[JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
4         https://bugs.webkit.org/show_bug.cgi?id=196574
5
6         Reviewed by Saam Barati.
7
8         * stress/string-index-of-exception-check.js: Added.
9         (blurType):
10         (1.forEach):
11
12 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
13
14         Assertion failed in JSC::createError
15         https://bugs.webkit.org/show_bug.cgi?id=196305
16         <rdar://problem/49387382>
17
18         Reviewed by Saam Barati.
19
20         * stress/create-error-out-of-memory-rope-string-2.js: Added.
21         (assert):
22         (catch):
23
24 2019-03-28  Saam Barati  <sbarati@apple.com>
25
26         BackwardsGraph needs to consider back edges as the backward's root successor
27         https://bugs.webkit.org/show_bug.cgi?id=195991
28
29         Reviewed by Filip Pizlo.
30
31         * stress/map-b3-licm-infinite-loop.js: Added.
32
33 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
34
35         CodeBlock::jettison() should disallow repatching its own calls
36         https://bugs.webkit.org/show_bug.cgi?id=196359
37         <rdar://problem/48973663>
38
39         Reviewed by Saam Barati.
40
41         * stress/call-link-info-osrexit-repatch.js: Added.
42         (foo):
43
44 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
45
46         [JSC] imports-oom.js intermittently fails
47         https://bugs.webkit.org/show_bug.cgi?id=196373
48
49         Reviewed by Saam Barati.
50
51         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
52         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
53         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
54         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
55         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
56
57         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
58         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
59
60         * wasm/lowExecutableMemory/imports-oom.js:
61
62 2019-03-27  Saam Barati  <sbarati@apple.com>
63
64         validateOSREntryValue with Int52 should box the value being checked into double format
65         https://bugs.webkit.org/show_bug.cgi?id=196313
66         <rdar://problem/49306703>
67
68         Reviewed by Yusuke Suzuki.
69
70         * stress/validate-int-52-ai-state.js: Added.
71
72 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
73
74         [JSC] Owner of watchpoints should validate at GC finalizing phase
75         https://bugs.webkit.org/show_bug.cgi?id=195827
76
77         Reviewed by Filip Pizlo.
78
79         * stress/gc-should-reap-dead-watchpoints.js: Added.
80         (foo):
81         (A.prototype.y):
82         (A):
83
84 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
85
86         Skip WebAssembly test on 32-bit systems
87         https://bugs.webkit.org/show_bug.cgi?id=196206
88
89         Reviewed by Saam Barati.
90
91         Invoking runDefault executes test immediately even though
92         that test should be skipped due to missing WASM support.
93         Therefore remove runDefault.
94
95         * wasm/regress/web-assembly-link-error-exception-check.js:
96
97 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
98
99         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
100         https://bugs.webkit.org/show_bug.cgi?id=196217
101
102         Reviewed by Saam Barati.
103
104         Re-enable all NaN tests for f32.min, f64.min and f64.max.
105
106         * wasm/spec-tests/f32.wast.js:
107         * wasm/spec-tests/f64.wast.js:
108         * wasm/wasm.json:
109
110 2019-03-25  Keith Miller  <keith_miller@apple.com>
111
112         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
113         https://bugs.webkit.org/show_bug.cgi?id=196176
114
115         Reviewed by Saam Barati.
116
117         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
118         (main.v10):
119         (main):
120
121 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
122
123         WebAssembly: f32.max with NaN generates incorrect result
124         https://bugs.webkit.org/show_bug.cgi?id=175691
125         <rdar://problem/33952228>
126
127         Reviewed by Saam Barati.
128
129         Enable all f32.max NaN tests
130
131         * wasm/spec-tests/f32.wast.js:
132         * wasm/wasm.json:
133
134 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
135
136         [JSC] Move test into directory for WASM tests
137         https://bugs.webkit.org/show_bug.cgi?id=196187
138
139         Reviewed by Mark Lam.
140
141         Move Test into wasm-directory. Otherwise this test
142         is also executed on systems without WASM support.
143
144         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
145
146 2019-03-23  Mark Lam  <mark.lam@apple.com>
147
148         Rolling out r243032 and r243071 because the fix is incorrect.
149         https://bugs.webkit.org/show_bug.cgi?id=195892
150         <rdar://problem/48981239>
151
152         Not reviewed.
153
154         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
155
156 2019-03-22  Mark Lam  <mark.lam@apple.com>
157
158         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
159         https://bugs.webkit.org/show_bug.cgi?id=196154
160         <rdar://problem/49145307>
161
162         Reviewed by Filip Pizlo.
163
164         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
165         There's no need to run this test on more than 1 test configuration.
166
167         * stress/typed-array-lastIndexOf-exception-check.js: Added.
168         * stress/web-assembly-link-error-exception-check.js:
169
170 2019-03-22  Mark Lam  <mark.lam@apple.com>
171
172         Placate exception check validation in constructJSWebAssemblyLinkError().
173         https://bugs.webkit.org/show_bug.cgi?id=196152
174         <rdar://problem/49145257>
175
176         Reviewed by Michael Saboff.
177
178         * stress/web-assembly-link-error-exception-check.js: Added.
179
180 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
181
182         Skip tests running out of memory on ARM/MIPS
183         https://bugs.webkit.org/show_bug.cgi?id=196131
184
185         Unreviewed. Skip test if memory is limited.
186
187         * microbenchmarks/put-by-val-direct-large-index.js:
188
189 2019-03-21  Mark Lam  <mark.lam@apple.com>
190
191         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
192         https://bugs.webkit.org/show_bug.cgi?id=196116
193         <rdar://problem/48976951>
194
195         Reviewed by Filip Pizlo.
196
197         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
198
199 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
200
201         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
202         https://bugs.webkit.org/show_bug.cgi?id=196078
203         <rdar://problem/35925380>
204
205         Reviewed by Mark Lam.
206
207         Add a new benchmark that allocates several objects and invokes put_by_val_direct
208         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
209
210         * microbenchmarks/put-by-val-direct-large-index.js: Added.
211
212 2019-03-21  Mark Lam  <mark.lam@apple.com>
213
214         Placate exception check validation in operationArrayIndexOfString().
215         https://bugs.webkit.org/show_bug.cgi?id=196067
216         <rdar://problem/49056572>
217
218         Reviewed by Michael Saboff.
219
220         * stress/string-equal-exception-check.js: Added.
221
222 2019-03-21  Mark Lam  <mark.lam@apple.com>
223
224         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
225         https://bugs.webkit.org/show_bug.cgi?id=196055
226         <rdar://problem/49067448>
227
228         Reviewed by Yusuke Suzuki.
229
230         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
231
232 2019-03-20  Saam Barati  <sbarati@apple.com>
233
234         typeOfDoubleSum is wrong for when NaN can be produced
235         https://bugs.webkit.org/show_bug.cgi?id=196030
236
237         Reviewed by Filip Pizlo.
238
239         * stress/double-add-sub-mul-can-produce-nan.js: Added.
240         (assert):
241         (noInline.sub):
242         (noInline):
243         (assert.mul):
244         (assert.add):
245
246 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
247
248         Update the test to ensure OutOfMemoryError is thrown as intended
249         https://bugs.webkit.org/show_bug.cgi?id=196032
250         <rdar://problem/46842740>
251
252         Rubber stamped by Saam Barati.
253
254         * stress/create-error-out-of-memory-rope-string.js:
255         (assert):
256         (catch):
257
258 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
259
260         JSC::createError needs to check for OOM in errorDescriptionForValue
261         https://bugs.webkit.org/show_bug.cgi?id=196032
262         <rdar://problem/46842740>
263
264         Reviewed by Mark Lam.
265
266         * stress/create-error-out-of-memory-rope-string.js: Added.
267
268 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
269
270         Unreviewed, reduce # of iterations to avoid timing out after r242991
271         https://bugs.webkit.org/show_bug.cgi?id=195791
272
273         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
274
275         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
276
277 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
278
279         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
280         https://bugs.webkit.org/show_bug.cgi?id=195950
281
282         Unreviewed, reducing the amount of memory used on this test to avoid
283         OOM on devices with memory restrictions.
284
285         * microbenchmarks/generate-multiple-llint-entrypoints.js:
286
287 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
288
289         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
290         https://bugs.webkit.org/show_bug.cgi?id=194648
291
292         Reviewed by Keith Miller.
293
294         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
295
296 2019-03-18  Mark Lam  <mark.lam@apple.com>
297
298         Missing a ThrowScope release in JSObject::toString().
299         https://bugs.webkit.org/show_bug.cgi?id=195893
300         <rdar://problem/48970986>
301
302         Reviewed by Michael Saboff.
303
304         * stress/to-string-exception-check-release.js: Added.
305
306 2019-03-18  Mark Lam  <mark.lam@apple.com>
307
308         Structure::flattenDictionary() should clear unused property slots.
309         https://bugs.webkit.org/show_bug.cgi?id=195871
310         <rdar://problem/48959497>
311
312         Reviewed by Michael Saboff.
313
314         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
315
316 2019-03-15  Mark Lam  <mark.lam@apple.com>
317
318         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
319         https://bugs.webkit.org/show_bug.cgi?id=195827
320         <rdar://problem/48845513>
321
322         Reviewed by Filip Pizlo.
323
324         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
325
326 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
327
328         [ARM,MIPS] Skip slow tests
329         https://bugs.webkit.org/show_bug.cgi?id=195799
330
331         Unreviewed, test does not finish on ARM and MIPS within the
332         timeout limit.
333
334         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
335
336 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
337
338         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
339         https://bugs.webkit.org/show_bug.cgi?id=195791
340         <rdar://problem/48806130>
341
342         Reviewed by Mark Lam.
343
344         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
345         (foo):
346
347 2019-03-14  Saam barati  <sbarati@apple.com>
348
349         We can't remove code after ForceOSRExit until after FixupPhase
350         https://bugs.webkit.org/show_bug.cgi?id=186916
351         <rdar://problem/41396612>
352
353         Reviewed by Yusuke Suzuki.
354
355         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
356         (foo):
357         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
358         (foo):
359
360 2019-03-13  Michael Saboff  <msaboff@apple.com>
361
362         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
363         https://bugs.webkit.org/show_bug.cgi?id=195735
364
365         Reviewed by Mark Lam.
366
367         New regression test.
368
369         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
370         (foo):
371         (bar):
372
373 2019-03-14  Saam barati  <sbarati@apple.com>
374
375         Fixup uses KnownInt32 incorrectly in some nodes
376         https://bugs.webkit.org/show_bug.cgi?id=195279
377         <rdar://problem/47915654>
378
379         Reviewed by Yusuke Suzuki.
380
381         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
382         (foo):
383
384 2019-03-14  Keith Miller  <keith_miller@apple.com>
385
386         DFG liveness can't skip tail caller inline frames
387         https://bugs.webkit.org/show_bug.cgi?id=195715
388
389         Reviewed by Saam Barati.
390
391         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
392         (i.foo):
393
394 2019-03-13  Mark Lam  <mark.lam@apple.com>
395
396         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
397         https://bugs.webkit.org/show_bug.cgi?id=195415
398
399         Not reviewed.
400
401         Changed these tests to only run the default configuration.
402         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
403         There's no strong need to run this test on that variant.
404
405         * stress/dfg-to-string-on-int-does-gc.js:
406         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
407
408 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
409
410         String overflow when using StringBuilder in JSC::createError
411         https://bugs.webkit.org/show_bug.cgi?id=194957
412
413         Reviewed by Mark Lam.
414
415         Add test string-overflow-createError-bulder.js that overflows
416         StringBuilder in notAFunctionSourceAppender. The second new test
417         string-overflow-createError-fit.js has an error message that doesn't
418         overflow, it still failed since the String's capacity can't be doubled.
419         Run test string-overflow-createError.js only in the default
420         configuration to reduce memory consumption when running the test
421         in all configurations on multiple CPUs in parallel.
422
423         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
424         (catch):
425         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
426         (catch):
427         * stress/string-overflow-createError.js:
428
429 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
430
431         [JSC] OSR entry should respect abstract values in addition to flush formats
432         https://bugs.webkit.org/show_bug.cgi?id=195653
433
434         Reviewed by Mark Lam.
435
436         * stress/osr-entry-locals-none.js: Added.
437
438 2019-03-12  Michael Saboff  <msaboff@apple.com>
439
440         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
441         https://bugs.webkit.org/show_bug.cgi?id=195613
442
443         Reviewed by Mark Lam.
444
445         New regression test.
446
447         * stress/regexp-backref-inbounds.js: Added.
448         (testRegExp):
449
450 2019-03-12  Mark Lam  <mark.lam@apple.com>
451
452         The HasIndexedProperty node does GC.
453         https://bugs.webkit.org/show_bug.cgi?id=195559
454         <rdar://problem/48767923>
455
456         Reviewed by Yusuke Suzuki.
457
458         * stress/HasIndexedProperty-does-gc.js: Added.
459
460 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
461
462         [ESNext][BigInt] Implement "~" unary operation
463         https://bugs.webkit.org/show_bug.cgi?id=182216
464
465         Reviewed by Keith Miller.
466
467         * stress/big-int-bit-not-general.js: Added.
468         * stress/big-int-bitwise-not-jit.js: Added.
469         * stress/big-int-bitwise-not-wrapped-value.js: Added.
470         * stress/bit-op-with-object-returning-int32.js:
471         * stress/bitwise-not-fixup-rules.js: Added.
472         * stress/value-bit-not-ai-rule.js: Added.
473
474 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
475
476         Invalid flags in a RegExp literal should be an early SyntaxError
477         https://bugs.webkit.org/show_bug.cgi?id=195514
478
479         Reviewed by Darin Adler.
480
481         * test262/expectations.yaml:
482         Mark 4 test cases as passing.
483
484         * stress/regexp-syntax-error-invalid-flags.js:
485         * stress/regress-161995.js: Removed.
486         Update existing test, merging in an older test for the same behavior.
487
488 2019-03-08  Mark Lam  <mark.lam@apple.com>
489
490         Stack overflow crash in JSC::JSObject::hasInstance.
491         https://bugs.webkit.org/show_bug.cgi?id=195458
492         <rdar://problem/48710195>
493
494         Reviewed by Yusuke Suzuki.
495
496         * stress/stack-overflow-in-custom-hasInstance.js: Added.
497
498 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
499
500         op_check_tdz does not def its argument
501         https://bugs.webkit.org/show_bug.cgi?id=192880
502         <rdar://problem/46221598>
503
504         Reviewed by Saam Barati.
505
506         * microbenchmarks/let-for-in.js: Added.
507         (foo):
508
509 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
510
511         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
512         https://bugs.webkit.org/show_bug.cgi?id=195429
513
514         Reviewed by Saam Barati.
515
516         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
517         (foo):
518         * stress/string-from-char-code-255.js: Added.
519
520 2019-03-06  Mark Lam  <mark.lam@apple.com>
521
522         Fix incorrect handling of try-finally completion values.
523         https://bugs.webkit.org/show_bug.cgi?id=195131
524         <rdar://problem/46222079>
525
526         Reviewed by Saam Barati and Yusuke Suzuki.
527
528         Added many permutations of new test case to test-finally.js.  test-finally.js has
529         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
530         tests passes there as well.
531
532         * stress/test-finally.js:
533
534 2019-03-06  Saam Barati  <sbarati@apple.com>
535
536         Air::reportUsedRegisters must padInterference
537         https://bugs.webkit.org/show_bug.cgi?id=195303
538         <rdar://problem/48270343>
539
540         Reviewed by Keith Miller.
541
542         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
543
544 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
545
546         [JSC] AI should not propagate AbstractValue relying on constant folding phase
547         https://bugs.webkit.org/show_bug.cgi?id=195375
548
549         Reviewed by Saam Barati.
550
551         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
552         (let.array):
553
554 2019-03-05  Saam barati  <sbarati@apple.com>
555
556         op_switch_char broken for rope strings after JSRopeString layout rewrite
557         https://bugs.webkit.org/show_bug.cgi?id=195339
558         <rdar://problem/48592545>
559
560         Reviewed by Yusuke Suzuki.
561
562         * stress/switch-on-char-llint-rope.js: Added.
563
564 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
565
566         [JSC] Store bits for JSRopeString in 3 stores
567         https://bugs.webkit.org/show_bug.cgi?id=195234
568
569         Reviewed by Saam Barati.
570
571         * stress/null-rope-and-collectors.js: Added.
572
573 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
574
575         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
576         https://bugs.webkit.org/show_bug.cgi?id=195207
577
578         Unreviewed. After test runtime was reduced in r242213, test can be
579         run again on ARM/MIPS.
580
581         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
582
583 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
584
585         [JSC] sizeof(JSString) should be 16
586         https://bugs.webkit.org/show_bug.cgi?id=194375
587
588         Reviewed by Saam Barati.
589
590         * microbenchmarks/make-rope.js: Added.
591         (makeRope):
592         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
593         (returnRope.helper): Deleted.
594         (returnRope): Deleted.
595
596 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
597
598         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
599         https://bugs.webkit.org/show_bug.cgi?id=195144
600
601         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
602         Change the number from 1e8 to 1e5.
603
604         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
605         (foo):
606
607 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
608
609         Test times out on ARM/MIPS
610         https://bugs.webkit.org/show_bug.cgi?id=195168
611
612         Unreviewed. Skip test on ARM/MIPS.
613
614         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
615
616 2019-02-27  Mark Lam  <mark.lam@apple.com>
617
618         The parser is failing to record the token location of new in new.target.
619         https://bugs.webkit.org/show_bug.cgi?id=195127
620         <rdar://problem/39645578>
621
622         Reviewed by Yusuke Suzuki.
623
624         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
625
626 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
627
628         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
629         https://bugs.webkit.org/show_bug.cgi?id=195144
630         <rdar://problem/47595961>
631
632         Reviewed by Mark Lam.
633
634         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
635         (bar):
636         (foo):
637         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
638         (bar):
639         (foo):
640
641 2019-02-27  Robin Morisset  <rmorisset@apple.com>
642
643         DFG: Loop-invariant code motion (LICM) should not hoist dead code
644         https://bugs.webkit.org/show_bug.cgi?id=194945
645         <rdar://problem/48311657>
646
647         Reviewed by Mark Lam.
648
649         * stress/licm-dead-code.js: Added.
650
651 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
652
653         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
654         https://bugs.webkit.org/show_bug.cgi?id=194677
655         <rdar://problem/48112492>
656
657         Reviewed by Mark Lam.
658
659         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
660         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
661         it immediately fails due the large size.
662
663         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
664         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
665         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
666         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
667
668         This patch changes the test to produce 16bit string from String.fromCharCode.
669
670         * stress/regress-178386.js:
671
672 2019-02-26  Mark Lam  <mark.lam@apple.com>
673
674         wasmToJS() should purify incoming NaNs.
675         https://bugs.webkit.org/show_bug.cgi?id=194807
676         <rdar://problem/48189132>
677
678         Reviewed by Saam Barati.
679
680         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
681
682 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
683
684         [JSC] Repeat string created from Array.prototype.join() take too much memory
685         https://bugs.webkit.org/show_bug.cgi?id=193912
686
687         Reviewed by Saam Barati.
688
689         Added a test and a microbenchmark for corner cases of
690         Array.prototype.join() with an uninitialized array.
691
692         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
693         * stress/array-prototype-join-uninitialized.js: Added.
694         (testArray):
695         (testABC):
696         (B):
697         (C):
698
699 2019-02-22  Robin Morisset  <rmorisset@apple.com>
700
701         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
702         https://bugs.webkit.org/show_bug.cgi?id=194953
703         <rdar://problem/47595253>
704
705         Reviewed by Saam Barati.
706
707         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
708
709         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
710
711 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
712
713         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
714         https://bugs.webkit.org/show_bug.cgi?id=172848
715         <rdar://problem/25709212>
716
717         Reviewed by Mark Lam.
718
719         * typeProfiler/inheritance.js:
720         Rewrite the test slightly for clarity. The hoisting was confusing.
721
722         * heapProfiler/class-names.js: Added.
723         (MyES5Class):
724         (MyES6Class):
725         (MyES6Subclass):
726         Test object types and improved class names.
727
728         * heapProfiler/driver/driver.js:
729         (CheapHeapSnapshotNode):
730         (CheapHeapSnapshot):
731         (createCheapHeapSnapshot):
732         (HeapSnapshot):
733         (createHeapSnapshot):
734         Update snapshot parsing from version 1 to version 2.
735
736 2019-02-19  Truitt Savell  <tsavell@apple.com>
737
738         Unreviewed, rolling out r241784.
739
740         Broke all OpenSource builds.
741
742         Reverted changeset:
743
744         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
745         instances view"
746         https://bugs.webkit.org/show_bug.cgi?id=172848
747         https://trac.webkit.org/changeset/241784
748
749 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
750
751         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
752         https://bugs.webkit.org/show_bug.cgi?id=172848
753         <rdar://problem/25709212>
754
755         Reviewed by Mark Lam.
756
757         * typeProfiler/inheritance.js:
758         Rewrite the test slightly for clarity. The hoisting was confusing.
759
760         * heapProfiler/class-names.js: Added.
761         (MyES5Class):
762         (MyES6Class):
763         (MyES6Subclass):
764         Test object types and improved class names.
765
766         * heapProfiler/driver/driver.js:
767         (CheapHeapSnapshotNode):
768         (CheapHeapSnapshot):
769         (createCheapHeapSnapshot):
770         (HeapSnapshot):
771         (createHeapSnapshot):
772         Update snapshot parsing from version 1 to version 2.
773
774 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
775
776         [ARM] Fix crash with sampling profiler
777         https://bugs.webkit.org/show_bug.cgi?id=194772
778
779         Reviewed by Mark Lam.
780
781         Do not skip test since crash with sampling profiler is now fixed.
782
783         * stress/sampling-profiler-richards.js:
784
785 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
786
787         [JSC] Add LazyClassStructure::getInitializedOnMainThread
788         https://bugs.webkit.org/show_bug.cgi?id=194784
789         <rdar://problem/48154820>
790
791         Reviewed by Mark Lam.
792
793         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
794         (getProperties):
795         (getRandomProperty):
796         (i.catch):
797
798 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
799
800         [ARM] Test gardening: Test running out of executable memory
801         https://bugs.webkit.org/show_bug.cgi?id=194771
802
803         Unreviewed. Do not run test without LLInt, test is running out of executable
804         memory on ARM otherwise.
805
806         * stress/tagged-template-object-collect.js:
807
808 2019-02-18  Tomas Popela  <tpopela@redhat.com>
809
810         Unreviewed, skip the test on platforms without sampling profiler
811
812         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
813         (platformSupportsSamplingProfiler.foo):
814         (platformSupportsSamplingProfiler.test):
815         (platformSupportsSamplingProfiler):
816         (foo): Deleted.
817         (test): Deleted.
818
819 2019-02-17  Saam Barati  <sbarati@apple.com>
820
821         Deadlock when adding a Structure property transition and then doing incremental marking
822         https://bugs.webkit.org/show_bug.cgi?id=194767
823
824         Reviewed by Mark Lam.
825
826         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
827
828 2019-02-15  Michael Saboff  <msaboff@apple.com>
829
830         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
831         https://bugs.webkit.org/show_bug.cgi?id=194558
832
833         Reviewed by Saam Barati.
834
835         New regression test.
836
837         * stress/regexp-unicode-within-string.js: Added.
838
839 2019-02-15  Mark Lam  <mark.lam@apple.com>
840
841         SamplingProfiler::stackTracesAsJSON() should escape strings.
842         https://bugs.webkit.org/show_bug.cgi?id=194649
843         <rdar://problem/48072386>
844
845         Reviewed by Saam Barati.
846
847         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
848         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
849         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
850         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
851
852 2019-02-15  Robin Morisset  <rmorisset@apple.com>
853         CodeBlock::jettison should clear related watchpoints
854         https://bugs.webkit.org/show_bug.cgi?id=194544
855
856         Reviewed by Mark Lam.
857
858         * stress/regexp-replace-double-watchpoint.js: Added.
859         (foo):
860
861 2019-02-15  Saam barati  <sbarati@apple.com>
862
863         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
864         https://bugs.webkit.org/show_bug.cgi?id=194036
865
866         Reviewed by Yusuke Suzuki.
867
868         * stress/tail-call-many-arguments.js: Added.
869         (foo):
870         (bar):
871
872 2019-02-14  Saam Barati  <sbarati@apple.com>
873
874         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
875         https://bugs.webkit.org/show_bug.cgi?id=194583
876         <rdar://problem/48028140>
877
878         Reviewed by Yusuke Suzuki.
879
880         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
881
882 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
883
884         [JSC] String.fromCharCode's slow path always generates 16bit string
885         https://bugs.webkit.org/show_bug.cgi?id=194466
886
887         Reviewed by Keith Miller.
888
889         * stress/string-from-char-code-slow-path.js: Added.
890         (shouldBe):
891         (testWithLength):
892
893 2019-02-08  Saam barati  <sbarati@apple.com>
894
895         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
896         https://bugs.webkit.org/show_bug.cgi?id=194334
897         <rdar://problem/47844327>
898
899         Reviewed by Mark Lam.
900
901         * stress/check-in-bounds-should-be-a-child-use.js: Added.
902         (func):
903
904 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
905
906         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
907         https://bugs.webkit.org/show_bug.cgi?id=194369
908         <rdar://problem/47813087>
909
910         Reviewed by Saam Barati.
911
912         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
913         (A):
914
915 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
916
917         [JSC] PrivateName to PublicName hash table is wasteful
918         https://bugs.webkit.org/show_bug.cgi?id=194277
919
920         Reviewed by Michael Saboff.
921
922         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
923
924         * ChakraCore.yaml:
925
926 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
927
928         [ARM] Test running out of executable memory
929         https://bugs.webkit.org/show_bug.cgi?id=194285
930
931         Unreviewed. Do no execute test with LLInt disabled, test runs out of
932         executable memory otherwise.
933
934         * stress/class-subclassing-function.js:
935
936 2019-02-04  Robin Morisset  <rmorisset@apple.com>
937
938         when lowering AssertNotEmpty, create the value before creating the patchpoint
939         https://bugs.webkit.org/show_bug.cgi?id=194231
940
941         Reviewed by Saam Barati.
942
943         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
944         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
945         So even tiny changes to this test can change the path code taken.
946
947         * stress/assert-not-empty.js: Added.
948         (foo):
949
950 2019-02-01  Mark Lam  <mark.lam@apple.com>
951
952         Remove invalid assertion in DFG's compileDoubleRep().
953         https://bugs.webkit.org/show_bug.cgi?id=194130
954         <rdar://problem/47699474>
955
956         Reviewed by Saam Barati.
957
958         * stress/constant-fold-double-rep-into-double-constant.js: Added.
959
960 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
961
962         Import latest Test262 updates.
963
964         Rubber-stamped by Keith Miller.
965
966         * test262.yaml: Deleted.
967         * test262/config.yaml:
968         * test262/expectations.yaml:
969         * test262/latest-changes-summary.txt:
970         * test262/test/:
971         * test262/test262-Revision.txt:
972
973 2019-01-30  Robin Morisset  <rmorisset@apple.com>
974
975         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
976         https://bugs.webkit.org/show_bug.cgi?id=194050
977         <rdar://problem/47595592>
978
979         Reviewed by Yusuke Suzuki.
980
981         * stress/object-keys-osr-exit.js: Added.
982         (foo):
983         (catch):
984
985 2019-01-29  Mark Lam  <mark.lam@apple.com>
986
987         ValueRecovery::recover() should purify NaN values it recovers.
988         https://bugs.webkit.org/show_bug.cgi?id=193978
989         <rdar://problem/47625488>
990
991         Reviewed by Saam Barati.
992
993         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
994
995 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
998         https://bugs.webkit.org/show_bug.cgi?id=193713
999
1000         * stress/try-get-by-id-should-spill-registers-dfg.js:
1001         (let.f.createBuiltin):
1002
1003 2019-01-28  Mark Lam  <mark.lam@apple.com>
1004
1005         ToString node actually does GC.
1006         https://bugs.webkit.org/show_bug.cgi?id=193920
1007         <rdar://problem/46695900>
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         * stress/dfg-to-string-on-int-does-gc.js: Added.
1012         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1013         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1014
1015 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1016
1017         [JSC] NativeErrorConstructor should not have own IsoSubspace
1018         https://bugs.webkit.org/show_bug.cgi?id=193713
1019
1020         Reviewed by Saam Barati.
1021
1022         Remove @Error use.
1023
1024         * stress/try-get-by-id-should-spill-registers-dfg.js:
1025         (let.f.createBuiltin):
1026
1027 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1028
1029         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1030         https://bugs.webkit.org/show_bug.cgi?id=190693
1031
1032         Reviewed by Michael Saboff.
1033
1034         * stress/regress-190693.js: Added.
1035         (truth):
1036         (assert):
1037         (shouldThrowInvalidConstAssignment):
1038         (taz):
1039
1040 2019-01-24  Saam Barati  <sbarati@apple.com>
1041
1042         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1043         https://bugs.webkit.org/show_bug.cgi?id=193751
1044         <rdar://problem/47280215>
1045
1046         Reviewed by Michael Saboff.
1047
1048         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1049         (let.thing):
1050         (foo.let.hello):
1051         (foo):
1052
1053 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1054
1055         [JSC] Reenable baseline JIT on mips
1056         https://bugs.webkit.org/show_bug.cgi?id=192983
1057
1058         Reviewed by Mark Lam.
1059
1060         Added a new test for a case that was triggering a RELEASE_ASSERT when
1061         testing.
1062         Disable some slow tests that were already disabled for arm and x86.
1063
1064         * stress/json-parse-big-object.js: Added.
1065         * stress/new-largeish-contiguous-array-with-size.js:
1066         * stress/op_add.js:
1067         * stress/op_bitand.js:
1068         * stress/op_bitor.js:
1069         * stress/op_bitxor.js:
1070         * stress/op_lshift-ConstVar.js:
1071         * stress/op_lshift-VarConst.js:
1072         * stress/op_lshift-VarVar.js:
1073         * stress/op_mod-ConstVar.js:
1074         * stress/op_mod-VarConst.js:
1075         * stress/op_mod-VarVar.js:
1076         * stress/op_mul-ConstVar.js:
1077         * stress/op_mul-VarConst.js:
1078         * stress/op_mul-VarVar.js:
1079         * stress/op_rshift-ConstVar.js:
1080         * stress/op_rshift-VarConst.js:
1081         * stress/op_rshift-VarVar.js:
1082         * stress/op_sub-ConstVar.js:
1083         * stress/op_sub-VarConst.js:
1084         * stress/op_sub-VarVar.js:
1085         * stress/op_urshift-ConstVar.js:
1086         * stress/op_urshift-VarConst.js:
1087         * stress/op_urshift-VarVar.js:
1088         * stress/sampling-profiler-richards.js:
1089         * stress/spread-forward-call-varargs-stack-overflow.js:
1090
1091 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1092
1093         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1094         https://bugs.webkit.org/show_bug.cgi?id=193711
1095         <rdar://problem/47250262>
1096
1097         Reviewed by Saam Barati.
1098
1099         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1100         (shouldBe):
1101         (foo):
1102         (bar):
1103         (baz):
1104
1105 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1106
1107         Unreviewed, fix initial global lexical binding epoch
1108         https://bugs.webkit.org/show_bug.cgi?id=193603
1109         <rdar://problem/47380869>
1110
1111         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1112         (f1.f2.f3.f4):
1113         (f1.f2.f3):
1114         (f1.f2):
1115         (f1):
1116
1117 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1118
1119         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1120         https://bugs.webkit.org/show_bug.cgi?id=193709
1121         <rdar://problem/47363838>
1122
1123         Unreviewed, rollout to watch the tests.
1124
1125         * stress/object-tostring-changed-proto.js: Removed.
1126         * stress/object-tostring-changed.js: Removed.
1127         * stress/object-tostring-misc.js: Removed.
1128         * stress/object-tostring-other.js: Removed.
1129         * stress/object-tostring-untyped.js: Removed.
1130
1131 2019-01-22  Saam Barati  <sbarati@apple.com>
1132
1133         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1134
1135         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1136         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1137         (testUncheckedLessThanZero):
1138         (testUncheckedLessThanOrEqualZero):
1139         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1140         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1141
1142 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1143
1144         [JSC] Invalidate old scope operations using global lexical binding epoch
1145         https://bugs.webkit.org/show_bug.cgi?id=193603
1146         <rdar://problem/47380869>
1147
1148         Reviewed by Saam Barati.
1149
1150         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1151         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1152         (shouldThrow):
1153         (bar):
1154         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1155         (shouldBe):
1156         (get1):
1157         (get2):
1158         (get1If):
1159         (get2If):
1160         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1161         (shouldThrow):
1162         (foo):
1163
1164 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1165
1166         Unreviewed, roll out r240220 due to date-format-xparb regression
1167         https://bugs.webkit.org/show_bug.cgi?id=193603
1168
1169         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1170         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1171         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1172         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1173
1174 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1175
1176         DoesGC rule is wrong for nodes with BigIntUse
1177         https://bugs.webkit.org/show_bug.cgi?id=193652
1178
1179         Reviewed by Saam Barati.
1180
1181         * stress/big-int-value-op-update-gc-rules.js: Added.
1182         (assert):
1183         (doesGCAdd):
1184         (doesGCSub):
1185         (doesGCDiv):
1186         (doesGCMul):
1187         (doesGCBitAnd):
1188         (doesGCBitOr):
1189         (doesGCBitXor):
1190
1191 2019-01-20  Saam Barati  <sbarati@apple.com>
1192
1193         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1194         https://bugs.webkit.org/show_bug.cgi?id=193644
1195         <rdar://problem/46209745>
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1200         (foo):
1201         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1202         (foo):
1203         (bar):
1204
1205 2019-01-20  Saam Barati  <sbarati@apple.com>
1206
1207         MovHint must merge NodeBytecodeUsesAsValue for its child
1208         https://bugs.webkit.org/show_bug.cgi?id=186916
1209         <rdar://problem/41396612>
1210
1211         Reviewed by Yusuke Suzuki.
1212
1213         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1214         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1215
1216 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1217
1218         [JSC] Invalidate old scope operations using global lexical binding epoch
1219         https://bugs.webkit.org/show_bug.cgi?id=193603
1220         <rdar://problem/47380869>
1221
1222         Reviewed by Saam Barati.
1223
1224         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1225         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1226         (shouldThrow):
1227         (bar):
1228         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1229         (shouldBe):
1230         (get1):
1231         (get2):
1232         (get1If):
1233         (get2If):
1234         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1235         (shouldThrow):
1236         (foo):
1237
1238 2019-01-17  Saam barati  <sbarati@apple.com>
1239
1240         StringObjectUse should not be a structure check for the original string object structure
1241         https://bugs.webkit.org/show_bug.cgi?id=193483
1242         <rdar://problem/47280522>
1243
1244         Reviewed by Yusuke Suzuki.
1245
1246         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1247         (foo):
1248         (a.valueOf.0):
1249
1250 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1251
1252         [JSC] ToThis omission in DFGByteCodeParser is wrong
1253         https://bugs.webkit.org/show_bug.cgi?id=193513
1254         <rdar://problem/45842236>
1255
1256         Reviewed by Saam Barati.
1257
1258         * stress/to-this-omission-with-different-strict-modes.js: Added.
1259         (thisA):
1260         (thisAStrictWrapper):
1261
1262 2019-01-15  Mark Lam  <mark.lam@apple.com>
1263
1264         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1265         https://bugs.webkit.org/show_bug.cgi?id=193423
1266         <rdar://problem/46209355>
1267
1268         Reviewed by Saam Barati.
1269
1270         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1271         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1272         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1273         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1274
1275 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1276
1277         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1278         https://bugs.webkit.org/show_bug.cgi?id=193438
1279         <rdar://problem/45581249>
1280
1281         Reviewed by Saam Barati and Keith Miller.
1282
1283         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1284         Then, GetByVal(String) crashed.
1285
1286         * stress/string-get-by-val-lowering.js: Added.
1287         (shouldBe):
1288         (test):
1289         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1290         (Hello):
1291         (foo):
1292
1293 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1294
1295         Unreviewed, skip JIT tests if it's not enabled
1296
1297         * stress/bit-op-with-object-returning-int32.js:
1298
1299 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1300
1301         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1302         https://bugs.webkit.org/show_bug.cgi?id=192966
1303
1304         Reviewed by Yusuke Suzuki.
1305
1306         * stress/bit-op-with-object-returning-int32.js: Added.
1307
1308 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1309
1310         Skip a slow test and a flakey test on arm
1311
1312         Unreviewed gardening.
1313
1314         * typeProfiler/getter-richards.js:
1315         this test always times out, it used to be always skipped on arm and
1316         mips, but got accidentally enabled by r237919 now that we have DFG on
1317         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1318
1319 2019-01-14  Keith Miller  <keith_miller@apple.com>
1320
1321         Skip type-check-hoisting-phase-hoist... with no jit
1322         https://bugs.webkit.org/show_bug.cgi?id=193421
1323
1324         Reviewed by Mark Lam.
1325
1326         It's timing out the 32-bit bots and takes 330 seconds
1327         on my machine when run by itself.
1328
1329         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1330
1331 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1332
1333         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1334         https://bugs.webkit.org/show_bug.cgi?id=193413
1335         <rdar://problem/46092389>
1336
1337         Reviewed by Keith Miller.
1338
1339         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1340         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1341         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1342         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1343
1344         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1345         (compareArray):
1346
1347 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1348
1349         [BigInt] Literal parsing is crashing when used inside a Object Literal
1350         https://bugs.webkit.org/show_bug.cgi?id=193404
1351
1352         Reviewed by Yusuke Suzuki.
1353
1354         * stress/big-int-literal-inside-literal-object.js: Added.
1355
1356 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1357
1358         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1359         https://bugs.webkit.org/show_bug.cgi?id=193372
1360
1361         Reviewed by Saam Barati.
1362
1363         * stress/typed-array-array-modes-profile.js: Added.
1364         (foo):
1365
1366 2019-01-14  Mark Lam  <mark.lam@apple.com>
1367
1368         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1369         https://bugs.webkit.org/show_bug.cgi?id=193402
1370         <rdar://problem/46012309>
1371
1372         Reviewed by Keith Miller.
1373
1374         * stress/regexp-compile-oom.js:
1375         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1376           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1377
1378 2019-01-11  Saam barati  <sbarati@apple.com>
1379
1380         DFG combined liveness can be wrong for terminal basic blocks
1381         https://bugs.webkit.org/show_bug.cgi?id=193304
1382         <rdar://problem/45268632>
1383
1384         Reviewed by Yusuke Suzuki.
1385
1386         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1387
1388 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1389
1390         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1391         https://bugs.webkit.org/show_bug.cgi?id=193308
1392         <rdar://problem/45546542>
1393
1394         Reviewed by Saam Barati.
1395
1396         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1397         (shouldThrow):
1398         (shouldBe):
1399         (foo):
1400         (get shouldThrow):
1401         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1402         (shouldThrow):
1403         (shouldBe):
1404         (foo):
1405         (get shouldBe):
1406         (get shouldThrow):
1407         (get return):
1408         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1409         (shouldThrow):
1410         (shouldBe):
1411         (foo):
1412         (get shouldBe):
1413         (get shouldThrow):
1414         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1415         (shouldThrow):
1416         (shouldBe):
1417         (foo):
1418         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1419         (shouldThrow):
1420         (shouldBe):
1421         (foo):
1422         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1423         (shouldThrow):
1424         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1425         (shouldThrow):
1426         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1427         (shouldThrow):
1428         (shouldBe):
1429         (foo):
1430         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1431         (shouldThrow):
1432         (shouldBe):
1433         (foo):
1434         (get shouldBe):
1435         (get shouldThrow):
1436         (get return):
1437         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1438         (shouldThrow):
1439         (shouldBe):
1440         (foo):
1441         (get shouldBe):
1442         (get shouldThrow):
1443         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1444         (shouldThrow):
1445         (shouldBe):
1446         (foo):
1447         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1448         (shouldThrow):
1449         (shouldBe):
1450         (foo):
1451
1452 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1453
1454         Enable DFG on ARM/Linux again
1455         https://bugs.webkit.org/show_bug.cgi?id=192496
1456
1457         Reviewed by Yusuke Suzuki.
1458
1459         Test wasn't really skipped before moving the line with skip
1460         to the top.
1461
1462         * stress/regress-192717.js:
1463
1464 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1465
1466         Unreviewed, rolling out r239825.
1467         https://bugs.webkit.org/show_bug.cgi?id=193330
1468
1469         Broke tests on armv7/linux bots (Requested by guijemont on
1470         #webkit).
1471
1472         Reverted changeset:
1473
1474         "Enable DFG on ARM/Linux again"
1475         https://bugs.webkit.org/show_bug.cgi?id=192496
1476         https://trac.webkit.org/changeset/239825
1477
1478 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1479
1480         Enable DFG on ARM/Linux again
1481         https://bugs.webkit.org/show_bug.cgi?id=192496
1482
1483         Reviewed by Yusuke Suzuki.
1484
1485         Test wasn't really skipped before moving the line with skip
1486         to the top.
1487
1488         * stress/regress-192717.js:
1489
1490 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1491
1492         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1493         https://bugs.webkit.org/show_bug.cgi?id=193127
1494
1495         Reviewed by Saam Barati.
1496
1497         * stress/array-species-create-should-handle-masquerader.js: Added.
1498         (shouldThrow):
1499         * stress/is-undefined-or-null-builtin.js: Added.
1500         (shouldBe):
1501         (isUndefinedOrNull.vm.createBuiltin):
1502
1503 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1504
1505         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1506         https://bugs.webkit.org/show_bug.cgi?id=193221
1507
1508         Reviewed by Mark Lam.
1509
1510         * stress/put-by-id-flags.js: Added.
1511         (f):
1512         (g):
1513         (numberOfDFGCompiles):
1514
1515 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1516
1517         Baseline version of get_by_id may corrupt metadata
1518         https://bugs.webkit.org/show_bug.cgi?id=193085
1519         <rdar://problem/23453006>
1520
1521         Reviewed by Saam Barati.
1522
1523         * stress/get-by-id-change-mode.js: Added.
1524         (forEach):
1525
1526 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1527
1528         [JSC] Optimize Object.prototype.toString
1529         https://bugs.webkit.org/show_bug.cgi?id=193031
1530
1531         Reviewed by Saam Barati.
1532
1533         * stress/object-tostring-changed-proto.js: Added.
1534         (shouldBe):
1535         (test):
1536         * stress/object-tostring-changed.js: Added.
1537         (shouldBe):
1538         (test):
1539         * stress/object-tostring-misc.js: Added.
1540         (shouldBe):
1541         (test):
1542         (i.switch):
1543         * stress/object-tostring-other.js: Added.
1544         (shouldBe):
1545         (test):
1546         * stress/object-tostring-untyped.js: Added.
1547         (shouldBe):
1548         (test):
1549         (i.switch):
1550
1551 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1552
1553         test262-runner misbehaves when test file YAML has a trailing space
1554         https://bugs.webkit.org/show_bug.cgi?id=193053
1555
1556         Reviewed by Yusuke Suzuki.
1557
1558         * test262/expectations.yaml:
1559         Mark two dozen tests as passing (and correct the output of another).
1560
1561 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1562
1563         Unreviewed, JSTests gardening with memoryLimited
1564
1565         * stress/string-overflow-createError.js:
1566
1567 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1568
1569         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1570         https://bugs.webkit.org/show_bug.cgi?id=193050
1571
1572         Reviewed by Yusuke Suzuki.
1573
1574         * test262.yaml:
1575         * test262/expectations.yaml:
1576         Mark 16 tests as passing.
1577
1578 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1579
1580         [BigInt] Support BigInt in JSON.stringify
1581         https://bugs.webkit.org/show_bug.cgi?id=192624
1582
1583         Reviewed by Saam Barati.
1584
1585         * stress/big-int-json-stringify-to-json.js: Added.
1586         (shouldBe):
1587         (shouldThrow):
1588         (BigInt.prototype.toJSON):
1589         (shouldBe.JSON.stringify):
1590         * stress/big-int-json-stringify.js: Added.
1591         (shouldBe):
1592         (shouldThrow):
1593
1594 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1595
1596         [JSC] Implement "well-formed JSON.stringify" proposal
1597         https://bugs.webkit.org/show_bug.cgi?id=191677
1598
1599         Reviewed by Darin Adler.
1600
1601         * stress/json-surrogate-pair.js: Added.
1602         (shouldBe):
1603         * test262/expectations.yaml:
1604
1605 2018-12-20  Keith Miller  <keith_miller@apple.com>
1606
1607         Add support for globalThis
1608         https://bugs.webkit.org/show_bug.cgi?id=165171
1609
1610         Reviewed by Mark Lam.
1611
1612         * test262/config.yaml:
1613
1614 2018-12-19  Keith Miller  <keith_miller@apple.com>
1615
1616         Update test262 configuration to not run tests dependent on ICU version.
1617         https://bugs.webkit.org/show_bug.cgi?id=192920
1618
1619         Reviewed by Saam Barati.
1620
1621         * test262/expectations.yaml:
1622
1623 2018-12-20  Mark Lam  <mark.lam@apple.com>
1624
1625         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1626         https://bugs.webkit.org/show_bug.cgi?id=192939
1627         <rdar://problem/46869516>
1628
1629         Reviewed by Keith Miller.
1630
1631         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1632
1633 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1634
1635         WTF::String and StringImpl overflow MaxLength
1636         https://bugs.webkit.org/show_bug.cgi?id=192853
1637         <rdar://problem/45726906>
1638
1639         Reviewed by Mark Lam.
1640
1641         * stress/string-16bit-repeat-overflow.js: Added.
1642         (catch):
1643
1644 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1645
1646         Unreviewed follow-up to r192914.
1647
1648         * test262/expectations.yaml:
1649         Add the last 20 missing expectations.
1650
1651 2018-12-19  Keith Miller  <keith_miller@apple.com>
1652
1653         Fix test262 expectations
1654         https://bugs.webkit.org/show_bug.cgi?id=192914
1655
1656         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1657
1658         * test262/expectations.yaml:
1659
1660 2018-12-19  Keith Miller  <keith_miller@apple.com>
1661
1662         Update test262 tests.
1663         https://bugs.webkit.org/show_bug.cgi?id=192907
1664
1665         Rubber stamped by Mark Lam.
1666
1667         * test262/*: Omitted because prepare-changelog crashes.
1668
1669 2018-12-19  Mark Lam  <mark.lam@apple.com>
1670
1671         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1672         https://bugs.webkit.org/show_bug.cgi?id=192464
1673         <rdar://problem/46519455>
1674
1675         Reviewed by Saam Barati.
1676
1677         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1678         microbenchmark.
1679
1680         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1681         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1682
1683 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1684
1685         String overflow in JSC::createError results in ASSERT in WTF::makeString
1686         https://bugs.webkit.org/show_bug.cgi?id=192833
1687         <rdar://problem/45706868>
1688
1689         Reviewed by Mark Lam.
1690
1691         * stress/string-overflow-createError.js: Added.
1692
1693 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1694
1695         Error message for `-x ** y` contains a typo.
1696         https://bugs.webkit.org/show_bug.cgi?id=192832
1697
1698         Reviewed by Saam Barati.
1699
1700         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1701         (assert.assert.return.throws):
1702         * stress/pow-expects-update-expression-on-lhs.js:
1703         (throw.new.Error):
1704         Update test expectations which match against the exact error message.
1705
1706 2018-12-18  Mark Lam  <mark.lam@apple.com>
1707
1708         Gardening: test options fix.
1709         https://bugs.webkit.org/show_bug.cgi?id=192822
1710
1711         Unreviewed.
1712
1713         * stress/json-stringify-string-builder-overflow.js:
1714
1715 2018-12-18  Mark Lam  <mark.lam@apple.com>
1716
1717         JSON.stringify() should throw OOM on StringBuilder overflows.
1718         https://bugs.webkit.org/show_bug.cgi?id=192822
1719         <rdar://problem/46670577>
1720
1721         Reviewed by Saam Barati.
1722
1723         * stress/json-stringify-string-builder-overflow.js: Added.
1724
1725 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1726
1727         Redeclaration of var over let/const/class should be a syntax error.
1728         https://bugs.webkit.org/show_bug.cgi?id=192298
1729
1730         Reviewed by Keith Miller.
1731
1732         * test262.yaml:
1733         * test262/expectations.yaml:
1734         Mark 46 tests as passing.
1735
1736         * stress/block-scope-redeclarations.js:
1737         Add some new tests.
1738
1739         * stress/for-in-invalidate-context-weird-assignments.js:
1740         * stress/for-in-tests.js:
1741         Replace tests for outdated behavior with tests for SyntaxError.
1742
1743         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1744         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1745         Update expectations.
1746
1747 2018-12-18  Mark Lam  <mark.lam@apple.com>
1748
1749         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1750         https://bugs.webkit.org/show_bug.cgi?id=191374
1751         <rdar://problem/46525447>
1752
1753         Reviewed by Yusuke Suzuki.
1754
1755         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1756
1757         * stress/elidable-new-object-roflcopter-then-exit.js:
1758
1759 2018-12-17  Mark Lam  <mark.lam@apple.com>
1760
1761         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1762         https://bugs.webkit.org/show_bug.cgi?id=192019
1763         <rdar://problem/46525456>
1764
1765         Reviewed by Yusuke Suzuki.
1766
1767         The test runs too slow on 32-bit.
1768
1769         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1770
1771 2018-12-17  Mark Lam  <mark.lam@apple.com>
1772
1773         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1774         https://bugs.webkit.org/show_bug.cgi?id=191373
1775         <rdar://problem/46525458>
1776
1777         Reviewed by Yusuke Suzuki.
1778
1779         The test is already slow running with a JIT on 64-bit.  It will always timeout
1780         on 32-bit without a JIT.
1781
1782         * stress/materialize-regexp-cyclic-regexp.js:
1783
1784 2018-12-17  Mark Lam  <mark.lam@apple.com>
1785
1786         Array unshift/shift should not race against the AI in the compiler thread.
1787         https://bugs.webkit.org/show_bug.cgi?id=192795
1788         <rdar://problem/46724263>
1789
1790         Reviewed by Saam Barati.
1791
1792         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1793
1794 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1795
1796         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1797         https://bugs.webkit.org/show_bug.cgi?id=190047
1798
1799         Reviewed by Saam Barati.
1800
1801         * stress/object-keys-cached-zero.js: Added.
1802         (shouldBe):
1803         (test):
1804         * stress/object-keys-changed-attribute.js: Added.
1805         (shouldBe):
1806         (test):
1807         * stress/object-keys-changed-index.js: Added.
1808         (shouldBe):
1809         (test):
1810         * stress/object-keys-changed.js: Added.
1811         (shouldBe):
1812         (test):
1813         * stress/object-keys-indexed-non-cache.js: Added.
1814         (shouldBe):
1815         (test):
1816         * stress/object-keys-overrides-get-property-names.js: Added.
1817         (shouldBe):
1818         (test):
1819         (noInline):
1820
1821 2018-12-17  Mark Lam  <mark.lam@apple.com>
1822
1823         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1824         https://bugs.webkit.org/show_bug.cgi?id=192779
1825         <rdar://problem/46775869>
1826
1827         Reviewed by Saam Barati.
1828
1829         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1830
1831 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1832
1833         Unreviewed test gardening, address a syntax error in a new test.
1834
1835         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1836
1837 2018-12-17  Mark Lam  <mark.lam@apple.com>
1838
1839         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1840         https://bugs.webkit.org/show_bug.cgi?id=192776
1841         <rdar://problem/46772368>
1842
1843         Reviewed by Keith Miller.
1844
1845         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1846
1847 2018-12-17  Mark Lam  <mark.lam@apple.com>
1848
1849         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1850         https://bugs.webkit.org/show_bug.cgi?id=192770
1851         <rdar://problem/46449037>
1852
1853         Reviewed by Keith Miller.
1854
1855         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1856
1857 2018-12-14  Mark Lam  <mark.lam@apple.com>
1858
1859         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1860         https://bugs.webkit.org/show_bug.cgi?id=192717
1861         <rdar://problem/46660677>
1862
1863         Reviewed by Saam Barati.
1864
1865         * stress/regress-192717.js: Added.
1866
1867 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1868
1869         Unreviewed, rolling out r239153, r239154, and r239155.
1870         https://bugs.webkit.org/show_bug.cgi?id=192715
1871
1872         Caused flaky GC-related crashes seen with layout tests
1873         (Requested by ryanhaddad on #webkit).
1874
1875         Reverted changesets:
1876
1877         "[JSC] Optimize Object.keys by caching own keys results in
1878         StructureRareData"
1879         https://bugs.webkit.org/show_bug.cgi?id=190047
1880         https://trac.webkit.org/changeset/239153
1881
1882         "Unreviewed, build fix after r239153"
1883         https://bugs.webkit.org/show_bug.cgi?id=190047
1884         https://trac.webkit.org/changeset/239154
1885
1886         "Unreviewed, build fix after r239153, part 2"
1887         https://bugs.webkit.org/show_bug.cgi?id=190047
1888         https://trac.webkit.org/changeset/239155
1889
1890 2018-12-14  Keith Miller  <keith_miller@apple.com>
1891
1892         Callers of JSString::getIndex should check for OOM exceptions
1893         https://bugs.webkit.org/show_bug.cgi?id=192709
1894
1895         Reviewed by Mark Lam.
1896
1897         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1898
1899 2018-12-13  Mark Lam  <mark.lam@apple.com>
1900
1901         Add a missing exception check.
1902         https://bugs.webkit.org/show_bug.cgi?id=192626
1903         <rdar://problem/46662163>
1904
1905         Reviewed by Keith Miller.
1906
1907         * stress/regress-192626.js: Added.
1908
1909 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1910
1911         [BigInt] Add ValueDiv into DFG
1912         https://bugs.webkit.org/show_bug.cgi?id=186178
1913
1914         Reviewed by Yusuke Suzuki.
1915
1916         * stress/big-int-div-jit-osr.js: Added.
1917         * stress/big-int-div-jit-untyped.js: Added.
1918         * stress/value-div-fixup-int32-big-int.js: Added.
1919
1920 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1921
1922         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1923         https://bugs.webkit.org/show_bug.cgi?id=190047
1924
1925         Reviewed by Keith Miller.
1926
1927         * stress/object-keys-cached-zero.js: Added.
1928         (shouldBe):
1929         (test):
1930         * stress/object-keys-changed-attribute.js: Added.
1931         (shouldBe):
1932         (test):
1933         * stress/object-keys-changed-index.js: Added.
1934         (shouldBe):
1935         (test):
1936         * stress/object-keys-changed.js: Added.
1937         (shouldBe):
1938         (test):
1939         * stress/object-keys-indexed-non-cache.js: Added.
1940         (shouldBe):
1941         (test):
1942         * stress/object-keys-overrides-get-property-names.js: Added.
1943         (shouldBe):
1944         (test):
1945         (noInline):
1946
1947 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1948
1949         [DFG][FTL] Add NewSymbol
1950         https://bugs.webkit.org/show_bug.cgi?id=192620
1951
1952         Reviewed by Saam Barati.
1953
1954         * microbenchmarks/symbol-creation.js: Added.
1955         (test):
1956         * stress/symbol-description-identity.js: Added.
1957         (shouldBe):
1958         (test):
1959         * stress/symbol-identity.js: Added.
1960         (shouldBe):
1961         (test):
1962         * stress/symbol-with-description-throw-error.js: Added.
1963         (shouldBe):
1964         (shouldThrow):
1965         (test):
1966         (object.toString):
1967
1968 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1969
1970         [BigInt] Implement DFG/FTL typeof for BigInt
1971         https://bugs.webkit.org/show_bug.cgi?id=192619
1972
1973         Reviewed by Keith Miller.
1974
1975         * stress/big-int-boolean-proven-type.js: Added.
1976         (assert):
1977         (bool):
1978         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1979         (assert):
1980         (typeOf):
1981         (i.switch):
1982         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1983         (assert):
1984         (typeOf):
1985         * stress/big-int-type-of.js:
1986         (typeOf):
1987         (func):
1988
1989 2018-12-10  Mark Lam  <mark.lam@apple.com>
1990
1991         PropertyAttribute needs a CustomValue bit.
1992         https://bugs.webkit.org/show_bug.cgi?id=191993
1993         <rdar://problem/46264467>
1994
1995         Reviewed by Saam Barati.
1996
1997         * stress/regress-191993.js: Added.
1998
1999 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2000
2001         [BigInt] Add ValueMul into DFG
2002         https://bugs.webkit.org/show_bug.cgi?id=186175
2003
2004         Reviewed by Yusuke Suzuki.
2005
2006         * stress/big-int-mul-jit-osr.js: Added.
2007         * stress/big-int-mul-jit-untyped.js: Added.
2008         * stress/value-mul-fixup-int32-big-int.js: Added.
2009
2010 2018-12-06  Keith Miller  <keith_miller@apple.com>
2011
2012         stress/big-wasm-memory tests failing on 32-bit JSC bot
2013         https://bugs.webkit.org/show_bug.cgi?id=192020
2014
2015         Reviewed by Saam Barati.
2016
2017         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2018         the wasm stress tests if the WebAssembly object does not exist.
2019
2020         * stress/big-wasm-memory-grow-no-max.js:
2021         (test.foo):
2022         (test):
2023         (foo): Deleted.
2024         (catch): Deleted.
2025         * stress/big-wasm-memory-grow.js:
2026         (test.foo):
2027         (test):
2028         (foo): Deleted.
2029         (catch): Deleted.
2030         * stress/big-wasm-memory.js:
2031         (test.foo):
2032         (test):
2033         (foo): Deleted.
2034         (catch): Deleted.
2035
2036 2018-12-05  Mark Lam  <mark.lam@apple.com>
2037
2038         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2039         https://bugs.webkit.org/show_bug.cgi?id=192441
2040         <rdar://problem/46480355>
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/regress-192441.js: Added.
2045
2046 2018-12-04  Mark Lam  <mark.lam@apple.com>
2047
2048         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2049         https://bugs.webkit.org/show_bug.cgi?id=192386
2050         <rdar://problem/46445516>
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/regress-192386.js: Added.
2055
2056 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2057
2058         [ESNext][BigInt] Support logic operations
2059         https://bugs.webkit.org/show_bug.cgi?id=179903
2060
2061         Reviewed by Yusuke Suzuki.
2062
2063         * stress/big-int-branch-usage.js: Added.
2064         * stress/big-int-logical-and.js: Added.
2065         * stress/big-int-logical-not.js: Added.
2066         * stress/big-int-logical-or.js: Added.
2067
2068 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2069
2070         Unreviewed, rolling out r238833.
2071
2072         Breaks macOS and iOS debug builds.
2073
2074         Reverted changeset:
2075
2076         "[ESNext][BigInt] Support logic operations"
2077         https://bugs.webkit.org/show_bug.cgi?id=179903
2078         https://trac.webkit.org/changeset/238833
2079
2080 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2081
2082         [ESNext][BigInt] Support logic operations
2083         https://bugs.webkit.org/show_bug.cgi?id=179903
2084
2085         Reviewed by Yusuke Suzuki.
2086
2087         * stress/big-int-branch-usage.js: Added.
2088         * stress/big-int-logical-and.js: Added.
2089         * stress/big-int-logical-not.js: Added.
2090         * stress/big-int-logical-or.js: Added.
2091
2092 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2093
2094         [ESNext][BigInt] Implement support for "<<" and ">>"
2095         https://bugs.webkit.org/show_bug.cgi?id=186233
2096
2097         Reviewed by Yusuke Suzuki.
2098
2099         * stress/big-int-left-shift-general.js: Added.
2100         * stress/big-int-left-shift-range-error.js: Added.
2101         * stress/big-int-left-shift-type-error.js: Added.
2102         * stress/big-int-left-shift-wrapped-value.js: Added.
2103         * stress/big-int-right-shift-general.js: Added.
2104         * stress/big-int-right-shift-type-error.js: Added.
2105         * stress/big-int-right-shift-wrapped-value.js: Added.
2106         * stress/left-shift-to-primitive-precedence.js: Added.
2107         * stress/right-shift-to-primitive-precedence.js: Added.
2108
2109 2018-11-30  Dean Jackson  <dino@apple.com>
2110
2111         Add first-class support for .mjs files in jsc binary
2112         https://bugs.webkit.org/show_bug.cgi?id=192190
2113         <rdar://problem/46375715>
2114
2115         Reviewed by Keith Miller.
2116
2117         * stress/simple-module.mjs: Added.
2118         * stress/simple-script.js: Added.
2119
2120 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2121
2122         [BigInt] Implement ValueBitXor into DFG
2123         https://bugs.webkit.org/show_bug.cgi?id=190264
2124
2125         Reviewed by Yusuke Suzuki.
2126
2127         * stress/big-int-bitwise-xor-jit.js: Added.
2128         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2129         * stress/big-int-bitwise-xor-untyped.js: Added.
2130
2131 2018-11-27  Saam barati  <sbarati@apple.com>
2132
2133         r238510 broke scopes of size zero
2134         https://bugs.webkit.org/show_bug.cgi?id=192033
2135         <rdar://problem/46281734>
2136
2137         Reviewed by Keith Miller.
2138
2139         * stress/r238510-bad-loop.js: Added.
2140         (foo):
2141
2142 2018-11-27  Mark Lam  <mark.lam@apple.com>
2143
2144         [Re-landing] NaNs read from Wasm code needs to be be purified.
2145         https://bugs.webkit.org/show_bug.cgi?id=191056
2146         <rdar://problem/45660341>
2147
2148         Reviewed by Filip Pizlo.
2149
2150         * wasm/regress/regress-191056.js: Added.
2151
2152 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2153
2154         Unreviewed, rolling out r238509.
2155
2156         Causes JSC tests to fail on iOS.
2157
2158         Reverted changeset:
2159
2160         "NaNs read from Wasm code needs to be be purified."
2161         https://bugs.webkit.org/show_bug.cgi?id=191056
2162         https://trac.webkit.org/changeset/238509
2163
2164 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2165
2166         Re-introduce op_bitnot
2167         https://bugs.webkit.org/show_bug.cgi?id=190923
2168
2169         Reviewed by Yusuke Suzuki.
2170
2171         * stress/bit-not-must-generate.js: Added.
2172         * stress/bitwise-not-no-int32.js: Added.
2173
2174 2018-11-26  Saam barati  <sbarati@apple.com>
2175
2176         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2177         https://bugs.webkit.org/show_bug.cgi?id=191956
2178         <rdar://problem/45665806>
2179
2180         Reviewed by Yusuke Suzuki.
2181
2182         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2183         (bar):
2184         (foo):
2185
2186 2018-11-26  Saam barati  <sbarati@apple.com>
2187
2188         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2189         https://bugs.webkit.org/show_bug.cgi?id=191958
2190         <rdar://problem/46221877>
2191
2192         Reviewed by Yusuke Suzuki.
2193
2194         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2195         (x):
2196         (foo):
2197
2198 2018-11-26  Mark Lam  <mark.lam@apple.com>
2199
2200         NaNs read from Wasm code needs to be be purified.
2201         https://bugs.webkit.org/show_bug.cgi?id=191056
2202         <rdar://problem/45660341>
2203
2204         Reviewed by Filip Pizlo.
2205
2206         * wasm/regress/regress-191056.js: Added.
2207
2208 2018-11-26  Michael Saboff  <msaboff@apple.com>
2209
2210         32-bit JSC test failure: stress/regexp-compile-oom.js
2211         https://bugs.webkit.org/show_bug.cgi?id=191375
2212
2213         Reviewed by Mark Lam.
2214
2215         Disabled the test for 32 bit platforms.
2216
2217         * stress/regexp-compile-oom.js:
2218
2219 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2220
2221         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2222         https://bugs.webkit.org/show_bug.cgi?id=191716
2223         <rdar://problem/45723878>
2224
2225         Reviewed by Saam Barati.
2226
2227         * stress/regress-187373.js: Added.
2228         (async.fn):
2229
2230 2018-11-21  Saam barati  <sbarati@apple.com>
2231
2232         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2233         https://bugs.webkit.org/show_bug.cgi?id=191897
2234         <rdar://problem/45871998>
2235
2236         Reviewed by Mark Lam.
2237
2238         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2239         (bar):
2240         (foo):
2241
2242 2018-11-21  Saam barati  <sbarati@apple.com>
2243
2244         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2245         https://bugs.webkit.org/show_bug.cgi?id=191895
2246         <rdar://problem/46167406>
2247
2248         Reviewed by Mark Lam.
2249
2250         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2251         (foo):
2252         (bar):
2253
2254 2018-11-21  Mark Lam  <mark.lam@apple.com>
2255
2256         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2257         https://bugs.webkit.org/show_bug.cgi?id=191776
2258         <rdar://problem/46152851>
2259
2260         Reviewed by Saam Barati.
2261
2262         * stress/big-wasm-memory-grow-no-max.js:
2263         * stress/big-wasm-memory-grow.js:
2264         * stress/big-wasm-memory.js:
2265         - updated these to expect an OutOfMemoryError.
2266
2267         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2268         (Binary.prototype.emit_u8):
2269         (Binary.prototype.emit_u32v):
2270         (Binary.prototype.emit_header):
2271         (Binary.prototype.emit_section):
2272         (Binary):
2273         (WasmModuleBuilder):
2274         (WasmModuleBuilder.prototype.addMemory):
2275         (WasmModuleBuilder.prototype.toArray):
2276         (WasmModuleBuilder.prototype.toBuffer):
2277         (WasmModuleBuilder.prototype.instantiate):
2278         (catch):
2279         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2280         (catch):
2281
2282 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2283
2284         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2285         https://bugs.webkit.org/show_bug.cgi?id=190836
2286
2287         Reviewed by Saam Barati and Yusuke Suzuki.
2288
2289         * stress/big-int-out-of-memory-tests.js: Added.
2290
2291 2018-11-20  Mark Lam  <mark.lam@apple.com>
2292
2293         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2294         https://bugs.webkit.org/show_bug.cgi?id=191856
2295         <rdar://problem/46089992>
2296
2297         Reviewed by Yusuke Suzuki.
2298
2299         * stress/regress-191856.js: Added.
2300         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2301
2302 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2303
2304         Enable JIT on ARM/Linux
2305         https://bugs.webkit.org/show_bug.cgi?id=191548
2306
2307         Reviewed by Yusuke Suzuki.
2308
2309         Disable test on system with limited memory. Program was killed by
2310         the OS before the exception was thrown.
2311
2312         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2313
2314 2018-11-20  Saam barati  <sbarati@apple.com>
2315
2316         Merging an IC variant may lead to the IC status containing overlapping structure sets
2317         https://bugs.webkit.org/show_bug.cgi?id=191869
2318         <rdar://problem/45403453>
2319
2320         Reviewed by Mark Lam.
2321
2322         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2323
2324 2018-11-19  Mark Lam  <mark.lam@apple.com>
2325
2326         globalFuncImportModule() should return a promise when it clears exceptions.
2327         https://bugs.webkit.org/show_bug.cgi?id=191792
2328         <rdar://problem/46090763>
2329
2330         Reviewed by Michael Saboff.
2331
2332         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2333
2334 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2335
2336         Skip new memory-hungry tests on memory limited devices
2337
2338         Unreviewed gardening.
2339
2340         * stress/big-wasm-memory-grow-no-max.js:
2341         * stress/big-wasm-memory-grow.js:
2342         * stress/big-wasm-memory.js:
2343
2344 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2345
2346         Unreviewed, rolling in the rest of r237254
2347         https://bugs.webkit.org/show_bug.cgi?id=190340
2348
2349         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2350         * stress/function-cache-with-parameters-end-position.js: Added.
2351         (shouldBe):
2352         (shouldThrow):
2353         (i.anonymous):
2354         * stress/function-constructor-name.js: Added.
2355         (shouldBe):
2356         (GeneratorFunction):
2357         (AsyncFunction.async):
2358         (AsyncGeneratorFunction.async):
2359         (anonymous):
2360         (async.anonymous):
2361         * test262/expectations.yaml:
2362
2363 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2364
2365         All users of ArrayBuffer should agree on the same max size
2366         https://bugs.webkit.org/show_bug.cgi?id=191771
2367
2368         Reviewed by Mark Lam.
2369
2370         * stress/big-wasm-memory-grow-no-max.js: Added.
2371         (foo):
2372         (catch):
2373         * stress/big-wasm-memory-grow.js: Added.
2374         (foo):
2375         (catch):
2376         * stress/big-wasm-memory.js: Added.
2377         (foo):
2378         (catch):
2379
2380 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2381
2382         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2383         run for each JSC config since they're regression tests for runtime bugs.
2384
2385         * stress/json-stringified-overflow-2.js:
2386         * stress/json-stringified-overflow.js:
2387
2388 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2389
2390         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2391         config since they're regression tests for runtime bugs.
2392
2393         * stress/large-unshift-splice.js:
2394         * stress/regress-185888.js:
2395
2396 2018-11-16  Saam Barati  <sbarati@apple.com>
2397
2398         KnownCellUse should also have SpecCellCheck as its type filter
2399         https://bugs.webkit.org/show_bug.cgi?id=191729
2400         <rdar://problem/45872852>
2401
2402         Reviewed by Filip Pizlo.
2403
2404         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2405         (C):
2406
2407 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2408
2409         Fix assertion failure on BytecodeGenerator::recordOpcode
2410         https://bugs.webkit.org/show_bug.cgi?id=191724
2411         <rdar://problem/45724395>
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/regress-187373-2.js: Added.
2416         (foo):
2417
2418 2018-11-15  Mark Lam  <mark.lam@apple.com>
2419
2420         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2421         https://bugs.webkit.org/show_bug.cgi?id=191730
2422         <rdar://problem/46048517>
2423
2424         Reviewed by Saam Barati.
2425
2426         * stress/regress-187006.js: Removed.
2427           - this test is invalid because its sole purpose is to test for the non-spec
2428             compliant behavior that we just fixed.
2429
2430         * stress/regress-191730.js: Added.
2431
2432 2018-11-15  Mark Lam  <mark.lam@apple.com>
2433
2434         RegExp operations should not take fast patch if lastIndex is not numeric.
2435         https://bugs.webkit.org/show_bug.cgi?id=191731
2436         <rdar://problem/46017305>
2437
2438         Reviewed by Saam Barati.
2439
2440         * stress/regress-191731.js: Added.
2441
2442 2018-11-13  Saam Barati  <sbarati@apple.com>
2443
2444         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2445         https://bugs.webkit.org/show_bug.cgi?id=191600
2446
2447         Reviewed by Mark Lam.
2448
2449         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2450         (foo):
2451         (test):
2452         (bar):
2453
2454 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2455
2456         Unreviewed, rolling out r238132.
2457
2458         The test added with this change is timing out on Debug JSC
2459         bots.
2460
2461         Reverted changeset:
2462
2463         "[BigInt] JSBigInt::createWithLength should throw when length
2464         is greater than JSBigInt::maxLength"
2465         https://bugs.webkit.org/show_bug.cgi?id=190836
2466         https://trac.webkit.org/changeset/238132
2467
2468 2018-11-13  Mark Lam  <mark.lam@apple.com>
2469
2470         Add OOM detection to StringPrototype's substituteBackreferences().
2471         https://bugs.webkit.org/show_bug.cgi?id=191563
2472         <rdar://problem/45720428>
2473
2474         Reviewed by Saam Barati.
2475
2476         * stress/regress-191563.js: Added.
2477
2478 2018-11-13  Mark Lam  <mark.lam@apple.com>
2479
2480         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2481         https://bugs.webkit.org/show_bug.cgi?id=191579
2482         <rdar://problem/45942472>
2483
2484         Reviewed by Saam Barati.
2485
2486         * stress/regress-191579.js: Added.
2487
2488 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2489
2490         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2491         https://bugs.webkit.org/show_bug.cgi?id=190836
2492
2493         Reviewed by Saam Barati.
2494
2495         * stress/big-int-out-of-memory-tests.js: Added.
2496
2497 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2498
2499         U+180E is no longer a whitespace character
2500         https://bugs.webkit.org/show_bug.cgi?id=191415
2501
2502         Reviewed by Saam Barati.
2503
2504         * ChakraCore/test/es5/regexSpace.baseline:
2505         * ChakraCore/test/es6/unicode_whitespace.js:
2506         Update tests to latest version.
2507         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2508
2509         * test262.yaml:
2510         * test262/config.yaml:
2511         * test262/expectations.yaml:
2512         Update expectations.
2513
2514 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2515
2516         [BigInt] Add support to BigInt into ValueAdd
2517         https://bugs.webkit.org/show_bug.cgi?id=186177
2518
2519         Reviewed by Keith Miller.
2520
2521         * stress/big-int-negate-jit.js:
2522         * stress/value-add-big-int-and-string.js: Added.
2523         * stress/value-add-big-int-prediction-propagation.js: Added.
2524         * stress/value-add-big-int-untyped.js: Added.
2525
2526 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2527
2528         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2529         https://bugs.webkit.org/show_bug.cgi?id=191184
2530
2531         Reviewed by Saam Barati.
2532
2533         Most tests were failing due to timeouts, since they are too slow to
2534         run on CLoop. The exceptions are:
2535
2536         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2537         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2538         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2539         to change the stack size since CLoop requires it to be page aligned.
2540
2541         * microbenchmarks/array-push-1.js:
2542         * microbenchmarks/array-push-2.js:
2543         * microbenchmarks/elidable-new-object-dag.js:
2544         * microbenchmarks/elidable-new-object-roflcopter.js:
2545         * microbenchmarks/elidable-new-object-tree.js:
2546         * microbenchmarks/getter-richards.js:
2547         * microbenchmarks/sinkable-new-object-dag.js:
2548         * microbenchmarks/string-concat-long-convert.js:
2549         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2550         * slowMicrobenchmarks/array-push-3.js:
2551         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2552         * slowMicrobenchmarks/spread-small-array.js:
2553         * slowMicrobenchmarks/undefined-property-access.js:
2554         * stress/activation-sink-default-value-tdz-error.js:
2555         * stress/activation-sink-default-value.js:
2556         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2557         * stress/activation-sink-osrexit-default-value.js:
2558         * stress/activation-sink-osrexit.js:
2559         * stress/activation-sink.js:
2560         * stress/allow-math-ic-b3-code-duplication.js:
2561         * stress/array-push-multiple-int32.js:
2562         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2563         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2564         * stress/arrowfunction-lexical-this-activation-sink.js:
2565         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2566         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2567         * stress/elide-new-object-dag-then-exit.js:
2568         * stress/materialize-regexp-cyclic.js:
2569         * stress/new-regex-inline.js:
2570         * stress/op_add.js:
2571         * stress/op_bitand.js:
2572         * stress/op_bitor.js:
2573         * stress/op_bitxor.js:
2574         * stress/op_div-ConstVar.js:
2575         * stress/op_div-VarConst.js:
2576         * stress/op_div-VarVar.js:
2577         * stress/op_lshift-ConstVar.js:
2578         * stress/op_lshift-VarConst.js:
2579         * stress/op_lshift-VarVar.js:
2580         * stress/op_mod-ConstVar.js:
2581         * stress/op_mod-VarConst.js:
2582         * stress/op_mod-VarVar.js:
2583         * stress/op_mul-ConstVar.js:
2584         * stress/op_mul-VarConst.js:
2585         * stress/op_mul-VarVar.js:
2586         * stress/op_rshift-ConstVar.js:
2587         * stress/op_rshift-VarConst.js:
2588         * stress/op_rshift-VarVar.js:
2589         * stress/op_sub-ConstVar.js:
2590         * stress/op_sub-VarConst.js:
2591         * stress/op_sub-VarVar.js:
2592         * stress/op_urshift-ConstVar.js:
2593         * stress/op_urshift-VarConst.js:
2594         * stress/op_urshift-VarVar.js:
2595         * stress/proxy-get-set-correct-receiver.js:
2596         * stress/regress-179562.js:
2597         * stress/rest-parameter-many-arguments.js:
2598         * stress/sampling-profiler-richards.js:
2599         * stress/splay-flash-access-1ms.js:
2600         * stress/tailCallForwardArguments.js:
2601         * stress/typed-array-get-by-val-profiling.js:
2602         * typeProfiler/getter-richards.js:
2603
2604 2018-11-06  Michael Saboff  <msaboff@apple.com>
2605
2606         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2607         https://bugs.webkit.org/show_bug.cgi?id=191271
2608
2609         Reviewed by Saam Barati.
2610
2611         Added more test cases and made all test cases run with the same deeply recursive stack
2612         instead of finding that same point for each test case.
2613
2614         * stress/regexp-compile-oom.js:
2615         (prototype.runTest):
2616         (recurseAndTest):
2617         (testList.push.new.TestAndExpectedException):
2618
2619 2018-11-05  Michael Saboff  <msaboff@apple.com>
2620
2621         Unreviewed build fix for linux.
2622
2623         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2624
2625 2018-11-02  Michael Saboff  <msaboff@apple.com>
2626
2627         Rolling in r237753 with unreviewed build fix.
2628
2629         Fixed issues with DECLARE_THROW_SCOPE placement.
2630
2631 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2632
2633         Unreviewed, rolling out r237753.
2634
2635         Introduced JSC test failures
2636
2637         Reverted changeset:
2638
2639         "Running out of stack space not properly handled in
2640         RegExp::compile() and its callers"
2641         https://bugs.webkit.org/show_bug.cgi?id=191206
2642         https://trac.webkit.org/changeset/237753
2643
2644 2018-11-02  Michael Saboff  <msaboff@apple.com>
2645
2646         Running out of stack space not properly handled in RegExp::compile() and its callers
2647         https://bugs.webkit.org/show_bug.cgi?id=191206
2648
2649         Reviewed by Filip Pizlo.
2650
2651         New regression test.
2652
2653         * stress/regexp-compile-oom.js: Added.
2654         (recurseAndTest):
2655
2656 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2657
2658         Skip tests on arm/mips that time out now we're running on CLoop
2659
2660         Unreviewed gardening.
2661
2662         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2663         time out on the bots and need to be disabled. There's more tests
2664         disabled on arm because the timeout is longer on the mips bot (as the
2665         device is slower to start with), so many of the tests don't time out
2666         there.
2667
2668         * microbenchmarks/getter-richards.js: disable on arm and mips.
2669         * stress/op_add.js: disable on arm.
2670         * stress/op_bitand.js: disable on arm.
2671         * stress/op_bitor.js: disable on arm.
2672         * stress/op_bitxor.js: disable on arm.
2673         * stress/op_lshift-ConstVar.js: disable on arm.
2674         * stress/op_lshift-VarConst.js: disable on arm.
2675         * stress/op_lshift-VarVar.js: disable on arm.
2676         * stress/op_mod-ConstVar.js: disable on arm.
2677         * stress/op_mod-VarConst.js: disable on arm.
2678         * stress/op_mod-VarVar.js: disable on arm.
2679         * stress/op_mul-ConstVar.js: disable on arm.
2680         * stress/op_mul-VarConst.js: disable on arm.
2681         * stress/op_mul-VarVar.js: disable on arm.
2682         * stress/op_rshift-ConstVar.js: disable on arm.
2683         * stress/op_rshift-VarConst.js: disable on arm.
2684         * stress/op_rshift-VarVar.js: disable on arm.
2685         * stress/op_sub-ConstVar.js: disable on arm.
2686         * stress/op_sub-VarConst.js: disable on arm.
2687         * stress/op_sub-VarVar.js: disable on arm.
2688         * stress/op_urshift-ConstVar.js: disable on arm.
2689         * stress/op_urshift-VarConst.js: disable on arm.
2690         * stress/op_urshift-VarVar.js: disable on arm.
2691         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2692         * stress/value-to-boolean.js: disable on arm and mips.
2693
2694 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2695
2696         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2697         https://bugs.webkit.org/show_bug.cgi?id=191108
2698         <rdar://problem/45690700>
2699
2700         Reviewed by Saam Barati.
2701
2702         * stress/wide-op_catch.js: Added.
2703         (catch):
2704
2705 2018-10-29  Mark Lam  <mark.lam@apple.com>
2706
2707         Correctly detect string overflow when using the 'Function' constructor.
2708         https://bugs.webkit.org/show_bug.cgi?id=184883
2709         <rdar://problem/36320331>
2710
2711         Reviewed by Saam Barati.
2712
2713         I've verified that this passes on 32-bit as well.
2714
2715         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2716
2717 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2718
2719         Add support for GetStack FlushedDouble
2720         https://bugs.webkit.org/show_bug.cgi?id=191012
2721         <rdar://problem/45265141>
2722
2723         Reviewed by Saam Barati.
2724
2725         * stress/get-stack-double.js: Added.
2726         (bar):
2727         (noInline):
2728
2729 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2730
2731         New bytecode format for JSC
2732         https://bugs.webkit.org/show_bug.cgi?id=187373
2733         <rdar://problem/44186758>
2734
2735         Reviewed by Filip Pizlo.
2736
2737         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2738
2739         * stress/maximum-inline-capacity.js: Added.
2740         (test1):
2741         (test3.Foo):
2742         (test3):
2743
2744 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2745
2746         Unreviewed, rolling out r237479 and r237484.
2747         https://bugs.webkit.org/show_bug.cgi?id=190978
2748
2749         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2750
2751         Reverted changesets:
2752
2753         "New bytecode format for JSC"
2754         https://bugs.webkit.org/show_bug.cgi?id=187373
2755         https://trac.webkit.org/changeset/237479
2756
2757         "Gardening: Build fix after r237479."
2758         https://bugs.webkit.org/show_bug.cgi?id=187373
2759         https://trac.webkit.org/changeset/237484
2760
2761 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2762
2763         New bytecode format for JSC
2764         https://bugs.webkit.org/show_bug.cgi?id=187373
2765         <rdar://problem/44186758>
2766
2767         Reviewed by Filip Pizlo.
2768
2769         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2770
2771         * stress/maximum-inline-capacity.js: Added.
2772         (test1):
2773         (test3.Foo):
2774         (test3):
2775
2776 2018-10-26  Mark Lam  <mark.lam@apple.com>
2777
2778         Fix missing edge cases with JSGlobalObjects having a bad time.
2779         https://bugs.webkit.org/show_bug.cgi?id=189028
2780         <rdar://problem/45204939>
2781
2782         Reviewed by Saam Barati.
2783
2784         * stress/regress-189028.js: Added.
2785
2786 2018-10-22  Mark Lam  <mark.lam@apple.com>
2787
2788         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2789         https://bugs.webkit.org/show_bug.cgi?id=190515
2790         <rdar://problem/45222379>
2791
2792         Rubber-stamped by Saam Barati.
2793
2794         Adding another test.
2795
2796         * stress/regress-190515-2.js: Added.
2797
2798 2018-10-22  Mark Lam  <mark.lam@apple.com>
2799
2800         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2801         https://bugs.webkit.org/show_bug.cgi?id=190515
2802         <rdar://problem/45222379>
2803
2804         Reviewed by Saam Barati.
2805
2806         * stress/regress-190515.js: Added.
2807
2808 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2809
2810         Unreviewed, rolling out r237254.
2811         https://bugs.webkit.org/show_bug.cgi?id=190760
2812
2813         "It regresses JetStream 2 by 5% on some iOS devices"
2814         (Requested by saamyjoon on #webkit).
2815
2816         Reverted changeset:
2817
2818         "[JSC] JSC should have "parseFunction" to optimize Function
2819         constructor"
2820         https://bugs.webkit.org/show_bug.cgi?id=190340
2821         https://trac.webkit.org/changeset/237254
2822
2823 2018-10-19  Saam Barati  <sbarati@apple.com>
2824
2825         vmCall should check if we exit before emitting an OSR exit due to exceptions
2826         https://bugs.webkit.org/show_bug.cgi?id=190740
2827         <rdar://problem/45220139>
2828
2829         Reviewed by Mark Lam.
2830
2831         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2832         (foo):
2833
2834 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2835
2836         [ESNext][BigInt] Implement support for "^"
2837         https://bugs.webkit.org/show_bug.cgi?id=186235
2838
2839         Reviewed by Yusuke Suzuki.
2840
2841         * stress/big-int-bitwise-xor-general.js: Added.
2842         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2843         * stress/big-int-bitwise-xor-type-error.js: Added.
2844         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2845
2846 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2847
2848         [BigInt] Add ValueSub into DFG
2849         https://bugs.webkit.org/show_bug.cgi?id=186176
2850
2851         Reviewed by Yusuke Suzuki.
2852
2853         * stress/big-int-subtraction-jit.js:
2854         * stress/value-sub-big-int-prediction-propagation.js: Added.
2855         * stress/value-sub-big-int-untyped.js: Added.
2856         * stress/value-sub-spec-none-case.js: Added.
2857
2858 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2859
2860         [JSC] JSC should have "parseFunction" to optimize Function constructor
2861         https://bugs.webkit.org/show_bug.cgi?id=190340
2862
2863         Reviewed by Mark Lam.
2864
2865         This patch fixes the line number of syntax errors raised by the Function constructor,
2866         since we now parse the final code only once. And we no longer use block statement
2867         for Function constructor's parsing.
2868
2869         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2870         * stress/function-cache-with-parameters-end-position.js: Added.
2871         (shouldBe):
2872         (shouldThrow):
2873         (i.anonymous):
2874         * stress/function-constructor-name.js: Added.
2875         (shouldBe):
2876         (GeneratorFunction):
2877         (AsyncFunction.async):
2878         (AsyncGeneratorFunction.async):
2879         (anonymous):
2880         (async.anonymous):
2881         * test262/expectations.yaml:
2882
2883 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2884
2885         Unreviewed, rolling out r237242.
2886         https://bugs.webkit.org/show_bug.cgi?id=190701
2887
2888         it breaks "stress/sampling-profiler-basic.js" (Requested by
2889         caiolima on #webkit).
2890
2891         Reverted changeset:
2892
2893         "[BigInt] Add ValueSub into DFG"
2894         https://bugs.webkit.org/show_bug.cgi?id=186176
2895         https://trac.webkit.org/changeset/237242
2896
2897 2018-10-17  Keith Miller  <keith_miller@apple.com>
2898
2899         AI does not clear Phantom allocation nodes.
2900         https://bugs.webkit.org/show_bug.cgi?id=190694
2901
2902         Reviewed by Saam Barati.
2903
2904         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2905         (Day):
2906         (DaysInYear):
2907         (TimeInYear):
2908         (TimeFromYear):
2909         (DayFromYear):
2910         (InLeapYear):
2911         (YearFromTime):
2912         (WeekDay):
2913         (DaylightSavingTA):
2914         (GetSecondSundayInMarch):
2915         (TimeInMonth):
2916
2917 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2918
2919         [BigInt] Add ValueSub into DFG
2920         https://bugs.webkit.org/show_bug.cgi?id=186176
2921
2922         Reviewed by Yusuke Suzuki.
2923
2924         * stress/big-int-subtraction-jit.js:
2925         * stress/value-sub-big-int-prediction-propagation.js: Added.
2926         * stress/value-sub-big-int-untyped.js: Added.
2927
2928 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2929
2930         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2931         https://bugs.webkit.org/show_bug.cgi?id=190611
2932
2933         Reviewed by Saam Barati.
2934
2935         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2936         to improve test runtime. On ARM/MIPS this test even timed out when running all
2937         tests.
2938
2939         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2940         (test):
2941
2942 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2943
2944         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2945
2946         Unreviewed gardening.
2947
2948         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2949
2950 2018-10-15  Saam barati  <sbarati@apple.com>
2951
2952         Emit fjcvtzs on ARM64E on Darwin
2953         https://bugs.webkit.org/show_bug.cgi?id=184023
2954
2955         Reviewed by Yusuke Suzuki and Filip Pizlo.
2956
2957         * stress/double-to-int32-NaN.js: Added.
2958         (assert):
2959         (foo):
2960
2961 2018-10-15  Saam Barati  <sbarati@apple.com>
2962
2963         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2964         https://bugs.webkit.org/show_bug.cgi?id=190262
2965         <rdar://problem/44986241>
2966
2967         Reviewed by Mark Lam.
2968
2969         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2970         (test):
2971         * stress/slice-array-storage-with-holes.js: Added.
2972         (main):
2973
2974 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2975
2976         Unreviewed, rolling out r237054.
2977         https://bugs.webkit.org/show_bug.cgi?id=190593
2978
2979         "this regressed JetStream 2 by 6% on iOS" (Requested by
2980         saamyjoon on #webkit).
2981
2982         Reverted changeset:
2983
2984         "[JSC] JSC should have "parseFunction" to optimize Function
2985         constructor"
2986         https://bugs.webkit.org/show_bug.cgi?id=190340
2987         https://trac.webkit.org/changeset/237054
2988
2989 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2990
2991         [JSC] JSON.stringify can accept call-with-no-arguments
2992         https://bugs.webkit.org/show_bug.cgi?id=190343
2993
2994         Reviewed by Mark Lam.
2995
2996         * stress/json-stringify-no-arguments.js: Added.
2997         (shouldBe):
2998
2999 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3000
3001         [JSC] JSC should have "parseFunction" to optimize Function constructor
3002         https://bugs.webkit.org/show_bug.cgi?id=190340
3003
3004         Reviewed by Mark Lam.
3005
3006         This patch fixes the line number of syntax errors raised by the Function constructor,
3007         since we now parse the final code only once. And we no longer use block statement
3008         for Function constructor's parsing.
3009
3010         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3011         * stress/function-cache-with-parameters-end-position.js: Added.
3012         (shouldBe):
3013         (shouldThrow):
3014         (i.anonymous):
3015         * stress/function-constructor-name.js: Added.
3016         (shouldBe):
3017         (GeneratorFunction):
3018         (AsyncFunction.async):
3019         (AsyncGeneratorFunction.async):
3020         (anonymous):
3021         (async.anonymous):
3022         * test262/expectations.yaml:
3023
3024 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3025
3026         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3027         https://bugs.webkit.org/show_bug.cgi?id=190426
3028
3029         Unreviewed gardening.
3030
3031         * stress/sampling-profiler-richards.js:
3032
3033 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3034
3035         [ESNext][BigInt] Implement support for "|"
3036         https://bugs.webkit.org/show_bug.cgi?id=186229
3037
3038         Reviewed by Yusuke Suzuki.
3039
3040         * stress/big-int-bitwise-and-jit.js:
3041         * stress/big-int-bitwise-or-general.js: Added.
3042         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3043         * stress/big-int-bitwise-or-jit.js: Added.
3044         * stress/big-int-bitwise-or-memory-stress.js: Added.
3045         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3046         * stress/big-int-bitwise-or-type-error.js: Added.
3047         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3048
3049 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3050
3051         Skip test on systems with limited memory
3052         https://bugs.webkit.org/show_bug.cgi?id=190310
3053
3054         Invoking runDefault adds test to runlist, skipping the test in the next
3055         line does not prevent the test from executing. Change order of lines such
3056         that runDefault is only executed if test is not executed.
3057
3058         Reviewed by Mark Lam.
3059
3060         * stress/regress-190187.js:
3061
3062 2018-10-03  Saam barati  <sbarati@apple.com>
3063
3064         lowXYZ in FTLLower should always filter the type of the incoming edge
3065         https://bugs.webkit.org/show_bug.cgi?id=189939
3066         <rdar://problem/44407030>
3067
3068         Reviewed by Michael Saboff.
3069
3070         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3071         (foo):
3072         (test):
3073
3074 2018-10-03  Mark Lam  <mark.lam@apple.com>
3075
3076         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3077         https://bugs.webkit.org/show_bug.cgi?id=190187
3078         <rdar://problem/42512909>
3079
3080         Reviewed by Michael Saboff.
3081
3082         * stress/regress-190187.js: Added.
3083
3084 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3085
3086         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3087         https://bugs.webkit.org/show_bug.cgi?id=190033
3088
3089         Reviewed by Yusuke Suzuki.
3090
3091         * stress/big-int-to-string.js:
3092
3093 2018-10-01  Mark Lam  <mark.lam@apple.com>
3094
3095         Function.toString() should also copy the source code Functions that are class definitions.
3096         https://bugs.webkit.org/show_bug.cgi?id=190186
3097         <rdar://problem/44733360>
3098
3099         Reviewed by Saam Barati.
3100
3101         * stress/regress-190186.js: Added.
3102
3103 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3104
3105         Split NaN-check into separate test
3106         https://bugs.webkit.org/show_bug.cgi?id=190010
3107
3108         Reviewed by Saam Barati.
3109
3110         DataView exposes NaN-representation, which is not necessarily the same on each
3111         architecture. Therefore move the check of the NaN-representation into its own
3112         file such that we can disable this test on MIPS where NaN-representation can be
3113         different on older CPUs.
3114
3115         * stress/dataview-jit-set-nan.js: Added.
3116         (assert):
3117         (test.storeLittleEndian):
3118         (test.storeBigEndian):
3119         (test.store):
3120         (test):
3121         * stress/dataview-jit-set.js:
3122         (test5):
3123
3124 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3125
3126         Unreviewed, rolling out r236647.
3127         https://bugs.webkit.org/show_bug.cgi?id=190124
3128
3129         Breaking test stress/big-int-to-string.js (Requested by
3130         caiolima_ on #webkit).
3131
3132         Reverted changeset:
3133
3134         "[BigInt] BigInt.proptotype.toString is broken when radix is
3135         power of 2"
3136         https://bugs.webkit.org/show_bug.cgi?id=190033
3137         https://trac.webkit.org/changeset/236647
3138
3139 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3140
3141         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3142         https://bugs.webkit.org/show_bug.cgi?id=190033
3143
3144         Reviewed by Yusuke Suzuki.
3145
3146         * stress/big-int-to-string.js:
3147
3148 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3149
3150         [ESNext][BigInt] Implement support for "&"
3151         https://bugs.webkit.org/show_bug.cgi?id=186228
3152
3153         Reviewed by Yusuke Suzuki.
3154
3155         * stress/big-int-bitwise-and-general.js: Added.
3156         (assert):
3157         (assert.sameValue):
3158         * stress/big-int-bitwise-and-jit.js: Added.
3159         (let.assert.sameValue):
3160         (bigIntBitAnd):
3161         * stress/big-int-bitwise-and-memory-stress.js: Added.
3162         (assert):
3163         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3164         (assert.sameValue):
3165         (let.o.Symbol.toPrimitive):
3166         (catch):
3167         * stress/big-int-bitwise-and-type-error.js: Added.
3168         (assert):
3169         (assertThrowTypeError):
3170         (let.o.valueOf):
3171         (o.valueOf):
3172         (o.toString):
3173         (o.Symbol.toPrimitive):
3174         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3175         (assert.sameValue):
3176         (testBitAnd):
3177         (let.o.Symbol.toPrimitive):
3178         (o.valueOf):
3179         (o.toString):
3180
3181 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3182
3183         JSC test stress/jsc-read.js doesn't support CRLF
3184         https://bugs.webkit.org/show_bug.cgi?id=190063
3185
3186         Reviewed by Yusuke Suzuki.
3187
3188         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3189
3190         * stress/jsc-read.js:
3191         (test):
3192
3193 2018-09-27  Saam barati  <sbarati@apple.com>
3194
3195         Verify the contents of AssemblerBuffer on arm64e
3196         https://bugs.webkit.org/show_bug.cgi?id=190057
3197         <rdar://problem/38916630>
3198
3199         Reviewed by Mark Lam.
3200
3201         * stress/regress-189132.js:
3202
3203 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3204
3205         Disable test without LLInt on ARMv7
3206         https://bugs.webkit.org/show_bug.cgi?id=190037
3207
3208         Reviewed by Mark Lam.
3209
3210         Test runs out of executable memory on ARMv7, do not run
3211         this test without LLInt enabled.
3212
3213         * stress/regress-169445.js:
3214
3215 2018-09-26  Keith Miller  <keith_miller@apple.com>
3216
3217         We should zero unused property storage when rebalancing array storage.
3218         https://bugs.webkit.org/show_bug.cgi?id=188151
3219
3220         Reviewed by Michael Saboff.
3221
3222         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3223
3224 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3225
3226         [JSC] Optimize Array#lastIndexOf
3227         https://bugs.webkit.org/show_bug.cgi?id=189780
3228
3229         Reviewed by Saam Barati.
3230
3231         * stress/array-lastindexof-array-prototype-trap.js: Added.
3232         (shouldBe):
3233         (AncestorArray.prototype.get 2):
3234         (AncestorArray):
3235         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3236         (shouldBe):
3237         * stress/array-lastindexof-hole-nan.js: Added.
3238         (shouldBe):
3239         (throw.new.Error):
3240         * stress/array-lastindexof-infinity.js: Added.
3241         (shouldBe):
3242         (throw.new.Error):
3243         * stress/array-lastindexof-negative-zero.js: Added.
3244         (shouldBe):
3245         (throw.new.Error):
3246         * stress/array-lastindexof-own-getter.js: Added.
3247         (shouldBe):
3248         (throw.new.Error.get array):
3249         (get array):
3250         * stress/array-lastindexof-prototype-trap.js: Added.
3251         (shouldBe):
3252         (DerivedArray.prototype.get 2):
3253         (DerivedArray):
3254
3255 2018-09-25  Saam Barati  <sbarati@apple.com>
3256
3257         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3258         https://bugs.webkit.org/show_bug.cgi?id=189940
3259         <rdar://problem/43640987>
3260
3261         Reviewed by Mark Lam.
3262
3263         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3264
3265 2018-09-24  Saam Barati  <sbarati@apple.com>
3266
3267         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3268         https://bugs.webkit.org/show_bug.cgi?id=189922
3269         <rdar://problem/44651275>
3270
3271         Reviewed by Mark Lam.
3272
3273         * stress/array-indexof-fast-path-effects.js: Added.
3274         * stress/array-indexof-cached-length.js: Added.
3275
3276 2018-09-24  Saam barati  <sbarati@apple.com>
3277
3278         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3279         https://bugs.webkit.org/show_bug.cgi?id=189682
3280         <rdar://problem/43557315>
3281
3282         Reviewed by Mark Lam.
3283
3284         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3285         (foo):
3286
3287 2018-09-22  Saam barati  <sbarati@apple.com>
3288
3289         The sampling should not use Strong<CodeBlock> in its machineLocation field
3290         https://bugs.webkit.org/show_bug.cgi?id=189319
3291
3292         Reviewed by Filip Pizlo.
3293
3294         * stress/sampling-profiler-richards.js: Added.
3295
3296 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3297
3298         [JSC] Optimize Array#indexOf in C++ runtime
3299         https://bugs.webkit.org/show_bug.cgi?id=189507
3300
3301         Reviewed by Saam Barati.
3302
3303         * stress/array-indexof-array-prototype-trap.js: Added.
3304         (shouldBe):
3305         (AncestorArray.prototype.get 2):
3306         (AncestorArray):
3307         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3308         (shouldBe):
3309         * stress/array-indexof-hole-nan.js: Added.
3310         (shouldBe):
3311         (throw.new.Error):
3312         * stress/array-indexof-infinity.js: Added.
3313         (shouldBe):
3314         (throw.new.Error):
3315         * stress/array-indexof-negative-zero.js: Added.
3316         (shouldBe):
3317         (throw.new.Error):
3318         * stress/array-indexof-own-getter.js: Added.
3319         (shouldBe):
3320         (throw.new.Error.get array):
3321         (get array):
3322         * stress/array-indexof-prototype-trap.js: Added.
3323         (shouldBe):
3324         (DerivedArray.prototype.get 2):
3325         (DerivedArray):
3326
3327 2018-09-19  Saam barati  <sbarati@apple.com>
3328
3329         AI rule for MultiPutByOffset executes its effects in the wrong order
3330         https://bugs.webkit.org/show_bug.cgi?id=189757
3331         <rdar://problem/43535257>
3332
3333         Reviewed by Michael Saboff.
3334
3335         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3336         (foo):
3337         (Foo):
3338         (g):
3339
3340 2018-09-17  Mark Lam  <mark.lam@apple.com>
3341
3342         Ensure that ForInContexts are invalidated if their loop local is over-written.
3343         https://bugs.webkit.org/show_bug.cgi?id=189571
3344         <rdar://problem/44402277>
3345
3346         Reviewed by Saam Barati.
3347
3348         * stress/regress-189571.js: Added.
3349
3350 2018-09-17  Saam barati  <sbarati@apple.com>
3351
3352         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3353         https://bugs.webkit.org/show_bug.cgi?id=189676
3354         <rdar://problem/39682897>
3355
3356         Reviewed by Michael Saboff.
3357
3358         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3359         (A):
3360         (K):
3361         (i.catch):
3362
3363 2018-09-14  Saam barati  <sbarati@apple.com>
3364
3365         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3366         https://bugs.webkit.org/show_bug.cgi?id=189628
3367         <rdar://problem/39481690>
3368
3369         Reviewed by Mark Lam.
3370
3371         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3372         (foo):
3373
3374 2018-09-11  Mark Lam  <mark.lam@apple.com>
3375
3376         Test for array initialization in arrayProtoFuncSplice.
3377         https://bugs.webkit.org/show_bug.cgi?id=170253
3378         <rdar://problem/31328773>
3379
3380         Rubber-stamped by Saam Barati.
3381
3382         * stress/regress-170253.js: Added.
3383
3384 2018-09-11  Mark Lam  <mark.lam@apple.com>
3385
3386         Test for IntlObject initialization.
3387         https://bugs.webkit.org/show_bug.cgi?id=170251
3388         <rdar://problem/31328419>
3389
3390         Rubber-stamped by Saam Barati.
3391
3392         * stress/regress-170251.js: Added.
3393
3394 2018-09-11  Mark Lam  <mark.lam@apple.com>
3395
3396         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3397         https://bugs.webkit.org/show_bug.cgi?id=169889
3398         <rdar://problem/31155607>
3399
3400         Reviewed by Saam Barati.
3401
3402         * stress/regress-169889-array-concat.js: Added.
3403         * stress/regress-169889-array-concat1.js: Added.
3404         * stress/regress-169889-array-slice.js: Added.
3405
3406 2018-09-11  Mark Lam  <mark.lam@apple.com>
3407
3408         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3409         https://bugs.webkit.org/show_bug.cgi?id=169445
3410         <rdar://problem/30957435>
3411
3412         Reviewed by Saam Barati.
3413
3414         * stress/regress-169445.js: Added.
3415         (let.gun.eval.A):
3416         (let.gun.eval.B.C):
3417         (let.gun.eval.B.C.prototype.trigger):
3418         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3419         (let.gun.eval.B):
3420         (let.gun.eval):
3421
3422 == Rolled over to ChangeLog-2018-09-11 ==