Test times out on ARM/MIPS
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         Test times out on ARM/MIPS
4         https://bugs.webkit.org/show_bug.cgi?id=195168
5
6         Unreviewed. Skip test on ARM/MIPS.
7
8         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
9
10 2019-02-27  Mark Lam  <mark.lam@apple.com>
11
12         The parser is failing to record the token location of new in new.target.
13         https://bugs.webkit.org/show_bug.cgi?id=195127
14         <rdar://problem/39645578>
15
16         Reviewed by Yusuke Suzuki.
17
18         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
19
20 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
21
22         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
23         https://bugs.webkit.org/show_bug.cgi?id=195144
24         <rdar://problem/47595961>
25
26         Reviewed by Mark Lam.
27
28         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
29         (bar):
30         (foo):
31         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
32         (bar):
33         (foo):
34
35 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
36
37         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
38         https://bugs.webkit.org/show_bug.cgi?id=194677
39         <rdar://problem/48112492>
40
41         Reviewed by Mark Lam.
42
43         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
44         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
45         it immediately fails due the large size.
46
47         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
48         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
49         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
50         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
51
52         This patch changes the test to produce 16bit string from String.fromCharCode.
53
54         * stress/regress-178386.js:
55
56 2019-02-26  Mark Lam  <mark.lam@apple.com>
57
58         wasmToJS() should purify incoming NaNs.
59         https://bugs.webkit.org/show_bug.cgi?id=194807
60         <rdar://problem/48189132>
61
62         Reviewed by Saam Barati.
63
64         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
65
66 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
67
68         [JSC] Repeat string created from Array.prototype.join() take too much memory
69         https://bugs.webkit.org/show_bug.cgi?id=193912
70
71         Reviewed by Saam Barati.
72
73         Added a test and a microbenchmark for corner cases of
74         Array.prototype.join() with an uninitialized array.
75
76         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
77         * stress/array-prototype-join-uninitialized.js: Added.
78         (testArray):
79         (testABC):
80         (B):
81         (C):
82
83 2019-02-22  Robin Morisset  <rmorisset@apple.com>
84
85         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
86         https://bugs.webkit.org/show_bug.cgi?id=194953
87         <rdar://problem/47595253>
88
89         Reviewed by Saam Barati.
90
91         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
92
93         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
94
95 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
96
97         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
98         https://bugs.webkit.org/show_bug.cgi?id=172848
99         <rdar://problem/25709212>
100
101         Reviewed by Mark Lam.
102
103         * typeProfiler/inheritance.js:
104         Rewrite the test slightly for clarity. The hoisting was confusing.
105
106         * heapProfiler/class-names.js: Added.
107         (MyES5Class):
108         (MyES6Class):
109         (MyES6Subclass):
110         Test object types and improved class names.
111
112         * heapProfiler/driver/driver.js:
113         (CheapHeapSnapshotNode):
114         (CheapHeapSnapshot):
115         (createCheapHeapSnapshot):
116         (HeapSnapshot):
117         (createHeapSnapshot):
118         Update snapshot parsing from version 1 to version 2.
119
120 2019-02-19  Truitt Savell  <tsavell@apple.com>
121
122         Unreviewed, rolling out r241784.
123
124         Broke all OpenSource builds.
125
126         Reverted changeset:
127
128         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
129         instances view"
130         https://bugs.webkit.org/show_bug.cgi?id=172848
131         https://trac.webkit.org/changeset/241784
132
133 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
134
135         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
136         https://bugs.webkit.org/show_bug.cgi?id=172848
137         <rdar://problem/25709212>
138
139         Reviewed by Mark Lam.
140
141         * typeProfiler/inheritance.js:
142         Rewrite the test slightly for clarity. The hoisting was confusing.
143
144         * heapProfiler/class-names.js: Added.
145         (MyES5Class):
146         (MyES6Class):
147         (MyES6Subclass):
148         Test object types and improved class names.
149
150         * heapProfiler/driver/driver.js:
151         (CheapHeapSnapshotNode):
152         (CheapHeapSnapshot):
153         (createCheapHeapSnapshot):
154         (HeapSnapshot):
155         (createHeapSnapshot):
156         Update snapshot parsing from version 1 to version 2.
157
158 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
159
160         [ARM] Fix crash with sampling profiler
161         https://bugs.webkit.org/show_bug.cgi?id=194772
162
163         Reviewed by Mark Lam.
164
165         Do not skip test since crash with sampling profiler is now fixed.
166
167         * stress/sampling-profiler-richards.js:
168
169 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
170
171         [JSC] Add LazyClassStructure::getInitializedOnMainThread
172         https://bugs.webkit.org/show_bug.cgi?id=194784
173         <rdar://problem/48154820>
174
175         Reviewed by Mark Lam.
176
177         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
178         (getProperties):
179         (getRandomProperty):
180         (i.catch):
181
182 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
183
184         [ARM] Test gardening: Test running out of executable memory
185         https://bugs.webkit.org/show_bug.cgi?id=194771
186
187         Unreviewed. Do not run test without LLInt, test is running out of executable
188         memory on ARM otherwise.
189
190         * stress/tagged-template-object-collect.js:
191
192 2019-02-18  Tomas Popela  <tpopela@redhat.com>
193
194         Unreviewed, skip the test on platforms without sampling profiler
195
196         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
197         (platformSupportsSamplingProfiler.foo):
198         (platformSupportsSamplingProfiler.test):
199         (platformSupportsSamplingProfiler):
200         (foo): Deleted.
201         (test): Deleted.
202
203 2019-02-17  Saam Barati  <sbarati@apple.com>
204
205         Deadlock when adding a Structure property transition and then doing incremental marking
206         https://bugs.webkit.org/show_bug.cgi?id=194767
207
208         Reviewed by Mark Lam.
209
210         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
211
212 2019-02-15  Michael Saboff  <msaboff@apple.com>
213
214         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
215         https://bugs.webkit.org/show_bug.cgi?id=194558
216
217         Reviewed by Saam Barati.
218
219         New regression test.
220
221         * stress/regexp-unicode-within-string.js: Added.
222
223 2019-02-15  Mark Lam  <mark.lam@apple.com>
224
225         SamplingProfiler::stackTracesAsJSON() should escape strings.
226         https://bugs.webkit.org/show_bug.cgi?id=194649
227         <rdar://problem/48072386>
228
229         Reviewed by Saam Barati.
230
231         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
232         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
233         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
234         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
235
236 2019-02-15  Robin Morisset  <rmorisset@apple.com>
237         CodeBlock::jettison should clear related watchpoints
238         https://bugs.webkit.org/show_bug.cgi?id=194544
239
240         Reviewed by Mark Lam.
241
242         * stress/regexp-replace-double-watchpoint.js: Added.
243         (foo):
244
245 2019-02-15  Saam barati  <sbarati@apple.com>
246
247         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
248         https://bugs.webkit.org/show_bug.cgi?id=194036
249
250         Reviewed by Yusuke Suzuki.
251
252         * stress/tail-call-many-arguments.js: Added.
253         (foo):
254         (bar):
255
256 2019-02-14  Saam Barati  <sbarati@apple.com>
257
258         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
259         https://bugs.webkit.org/show_bug.cgi?id=194583
260         <rdar://problem/48028140>
261
262         Reviewed by Yusuke Suzuki.
263
264         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
265
266 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         [JSC] String.fromCharCode's slow path always generates 16bit string
269         https://bugs.webkit.org/show_bug.cgi?id=194466
270
271         Reviewed by Keith Miller.
272
273         * stress/string-from-char-code-slow-path.js: Added.
274         (shouldBe):
275         (testWithLength):
276
277 2019-02-08  Saam barati  <sbarati@apple.com>
278
279         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
280         https://bugs.webkit.org/show_bug.cgi?id=194334
281         <rdar://problem/47844327>
282
283         Reviewed by Mark Lam.
284
285         * stress/check-in-bounds-should-be-a-child-use.js: Added.
286         (func):
287
288 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
291         https://bugs.webkit.org/show_bug.cgi?id=194369
292         <rdar://problem/47813087>
293
294         Reviewed by Saam Barati.
295
296         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
297         (A):
298
299 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         [JSC] PrivateName to PublicName hash table is wasteful
302         https://bugs.webkit.org/show_bug.cgi?id=194277
303
304         Reviewed by Michael Saboff.
305
306         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
307
308         * ChakraCore.yaml:
309
310 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
311
312         [ARM] Test running out of executable memory
313         https://bugs.webkit.org/show_bug.cgi?id=194285
314
315         Unreviewed. Do no execute test with LLInt disabled, test runs out of
316         executable memory otherwise.
317
318         * stress/class-subclassing-function.js:
319
320 2019-02-04  Robin Morisset  <rmorisset@apple.com>
321
322         when lowering AssertNotEmpty, create the value before creating the patchpoint
323         https://bugs.webkit.org/show_bug.cgi?id=194231
324
325         Reviewed by Saam Barati.
326
327         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
328         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
329         So even tiny changes to this test can change the path code taken.
330
331         * stress/assert-not-empty.js: Added.
332         (foo):
333
334 2019-02-01  Mark Lam  <mark.lam@apple.com>
335
336         Remove invalid assertion in DFG's compileDoubleRep().
337         https://bugs.webkit.org/show_bug.cgi?id=194130
338         <rdar://problem/47699474>
339
340         Reviewed by Saam Barati.
341
342         * stress/constant-fold-double-rep-into-double-constant.js: Added.
343
344 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
345
346         Import latest Test262 updates.
347
348         Rubber-stamped by Keith Miller.
349
350         * test262.yaml: Deleted.
351         * test262/config.yaml:
352         * test262/expectations.yaml:
353         * test262/latest-changes-summary.txt:
354         * test262/test/:
355         * test262/test262-Revision.txt:
356
357 2019-01-30  Robin Morisset  <rmorisset@apple.com>
358
359         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
360         https://bugs.webkit.org/show_bug.cgi?id=194050
361         <rdar://problem/47595592>
362
363         Reviewed by Yusuke Suzuki.
364
365         * stress/object-keys-osr-exit.js: Added.
366         (foo):
367         (catch):
368
369 2019-01-29  Mark Lam  <mark.lam@apple.com>
370
371         ValueRecovery::recover() should purify NaN values it recovers.
372         https://bugs.webkit.org/show_bug.cgi?id=193978
373         <rdar://problem/47625488>
374
375         Reviewed by Saam Barati.
376
377         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
378
379 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
380
381         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
382         https://bugs.webkit.org/show_bug.cgi?id=193713
383
384         * stress/try-get-by-id-should-spill-registers-dfg.js:
385         (let.f.createBuiltin):
386
387 2019-01-28  Mark Lam  <mark.lam@apple.com>
388
389         ToString node actually does GC.
390         https://bugs.webkit.org/show_bug.cgi?id=193920
391         <rdar://problem/46695900>
392
393         Reviewed by Yusuke Suzuki.
394
395         * stress/dfg-to-string-on-int-does-gc.js: Added.
396         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
397         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
398
399 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
400
401         [JSC] NativeErrorConstructor should not have own IsoSubspace
402         https://bugs.webkit.org/show_bug.cgi?id=193713
403
404         Reviewed by Saam Barati.
405
406         Remove @Error use.
407
408         * stress/try-get-by-id-should-spill-registers-dfg.js:
409         (let.f.createBuiltin):
410
411 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
412
413         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
414         https://bugs.webkit.org/show_bug.cgi?id=190693
415
416         Reviewed by Michael Saboff.
417
418         * stress/regress-190693.js: Added.
419         (truth):
420         (assert):
421         (shouldThrowInvalidConstAssignment):
422         (taz):
423
424 2019-01-24  Saam Barati  <sbarati@apple.com>
425
426         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
427         https://bugs.webkit.org/show_bug.cgi?id=193751
428         <rdar://problem/47280215>
429
430         Reviewed by Michael Saboff.
431
432         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
433         (let.thing):
434         (foo.let.hello):
435         (foo):
436
437 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
438
439         [JSC] Reenable baseline JIT on mips
440         https://bugs.webkit.org/show_bug.cgi?id=192983
441
442         Reviewed by Mark Lam.
443
444         Added a new test for a case that was triggering a RELEASE_ASSERT when
445         testing.
446         Disable some slow tests that were already disabled for arm and x86.
447
448         * stress/json-parse-big-object.js: Added.
449         * stress/new-largeish-contiguous-array-with-size.js:
450         * stress/op_add.js:
451         * stress/op_bitand.js:
452         * stress/op_bitor.js:
453         * stress/op_bitxor.js:
454         * stress/op_lshift-ConstVar.js:
455         * stress/op_lshift-VarConst.js:
456         * stress/op_lshift-VarVar.js:
457         * stress/op_mod-ConstVar.js:
458         * stress/op_mod-VarConst.js:
459         * stress/op_mod-VarVar.js:
460         * stress/op_mul-ConstVar.js:
461         * stress/op_mul-VarConst.js:
462         * stress/op_mul-VarVar.js:
463         * stress/op_rshift-ConstVar.js:
464         * stress/op_rshift-VarConst.js:
465         * stress/op_rshift-VarVar.js:
466         * stress/op_sub-ConstVar.js:
467         * stress/op_sub-VarConst.js:
468         * stress/op_sub-VarVar.js:
469         * stress/op_urshift-ConstVar.js:
470         * stress/op_urshift-VarConst.js:
471         * stress/op_urshift-VarVar.js:
472         * stress/sampling-profiler-richards.js:
473         * stress/spread-forward-call-varargs-stack-overflow.js:
474
475 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
476
477         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
478         https://bugs.webkit.org/show_bug.cgi?id=193711
479         <rdar://problem/47250262>
480
481         Reviewed by Saam Barati.
482
483         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
484         (shouldBe):
485         (foo):
486         (bar):
487         (baz):
488
489 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
490
491         Unreviewed, fix initial global lexical binding epoch
492         https://bugs.webkit.org/show_bug.cgi?id=193603
493         <rdar://problem/47380869>
494
495         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
496         (f1.f2.f3.f4):
497         (f1.f2.f3):
498         (f1.f2):
499         (f1):
500
501 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
502
503         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
504         https://bugs.webkit.org/show_bug.cgi?id=193709
505         <rdar://problem/47363838>
506
507         Unreviewed, rollout to watch the tests.
508
509         * stress/object-tostring-changed-proto.js: Removed.
510         * stress/object-tostring-changed.js: Removed.
511         * stress/object-tostring-misc.js: Removed.
512         * stress/object-tostring-other.js: Removed.
513         * stress/object-tostring-untyped.js: Removed.
514
515 2019-01-22  Saam Barati  <sbarati@apple.com>
516
517         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
518
519         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
520         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
521         (testUncheckedLessThanZero):
522         (testUncheckedLessThanOrEqualZero):
523         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
524         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
525
526 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
527
528         [JSC] Invalidate old scope operations using global lexical binding epoch
529         https://bugs.webkit.org/show_bug.cgi?id=193603
530         <rdar://problem/47380869>
531
532         Reviewed by Saam Barati.
533
534         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
535         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
536         (shouldThrow):
537         (bar):
538         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
539         (shouldBe):
540         (get1):
541         (get2):
542         (get1If):
543         (get2If):
544         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
545         (shouldThrow):
546         (foo):
547
548 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
549
550         Unreviewed, roll out r240220 due to date-format-xparb regression
551         https://bugs.webkit.org/show_bug.cgi?id=193603
552
553         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
554         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
555         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
556         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
557
558 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
559
560         DoesGC rule is wrong for nodes with BigIntUse
561         https://bugs.webkit.org/show_bug.cgi?id=193652
562
563         Reviewed by Saam Barati.
564
565         * stress/big-int-value-op-update-gc-rules.js: Added.
566         (assert):
567         (doesGCAdd):
568         (doesGCSub):
569         (doesGCDiv):
570         (doesGCMul):
571         (doesGCBitAnd):
572         (doesGCBitOr):
573         (doesGCBitXor):
574
575 2019-01-20  Saam Barati  <sbarati@apple.com>
576
577         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
578         https://bugs.webkit.org/show_bug.cgi?id=193644
579         <rdar://problem/46209745>
580
581         Reviewed by Yusuke Suzuki.
582
583         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
584         (foo):
585         * stress/data-view-set-intrinsic-undefined-result.js: Added.
586         (foo):
587         (bar):
588
589 2019-01-20  Saam Barati  <sbarati@apple.com>
590
591         MovHint must merge NodeBytecodeUsesAsValue for its child
592         https://bugs.webkit.org/show_bug.cgi?id=186916
593         <rdar://problem/41396612>
594
595         Reviewed by Yusuke Suzuki.
596
597         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
598         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
599
600 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
601
602         [JSC] Invalidate old scope operations using global lexical binding epoch
603         https://bugs.webkit.org/show_bug.cgi?id=193603
604         <rdar://problem/47380869>
605
606         Reviewed by Saam Barati.
607
608         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
609         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
610         (shouldThrow):
611         (bar):
612         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
613         (shouldBe):
614         (get1):
615         (get2):
616         (get1If):
617         (get2If):
618         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
619         (shouldThrow):
620         (foo):
621
622 2019-01-17  Saam barati  <sbarati@apple.com>
623
624         StringObjectUse should not be a structure check for the original string object structure
625         https://bugs.webkit.org/show_bug.cgi?id=193483
626         <rdar://problem/47280522>
627
628         Reviewed by Yusuke Suzuki.
629
630         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
631         (foo):
632         (a.valueOf.0):
633
634 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
635
636         [JSC] ToThis omission in DFGByteCodeParser is wrong
637         https://bugs.webkit.org/show_bug.cgi?id=193513
638         <rdar://problem/45842236>
639
640         Reviewed by Saam Barati.
641
642         * stress/to-this-omission-with-different-strict-modes.js: Added.
643         (thisA):
644         (thisAStrictWrapper):
645
646 2019-01-15  Mark Lam  <mark.lam@apple.com>
647
648         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
649         https://bugs.webkit.org/show_bug.cgi?id=193423
650         <rdar://problem/46209355>
651
652         Reviewed by Saam Barati.
653
654         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
655         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
656         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
657         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
658
659 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
660
661         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
662         https://bugs.webkit.org/show_bug.cgi?id=193438
663         <rdar://problem/45581249>
664
665         Reviewed by Saam Barati and Keith Miller.
666
667         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
668         Then, GetByVal(String) crashed.
669
670         * stress/string-get-by-val-lowering.js: Added.
671         (shouldBe):
672         (test):
673         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
674         (Hello):
675         (foo):
676
677 2019-01-15  Tomas Popela  <tpopela@redhat.com>
678
679         Unreviewed, skip JIT tests if it's not enabled
680
681         * stress/bit-op-with-object-returning-int32.js:
682
683 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
684
685         DFGByteCodeParser rules for bitwise operations should consider type of their operands
686         https://bugs.webkit.org/show_bug.cgi?id=192966
687
688         Reviewed by Yusuke Suzuki.
689
690         * stress/bit-op-with-object-returning-int32.js: Added.
691
692 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
693
694         Skip a slow test and a flakey test on arm
695
696         Unreviewed gardening.
697
698         * typeProfiler/getter-richards.js:
699         this test always times out, it used to be always skipped on arm and
700         mips, but got accidentally enabled by r237919 now that we have DFG on
701         arm. Also skipping on mips as we plan to soon enable DFG for it too.
702
703 2019-01-14  Keith Miller  <keith_miller@apple.com>
704
705         Skip type-check-hoisting-phase-hoist... with no jit
706         https://bugs.webkit.org/show_bug.cgi?id=193421
707
708         Reviewed by Mark Lam.
709
710         It's timing out the 32-bit bots and takes 330 seconds
711         on my machine when run by itself.
712
713         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
714
715 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
716
717         [JSC] AI should check the given constant's array type when folding GetByVal into constant
718         https://bugs.webkit.org/show_bug.cgi?id=193413
719         <rdar://problem/46092389>
720
721         Reviewed by Keith Miller.
722
723         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
724         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
725         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
726         but GetByVal does not have appropriate ArrayModes, JSC crashes.
727
728         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
729         (compareArray):
730
731 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
732
733         [BigInt] Literal parsing is crashing when used inside a Object Literal
734         https://bugs.webkit.org/show_bug.cgi?id=193404
735
736         Reviewed by Yusuke Suzuki.
737
738         * stress/big-int-literal-inside-literal-object.js: Added.
739
740 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
741
742         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
743         https://bugs.webkit.org/show_bug.cgi?id=193372
744
745         Reviewed by Saam Barati.
746
747         * stress/typed-array-array-modes-profile.js: Added.
748         (foo):
749
750 2019-01-14  Mark Lam  <mark.lam@apple.com>
751
752         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
753         https://bugs.webkit.org/show_bug.cgi?id=193402
754         <rdar://problem/46012309>
755
756         Reviewed by Keith Miller.
757
758         * stress/regexp-compile-oom.js:
759         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
760           is enabled.  As a result, it will fail on cloop builds though there is no bug.
761
762 2019-01-11  Saam barati  <sbarati@apple.com>
763
764         DFG combined liveness can be wrong for terminal basic blocks
765         https://bugs.webkit.org/show_bug.cgi?id=193304
766         <rdar://problem/45268632>
767
768         Reviewed by Yusuke Suzuki.
769
770         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
771
772 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
773
774         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
775         https://bugs.webkit.org/show_bug.cgi?id=193308
776         <rdar://problem/45546542>
777
778         Reviewed by Saam Barati.
779
780         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
781         (shouldThrow):
782         (shouldBe):
783         (foo):
784         (get shouldThrow):
785         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
786         (shouldThrow):
787         (shouldBe):
788         (foo):
789         (get shouldBe):
790         (get shouldThrow):
791         (get return):
792         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
793         (shouldThrow):
794         (shouldBe):
795         (foo):
796         (get shouldBe):
797         (get shouldThrow):
798         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
799         (shouldThrow):
800         (shouldBe):
801         (foo):
802         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
803         (shouldThrow):
804         (shouldBe):
805         (foo):
806         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
807         (shouldThrow):
808         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
809         (shouldThrow):
810         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
811         (shouldThrow):
812         (shouldBe):
813         (foo):
814         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
815         (shouldThrow):
816         (shouldBe):
817         (foo):
818         (get shouldBe):
819         (get shouldThrow):
820         (get return):
821         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
822         (shouldThrow):
823         (shouldBe):
824         (foo):
825         (get shouldBe):
826         (get shouldThrow):
827         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
828         (shouldThrow):
829         (shouldBe):
830         (foo):
831         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
832         (shouldThrow):
833         (shouldBe):
834         (foo):
835
836 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
837
838         Enable DFG on ARM/Linux again
839         https://bugs.webkit.org/show_bug.cgi?id=192496
840
841         Reviewed by Yusuke Suzuki.
842
843         Test wasn't really skipped before moving the line with skip
844         to the top.
845
846         * stress/regress-192717.js:
847
848 2019-01-10  Commit Queue  <commit-queue@webkit.org>
849
850         Unreviewed, rolling out r239825.
851         https://bugs.webkit.org/show_bug.cgi?id=193330
852
853         Broke tests on armv7/linux bots (Requested by guijemont on
854         #webkit).
855
856         Reverted changeset:
857
858         "Enable DFG on ARM/Linux again"
859         https://bugs.webkit.org/show_bug.cgi?id=192496
860         https://trac.webkit.org/changeset/239825
861
862 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
863
864         Enable DFG on ARM/Linux again
865         https://bugs.webkit.org/show_bug.cgi?id=192496
866
867         Reviewed by Yusuke Suzuki.
868
869         Test wasn't really skipped before moving the line with skip
870         to the top.
871
872         * stress/regress-192717.js:
873
874 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
875
876         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
877         https://bugs.webkit.org/show_bug.cgi?id=193127
878
879         Reviewed by Saam Barati.
880
881         * stress/array-species-create-should-handle-masquerader.js: Added.
882         (shouldThrow):
883         * stress/is-undefined-or-null-builtin.js: Added.
884         (shouldBe):
885         (isUndefinedOrNull.vm.createBuiltin):
886
887 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
888
889         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
890         https://bugs.webkit.org/show_bug.cgi?id=193221
891
892         Reviewed by Mark Lam.
893
894         * stress/put-by-id-flags.js: Added.
895         (f):
896         (g):
897         (numberOfDFGCompiles):
898
899 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
900
901         Baseline version of get_by_id may corrupt metadata
902         https://bugs.webkit.org/show_bug.cgi?id=193085
903         <rdar://problem/23453006>
904
905         Reviewed by Saam Barati.
906
907         * stress/get-by-id-change-mode.js: Added.
908         (forEach):
909
910 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
911
912         [JSC] Optimize Object.prototype.toString
913         https://bugs.webkit.org/show_bug.cgi?id=193031
914
915         Reviewed by Saam Barati.
916
917         * stress/object-tostring-changed-proto.js: Added.
918         (shouldBe):
919         (test):
920         * stress/object-tostring-changed.js: Added.
921         (shouldBe):
922         (test):
923         * stress/object-tostring-misc.js: Added.
924         (shouldBe):
925         (test):
926         (i.switch):
927         * stress/object-tostring-other.js: Added.
928         (shouldBe):
929         (test):
930         * stress/object-tostring-untyped.js: Added.
931         (shouldBe):
932         (test):
933         (i.switch):
934
935 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
936
937         test262-runner misbehaves when test file YAML has a trailing space
938         https://bugs.webkit.org/show_bug.cgi?id=193053
939
940         Reviewed by Yusuke Suzuki.
941
942         * test262/expectations.yaml:
943         Mark two dozen tests as passing (and correct the output of another).
944
945 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
946
947         Unreviewed, JSTests gardening with memoryLimited
948
949         * stress/string-overflow-createError.js:
950
951 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
952
953         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
954         https://bugs.webkit.org/show_bug.cgi?id=193050
955
956         Reviewed by Yusuke Suzuki.
957
958         * test262.yaml:
959         * test262/expectations.yaml:
960         Mark 16 tests as passing.
961
962 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
963
964         [BigInt] Support BigInt in JSON.stringify
965         https://bugs.webkit.org/show_bug.cgi?id=192624
966
967         Reviewed by Saam Barati.
968
969         * stress/big-int-json-stringify-to-json.js: Added.
970         (shouldBe):
971         (shouldThrow):
972         (BigInt.prototype.toJSON):
973         (shouldBe.JSON.stringify):
974         * stress/big-int-json-stringify.js: Added.
975         (shouldBe):
976         (shouldThrow):
977
978 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
979
980         [JSC] Implement "well-formed JSON.stringify" proposal
981         https://bugs.webkit.org/show_bug.cgi?id=191677
982
983         Reviewed by Darin Adler.
984
985         * stress/json-surrogate-pair.js: Added.
986         (shouldBe):
987         * test262/expectations.yaml:
988
989 2018-12-20  Keith Miller  <keith_miller@apple.com>
990
991         Add support for globalThis
992         https://bugs.webkit.org/show_bug.cgi?id=165171
993
994         Reviewed by Mark Lam.
995
996         * test262/config.yaml:
997
998 2018-12-19  Keith Miller  <keith_miller@apple.com>
999
1000         Update test262 configuration to not run tests dependent on ICU version.
1001         https://bugs.webkit.org/show_bug.cgi?id=192920
1002
1003         Reviewed by Saam Barati.
1004
1005         * test262/expectations.yaml:
1006
1007 2018-12-20  Mark Lam  <mark.lam@apple.com>
1008
1009         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1010         https://bugs.webkit.org/show_bug.cgi?id=192939
1011         <rdar://problem/46869516>
1012
1013         Reviewed by Keith Miller.
1014
1015         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1016
1017 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1018
1019         WTF::String and StringImpl overflow MaxLength
1020         https://bugs.webkit.org/show_bug.cgi?id=192853
1021         <rdar://problem/45726906>
1022
1023         Reviewed by Mark Lam.
1024
1025         * stress/string-16bit-repeat-overflow.js: Added.
1026         (catch):
1027
1028 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1029
1030         Unreviewed follow-up to r192914.
1031
1032         * test262/expectations.yaml:
1033         Add the last 20 missing expectations.
1034
1035 2018-12-19  Keith Miller  <keith_miller@apple.com>
1036
1037         Fix test262 expectations
1038         https://bugs.webkit.org/show_bug.cgi?id=192914
1039
1040         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1041
1042         * test262/expectations.yaml:
1043
1044 2018-12-19  Keith Miller  <keith_miller@apple.com>
1045
1046         Update test262 tests.
1047         https://bugs.webkit.org/show_bug.cgi?id=192907
1048
1049         Rubber stamped by Mark Lam.
1050
1051         * test262/*: Omitted because prepare-changelog crashes.
1052
1053 2018-12-19  Mark Lam  <mark.lam@apple.com>
1054
1055         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1056         https://bugs.webkit.org/show_bug.cgi?id=192464
1057         <rdar://problem/46519455>
1058
1059         Reviewed by Saam Barati.
1060
1061         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1062         microbenchmark.
1063
1064         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1065         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1066
1067 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1068
1069         String overflow in JSC::createError results in ASSERT in WTF::makeString
1070         https://bugs.webkit.org/show_bug.cgi?id=192833
1071         <rdar://problem/45706868>
1072
1073         Reviewed by Mark Lam.
1074
1075         * stress/string-overflow-createError.js: Added.
1076
1077 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1078
1079         Error message for `-x ** y` contains a typo.
1080         https://bugs.webkit.org/show_bug.cgi?id=192832
1081
1082         Reviewed by Saam Barati.
1083
1084         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1085         (assert.assert.return.throws):
1086         * stress/pow-expects-update-expression-on-lhs.js:
1087         (throw.new.Error):
1088         Update test expectations which match against the exact error message.
1089
1090 2018-12-18  Mark Lam  <mark.lam@apple.com>
1091
1092         Gardening: test options fix.
1093         https://bugs.webkit.org/show_bug.cgi?id=192822
1094
1095         Unreviewed.
1096
1097         * stress/json-stringify-string-builder-overflow.js:
1098
1099 2018-12-18  Mark Lam  <mark.lam@apple.com>
1100
1101         JSON.stringify() should throw OOM on StringBuilder overflows.
1102         https://bugs.webkit.org/show_bug.cgi?id=192822
1103         <rdar://problem/46670577>
1104
1105         Reviewed by Saam Barati.
1106
1107         * stress/json-stringify-string-builder-overflow.js: Added.
1108
1109 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1110
1111         Redeclaration of var over let/const/class should be a syntax error.
1112         https://bugs.webkit.org/show_bug.cgi?id=192298
1113
1114         Reviewed by Keith Miller.
1115
1116         * test262.yaml:
1117         * test262/expectations.yaml:
1118         Mark 46 tests as passing.
1119
1120         * stress/block-scope-redeclarations.js:
1121         Add some new tests.
1122
1123         * stress/for-in-invalidate-context-weird-assignments.js:
1124         * stress/for-in-tests.js:
1125         Replace tests for outdated behavior with tests for SyntaxError.
1126
1127         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1128         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1129         Update expectations.
1130
1131 2018-12-18  Mark Lam  <mark.lam@apple.com>
1132
1133         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1134         https://bugs.webkit.org/show_bug.cgi?id=191374
1135         <rdar://problem/46525447>
1136
1137         Reviewed by Yusuke Suzuki.
1138
1139         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1140
1141         * stress/elidable-new-object-roflcopter-then-exit.js:
1142
1143 2018-12-17  Mark Lam  <mark.lam@apple.com>
1144
1145         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1146         https://bugs.webkit.org/show_bug.cgi?id=192019
1147         <rdar://problem/46525456>
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         The test runs too slow on 32-bit.
1152
1153         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1154
1155 2018-12-17  Mark Lam  <mark.lam@apple.com>
1156
1157         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1158         https://bugs.webkit.org/show_bug.cgi?id=191373
1159         <rdar://problem/46525458>
1160
1161         Reviewed by Yusuke Suzuki.
1162
1163         The test is already slow running with a JIT on 64-bit.  It will always timeout
1164         on 32-bit without a JIT.
1165
1166         * stress/materialize-regexp-cyclic-regexp.js:
1167
1168 2018-12-17  Mark Lam  <mark.lam@apple.com>
1169
1170         Array unshift/shift should not race against the AI in the compiler thread.
1171         https://bugs.webkit.org/show_bug.cgi?id=192795
1172         <rdar://problem/46724263>
1173
1174         Reviewed by Saam Barati.
1175
1176         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1177
1178 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1179
1180         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1181         https://bugs.webkit.org/show_bug.cgi?id=190047
1182
1183         Reviewed by Saam Barati.
1184
1185         * stress/object-keys-cached-zero.js: Added.
1186         (shouldBe):
1187         (test):
1188         * stress/object-keys-changed-attribute.js: Added.
1189         (shouldBe):
1190         (test):
1191         * stress/object-keys-changed-index.js: Added.
1192         (shouldBe):
1193         (test):
1194         * stress/object-keys-changed.js: Added.
1195         (shouldBe):
1196         (test):
1197         * stress/object-keys-indexed-non-cache.js: Added.
1198         (shouldBe):
1199         (test):
1200         * stress/object-keys-overrides-get-property-names.js: Added.
1201         (shouldBe):
1202         (test):
1203         (noInline):
1204
1205 2018-12-17  Mark Lam  <mark.lam@apple.com>
1206
1207         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1208         https://bugs.webkit.org/show_bug.cgi?id=192779
1209         <rdar://problem/46775869>
1210
1211         Reviewed by Saam Barati.
1212
1213         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1214
1215 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1216
1217         Unreviewed test gardening, address a syntax error in a new test.
1218
1219         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1220
1221 2018-12-17  Mark Lam  <mark.lam@apple.com>
1222
1223         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1224         https://bugs.webkit.org/show_bug.cgi?id=192776
1225         <rdar://problem/46772368>
1226
1227         Reviewed by Keith Miller.
1228
1229         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1230
1231 2018-12-17  Mark Lam  <mark.lam@apple.com>
1232
1233         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1234         https://bugs.webkit.org/show_bug.cgi?id=192770
1235         <rdar://problem/46449037>
1236
1237         Reviewed by Keith Miller.
1238
1239         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1240
1241 2018-12-14  Mark Lam  <mark.lam@apple.com>
1242
1243         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1244         https://bugs.webkit.org/show_bug.cgi?id=192717
1245         <rdar://problem/46660677>
1246
1247         Reviewed by Saam Barati.
1248
1249         * stress/regress-192717.js: Added.
1250
1251 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1252
1253         Unreviewed, rolling out r239153, r239154, and r239155.
1254         https://bugs.webkit.org/show_bug.cgi?id=192715
1255
1256         Caused flaky GC-related crashes seen with layout tests
1257         (Requested by ryanhaddad on #webkit).
1258
1259         Reverted changesets:
1260
1261         "[JSC] Optimize Object.keys by caching own keys results in
1262         StructureRareData"
1263         https://bugs.webkit.org/show_bug.cgi?id=190047
1264         https://trac.webkit.org/changeset/239153
1265
1266         "Unreviewed, build fix after r239153"
1267         https://bugs.webkit.org/show_bug.cgi?id=190047
1268         https://trac.webkit.org/changeset/239154
1269
1270         "Unreviewed, build fix after r239153, part 2"
1271         https://bugs.webkit.org/show_bug.cgi?id=190047
1272         https://trac.webkit.org/changeset/239155
1273
1274 2018-12-14  Keith Miller  <keith_miller@apple.com>
1275
1276         Callers of JSString::getIndex should check for OOM exceptions
1277         https://bugs.webkit.org/show_bug.cgi?id=192709
1278
1279         Reviewed by Mark Lam.
1280
1281         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1282
1283 2018-12-13  Mark Lam  <mark.lam@apple.com>
1284
1285         Add a missing exception check.
1286         https://bugs.webkit.org/show_bug.cgi?id=192626
1287         <rdar://problem/46662163>
1288
1289         Reviewed by Keith Miller.
1290
1291         * stress/regress-192626.js: Added.
1292
1293 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1294
1295         [BigInt] Add ValueDiv into DFG
1296         https://bugs.webkit.org/show_bug.cgi?id=186178
1297
1298         Reviewed by Yusuke Suzuki.
1299
1300         * stress/big-int-div-jit-osr.js: Added.
1301         * stress/big-int-div-jit-untyped.js: Added.
1302         * stress/value-div-fixup-int32-big-int.js: Added.
1303
1304 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1305
1306         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1307         https://bugs.webkit.org/show_bug.cgi?id=190047
1308
1309         Reviewed by Keith Miller.
1310
1311         * stress/object-keys-cached-zero.js: Added.
1312         (shouldBe):
1313         (test):
1314         * stress/object-keys-changed-attribute.js: Added.
1315         (shouldBe):
1316         (test):
1317         * stress/object-keys-changed-index.js: Added.
1318         (shouldBe):
1319         (test):
1320         * stress/object-keys-changed.js: Added.
1321         (shouldBe):
1322         (test):
1323         * stress/object-keys-indexed-non-cache.js: Added.
1324         (shouldBe):
1325         (test):
1326         * stress/object-keys-overrides-get-property-names.js: Added.
1327         (shouldBe):
1328         (test):
1329         (noInline):
1330
1331 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1332
1333         [DFG][FTL] Add NewSymbol
1334         https://bugs.webkit.org/show_bug.cgi?id=192620
1335
1336         Reviewed by Saam Barati.
1337
1338         * microbenchmarks/symbol-creation.js: Added.
1339         (test):
1340         * stress/symbol-description-identity.js: Added.
1341         (shouldBe):
1342         (test):
1343         * stress/symbol-identity.js: Added.
1344         (shouldBe):
1345         (test):
1346         * stress/symbol-with-description-throw-error.js: Added.
1347         (shouldBe):
1348         (shouldThrow):
1349         (test):
1350         (object.toString):
1351
1352 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1353
1354         [BigInt] Implement DFG/FTL typeof for BigInt
1355         https://bugs.webkit.org/show_bug.cgi?id=192619
1356
1357         Reviewed by Keith Miller.
1358
1359         * stress/big-int-boolean-proven-type.js: Added.
1360         (assert):
1361         (bool):
1362         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1363         (assert):
1364         (typeOf):
1365         (i.switch):
1366         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1367         (assert):
1368         (typeOf):
1369         * stress/big-int-type-of.js:
1370         (typeOf):
1371         (func):
1372
1373 2018-12-10  Mark Lam  <mark.lam@apple.com>
1374
1375         PropertyAttribute needs a CustomValue bit.
1376         https://bugs.webkit.org/show_bug.cgi?id=191993
1377         <rdar://problem/46264467>
1378
1379         Reviewed by Saam Barati.
1380
1381         * stress/regress-191993.js: Added.
1382
1383 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1384
1385         [BigInt] Add ValueMul into DFG
1386         https://bugs.webkit.org/show_bug.cgi?id=186175
1387
1388         Reviewed by Yusuke Suzuki.
1389
1390         * stress/big-int-mul-jit-osr.js: Added.
1391         * stress/big-int-mul-jit-untyped.js: Added.
1392         * stress/value-mul-fixup-int32-big-int.js: Added.
1393
1394 2018-12-06  Keith Miller  <keith_miller@apple.com>
1395
1396         stress/big-wasm-memory tests failing on 32-bit JSC bot
1397         https://bugs.webkit.org/show_bug.cgi?id=192020
1398
1399         Reviewed by Saam Barati.
1400
1401         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1402         the wasm stress tests if the WebAssembly object does not exist.
1403
1404         * stress/big-wasm-memory-grow-no-max.js:
1405         (test.foo):
1406         (test):
1407         (foo): Deleted.
1408         (catch): Deleted.
1409         * stress/big-wasm-memory-grow.js:
1410         (test.foo):
1411         (test):
1412         (foo): Deleted.
1413         (catch): Deleted.
1414         * stress/big-wasm-memory.js:
1415         (test.foo):
1416         (test):
1417         (foo): Deleted.
1418         (catch): Deleted.
1419
1420 2018-12-05  Mark Lam  <mark.lam@apple.com>
1421
1422         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1423         https://bugs.webkit.org/show_bug.cgi?id=192441
1424         <rdar://problem/46480355>
1425
1426         Reviewed by Saam Barati.
1427
1428         * stress/regress-192441.js: Added.
1429
1430 2018-12-04  Mark Lam  <mark.lam@apple.com>
1431
1432         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1433         https://bugs.webkit.org/show_bug.cgi?id=192386
1434         <rdar://problem/46445516>
1435
1436         Reviewed by Saam Barati.
1437
1438         * stress/regress-192386.js: Added.
1439
1440 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1441
1442         [ESNext][BigInt] Support logic operations
1443         https://bugs.webkit.org/show_bug.cgi?id=179903
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * stress/big-int-branch-usage.js: Added.
1448         * stress/big-int-logical-and.js: Added.
1449         * stress/big-int-logical-not.js: Added.
1450         * stress/big-int-logical-or.js: Added.
1451
1452 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1453
1454         Unreviewed, rolling out r238833.
1455
1456         Breaks macOS and iOS debug builds.
1457
1458         Reverted changeset:
1459
1460         "[ESNext][BigInt] Support logic operations"
1461         https://bugs.webkit.org/show_bug.cgi?id=179903
1462         https://trac.webkit.org/changeset/238833
1463
1464 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1465
1466         [ESNext][BigInt] Support logic operations
1467         https://bugs.webkit.org/show_bug.cgi?id=179903
1468
1469         Reviewed by Yusuke Suzuki.
1470
1471         * stress/big-int-branch-usage.js: Added.
1472         * stress/big-int-logical-and.js: Added.
1473         * stress/big-int-logical-not.js: Added.
1474         * stress/big-int-logical-or.js: Added.
1475
1476 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1477
1478         [ESNext][BigInt] Implement support for "<<" and ">>"
1479         https://bugs.webkit.org/show_bug.cgi?id=186233
1480
1481         Reviewed by Yusuke Suzuki.
1482
1483         * stress/big-int-left-shift-general.js: Added.
1484         * stress/big-int-left-shift-range-error.js: Added.
1485         * stress/big-int-left-shift-type-error.js: Added.
1486         * stress/big-int-left-shift-wrapped-value.js: Added.
1487         * stress/big-int-right-shift-general.js: Added.
1488         * stress/big-int-right-shift-type-error.js: Added.
1489         * stress/big-int-right-shift-wrapped-value.js: Added.
1490         * stress/left-shift-to-primitive-precedence.js: Added.
1491         * stress/right-shift-to-primitive-precedence.js: Added.
1492
1493 2018-11-30  Dean Jackson  <dino@apple.com>
1494
1495         Add first-class support for .mjs files in jsc binary
1496         https://bugs.webkit.org/show_bug.cgi?id=192190
1497         <rdar://problem/46375715>
1498
1499         Reviewed by Keith Miller.
1500
1501         * stress/simple-module.mjs: Added.
1502         * stress/simple-script.js: Added.
1503
1504 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1505
1506         [BigInt] Implement ValueBitXor into DFG
1507         https://bugs.webkit.org/show_bug.cgi?id=190264
1508
1509         Reviewed by Yusuke Suzuki.
1510
1511         * stress/big-int-bitwise-xor-jit.js: Added.
1512         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1513         * stress/big-int-bitwise-xor-untyped.js: Added.
1514
1515 2018-11-27  Saam barati  <sbarati@apple.com>
1516
1517         r238510 broke scopes of size zero
1518         https://bugs.webkit.org/show_bug.cgi?id=192033
1519         <rdar://problem/46281734>
1520
1521         Reviewed by Keith Miller.
1522
1523         * stress/r238510-bad-loop.js: Added.
1524         (foo):
1525
1526 2018-11-27  Mark Lam  <mark.lam@apple.com>
1527
1528         [Re-landing] NaNs read from Wasm code needs to be be purified.
1529         https://bugs.webkit.org/show_bug.cgi?id=191056
1530         <rdar://problem/45660341>
1531
1532         Reviewed by Filip Pizlo.
1533
1534         * wasm/regress/regress-191056.js: Added.
1535
1536 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1537
1538         Unreviewed, rolling out r238509.
1539
1540         Causes JSC tests to fail on iOS.
1541
1542         Reverted changeset:
1543
1544         "NaNs read from Wasm code needs to be be purified."
1545         https://bugs.webkit.org/show_bug.cgi?id=191056
1546         https://trac.webkit.org/changeset/238509
1547
1548 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1549
1550         Re-introduce op_bitnot
1551         https://bugs.webkit.org/show_bug.cgi?id=190923
1552
1553         Reviewed by Yusuke Suzuki.
1554
1555         * stress/bit-not-must-generate.js: Added.
1556         * stress/bitwise-not-no-int32.js: Added.
1557
1558 2018-11-26  Saam barati  <sbarati@apple.com>
1559
1560         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1561         https://bugs.webkit.org/show_bug.cgi?id=191956
1562         <rdar://problem/45665806>
1563
1564         Reviewed by Yusuke Suzuki.
1565
1566         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1567         (bar):
1568         (foo):
1569
1570 2018-11-26  Saam barati  <sbarati@apple.com>
1571
1572         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1573         https://bugs.webkit.org/show_bug.cgi?id=191958
1574         <rdar://problem/46221877>
1575
1576         Reviewed by Yusuke Suzuki.
1577
1578         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1579         (x):
1580         (foo):
1581
1582 2018-11-26  Mark Lam  <mark.lam@apple.com>
1583
1584         NaNs read from Wasm code needs to be be purified.
1585         https://bugs.webkit.org/show_bug.cgi?id=191056
1586         <rdar://problem/45660341>
1587
1588         Reviewed by Filip Pizlo.
1589
1590         * wasm/regress/regress-191056.js: Added.
1591
1592 2018-11-26  Michael Saboff  <msaboff@apple.com>
1593
1594         32-bit JSC test failure: stress/regexp-compile-oom.js
1595         https://bugs.webkit.org/show_bug.cgi?id=191375
1596
1597         Reviewed by Mark Lam.
1598
1599         Disabled the test for 32 bit platforms.
1600
1601         * stress/regexp-compile-oom.js:
1602
1603 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1604
1605         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1606         https://bugs.webkit.org/show_bug.cgi?id=191716
1607         <rdar://problem/45723878>
1608
1609         Reviewed by Saam Barati.
1610
1611         * stress/regress-187373.js: Added.
1612         (async.fn):
1613
1614 2018-11-21  Saam barati  <sbarati@apple.com>
1615
1616         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1617         https://bugs.webkit.org/show_bug.cgi?id=191897
1618         <rdar://problem/45871998>
1619
1620         Reviewed by Mark Lam.
1621
1622         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1623         (bar):
1624         (foo):
1625
1626 2018-11-21  Saam barati  <sbarati@apple.com>
1627
1628         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1629         https://bugs.webkit.org/show_bug.cgi?id=191895
1630         <rdar://problem/46167406>
1631
1632         Reviewed by Mark Lam.
1633
1634         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1635         (foo):
1636         (bar):
1637
1638 2018-11-21  Mark Lam  <mark.lam@apple.com>
1639
1640         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1641         https://bugs.webkit.org/show_bug.cgi?id=191776
1642         <rdar://problem/46152851>
1643
1644         Reviewed by Saam Barati.
1645
1646         * stress/big-wasm-memory-grow-no-max.js:
1647         * stress/big-wasm-memory-grow.js:
1648         * stress/big-wasm-memory.js:
1649         - updated these to expect an OutOfMemoryError.
1650
1651         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1652         (Binary.prototype.emit_u8):
1653         (Binary.prototype.emit_u32v):
1654         (Binary.prototype.emit_header):
1655         (Binary.prototype.emit_section):
1656         (Binary):
1657         (WasmModuleBuilder):
1658         (WasmModuleBuilder.prototype.addMemory):
1659         (WasmModuleBuilder.prototype.toArray):
1660         (WasmModuleBuilder.prototype.toBuffer):
1661         (WasmModuleBuilder.prototype.instantiate):
1662         (catch):
1663         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1664         (catch):
1665
1666 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1667
1668         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1669         https://bugs.webkit.org/show_bug.cgi?id=190836
1670
1671         Reviewed by Saam Barati and Yusuke Suzuki.
1672
1673         * stress/big-int-out-of-memory-tests.js: Added.
1674
1675 2018-11-20  Mark Lam  <mark.lam@apple.com>
1676
1677         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1678         https://bugs.webkit.org/show_bug.cgi?id=191856
1679         <rdar://problem/46089992>
1680
1681         Reviewed by Yusuke Suzuki.
1682
1683         * stress/regress-191856.js: Added.
1684         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1685
1686 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1687
1688         Enable JIT on ARM/Linux
1689         https://bugs.webkit.org/show_bug.cgi?id=191548
1690
1691         Reviewed by Yusuke Suzuki.
1692
1693         Disable test on system with limited memory. Program was killed by
1694         the OS before the exception was thrown.
1695
1696         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1697
1698 2018-11-20  Saam barati  <sbarati@apple.com>
1699
1700         Merging an IC variant may lead to the IC status containing overlapping structure sets
1701         https://bugs.webkit.org/show_bug.cgi?id=191869
1702         <rdar://problem/45403453>
1703
1704         Reviewed by Mark Lam.
1705
1706         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1707
1708 2018-11-19  Mark Lam  <mark.lam@apple.com>
1709
1710         globalFuncImportModule() should return a promise when it clears exceptions.
1711         https://bugs.webkit.org/show_bug.cgi?id=191792
1712         <rdar://problem/46090763>
1713
1714         Reviewed by Michael Saboff.
1715
1716         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1717
1718 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1719
1720         Skip new memory-hungry tests on memory limited devices
1721
1722         Unreviewed gardening.
1723
1724         * stress/big-wasm-memory-grow-no-max.js:
1725         * stress/big-wasm-memory-grow.js:
1726         * stress/big-wasm-memory.js:
1727
1728 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1729
1730         Unreviewed, rolling in the rest of r237254
1731         https://bugs.webkit.org/show_bug.cgi?id=190340
1732
1733         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1734         * stress/function-cache-with-parameters-end-position.js: Added.
1735         (shouldBe):
1736         (shouldThrow):
1737         (i.anonymous):
1738         * stress/function-constructor-name.js: Added.
1739         (shouldBe):
1740         (GeneratorFunction):
1741         (AsyncFunction.async):
1742         (AsyncGeneratorFunction.async):
1743         (anonymous):
1744         (async.anonymous):
1745         * test262/expectations.yaml:
1746
1747 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1748
1749         All users of ArrayBuffer should agree on the same max size
1750         https://bugs.webkit.org/show_bug.cgi?id=191771
1751
1752         Reviewed by Mark Lam.
1753
1754         * stress/big-wasm-memory-grow-no-max.js: Added.
1755         (foo):
1756         (catch):
1757         * stress/big-wasm-memory-grow.js: Added.
1758         (foo):
1759         (catch):
1760         * stress/big-wasm-memory.js: Added.
1761         (foo):
1762         (catch):
1763
1764 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1765
1766         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1767         run for each JSC config since they're regression tests for runtime bugs.
1768
1769         * stress/json-stringified-overflow-2.js:
1770         * stress/json-stringified-overflow.js:
1771
1772 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1773
1774         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1775         config since they're regression tests for runtime bugs.
1776
1777         * stress/large-unshift-splice.js:
1778         * stress/regress-185888.js:
1779
1780 2018-11-16  Saam Barati  <sbarati@apple.com>
1781
1782         KnownCellUse should also have SpecCellCheck as its type filter
1783         https://bugs.webkit.org/show_bug.cgi?id=191729
1784         <rdar://problem/45872852>
1785
1786         Reviewed by Filip Pizlo.
1787
1788         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1789         (C):
1790
1791 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1792
1793         Fix assertion failure on BytecodeGenerator::recordOpcode
1794         https://bugs.webkit.org/show_bug.cgi?id=191724
1795         <rdar://problem/45724395>
1796
1797         Reviewed by Saam Barati.
1798
1799         * stress/regress-187373-2.js: Added.
1800         (foo):
1801
1802 2018-11-15  Mark Lam  <mark.lam@apple.com>
1803
1804         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1805         https://bugs.webkit.org/show_bug.cgi?id=191730
1806         <rdar://problem/46048517>
1807
1808         Reviewed by Saam Barati.
1809
1810         * stress/regress-187006.js: Removed.
1811           - this test is invalid because its sole purpose is to test for the non-spec
1812             compliant behavior that we just fixed.
1813
1814         * stress/regress-191730.js: Added.
1815
1816 2018-11-15  Mark Lam  <mark.lam@apple.com>
1817
1818         RegExp operations should not take fast patch if lastIndex is not numeric.
1819         https://bugs.webkit.org/show_bug.cgi?id=191731
1820         <rdar://problem/46017305>
1821
1822         Reviewed by Saam Barati.
1823
1824         * stress/regress-191731.js: Added.
1825
1826 2018-11-13  Saam Barati  <sbarati@apple.com>
1827
1828         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1829         https://bugs.webkit.org/show_bug.cgi?id=191600
1830
1831         Reviewed by Mark Lam.
1832
1833         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1834         (foo):
1835         (test):
1836         (bar):
1837
1838 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1839
1840         Unreviewed, rolling out r238132.
1841
1842         The test added with this change is timing out on Debug JSC
1843         bots.
1844
1845         Reverted changeset:
1846
1847         "[BigInt] JSBigInt::createWithLength should throw when length
1848         is greater than JSBigInt::maxLength"
1849         https://bugs.webkit.org/show_bug.cgi?id=190836
1850         https://trac.webkit.org/changeset/238132
1851
1852 2018-11-13  Mark Lam  <mark.lam@apple.com>
1853
1854         Add OOM detection to StringPrototype's substituteBackreferences().
1855         https://bugs.webkit.org/show_bug.cgi?id=191563
1856         <rdar://problem/45720428>
1857
1858         Reviewed by Saam Barati.
1859
1860         * stress/regress-191563.js: Added.
1861
1862 2018-11-13  Mark Lam  <mark.lam@apple.com>
1863
1864         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1865         https://bugs.webkit.org/show_bug.cgi?id=191579
1866         <rdar://problem/45942472>
1867
1868         Reviewed by Saam Barati.
1869
1870         * stress/regress-191579.js: Added.
1871
1872 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1873
1874         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1875         https://bugs.webkit.org/show_bug.cgi?id=190836
1876
1877         Reviewed by Saam Barati.
1878
1879         * stress/big-int-out-of-memory-tests.js: Added.
1880
1881 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1882
1883         U+180E is no longer a whitespace character
1884         https://bugs.webkit.org/show_bug.cgi?id=191415
1885
1886         Reviewed by Saam Barati.
1887
1888         * ChakraCore/test/es5/regexSpace.baseline:
1889         * ChakraCore/test/es6/unicode_whitespace.js:
1890         Update tests to latest version.
1891         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1892
1893         * test262.yaml:
1894         * test262/config.yaml:
1895         * test262/expectations.yaml:
1896         Update expectations.
1897
1898 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1899
1900         [BigInt] Add support to BigInt into ValueAdd
1901         https://bugs.webkit.org/show_bug.cgi?id=186177
1902
1903         Reviewed by Keith Miller.
1904
1905         * stress/big-int-negate-jit.js:
1906         * stress/value-add-big-int-and-string.js: Added.
1907         * stress/value-add-big-int-prediction-propagation.js: Added.
1908         * stress/value-add-big-int-untyped.js: Added.
1909
1910 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1911
1912         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1913         https://bugs.webkit.org/show_bug.cgi?id=191184
1914
1915         Reviewed by Saam Barati.
1916
1917         Most tests were failing due to timeouts, since they are too slow to
1918         run on CLoop. The exceptions are:
1919
1920         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1921         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1922         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1923         to change the stack size since CLoop requires it to be page aligned.
1924
1925         * microbenchmarks/array-push-1.js:
1926         * microbenchmarks/array-push-2.js:
1927         * microbenchmarks/elidable-new-object-dag.js:
1928         * microbenchmarks/elidable-new-object-roflcopter.js:
1929         * microbenchmarks/elidable-new-object-tree.js:
1930         * microbenchmarks/getter-richards.js:
1931         * microbenchmarks/sinkable-new-object-dag.js:
1932         * microbenchmarks/string-concat-long-convert.js:
1933         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1934         * slowMicrobenchmarks/array-push-3.js:
1935         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1936         * slowMicrobenchmarks/spread-small-array.js:
1937         * slowMicrobenchmarks/undefined-property-access.js:
1938         * stress/activation-sink-default-value-tdz-error.js:
1939         * stress/activation-sink-default-value.js:
1940         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1941         * stress/activation-sink-osrexit-default-value.js:
1942         * stress/activation-sink-osrexit.js:
1943         * stress/activation-sink.js:
1944         * stress/allow-math-ic-b3-code-duplication.js:
1945         * stress/array-push-multiple-int32.js:
1946         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1947         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1948         * stress/arrowfunction-lexical-this-activation-sink.js:
1949         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1950         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1951         * stress/elide-new-object-dag-then-exit.js:
1952         * stress/materialize-regexp-cyclic.js:
1953         * stress/new-regex-inline.js:
1954         * stress/op_add.js:
1955         * stress/op_bitand.js:
1956         * stress/op_bitor.js:
1957         * stress/op_bitxor.js:
1958         * stress/op_div-ConstVar.js:
1959         * stress/op_div-VarConst.js:
1960         * stress/op_div-VarVar.js:
1961         * stress/op_lshift-ConstVar.js:
1962         * stress/op_lshift-VarConst.js:
1963         * stress/op_lshift-VarVar.js:
1964         * stress/op_mod-ConstVar.js:
1965         * stress/op_mod-VarConst.js:
1966         * stress/op_mod-VarVar.js:
1967         * stress/op_mul-ConstVar.js:
1968         * stress/op_mul-VarConst.js:
1969         * stress/op_mul-VarVar.js:
1970         * stress/op_rshift-ConstVar.js:
1971         * stress/op_rshift-VarConst.js:
1972         * stress/op_rshift-VarVar.js:
1973         * stress/op_sub-ConstVar.js:
1974         * stress/op_sub-VarConst.js:
1975         * stress/op_sub-VarVar.js:
1976         * stress/op_urshift-ConstVar.js:
1977         * stress/op_urshift-VarConst.js:
1978         * stress/op_urshift-VarVar.js:
1979         * stress/proxy-get-set-correct-receiver.js:
1980         * stress/regress-179562.js:
1981         * stress/rest-parameter-many-arguments.js:
1982         * stress/sampling-profiler-richards.js:
1983         * stress/splay-flash-access-1ms.js:
1984         * stress/tailCallForwardArguments.js:
1985         * stress/typed-array-get-by-val-profiling.js:
1986         * typeProfiler/getter-richards.js:
1987
1988 2018-11-06  Michael Saboff  <msaboff@apple.com>
1989
1990         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1991         https://bugs.webkit.org/show_bug.cgi?id=191271
1992
1993         Reviewed by Saam Barati.
1994
1995         Added more test cases and made all test cases run with the same deeply recursive stack
1996         instead of finding that same point for each test case.
1997
1998         * stress/regexp-compile-oom.js:
1999         (prototype.runTest):
2000         (recurseAndTest):
2001         (testList.push.new.TestAndExpectedException):
2002
2003 2018-11-05  Michael Saboff  <msaboff@apple.com>
2004
2005         Unreviewed build fix for linux.
2006
2007         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2008
2009 2018-11-02  Michael Saboff  <msaboff@apple.com>
2010
2011         Rolling in r237753 with unreviewed build fix.
2012
2013         Fixed issues with DECLARE_THROW_SCOPE placement.
2014
2015 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2016
2017         Unreviewed, rolling out r237753.
2018
2019         Introduced JSC test failures
2020
2021         Reverted changeset:
2022
2023         "Running out of stack space not properly handled in
2024         RegExp::compile() and its callers"
2025         https://bugs.webkit.org/show_bug.cgi?id=191206
2026         https://trac.webkit.org/changeset/237753
2027
2028 2018-11-02  Michael Saboff  <msaboff@apple.com>
2029
2030         Running out of stack space not properly handled in RegExp::compile() and its callers
2031         https://bugs.webkit.org/show_bug.cgi?id=191206
2032
2033         Reviewed by Filip Pizlo.
2034
2035         New regression test.
2036
2037         * stress/regexp-compile-oom.js: Added.
2038         (recurseAndTest):
2039
2040 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2041
2042         Skip tests on arm/mips that time out now we're running on CLoop
2043
2044         Unreviewed gardening.
2045
2046         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2047         time out on the bots and need to be disabled. There's more tests
2048         disabled on arm because the timeout is longer on the mips bot (as the
2049         device is slower to start with), so many of the tests don't time out
2050         there.
2051
2052         * microbenchmarks/getter-richards.js: disable on arm and mips.
2053         * stress/op_add.js: disable on arm.
2054         * stress/op_bitand.js: disable on arm.
2055         * stress/op_bitor.js: disable on arm.
2056         * stress/op_bitxor.js: disable on arm.
2057         * stress/op_lshift-ConstVar.js: disable on arm.
2058         * stress/op_lshift-VarConst.js: disable on arm.
2059         * stress/op_lshift-VarVar.js: disable on arm.
2060         * stress/op_mod-ConstVar.js: disable on arm.
2061         * stress/op_mod-VarConst.js: disable on arm.
2062         * stress/op_mod-VarVar.js: disable on arm.
2063         * stress/op_mul-ConstVar.js: disable on arm.
2064         * stress/op_mul-VarConst.js: disable on arm.
2065         * stress/op_mul-VarVar.js: disable on arm.
2066         * stress/op_rshift-ConstVar.js: disable on arm.
2067         * stress/op_rshift-VarConst.js: disable on arm.
2068         * stress/op_rshift-VarVar.js: disable on arm.
2069         * stress/op_sub-ConstVar.js: disable on arm.
2070         * stress/op_sub-VarConst.js: disable on arm.
2071         * stress/op_sub-VarVar.js: disable on arm.
2072         * stress/op_urshift-ConstVar.js: disable on arm.
2073         * stress/op_urshift-VarConst.js: disable on arm.
2074         * stress/op_urshift-VarVar.js: disable on arm.
2075         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2076         * stress/value-to-boolean.js: disable on arm and mips.
2077
2078 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2079
2080         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2081         https://bugs.webkit.org/show_bug.cgi?id=191108
2082         <rdar://problem/45690700>
2083
2084         Reviewed by Saam Barati.
2085
2086         * stress/wide-op_catch.js: Added.
2087         (catch):
2088
2089 2018-10-29  Mark Lam  <mark.lam@apple.com>
2090
2091         Correctly detect string overflow when using the 'Function' constructor.
2092         https://bugs.webkit.org/show_bug.cgi?id=184883
2093         <rdar://problem/36320331>
2094
2095         Reviewed by Saam Barati.
2096
2097         I've verified that this passes on 32-bit as well.
2098
2099         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2100
2101 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2102
2103         Add support for GetStack FlushedDouble
2104         https://bugs.webkit.org/show_bug.cgi?id=191012
2105         <rdar://problem/45265141>
2106
2107         Reviewed by Saam Barati.
2108
2109         * stress/get-stack-double.js: Added.
2110         (bar):
2111         (noInline):
2112
2113 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2114
2115         New bytecode format for JSC
2116         https://bugs.webkit.org/show_bug.cgi?id=187373
2117         <rdar://problem/44186758>
2118
2119         Reviewed by Filip Pizlo.
2120
2121         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2122
2123         * stress/maximum-inline-capacity.js: Added.
2124         (test1):
2125         (test3.Foo):
2126         (test3):
2127
2128 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2129
2130         Unreviewed, rolling out r237479 and r237484.
2131         https://bugs.webkit.org/show_bug.cgi?id=190978
2132
2133         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2134
2135         Reverted changesets:
2136
2137         "New bytecode format for JSC"
2138         https://bugs.webkit.org/show_bug.cgi?id=187373
2139         https://trac.webkit.org/changeset/237479
2140
2141         "Gardening: Build fix after r237479."
2142         https://bugs.webkit.org/show_bug.cgi?id=187373
2143         https://trac.webkit.org/changeset/237484
2144
2145 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2146
2147         New bytecode format for JSC
2148         https://bugs.webkit.org/show_bug.cgi?id=187373
2149         <rdar://problem/44186758>
2150
2151         Reviewed by Filip Pizlo.
2152
2153         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2154
2155         * stress/maximum-inline-capacity.js: Added.
2156         (test1):
2157         (test3.Foo):
2158         (test3):
2159
2160 2018-10-26  Mark Lam  <mark.lam@apple.com>
2161
2162         Fix missing edge cases with JSGlobalObjects having a bad time.
2163         https://bugs.webkit.org/show_bug.cgi?id=189028
2164         <rdar://problem/45204939>
2165
2166         Reviewed by Saam Barati.
2167
2168         * stress/regress-189028.js: Added.
2169
2170 2018-10-22  Mark Lam  <mark.lam@apple.com>
2171
2172         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2173         https://bugs.webkit.org/show_bug.cgi?id=190515
2174         <rdar://problem/45222379>
2175
2176         Rubber-stamped by Saam Barati.
2177
2178         Adding another test.
2179
2180         * stress/regress-190515-2.js: Added.
2181
2182 2018-10-22  Mark Lam  <mark.lam@apple.com>
2183
2184         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2185         https://bugs.webkit.org/show_bug.cgi?id=190515
2186         <rdar://problem/45222379>
2187
2188         Reviewed by Saam Barati.
2189
2190         * stress/regress-190515.js: Added.
2191
2192 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2193
2194         Unreviewed, rolling out r237254.
2195         https://bugs.webkit.org/show_bug.cgi?id=190760
2196
2197         "It regresses JetStream 2 by 5% on some iOS devices"
2198         (Requested by saamyjoon on #webkit).
2199
2200         Reverted changeset:
2201
2202         "[JSC] JSC should have "parseFunction" to optimize Function
2203         constructor"
2204         https://bugs.webkit.org/show_bug.cgi?id=190340
2205         https://trac.webkit.org/changeset/237254
2206
2207 2018-10-19  Saam Barati  <sbarati@apple.com>
2208
2209         vmCall should check if we exit before emitting an OSR exit due to exceptions
2210         https://bugs.webkit.org/show_bug.cgi?id=190740
2211         <rdar://problem/45220139>
2212
2213         Reviewed by Mark Lam.
2214
2215         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2216         (foo):
2217
2218 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2219
2220         [ESNext][BigInt] Implement support for "^"
2221         https://bugs.webkit.org/show_bug.cgi?id=186235
2222
2223         Reviewed by Yusuke Suzuki.
2224
2225         * stress/big-int-bitwise-xor-general.js: Added.
2226         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2227         * stress/big-int-bitwise-xor-type-error.js: Added.
2228         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2229
2230 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2231
2232         [BigInt] Add ValueSub into DFG
2233         https://bugs.webkit.org/show_bug.cgi?id=186176
2234
2235         Reviewed by Yusuke Suzuki.
2236
2237         * stress/big-int-subtraction-jit.js:
2238         * stress/value-sub-big-int-prediction-propagation.js: Added.
2239         * stress/value-sub-big-int-untyped.js: Added.
2240         * stress/value-sub-spec-none-case.js: Added.
2241
2242 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2243
2244         [JSC] JSC should have "parseFunction" to optimize Function constructor
2245         https://bugs.webkit.org/show_bug.cgi?id=190340
2246
2247         Reviewed by Mark Lam.
2248
2249         This patch fixes the line number of syntax errors raised by the Function constructor,
2250         since we now parse the final code only once. And we no longer use block statement
2251         for Function constructor's parsing.
2252
2253         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2254         * stress/function-cache-with-parameters-end-position.js: Added.
2255         (shouldBe):
2256         (shouldThrow):
2257         (i.anonymous):
2258         * stress/function-constructor-name.js: Added.
2259         (shouldBe):
2260         (GeneratorFunction):
2261         (AsyncFunction.async):
2262         (AsyncGeneratorFunction.async):
2263         (anonymous):
2264         (async.anonymous):
2265         * test262/expectations.yaml:
2266
2267 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2268
2269         Unreviewed, rolling out r237242.
2270         https://bugs.webkit.org/show_bug.cgi?id=190701
2271
2272         it breaks "stress/sampling-profiler-basic.js" (Requested by
2273         caiolima on #webkit).
2274
2275         Reverted changeset:
2276
2277         "[BigInt] Add ValueSub into DFG"
2278         https://bugs.webkit.org/show_bug.cgi?id=186176
2279         https://trac.webkit.org/changeset/237242
2280
2281 2018-10-17  Keith Miller  <keith_miller@apple.com>
2282
2283         AI does not clear Phantom allocation nodes.
2284         https://bugs.webkit.org/show_bug.cgi?id=190694
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2289         (Day):
2290         (DaysInYear):
2291         (TimeInYear):
2292         (TimeFromYear):
2293         (DayFromYear):
2294         (InLeapYear):
2295         (YearFromTime):
2296         (WeekDay):
2297         (DaylightSavingTA):
2298         (GetSecondSundayInMarch):
2299         (TimeInMonth):
2300
2301 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2302
2303         [BigInt] Add ValueSub into DFG
2304         https://bugs.webkit.org/show_bug.cgi?id=186176
2305
2306         Reviewed by Yusuke Suzuki.
2307
2308         * stress/big-int-subtraction-jit.js:
2309         * stress/value-sub-big-int-prediction-propagation.js: Added.
2310         * stress/value-sub-big-int-untyped.js: Added.
2311
2312 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2313
2314         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2315         https://bugs.webkit.org/show_bug.cgi?id=190611
2316
2317         Reviewed by Saam Barati.
2318
2319         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2320         to improve test runtime. On ARM/MIPS this test even timed out when running all
2321         tests.
2322
2323         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2324         (test):
2325
2326 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2327
2328         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2329
2330         Unreviewed gardening.
2331
2332         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2333
2334 2018-10-15  Saam barati  <sbarati@apple.com>
2335
2336         Emit fjcvtzs on ARM64E on Darwin
2337         https://bugs.webkit.org/show_bug.cgi?id=184023
2338
2339         Reviewed by Yusuke Suzuki and Filip Pizlo.
2340
2341         * stress/double-to-int32-NaN.js: Added.
2342         (assert):
2343         (foo):
2344
2345 2018-10-15  Saam Barati  <sbarati@apple.com>
2346
2347         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2348         https://bugs.webkit.org/show_bug.cgi?id=190262
2349         <rdar://problem/44986241>
2350
2351         Reviewed by Mark Lam.
2352
2353         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2354         (test):
2355         * stress/slice-array-storage-with-holes.js: Added.
2356         (main):
2357
2358 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2359
2360         Unreviewed, rolling out r237054.
2361         https://bugs.webkit.org/show_bug.cgi?id=190593
2362
2363         "this regressed JetStream 2 by 6% on iOS" (Requested by
2364         saamyjoon on #webkit).
2365
2366         Reverted changeset:
2367
2368         "[JSC] JSC should have "parseFunction" to optimize Function
2369         constructor"
2370         https://bugs.webkit.org/show_bug.cgi?id=190340
2371         https://trac.webkit.org/changeset/237054
2372
2373 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2374
2375         [JSC] JSON.stringify can accept call-with-no-arguments
2376         https://bugs.webkit.org/show_bug.cgi?id=190343
2377
2378         Reviewed by Mark Lam.
2379
2380         * stress/json-stringify-no-arguments.js: Added.
2381         (shouldBe):
2382
2383 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2384
2385         [JSC] JSC should have "parseFunction" to optimize Function constructor
2386         https://bugs.webkit.org/show_bug.cgi?id=190340
2387
2388         Reviewed by Mark Lam.
2389
2390         This patch fixes the line number of syntax errors raised by the Function constructor,
2391         since we now parse the final code only once. And we no longer use block statement
2392         for Function constructor's parsing.
2393
2394         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2395         * stress/function-cache-with-parameters-end-position.js: Added.
2396         (shouldBe):
2397         (shouldThrow):
2398         (i.anonymous):
2399         * stress/function-constructor-name.js: Added.
2400         (shouldBe):
2401         (GeneratorFunction):
2402         (AsyncFunction.async):
2403         (AsyncGeneratorFunction.async):
2404         (anonymous):
2405         (async.anonymous):
2406         * test262/expectations.yaml:
2407
2408 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2409
2410         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2411         https://bugs.webkit.org/show_bug.cgi?id=190426
2412
2413         Unreviewed gardening.
2414
2415         * stress/sampling-profiler-richards.js:
2416
2417 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2418
2419         [ESNext][BigInt] Implement support for "|"
2420         https://bugs.webkit.org/show_bug.cgi?id=186229
2421
2422         Reviewed by Yusuke Suzuki.
2423
2424         * stress/big-int-bitwise-and-jit.js:
2425         * stress/big-int-bitwise-or-general.js: Added.
2426         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2427         * stress/big-int-bitwise-or-jit.js: Added.
2428         * stress/big-int-bitwise-or-memory-stress.js: Added.
2429         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2430         * stress/big-int-bitwise-or-type-error.js: Added.
2431         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2432
2433 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2434
2435         Skip test on systems with limited memory
2436         https://bugs.webkit.org/show_bug.cgi?id=190310
2437
2438         Invoking runDefault adds test to runlist, skipping the test in the next
2439         line does not prevent the test from executing. Change order of lines such
2440         that runDefault is only executed if test is not executed.
2441
2442         Reviewed by Mark Lam.
2443
2444         * stress/regress-190187.js:
2445
2446 2018-10-03  Saam barati  <sbarati@apple.com>
2447
2448         lowXYZ in FTLLower should always filter the type of the incoming edge
2449         https://bugs.webkit.org/show_bug.cgi?id=189939
2450         <rdar://problem/44407030>
2451
2452         Reviewed by Michael Saboff.
2453
2454         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2455         (foo):
2456         (test):
2457
2458 2018-10-03  Mark Lam  <mark.lam@apple.com>
2459
2460         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2461         https://bugs.webkit.org/show_bug.cgi?id=190187
2462         <rdar://problem/42512909>
2463
2464         Reviewed by Michael Saboff.
2465
2466         * stress/regress-190187.js: Added.
2467
2468 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2469
2470         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2471         https://bugs.webkit.org/show_bug.cgi?id=190033
2472
2473         Reviewed by Yusuke Suzuki.
2474
2475         * stress/big-int-to-string.js:
2476
2477 2018-10-01  Mark Lam  <mark.lam@apple.com>
2478
2479         Function.toString() should also copy the source code Functions that are class definitions.
2480         https://bugs.webkit.org/show_bug.cgi?id=190186
2481         <rdar://problem/44733360>
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/regress-190186.js: Added.
2486
2487 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2488
2489         Split NaN-check into separate test
2490         https://bugs.webkit.org/show_bug.cgi?id=190010
2491
2492         Reviewed by Saam Barati.
2493
2494         DataView exposes NaN-representation, which is not necessarily the same on each
2495         architecture. Therefore move the check of the NaN-representation into its own
2496         file such that we can disable this test on MIPS where NaN-representation can be
2497         different on older CPUs.
2498
2499         * stress/dataview-jit-set-nan.js: Added.
2500         (assert):
2501         (test.storeLittleEndian):
2502         (test.storeBigEndian):
2503         (test.store):
2504         (test):
2505         * stress/dataview-jit-set.js:
2506         (test5):
2507
2508 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2509
2510         Unreviewed, rolling out r236647.
2511         https://bugs.webkit.org/show_bug.cgi?id=190124
2512
2513         Breaking test stress/big-int-to-string.js (Requested by
2514         caiolima_ on #webkit).
2515
2516         Reverted changeset:
2517
2518         "[BigInt] BigInt.proptotype.toString is broken when radix is
2519         power of 2"
2520         https://bugs.webkit.org/show_bug.cgi?id=190033
2521         https://trac.webkit.org/changeset/236647
2522
2523 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2524
2525         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2526         https://bugs.webkit.org/show_bug.cgi?id=190033
2527
2528         Reviewed by Yusuke Suzuki.
2529
2530         * stress/big-int-to-string.js:
2531
2532 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2533
2534         [ESNext][BigInt] Implement support for "&"
2535         https://bugs.webkit.org/show_bug.cgi?id=186228
2536
2537         Reviewed by Yusuke Suzuki.
2538
2539         * stress/big-int-bitwise-and-general.js: Added.
2540         (assert):
2541         (assert.sameValue):
2542         * stress/big-int-bitwise-and-jit.js: Added.
2543         (let.assert.sameValue):
2544         (bigIntBitAnd):
2545         * stress/big-int-bitwise-and-memory-stress.js: Added.
2546         (assert):
2547         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2548         (assert.sameValue):
2549         (let.o.Symbol.toPrimitive):
2550         (catch):
2551         * stress/big-int-bitwise-and-type-error.js: Added.
2552         (assert):
2553         (assertThrowTypeError):
2554         (let.o.valueOf):
2555         (o.valueOf):
2556         (o.toString):
2557         (o.Symbol.toPrimitive):
2558         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2559         (assert.sameValue):
2560         (testBitAnd):
2561         (let.o.Symbol.toPrimitive):
2562         (o.valueOf):
2563         (o.toString):
2564
2565 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2566
2567         JSC test stress/jsc-read.js doesn't support CRLF
2568         https://bugs.webkit.org/show_bug.cgi?id=190063
2569
2570         Reviewed by Yusuke Suzuki.
2571
2572         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2573
2574         * stress/jsc-read.js:
2575         (test):
2576
2577 2018-09-27  Saam barati  <sbarati@apple.com>
2578
2579         Verify the contents of AssemblerBuffer on arm64e
2580         https://bugs.webkit.org/show_bug.cgi?id=190057
2581         <rdar://problem/38916630>
2582
2583         Reviewed by Mark Lam.
2584
2585         * stress/regress-189132.js:
2586
2587 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2588
2589         Disable test without LLInt on ARMv7
2590         https://bugs.webkit.org/show_bug.cgi?id=190037
2591
2592         Reviewed by Mark Lam.
2593
2594         Test runs out of executable memory on ARMv7, do not run
2595         this test without LLInt enabled.
2596
2597         * stress/regress-169445.js:
2598
2599 2018-09-26  Keith Miller  <keith_miller@apple.com>
2600
2601         We should zero unused property storage when rebalancing array storage.
2602         https://bugs.webkit.org/show_bug.cgi?id=188151
2603
2604         Reviewed by Michael Saboff.
2605
2606         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2607
2608 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2609
2610         [JSC] Optimize Array#lastIndexOf
2611         https://bugs.webkit.org/show_bug.cgi?id=189780
2612
2613         Reviewed by Saam Barati.
2614
2615         * stress/array-lastindexof-array-prototype-trap.js: Added.
2616         (shouldBe):
2617         (AncestorArray.prototype.get 2):
2618         (AncestorArray):
2619         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2620         (shouldBe):
2621         * stress/array-lastindexof-hole-nan.js: Added.
2622         (shouldBe):
2623         (throw.new.Error):
2624         * stress/array-lastindexof-infinity.js: Added.
2625         (shouldBe):
2626         (throw.new.Error):
2627         * stress/array-lastindexof-negative-zero.js: Added.
2628         (shouldBe):
2629         (throw.new.Error):
2630         * stress/array-lastindexof-own-getter.js: Added.
2631         (shouldBe):
2632         (throw.new.Error.get array):
2633         (get array):
2634         * stress/array-lastindexof-prototype-trap.js: Added.
2635         (shouldBe):
2636         (DerivedArray.prototype.get 2):
2637         (DerivedArray):
2638
2639 2018-09-25  Saam Barati  <sbarati@apple.com>
2640
2641         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2642         https://bugs.webkit.org/show_bug.cgi?id=189940
2643         <rdar://problem/43640987>
2644
2645         Reviewed by Mark Lam.
2646
2647         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2648
2649 2018-09-24  Saam Barati  <sbarati@apple.com>
2650
2651         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2652         https://bugs.webkit.org/show_bug.cgi?id=189922
2653         <rdar://problem/44651275>
2654
2655         Reviewed by Mark Lam.
2656
2657         * stress/array-indexof-fast-path-effects.js: Added.
2658         * stress/array-indexof-cached-length.js: Added.
2659
2660 2018-09-24  Saam barati  <sbarati@apple.com>
2661
2662         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2663         https://bugs.webkit.org/show_bug.cgi?id=189682
2664         <rdar://problem/43557315>
2665
2666         Reviewed by Mark Lam.
2667
2668         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2669         (foo):
2670
2671 2018-09-22  Saam barati  <sbarati@apple.com>
2672
2673         The sampling should not use Strong<CodeBlock> in its machineLocation field
2674         https://bugs.webkit.org/show_bug.cgi?id=189319
2675
2676         Reviewed by Filip Pizlo.
2677
2678         * stress/sampling-profiler-richards.js: Added.
2679
2680 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2681
2682         [JSC] Optimize Array#indexOf in C++ runtime
2683         https://bugs.webkit.org/show_bug.cgi?id=189507
2684
2685         Reviewed by Saam Barati.
2686
2687         * stress/array-indexof-array-prototype-trap.js: Added.
2688         (shouldBe):
2689         (AncestorArray.prototype.get 2):
2690         (AncestorArray):
2691         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2692         (shouldBe):
2693         * stress/array-indexof-hole-nan.js: Added.
2694         (shouldBe):
2695         (throw.new.Error):
2696         * stress/array-indexof-infinity.js: Added.
2697         (shouldBe):
2698         (throw.new.Error):
2699         * stress/array-indexof-negative-zero.js: Added.
2700         (shouldBe):
2701         (throw.new.Error):
2702         * stress/array-indexof-own-getter.js: Added.
2703         (shouldBe):
2704         (throw.new.Error.get array):
2705         (get array):
2706         * stress/array-indexof-prototype-trap.js: Added.
2707         (shouldBe):
2708         (DerivedArray.prototype.get 2):
2709         (DerivedArray):
2710
2711 2018-09-19  Saam barati  <sbarati@apple.com>
2712
2713         AI rule for MultiPutByOffset executes its effects in the wrong order
2714         https://bugs.webkit.org/show_bug.cgi?id=189757
2715         <rdar://problem/43535257>
2716
2717         Reviewed by Michael Saboff.
2718
2719         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2720         (foo):
2721         (Foo):
2722         (g):
2723
2724 2018-09-17  Mark Lam  <mark.lam@apple.com>
2725
2726         Ensure that ForInContexts are invalidated if their loop local is over-written.
2727         https://bugs.webkit.org/show_bug.cgi?id=189571
2728         <rdar://problem/44402277>
2729
2730         Reviewed by Saam Barati.
2731
2732         * stress/regress-189571.js: Added.
2733
2734 2018-09-17  Saam barati  <sbarati@apple.com>
2735
2736         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2737         https://bugs.webkit.org/show_bug.cgi?id=189676
2738         <rdar://problem/39682897>
2739
2740         Reviewed by Michael Saboff.
2741
2742         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2743         (A):
2744         (K):
2745         (i.catch):
2746
2747 2018-09-14  Saam barati  <sbarati@apple.com>
2748
2749         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2750         https://bugs.webkit.org/show_bug.cgi?id=189628
2751         <rdar://problem/39481690>
2752
2753         Reviewed by Mark Lam.
2754
2755         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2756         (foo):
2757
2758 2018-09-11  Mark Lam  <mark.lam@apple.com>
2759
2760         Test for array initialization in arrayProtoFuncSplice.
2761         https://bugs.webkit.org/show_bug.cgi?id=170253
2762         <rdar://problem/31328773>
2763
2764         Rubber-stamped by Saam Barati.
2765
2766         * stress/regress-170253.js: Added.
2767
2768 2018-09-11  Mark Lam  <mark.lam@apple.com>
2769
2770         Test for IntlObject initialization.
2771         https://bugs.webkit.org/show_bug.cgi?id=170251
2772         <rdar://problem/31328419>
2773
2774         Rubber-stamped by Saam Barati.
2775
2776         * stress/regress-170251.js: Added.
2777
2778 2018-09-11  Mark Lam  <mark.lam@apple.com>
2779
2780         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2781         https://bugs.webkit.org/show_bug.cgi?id=169889
2782         <rdar://problem/31155607>
2783
2784         Reviewed by Saam Barati.
2785
2786         * stress/regress-169889-array-concat.js: Added.
2787         * stress/regress-169889-array-concat1.js: Added.
2788         * stress/regress-169889-array-slice.js: Added.
2789
2790 2018-09-11  Mark Lam  <mark.lam@apple.com>
2791
2792         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2793         https://bugs.webkit.org/show_bug.cgi?id=169445
2794         <rdar://problem/30957435>
2795
2796         Reviewed by Saam Barati.
2797
2798         * stress/regress-169445.js: Added.
2799         (let.gun.eval.A):
2800         (let.gun.eval.B.C):
2801         (let.gun.eval.B.C.prototype.trigger):
2802         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2803         (let.gun.eval.B):
2804         (let.gun.eval):
2805
2806 == Rolled over to ChangeLog-2018-09-11 ==