2023
2024 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2025
2026         Fix assertion failure on BytecodeGenerator::recordOpcode
2027         https://bugs.webkit.org/show_bug.cgi?id=191724
2028         <rdar://problem/45724395>
2029
2030         Reviewed by Saam Barati.
2031
2032         * stress/regress-187373-2.js: Added.
2033         (foo):
2034
2035 2018-11-15  Mark Lam  <mark.lam@apple.com>
2036
2037         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2038         https://bugs.webkit.org/show_bug.cgi?id=191730
2039         <rdar://problem/46048517>
2040
2041         Reviewed by Saam Barati.
2042
2043         * stress/regress-187006.js: Removed.
2044           - this test is invalid because its sole purpose is to test for the non-spec
2045             compliant behavior that we just fixed.
2046
2047         * stress/regress-191730.js: Added.
2048
2049 2018-11-15  Mark Lam  <mark.lam@apple.com>
2050
2051         RegExp operations should not take fast patch if lastIndex is not numeric.
2052         https://bugs.webkit.org/show_bug.cgi?id=191731
2053         <rdar://problem/46017305>
2054
2055         Reviewed by Saam Barati.
2056
2057         * stress/regress-191731.js: Added.
2058
2059 2018-11-13  Saam Barati  <sbarati@apple.com>
2060
2061         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2062         https://bugs.webkit.org/show_bug.cgi?id=191600
2063
2064         Reviewed by Mark Lam.
2065
2066         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2067         (foo):
2068         (test):
2069         (bar):
2070
2071 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2072
2073         Unreviewed, rolling out r238132.
2074
2075         The test added with this change is timing out on Debug JSC
2076         bots.
2077
2078         Reverted changeset:
2079
2080         "[BigInt] JSBigInt::createWithLength should throw when length
2081         is greater than JSBigInt::maxLength"
2082         https://bugs.webkit.org/show_bug.cgi?id=190836
2083         https://trac.webkit.org/changeset/238132
2084
2085 2018-11-13  Mark Lam  <mark.lam@apple.com>
2086
2087         Add OOM detection to StringPrototype's substituteBackreferences().
2088         https://bugs.webkit.org/show_bug.cgi?id=191563
2089         <rdar://problem/45720428>
2090
2091         Reviewed by Saam Barati.
2092
2093         * stress/regress-191563.js: Added.
2094
2095 2018-11-13  Mark Lam  <mark.lam@apple.com>
2096
2097         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2098         https://bugs.webkit.org/show_bug.cgi?id=191579
2099         <rdar://problem/45942472>
2100
2101         Reviewed by Saam Barati.
2102
2103         * stress/regress-191579.js: Added.
2104
2105 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2106
2107         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2108         https://bugs.webkit.org/show_bug.cgi?id=190836
2109
2110         Reviewed by Saam Barati.
2111
2112         * stress/big-int-out-of-memory-tests.js: Added.
2113
2114 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2115
2116         U+180E is no longer a whitespace character
2117         https://bugs.webkit.org/show_bug.cgi?id=191415
2118
2119         Reviewed by Saam Barati.
2120
2121         * ChakraCore/test/es5/regexSpace.baseline:
2122         * ChakraCore/test/es6/unicode_whitespace.js:
2123         Update tests to latest version.
2124         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2125
2126         * test262.yaml:
2127         * test262/config.yaml:
2128         * test262/expectations.yaml:
2129         Update expectations.
2130
2131 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2132
2133         [BigInt] Add support to BigInt into ValueAdd
2134         https://bugs.webkit.org/show_bug.cgi?id=186177
2135
2136         Reviewed by Keith Miller.
2137
2138         * stress/big-int-negate-jit.js:
2139         * stress/value-add-big-int-and-string.js: Added.
2140         * stress/value-add-big-int-prediction-propagation.js: Added.
2141         * stress/value-add-big-int-untyped.js: Added.
2142
2143 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2144
2145         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2146         https://bugs.webkit.org/show_bug.cgi?id=191184
2147
2148         Reviewed by Saam Barati.
2149
2150         Most tests were failing due to timeouts, since they are too slow to
2151         run on CLoop. The exceptions are:
2152
2153         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2154         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2155         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2156         to change the stack size since CLoop requires it to be page aligned.
2157
2158         * microbenchmarks/array-push-1.js:
2159         * microbenchmarks/array-push-2.js:
2160         * microbenchmarks/elidable-new-object-dag.js:
2161         * microbenchmarks/elidable-new-object-roflcopter.js:
2162         * microbenchmarks/elidable-new-object-tree.js:
2163         * microbenchmarks/getter-richards.js:
2164         * microbenchmarks/sinkable-new-object-dag.js:
2165         * microbenchmarks/string-concat-long-convert.js:
2166         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2167         * slowMicrobenchmarks/array-push-3.js:
2168         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2169         * slowMicrobenchmarks/spread-small-array.js:
2170         * slowMicrobenchmarks/undefined-property-access.js:
2171         * stress/activation-sink-default-value-tdz-error.js:
2172         * stress/activation-sink-default-value.js:
2173         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2174         * stress/activation-sink-osrexit-default-value.js:
2175         * stress/activation-sink-osrexit.js:
2176         * stress/activation-sink.js:
2177         * stress/allow-math-ic-b3-code-duplication.js:
2178         * stress/array-push-multiple-int32.js:
2179         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2180         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2181         * stress/arrowfunction-lexical-this-activation-sink.js:
2182         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2183         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2184         * stress/elide-new-object-dag-then-exit.js:
2185         * stress/materialize-regexp-cyclic.js:
2186         * stress/new-regex-inline.js:
2187         * stress/op_add.js:
2188         * stress/op_bitand.js:
2189         * stress/op_bitor.js:
2190         * stress/op_bitxor.js:
2191         * stress/op_div-ConstVar.js:
2192         * stress/op_div-VarConst.js:
2193         * stress/op_div-VarVar.js:
2194         * stress/op_lshift-ConstVar.js:
2195         * stress/op_lshift-VarConst.js:
2196         * stress/op_lshift-VarVar.js:
2197         * stress/op_mod-ConstVar.js:
2198         * stress/op_mod-VarConst.js:
2199         * stress/op_mod-VarVar.js:
2200         * stress/op_mul-ConstVar.js:
2201         * stress/op_mul-VarConst.js:
2202         * stress/op_mul-VarVar.js:
2203         * stress/op_rshift-ConstVar.js:
2204         * stress/op_rshift-VarConst.js:
2205         * stress/op_rshift-VarVar.js:
2206         * stress/op_sub-ConstVar.js:
2207         * stress/op_sub-VarConst.js:
2208         * stress/op_sub-VarVar.js:
2209         * stress/op_urshift-ConstVar.js:
2210         * stress/op_urshift-VarConst.js:
2211         * stress/op_urshift-VarVar.js:
2212         * stress/proxy-get-set-correct-receiver.js:
2213         * stress/regress-179562.js:
2214         * stress/rest-parameter-many-arguments.js:
2215         * stress/sampling-profiler-richards.js:
2216         * stress/splay-flash-access-1ms.js:
2217         * stress/tailCallForwardArguments.js:
2218         * stress/typed-array-get-by-val-profiling.js:
2219         * typeProfiler/getter-richards.js:
2220
2221 2018-11-06  Michael Saboff  <msaboff@apple.com>
2222
2223         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2224         https://bugs.webkit.org/show_bug.cgi?id=191271
2225
2226         Reviewed by Saam Barati.
2227
2228         Added more test cases and made all test cases run with the same deeply recursive stack
2229         instead of finding that same point for each test case.
2230
2231         * stress/regexp-compile-oom.js:
2232         (prototype.runTest):
2233         (recurseAndTest):
2234         (testList.push.new.TestAndExpectedException):
2235
2236 2018-11-05  Michael Saboff  <msaboff@apple.com>
2237
2238         Unreviewed build fix for linux.
2239
2240         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2241
2242 2018-11-02  Michael Saboff  <msaboff@apple.com>
2243
2244         Rolling in r237753 with unreviewed build fix.
2245
2246         Fixed issues with DECLARE_THROW_SCOPE placement.
2247
2248 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2249
2250         Unreviewed, rolling out r237753.
2251
2252         Introduced JSC test failures
2253
2254         Reverted changeset:
2255
2256         "Running out of stack space not properly handled in
2257         RegExp::compile() and its callers"
2258         https://bugs.webkit.org/show_bug.cgi?id=191206
2259         https://trac.webkit.org/changeset/237753
2260
2261 2018-11-02  Michael Saboff  <msaboff@apple.com>
2262
2263         Running out of stack space not properly handled in RegExp::compile() and its callers
2264         https://bugs.webkit.org/show_bug.cgi?id=191206
2265
2266         Reviewed by Filip Pizlo.
2267
2268         New regression test.
2269
2270         * stress/regexp-compile-oom.js: Added.
2271         (recurseAndTest):
2272
2273 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2274
2275         Skip tests on arm/mips that time out now we're running on CLoop
2276
2277         Unreviewed gardening.
2278
2279         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2280         time out on the bots and need to be disabled. There's more tests
2281         disabled on arm because the timeout is longer on the mips bot (as the
2282         device is slower to start with), so many of the tests don't time out
2283         there.
2284
2285         * microbenchmarks/getter-richards.js: disable on arm and mips.
2286         * stress/op_add.js: disable on arm.
2287         * stress/op_bitand.js: disable on arm.
2288         * stress/op_bitor.js: disable on arm.
2289         * stress/op_bitxor.js: disable on arm.
2290         * stress/op_lshift-ConstVar.js: disable on arm.
2291         * stress/op_lshift-VarConst.js: disable on arm.
2292         * stress/op_lshift-VarVar.js: disable on arm.
2293         * stress/op_mod-ConstVar.js: disable on arm.
2294         * stress/op_mod-VarConst.js: disable on arm.
2295         * stress/op_mod-VarVar.js: disable on arm.
2296         * stress/op_mul-ConstVar.js: disable on arm.
2297         * stress/op_mul-VarConst.js: disable on arm.
2298         * stress/op_mul-VarVar.js: disable on arm.
2299         * stress/op_rshift-ConstVar.js: disable on arm.
2300         * stress/op_rshift-VarConst.js: disable on arm.
2301         * stress/op_rshift-VarVar.js: disable on arm.
2302         * stress/op_sub-ConstVar.js: disable on arm.
2303         * stress/op_sub-VarConst.js: disable on arm.
2304         * stress/op_sub-VarVar.js: disable on arm.
2305         * stress/op_urshift-ConstVar.js: disable on arm.
2306         * stress/op_urshift-VarConst.js: disable on arm.
2307         * stress/op_urshift-VarVar.js: disable on arm.
2308         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2309         * stress/value-to-boolean.js: disable on arm and mips.
2310
2311 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2312
2313         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2314         https://bugs.webkit.org/show_bug.cgi?id=191108
2315         <rdar://problem/45690700>
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/wide-op_catch.js: Added.
2320         (catch):
2321
2322 2018-10-29  Mark Lam  <mark.lam@apple.com>
2323
2324         Correctly detect string overflow when using the 'Function' constructor.
2325         https://bugs.webkit.org/show_bug.cgi?id=184883
2326         <rdar://problem/36320331>
2327
2328         Reviewed by Saam Barati.
2329
2330         I've verified that this passes on 32-bit as well.
2331
2332         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2333
2334 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2335
2336         Add support for GetStack FlushedDouble
2337         https://bugs.webkit.org/show_bug.cgi?id=191012
2338         <rdar://problem/45265141>
2339
2340         Reviewed by Saam Barati.
2341
2342         * stress/get-stack-double.js: Added.
2343         (bar):
2344         (noInline):
2345
2346 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2347
2348         New bytecode format for JSC
2349         https://bugs.webkit.org/show_bug.cgi?id=187373
2350         <rdar://problem/44186758>
2351
2352         Reviewed by Filip Pizlo.
2353
2354         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2355
2356         * stress/maximum-inline-capacity.js: Added.
2357         (test1):
2358         (test3.Foo):
2359         (test3):
2360
2361 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2362
2363         Unreviewed, rolling out r237479 and r237484.
2364         https://bugs.webkit.org/show_bug.cgi?id=190978
2365
2366         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2367
2368         Reverted changesets:
2369
2370         "New bytecode format for JSC"
2371         https://bugs.webkit.org/show_bug.cgi?id=187373
2372         https://trac.webkit.org/changeset/237479
2373
2374         "Gardening: Build fix after r237479."
2375         https://bugs.webkit.org/show_bug.cgi?id=187373
2376         https://trac.webkit.org/changeset/237484
2377
2378 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2379
2380         New bytecode format for JSC
2381         https://bugs.webkit.org/show_bug.cgi?id=187373
2382         <rdar://problem/44186758>
2383
2384         Reviewed by Filip Pizlo.
2385
2386         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2387
2388         * stress/maximum-inline-capacity.js: Added.
2389         (test1):
2390         (test3.Foo):
2391         (test3):
2392
2393 2018-10-26  Mark Lam  <mark.lam@apple.com>
2394
2395         Fix missing edge cases with JSGlobalObjects having a bad time.
2396         https://bugs.webkit.org/show_bug.cgi?id=189028
2397         <rdar://problem/45204939>
2398
2399         Reviewed by Saam Barati.
2400
2401         * stress/regress-189028.js: Added.
2402
2403 2018-10-22  Mark Lam  <mark.lam@apple.com>
2404
2405         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2406         https://bugs.webkit.org/show_bug.cgi?id=190515
2407         <rdar://problem/45222379>
2408
2409         Rubber-stamped by Saam Barati.
2410
2411         Adding another test.
2412
2413         * stress/regress-190515-2.js: Added.
2414
2415 2018-10-22  Mark Lam  <mark.lam@apple.com>
2416
2417         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2418         https://bugs.webkit.org/show_bug.cgi?id=190515
2419         <rdar://problem/45222379>
2420
2421         Reviewed by Saam Barati.
2422
2423         * stress/regress-190515.js: Added.
2424
2425 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2426
2427         Unreviewed, rolling out r237254.
2428         https://bugs.webkit.org/show_bug.cgi?id=190760
2429
2430         "It regresses JetStream 2 by 5% on some iOS devices"
2431         (Requested by saamyjoon on #webkit).
2432
2433         Reverted changeset:
2434
2435         "[JSC] JSC should have "parseFunction" to optimize Function
2436         constructor"
2437         https://bugs.webkit.org/show_bug.cgi?id=190340
2438         https://trac.webkit.org/changeset/237254
2439
2440 2018-10-19  Saam Barati  <sbarati@apple.com>
2441
2442         vmCall should check if we exit before emitting an OSR exit due to exceptions
2443         https://bugs.webkit.org/show_bug.cgi?id=190740
2444         <rdar://problem/45220139>
2445
2446         Reviewed by Mark Lam.
2447
2448         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2449         (foo):
2450
2451 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2452
2453         [ESNext][BigInt] Implement support for "^"
2454         https://bugs.webkit.org/show_bug.cgi?id=186235
2455
2456         Reviewed by Yusuke Suzuki.
2457
2458         * stress/big-int-bitwise-xor-general.js: Added.
2459         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2460         * stress/big-int-bitwise-xor-type-error.js: Added.
2461         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2462
2463 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2464
2465         [BigInt] Add ValueSub into DFG
2466         https://bugs.webkit.org/show_bug.cgi?id=186176
2467
2468         Reviewed by Yusuke Suzuki.
2469
2470         * stress/big-int-subtraction-jit.js:
2471         * stress/value-sub-big-int-prediction-propagation.js: Added.
2472         * stress/value-sub-big-int-untyped.js: Added.
2473         * stress/value-sub-spec-none-case.js: Added.
2474
2475 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2476
2477         [JSC] JSC should have "parseFunction" to optimize Function constructor
2478         https://bugs.webkit.org/show_bug.cgi?id=190340
2479
2480         Reviewed by Mark Lam.
2481
2482         This patch fixes the line number of syntax errors raised by the Function constructor,
2483         since we now parse the final code only once. And we no longer use block statement
2484         for Function constructor's parsing.
2485
2486         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2487         * stress/function-cache-with-parameters-end-position.js: Added.
2488         (shouldBe):
2489         (shouldThrow):
2490         (i.anonymous):
2491         * stress/function-constructor-name.js: Added.
2492         (shouldBe):
2493         (GeneratorFunction):
2494         (AsyncFunction.async):
2495         (AsyncGeneratorFunction.async):
2496         (anonymous):
2497         (async.anonymous):
2498         * test262/expectations.yaml:
2499
2500 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2501
2502         Unreviewed, rolling out r237242.
2503         https://bugs.webkit.org/show_bug.cgi?id=190701
2504
2505         it breaks "stress/sampling-profiler-basic.js" (Requested by
2506         caiolima on #webkit).
2507
2508         Reverted changeset:
2509
2510         "[BigInt] Add ValueSub into DFG"
2511         https://bugs.webkit.org/show_bug.cgi?id=186176
2512         https://trac.webkit.org/changeset/237242
2513
2514 2018-10-17  Keith Miller  <keith_miller@apple.com>
2515
2516         AI does not clear Phantom allocation nodes.
2517         https://bugs.webkit.org/show_bug.cgi?id=190694
2518
2519         Reviewed by Saam Barati.
2520
2521         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2522         (Day):
2523         (DaysInYear):
2524         (TimeInYear):
2525         (TimeFromYear):
2526         (DayFromYear):
2527         (InLeapYear):
2528         (YearFromTime):
2529         (WeekDay):
2530         (DaylightSavingTA):
2531         (GetSecondSundayInMarch):
2532         (TimeInMonth):
2533
2534 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2535
2536         [BigInt] Add ValueSub into DFG
2537         https://bugs.webkit.org/show_bug.cgi?id=186176
2538
2539         Reviewed by Yusuke Suzuki.
2540
2541         * stress/big-int-subtraction-jit.js:
2542         * stress/value-sub-big-int-prediction-propagation.js: Added.
2543         * stress/value-sub-big-int-untyped.js: Added.
2544
2545 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2546
2547         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2548         https://bugs.webkit.org/show_bug.cgi?id=190611
2549
2550         Reviewed by Saam Barati.
2551
2552         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2553         to improve test runtime. On ARM/MIPS this test even timed out when running all
2554         tests.
2555
2556         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2557         (test):
2558
2559 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2560
2561         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2562
2563         Unreviewed gardening.
2564
2565         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2566
2567 2018-10-15  Saam barati  <sbarati@apple.com>
2568
2569         Emit fjcvtzs on ARM64E on Darwin
2570         https://bugs.webkit.org/show_bug.cgi?id=184023
2571
2572         Reviewed by Yusuke Suzuki and Filip Pizlo.
2573
2574         * stress/double-to-int32-NaN.js: Added.
2575         (assert):
2576         (foo):
2577
2578 2018-10-15  Saam Barati  <sbarati@apple.com>
2579
2580         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2581         https://bugs.webkit.org/show_bug.cgi?id=190262
2582         <rdar://problem/44986241>
2583
2584         Reviewed by Mark Lam.
2585
2586         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2587         (test):
2588         * stress/slice-array-storage-with-holes.js: Added.
2589         (main):
2590
2591 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2592
2593         Unreviewed, rolling out r237054.
2594         https://bugs.webkit.org/show_bug.cgi?id=190593
2595
2596         "this regressed JetStream 2 by 6% on iOS" (Requested by
2597         saamyjoon on #webkit).
2598
2599         Reverted changeset:
2600
2601         "[JSC] JSC should have "parseFunction" to optimize Function
2602         constructor"
2603         https://bugs.webkit.org/show_bug.cgi?id=190340
2604         https://trac.webkit.org/changeset/237054
2605
2606 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2607
2608         [JSC] JSON.stringify can accept call-with-no-arguments
2609         https://bugs.webkit.org/show_bug.cgi?id=190343
2610
2611         Reviewed by Mark Lam.
2612
2613         * stress/json-stringify-no-arguments.js: Added.
2614         (shouldBe):
2615
2616 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2617
2618         [JSC] JSC should have "parseFunction" to optimize Function constructor
2619         https://bugs.webkit.org/show_bug.cgi?id=190340
2620
2621         Reviewed by Mark Lam.
2622
2623         This patch fixes the line number of syntax errors raised by the Function constructor,
2624         since we now parse the final code only once. And we no longer use block statement
2625         for Function constructor's parsing.
2626
2627         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2628         * stress/function-cache-with-parameters-end-position.js: Added.
2629         (shouldBe):
2630         (shouldThrow):
2631         (i.anonymous):
2632         * stress/function-constructor-name.js: Added.
2633         (shouldBe):
2634         (GeneratorFunction):
2635         (AsyncFunction.async):
2636         (AsyncGeneratorFunction.async):
2637         (anonymous):
2638         (async.anonymous):
2639         * test262/expectations.yaml:
2640
2641 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2642
2643         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2644         https://bugs.webkit.org/show_bug.cgi?id=190426
2645
2646         Unreviewed gardening.
2647
2648         * stress/sampling-profiler-richards.js:
2649
2650 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2651
2652         [ESNext][BigInt] Implement support for "|"
2653         https://bugs.webkit.org/show_bug.cgi?id=186229
2654
2655         Reviewed by Yusuke Suzuki.
2656
2657         * stress/big-int-bitwise-and-jit.js:
2658         * stress/big-int-bitwise-or-general.js: Added.
2659         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2660         * stress/big-int-bitwise-or-jit.js: Added.
2661         * stress/big-int-bitwise-or-memory-stress.js: Added.
2662         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2663         * stress/big-int-bitwise-or-type-error.js: Added.
2664         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2665
2666 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2667
2668         Skip test on systems with limited memory
2669         https://bugs.webkit.org/show_bug.cgi?id=190310
2670
2671         Invoking runDefault adds test to runlist, skipping the test in the next
2672         line does not prevent the test from executing. Change order of lines such
2673         that runDefault is only executed if test is not executed.
2674
2675         Reviewed by Mark Lam.
2676
2677         * stress/regress-190187.js:
2678
2679 2018-10-03  Saam barati  <sbarati@apple.com>
2680
2681         lowXYZ in FTLLower should always filter the type of the incoming edge
2682         https://bugs.webkit.org/show_bug.cgi?id=189939
2683         <rdar://problem/44407030>
2684
2685         Reviewed by Michael Saboff.
2686
2687         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2688         (foo):
2689         (test):
2690
2691 2018-10-03  Mark Lam  <mark.lam@apple.com>
2692
2693         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2694         https://bugs.webkit.org/show_bug.cgi?id=190187
2695         <rdar://problem/42512909>
2696
2697         Reviewed by Michael Saboff.
2698
2699         * stress/regress-190187.js: Added.
2700
2701 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2702
2703         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2704         https://bugs.webkit.org/show_bug.cgi?id=190033
2705
2706         Reviewed by Yusuke Suzuki.
2707
2708         * stress/big-int-to-string.js:
2709
2710 2018-10-01  Mark Lam  <mark.lam@apple.com>
2711
2712         Function.toString() should also copy the source code Functions that are class definitions.
2713         https://bugs.webkit.org/show_bug.cgi?id=190186
2714         <rdar://problem/44733360>
2715
2716         Reviewed by Saam Barati.
2717
2718         * stress/regress-190186.js: Added.
2719
2720 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2721
2722         Split NaN-check into separate test
2723         https://bugs.webkit.org/show_bug.cgi?id=190010
2724
2725         Reviewed by Saam Barati.
2726
2727         DataView exposes NaN-representation, which is not necessarily the same on each
2728         architecture. Therefore move the check of the NaN-representation into its own
2729         file such that we can disable this test on MIPS where NaN-representation can be
2730         different on older CPUs.
2731
2732         * stress/dataview-jit-set-nan.js: Added.
2733         (assert):
2734         (test.storeLittleEndian):
2735         (test.storeBigEndian):
2736         (test.store):
2737         (test):
2738         * stress/dataview-jit-set.js:
2739         (test5):
2740
2741 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2742
2743         Unreviewed, rolling out r236647.
2744         https://bugs.webkit.org/show_bug.cgi?id=190124
2745
2746         Breaking test stress/big-int-to-string.js (Requested by
2747         caiolima_ on #webkit).
2748
2749         Reverted changeset:
2750
2751         "[BigInt] BigInt.proptotype.toString is broken when radix is
2752         power of 2"
2753         https://bugs.webkit.org/show_bug.cgi?id=190033
2754         https://trac.webkit.org/changeset/236647
2755
2756 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2757
2758         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2759         https://bugs.webkit.org/show_bug.cgi?id=190033
2760
2761         Reviewed by Yusuke Suzuki.
2762
2763         * stress/big-int-to-string.js:
2764
2765 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2766
2767         [ESNext][BigInt] Implement support for "&"
2768         https://bugs.webkit.org/show_bug.cgi?id=186228
2769
2770         Reviewed by Yusuke Suzuki.
2771
2772         * stress/big-int-bitwise-and-general.js: Added.
2773         (assert):
2774         (assert.sameValue):
2775         * stress/big-int-bitwise-and-jit.js: Added.
2776         (let.assert.sameValue):
2777         (bigIntBitAnd):
2778         * stress/big-int-bitwise-and-memory-stress.js: Added.
2779         (assert):
2780         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2781         (assert.sameValue):
2782         (let.o.Symbol.toPrimitive):
2783         (catch):
2784         * stress/big-int-bitwise-and-type-error.js: Added.
2785         (assert):
2786         (assertThrowTypeError):
2787         (let.o.valueOf):
2788         (o.valueOf):
2789         (o.toString):
2790         (o.Symbol.toPrimitive):
2791         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2792         (assert.sameValue):
2793         (testBitAnd):
2794         (let.o.Symbol.toPrimitive):
2795         (o.valueOf):
2796         (o.toString):
2797
2798 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2799
2800         JSC test stress/jsc-read.js doesn't support CRLF
2801         https://bugs.webkit.org/show_bug.cgi?id=190063
2802
2803         Reviewed by Yusuke Suzuki.
2804
2805         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2806
2807         * stress/jsc-read.js:
2808         (test):
2809
2810 2018-09-27  Saam barati  <sbarati@apple.com>
2811
2812         Verify the contents of AssemblerBuffer on arm64e
2813         https://bugs.webkit.org/show_bug.cgi?id=190057
2814         <rdar://problem/38916630>
2815
2816         Reviewed by Mark Lam.
2817
2818         * stress/regress-189132.js:
2819
2820 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2821
2822         Disable test without LLInt on ARMv7
2823         https://bugs.webkit.org/show_bug.cgi?id=190037
2824
2825         Reviewed by Mark Lam.
2826
2827         Test runs out of executable memory on ARMv7, do not run
2828         this test without LLInt enabled.
2829
2830         * stress/regress-169445.js:
2831
2832 2018-09-26  Keith Miller  <keith_miller@apple.com>
2833
2834         We should zero unused property storage when rebalancing array storage.
2835         https://bugs.webkit.org/show_bug.cgi?id=188151
2836
2837         Reviewed by Michael Saboff.
2838
2839         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2840
2841 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2842
2843         [JSC] Optimize Array#lastIndexOf
2844         https://bugs.webkit.org/show_bug.cgi?id=189780
2845
2846         Reviewed by Saam Barati.
2847
2848         * stress/array-lastindexof-array-prototype-trap.js: Added.
2849         (shouldBe):
2850         (AncestorArray.prototype.get 2):
2851         (AncestorArray):
2852         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2853         (shouldBe):
2854         * stress/array-lastindexof-hole-nan.js: Added.
2855         (shouldBe):
2856         (throw.new.Error):
2857         * stress/array-lastindexof-infinity.js: Added.
2858         (shouldBe):
2859         (throw.new.Error):
2860         * stress/array-lastindexof-negative-zero.js: Added.
2861         (shouldBe):
2862         (throw.new.Error):
2863         * stress/array-lastindexof-own-getter.js: Added.
2864         (shouldBe):
2865         (throw.new.Error.get array):
2866         (get array):
2867         * stress/array-lastindexof-prototype-trap.js: Added.
2868         (shouldBe):
2869         (DerivedArray.prototype.get 2):
2870         (DerivedArray):
2871
2872 2018-09-25  Saam Barati  <sbarati@apple.com>
2873
2874         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2875         https://bugs.webkit.org/show_bug.cgi?id=189940
2876         <rdar://problem/43640987>
2877
2878         Reviewed by Mark Lam.
2879
2880         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2881
2882 2018-09-24  Saam Barati  <sbarati@apple.com>
2883
2884         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2885         https://bugs.webkit.org/show_bug.cgi?id=189922
2886         <rdar://problem/44651275>
2887
2888         Reviewed by Mark Lam.
2889
2890         * stress/array-indexof-fast-path-effects.js: Added.
2891         * stress/array-indexof-cached-length.js: Added.
2892
2893 2018-09-24  Saam barati  <sbarati@apple.com>
2894
2895         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2896         https://bugs.webkit.org/show_bug.cgi?id=189682
2897         <rdar://problem/43557315>
2898
2899         Reviewed by Mark Lam.
2900
2901         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2902         (foo):
2903
2904 2018-09-22  Saam barati  <sbarati@apple.com>
2905
2906         The sampling should not use Strong<CodeBlock> in its machineLocation field
2907         https://bugs.webkit.org/show_bug.cgi?id=189319
2908
2909         Reviewed by Filip Pizlo.
2910
2911         * stress/sampling-profiler-richards.js: Added.
2912
2913 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2914
2915         [JSC] Optimize Array#indexOf in C++ runtime
2916         https://bugs.webkit.org/show_bug.cgi?id=189507
2917
2918         Reviewed by Saam Barati.
2919
2920         * stress/array-indexof-array-prototype-trap.js: Added.
2921         (shouldBe):
2922         (AncestorArray.prototype.get 2):
2923         (AncestorArray):
2924         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2925         (shouldBe):
2926         * stress/array-indexof-hole-nan.js: Added.
2927         (shouldBe):
2928         (throw.new.Error):
2929         * stress/array-indexof-infinity.js: Added.
2930         (shouldBe):
2931         (throw.new.Error):
2932         * stress/array-indexof-negative-zero.js: Added.
2933         (shouldBe):
2934         (throw.new.Error):
2935         * stress/array-indexof-own-getter.js: Added.
2936         (shouldBe):
2937         (throw.new.Error.get array):
2938         (get array):
2939         * stress/array-indexof-prototype-trap.js: Added.
2940         (shouldBe):
2941         (DerivedArray.prototype.get 2):
2942         (DerivedArray):
2943
2944 2018-09-19  Saam barati  <sbarati@apple.com>
2945
2946         AI rule for MultiPutByOffset executes its effects in the wrong order
2947         https://bugs.webkit.org/show_bug.cgi?id=189757
2948         <rdar://problem/43535257>
2949
2950         Reviewed by Michael Saboff.
2951
2952         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2953         (foo):
2954         (Foo):
2955         (g):
2956
2957 2018-09-17  Mark Lam  <mark.lam@apple.com>
2958
2959         Ensure that ForInContexts are invalidated if their loop local is over-written.
2960         https://bugs.webkit.org/show_bug.cgi?id=189571
2961         <rdar://problem/44402277>
2962
2963         Reviewed by Saam Barati.
2964
2965         * stress/regress-189571.js: Added.
2966
2967 2018-09-17  Saam barati  <sbarati@apple.com>
2968
2969         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2970         https://bugs.webkit.org/show_bug.cgi?id=189676
2971         <rdar://problem/39682897>
2972
2973         Reviewed by Michael Saboff.
2974
2975         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2976         (A):
2977         (K):
2978         (i.catch):
2979
2980 2018-09-14  Saam barati  <sbarati@apple.com>
2981
2982         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2983         https://bugs.webkit.org/show_bug.cgi?id=189628
2984         <rdar://problem/39481690>
2985
2986         Reviewed by Mark Lam.
2987
2988         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2989         (foo):
2990
2991 2018-09-11  Mark Lam  <mark.lam@apple.com>
2992
2993         Test for array initialization in arrayProtoFuncSplice.
2994         https://bugs.webkit.org/show_bug.cgi?id=170253
2995         <rdar://problem/31328773>
2996
2997         Rubber-stamped by Saam Barati.
2998
2999         * stress/regress-170253.js: Added.
3000
3001 2018-09-11  Mark Lam  <mark.lam@apple.com>
3002
3003         Test for IntlObject initialization.
3004         https://bugs.webkit.org/show_bug.cgi?id=170251
3005         <rdar://problem/31328419>
3006
3007         Rubber-stamped by Saam Barati.
3008
3009         * stress/regress-170251.js: Added.
3010
3011 2018-09-11  Mark Lam  <mark.lam@apple.com>
3012
3013         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3014         https://bugs.webkit.org/show_bug.cgi?id=169889
3015         <rdar://problem/31155607>
3016
3017         Reviewed by Saam Barati.
3018
3019         * stress/regress-169889-array-concat.js: Added.
3020         * stress/regress-169889-array-concat1.js: Added.
3021         * stress/regress-169889-array-slice.js: Added.
3022
3023 2018-09-11  Mark Lam  <mark.lam@apple.com>
3024
3025         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3026         https://bugs.webkit.org/show_bug.cgi?id=169445
3027         <rdar://problem/30957435>
3028
3029         Reviewed by Saam Barati.
3030
3031         * stress/regress-169445.js: Added.
3032         (let.gun.eval.A):
3033         (let.gun.eval.B.C):
3034         (let.gun.eval.B.C.prototype.trigger):
3035         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3036         (let.gun.eval.B):
3037         (let.gun.eval):
3038
3039 == Rolled over to ChangeLog-2018-09-11 ==