[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
4         https://bugs.webkit.org/show_bug.cgi?id=196631
5
6         Reviewed by Saam Barati.
7
8         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
9         (assert):
10         (test):
11         (foo):
12
13 2019-04-04  Saam Barati  <sbarati@apple.com>
14
15         Unreviewed. Make the test from r243906 catch the thrown exceptions.
16
17         * stress/inferred-types-regex-matches-array.js:
18
19 2019-04-04  Saam Barati  <sbarati@apple.com>
20
21         createRegExpMatchesArray does not respect inferred types
22         https://bugs.webkit.org/show_bug.cgi?id=193287
23
24         Reviewed by Yusuke Suzuki.
25
26         This checks in the test case for 193287. This issue was discovered by
27         Samuel Groß of Google Project Zero.
28
29         * stress/inferred-types-regex-matches-array.js: Added.
30
31 2019-04-04  Saam Barati  <sbarati@apple.com>
32
33         Teach Call ICs how to call Wasm
34         https://bugs.webkit.org/show_bug.cgi?id=196387
35
36         Reviewed by Filip Pizlo.
37
38         * wasm/function-tests/stack-trace.js:
39
40 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
41
42         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
43         https://bugs.webkit.org/show_bug.cgi?id=194944
44
45         Reviewed by Keith Miller.
46
47         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
48
49 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
50
51         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
52         https://bugs.webkit.org/show_bug.cgi?id=196409
53
54         Reviewed by Saam Barati.
55
56         * stress/bytecode-cache-cached-string-impl.js: Added.
57         (f):
58         (g):
59         * stress/bytecode-cache-run-string.js: Added.
60
61 2019-04-03  Robin Morisset  <rmorisset@apple.com>
62
63         B3 should use associativity to optimize expression trees
64         https://bugs.webkit.org/show_bug.cgi?id=194081
65
66         Reviewed by Filip Pizlo.
67
68         Added three microbenchmarks:
69         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
70         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
71           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
72         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
73
74         * microbenchmarks/add-tree.js: Added.
75         * microbenchmarks/bit-or-tree.js: Added.
76         * microbenchmarks/bit-xor-tree.js: Added.
77
78 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
79
80         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
81         https://bugs.webkit.org/show_bug.cgi?id=196574
82
83         Reviewed by Saam Barati.
84
85         * stress/string-index-of-exception-check.js: Added.
86         (blurType):
87         (1.forEach):
88
89 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
90
91         Assertion failed in JSC::createError
92         https://bugs.webkit.org/show_bug.cgi?id=196305
93         <rdar://problem/49387382>
94
95         Reviewed by Saam Barati.
96
97         * stress/create-error-out-of-memory-rope-string-2.js: Added.
98         (assert):
99         (catch):
100
101 2019-03-28  Saam Barati  <sbarati@apple.com>
102
103         BackwardsGraph needs to consider back edges as the backward's root successor
104         https://bugs.webkit.org/show_bug.cgi?id=195991
105
106         Reviewed by Filip Pizlo.
107
108         * stress/map-b3-licm-infinite-loop.js: Added.
109
110 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
111
112         CodeBlock::jettison() should disallow repatching its own calls
113         https://bugs.webkit.org/show_bug.cgi?id=196359
114         <rdar://problem/48973663>
115
116         Reviewed by Saam Barati.
117
118         * stress/call-link-info-osrexit-repatch.js: Added.
119         (foo):
120
121 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
122
123         [JSC] imports-oom.js intermittently fails
124         https://bugs.webkit.org/show_bug.cgi?id=196373
125
126         Reviewed by Saam Barati.
127
128         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
129         with an extremely low amount of executable memory. And this test expects that we at least once successfully compile, instantiate, and execute a wasm module to test that
130         the wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation has changed,
131         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
132         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
133
134         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
135         an expected OOM error. But this avoids the situation where we get an OOM error when we compile the first wasm module.
136
137         * wasm/lowExecutableMemory/imports-oom.js:
138
139 2019-03-27  Saam Barati  <sbarati@apple.com>
140
141         validateOSREntryValue with Int52 should box the value being checked into double format
142         https://bugs.webkit.org/show_bug.cgi?id=196313
143         <rdar://problem/49306703>
144
145         Reviewed by Yusuke Suzuki.
146
147         * stress/validate-int-52-ai-state.js: Added.
148
149 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
150
151         [JSC] Owner of watchpoints should validate at GC finalizing phase
152         https://bugs.webkit.org/show_bug.cgi?id=195827
153
154         Reviewed by Filip Pizlo.
155
156         * stress/gc-should-reap-dead-watchpoints.js: Added.
157         (foo):
158         (A.prototype.y):
159         (A):
160
161 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
162
163         Skip WebAssembly test on 32-bit systems
164         https://bugs.webkit.org/show_bug.cgi?id=196206
165
166         Reviewed by Saam Barati.
167
168         Invoking runDefault executes test immediately even though
169         that test should be skipped due to missing WASM support.
170         Therefore remove runDefault.
171
172         * wasm/regress/web-assembly-link-error-exception-check.js:
173
174 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
175
176         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
177         https://bugs.webkit.org/show_bug.cgi?id=196217
178
179         Reviewed by Saam Barati.
180
181         Re-enable all NaN tests for f32.min, f64.min and f64.max.
182
183         * wasm/spec-tests/f32.wast.js:
184         * wasm/spec-tests/f64.wast.js:
185         * wasm/wasm.json:
186
187 2019-03-25  Keith Miller  <keith_miller@apple.com>
188
189         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
190         https://bugs.webkit.org/show_bug.cgi?id=196176
191
192         Reviewed by Saam Barati.
193
194         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
195         (main.v10):
196         (main):
197
198 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
199
200         WebAssembly: f32.max with NaN generates incorrect result
201         https://bugs.webkit.org/show_bug.cgi?id=175691
202         <rdar://problem/33952228>
203
204         Reviewed by Saam Barati.
205
206         Enable all f32.max NaN tests
207
208         * wasm/spec-tests/f32.wast.js:
209         * wasm/wasm.json:
210
211 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
212
213         [JSC] Move test into directory for WASM tests
214         https://bugs.webkit.org/show_bug.cgi?id=196187
215
216         Reviewed by Mark Lam.
217
218         Move Test into wasm-directory. Otherwise this test
219         is also executed on systems without WASM support.
220
221         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
222
223 2019-03-23  Mark Lam  <mark.lam@apple.com>
224
225         Rolling out r243032 and r243071 because the fix is incorrect.
226         https://bugs.webkit.org/show_bug.cgi?id=195892
227         <rdar://problem/48981239>
228
229         Not reviewed.
230
231         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
232
233 2019-03-22  Mark Lam  <mark.lam@apple.com>
234
235         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
236         https://bugs.webkit.org/show_bug.cgi?id=196154
237         <rdar://problem/49145307>
238
239         Reviewed by Filip Pizlo.
240
241         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
242         There's no need to run this test on more than 1 test configuration.
243
244         * stress/typed-array-lastIndexOf-exception-check.js: Added.
245         * stress/web-assembly-link-error-exception-check.js:
246
247 2019-03-22  Mark Lam  <mark.lam@apple.com>
248
249         Placate exception check validation in constructJSWebAssemblyLinkError().
250         https://bugs.webkit.org/show_bug.cgi?id=196152
251         <rdar://problem/49145257>
252
253         Reviewed by Michael Saboff.
254
255         * stress/web-assembly-link-error-exception-check.js: Added.
256
257 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
258
259         Skip tests running out of memory on ARM/MIPS
260         https://bugs.webkit.org/show_bug.cgi?id=196131
261
262         Unreviewed. Skip test if memory is limited.
263
264         * microbenchmarks/put-by-val-direct-large-index.js:
265
266 2019-03-21  Mark Lam  <mark.lam@apple.com>
267
268         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
269         https://bugs.webkit.org/show_bug.cgi?id=196116
270         <rdar://problem/48976951>
271
272         Reviewed by Filip Pizlo.
273
274         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
275
276 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
277
278         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
279         https://bugs.webkit.org/show_bug.cgi?id=196078
280         <rdar://problem/35925380>
281
282         Reviewed by Mark Lam.
283
284         Add a new benchmark that allocates several objects and invokes put_by_val_direct
285         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
286
287         * microbenchmarks/put-by-val-direct-large-index.js: Added.
288
289 2019-03-21  Mark Lam  <mark.lam@apple.com>
290
291         Placate exception check validation in operationArrayIndexOfString().
292         https://bugs.webkit.org/show_bug.cgi?id=196067
293         <rdar://problem/49056572>
294
295         Reviewed by Michael Saboff.
296
297         * stress/string-equal-exception-check.js: Added.
298
299 2019-03-21  Mark Lam  <mark.lam@apple.com>
300
301         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
302         https://bugs.webkit.org/show_bug.cgi?id=196055
303         <rdar://problem/49067448>
304
305         Reviewed by Yusuke Suzuki.
306
307         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
308
309 2019-03-20  Saam Barati  <sbarati@apple.com>
310
311         typeOfDoubleSum is wrong for when NaN can be produced
312         https://bugs.webkit.org/show_bug.cgi?id=196030
313
314         Reviewed by Filip Pizlo.
315
316         * stress/double-add-sub-mul-can-produce-nan.js: Added.
317         (assert):
318         (noInline.sub):
319         (noInline):
320         (assert.mul):
321         (assert.add):
322
323 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
324
325         Update the test to ensure OutOfMemoryError is thrown as intended
326         https://bugs.webkit.org/show_bug.cgi?id=196032
327         <rdar://problem/46842740>
328
329         Rubber stamped by Saam Barati.
330
331         * stress/create-error-out-of-memory-rope-string.js:
332         (assert):
333         (catch):
334
335 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
336
337         JSC::createError needs to check for OOM in errorDescriptionForValue
338         https://bugs.webkit.org/show_bug.cgi?id=196032
339         <rdar://problem/46842740>
340
341         Reviewed by Mark Lam.
342
343         * stress/create-error-out-of-memory-rope-string.js: Added.
344
345 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
346
347         Unreviewed, reduce # of iterations to avoid timing out after r242991
348         https://bugs.webkit.org/show_bug.cgi?id=195791
349
350         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
351
352         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
353
354 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
355
356         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
357         https://bugs.webkit.org/show_bug.cgi?id=195950
358
359         Unreviewed, reducing the amount of memory used on this test to avoid
360         OOM on devices with memory restrictions.
361
362         * microbenchmarks/generate-multiple-llint-entrypoints.js:
363
364 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
365
366         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
367         https://bugs.webkit.org/show_bug.cgi?id=194648
368
369         Reviewed by Keith Miller.
370
371         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
372
373 2019-03-18  Mark Lam  <mark.lam@apple.com>
374
375         Missing a ThrowScope release in JSObject::toString().
376         https://bugs.webkit.org/show_bug.cgi?id=195893
377         <rdar://problem/48970986>
378
379         Reviewed by Michael Saboff.
380
381         * stress/to-string-exception-check-release.js: Added.
382
383 2019-03-18  Mark Lam  <mark.lam@apple.com>
384
385         Structure::flattenDictionary() should clear unused property slots.
386         https://bugs.webkit.org/show_bug.cgi?id=195871
387         <rdar://problem/48959497>
388
389         Reviewed by Michael Saboff.
390
391         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
392
393 2019-03-15  Mark Lam  <mark.lam@apple.com>
394
395         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
396         https://bugs.webkit.org/show_bug.cgi?id=195827
397         <rdar://problem/48845513>
398
399         Reviewed by Filip Pizlo.
400
401         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
402
403 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
404
405         [ARM,MIPS] Skip slow tests
406         https://bugs.webkit.org/show_bug.cgi?id=195799
407
408         Unreviewed, test does not finish on ARM and MIPS within the
409         timeout limit.
410
411         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
412
413 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
414
415         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
416         https://bugs.webkit.org/show_bug.cgi?id=195791
417         <rdar://problem/48806130>
418
419         Reviewed by Mark Lam.
420
421         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
422         (foo):
423
424 2019-03-14  Saam Barati  <sbarati@apple.com>
425
426         We can't remove code after ForceOSRExit until after FixupPhase
427         https://bugs.webkit.org/show_bug.cgi?id=186916
428         <rdar://problem/41396612>
429
430         Reviewed by Yusuke Suzuki.
431
432         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
433         (foo):
434         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
435         (foo):
436
437 2019-03-13  Michael Saboff  <msaboff@apple.com>
438
439         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
440         https://bugs.webkit.org/show_bug.cgi?id=195735
441
442         Reviewed by Mark Lam.
443
444         New regression test.
445
446         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
447         (foo):
448         (bar):
449
450 2019-03-14  Saam Barati  <sbarati@apple.com>
451
452         Fixup uses KnownInt32 incorrectly in some nodes
453         https://bugs.webkit.org/show_bug.cgi?id=195279
454         <rdar://problem/47915654>
455
456         Reviewed by Yusuke Suzuki.
457
458         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
459         (foo):
460
461 2019-03-14  Keith Miller  <keith_miller@apple.com>
462
463         DFG liveness can't skip tail caller inline frames
464         https://bugs.webkit.org/show_bug.cgi?id=195715
465
466         Reviewed by Saam Barati.
467
468         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
469         (i.foo):
470
471 2019-03-13  Mark Lam  <mark.lam@apple.com>
472
473         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
474         https://bugs.webkit.org/show_bug.cgi?id=195415
475
476         Not reviewed.
477
478         Changed these tests to only run the default configuration.
479         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
480         There's no strong need to run this test on that variant.
481
482         * stress/dfg-to-string-on-int-does-gc.js:
483         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
484
485 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
486
487         String overflow when using StringBuilder in JSC::createError
488         https://bugs.webkit.org/show_bug.cgi?id=194957
489
490         Reviewed by Mark Lam.
491
492         Add test string-overflow-createError-builder.js that overflows
493         StringBuilder in notAFunctionSourceAppender. The second new test
494         string-overflow-createError-fit.js has an error message that doesn't
495         overflow, it still failed since the String's capacity can't be doubled.
496         Run test string-overflow-createError.js only in the default
497         configuration to reduce memory consumption when running the test
498         in all configurations on multiple CPUs in parallel.
499
500         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
501         (catch):
502         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
503         (catch):
504         * stress/string-overflow-createError.js:
505
506 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
507
508         [JSC] OSR entry should respect abstract values in addition to flush formats
509         https://bugs.webkit.org/show_bug.cgi?id=195653
510
511         Reviewed by Mark Lam.
512
513         * stress/osr-entry-locals-none.js: Added.
514
515 2019-03-12  Michael Saboff  <msaboff@apple.com>
516
517         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
518         https://bugs.webkit.org/show_bug.cgi?id=195613
519
520         Reviewed by Mark Lam.
521
522         New regression test.
523
524         * stress/regexp-backref-inbounds.js: Added.
525         (testRegExp):
526
527 2019-03-12  Mark Lam  <mark.lam@apple.com>
528
529         The HasIndexedProperty node does GC.
530         https://bugs.webkit.org/show_bug.cgi?id=195559
531         <rdar://problem/48767923>
532
533         Reviewed by Yusuke Suzuki.
534
535         * stress/HasIndexedProperty-does-gc.js: Added.
536
537 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
538
539         [ESNext][BigInt] Implement "~" unary operation
540         https://bugs.webkit.org/show_bug.cgi?id=182216
541
542         Reviewed by Keith Miller.
543
544         * stress/big-int-bit-not-general.js: Added.
545         * stress/big-int-bitwise-not-jit.js: Added.
546         * stress/big-int-bitwise-not-wrapped-value.js: Added.
547         * stress/bit-op-with-object-returning-int32.js:
548         * stress/bitwise-not-fixup-rules.js: Added.
549         * stress/value-bit-not-ai-rule.js: Added.
550
551 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
552
553         Invalid flags in a RegExp literal should be an early SyntaxError
554         https://bugs.webkit.org/show_bug.cgi?id=195514
555
556         Reviewed by Darin Adler.
557
558         * test262/expectations.yaml:
559         Mark 4 test cases as passing.
560
561         * stress/regexp-syntax-error-invalid-flags.js:
562         * stress/regress-161995.js: Removed.
563         Update existing test, merging in an older test for the same behavior.
564
565 2019-03-08  Mark Lam  <mark.lam@apple.com>
566
567         Stack overflow crash in JSC::JSObject::hasInstance.
568         https://bugs.webkit.org/show_bug.cgi?id=195458
569         <rdar://problem/48710195>
570
571         Reviewed by Yusuke Suzuki.
572
573         * stress/stack-overflow-in-custom-hasInstance.js: Added.
574
575 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
576
577         op_check_tdz does not def its argument
578         https://bugs.webkit.org/show_bug.cgi?id=192880
579         <rdar://problem/46221598>
580
581         Reviewed by Saam Barati.
582
583         * microbenchmarks/let-for-in.js: Added.
584         (foo):
585
586 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
587
588         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
589         https://bugs.webkit.org/show_bug.cgi?id=195429
590
591         Reviewed by Saam Barati.
592
593         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
594         (foo):
595         * stress/string-from-char-code-255.js: Added.
596
597 2019-03-06  Mark Lam  <mark.lam@apple.com>
598
599         Fix incorrect handling of try-finally completion values.
600         https://bugs.webkit.org/show_bug.cgi?id=195131
601         <rdar://problem/46222079>
602
603         Reviewed by Saam Barati and Yusuke Suzuki.
604
605         Added many permutations of new test case to test-finally.js.  test-finally.js has
606         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
607         tests pass there as well.
608
609         * stress/test-finally.js:
610
611 2019-03-06  Saam Barati  <sbarati@apple.com>
612
613         Air::reportUsedRegisters must padInterference
614         https://bugs.webkit.org/show_bug.cgi?id=195303
615         <rdar://problem/48270343>
616
617         Reviewed by Keith Miller.
618
619         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
620
621 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
622
623         [JSC] AI should not propagate AbstractValue relying on constant folding phase
624         https://bugs.webkit.org/show_bug.cgi?id=195375
625
626         Reviewed by Saam Barati.
627
628         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
629         (let.array):
630
631 2019-03-05  Saam Barati  <sbarati@apple.com>
632
633         op_switch_char broken for rope strings after JSRopeString layout rewrite
634         https://bugs.webkit.org/show_bug.cgi?id=195339
635         <rdar://problem/48592545>
636
637         Reviewed by Yusuke Suzuki.
638
639         * stress/switch-on-char-llint-rope.js: Added.
640
641 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
642
643         [JSC] Store bits for JSRopeString in 3 stores
644         https://bugs.webkit.org/show_bug.cgi?id=195234
645
646         Reviewed by Saam Barati.
647
648         * stress/null-rope-and-collectors.js: Added.
649
650 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
651
652         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
653         https://bugs.webkit.org/show_bug.cgi?id=195207
654
655         Unreviewed. After test runtime was reduced in r242213, test can be
656         run again on ARM/MIPS.
657
658         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
659
660 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
661
662         [JSC] sizeof(JSString) should be 16
663         https://bugs.webkit.org/show_bug.cgi?id=194375
664
665         Reviewed by Saam Barati.
666
667         * microbenchmarks/make-rope.js: Added.
668         (makeRope):
669         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
670         (returnRope.helper): Deleted.
671         (returnRope): Deleted.
672
673 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
676         https://bugs.webkit.org/show_bug.cgi?id=195144
677
678         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
679         Change the number from 1e8 to 1e5.
680
681         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
682         (foo):
683
684 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
685
686         Test times out on ARM/MIPS
687         https://bugs.webkit.org/show_bug.cgi?id=195168
688
689         Unreviewed. Skip test on ARM/MIPS.
690
691         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
692
693 2019-02-27  Mark Lam  <mark.lam@apple.com>
694
695         The parser is failing to record the token location of new in new.target.
696         https://bugs.webkit.org/show_bug.cgi?id=195127
697         <rdar://problem/39645578>
698
699         Reviewed by Yusuke Suzuki.
700
701         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
702
703 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
704
705         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
706         https://bugs.webkit.org/show_bug.cgi?id=195144
707         <rdar://problem/47595961>
708
709         Reviewed by Mark Lam.
710
711         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
712         (bar):
713         (foo):
714         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
715         (bar):
716         (foo):
717
718 2019-02-27  Robin Morisset  <rmorisset@apple.com>
719
720         DFG: Loop-invariant code motion (LICM) should not hoist dead code
721         https://bugs.webkit.org/show_bug.cgi?id=194945
722         <rdar://problem/48311657>
723
724         Reviewed by Mark Lam.
725
726         * stress/licm-dead-code.js: Added.
727
728 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
729
730         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
731         https://bugs.webkit.org/show_bug.cgi?id=194677
732         <rdar://problem/48112492>
733
734         Reviewed by Mark Lam.
735
736         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
737         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
738         it immediately fails due to the large size.
739
740         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
741         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
742         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
743         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
744
745         This patch changes the test to produce 16bit string from String.fromCharCode.
746
747         * stress/regress-178386.js:
748
749 2019-02-26  Mark Lam  <mark.lam@apple.com>
750
751         wasmToJS() should purify incoming NaNs.
752         https://bugs.webkit.org/show_bug.cgi?id=194807
753         <rdar://problem/48189132>
754
755         Reviewed by Saam Barati.
756
757         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
758
759 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
760
761         [JSC] Repeat string created from Array.prototype.join() take too much memory
762         https://bugs.webkit.org/show_bug.cgi?id=193912
763
764         Reviewed by Saam Barati.
765
766         Added a test and a microbenchmark for corner cases of
767         Array.prototype.join() with an uninitialized array.
768
769         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
770         * stress/array-prototype-join-uninitialized.js: Added.
771         (testArray):
772         (testABC):
773         (B):
774         (C):
775
776 2019-02-22  Robin Morisset  <rmorisset@apple.com>
777
778         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
779         https://bugs.webkit.org/show_bug.cgi?id=194953
780         <rdar://problem/47595253>
781
782         Reviewed by Saam Barati.
783
784         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
785
786         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
787
788 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
789
790         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
791         https://bugs.webkit.org/show_bug.cgi?id=172848
792         <rdar://problem/25709212>
793
794         Reviewed by Mark Lam.
795
796         * typeProfiler/inheritance.js:
797         Rewrite the test slightly for clarity. The hoisting was confusing.
798
799         * heapProfiler/class-names.js: Added.
800         (MyES5Class):
801         (MyES6Class):
802         (MyES6Subclass):
803         Test object types and improved class names.
804
805         * heapProfiler/driver/driver.js:
806         (CheapHeapSnapshotNode):
807         (CheapHeapSnapshot):
808         (createCheapHeapSnapshot):
809         (HeapSnapshot):
810         (createHeapSnapshot):
811         Update snapshot parsing from version 1 to version 2.
812
813 2019-02-19  Truitt Savell  <tsavell@apple.com>
814
815         Unreviewed, rolling out r241784.
816
817         Broke all OpenSource builds.
818
819         Reverted changeset:
820
821         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
822         instances view"
823         https://bugs.webkit.org/show_bug.cgi?id=172848
824         https://trac.webkit.org/changeset/241784
825
826 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
827
828         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
829         https://bugs.webkit.org/show_bug.cgi?id=172848
830         <rdar://problem/25709212>
831
832         Reviewed by Mark Lam.
833
834         * typeProfiler/inheritance.js:
835         Rewrite the test slightly for clarity. The hoisting was confusing.
836
837         * heapProfiler/class-names.js: Added.
838         (MyES5Class):
839         (MyES6Class):
840         (MyES6Subclass):
841         Test object types and improved class names.
842
843         * heapProfiler/driver/driver.js:
844         (CheapHeapSnapshotNode):
845         (CheapHeapSnapshot):
846         (createCheapHeapSnapshot):
847         (HeapSnapshot):
848         (createHeapSnapshot):
849         Update snapshot parsing from version 1 to version 2.
850
851 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
852
853         [ARM] Fix crash with sampling profiler
854         https://bugs.webkit.org/show_bug.cgi?id=194772
855
856         Reviewed by Mark Lam.
857
858         Do not skip test since crash with sampling profiler is now fixed.
859
860         * stress/sampling-profiler-richards.js:
861
862 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
863
864         [JSC] Add LazyClassStructure::getInitializedOnMainThread
865         https://bugs.webkit.org/show_bug.cgi?id=194784
866         <rdar://problem/48154820>
867
868         Reviewed by Mark Lam.
869
870         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
871         (getProperties):
872         (getRandomProperty):
873         (i.catch):
874
875 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
876
877         [ARM] Test gardening: Test running out of executable memory
878         https://bugs.webkit.org/show_bug.cgi?id=194771
879
880         Unreviewed. Do not run test without LLInt, test is running out of executable
881         memory on ARM otherwise.
882
883         * stress/tagged-template-object-collect.js:
884
885 2019-02-18  Tomas Popela  <tpopela@redhat.com>
886
887         Unreviewed, skip the test on platforms without sampling profiler
888
889         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
890         (platformSupportsSamplingProfiler.foo):
891         (platformSupportsSamplingProfiler.test):
892         (platformSupportsSamplingProfiler):
893         (foo): Deleted.
894         (test): Deleted.
895
896 2019-02-17  Saam Barati  <sbarati@apple.com>
897
898         Deadlock when adding a Structure property transition and then doing incremental marking
899         https://bugs.webkit.org/show_bug.cgi?id=194767
900
901         Reviewed by Mark Lam.
902
903         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
904
905 2019-02-15  Michael Saboff  <msaboff@apple.com>
906
907         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
908         https://bugs.webkit.org/show_bug.cgi?id=194558
909
910         Reviewed by Saam Barati.
911
912         New regression test.
913
914         * stress/regexp-unicode-within-string.js: Added.
915
916 2019-02-15  Mark Lam  <mark.lam@apple.com>
917
918         SamplingProfiler::stackTracesAsJSON() should escape strings.
919         https://bugs.webkit.org/show_bug.cgi?id=194649
920         <rdar://problem/48072386>
921
922         Reviewed by Saam Barati.
923
924         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
925         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
926         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
927         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
928
929 2019-02-15  Robin Morisset  <rmorisset@apple.com>
930         CodeBlock::jettison should clear related watchpoints
931         https://bugs.webkit.org/show_bug.cgi?id=194544
932
933         Reviewed by Mark Lam.
934
935         * stress/regexp-replace-double-watchpoint.js: Added.
936         (foo):
937
938 2019-02-15  Saam barati  <sbarati@apple.com>
939
940         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
941         https://bugs.webkit.org/show_bug.cgi?id=194036
942
943         Reviewed by Yusuke Suzuki.
944
945         * stress/tail-call-many-arguments.js: Added.
946         (foo):
947         (bar):
948
949 2019-02-14  Saam Barati  <sbarati@apple.com>
950
951         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
952         https://bugs.webkit.org/show_bug.cgi?id=194583
953         <rdar://problem/48028140>
954
955         Reviewed by Yusuke Suzuki.
956
957         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
958
959 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
960
961         [JSC] String.fromCharCode's slow path always generates 16bit string
962         https://bugs.webkit.org/show_bug.cgi?id=194466
963
964         Reviewed by Keith Miller.
965
966         * stress/string-from-char-code-slow-path.js: Added.
967         (shouldBe):
968         (testWithLength):
969
970 2019-02-08  Saam barati  <sbarati@apple.com>
971
972         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
973         https://bugs.webkit.org/show_bug.cgi?id=194334
974         <rdar://problem/47844327>
975
976         Reviewed by Mark Lam.
977
978         * stress/check-in-bounds-should-be-a-child-use.js: Added.
979         (func):
980
981 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
982
983         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
984         https://bugs.webkit.org/show_bug.cgi?id=194369
985         <rdar://problem/47813087>
986
987         Reviewed by Saam Barati.
988
989         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
990         (A):
991
992 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
993
994         [JSC] PrivateName to PublicName hash table is wasteful
995         https://bugs.webkit.org/show_bug.cgi?id=194277
996
997         Reviewed by Michael Saboff.
998
999         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1000
1001         * ChakraCore.yaml:
1002
1003 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1004
1005         [ARM] Test running out of executable memory
1006         https://bugs.webkit.org/show_bug.cgi?id=194285
1007
1008         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1009         executable memory otherwise.
1010
1011         * stress/class-subclassing-function.js:
1012
1013 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1014
1015         when lowering AssertNotEmpty, create the value before creating the patchpoint
1016         https://bugs.webkit.org/show_bug.cgi?id=194231
1017
1018         Reviewed by Saam Barati.
1019
1020         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1021         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1022         So even tiny changes to this test can change the code path taken.
1023
1024         * stress/assert-not-empty.js: Added.
1025         (foo):
1026
1027 2019-02-01  Mark Lam  <mark.lam@apple.com>
1028
1029         Remove invalid assertion in DFG's compileDoubleRep().
1030         https://bugs.webkit.org/show_bug.cgi?id=194130
1031         <rdar://problem/47699474>
1032
1033         Reviewed by Saam Barati.
1034
1035         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1036
1037 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1038
1039         Import latest Test262 updates.
1040
1041         Rubber-stamped by Keith Miller.
1042
1043         * test262.yaml: Deleted.
1044         * test262/config.yaml:
1045         * test262/expectations.yaml:
1046         * test262/latest-changes-summary.txt:
1047         * test262/test/:
1048         * test262/test262-Revision.txt:
1049
1050 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1051
1052         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1053         https://bugs.webkit.org/show_bug.cgi?id=194050
1054         <rdar://problem/47595592>
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         * stress/object-keys-osr-exit.js: Added.
1059         (foo):
1060         (catch):
1061
1062 2019-01-29  Mark Lam  <mark.lam@apple.com>
1063
1064         ValueRecovery::recover() should purify NaN values it recovers.
1065         https://bugs.webkit.org/show_bug.cgi?id=193978
1066         <rdar://problem/47625488>
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1071
1072 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1073
1074         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1075         https://bugs.webkit.org/show_bug.cgi?id=193713
1076
1077         * stress/try-get-by-id-should-spill-registers-dfg.js:
1078         (let.f.createBuiltin):
1079
1080 2019-01-28  Mark Lam  <mark.lam@apple.com>
1081
1082         ToString node actually does GC.
1083         https://bugs.webkit.org/show_bug.cgi?id=193920
1084         <rdar://problem/46695900>
1085
1086         Reviewed by Yusuke Suzuki.
1087
1088         * stress/dfg-to-string-on-int-does-gc.js: Added.
1089         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1090         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1091
1092 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         [JSC] NativeErrorConstructor should not have own IsoSubspace
1095         https://bugs.webkit.org/show_bug.cgi?id=193713
1096
1097         Reviewed by Saam Barati.
1098
1099         Remove @Error use.
1100
1101         * stress/try-get-by-id-should-spill-registers-dfg.js:
1102         (let.f.createBuiltin):
1103
1104 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1105
1106         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1107         https://bugs.webkit.org/show_bug.cgi?id=190693
1108
1109         Reviewed by Michael Saboff.
1110
1111         * stress/regress-190693.js: Added.
1112         (truth):
1113         (assert):
1114         (shouldThrowInvalidConstAssignment):
1115         (taz):
1116
1117 2019-01-24  Saam Barati  <sbarati@apple.com>
1118
1119         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1120         https://bugs.webkit.org/show_bug.cgi?id=193751
1121         <rdar://problem/47280215>
1122
1123         Reviewed by Michael Saboff.
1124
1125         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1126         (let.thing):
1127         (foo.let.hello):
1128         (foo):
1129
1130 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1131
1132         [JSC] Reenable baseline JIT on mips
1133         https://bugs.webkit.org/show_bug.cgi?id=192983
1134
1135         Reviewed by Mark Lam.
1136
1137         Added a new test for a case that was triggering a RELEASE_ASSERT when
1138         testing.
1139         Disable some slow tests that were already disabled for arm and x86.
1140
1141         * stress/json-parse-big-object.js: Added.
1142         * stress/new-largeish-contiguous-array-with-size.js:
1143         * stress/op_add.js:
1144         * stress/op_bitand.js:
1145         * stress/op_bitor.js:
1146         * stress/op_bitxor.js:
1147         * stress/op_lshift-ConstVar.js:
1148         * stress/op_lshift-VarConst.js:
1149         * stress/op_lshift-VarVar.js:
1150         * stress/op_mod-ConstVar.js:
1151         * stress/op_mod-VarConst.js:
1152         * stress/op_mod-VarVar.js:
1153         * stress/op_mul-ConstVar.js:
1154         * stress/op_mul-VarConst.js:
1155         * stress/op_mul-VarVar.js:
1156         * stress/op_rshift-ConstVar.js:
1157         * stress/op_rshift-VarConst.js:
1158         * stress/op_rshift-VarVar.js:
1159         * stress/op_sub-ConstVar.js:
1160         * stress/op_sub-VarConst.js:
1161         * stress/op_sub-VarVar.js:
1162         * stress/op_urshift-ConstVar.js:
1163         * stress/op_urshift-VarConst.js:
1164         * stress/op_urshift-VarVar.js:
1165         * stress/sampling-profiler-richards.js:
1166         * stress/spread-forward-call-varargs-stack-overflow.js:
1167
1168 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1169
1170         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1171         https://bugs.webkit.org/show_bug.cgi?id=193711
1172         <rdar://problem/47250262>
1173
1174         Reviewed by Saam Barati.
1175
1176         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1177         (shouldBe):
1178         (foo):
1179         (bar):
1180         (baz):
1181
1182 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1183
1184         Unreviewed, fix initial global lexical binding epoch
1185         https://bugs.webkit.org/show_bug.cgi?id=193603
1186         <rdar://problem/47380869>
1187
1188         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1189         (f1.f2.f3.f4):
1190         (f1.f2.f3):
1191         (f1.f2):
1192         (f1):
1193
1194 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1195
1196         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1197         https://bugs.webkit.org/show_bug.cgi?id=193709
1198         <rdar://problem/47363838>
1199
1200         Unreviewed, rollout to watch the tests.
1201
1202         * stress/object-tostring-changed-proto.js: Removed.
1203         * stress/object-tostring-changed.js: Removed.
1204         * stress/object-tostring-misc.js: Removed.
1205         * stress/object-tostring-other.js: Removed.
1206         * stress/object-tostring-untyped.js: Removed.
1207
1208 2019-01-22  Saam Barati  <sbarati@apple.com>
1209
1210         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1211
1212         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1213         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1214         (testUncheckedLessThanZero):
1215         (testUncheckedLessThanOrEqualZero):
1216         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1217         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1218
1219 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         [JSC] Invalidate old scope operations using global lexical binding epoch
1222         https://bugs.webkit.org/show_bug.cgi?id=193603
1223         <rdar://problem/47380869>
1224
1225         Reviewed by Saam Barati.
1226
1227         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1228         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1229         (shouldThrow):
1230         (bar):
1231         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1232         (shouldBe):
1233         (get1):
1234         (get2):
1235         (get1If):
1236         (get2If):
1237         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1238         (shouldThrow):
1239         (foo):
1240
1241 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1242
1243         Unreviewed, roll out r240220 due to date-format-xparb regression
1244         https://bugs.webkit.org/show_bug.cgi?id=193603
1245
1246         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1247         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1248         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1249         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1250
1251 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1252
1253         DoesGC rule is wrong for nodes with BigIntUse
1254         https://bugs.webkit.org/show_bug.cgi?id=193652
1255
1256         Reviewed by Saam Barati.
1257
1258         * stress/big-int-value-op-update-gc-rules.js: Added.
1259         (assert):
1260         (doesGCAdd):
1261         (doesGCSub):
1262         (doesGCDiv):
1263         (doesGCMul):
1264         (doesGCBitAnd):
1265         (doesGCBitOr):
1266         (doesGCBitXor):
1267
1268 2019-01-20  Saam Barati  <sbarati@apple.com>
1269
1270         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1271         https://bugs.webkit.org/show_bug.cgi?id=193644
1272         <rdar://problem/46209745>
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1277         (foo):
1278         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1279         (foo):
1280         (bar):
1281
1282 2019-01-20  Saam Barati  <sbarati@apple.com>
1283
1284         MovHint must merge NodeBytecodeUsesAsValue for its child
1285         https://bugs.webkit.org/show_bug.cgi?id=186916
1286         <rdar://problem/41396612>
1287
1288         Reviewed by Yusuke Suzuki.
1289
1290         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1291         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1292
1293 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1294
1295         [JSC] Invalidate old scope operations using global lexical binding epoch
1296         https://bugs.webkit.org/show_bug.cgi?id=193603
1297         <rdar://problem/47380869>
1298
1299         Reviewed by Saam Barati.
1300
1301         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1302         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1303         (shouldThrow):
1304         (bar):
1305         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1306         (shouldBe):
1307         (get1):
1308         (get2):
1309         (get1If):
1310         (get2If):
1311         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1312         (shouldThrow):
1313         (foo):
1314
1315 2019-01-17  Saam barati  <sbarati@apple.com>
1316
1317         StringObjectUse should not be a structure check for the original string object structure
1318         https://bugs.webkit.org/show_bug.cgi?id=193483
1319         <rdar://problem/47280522>
1320
1321         Reviewed by Yusuke Suzuki.
1322
1323         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1324         (foo):
1325         (a.valueOf.0):
1326
1327 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1328
1329         [JSC] ToThis omission in DFGByteCodeParser is wrong
1330         https://bugs.webkit.org/show_bug.cgi?id=193513
1331         <rdar://problem/45842236>
1332
1333         Reviewed by Saam Barati.
1334
1335         * stress/to-this-omission-with-different-strict-modes.js: Added.
1336         (thisA):
1337         (thisAStrictWrapper):
1338
1339 2019-01-15  Mark Lam  <mark.lam@apple.com>
1340
1341         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1342         https://bugs.webkit.org/show_bug.cgi?id=193423
1343         <rdar://problem/46209355>
1344
1345         Reviewed by Saam Barati.
1346
1347         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1348         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1349         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1350         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1351
1352 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1353
1354         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1355         https://bugs.webkit.org/show_bug.cgi?id=193438
1356         <rdar://problem/45581249>
1357
1358         Reviewed by Saam Barati and Keith Miller.
1359
1360         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1361         Then, GetByVal(String) crashed.
1362
1363         * stress/string-get-by-val-lowering.js: Added.
1364         (shouldBe):
1365         (test):
1366         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1367         (Hello):
1368         (foo):
1369
1370 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1371
1372         Unreviewed, skip JIT tests if it's not enabled
1373
1374         * stress/bit-op-with-object-returning-int32.js:
1375
1376 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1377
1378         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1379         https://bugs.webkit.org/show_bug.cgi?id=192966
1380
1381         Reviewed by Yusuke Suzuki.
1382
1383         * stress/bit-op-with-object-returning-int32.js: Added.
1384
1385 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1386
1387         Skip a slow test and a flakey test on arm
1388
1389         Unreviewed gardening.
1390
1391         * typeProfiler/getter-richards.js:
1392         this test always times out, it used to be always skipped on arm and
1393         mips, but got accidentally enabled by r237919 now that we have DFG on
1394         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1395
1396 2019-01-14  Keith Miller  <keith_miller@apple.com>
1397
1398         Skip type-check-hoisting-phase-hoist... with no jit
1399         https://bugs.webkit.org/show_bug.cgi?id=193421
1400
1401         Reviewed by Mark Lam.
1402
1403         It's timing out the 32-bit bots and takes 330 seconds
1404         on my machine when run by itself.
1405
1406         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1407
1408 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1409
1410         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1411         https://bugs.webkit.org/show_bug.cgi?id=193413
1412         <rdar://problem/46092389>
1413
1414         Reviewed by Keith Miller.
1415
1416         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1417         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1418         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1419         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1420
1421         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1422         (compareArray):
1423
1424 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1425
1426         [BigInt] Literal parsing is crashing when used inside a Object Literal
1427         https://bugs.webkit.org/show_bug.cgi?id=193404
1428
1429         Reviewed by Yusuke Suzuki.
1430
1431         * stress/big-int-literal-inside-literal-object.js: Added.
1432
1433 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1434
1435         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1436         https://bugs.webkit.org/show_bug.cgi?id=193372
1437
1438         Reviewed by Saam Barati.
1439
1440         * stress/typed-array-array-modes-profile.js: Added.
1441         (foo):
1442
1443 2019-01-14  Mark Lam  <mark.lam@apple.com>
1444
1445         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1446         https://bugs.webkit.org/show_bug.cgi?id=193402
1447         <rdar://problem/46012309>
1448
1449         Reviewed by Keith Miller.
1450
1451         * stress/regexp-compile-oom.js:
1452         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1453           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1454
1455 2019-01-11  Saam barati  <sbarati@apple.com>
1456
1457         DFG combined liveness can be wrong for terminal basic blocks
1458         https://bugs.webkit.org/show_bug.cgi?id=193304
1459         <rdar://problem/45268632>
1460
1461         Reviewed by Yusuke Suzuki.
1462
1463         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1464
1465 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1466
1467         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1468         https://bugs.webkit.org/show_bug.cgi?id=193308
1469         <rdar://problem/45546542>
1470
1471         Reviewed by Saam Barati.
1472
1473         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1474         (shouldThrow):
1475         (shouldBe):
1476         (foo):
1477         (get shouldThrow):
1478         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1479         (shouldThrow):
1480         (shouldBe):
1481         (foo):
1482         (get shouldBe):
1483         (get shouldThrow):
1484         (get return):
1485         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1486         (shouldThrow):
1487         (shouldBe):
1488         (foo):
1489         (get shouldBe):
1490         (get shouldThrow):
1491         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1492         (shouldThrow):
1493         (shouldBe):
1494         (foo):
1495         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1496         (shouldThrow):
1497         (shouldBe):
1498         (foo):
1499         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1500         (shouldThrow):
1501         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1502         (shouldThrow):
1503         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1504         (shouldThrow):
1505         (shouldBe):
1506         (foo):
1507         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1508         (shouldThrow):
1509         (shouldBe):
1510         (foo):
1511         (get shouldBe):
1512         (get shouldThrow):
1513         (get return):
1514         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1515         (shouldThrow):
1516         (shouldBe):
1517         (foo):
1518         (get shouldBe):
1519         (get shouldThrow):
1520         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1521         (shouldThrow):
1522         (shouldBe):
1523         (foo):
1524         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1525         (shouldThrow):
1526         (shouldBe):
1527         (foo):
1528
1529 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1530
1531         Enable DFG on ARM/Linux again
1532         https://bugs.webkit.org/show_bug.cgi?id=192496
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         Test wasn't really skipped before moving the line with skip
1537         to the top.
1538
1539         * stress/regress-192717.js:
1540
1541 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1542
1543         Unreviewed, rolling out r239825.
1544         https://bugs.webkit.org/show_bug.cgi?id=193330
1545
1546         Broke tests on armv7/linux bots (Requested by guijemont on
1547         #webkit).
1548
1549         Reverted changeset:
1550
1551         "Enable DFG on ARM/Linux again"
1552         https://bugs.webkit.org/show_bug.cgi?id=192496
1553         https://trac.webkit.org/changeset/239825
1554
1555 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1556
1557         Enable DFG on ARM/Linux again
1558         https://bugs.webkit.org/show_bug.cgi?id=192496
1559
1560         Reviewed by Yusuke Suzuki.
1561
1562         Test wasn't really skipped before moving the line with skip
1563         to the top.
1564
1565         * stress/regress-192717.js:
1566
1567 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1568
1569         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1570         https://bugs.webkit.org/show_bug.cgi?id=193127
1571
1572         Reviewed by Saam Barati.
1573
1574         * stress/array-species-create-should-handle-masquerader.js: Added.
1575         (shouldThrow):
1576         * stress/is-undefined-or-null-builtin.js: Added.
1577         (shouldBe):
1578         (isUndefinedOrNull.vm.createBuiltin):
1579
1580 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1581
1582         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1583         https://bugs.webkit.org/show_bug.cgi?id=193221
1584
1585         Reviewed by Mark Lam.
1586
1587         * stress/put-by-id-flags.js: Added.
1588         (f):
1589         (g):
1590         (numberOfDFGCompiles):
1591
1592 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1593
1594         Baseline version of get_by_id may corrupt metadata
1595         https://bugs.webkit.org/show_bug.cgi?id=193085
1596         <rdar://problem/23453006>
1597
1598         Reviewed by Saam Barati.
1599
1600         * stress/get-by-id-change-mode.js: Added.
1601         (forEach):
1602
1603 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1604
1605         [JSC] Optimize Object.prototype.toString
1606         https://bugs.webkit.org/show_bug.cgi?id=193031
1607
1608         Reviewed by Saam Barati.
1609
1610         * stress/object-tostring-changed-proto.js: Added.
1611         (shouldBe):
1612         (test):
1613         * stress/object-tostring-changed.js: Added.
1614         (shouldBe):
1615         (test):
1616         * stress/object-tostring-misc.js: Added.
1617         (shouldBe):
1618         (test):
1619         (i.switch):
1620         * stress/object-tostring-other.js: Added.
1621         (shouldBe):
1622         (test):
1623         * stress/object-tostring-untyped.js: Added.
1624         (shouldBe):
1625         (test):
1626         (i.switch):
1627
1628 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1629
1630         test262-runner misbehaves when test file YAML has a trailing space
1631         https://bugs.webkit.org/show_bug.cgi?id=193053
1632
1633         Reviewed by Yusuke Suzuki.
1634
1635         * test262/expectations.yaml:
1636         Mark two dozen tests as passing (and correct the output of another).
1637
1638 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1639
1640         Unreviewed, JSTests gardening with memoryLimited
1641
1642         * stress/string-overflow-createError.js:
1643
1644 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1645
1646         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1647         https://bugs.webkit.org/show_bug.cgi?id=193050
1648
1649         Reviewed by Yusuke Suzuki.
1650
1651         * test262.yaml:
1652         * test262/expectations.yaml:
1653         Mark 16 tests as passing.
1654
1655 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1656
1657         [BigInt] Support BigInt in JSON.stringify
1658         https://bugs.webkit.org/show_bug.cgi?id=192624
1659
1660         Reviewed by Saam Barati.
1661
1662         * stress/big-int-json-stringify-to-json.js: Added.
1663         (shouldBe):
1664         (shouldThrow):
1665         (BigInt.prototype.toJSON):
1666         (shouldBe.JSON.stringify):
1667         * stress/big-int-json-stringify.js: Added.
1668         (shouldBe):
1669         (shouldThrow):
1670
1671 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1672
1673         [JSC] Implement "well-formed JSON.stringify" proposal
1674         https://bugs.webkit.org/show_bug.cgi?id=191677
1675
1676         Reviewed by Darin Adler.
1677
1678         * stress/json-surrogate-pair.js: Added.
1679         (shouldBe):
1680         * test262/expectations.yaml:
1681
1682 2018-12-20  Keith Miller  <keith_miller@apple.com>
1683
1684         Add support for globalThis
1685         https://bugs.webkit.org/show_bug.cgi?id=165171
1686
1687         Reviewed by Mark Lam.
1688
1689         * test262/config.yaml:
1690
1691 2018-12-19  Keith Miller  <keith_miller@apple.com>
1692
1693         Update test262 configuration to not run tests dependent on ICU version.
1694         https://bugs.webkit.org/show_bug.cgi?id=192920
1695
1696         Reviewed by Saam Barati.
1697
1698         * test262/expectations.yaml:
1699
1700 2018-12-20  Mark Lam  <mark.lam@apple.com>
1701
1702         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1703         https://bugs.webkit.org/show_bug.cgi?id=192939
1704         <rdar://problem/46869516>
1705
1706         Reviewed by Keith Miller.
1707
1708         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1709
1710 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1711
1712         WTF::String and StringImpl overflow MaxLength
1713         https://bugs.webkit.org/show_bug.cgi?id=192853
1714         <rdar://problem/45726906>
1715
1716         Reviewed by Mark Lam.
1717
1718         * stress/string-16bit-repeat-overflow.js: Added.
1719         (catch):
1720
1721 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1722
1723         Unreviewed follow-up to r192914.
1724
1725         * test262/expectations.yaml:
1726         Add the last 20 missing expectations.
1727
1728 2018-12-19  Keith Miller  <keith_miller@apple.com>
1729
1730         Fix test262 expectations
1731         https://bugs.webkit.org/show_bug.cgi?id=192914
1732
1733         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1734
1735         * test262/expectations.yaml:
1736
1737 2018-12-19  Keith Miller  <keith_miller@apple.com>
1738
1739         Update test262 tests.
1740         https://bugs.webkit.org/show_bug.cgi?id=192907
1741
1742         Rubber stamped by Mark Lam.
1743
1744         * test262/*: Omitted because prepare-changelog crashes.
1745
1746 2018-12-19  Mark Lam  <mark.lam@apple.com>
1747
1748         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1749         https://bugs.webkit.org/show_bug.cgi?id=192464
1750         <rdar://problem/46519455>
1751
1752         Reviewed by Saam Barati.
1753
1754         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1755         microbenchmark.
1756
1757         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1758         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1759
1760 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1761
1762         String overflow in JSC::createError results in ASSERT in WTF::makeString
1763         https://bugs.webkit.org/show_bug.cgi?id=192833
1764         <rdar://problem/45706868>
1765
1766         Reviewed by Mark Lam.
1767
1768         * stress/string-overflow-createError.js: Added.
1769
1770 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1771
1772         Error message for `-x ** y` contains a typo.
1773         https://bugs.webkit.org/show_bug.cgi?id=192832
1774
1775         Reviewed by Saam Barati.
1776
1777         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1778         (assert.assert.return.throws):
1779         * stress/pow-expects-update-expression-on-lhs.js:
1780         (throw.new.Error):
1781         Update test expectations which match against the exact error message.
1782
1783 2018-12-18  Mark Lam  <mark.lam@apple.com>
1784
1785         Gardening: test options fix.
1786         https://bugs.webkit.org/show_bug.cgi?id=192822
1787
1788         Unreviewed.
1789
1790         * stress/json-stringify-string-builder-overflow.js:
1791
1792 2018-12-18  Mark Lam  <mark.lam@apple.com>
1793
1794         JSON.stringify() should throw OOM on StringBuilder overflows.
1795         https://bugs.webkit.org/show_bug.cgi?id=192822
1796         <rdar://problem/46670577>
1797
1798         Reviewed by Saam Barati.
1799
1800         * stress/json-stringify-string-builder-overflow.js: Added.
1801
1802 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1803
1804         Redeclaration of var over let/const/class should be a syntax error.
1805         https://bugs.webkit.org/show_bug.cgi?id=192298
1806
1807         Reviewed by Keith Miller.
1808
1809         * test262.yaml:
1810         * test262/expectations.yaml:
1811         Mark 46 tests as passing.
1812
1813         * stress/block-scope-redeclarations.js:
1814         Add some new tests.
1815
1816         * stress/for-in-invalidate-context-weird-assignments.js:
1817         * stress/for-in-tests.js:
1818         Replace tests for outdated behavior with tests for SyntaxError.
1819
1820         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1821         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1822         Update expectations.
1823
1824 2018-12-18  Mark Lam  <mark.lam@apple.com>
1825
1826         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1827         https://bugs.webkit.org/show_bug.cgi?id=191374
1828         <rdar://problem/46525447>
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1833
1834         * stress/elidable-new-object-roflcopter-then-exit.js:
1835
1836 2018-12-17  Mark Lam  <mark.lam@apple.com>
1837
1838         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1839         https://bugs.webkit.org/show_bug.cgi?id=192019
1840         <rdar://problem/46525456>
1841
1842         Reviewed by Yusuke Suzuki.
1843
1844         The test runs too slow on 32-bit.
1845
1846         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1847
1848 2018-12-17  Mark Lam  <mark.lam@apple.com>
1849
1850         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1851         https://bugs.webkit.org/show_bug.cgi?id=191373
1852         <rdar://problem/46525458>
1853
1854         Reviewed by Yusuke Suzuki.
1855
1856         The test is already slow running with a JIT on 64-bit.  It will always time out
1857         on 32-bit without a JIT.
1858
1859         * stress/materialize-regexp-cyclic-regexp.js:
1860
1861 2018-12-17  Mark Lam  <mark.lam@apple.com>
1862
1863         Array unshift/shift should not race against the AI in the compiler thread.
1864         https://bugs.webkit.org/show_bug.cgi?id=192795
1865         <rdar://problem/46724263>
1866
1867         Reviewed by Saam Barati.
1868
1869         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1870
1871 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1872
1873         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1874         https://bugs.webkit.org/show_bug.cgi?id=190047
1875
1876         Reviewed by Saam Barati.
1877
1878         * stress/object-keys-cached-zero.js: Added.
1879         (shouldBe):
1880         (test):
1881         * stress/object-keys-changed-attribute.js: Added.
1882         (shouldBe):
1883         (test):
1884         * stress/object-keys-changed-index.js: Added.
1885         (shouldBe):
1886         (test):
1887         * stress/object-keys-changed.js: Added.
1888         (shouldBe):
1889         (test):
1890         * stress/object-keys-indexed-non-cache.js: Added.
1891         (shouldBe):
1892         (test):
1893         * stress/object-keys-overrides-get-property-names.js: Added.
1894         (shouldBe):
1895         (test):
1896         (noInline):
1897
1898 2018-12-17  Mark Lam  <mark.lam@apple.com>
1899
1900         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1901         https://bugs.webkit.org/show_bug.cgi?id=192779
1902         <rdar://problem/46775869>
1903
1904         Reviewed by Saam Barati.
1905
1906         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1907
1908 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1909
1910         Unreviewed test gardening, address a syntax error in a new test.
1911
1912         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1913
1914 2018-12-17  Mark Lam  <mark.lam@apple.com>
1915
1916         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1917         https://bugs.webkit.org/show_bug.cgi?id=192776
1918         <rdar://problem/46772368>
1919
1920         Reviewed by Keith Miller.
1921
1922         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1923
1924 2018-12-17  Mark Lam  <mark.lam@apple.com>
1925
1926         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1927         https://bugs.webkit.org/show_bug.cgi?id=192770
1928         <rdar://problem/46449037>
1929
1930         Reviewed by Keith Miller.
1931
1932         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1933
1934 2018-12-14  Mark Lam  <mark.lam@apple.com>
1935
1936         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1937         https://bugs.webkit.org/show_bug.cgi?id=192717
1938         <rdar://problem/46660677>
1939
1940         Reviewed by Saam Barati.
1941
1942         * stress/regress-192717.js: Added.
1943
1944 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1945
1946         Unreviewed, rolling out r239153, r239154, and r239155.
1947         https://bugs.webkit.org/show_bug.cgi?id=192715
1948
1949         Caused flaky GC-related crashes seen with layout tests
1950         (Requested by ryanhaddad on #webkit).
1951
1952         Reverted changesets:
1953
1954         "[JSC] Optimize Object.keys by caching own keys results in
1955         StructureRareData"
1956         https://bugs.webkit.org/show_bug.cgi?id=190047
1957         https://trac.webkit.org/changeset/239153
1958
1959         "Unreviewed, build fix after r239153"
1960         https://bugs.webkit.org/show_bug.cgi?id=190047
1961         https://trac.webkit.org/changeset/239154
1962
1963         "Unreviewed, build fix after r239153, part 2"
1964         https://bugs.webkit.org/show_bug.cgi?id=190047
1965         https://trac.webkit.org/changeset/239155
1966
1967 2018-12-14  Keith Miller  <keith_miller@apple.com>
1968
1969         Callers of JSString::getIndex should check for OOM exceptions
1970         https://bugs.webkit.org/show_bug.cgi?id=192709
1971
1972         Reviewed by Mark Lam.
1973
1974         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1975
1976 2018-12-13  Mark Lam  <mark.lam@apple.com>
1977
1978         Add a missing exception check.
1979         https://bugs.webkit.org/show_bug.cgi?id=192626
1980         <rdar://problem/46662163>
1981
1982         Reviewed by Keith Miller.
1983
1984         * stress/regress-192626.js: Added.
1985
1986 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1987
1988         [BigInt] Add ValueDiv into DFG
1989         https://bugs.webkit.org/show_bug.cgi?id=186178
1990
1991         Reviewed by Yusuke Suzuki.
1992
1993         * stress/big-int-div-jit-osr.js: Added.
1994         * stress/big-int-div-jit-untyped.js: Added.
1995         * stress/value-div-fixup-int32-big-int.js: Added.
1996
1997 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1998
1999         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2000         https://bugs.webkit.org/show_bug.cgi?id=190047
2001
2002         Reviewed by Keith Miller.
2003
2004         * stress/object-keys-cached-zero.js: Added.
2005         (shouldBe):
2006         (test):
2007         * stress/object-keys-changed-attribute.js: Added.
2008         (shouldBe):
2009         (test):
2010         * stress/object-keys-changed-index.js: Added.
2011         (shouldBe):
2012         (test):
2013         * stress/object-keys-changed.js: Added.
2014         (shouldBe):
2015         (test):
2016         * stress/object-keys-indexed-non-cache.js: Added.
2017         (shouldBe):
2018         (test):
2019         * stress/object-keys-overrides-get-property-names.js: Added.
2020         (shouldBe):
2021         (test):
2022         (noInline):
2023
2024 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2025
2026         [DFG][FTL] Add NewSymbol
2027         https://bugs.webkit.org/show_bug.cgi?id=192620
2028
2029         Reviewed by Saam Barati.
2030
2031         * microbenchmarks/symbol-creation.js: Added.
2032         (test):
2033         * stress/symbol-description-identity.js: Added.
2034         (shouldBe):
2035         (test):
2036         * stress/symbol-identity.js: Added.
2037         (shouldBe):
2038         (test):
2039         * stress/symbol-with-description-throw-error.js: Added.
2040         (shouldBe):
2041         (shouldThrow):
2042         (test):
2043         (object.toString):
2044
2045 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2046
2047         [BigInt] Implement DFG/FTL typeof for BigInt
2048         https://bugs.webkit.org/show_bug.cgi?id=192619
2049
2050         Reviewed by Keith Miller.
2051
2052         * stress/big-int-boolean-proven-type.js: Added.
2053         (assert):
2054         (bool):
2055         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2056         (assert):
2057         (typeOf):
2058         (i.switch):
2059         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2060         (assert):
2061         (typeOf):
2062         * stress/big-int-type-of.js:
2063         (typeOf):
2064         (func):
2065
2066 2018-12-10  Mark Lam  <mark.lam@apple.com>
2067
2068         PropertyAttribute needs a CustomValue bit.
2069         https://bugs.webkit.org/show_bug.cgi?id=191993
2070         <rdar://problem/46264467>
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/regress-191993.js: Added.
2075
2076 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2077
2078         [BigInt] Add ValueMul into DFG
2079         https://bugs.webkit.org/show_bug.cgi?id=186175
2080
2081         Reviewed by Yusuke Suzuki.
2082
2083         * stress/big-int-mul-jit-osr.js: Added.
2084         * stress/big-int-mul-jit-untyped.js: Added.
2085         * stress/value-mul-fixup-int32-big-int.js: Added.
2086
2087 2018-12-06  Keith Miller  <keith_miller@apple.com>
2088
2089         stress/big-wasm-memory tests failing on 32-bit JSC bot
2090         https://bugs.webkit.org/show_bug.cgi?id=192020
2091
2092         Reviewed by Saam Barati.
2093
2094         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2095         the wasm stress tests if the WebAssembly object does not exist.
2096
2097         * stress/big-wasm-memory-grow-no-max.js:
2098         (test.foo):
2099         (test):
2100         (foo): Deleted.
2101         (catch): Deleted.
2102         * stress/big-wasm-memory-grow.js:
2103         (test.foo):
2104         (test):
2105         (foo): Deleted.
2106         (catch): Deleted.
2107         * stress/big-wasm-memory.js:
2108         (test.foo):
2109         (test):
2110         (foo): Deleted.
2111         (catch): Deleted.
2112
2113 2018-12-05  Mark Lam  <mark.lam@apple.com>
2114
2115         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2116         https://bugs.webkit.org/show_bug.cgi?id=192441
2117         <rdar://problem/46480355>
2118
2119         Reviewed by Saam Barati.
2120
2121         * stress/regress-192441.js: Added.
2122
2123 2018-12-04  Mark Lam  <mark.lam@apple.com>
2124
2125         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2126         https://bugs.webkit.org/show_bug.cgi?id=192386
2127         <rdar://problem/46445516>
2128
2129         Reviewed by Saam Barati.
2130
2131         * stress/regress-192386.js: Added.
2132
2133 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2134
2135         [ESNext][BigInt] Support logic operations
2136         https://bugs.webkit.org/show_bug.cgi?id=179903
2137
2138         Reviewed by Yusuke Suzuki.
2139
2140         * stress/big-int-branch-usage.js: Added.
2141         * stress/big-int-logical-and.js: Added.
2142         * stress/big-int-logical-not.js: Added.
2143         * stress/big-int-logical-or.js: Added.
2144
2145 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2146
2147         Unreviewed, rolling out r238833.
2148
2149         Breaks macOS and iOS debug builds.
2150
2151         Reverted changeset:
2152
2153         "[ESNext][BigInt] Support logic operations"
2154         https://bugs.webkit.org/show_bug.cgi?id=179903
2155         https://trac.webkit.org/changeset/238833
2156
2157 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2158
2159         [ESNext][BigInt] Support logic operations
2160         https://bugs.webkit.org/show_bug.cgi?id=179903
2161
2162         Reviewed by Yusuke Suzuki.
2163
2164         * stress/big-int-branch-usage.js: Added.
2165         * stress/big-int-logical-and.js: Added.
2166         * stress/big-int-logical-not.js: Added.
2167         * stress/big-int-logical-or.js: Added.
2168
2169 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2170
2171         [ESNext][BigInt] Implement support for "<<" and ">>"
2172         https://bugs.webkit.org/show_bug.cgi?id=186233
2173
2174         Reviewed by Yusuke Suzuki.
2175
2176         * stress/big-int-left-shift-general.js: Added.
2177         * stress/big-int-left-shift-range-error.js: Added.
2178         * stress/big-int-left-shift-type-error.js: Added.
2179         * stress/big-int-left-shift-wrapped-value.js: Added.
2180         * stress/big-int-right-shift-general.js: Added.
2181         * stress/big-int-right-shift-type-error.js: Added.
2182         * stress/big-int-right-shift-wrapped-value.js: Added.
2183         * stress/left-shift-to-primitive-precedence.js: Added.
2184         * stress/right-shift-to-primitive-precedence.js: Added.
2185
2186 2018-11-30  Dean Jackson  <dino@apple.com>
2187
2188         Add first-class support for .mjs files in jsc binary
2189         https://bugs.webkit.org/show_bug.cgi?id=192190
2190         <rdar://problem/46375715>
2191
2192         Reviewed by Keith Miller.
2193
2194         * stress/simple-module.mjs: Added.
2195         * stress/simple-script.js: Added.
2196
2197 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2198
2199         [BigInt] Implement ValueBitXor into DFG
2200         https://bugs.webkit.org/show_bug.cgi?id=190264
2201
2202         Reviewed by Yusuke Suzuki.
2203
2204         * stress/big-int-bitwise-xor-jit.js: Added.
2205         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2206         * stress/big-int-bitwise-xor-untyped.js: Added.
2207
2208 2018-11-27  Saam barati  <sbarati@apple.com>
2209
2210         r238510 broke scopes of size zero
2211         https://bugs.webkit.org/show_bug.cgi?id=192033
2212         <rdar://problem/46281734>
2213
2214         Reviewed by Keith Miller.
2215
2216         * stress/r238510-bad-loop.js: Added.
2217         (foo):
2218
2219 2018-11-27  Mark Lam  <mark.lam@apple.com>
2220
2221         [Re-landing] NaNs read from Wasm code needs to be purified.
2222         https://bugs.webkit.org/show_bug.cgi?id=191056
2223         <rdar://problem/45660341>
2224
2225         Reviewed by Filip Pizlo.
2226
2227         * wasm/regress/regress-191056.js: Added.
2228
2229 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2230
2231         Unreviewed, rolling out r238509.
2232
2233         Causes JSC tests to fail on iOS.
2234
2235         Reverted changeset:
2236
2237         "NaNs read from Wasm code needs to be purified."
2238         https://bugs.webkit.org/show_bug.cgi?id=191056
2239         https://trac.webkit.org/changeset/238509
2240
2241 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2242
2243         Re-introduce op_bitnot
2244         https://bugs.webkit.org/show_bug.cgi?id=190923
2245
2246         Reviewed by Yusuke Suzuki.
2247
2248         * stress/bit-not-must-generate.js: Added.
2249         * stress/bitwise-not-no-int32.js: Added.
2250
2251 2018-11-26  Saam barati  <sbarati@apple.com>
2252
2253         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2254         https://bugs.webkit.org/show_bug.cgi?id=191956
2255         <rdar://problem/45665806>
2256
2257         Reviewed by Yusuke Suzuki.
2258
2259         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2260         (bar):
2261         (foo):
2262
2263 2018-11-26  Saam barati  <sbarati@apple.com>
2264
2265         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2266         https://bugs.webkit.org/show_bug.cgi?id=191958
2267         <rdar://problem/46221877>
2268
2269         Reviewed by Yusuke Suzuki.
2270
2271         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2272         (x):
2273         (foo):
2274
2275 2018-11-26  Mark Lam  <mark.lam@apple.com>
2276
2277         NaNs read from Wasm code needs to be purified.
2278         https://bugs.webkit.org/show_bug.cgi?id=191056
2279         <rdar://problem/45660341>
2280
2281         Reviewed by Filip Pizlo.
2282
2283         * wasm/regress/regress-191056.js: Added.
2284
2285 2018-11-26  Michael Saboff  <msaboff@apple.com>
2286
2287         32-bit JSC test failure: stress/regexp-compile-oom.js
2288         https://bugs.webkit.org/show_bug.cgi?id=191375
2289
2290         Reviewed by Mark Lam.
2291
2292         Disabled the test for 32 bit platforms.
2293
2294         * stress/regexp-compile-oom.js:
2295
2296 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2297
2298         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2299         https://bugs.webkit.org/show_bug.cgi?id=191716
2300         <rdar://problem/45723878>
2301
2302         Reviewed by Saam Barati.
2303
2304         * stress/regress-187373.js: Added.
2305         (async.fn):
2306
2307 2018-11-21  Saam barati  <sbarati@apple.com>
2308
2309         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2310         https://bugs.webkit.org/show_bug.cgi?id=191897
2311         <rdar://problem/45871998>
2312
2313         Reviewed by Mark Lam.
2314
2315         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2316         (bar):
2317         (foo):
2318
2319 2018-11-21  Saam barati  <sbarati@apple.com>
2320
2321         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2322         https://bugs.webkit.org/show_bug.cgi?id=191895
2323         <rdar://problem/46167406>
2324
2325         Reviewed by Mark Lam.
2326
2327         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2328         (foo):
2329         (bar):
2330
2331 2018-11-21  Mark Lam  <mark.lam@apple.com>
2332
2333         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2334         https://bugs.webkit.org/show_bug.cgi?id=191776
2335         <rdar://problem/46152851>
2336
2337         Reviewed by Saam Barati.
2338
2339         * stress/big-wasm-memory-grow-no-max.js:
2340         * stress/big-wasm-memory-grow.js:
2341         * stress/big-wasm-memory.js:
2342         - updated these to expect an OutOfMemoryError.
2343
2344         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2345         (Binary.prototype.emit_u8):
2346         (Binary.prototype.emit_u32v):
2347         (Binary.prototype.emit_header):
2348         (Binary.prototype.emit_section):
2349         (Binary):
2350         (WasmModuleBuilder):
2351         (WasmModuleBuilder.prototype.addMemory):
2352         (WasmModuleBuilder.prototype.toArray):
2353         (WasmModuleBuilder.prototype.toBuffer):
2354         (WasmModuleBuilder.prototype.instantiate):
2355         (catch):
2356         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2357         (catch):
2358
2359 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2360
2361         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2362         https://bugs.webkit.org/show_bug.cgi?id=190836
2363
2364         Reviewed by Saam Barati and Yusuke Suzuki.
2365
2366         * stress/big-int-out-of-memory-tests.js: Added.
2367
2368 2018-11-20  Mark Lam  <mark.lam@apple.com>
2369
2370         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2371         https://bugs.webkit.org/show_bug.cgi?id=191856
2372         <rdar://problem/46089992>
2373
2374         Reviewed by Yusuke Suzuki.
2375
2376         * stress/regress-191856.js: Added.
2377         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2378
2379 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2380
2381         Enable JIT on ARM/Linux
2382         https://bugs.webkit.org/show_bug.cgi?id=191548
2383
2384         Reviewed by Yusuke Suzuki.
2385
2386         Disable test on system with limited memory. Program was killed by
2387         the OS before the exception was thrown.
2388
2389         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2390
2391 2018-11-20  Saam barati  <sbarati@apple.com>
2392
2393         Merging an IC variant may lead to the IC status containing overlapping structure sets
2394         https://bugs.webkit.org/show_bug.cgi?id=191869
2395         <rdar://problem/45403453>
2396
2397         Reviewed by Mark Lam.
2398
2399         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2400
2401 2018-11-19  Mark Lam  <mark.lam@apple.com>
2402
2403         globalFuncImportModule() should return a promise when it clears exceptions.
2404         https://bugs.webkit.org/show_bug.cgi?id=191792
2405         <rdar://problem/46090763>
2406
2407         Reviewed by Michael Saboff.
2408
2409         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2410
2411 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2412
2413         Skip new memory-hungry tests on memory limited devices
2414
2415         Unreviewed gardening.
2416
2417         * stress/big-wasm-memory-grow-no-max.js:
2418         * stress/big-wasm-memory-grow.js:
2419         * stress/big-wasm-memory.js:
2420
2421 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2422
2423         Unreviewed, rolling in the rest of r237254
2424         https://bugs.webkit.org/show_bug.cgi?id=190340
2425
2426         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2427         * stress/function-cache-with-parameters-end-position.js: Added.
2428         (shouldBe):
2429         (shouldThrow):
2430         (i.anonymous):
2431         * stress/function-constructor-name.js: Added.
2432         (shouldBe):
2433         (GeneratorFunction):
2434         (AsyncFunction.async):
2435         (AsyncGeneratorFunction.async):
2436         (anonymous):
2437         (async.anonymous):
2438         * test262/expectations.yaml:
2439
2440 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2441
2442         All users of ArrayBuffer should agree on the same max size
2443         https://bugs.webkit.org/show_bug.cgi?id=191771
2444
2445         Reviewed by Mark Lam.
2446
2447         * stress/big-wasm-memory-grow-no-max.js: Added.
2448         (foo):
2449         (catch):
2450         * stress/big-wasm-memory-grow.js: Added.
2451         (foo):
2452         (catch):
2453         * stress/big-wasm-memory.js: Added.
2454         (foo):
2455         (catch):
2456
2457 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2458
2459         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2460         run for each JSC config since they're regression tests for runtime bugs.
2461
2462         * stress/json-stringified-overflow-2.js:
2463         * stress/json-stringified-overflow.js:
2464
2465 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2466
2467         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2468         config since they're regression tests for runtime bugs.
2469
2470         * stress/large-unshift-splice.js:
2471         * stress/regress-185888.js:
2472
2473 2018-11-16  Saam Barati  <sbarati@apple.com>
2474
2475         KnownCellUse should also have SpecCellCheck as its type filter
2476         https://bugs.webkit.org/show_bug.cgi?id=191729
2477         <rdar://problem/45872852>
2478
2479         Reviewed by Filip Pizlo.
2480
2481         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2482         (C):
2483
2484 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2485
2486         Fix assertion failure on BytecodeGenerator::recordOpcode
2487         https://bugs.webkit.org/show_bug.cgi?id=191724
2488         <rdar://problem/45724395>
2489
2490         Reviewed by Saam Barati.
2491
2492         * stress/regress-187373-2.js: Added.
2493         (foo):
2494
2495 2018-11-15  Mark Lam  <mark.lam@apple.com>
2496
2497         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2498         https://bugs.webkit.org/show_bug.cgi?id=191730
2499         <rdar://problem/46048517>
2500
2501         Reviewed by Saam Barati.
2502
2503         * stress/regress-187006.js: Removed.
2504           - this test is invalid because its sole purpose is to test for the non-spec
2505             compliant behavior that we just fixed.
2506
2507         * stress/regress-191730.js: Added.
2508
2509 2018-11-15  Mark Lam  <mark.lam@apple.com>
2510
2511         RegExp operations should not take fast path if lastIndex is not numeric.
2512         https://bugs.webkit.org/show_bug.cgi?id=191731
2513         <rdar://problem/46017305>
2514
2515         Reviewed by Saam Barati.
2516
2517         * stress/regress-191731.js: Added.
2518
2519 2018-11-13  Saam Barati  <sbarati@apple.com>
2520
2521         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2522         https://bugs.webkit.org/show_bug.cgi?id=191600
2523
2524         Reviewed by Mark Lam.
2525
2526         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2527         (foo):
2528         (test):
2529         (bar):
2530
2531 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2532
2533         Unreviewed, rolling out r238132.
2534
2535         The test added with this change is timing out on Debug JSC
2536         bots.
2537
2538         Reverted changeset:
2539
2540         "[BigInt] JSBigInt::createWithLength should throw when length
2541         is greater than JSBigInt::maxLength"
2542         https://bugs.webkit.org/show_bug.cgi?id=190836
2543         https://trac.webkit.org/changeset/238132
2544
2545 2018-11-13  Mark Lam  <mark.lam@apple.com>
2546
2547         Add OOM detection to StringPrototype's substituteBackreferences().
2548         https://bugs.webkit.org/show_bug.cgi?id=191563
2549         <rdar://problem/45720428>
2550
2551         Reviewed by Saam Barati.
2552
2553         * stress/regress-191563.js: Added.
2554
2555 2018-11-13  Mark Lam  <mark.lam@apple.com>
2556
2557         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2558         https://bugs.webkit.org/show_bug.cgi?id=191579
2559         <rdar://problem/45942472>
2560
2561         Reviewed by Saam Barati.
2562
2563         * stress/regress-191579.js: Added.
2564
2565 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2566
2567         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2568         https://bugs.webkit.org/show_bug.cgi?id=190836
2569
2570         Reviewed by Saam Barati.
2571
2572         * stress/big-int-out-of-memory-tests.js: Added.
2573
2574 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2575
2576         U+180E is no longer a whitespace character
2577         https://bugs.webkit.org/show_bug.cgi?id=191415
2578
2579         Reviewed by Saam Barati.
2580
2581         * ChakraCore/test/es5/regexSpace.baseline:
2582         * ChakraCore/test/es6/unicode_whitespace.js:
2583         Update tests to latest version.
2584         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2585
2586         * test262.yaml:
2587         * test262/config.yaml:
2588         * test262/expectations.yaml:
2589         Update expectations.
2590
2591 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2592
2593         [BigInt] Add support to BigInt into ValueAdd
2594         https://bugs.webkit.org/show_bug.cgi?id=186177
2595
2596         Reviewed by Keith Miller.
2597
2598         * stress/big-int-negate-jit.js:
2599         * stress/value-add-big-int-and-string.js: Added.
2600         * stress/value-add-big-int-prediction-propagation.js: Added.
2601         * stress/value-add-big-int-untyped.js: Added.
2602
2603 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2604
2605         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2606         https://bugs.webkit.org/show_bug.cgi?id=191184
2607
2608         Reviewed by Saam Barati.
2609
2610         Most tests were failing due to timeouts, since they are too slow to
2611         run on CLoop. The exceptions are:
2612
2613         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2614         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2615         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2616         to change the stack size since CLoop requires it to be page aligned.
2617
2618         * microbenchmarks/array-push-1.js:
2619         * microbenchmarks/array-push-2.js:
2620         * microbenchmarks/elidable-new-object-dag.js:
2621         * microbenchmarks/elidable-new-object-roflcopter.js:
2622         * microbenchmarks/elidable-new-object-tree.js:
2623         * microbenchmarks/getter-richards.js:
2624         * microbenchmarks/sinkable-new-object-dag.js:
2625         * microbenchmarks/string-concat-long-convert.js:
2626         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2627         * slowMicrobenchmarks/array-push-3.js:
2628         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2629         * slowMicrobenchmarks/spread-small-array.js:
2630         * slowMicrobenchmarks/undefined-property-access.js:
2631         * stress/activation-sink-default-value-tdz-error.js:
2632         * stress/activation-sink-default-value.js:
2633         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2634         * stress/activation-sink-osrexit-default-value.js:
2635         * stress/activation-sink-osrexit.js:
2636         * stress/activation-sink.js:
2637         * stress/allow-math-ic-b3-code-duplication.js:
2638         * stress/array-push-multiple-int32.js:
2639         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2640         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2641         * stress/arrowfunction-lexical-this-activation-sink.js:
2642         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2643         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2644         * stress/elide-new-object-dag-then-exit.js:
2645         * stress/materialize-regexp-cyclic.js:
2646         * stress/new-regex-inline.js:
2647         * stress/op_add.js:
2648         * stress/op_bitand.js:
2649         * stress/op_bitor.js:
2650         * stress/op_bitxor.js:
2651         * stress/op_div-ConstVar.js:
2652         * stress/op_div-VarConst.js:
2653         * stress/op_div-VarVar.js:
2654         * stress/op_lshift-ConstVar.js:
2655         * stress/op_lshift-VarConst.js:
2656         * stress/op_lshift-VarVar.js:
2657         * stress/op_mod-ConstVar.js:
2658         * stress/op_mod-VarConst.js:
2659         * stress/op_mod-VarVar.js:
2660         * stress/op_mul-ConstVar.js:
2661         * stress/op_mul-VarConst.js:
2662         * stress/op_mul-VarVar.js:
2663         * stress/op_rshift-ConstVar.js:
2664         * stress/op_rshift-VarConst.js:
2665         * stress/op_rshift-VarVar.js:
2666         * stress/op_sub-ConstVar.js:
2667         * stress/op_sub-VarConst.js:
2668         * stress/op_sub-VarVar.js:
2669         * stress/op_urshift-ConstVar.js:
2670         * stress/op_urshift-VarConst.js:
2671         * stress/op_urshift-VarVar.js:
2672         * stress/proxy-get-set-correct-receiver.js:
2673         * stress/regress-179562.js:
2674         * stress/rest-parameter-many-arguments.js:
2675         * stress/sampling-profiler-richards.js:
2676         * stress/splay-flash-access-1ms.js:
2677         * stress/tailCallForwardArguments.js:
2678         * stress/typed-array-get-by-val-profiling.js:
2679         * typeProfiler/getter-richards.js:
2680
2681 2018-11-06  Michael Saboff  <msaboff@apple.com>
2682
2683         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2684         https://bugs.webkit.org/show_bug.cgi?id=191271
2685
2686         Reviewed by Saam Barati.
2687
2688         Added more test cases and made all test cases run with the same deeply recursive stack
2689         instead of finding that same point for each test case.
2690
2691         * stress/regexp-compile-oom.js:
2692         (prototype.runTest):
2693         (recurseAndTest):
2694         (testList.push.new.TestAndExpectedException):
2695
2696 2018-11-05  Michael Saboff  <msaboff@apple.com>
2697
2698         Unreviewed build fix for linux.
2699
2700         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2701
2702 2018-11-02  Michael Saboff  <msaboff@apple.com>
2703
2704         Rolling in r237753 with unreviewed build fix.
2705
2706         Fixed issues with DECLARE_THROW_SCOPE placement.
2707
2708 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2709
2710         Unreviewed, rolling out r237753.
2711
2712         Introduced JSC test failures
2713
2714         Reverted changeset:
2715
2716         "Running out of stack space not properly handled in
2717         RegExp::compile() and its callers"
2718         https://bugs.webkit.org/show_bug.cgi?id=191206
2719         https://trac.webkit.org/changeset/237753
2720
2721 2018-11-02  Michael Saboff  <msaboff@apple.com>
2722
2723         Running out of stack space not properly handled in RegExp::compile() and its callers
2724         https://bugs.webkit.org/show_bug.cgi?id=191206
2725
2726         Reviewed by Filip Pizlo.
2727
2728         New regression test.
2729
2730         * stress/regexp-compile-oom.js: Added.
2731         (recurseAndTest):
2732
2733 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2734
2735         Skip tests on arm/mips that time out now we're running on CLoop
2736
2737         Unreviewed gardening.
2738
2739         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2740         time out on the bots and need to be disabled. There's more tests
2741         disabled on arm because the timeout is longer on the mips bot (as the
2742         device is slower to start with), so many of the tests don't time out
2743         there.
2744
2745         * microbenchmarks/getter-richards.js: disable on arm and mips.
2746         * stress/op_add.js: disable on arm.
2747         * stress/op_bitand.js: disable on arm.
2748         * stress/op_bitor.js: disable on arm.
2749         * stress/op_bitxor.js: disable on arm.
2750         * stress/op_lshift-ConstVar.js: disable on arm.
2751         * stress/op_lshift-VarConst.js: disable on arm.
2752         * stress/op_lshift-VarVar.js: disable on arm.
2753         * stress/op_mod-ConstVar.js: disable on arm.
2754         * stress/op_mod-VarConst.js: disable on arm.
2755         * stress/op_mod-VarVar.js: disable on arm.
2756         * stress/op_mul-ConstVar.js: disable on arm.
2757         * stress/op_mul-VarConst.js: disable on arm.
2758         * stress/op_mul-VarVar.js: disable on arm.
2759         * stress/op_rshift-ConstVar.js: disable on arm.
2760         * stress/op_rshift-VarConst.js: disable on arm.
2761         * stress/op_rshift-VarVar.js: disable on arm.
2762         * stress/op_sub-ConstVar.js: disable on arm.
2763         * stress/op_sub-VarConst.js: disable on arm.
2764         * stress/op_sub-VarVar.js: disable on arm.
2765         * stress/op_urshift-ConstVar.js: disable on arm.
2766         * stress/op_urshift-VarConst.js: disable on arm.
2767         * stress/op_urshift-VarVar.js: disable on arm.
2768         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2769         * stress/value-to-boolean.js: disable on arm and mips.
2770
2771 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2772
2773         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2774         https://bugs.webkit.org/show_bug.cgi?id=191108
2775         <rdar://problem/45690700>
2776
2777         Reviewed by Saam Barati.
2778
2779         * stress/wide-op_catch.js: Added.
2780         (catch):
2781
2782 2018-10-29  Mark Lam  <mark.lam@apple.com>
2783
2784         Correctly detect string overflow when using the 'Function' constructor.
2785         https://bugs.webkit.org/show_bug.cgi?id=184883
2786         <rdar://problem/36320331>
2787
2788         Reviewed by Saam Barati.
2789
2790         I've verified that this passes on 32-bit as well.
2791
2792         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2793
2794 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2795
2796         Add support for GetStack FlushedDouble
2797         https://bugs.webkit.org/show_bug.cgi?id=191012
2798         <rdar://problem/45265141>
2799
2800         Reviewed by Saam Barati.
2801
2802         * stress/get-stack-double.js: Added.
2803         (bar):
2804         (noInline):
2805
2806 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2807
2808         New bytecode format for JSC
2809         https://bugs.webkit.org/show_bug.cgi?id=187373
2810         <rdar://problem/44186758>
2811
2812         Reviewed by Filip Pizlo.
2813
2814         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2815
2816         * stress/maximum-inline-capacity.js: Added.
2817         (test1):
2818         (test3.Foo):
2819         (test3):
2820
2821 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2822
2823         Unreviewed, rolling out r237479 and r237484.
2824         https://bugs.webkit.org/show_bug.cgi?id=190978
2825
2826         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2827
2828         Reverted changesets:
2829
2830         "New bytecode format for JSC"
2831         https://bugs.webkit.org/show_bug.cgi?id=187373
2832         https://trac.webkit.org/changeset/237479
2833
2834         "Gardening: Build fix after r237479."
2835         https://bugs.webkit.org/show_bug.cgi?id=187373
2836         https://trac.webkit.org/changeset/237484
2837
2838 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2839
2840         New bytecode format for JSC
2841         https://bugs.webkit.org/show_bug.cgi?id=187373
2842         <rdar://problem/44186758>
2843
2844         Reviewed by Filip Pizlo.
2845
2846         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2847
2848         * stress/maximum-inline-capacity.js: Added.
2849         (test1):
2850         (test3.Foo):
2851         (test3):
2852
2853 2018-10-26  Mark Lam  <mark.lam@apple.com>
2854
2855         Fix missing edge cases with JSGlobalObjects having a bad time.
2856         https://bugs.webkit.org/show_bug.cgi?id=189028
2857         <rdar://problem/45204939>
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/regress-189028.js: Added.
2862
2863 2018-10-22  Mark Lam  <mark.lam@apple.com>
2864
2865         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2866         https://bugs.webkit.org/show_bug.cgi?id=190515
2867         <rdar://problem/45222379>
2868
2869         Rubber-stamped by Saam Barati.
2870
2871         Adding another test.
2872
2873         * stress/regress-190515-2.js: Added.
2874
2875 2018-10-22  Mark Lam  <mark.lam@apple.com>
2876
2877         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2878         https://bugs.webkit.org/show_bug.cgi?id=190515
2879         <rdar://problem/45222379>
2880
2881         Reviewed by Saam Barati.
2882
2883         * stress/regress-190515.js: Added.
2884
2885 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2886
2887         Unreviewed, rolling out r237254.
2888         https://bugs.webkit.org/show_bug.cgi?id=190760
2889
2890         "It regresses JetStream 2 by 5% on some iOS devices"
2891         (Requested by saamyjoon on #webkit).
2892
2893         Reverted changeset:
2894
2895         "[JSC] JSC should have "parseFunction" to optimize Function
2896         constructor"
2897         https://bugs.webkit.org/show_bug.cgi?id=190340
2898         https://trac.webkit.org/changeset/237254
2899
2900 2018-10-19  Saam Barati  <sbarati@apple.com>
2901
2902         vmCall should check if we exit before emitting an OSR exit due to exceptions
2903         https://bugs.webkit.org/show_bug.cgi?id=190740
2904         <rdar://problem/45220139>
2905
2906         Reviewed by Mark Lam.
2907
2908         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2909         (foo):
2910
2911 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2912
2913         [ESNext][BigInt] Implement support for "^"
2914         https://bugs.webkit.org/show_bug.cgi?id=186235
2915
2916         Reviewed by Yusuke Suzuki.
2917
2918         * stress/big-int-bitwise-xor-general.js: Added.
2919         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2920         * stress/big-int-bitwise-xor-type-error.js: Added.
2921         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2922
2923 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2924
2925         [BigInt] Add ValueSub into DFG
2926         https://bugs.webkit.org/show_bug.cgi?id=186176
2927
2928         Reviewed by Yusuke Suzuki.
2929
2930         * stress/big-int-subtraction-jit.js:
2931         * stress/value-sub-big-int-prediction-propagation.js: Added.
2932         * stress/value-sub-big-int-untyped.js: Added.
2933         * stress/value-sub-spec-none-case.js: Added.
2934
2935 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2936
2937         [JSC] JSC should have "parseFunction" to optimize Function constructor
2938         https://bugs.webkit.org/show_bug.cgi?id=190340
2939
2940         Reviewed by Mark Lam.
2941
2942         This patch fixes the line number of syntax errors raised by the Function constructor,
2943         since we now parse the final code only once. And we no longer use block statement
2944         for Function constructor's parsing.
2945
2946         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2947         * stress/function-cache-with-parameters-end-position.js: Added.
2948         (shouldBe):
2949         (shouldThrow):
2950         (i.anonymous):
2951         * stress/function-constructor-name.js: Added.
2952         (shouldBe):
2953         (GeneratorFunction):
2954         (AsyncFunction.async):
2955         (AsyncGeneratorFunction.async):
2956         (anonymous):
2957         (async.anonymous):
2958         * test262/expectations.yaml:
2959
2960 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2961
2962         Unreviewed, rolling out r237242.
2963         https://bugs.webkit.org/show_bug.cgi?id=190701
2964
2965         it breaks "stress/sampling-profiler-basic.js" (Requested by
2966         caiolima on #webkit).
2967
2968         Reverted changeset:
2969
2970         "[BigInt] Add ValueSub into DFG"
2971         https://bugs.webkit.org/show_bug.cgi?id=186176
2972         https://trac.webkit.org/changeset/237242
2973
2974 2018-10-17  Keith Miller  <keith_miller@apple.com>
2975
2976         AI does not clear Phantom allocation nodes.
2977         https://bugs.webkit.org/show_bug.cgi?id=190694
2978
2979         Reviewed by Saam Barati.
2980
2981         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2982         (Day):
2983         (DaysInYear):
2984         (TimeInYear):
2985         (TimeFromYear):
2986         (DayFromYear):
2987         (InLeapYear):
2988         (YearFromTime):
2989         (WeekDay):
2990         (DaylightSavingTA):
2991         (GetSecondSundayInMarch):
2992         (TimeInMonth):
2993
2994 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2995
2996         [BigInt] Add ValueSub into DFG
2997         https://bugs.webkit.org/show_bug.cgi?id=186176
2998
2999         Reviewed by Yusuke Suzuki.
3000
3001         * stress/big-int-subtraction-jit.js:
3002         * stress/value-sub-big-int-prediction-propagation.js: Added.
3003         * stress/value-sub-big-int-untyped.js: Added.
3004
3005 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3006
3007         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3008         https://bugs.webkit.org/show_bug.cgi?id=190611
3009
3010         Reviewed by Saam Barati.
3011
3012         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3013         to improve test runtime. On ARM/MIPS this test even timed out when running all
3014         tests.
3015
3016         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3017         (test):
3018
3019 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3020
3021         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3022
3023         Unreviewed gardening.
3024
3025         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3026
3027 2018-10-15  Saam barati  <sbarati@apple.com>
3028
3029         Emit fjcvtzs on ARM64E on Darwin
3030         https://bugs.webkit.org/show_bug.cgi?id=184023
3031
3032         Reviewed by Yusuke Suzuki and Filip Pizlo.
3033
3034         * stress/double-to-int32-NaN.js: Added.
3035         (assert):
3036         (foo):
3037
3038 2018-10-15  Saam Barati  <sbarati@apple.com>
3039
3040         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3041         https://bugs.webkit.org/show_bug.cgi?id=190262
3042         <rdar://problem/44986241>
3043
3044         Reviewed by Mark Lam.
3045
3046         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3047         (test):
3048         * stress/slice-array-storage-with-holes.js: Added.
3049         (main):
3050
3051 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3052
3053         Unreviewed, rolling out r237054.
3054         https://bugs.webkit.org/show_bug.cgi?id=190593
3055
3056         "this regressed JetStream 2 by 6% on iOS" (Requested by
3057         saamyjoon on #webkit).
3058
3059         Reverted changeset:
3060
3061         "[JSC] JSC should have "parseFunction" to optimize Function
3062         constructor"
3063         https://bugs.webkit.org/show_bug.cgi?id=190340
3064         https://trac.webkit.org/changeset/237054
3065
3066 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3067
3068         [JSC] JSON.stringify can accept call-with-no-arguments
3069         https://bugs.webkit.org/show_bug.cgi?id=190343
3070
3071         Reviewed by Mark Lam.
3072
3073         * stress/json-stringify-no-arguments.js: Added.
3074         (shouldBe):
3075
3076 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3077
3078         [JSC] JSC should have "parseFunction" to optimize Function constructor
3079         https://bugs.webkit.org/show_bug.cgi?id=190340
3080
3081         Reviewed by Mark Lam.
3082
3083         This patch fixes the line number of syntax errors raised by the Function constructor,
3084         since we now parse the final code only once. And we no longer use block statement
3085         for Function constructor's parsing.
3086
3087         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3088         * stress/function-cache-with-parameters-end-position.js: Added.
3089         (shouldBe):
3090         (shouldThrow):
3091         (i.anonymous):
3092         * stress/function-constructor-name.js: Added.
3093         (shouldBe):
3094         (GeneratorFunction):
3095         (AsyncFunction.async):
3096         (AsyncGeneratorFunction.async):
3097         (anonymous):
3098         (async.anonymous):
3099         * test262/expectations.yaml:
3100
3101 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3102
3103         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3104         https://bugs.webkit.org/show_bug.cgi?id=190426
3105
3106         Unreviewed gardening.
3107
3108         * stress/sampling-profiler-richards.js:
3109
3110 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3111
3112         [ESNext][BigInt] Implement support for "|"
3113         https://bugs.webkit.org/show_bug.cgi?id=186229
3114
3115         Reviewed by Yusuke Suzuki.
3116
3117         * stress/big-int-bitwise-and-jit.js:
3118         * stress/big-int-bitwise-or-general.js: Added.
3119         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3120         * stress/big-int-bitwise-or-jit.js: Added.
3121         * stress/big-int-bitwise-or-memory-stress.js: Added.
3122         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3123         * stress/big-int-bitwise-or-type-error.js: Added.
3124         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3125
3126 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3127
3128         Skip test on systems with limited memory
3129         https://bugs.webkit.org/show_bug.cgi?id=190310
3130
3131         Invoking runDefault adds test to runlist, skipping the test in the next
3132         line does not prevent the test from executing. Change order of lines such
3133         that runDefault is only executed if test is not executed.
3134
3135         Reviewed by Mark Lam.
3136
3137         * stress/regress-190187.js:
3138
3139 2018-10-03  Saam barati  <sbarati@apple.com>
3140
3141         lowXYZ in FTLLower should always filter the type of the incoming edge
3142         https://bugs.webkit.org/show_bug.cgi?id=189939
3143         <rdar://problem/44407030>
3144
3145         Reviewed by Michael Saboff.
3146
3147         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3148         (foo):
3149         (test):
3150
3151 2018-10-03  Mark Lam  <mark.lam@apple.com>
3152
3153         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3154         https://bugs.webkit.org/show_bug.cgi?id=190187
3155         <rdar://problem/42512909>
3156
3157         Reviewed by Michael Saboff.
3158
3159         * stress/regress-190187.js: Added.
3160
3161 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3162
3163         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3164         https://bugs.webkit.org/show_bug.cgi?id=190033
3165
3166         Reviewed by Yusuke Suzuki.
3167
3168         * stress/big-int-to-string.js:
3169
3170 2018-10-01  Mark Lam  <mark.lam@apple.com>
3171
3172         Function.toString() should also copy the source code Functions that are class definitions.
3173         https://bugs.webkit.org/show_bug.cgi?id=190186
3174         <rdar://problem/44733360>
3175
3176         Reviewed by Saam Barati.
3177
3178         * stress/regress-190186.js: Added.
3179
3180 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3181
3182         Split NaN-check into separate test
3183         https://bugs.webkit.org/show_bug.cgi?id=190010
3184
3185         Reviewed by Saam Barati.
3186
3187         DataView exposes NaN-representation, which is not necessarily the same on each
3188         architecture. Therefore move the check of the NaN-representation into its own
3189         file such that we can disable this test on MIPS where NaN-representation can be
3190         different on older CPUs.
3191
3192         * stress/dataview-jit-set-nan.js: Added.
3193         (assert):
3194         (test.storeLittleEndian):
3195         (test.storeBigEndian):
3196         (test.store):
3197         (test):
3198         * stress/dataview-jit-set.js:
3199         (test5):
3200
3201 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r236647.
3204         https://bugs.webkit.org/show_bug.cgi?id=190124
3205
3206         Breaking test stress/big-int-to-string.js (Requested by
3207         caiolima_ on #webkit).
3208
3209         Reverted changeset:
3210
3211         "[BigInt] BigInt.prototype.toString is broken when radix is
3212         power of 2"
3213         https://bugs.webkit.org/show_bug.cgi?id=190033
3214         https://trac.webkit.org/changeset/236647
3215
3216 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3217
3218         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3219         https://bugs.webkit.org/show_bug.cgi?id=190033
3220
3221         Reviewed by Yusuke Suzuki.
3222
3223         * stress/big-int-to-string.js:
3224
3225 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3226
3227         [ESNext][BigInt] Implement support for "&"
3228         https://bugs.webkit.org/show_bug.cgi?id=186228
3229
3230         Reviewed by Yusuke Suzuki.
3231
3232         * stress/big-int-bitwise-and-general.js: Added.
3233         (assert):
3234         (assert.sameValue):
3235         * stress/big-int-bitwise-and-jit.js: Added.
3236         (let.assert.sameValue):
3237         (bigIntBitAnd):
3238         * stress/big-int-bitwise-and-memory-stress.js: Added.
3239         (assert):
3240         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3241         (assert.sameValue):
3242         (let.o.Symbol.toPrimitive):
3243         (catch):
3244         * stress/big-int-bitwise-and-type-error.js: Added.
3245         (assert):
3246         (assertThrowTypeError):
3247         (let.o.valueOf):
3248         (o.valueOf):
3249         (o.toString):
3250         (o.Symbol.toPrimitive):
3251         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3252         (assert.sameValue):
3253         (testBitAnd):
3254         (let.o.Symbol.toPrimitive):
3255         (o.valueOf):
3256         (o.toString):
3257
3258 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3259
3260         JSC test stress/jsc-read.js doesn't support CRLF
3261         https://bugs.webkit.org/show_bug.cgi?id=190063
3262
3263         Reviewed by Yusuke Suzuki.
3264
3265         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3266
3267         * stress/jsc-read.js:
3268         (test):
3269
3270 2018-09-27  Saam barati  <sbarati@apple.com>
3271
3272         Verify the contents of AssemblerBuffer on arm64e
3273         https://bugs.webkit.org/show_bug.cgi?id=190057
3274         <rdar://problem/38916630>
3275
3276         Reviewed by Mark Lam.
3277
3278         * stress/regress-189132.js:
3279
3280 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3281
3282         Disable test without LLInt on ARMv7
3283         https://bugs.webkit.org/show_bug.cgi?id=190037
3284
3285         Reviewed by Mark Lam.
3286
3287         Test runs out of executable memory on ARMv7, do not run
3288         this test without LLInt enabled.
3289
3290         * stress/regress-169445.js:
3291
3292 2018-09-26  Keith Miller  <keith_miller@apple.com>
3293
3294         We should zero unused property storage when rebalancing array storage.
3295         https://bugs.webkit.org/show_bug.cgi?id=188151
3296
3297         Reviewed by Michael Saboff.
3298
3299         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3300
3301 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3302
3303         [JSC] Optimize Array#lastIndexOf
3304         https://bugs.webkit.org/show_bug.cgi?id=189780
3305
3306         Reviewed by Saam Barati.
3307
3308         * stress/array-lastindexof-array-prototype-trap.js: Added.
3309         (shouldBe):
3310         (AncestorArray.prototype.get 2):
3311         (AncestorArray):
3312         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3313         (shouldBe):
3314         * stress/array-lastindexof-hole-nan.js: Added.
3315         (shouldBe):
3316         (throw.new.Error):
3317         * stress/array-lastindexof-infinity.js: Added.
3318         (shouldBe):
3319         (throw.new.Error):
3320         * stress/array-lastindexof-negative-zero.js: Added.
3321         (shouldBe):
3322         (throw.new.Error):
3323         * stress/array-lastindexof-own-getter.js: Added.
3324         (shouldBe):
3325         (throw.new.Error.get array):
3326         (get array):
3327         * stress/array-lastindexof-prototype-trap.js: Added.
3328         (shouldBe):
3329         (DerivedArray.prototype.get 2):
3330         (DerivedArray):
3331
3332 2018-09-25  Saam Barati  <sbarati@apple.com>
3333
3334         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3335         https://bugs.webkit.org/show_bug.cgi?id=189940
3336         <rdar://problem/43640987>
3337
3338         Reviewed by Mark Lam.
3339
3340         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3341
3342 2018-09-24  Saam Barati  <sbarati@apple.com>
3343
3344         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3345         https://bugs.webkit.org/show_bug.cgi?id=189922
3346         <rdar://problem/44651275>
3347
3348         Reviewed by Mark Lam.
3349
3350         * stress/array-indexof-fast-path-effects.js: Added.
3351         * stress/array-indexof-cached-length.js: Added.
3352
3353 2018-09-24  Saam barati  <sbarati@apple.com>
3354
3355         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3356         https://bugs.webkit.org/show_bug.cgi?id=189682
3357         <rdar://problem/43557315>
3358
3359         Reviewed by Mark Lam.
3360
3361         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3362         (foo):
3363
3364 2018-09-22  Saam barati  <sbarati@apple.com>
3365
3366         The sampling should not use Strong<CodeBlock> in its machineLocation field
3367         https://bugs.webkit.org/show_bug.cgi?id=189319
3368
3369         Reviewed by Filip Pizlo.
3370
3371         * stress/sampling-profiler-richards.js: Added.
3372
3373 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3374
3375         [JSC] Optimize Array#indexOf in C++ runtime
3376         https://bugs.webkit.org/show_bug.cgi?id=189507
3377
3378         Reviewed by Saam Barati.
3379
3380         * stress/array-indexof-array-prototype-trap.js: Added.
3381         (shouldBe):
3382         (AncestorArray.prototype.get 2):
3383         (AncestorArray):
3384         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3385         (shouldBe):
3386         * stress/array-indexof-hole-nan.js: Added.
3387         (shouldBe):
3388         (throw.new.Error):
3389         * stress/array-indexof-infinity.js: Added.
3390         (shouldBe):
3391         (throw.new.Error):
3392         * stress/array-indexof-negative-zero.js: Added.
3393         (shouldBe):
3394         (throw.new.Error):
3395         * stress/array-indexof-own-getter.js: Added.
3396         (shouldBe):
3397         (throw.new.Error.get array):
3398         (get array):
3399         * stress/array-indexof-prototype-trap.js: Added.
3400         (shouldBe):
3401         (DerivedArray.prototype.get 2):
3402         (DerivedArray):
3403
3404 2018-09-19  Saam barati  <sbarati@apple.com>
3405
3406         AI rule for MultiPutByOffset executes its effects in the wrong order
3407         https://bugs.webkit.org/show_bug.cgi?id=189757
3408         <rdar://problem/43535257>
3409
3410         Reviewed by Michael Saboff.
3411
3412         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3413         (foo):
3414         (Foo):
3415         (g):
3416
3417 2018-09-17  Mark Lam  <mark.lam@apple.com>
3418
3419         Ensure that ForInContexts are invalidated if their loop local is over-written.
3420         https://bugs.webkit.org/show_bug.cgi?id=189571
3421         <rdar://problem/44402277>
3422
3423         Reviewed by Saam Barati.
3424
3425         * stress/regress-189571.js: Added.
3426
3427 2018-09-17  Saam barati  <sbarati@apple.com>
3428
3429         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3430         https://bugs.webkit.org/show_bug.cgi?id=189676
3431         <rdar://problem/39682897>
3432
3433         Reviewed by Michael Saboff.
3434
3435         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3436         (A):
3437         (K):
3438         (i.catch):
3439
3440 2018-09-14  Saam barati  <sbarati@apple.com>
3441
3442         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3443         https://bugs.webkit.org/show_bug.cgi?id=189628
3444         <rdar://problem/39481690>
3445
3446         Reviewed by Mark Lam.
3447
3448         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3449         (foo):
3450
3451 2018-09-11  Mark Lam  <mark.lam@apple.com>
3452
3453         Test for array initialization in arrayProtoFuncSplice.
3454         https://bugs.webkit.org/show_bug.cgi?id=170253
3455         <rdar://problem/31328773>
3456
3457         Rubber-stamped by Saam Barati.
3458
3459         * stress/regress-170253.js: Added.
3460
3461 2018-09-11  Mark Lam  <mark.lam@apple.com>
3462
3463         Test for IntlObject initialization.
3464         https://bugs.webkit.org/show_bug.cgi?id=170251
3465         <rdar://problem/31328419>
3466
3467         Rubber-stamped by Saam Barati.
3468
3469         * stress/regress-170251.js: Added.
3470
3471 2018-09-11  Mark Lam  <mark.lam@apple.com>
3472
3473         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3474         https://bugs.webkit.org/show_bug.cgi?id=169889
3475         <rdar://problem/31155607>
3476
3477         Reviewed by Saam Barati.
3478
3479         * stress/regress-169889-array-concat.js: Added.
3480         * stress/regress-169889-array-concat1.js: Added.
3481         * stress/regress-169889-array-slice.js: Added.
3482
3483 2018-09-11  Mark Lam  <mark.lam@apple.com>
3484
3485         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3486         https://bugs.webkit.org/show_bug.cgi?id=169445
3487         <rdar://problem/30957435>
3488
3489         Reviewed by Saam Barati.
3490
3491         * stress/regress-169445.js: Added.
3492         (let.gun.eval.A):
3493         (let.gun.eval.B.C):
3494         (let.gun.eval.B.C.prototype.trigger):
3495         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3496         (let.gun.eval.B):
3497         (let.gun.eval):
3498
3499 == Rolled over to ChangeLog-2018-09-11 ==