[JSC] Do not use asArrayModes() with Structures because it discards TypedArray inform...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
4         https://bugs.webkit.org/show_bug.cgi?id=193372
5
6         Reviewed by Saam Barati.
7
8         * stress/typed-array-array-modes-profile.js: Added.
9         (foo):
10
11 2019-01-14  Mark Lam  <mark.lam@apple.com>
12
13         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
14         https://bugs.webkit.org/show_bug.cgi?id=193402
15         <rdar://problem/46012309>
16
17         Reviewed by Keith Miller.
18
19         * stress/regexp-compile-oom.js:
20         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
21           is enabled.  As a result, it will fail on cloop builds though there is no bug.
22
23 2019-01-11  Saam barati  <sbarati@apple.com>
24
25         DFG combined liveness can be wrong for terminal basic blocks
26         https://bugs.webkit.org/show_bug.cgi?id=193304
27         <rdar://problem/45268632>
28
29         Reviewed by Yusuke Suzuki.
30
31         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
32
33 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
34
35         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
36         https://bugs.webkit.org/show_bug.cgi?id=193308
37         <rdar://problem/45546542>
38
39         Reviewed by Saam Barati.
40
41         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
42         (shouldThrow):
43         (shouldBe):
44         (foo):
45         (get shouldThrow):
46         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
47         (shouldThrow):
48         (shouldBe):
49         (foo):
50         (get shouldBe):
51         (get shouldThrow):
52         (get return):
53         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
54         (shouldThrow):
55         (shouldBe):
56         (foo):
57         (get shouldBe):
58         (get shouldThrow):
59         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
60         (shouldThrow):
61         (shouldBe):
62         (foo):
63         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
64         (shouldThrow):
65         (shouldBe):
66         (foo):
67         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
68         (shouldThrow):
69         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
70         (shouldThrow):
71         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
72         (shouldThrow):
73         (shouldBe):
74         (foo):
75         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
76         (shouldThrow):
77         (shouldBe):
78         (foo):
79         (get shouldBe):
80         (get shouldThrow):
81         (get return):
82         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
83         (shouldThrow):
84         (shouldBe):
85         (foo):
86         (get shouldBe):
87         (get shouldThrow):
88         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
89         (shouldThrow):
90         (shouldBe):
91         (foo):
92         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
93         (shouldThrow):
94         (shouldBe):
95         (foo):
96
97 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
98
99         Enable DFG on ARM/Linux again
100         https://bugs.webkit.org/show_bug.cgi?id=192496
101
102         Reviewed by Yusuke Suzuki.
103
104         Test wasn't really skipped before moving the line with skip
105         to the top.
106
107         * stress/regress-192717.js:
108
109 2019-01-10  Commit Queue  <commit-queue@webkit.org>
110
111         Unreviewed, rolling out r239825.
112         https://bugs.webkit.org/show_bug.cgi?id=193330
113
114         Broke tests on armv7/linux bots (Requested by guijemont on
115         #webkit).
116
117         Reverted changeset:
118
119         "Enable DFG on ARM/Linux again"
120         https://bugs.webkit.org/show_bug.cgi?id=192496
121         https://trac.webkit.org/changeset/239825
122
123 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
124
125         Enable DFG on ARM/Linux again
126         https://bugs.webkit.org/show_bug.cgi?id=192496
127
128         Reviewed by Yusuke Suzuki.
129
130         Test wasn't really skipped before moving the line with skip
131         to the top.
132
133         * stress/regress-192717.js:
134
135 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
136
137         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
138         https://bugs.webkit.org/show_bug.cgi?id=193127
139
140         Reviewed by Saam Barati.
141
142         * stress/array-species-create-should-handle-masquerader.js: Added.
143         (shouldThrow):
144         * stress/is-undefined-or-null-builtin.js: Added.
145         (shouldBe):
146         (isUndefinedOrNull.vm.createBuiltin):
147
148 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
149
150         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
151         https://bugs.webkit.org/show_bug.cgi?id=193221
152
153         Reviewed by Mark Lam.
154
155         * stress/put-by-id-flags.js: Added.
156         (f):
157         (g):
158         (numberOfDFGCompiles):
159
160 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
161
162         Baseline version of get_by_id may corrupt metadata
163         https://bugs.webkit.org/show_bug.cgi?id=193085
164         <rdar://problem/23453006>
165
166         Reviewed by Saam Barati.
167
168         * stress/get-by-id-change-mode.js: Added.
169         (forEach):
170
171 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
172
173         [JSC] Optimize Object.prototype.toString
174         https://bugs.webkit.org/show_bug.cgi?id=193031
175
176         Reviewed by Saam Barati.
177
178         * stress/object-tostring-changed-proto.js: Added.
179         (shouldBe):
180         (test):
181         * stress/object-tostring-changed.js: Added.
182         (shouldBe):
183         (test):
184         * stress/object-tostring-misc.js: Added.
185         (shouldBe):
186         (test):
187         (i.switch):
188         * stress/object-tostring-other.js: Added.
189         (shouldBe):
190         (test):
191         * stress/object-tostring-untyped.js: Added.
192         (shouldBe):
193         (test):
194         (i.switch):
195
196 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
197
198         test262-runner misbehaves when test file YAML has a trailing space
199         https://bugs.webkit.org/show_bug.cgi?id=193053
200
201         Reviewed by Yusuke Suzuki.
202
203         * test262/expectations.yaml:
204         Mark two dozen tests as passing (and correct the output of another).
205
206 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
207
208         Unreviewed, JSTests gardening with memoryLimited
209
210         * stress/string-overflow-createError.js:
211
212 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
213
214         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
215         https://bugs.webkit.org/show_bug.cgi?id=193050
216
217         Reviewed by Yusuke Suzuki.
218
219         * test262.yaml:
220         * test262/expectations.yaml:
221         Mark 16 tests as passing.
222
223 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
224
225         [BigInt] Support BigInt in JSON.stringify
226         https://bugs.webkit.org/show_bug.cgi?id=192624
227
228         Reviewed by Saam Barati.
229
230         * stress/big-int-json-stringify-to-json.js: Added.
231         (shouldBe):
232         (shouldThrow):
233         (BigInt.prototype.toJSON):
234         (shouldBe.JSON.stringify):
235         * stress/big-int-json-stringify.js: Added.
236         (shouldBe):
237         (shouldThrow):
238
239 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
240
241         [JSC] Implement "well-formed JSON.stringify" proposal
242         https://bugs.webkit.org/show_bug.cgi?id=191677
243
244         Reviewed by Darin Adler.
245
246         * stress/json-surrogate-pair.js: Added.
247         (shouldBe):
248         * test262/expectations.yaml:
249
250 2018-12-20  Keith Miller  <keith_miller@apple.com>
251
252         Add support for globalThis
253         https://bugs.webkit.org/show_bug.cgi?id=165171
254
255         Reviewed by Mark Lam.
256
257         * test262/config.yaml:
258
259 2018-12-19  Keith Miller  <keith_miller@apple.com>
260
261         Update test262 configuration to not run tests dependent on ICU version.
262         https://bugs.webkit.org/show_bug.cgi?id=192920
263
264         Reviewed by Saam Barati.
265
266         * test262/expectations.yaml:
267
268 2018-12-20  Mark Lam  <mark.lam@apple.com>
269
270         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
271         https://bugs.webkit.org/show_bug.cgi?id=192939
272         <rdar://problem/46869516>
273
274         Reviewed by Keith Miller.
275
276         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
277
278 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
279
280         WTF::String and StringImpl overflow MaxLength
281         https://bugs.webkit.org/show_bug.cgi?id=192853
282         <rdar://problem/45726906>
283
284         Reviewed by Mark Lam.
285
286         * stress/string-16bit-repeat-overflow.js: Added.
287         (catch):
288
289 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
290
291         Unreviewed follow-up to r192914.
292
293         * test262/expectations.yaml:
294         Add the last 20 missing expectations.
295
296 2018-12-19  Keith Miller  <keith_miller@apple.com>
297
298         Fix test262 expectations
299         https://bugs.webkit.org/show_bug.cgi?id=192914
300
301         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
302
303         * test262/expectations.yaml:
304
305 2018-12-19  Keith Miller  <keith_miller@apple.com>
306
307         Update test262 tests.
308         https://bugs.webkit.org/show_bug.cgi?id=192907
309
310         Rubber stamped by Mark Lam.
311
312         * test262/*: Omitted because prepare-changelog crashes.
313
314 2018-12-19  Mark Lam  <mark.lam@apple.com>
315
316         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
317         https://bugs.webkit.org/show_bug.cgi?id=192464
318         <rdar://problem/46519455>
319
320         Reviewed by Saam Barati.
321
322         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
323         microbenchmark.
324
325         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
326         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
327
328 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
329
330         String overflow in JSC::createError results in ASSERT in WTF::makeString
331         https://bugs.webkit.org/show_bug.cgi?id=192833
332         <rdar://problem/45706868>
333
334         Reviewed by Mark Lam.
335
336         * stress/string-overflow-createError.js: Added.
337
338 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
339
340         Error message for `-x ** y` contains a typo.
341         https://bugs.webkit.org/show_bug.cgi?id=192832
342
343         Reviewed by Saam Barati.
344
345         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
346         (assert.assert.return.throws):
347         * stress/pow-expects-update-expression-on-lhs.js:
348         (throw.new.Error):
349         Update test expectations which match against the exact error message.
350
351 2018-12-18  Mark Lam  <mark.lam@apple.com>
352
353         Gardening: test options fix.
354         https://bugs.webkit.org/show_bug.cgi?id=192822
355
356         Unreviewed.
357
358         * stress/json-stringify-string-builder-overflow.js:
359
360 2018-12-18  Mark Lam  <mark.lam@apple.com>
361
362         JSON.stringify() should throw OOM on StringBuilder overflows.
363         https://bugs.webkit.org/show_bug.cgi?id=192822
364         <rdar://problem/46670577>
365
366         Reviewed by Saam Barati.
367
368         * stress/json-stringify-string-builder-overflow.js: Added.
369
370 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
371
372         Redeclaration of var over let/const/class should be a syntax error.
373         https://bugs.webkit.org/show_bug.cgi?id=192298
374
375         Reviewed by Keith Miller.
376
377         * test262.yaml:
378         * test262/expectations.yaml:
379         Mark 46 tests as passing.
380
381         * stress/block-scope-redeclarations.js:
382         Add some new tests.
383
384         * stress/for-in-invalidate-context-weird-assignments.js:
385         * stress/for-in-tests.js:
386         Replace tests for outdated behavior with tests for SyntaxError.
387
388         * ChakraCore/test/LetConst/defer3.baseline-jsc:
389         * ChakraCore/test/LetConst/letvar.baseline-jsc:
390         Update expectations.
391
392 2018-12-18  Mark Lam  <mark.lam@apple.com>
393
394         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
395         https://bugs.webkit.org/show_bug.cgi?id=191374
396         <rdar://problem/46525447>
397
398         Reviewed by Yusuke Suzuki.
399
400         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
401
402         * stress/elidable-new-object-roflcopter-then-exit.js:
403
404 2018-12-17  Mark Lam  <mark.lam@apple.com>
405
406         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
407         https://bugs.webkit.org/show_bug.cgi?id=192019
408         <rdar://problem/46525456>
409
410         Reviewed by Yusuke Suzuki.
411
412         The test runs too slow on 32-bit.
413
414         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
415
416 2018-12-17  Mark Lam  <mark.lam@apple.com>
417
418         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
419         https://bugs.webkit.org/show_bug.cgi?id=191373
420         <rdar://problem/46525458>
421
422         Reviewed by Yusuke Suzuki.
423
424         The test is already slow running with a JIT on 64-bit.  It will always timeout
425         on 32-bit without a JIT.
426
427         * stress/materialize-regexp-cyclic-regexp.js:
428
429 2018-12-17  Mark Lam  <mark.lam@apple.com>
430
431         Array unshift/shift should not race against the AI in the compiler thread.
432         https://bugs.webkit.org/show_bug.cgi?id=192795
433         <rdar://problem/46724263>
434
435         Reviewed by Saam Barati.
436
437         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
438
439 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
440
441         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
442         https://bugs.webkit.org/show_bug.cgi?id=190047
443
444         Reviewed by Saam Barati.
445
446         * stress/object-keys-cached-zero.js: Added.
447         (shouldBe):
448         (test):
449         * stress/object-keys-changed-attribute.js: Added.
450         (shouldBe):
451         (test):
452         * stress/object-keys-changed-index.js: Added.
453         (shouldBe):
454         (test):
455         * stress/object-keys-changed.js: Added.
456         (shouldBe):
457         (test):
458         * stress/object-keys-indexed-non-cache.js: Added.
459         (shouldBe):
460         (test):
461         * stress/object-keys-overrides-get-property-names.js: Added.
462         (shouldBe):
463         (test):
464         (noInline):
465
466 2018-12-17  Mark Lam  <mark.lam@apple.com>
467
468         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
469         https://bugs.webkit.org/show_bug.cgi?id=192779
470         <rdar://problem/46775869>
471
472         Reviewed by Saam Barati.
473
474         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
475
476 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
477
478         Unreviewed test gardening, address a syntax error in a new test.
479
480         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
481
482 2018-12-17  Mark Lam  <mark.lam@apple.com>
483
484         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
485         https://bugs.webkit.org/show_bug.cgi?id=192776
486         <rdar://problem/46772368>
487
488         Reviewed by Keith Miller.
489
490         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
491
492 2018-12-17  Mark Lam  <mark.lam@apple.com>
493
494         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
495         https://bugs.webkit.org/show_bug.cgi?id=192770
496         <rdar://problem/46449037>
497
498         Reviewed by Keith Miller.
499
500         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
501
502 2018-12-14  Mark Lam  <mark.lam@apple.com>
503
504         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
505         https://bugs.webkit.org/show_bug.cgi?id=192717
506         <rdar://problem/46660677>
507
508         Reviewed by Saam Barati.
509
510         * stress/regress-192717.js: Added.
511
512 2018-12-14  Commit Queue  <commit-queue@webkit.org>
513
514         Unreviewed, rolling out r239153, r239154, and r239155.
515         https://bugs.webkit.org/show_bug.cgi?id=192715
516
517         Caused flaky GC-related crashes seen with layout tests
518         (Requested by ryanhaddad on #webkit).
519
520         Reverted changesets:
521
522         "[JSC] Optimize Object.keys by caching own keys results in
523         StructureRareData"
524         https://bugs.webkit.org/show_bug.cgi?id=190047
525         https://trac.webkit.org/changeset/239153
526
527         "Unreviewed, build fix after r239153"
528         https://bugs.webkit.org/show_bug.cgi?id=190047
529         https://trac.webkit.org/changeset/239154
530
531         "Unreviewed, build fix after r239153, part 2"
532         https://bugs.webkit.org/show_bug.cgi?id=190047
533         https://trac.webkit.org/changeset/239155
534
535 2018-12-14  Keith Miller  <keith_miller@apple.com>
536
537         Callers of JSString::getIndex should check for OOM exceptions
538         https://bugs.webkit.org/show_bug.cgi?id=192709
539
540         Reviewed by Mark Lam.
541
542         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
543
544 2018-12-13  Mark Lam  <mark.lam@apple.com>
545
546         Add a missing exception check.
547         https://bugs.webkit.org/show_bug.cgi?id=192626
548         <rdar://problem/46662163>
549
550         Reviewed by Keith Miller.
551
552         * stress/regress-192626.js: Added.
553
554 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
555
556         [BigInt] Add ValueDiv into DFG
557         https://bugs.webkit.org/show_bug.cgi?id=186178
558
559         Reviewed by Yusuke Suzuki.
560
561         * stress/big-int-div-jit-osr.js: Added.
562         * stress/big-int-div-jit-untyped.js: Added.
563         * stress/value-div-fixup-int32-big-int.js: Added.
564
565 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
566
567         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
568         https://bugs.webkit.org/show_bug.cgi?id=190047
569
570         Reviewed by Keith Miller.
571
572         * stress/object-keys-cached-zero.js: Added.
573         (shouldBe):
574         (test):
575         * stress/object-keys-changed-attribute.js: Added.
576         (shouldBe):
577         (test):
578         * stress/object-keys-changed-index.js: Added.
579         (shouldBe):
580         (test):
581         * stress/object-keys-changed.js: Added.
582         (shouldBe):
583         (test):
584         * stress/object-keys-indexed-non-cache.js: Added.
585         (shouldBe):
586         (test):
587         * stress/object-keys-overrides-get-property-names.js: Added.
588         (shouldBe):
589         (test):
590         (noInline):
591
592 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
593
594         [DFG][FTL] Add NewSymbol
595         https://bugs.webkit.org/show_bug.cgi?id=192620
596
597         Reviewed by Saam Barati.
598
599         * microbenchmarks/symbol-creation.js: Added.
600         (test):
601         * stress/symbol-description-identity.js: Added.
602         (shouldBe):
603         (test):
604         * stress/symbol-identity.js: Added.
605         (shouldBe):
606         (test):
607         * stress/symbol-with-description-throw-error.js: Added.
608         (shouldBe):
609         (shouldThrow):
610         (test):
611         (object.toString):
612
613 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
614
615         [BigInt] Implement DFG/FTL typeof for BigInt
616         https://bugs.webkit.org/show_bug.cgi?id=192619
617
618         Reviewed by Keith Miller.
619
620         * stress/big-int-boolean-proven-type.js: Added.
621         (assert):
622         (bool):
623         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
624         (assert):
625         (typeOf):
626         (i.switch):
627         * stress/big-int-type-of-proven-type-non-constant.js: Added.
628         (assert):
629         (typeOf):
630         * stress/big-int-type-of.js:
631         (typeOf):
632         (func):
633
634 2018-12-10  Mark Lam  <mark.lam@apple.com>
635
636         PropertyAttribute needs a CustomValue bit.
637         https://bugs.webkit.org/show_bug.cgi?id=191993
638         <rdar://problem/46264467>
639
640         Reviewed by Saam Barati.
641
642         * stress/regress-191993.js: Added.
643
644 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
645
646         [BigInt] Add ValueMul into DFG
647         https://bugs.webkit.org/show_bug.cgi?id=186175
648
649         Reviewed by Yusuke Suzuki.
650
651         * stress/big-int-mul-jit-osr.js: Added.
652         * stress/big-int-mul-jit-untyped.js: Added.
653         * stress/value-mul-fixup-int32-big-int.js: Added.
654
655 2018-12-06  Keith Miller  <keith_miller@apple.com>
656
657         stress/big-wasm-memory tests failing on 32-bit JSC bot
658         https://bugs.webkit.org/show_bug.cgi?id=192020
659
660         Reviewed by Saam Barati.
661
662         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
663         the wasm stress tests if the WebAssembly object does not exist.
664
665         * stress/big-wasm-memory-grow-no-max.js:
666         (test.foo):
667         (test):
668         (foo): Deleted.
669         (catch): Deleted.
670         * stress/big-wasm-memory-grow.js:
671         (test.foo):
672         (test):
673         (foo): Deleted.
674         (catch): Deleted.
675         * stress/big-wasm-memory.js:
676         (test.foo):
677         (test):
678         (foo): Deleted.
679         (catch): Deleted.
680
681 2018-12-05  Mark Lam  <mark.lam@apple.com>
682
683         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
684         https://bugs.webkit.org/show_bug.cgi?id=192441
685         <rdar://problem/46480355>
686
687         Reviewed by Saam Barati.
688
689         * stress/regress-192441.js: Added.
690
691 2018-12-04  Mark Lam  <mark.lam@apple.com>
692
693         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
694         https://bugs.webkit.org/show_bug.cgi?id=192386
695         <rdar://problem/46445516>
696
697         Reviewed by Saam Barati.
698
699         * stress/regress-192386.js: Added.
700
701 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
702
703         [ESNext][BigInt] Support logic operations
704         https://bugs.webkit.org/show_bug.cgi?id=179903
705
706         Reviewed by Yusuke Suzuki.
707
708         * stress/big-int-branch-usage.js: Added.
709         * stress/big-int-logical-and.js: Added.
710         * stress/big-int-logical-not.js: Added.
711         * stress/big-int-logical-or.js: Added.
712
713 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
714
715         Unreviewed, rolling out r238833.
716
717         Breaks macOS and iOS debug builds.
718
719         Reverted changeset:
720
721         "[ESNext][BigInt] Support logic operations"
722         https://bugs.webkit.org/show_bug.cgi?id=179903
723         https://trac.webkit.org/changeset/238833
724
725 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
726
727         [ESNext][BigInt] Support logic operations
728         https://bugs.webkit.org/show_bug.cgi?id=179903
729
730         Reviewed by Yusuke Suzuki.
731
732         * stress/big-int-branch-usage.js: Added.
733         * stress/big-int-logical-and.js: Added.
734         * stress/big-int-logical-not.js: Added.
735         * stress/big-int-logical-or.js: Added.
736
737 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
738
739         [ESNext][BigInt] Implement support for "<<" and ">>"
740         https://bugs.webkit.org/show_bug.cgi?id=186233
741
742         Reviewed by Yusuke Suzuki.
743
744         * stress/big-int-left-shift-general.js: Added.
745         * stress/big-int-left-shift-range-error.js: Added.
746         * stress/big-int-left-shift-type-error.js: Added.
747         * stress/big-int-left-shift-wrapped-value.js: Added.
748         * stress/big-int-right-shift-general.js: Added.
749         * stress/big-int-right-shift-type-error.js: Added.
750         * stress/big-int-right-shift-wrapped-value.js: Added.
751         * stress/left-shift-to-primitive-precedence.js: Added.
752         * stress/right-shift-to-primitive-precedence.js: Added.
753
754 2018-11-30  Dean Jackson  <dino@apple.com>
755
756         Add first-class support for .mjs files in jsc binary
757         https://bugs.webkit.org/show_bug.cgi?id=192190
758         <rdar://problem/46375715>
759
760         Reviewed by Keith Miller.
761
762         * stress/simple-module.mjs: Added.
763         * stress/simple-script.js: Added.
764
765 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
766
767         [BigInt] Implement ValueBitXor into DFG
768         https://bugs.webkit.org/show_bug.cgi?id=190264
769
770         Reviewed by Yusuke Suzuki.
771
772         * stress/big-int-bitwise-xor-jit.js: Added.
773         * stress/big-int-bitwise-xor-memory-stress.js: Added.
774         * stress/big-int-bitwise-xor-untyped.js: Added.
775
776 2018-11-27  Saam barati  <sbarati@apple.com>
777
778         r238510 broke scopes of size zero
779         https://bugs.webkit.org/show_bug.cgi?id=192033
780         <rdar://problem/46281734>
781
782         Reviewed by Keith Miller.
783
784         * stress/r238510-bad-loop.js: Added.
785         (foo):
786
787 2018-11-27  Mark Lam  <mark.lam@apple.com>
788
789         [Re-landing] NaNs read from Wasm code needs to be be purified.
790         https://bugs.webkit.org/show_bug.cgi?id=191056
791         <rdar://problem/45660341>
792
793         Reviewed by Filip Pizlo.
794
795         * wasm/regress/regress-191056.js: Added.
796
797 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
798
799         Unreviewed, rolling out r238509.
800
801         Causes JSC tests to fail on iOS.
802
803         Reverted changeset:
804
805         "NaNs read from Wasm code needs to be be purified."
806         https://bugs.webkit.org/show_bug.cgi?id=191056
807         https://trac.webkit.org/changeset/238509
808
809 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
810
811         Re-introduce op_bitnot
812         https://bugs.webkit.org/show_bug.cgi?id=190923
813
814         Reviewed by Yusuke Suzuki.
815
816         * stress/bit-not-must-generate.js: Added.
817         * stress/bitwise-not-no-int32.js: Added.
818
819 2018-11-26  Saam barati  <sbarati@apple.com>
820
821         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
822         https://bugs.webkit.org/show_bug.cgi?id=191956
823         <rdar://problem/45665806>
824
825         Reviewed by Yusuke Suzuki.
826
827         * stress/end-basic-block-set-local-should-filter-type.js: Added.
828         (bar):
829         (foo):
830
831 2018-11-26  Saam barati  <sbarati@apple.com>
832
833         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
834         https://bugs.webkit.org/show_bug.cgi?id=191958
835         <rdar://problem/46221877>
836
837         Reviewed by Yusuke Suzuki.
838
839         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
840         (x):
841         (foo):
842
843 2018-11-26  Mark Lam  <mark.lam@apple.com>
844
845         NaNs read from Wasm code needs to be be purified.
846         https://bugs.webkit.org/show_bug.cgi?id=191056
847         <rdar://problem/45660341>
848
849         Reviewed by Filip Pizlo.
850
851         * wasm/regress/regress-191056.js: Added.
852
853 2018-11-26  Michael Saboff  <msaboff@apple.com>
854
855         32-bit JSC test failure: stress/regexp-compile-oom.js
856         https://bugs.webkit.org/show_bug.cgi?id=191375
857
858         Reviewed by Mark Lam.
859
860         Disabled the test for 32 bit platforms.
861
862         * stress/regexp-compile-oom.js:
863
864 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
865
866         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
867         https://bugs.webkit.org/show_bug.cgi?id=191716
868         <rdar://problem/45723878>
869
870         Reviewed by Saam Barati.
871
872         * stress/regress-187373.js: Added.
873         (async.fn):
874
875 2018-11-21  Saam barati  <sbarati@apple.com>
876
877         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
878         https://bugs.webkit.org/show_bug.cgi?id=191897
879         <rdar://problem/45871998>
880
881         Reviewed by Mark Lam.
882
883         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
884         (bar):
885         (foo):
886
887 2018-11-21  Saam barati  <sbarati@apple.com>
888
889         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
890         https://bugs.webkit.org/show_bug.cgi?id=191895
891         <rdar://problem/46167406>
892
893         Reviewed by Mark Lam.
894
895         * stress/known-cell-use-needs-type-check-assertion.js: Added.
896         (foo):
897         (bar):
898
899 2018-11-21  Mark Lam  <mark.lam@apple.com>
900
901         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
902         https://bugs.webkit.org/show_bug.cgi?id=191776
903         <rdar://problem/46152851>
904
905         Reviewed by Saam Barati.
906
907         * stress/big-wasm-memory-grow-no-max.js:
908         * stress/big-wasm-memory-grow.js:
909         * stress/big-wasm-memory.js:
910         - updated these to expect an OutOfMemoryError.
911
912         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
913         (Binary.prototype.emit_u8):
914         (Binary.prototype.emit_u32v):
915         (Binary.prototype.emit_header):
916         (Binary.prototype.emit_section):
917         (Binary):
918         (WasmModuleBuilder):
919         (WasmModuleBuilder.prototype.addMemory):
920         (WasmModuleBuilder.prototype.toArray):
921         (WasmModuleBuilder.prototype.toBuffer):
922         (WasmModuleBuilder.prototype.instantiate):
923         (catch):
924         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
925         (catch):
926
927 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
928
929         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
930         https://bugs.webkit.org/show_bug.cgi?id=190836
931
932         Reviewed by Saam Barati and Yusuke Suzuki.
933
934         * stress/big-int-out-of-memory-tests.js: Added.
935
936 2018-11-20  Mark Lam  <mark.lam@apple.com>
937
938         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
939         https://bugs.webkit.org/show_bug.cgi?id=191856
940         <rdar://problem/46089992>
941
942         Reviewed by Yusuke Suzuki.
943
944         * stress/regress-191856.js: Added.
945         - this test is skipped for now until we have a fix for webkit.org/b/191855.
946
947 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
948
949         Enable JIT on ARM/Linux
950         https://bugs.webkit.org/show_bug.cgi?id=191548
951
952         Reviewed by Yusuke Suzuki.
953
954         Disable test on system with limited memory. Program was killed by
955         the OS before the exception was thrown.
956
957         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
958
959 2018-11-20  Saam barati  <sbarati@apple.com>
960
961         Merging an IC variant may lead to the IC status containing overlapping structure sets
962         https://bugs.webkit.org/show_bug.cgi?id=191869
963         <rdar://problem/45403453>
964
965         Reviewed by Mark Lam.
966
967         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
968
969 2018-11-19  Mark Lam  <mark.lam@apple.com>
970
971         globalFuncImportModule() should return a promise when it clears exceptions.
972         https://bugs.webkit.org/show_bug.cgi?id=191792
973         <rdar://problem/46090763>
974
975         Reviewed by Michael Saboff.
976
977         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
978
979 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
980
981         Skip new memory-hungry tests on memory limited devices
982
983         Unreviewed gardening.
984
985         * stress/big-wasm-memory-grow-no-max.js:
986         * stress/big-wasm-memory-grow.js:
987         * stress/big-wasm-memory.js:
988
989 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
990
991         Unreviewed, rolling in the rest of r237254
992         https://bugs.webkit.org/show_bug.cgi?id=190340
993
994         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
995         * stress/function-cache-with-parameters-end-position.js: Added.
996         (shouldBe):
997         (shouldThrow):
998         (i.anonymous):
999         * stress/function-constructor-name.js: Added.
1000         (shouldBe):
1001         (GeneratorFunction):
1002         (AsyncFunction.async):
1003         (AsyncGeneratorFunction.async):
1004         (anonymous):
1005         (async.anonymous):
1006         * test262/expectations.yaml:
1007
1008 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1009
1010         All users of ArrayBuffer should agree on the same max size
1011         https://bugs.webkit.org/show_bug.cgi?id=191771
1012
1013         Reviewed by Mark Lam.
1014
1015         * stress/big-wasm-memory-grow-no-max.js: Added.
1016         (foo):
1017         (catch):
1018         * stress/big-wasm-memory-grow.js: Added.
1019         (foo):
1020         (catch):
1021         * stress/big-wasm-memory.js: Added.
1022         (foo):
1023         (catch):
1024
1025 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1026
1027         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1028         run for each JSC config since they're regression tests for runtime bugs.
1029
1030         * stress/json-stringified-overflow-2.js:
1031         * stress/json-stringified-overflow.js:
1032
1033 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1034
1035         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1036         config since they're regression tests for runtime bugs.
1037
1038         * stress/large-unshift-splice.js:
1039         * stress/regress-185888.js:
1040
1041 2018-11-16  Saam Barati  <sbarati@apple.com>
1042
1043         KnownCellUse should also have SpecCellCheck as its type filter
1044         https://bugs.webkit.org/show_bug.cgi?id=191729
1045         <rdar://problem/45872852>
1046
1047         Reviewed by Filip Pizlo.
1048
1049         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1050         (C):
1051
1052 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1053
1054         Fix assertion failure on BytecodeGenerator::recordOpcode
1055         https://bugs.webkit.org/show_bug.cgi?id=191724
1056         <rdar://problem/45724395>
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/regress-187373-2.js: Added.
1061         (foo):
1062
1063 2018-11-15  Mark Lam  <mark.lam@apple.com>
1064
1065         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1066         https://bugs.webkit.org/show_bug.cgi?id=191730
1067         <rdar://problem/46048517>
1068
1069         Reviewed by Saam Barati.
1070
1071         * stress/regress-187006.js: Removed.
1072           - this test is invalid because its sole purpose is to test for the non-spec
1073             compliant behavior that we just fixed.
1074
1075         * stress/regress-191730.js: Added.
1076
1077 2018-11-15  Mark Lam  <mark.lam@apple.com>
1078
1079         RegExp operations should not take fast patch if lastIndex is not numeric.
1080         https://bugs.webkit.org/show_bug.cgi?id=191731
1081         <rdar://problem/46017305>
1082
1083         Reviewed by Saam Barati.
1084
1085         * stress/regress-191731.js: Added.
1086
1087 2018-11-13  Saam Barati  <sbarati@apple.com>
1088
1089         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1090         https://bugs.webkit.org/show_bug.cgi?id=191600
1091
1092         Reviewed by Mark Lam.
1093
1094         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1095         (foo):
1096         (test):
1097         (bar):
1098
1099 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1100
1101         Unreviewed, rolling out r238132.
1102
1103         The test added with this change is timing out on Debug JSC
1104         bots.
1105
1106         Reverted changeset:
1107
1108         "[BigInt] JSBigInt::createWithLength should throw when length
1109         is greater than JSBigInt::maxLength"
1110         https://bugs.webkit.org/show_bug.cgi?id=190836
1111         https://trac.webkit.org/changeset/238132
1112
1113 2018-11-13  Mark Lam  <mark.lam@apple.com>
1114
1115         Add OOM detection to StringPrototype's substituteBackreferences().
1116         https://bugs.webkit.org/show_bug.cgi?id=191563
1117         <rdar://problem/45720428>
1118
1119         Reviewed by Saam Barati.
1120
1121         * stress/regress-191563.js: Added.
1122
1123 2018-11-13  Mark Lam  <mark.lam@apple.com>
1124
1125         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1126         https://bugs.webkit.org/show_bug.cgi?id=191579
1127         <rdar://problem/45942472>
1128
1129         Reviewed by Saam Barati.
1130
1131         * stress/regress-191579.js: Added.
1132
1133 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1134
1135         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1136         https://bugs.webkit.org/show_bug.cgi?id=190836
1137
1138         Reviewed by Saam Barati.
1139
1140         * stress/big-int-out-of-memory-tests.js: Added.
1141
1142 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1143
1144         U+180E is no longer a whitespace character
1145         https://bugs.webkit.org/show_bug.cgi?id=191415
1146
1147         Reviewed by Saam Barati.
1148
1149         * ChakraCore/test/es5/regexSpace.baseline:
1150         * ChakraCore/test/es6/unicode_whitespace.js:
1151         Update tests to latest version.
1152         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1153
1154         * test262.yaml:
1155         * test262/config.yaml:
1156         * test262/expectations.yaml:
1157         Update expectations.
1158
1159 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1160
1161         [BigInt] Add support to BigInt into ValueAdd
1162         https://bugs.webkit.org/show_bug.cgi?id=186177
1163
1164         Reviewed by Keith Miller.
1165
1166         * stress/big-int-negate-jit.js:
1167         * stress/value-add-big-int-and-string.js: Added.
1168         * stress/value-add-big-int-prediction-propagation.js: Added.
1169         * stress/value-add-big-int-untyped.js: Added.
1170
1171 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1172
1173         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1174         https://bugs.webkit.org/show_bug.cgi?id=191184
1175
1176         Reviewed by Saam Barati.
1177
1178         Most tests were failing due to timeouts, since they are too slow to
1179         run on CLoop. The exceptions are:
1180
1181         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1182         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1183         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1184         to change the stack size since CLoop requires it to be page aligned.
1185
1186         * microbenchmarks/array-push-1.js:
1187         * microbenchmarks/array-push-2.js:
1188         * microbenchmarks/elidable-new-object-dag.js:
1189         * microbenchmarks/elidable-new-object-roflcopter.js:
1190         * microbenchmarks/elidable-new-object-tree.js:
1191         * microbenchmarks/getter-richards.js:
1192         * microbenchmarks/sinkable-new-object-dag.js:
1193         * microbenchmarks/string-concat-long-convert.js:
1194         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1195         * slowMicrobenchmarks/array-push-3.js:
1196         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1197         * slowMicrobenchmarks/spread-small-array.js:
1198         * slowMicrobenchmarks/undefined-property-access.js:
1199         * stress/activation-sink-default-value-tdz-error.js:
1200         * stress/activation-sink-default-value.js:
1201         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1202         * stress/activation-sink-osrexit-default-value.js:
1203         * stress/activation-sink-osrexit.js:
1204         * stress/activation-sink.js:
1205         * stress/allow-math-ic-b3-code-duplication.js:
1206         * stress/array-push-multiple-int32.js:
1207         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1208         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1209         * stress/arrowfunction-lexical-this-activation-sink.js:
1210         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1211         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1212         * stress/elide-new-object-dag-then-exit.js:
1213         * stress/materialize-regexp-cyclic.js:
1214         * stress/new-regex-inline.js:
1215         * stress/op_add.js:
1216         * stress/op_bitand.js:
1217         * stress/op_bitor.js:
1218         * stress/op_bitxor.js:
1219         * stress/op_div-ConstVar.js:
1220         * stress/op_div-VarConst.js:
1221         * stress/op_div-VarVar.js:
1222         * stress/op_lshift-ConstVar.js:
1223         * stress/op_lshift-VarConst.js:
1224         * stress/op_lshift-VarVar.js:
1225         * stress/op_mod-ConstVar.js:
1226         * stress/op_mod-VarConst.js:
1227         * stress/op_mod-VarVar.js:
1228         * stress/op_mul-ConstVar.js:
1229         * stress/op_mul-VarConst.js:
1230         * stress/op_mul-VarVar.js:
1231         * stress/op_rshift-ConstVar.js:
1232         * stress/op_rshift-VarConst.js:
1233         * stress/op_rshift-VarVar.js:
1234         * stress/op_sub-ConstVar.js:
1235         * stress/op_sub-VarConst.js:
1236         * stress/op_sub-VarVar.js:
1237         * stress/op_urshift-ConstVar.js:
1238         * stress/op_urshift-VarConst.js:
1239         * stress/op_urshift-VarVar.js:
1240         * stress/proxy-get-set-correct-receiver.js:
1241         * stress/regress-179562.js:
1242         * stress/rest-parameter-many-arguments.js:
1243         * stress/sampling-profiler-richards.js:
1244         * stress/splay-flash-access-1ms.js:
1245         * stress/tailCallForwardArguments.js:
1246         * stress/typed-array-get-by-val-profiling.js:
1247         * typeProfiler/getter-richards.js:
1248
1249 2018-11-06  Michael Saboff  <msaboff@apple.com>
1250
1251         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1252         https://bugs.webkit.org/show_bug.cgi?id=191271
1253
1254         Reviewed by Saam Barati.
1255
1256         Added more test cases and made all test cases run with the same deeply recursive stack
1257         instead of finding that same point for each test case.
1258
1259         * stress/regexp-compile-oom.js:
1260         (prototype.runTest):
1261         (recurseAndTest):
1262         (testList.push.new.TestAndExpectedException):
1263
1264 2018-11-05  Michael Saboff  <msaboff@apple.com>
1265
1266         Unreviewed build fix for linux.
1267
1268         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1269
1270 2018-11-02  Michael Saboff  <msaboff@apple.com>
1271
1272         Rolling in r237753 with unreviewed build fix.
1273
1274         Fixed issues with DECLARE_THROW_SCOPE placement.
1275
1276 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1277
1278         Unreviewed, rolling out r237753.
1279
1280         Introduced JSC test failures
1281
1282         Reverted changeset:
1283
1284         "Running out of stack space not properly handled in
1285         RegExp::compile() and its callers"
1286         https://bugs.webkit.org/show_bug.cgi?id=191206
1287         https://trac.webkit.org/changeset/237753
1288
1289 2018-11-02  Michael Saboff  <msaboff@apple.com>
1290
1291         Running out of stack space not properly handled in RegExp::compile() and its callers
1292         https://bugs.webkit.org/show_bug.cgi?id=191206
1293
1294         Reviewed by Filip Pizlo.
1295
1296         New regression test.
1297
1298         * stress/regexp-compile-oom.js: Added.
1299         (recurseAndTest):
1300
1301 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1302
1303         Skip tests on arm/mips that time out now we're running on CLoop
1304
1305         Unreviewed gardening.
1306
1307         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1308         time out on the bots and need to be disabled. There's more tests
1309         disabled on arm because the timeout is longer on the mips bot (as the
1310         device is slower to start with), so many of the tests don't time out
1311         there.
1312
1313         * microbenchmarks/getter-richards.js: disable on arm and mips.
1314         * stress/op_add.js: disable on arm.
1315         * stress/op_bitand.js: disable on arm.
1316         * stress/op_bitor.js: disable on arm.
1317         * stress/op_bitxor.js: disable on arm.
1318         * stress/op_lshift-ConstVar.js: disable on arm.
1319         * stress/op_lshift-VarConst.js: disable on arm.
1320         * stress/op_lshift-VarVar.js: disable on arm.
1321         * stress/op_mod-ConstVar.js: disable on arm.
1322         * stress/op_mod-VarConst.js: disable on arm.
1323         * stress/op_mod-VarVar.js: disable on arm.
1324         * stress/op_mul-ConstVar.js: disable on arm.
1325         * stress/op_mul-VarConst.js: disable on arm.
1326         * stress/op_mul-VarVar.js: disable on arm.
1327         * stress/op_rshift-ConstVar.js: disable on arm.
1328         * stress/op_rshift-VarConst.js: disable on arm.
1329         * stress/op_rshift-VarVar.js: disable on arm.
1330         * stress/op_sub-ConstVar.js: disable on arm.
1331         * stress/op_sub-VarConst.js: disable on arm.
1332         * stress/op_sub-VarVar.js: disable on arm.
1333         * stress/op_urshift-ConstVar.js: disable on arm.
1334         * stress/op_urshift-VarConst.js: disable on arm.
1335         * stress/op_urshift-VarVar.js: disable on arm.
1336         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1337         * stress/value-to-boolean.js: disable on arm and mips.
1338
1339 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1340
1341         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1342         https://bugs.webkit.org/show_bug.cgi?id=191108
1343         <rdar://problem/45690700>
1344
1345         Reviewed by Saam Barati.
1346
1347         * stress/wide-op_catch.js: Added.
1348         (catch):
1349
1350 2018-10-29  Mark Lam  <mark.lam@apple.com>
1351
1352         Correctly detect string overflow when using the 'Function' constructor.
1353         https://bugs.webkit.org/show_bug.cgi?id=184883
1354         <rdar://problem/36320331>
1355
1356         Reviewed by Saam Barati.
1357
1358         I've verified that this passes on 32-bit as well.
1359
1360         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1361
1362 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1363
1364         Add support for GetStack FlushedDouble
1365         https://bugs.webkit.org/show_bug.cgi?id=191012
1366         <rdar://problem/45265141>
1367
1368         Reviewed by Saam Barati.
1369
1370         * stress/get-stack-double.js: Added.
1371         (bar):
1372         (noInline):
1373
1374 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1375
1376         New bytecode format for JSC
1377         https://bugs.webkit.org/show_bug.cgi?id=187373
1378         <rdar://problem/44186758>
1379
1380         Reviewed by Filip Pizlo.
1381
1382         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1383
1384         * stress/maximum-inline-capacity.js: Added.
1385         (test1):
1386         (test3.Foo):
1387         (test3):
1388
1389 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1390
1391         Unreviewed, rolling out r237479 and r237484.
1392         https://bugs.webkit.org/show_bug.cgi?id=190978
1393
1394         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1395
1396         Reverted changesets:
1397
1398         "New bytecode format for JSC"
1399         https://bugs.webkit.org/show_bug.cgi?id=187373
1400         https://trac.webkit.org/changeset/237479
1401
1402         "Gardening: Build fix after r237479."
1403         https://bugs.webkit.org/show_bug.cgi?id=187373
1404         https://trac.webkit.org/changeset/237484
1405
1406 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1407
1408         New bytecode format for JSC
1409         https://bugs.webkit.org/show_bug.cgi?id=187373
1410         <rdar://problem/44186758>
1411
1412         Reviewed by Filip Pizlo.
1413
1414         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1415
1416         * stress/maximum-inline-capacity.js: Added.
1417         (test1):
1418         (test3.Foo):
1419         (test3):
1420
1421 2018-10-26  Mark Lam  <mark.lam@apple.com>
1422
1423         Fix missing edge cases with JSGlobalObjects having a bad time.
1424         https://bugs.webkit.org/show_bug.cgi?id=189028
1425         <rdar://problem/45204939>
1426
1427         Reviewed by Saam Barati.
1428
1429         * stress/regress-189028.js: Added.
1430
1431 2018-10-22  Mark Lam  <mark.lam@apple.com>
1432
1433         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1434         https://bugs.webkit.org/show_bug.cgi?id=190515
1435         <rdar://problem/45222379>
1436
1437         Rubber-stamped by Saam Barati.
1438
1439         Adding another test.
1440
1441         * stress/regress-190515-2.js: Added.
1442
1443 2018-10-22  Mark Lam  <mark.lam@apple.com>
1444
1445         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1446         https://bugs.webkit.org/show_bug.cgi?id=190515
1447         <rdar://problem/45222379>
1448
1449         Reviewed by Saam Barati.
1450
1451         * stress/regress-190515.js: Added.
1452
1453 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1454
1455         Unreviewed, rolling out r237254.
1456         https://bugs.webkit.org/show_bug.cgi?id=190760
1457
1458         "It regresses JetStream 2 by 5% on some iOS devices"
1459         (Requested by saamyjoon on #webkit).
1460
1461         Reverted changeset:
1462
1463         "[JSC] JSC should have "parseFunction" to optimize Function
1464         constructor"
1465         https://bugs.webkit.org/show_bug.cgi?id=190340
1466         https://trac.webkit.org/changeset/237254
1467
1468 2018-10-19  Saam Barati  <sbarati@apple.com>
1469
1470         vmCall should check if we exit before emitting an OSR exit due to exceptions
1471         https://bugs.webkit.org/show_bug.cgi?id=190740
1472         <rdar://problem/45220139>
1473
1474         Reviewed by Mark Lam.
1475
1476         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1477         (foo):
1478
1479 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1480
1481         [ESNext][BigInt] Implement support for "^"
1482         https://bugs.webkit.org/show_bug.cgi?id=186235
1483
1484         Reviewed by Yusuke Suzuki.
1485
1486         * stress/big-int-bitwise-xor-general.js: Added.
1487         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1488         * stress/big-int-bitwise-xor-type-error.js: Added.
1489         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1490
1491 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1492
1493         [BigInt] Add ValueSub into DFG
1494         https://bugs.webkit.org/show_bug.cgi?id=186176
1495
1496         Reviewed by Yusuke Suzuki.
1497
1498         * stress/big-int-subtraction-jit.js:
1499         * stress/value-sub-big-int-prediction-propagation.js: Added.
1500         * stress/value-sub-big-int-untyped.js: Added.
1501         * stress/value-sub-spec-none-case.js: Added.
1502
1503 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1504
1505         [JSC] JSC should have "parseFunction" to optimize Function constructor
1506         https://bugs.webkit.org/show_bug.cgi?id=190340
1507
1508         Reviewed by Mark Lam.
1509
1510         This patch fixes the line number of syntax errors raised by the Function constructor,
1511         since we now parse the final code only once. And we no longer use block statement
1512         for Function constructor's parsing.
1513
1514         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1515         * stress/function-cache-with-parameters-end-position.js: Added.
1516         (shouldBe):
1517         (shouldThrow):
1518         (i.anonymous):
1519         * stress/function-constructor-name.js: Added.
1520         (shouldBe):
1521         (GeneratorFunction):
1522         (AsyncFunction.async):
1523         (AsyncGeneratorFunction.async):
1524         (anonymous):
1525         (async.anonymous):
1526         * test262/expectations.yaml:
1527
1528 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1529
1530         Unreviewed, rolling out r237242.
1531         https://bugs.webkit.org/show_bug.cgi?id=190701
1532
1533         it breaks "stress/sampling-profiler-basic.js" (Requested by
1534         caiolima on #webkit).
1535
1536         Reverted changeset:
1537
1538         "[BigInt] Add ValueSub into DFG"
1539         https://bugs.webkit.org/show_bug.cgi?id=186176
1540         https://trac.webkit.org/changeset/237242
1541
1542 2018-10-17  Keith Miller  <keith_miller@apple.com>
1543
1544         AI does not clear Phantom allocation nodes.
1545         https://bugs.webkit.org/show_bug.cgi?id=190694
1546
1547         Reviewed by Saam Barati.
1548
1549         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1550         (Day):
1551         (DaysInYear):
1552         (TimeInYear):
1553         (TimeFromYear):
1554         (DayFromYear):
1555         (InLeapYear):
1556         (YearFromTime):
1557         (WeekDay):
1558         (DaylightSavingTA):
1559         (GetSecondSundayInMarch):
1560         (TimeInMonth):
1561
1562 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1563
1564         [BigInt] Add ValueSub into DFG
1565         https://bugs.webkit.org/show_bug.cgi?id=186176
1566
1567         Reviewed by Yusuke Suzuki.
1568
1569         * stress/big-int-subtraction-jit.js:
1570         * stress/value-sub-big-int-prediction-propagation.js: Added.
1571         * stress/value-sub-big-int-untyped.js: Added.
1572
1573 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1574
1575         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1576         https://bugs.webkit.org/show_bug.cgi?id=190611
1577
1578         Reviewed by Saam Barati.
1579
1580         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1581         to improve test runtime. On ARM/MIPS this test even timed out when running all
1582         tests.
1583
1584         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1585         (test):
1586
1587 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1588
1589         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1590
1591         Unreviewed gardening.
1592
1593         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1594
1595 2018-10-15  Saam barati  <sbarati@apple.com>
1596
1597         Emit fjcvtzs on ARM64E on Darwin
1598         https://bugs.webkit.org/show_bug.cgi?id=184023
1599
1600         Reviewed by Yusuke Suzuki and Filip Pizlo.
1601
1602         * stress/double-to-int32-NaN.js: Added.
1603         (assert):
1604         (foo):
1605
1606 2018-10-15  Saam Barati  <sbarati@apple.com>
1607
1608         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1609         https://bugs.webkit.org/show_bug.cgi?id=190262
1610         <rdar://problem/44986241>
1611
1612         Reviewed by Mark Lam.
1613
1614         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1615         (test):
1616         * stress/slice-array-storage-with-holes.js: Added.
1617         (main):
1618
1619 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1620
1621         Unreviewed, rolling out r237054.
1622         https://bugs.webkit.org/show_bug.cgi?id=190593
1623
1624         "this regressed JetStream 2 by 6% on iOS" (Requested by
1625         saamyjoon on #webkit).
1626
1627         Reverted changeset:
1628
1629         "[JSC] JSC should have "parseFunction" to optimize Function
1630         constructor"
1631         https://bugs.webkit.org/show_bug.cgi?id=190340
1632         https://trac.webkit.org/changeset/237054
1633
1634 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1635
1636         [JSC] JSON.stringify can accept call-with-no-arguments
1637         https://bugs.webkit.org/show_bug.cgi?id=190343
1638
1639         Reviewed by Mark Lam.
1640
1641         * stress/json-stringify-no-arguments.js: Added.
1642         (shouldBe):
1643
1644 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1645
1646         [JSC] JSC should have "parseFunction" to optimize Function constructor
1647         https://bugs.webkit.org/show_bug.cgi?id=190340
1648
1649         Reviewed by Mark Lam.
1650
1651         This patch fixes the line number of syntax errors raised by the Function constructor,
1652         since we now parse the final code only once. And we no longer use block statement
1653         for Function constructor's parsing.
1654
1655         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1656         * stress/function-cache-with-parameters-end-position.js: Added.
1657         (shouldBe):
1658         (shouldThrow):
1659         (i.anonymous):
1660         * stress/function-constructor-name.js: Added.
1661         (shouldBe):
1662         (GeneratorFunction):
1663         (AsyncFunction.async):
1664         (AsyncGeneratorFunction.async):
1665         (anonymous):
1666         (async.anonymous):
1667         * test262/expectations.yaml:
1668
1669 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1670
1671         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1672         https://bugs.webkit.org/show_bug.cgi?id=190426
1673
1674         Unreviewed gardening.
1675
1676         * stress/sampling-profiler-richards.js:
1677
1678 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1679
1680         [ESNext][BigInt] Implement support for "|"
1681         https://bugs.webkit.org/show_bug.cgi?id=186229
1682
1683         Reviewed by Yusuke Suzuki.
1684
1685         * stress/big-int-bitwise-and-jit.js:
1686         * stress/big-int-bitwise-or-general.js: Added.
1687         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1688         * stress/big-int-bitwise-or-jit.js: Added.
1689         * stress/big-int-bitwise-or-memory-stress.js: Added.
1690         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1691         * stress/big-int-bitwise-or-type-error.js: Added.
1692         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1693
1694 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1695
1696         Skip test on systems with limited memory
1697         https://bugs.webkit.org/show_bug.cgi?id=190310
1698
1699         Invoking runDefault adds test to runlist, skipping the test in the next
1700         line does not prevent the test from executing. Change order of lines such
1701         that runDefault is only executed if test is not executed.
1702
1703         Reviewed by Mark Lam.
1704
1705         * stress/regress-190187.js:
1706
1707 2018-10-03  Saam barati  <sbarati@apple.com>
1708
1709         lowXYZ in FTLLower should always filter the type of the incoming edge
1710         https://bugs.webkit.org/show_bug.cgi?id=189939
1711         <rdar://problem/44407030>
1712
1713         Reviewed by Michael Saboff.
1714
1715         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1716         (foo):
1717         (test):
1718
1719 2018-10-03  Mark Lam  <mark.lam@apple.com>
1720
1721         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1722         https://bugs.webkit.org/show_bug.cgi?id=190187
1723         <rdar://problem/42512909>
1724
1725         Reviewed by Michael Saboff.
1726
1727         * stress/regress-190187.js: Added.
1728
1729 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1730
1731         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1732         https://bugs.webkit.org/show_bug.cgi?id=190033
1733
1734         Reviewed by Yusuke Suzuki.
1735
1736         * stress/big-int-to-string.js:
1737
1738 2018-10-01  Mark Lam  <mark.lam@apple.com>
1739
1740         Function.toString() should also copy the source code Functions that are class definitions.
1741         https://bugs.webkit.org/show_bug.cgi?id=190186
1742         <rdar://problem/44733360>
1743
1744         Reviewed by Saam Barati.
1745
1746         * stress/regress-190186.js: Added.
1747
1748 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1749
1750         Split NaN-check into separate test
1751         https://bugs.webkit.org/show_bug.cgi?id=190010
1752
1753         Reviewed by Saam Barati.
1754
1755         DataView exposes NaN-representation, which is not necessarily the same on each
1756         architecture. Therefore move the check of the NaN-representation into its own
1757         file such that we can disable this test on MIPS where NaN-representation can be
1758         different on older CPUs.
1759
1760         * stress/dataview-jit-set-nan.js: Added.
1761         (assert):
1762         (test.storeLittleEndian):
1763         (test.storeBigEndian):
1764         (test.store):
1765         (test):
1766         * stress/dataview-jit-set.js:
1767         (test5):
1768
1769 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1770
1771         Unreviewed, rolling out r236647.
1772         https://bugs.webkit.org/show_bug.cgi?id=190124
1773
1774         Breaking test stress/big-int-to-string.js (Requested by
1775         caiolima_ on #webkit).
1776
1777         Reverted changeset:
1778
1779         "[BigInt] BigInt.proptotype.toString is broken when radix is
1780         power of 2"
1781         https://bugs.webkit.org/show_bug.cgi?id=190033
1782         https://trac.webkit.org/changeset/236647
1783
1784 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1785
1786         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1787         https://bugs.webkit.org/show_bug.cgi?id=190033
1788
1789         Reviewed by Yusuke Suzuki.
1790
1791         * stress/big-int-to-string.js:
1792
1793 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1794
1795         [ESNext][BigInt] Implement support for "&"
1796         https://bugs.webkit.org/show_bug.cgi?id=186228
1797
1798         Reviewed by Yusuke Suzuki.
1799
1800         * stress/big-int-bitwise-and-general.js: Added.
1801         (assert):
1802         (assert.sameValue):
1803         * stress/big-int-bitwise-and-jit.js: Added.
1804         (let.assert.sameValue):
1805         (bigIntBitAnd):
1806         * stress/big-int-bitwise-and-memory-stress.js: Added.
1807         (assert):
1808         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1809         (assert.sameValue):
1810         (let.o.Symbol.toPrimitive):
1811         (catch):
1812         * stress/big-int-bitwise-and-type-error.js: Added.
1813         (assert):
1814         (assertThrowTypeError):
1815         (let.o.valueOf):
1816         (o.valueOf):
1817         (o.toString):
1818         (o.Symbol.toPrimitive):
1819         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1820         (assert.sameValue):
1821         (testBitAnd):
1822         (let.o.Symbol.toPrimitive):
1823         (o.valueOf):
1824         (o.toString):
1825
1826 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1827
1828         JSC test stress/jsc-read.js doesn't support CRLF
1829         https://bugs.webkit.org/show_bug.cgi?id=190063
1830
1831         Reviewed by Yusuke Suzuki.
1832
1833         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1834
1835         * stress/jsc-read.js:
1836         (test):
1837
1838 2018-09-27  Saam barati  <sbarati@apple.com>
1839
1840         Verify the contents of AssemblerBuffer on arm64e
1841         https://bugs.webkit.org/show_bug.cgi?id=190057
1842         <rdar://problem/38916630>
1843
1844         Reviewed by Mark Lam.
1845
1846         * stress/regress-189132.js:
1847
1848 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1849
1850         Disable test without LLInt on ARMv7
1851         https://bugs.webkit.org/show_bug.cgi?id=190037
1852
1853         Reviewed by Mark Lam.
1854
1855         Test runs out of executable memory on ARMv7, do not run
1856         this test without LLInt enabled.
1857
1858         * stress/regress-169445.js:
1859
1860 2018-09-26  Keith Miller  <keith_miller@apple.com>
1861
1862         We should zero unused property storage when rebalancing array storage.
1863         https://bugs.webkit.org/show_bug.cgi?id=188151
1864
1865         Reviewed by Michael Saboff.
1866
1867         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1868
1869 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1870
1871         [JSC] Optimize Array#lastIndexOf
1872         https://bugs.webkit.org/show_bug.cgi?id=189780
1873
1874         Reviewed by Saam Barati.
1875
1876         * stress/array-lastindexof-array-prototype-trap.js: Added.
1877         (shouldBe):
1878         (AncestorArray.prototype.get 2):
1879         (AncestorArray):
1880         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1881         (shouldBe):
1882         * stress/array-lastindexof-hole-nan.js: Added.
1883         (shouldBe):
1884         (throw.new.Error):
1885         * stress/array-lastindexof-infinity.js: Added.
1886         (shouldBe):
1887         (throw.new.Error):
1888         * stress/array-lastindexof-negative-zero.js: Added.
1889         (shouldBe):
1890         (throw.new.Error):
1891         * stress/array-lastindexof-own-getter.js: Added.
1892         (shouldBe):
1893         (throw.new.Error.get array):
1894         (get array):
1895         * stress/array-lastindexof-prototype-trap.js: Added.
1896         (shouldBe):
1897         (DerivedArray.prototype.get 2):
1898         (DerivedArray):
1899
1900 2018-09-25  Saam Barati  <sbarati@apple.com>
1901
1902         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1903         https://bugs.webkit.org/show_bug.cgi?id=189940
1904         <rdar://problem/43640987>
1905
1906         Reviewed by Mark Lam.
1907
1908         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1909
1910 2018-09-24  Saam Barati  <sbarati@apple.com>
1911
1912         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1913         https://bugs.webkit.org/show_bug.cgi?id=189922
1914         <rdar://problem/44651275>
1915
1916         Reviewed by Mark Lam.
1917
1918         * stress/array-indexof-fast-path-effects.js: Added.
1919         * stress/array-indexof-cached-length.js: Added.
1920
1921 2018-09-24  Saam barati  <sbarati@apple.com>
1922
1923         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1924         https://bugs.webkit.org/show_bug.cgi?id=189682
1925         <rdar://problem/43557315>
1926
1927         Reviewed by Mark Lam.
1928
1929         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1930         (foo):
1931
1932 2018-09-22  Saam barati  <sbarati@apple.com>
1933
1934         The sampling should not use Strong<CodeBlock> in its machineLocation field
1935         https://bugs.webkit.org/show_bug.cgi?id=189319
1936
1937         Reviewed by Filip Pizlo.
1938
1939         * stress/sampling-profiler-richards.js: Added.
1940
1941 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1942
1943         [JSC] Optimize Array#indexOf in C++ runtime
1944         https://bugs.webkit.org/show_bug.cgi?id=189507
1945
1946         Reviewed by Saam Barati.
1947
1948         * stress/array-indexof-array-prototype-trap.js: Added.
1949         (shouldBe):
1950         (AncestorArray.prototype.get 2):
1951         (AncestorArray):
1952         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1953         (shouldBe):
1954         * stress/array-indexof-hole-nan.js: Added.
1955         (shouldBe):
1956         (throw.new.Error):
1957         * stress/array-indexof-infinity.js: Added.
1958         (shouldBe):
1959         (throw.new.Error):
1960         * stress/array-indexof-negative-zero.js: Added.
1961         (shouldBe):
1962         (throw.new.Error):
1963         * stress/array-indexof-own-getter.js: Added.
1964         (shouldBe):
1965         (throw.new.Error.get array):
1966         (get array):
1967         * stress/array-indexof-prototype-trap.js: Added.
1968         (shouldBe):
1969         (DerivedArray.prototype.get 2):
1970         (DerivedArray):
1971
1972 2018-09-19  Saam barati  <sbarati@apple.com>
1973
1974         AI rule for MultiPutByOffset executes its effects in the wrong order
1975         https://bugs.webkit.org/show_bug.cgi?id=189757
1976         <rdar://problem/43535257>
1977
1978         Reviewed by Michael Saboff.
1979
1980         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1981         (foo):
1982         (Foo):
1983         (g):
1984
1985 2018-09-17  Mark Lam  <mark.lam@apple.com>
1986
1987         Ensure that ForInContexts are invalidated if their loop local is over-written.
1988         https://bugs.webkit.org/show_bug.cgi?id=189571
1989         <rdar://problem/44402277>
1990
1991         Reviewed by Saam Barati.
1992
1993         * stress/regress-189571.js: Added.
1994
1995 2018-09-17  Saam barati  <sbarati@apple.com>
1996
1997         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1998         https://bugs.webkit.org/show_bug.cgi?id=189676
1999         <rdar://problem/39682897>
2000
2001         Reviewed by Michael Saboff.
2002
2003         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2004         (A):
2005         (K):
2006         (i.catch):
2007
2008 2018-09-14  Saam barati  <sbarati@apple.com>
2009
2010         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2011         https://bugs.webkit.org/show_bug.cgi?id=189628
2012         <rdar://problem/39481690>
2013
2014         Reviewed by Mark Lam.
2015
2016         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2017         (foo):
2018
2019 2018-09-11  Mark Lam  <mark.lam@apple.com>
2020
2021         Test for array initialization in arrayProtoFuncSplice.
2022         https://bugs.webkit.org/show_bug.cgi?id=170253
2023         <rdar://problem/31328773>
2024
2025         Rubber-stamped by Saam Barati.
2026
2027         * stress/regress-170253.js: Added.
2028
2029 2018-09-11  Mark Lam  <mark.lam@apple.com>
2030
2031         Test for IntlObject initialization.
2032         https://bugs.webkit.org/show_bug.cgi?id=170251
2033         <rdar://problem/31328419>
2034
2035         Rubber-stamped by Saam Barati.
2036
2037         * stress/regress-170251.js: Added.
2038
2039 2018-09-11  Mark Lam  <mark.lam@apple.com>
2040
2041         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2042         https://bugs.webkit.org/show_bug.cgi?id=169889
2043         <rdar://problem/31155607>
2044
2045         Reviewed by Saam Barati.
2046
2047         * stress/regress-169889-array-concat.js: Added.
2048         * stress/regress-169889-array-concat1.js: Added.
2049         * stress/regress-169889-array-slice.js: Added.
2050
2051 2018-09-11  Mark Lam  <mark.lam@apple.com>
2052
2053         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2054         https://bugs.webkit.org/show_bug.cgi?id=169445
2055         <rdar://problem/30957435>
2056
2057         Reviewed by Saam Barati.
2058
2059         * stress/regress-169445.js: Added.
2060         (let.gun.eval.A):
2061         (let.gun.eval.B.C):
2062         (let.gun.eval.B.C.prototype.trigger):
2063         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2064         (let.gun.eval.B):
2065         (let.gun.eval):
2066
2067 == Rolled over to ChangeLog-2018-09-11 ==