[WebKit-https.git] / JSTests / ChangeLog
2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Reviewed by Yusuke Suzuki.

        * stress/object-keys-osr-exit.js: Added.
        (foo):
        (catch):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
        (testUncheckedLessThanZero):
        (testUncheckedLessThanOrEqualZero):
        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r240220 due to date-format-xparb regression
        https://bugs.webkit.org/show_bug.cgi?id=193603

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.

2019-01-21  Caio Lima  <ticaiolima@gmail.com>

        DoesGC rule is wrong for nodes with BigIntUse
        https://bugs.webkit.org/show_bug.cgi?id=193652

        Reviewed by Saam Barati.

        * stress/big-int-value-op-update-gc-rules.js: Added.
        (assert):
        (doesGCAdd):
        (doesGCSub):
        (doesGCDiv):
        (doesGCMul):
        (doesGCBitAnd):
        (doesGCBitOr):
        (doesGCBitXor):

2019-01-20  Saam Barati  <sbarati@apple.com>

        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
        https://bugs.webkit.org/show_bug.cgi?id=193644
        <rdar://problem/46209745>

        Reviewed by Yusuke Suzuki.

        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
        (foo):
        * stress/data-view-set-intrinsic-undefined-result.js: Added.
        (foo):
        (bar):

2019-01-20  Saam Barati  <sbarati@apple.com>

        MovHint must merge NodeBytecodeUsesAsValue for its child
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.

2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-17  Saam barati  <sbarati@apple.com>

        StringObjectUse should not be a structure check for the original string object structure
        https://bugs.webkit.org/show_bug.cgi?id=193483
        <rdar://problem/47280522>

        Reviewed by Yusuke Suzuki.

        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
        (foo):
        (a.valueOf.0):

2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] ToThis omission in DFGByteCodeParser is wrong
        https://bugs.webkit.org/show_bug.cgi?id=193513
        <rdar://problem/45842236>

        Reviewed by Saam Barati.

        * stress/to-this-omission-with-different-strict-modes.js: Added.
        (thisA):
        (thisAStrictWrapper):

2019-01-15  Mark Lam  <mark.lam@apple.com>

        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
        https://bugs.webkit.org/show_bug.cgi?id=193423
        <rdar://problem/46209355>

        Reviewed by Saam Barati.

        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
        https://bugs.webkit.org/show_bug.cgi?id=193438
        <rdar://problem/45581249>

        Reviewed by Saam Barati and Keith Miller.

        Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
        Then, GetByVal(String) crashed.

        * stress/string-get-by-val-lowering.js: Added.
        (shouldBe):
        (test):
        * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
        (Hello):
        (foo):

2019-01-15  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip JIT tests if it's not enabled

        * stress/bit-op-with-object-returning-int32.js:

2019-01-15  Caio Lima  <ticaiolima@gmail.com>

        DFGByteCodeParser rules for bitwise operations should consider type of their operands
        https://bugs.webkit.org/show_bug.cgi?id=192966

        Reviewed by Yusuke Suzuki.

        * stress/bit-op-with-object-returning-int32.js: Added.

2019-01-15  Guillaume Emont  <guijemont@igalia.com>

        Skip a slow test and a flakey test on arm

        Unreviewed gardening.

        * typeProfiler/getter-richards.js:
        this test always times out, it used to be always skipped on arm and
        mips, but got accidentally enabled by r237919 now that we have DFG on
        arm. Also skipping on mips as we plan to soon enable DFG for it too.

2019-01-14  Keith Miller  <keith_miller@apple.com>

        Skip type-check-hoisting-phase-hoist... with no jit
        https://bugs.webkit.org/show_bug.cgi?id=193421

        Reviewed by Mark Lam.

        It's timing out the 32-bit bots and takes 330 seconds
        on my machine when run by itself.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] AI should check the given constant's array type when folding GetByVal into constant
        https://bugs.webkit.org/show_bug.cgi?id=193413
        <rdar://problem/46092389>

        Reviewed by Keith Miller.

        This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
        It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
        without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
        but GetByVal does not have appropriate ArrayModes, JSC crashes.

        * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
        (compareArray):

2019-01-14  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Literal parsing is crashing when used inside a Object Literal
        https://bugs.webkit.org/show_bug.cgi?id=193404

        Reviewed by Yusuke Suzuki.

        * stress/big-int-literal-inside-literal-object.js: Added.

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
        https://bugs.webkit.org/show_bug.cgi?id=193372

        Reviewed by Saam Barati.

        * stress/typed-array-array-modes-profile.js: Added.
        (foo):

2019-01-14  Mark Lam  <mark.lam@apple.com>

        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
        https://bugs.webkit.org/show_bug.cgi?id=193402
        <rdar://problem/46012309>

        Reviewed by Keith Miller.

        * stress/regexp-compile-oom.js:
        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
          is enabled.  As a result, it will fail on cloop builds though there is no bug.

2019-01-11  Saam barati  <sbarati@apple.com>

        DFG combined liveness can be wrong for terminal basic blocks
        https://bugs.webkit.org/show_bug.cgi?id=193304
        <rdar://problem/45268632>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.

2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
        https://bugs.webkit.org/show_bug.cgi?id=193308
        <rdar://problem/45546542>

        Reviewed by Saam Barati.

        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):

2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239825.
        https://bugs.webkit.org/show_bug.cgi?id=193330

        Broke tests on armv7/linux bots (Requested by guijemont on
        #webkit).

        Reverted changeset:

        "Enable DFG on ARM/Linux again"
        https://bugs.webkit.org/show_bug.cgi?id=192496
        https://trac.webkit.org/changeset/239825

2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=193127

        Reviewed by Saam Barati.

        * stress/array-species-create-should-handle-masquerader.js: Added.
        (shouldThrow):
        * stress/is-undefined-or-null-builtin.js: Added.
        (shouldBe):
        (isUndefinedOrNull.vm.createBuiltin):

2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>

        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
        https://bugs.webkit.org/show_bug.cgi?id=193221

        Reviewed by Mark Lam.

        * stress/put-by-id-flags.js: Added.
        (f):
        (g):
        (numberOfDFGCompiles):

2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>

        Baseline version of get_by_id may corrupt metadata
        https://bugs.webkit.org/show_bug.cgi?id=193085
        <rdar://problem/23453006>

        Reviewed by Saam Barati.

        * stress/get-by-id-change-mode.js: Added.
        (forEach):

2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.prototype.toString
        https://bugs.webkit.org/show_bug.cgi?id=193031

        Reviewed by Saam Barati.

        * stress/object-tostring-changed-proto.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-misc.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/object-tostring-other.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-untyped.js: Added.
        (shouldBe):
        (test):
        (i.switch):

2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>

        test262-runner misbehaves when test file YAML has a trailing space
        https://bugs.webkit.org/show_bug.cgi?id=193053

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml:
        Mark two dozen tests as passing (and correct the output of another).

2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, JSTests gardening with memoryLimited

        * stress/string-overflow-createError.js:

2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
        https://bugs.webkit.org/show_bug.cgi?id=193050

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 16 tests as passing.

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Support BigInt in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=192624

        Reviewed by Saam Barati.

        * stress/big-int-json-stringify-to-json.js: Added.
        (shouldBe):
        (shouldThrow):
        (BigInt.prototype.toJSON):
        (shouldBe.JSON.stringify):
        * stress/big-int-json-stringify.js: Added.
        (shouldBe):
        (shouldThrow):

2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Implement "well-formed JSON.stringify" proposal
        https://bugs.webkit.org/show_bug.cgi?id=191677

        Reviewed by Darin Adler.

        * stress/json-surrogate-pair.js: Added.
        (shouldBe):
        * test262/expectations.yaml:

2018-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for globalThis
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Mark Lam.

        * test262/config.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 configuration to not run tests dependent on ICU version.
        https://bugs.webkit.org/show_bug.cgi?id=192920

        Reviewed by Saam Barati.

        * test262/expectations.yaml:

2018-12-20  Mark Lam  <mark.lam@apple.com>

        Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
        https://bugs.webkit.org/show_bug.cgi?id=192939
        <rdar://problem/46869516>

        Reviewed by Keith Miller.

        * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.

2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>

        WTF::String and StringImpl overflow MaxLength
        https://bugs.webkit.org/show_bug.cgi?id=192853
        <rdar://problem/45726906>

        Reviewed by Mark Lam.

        * stress/string-16bit-repeat-overflow.js: Added.
        (catch):

2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r192914.

        * test262/expectations.yaml:
        Add the last 20 missing expectations.

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Fix test262 expectations
        https://bugs.webkit.org/show_bug.cgi?id=192914

        Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.

        * test262/expectations.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=192907

        Rubber stamped by Mark Lam.

        * test262/*: Omitted because prepare-changelog crashes.

2018-12-19  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
        https://bugs.webkit.org/show_bug.cgi?id=192464
        <rdar://problem/46519455>

        Reviewed by Saam Barati.

        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
        microbenchmark.

        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>

        String overflow in JSC::createError results in ASSERT in WTF::makeString
        https://bugs.webkit.org/show_bug.cgi?id=192833
        <rdar://problem/45706868>

        Reviewed by Mark Lam.

        * stress/string-overflow-createError.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Error message for `-x ** y` contains a typo.
        https://bugs.webkit.org/show_bug.cgi?id=192832

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/pow-expects-update-expression-on-lhs.js:
        (throw.new.Error):
        Update test expectations which match against the exact error message.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Gardening: test options fix.
        https://bugs.webkit.org/show_bug.cgi?id=192822

        Unreviewed.

        * stress/json-stringify-string-builder-overflow.js:

2018-12-18  Mark Lam  <mark.lam@apple.com>

        JSON.stringify() should throw OOM on StringBuilder overflows.
        https://bugs.webkit.org/show_bug.cgi?id=192822
        <rdar://problem/46670577>

        Reviewed by Saam Barati.

        * stress/json-stringify-string-builder-overflow.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Redeclaration of var over let/const/class should be a syntax error.
        https://bugs.webkit.org/show_bug.cgi?id=192298

        Reviewed by Keith Miller.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 46 tests as passing.

        * stress/block-scope-redeclarations.js:
        Add some new tests.

        * stress/for-in-invalidate-context-weird-assignments.js:
        * stress/for-in-tests.js:
        Replace tests for outdated behavior with tests for SyntaxError.

        * ChakraCore/test/LetConst/defer3.baseline-jsc:
        * ChakraCore/test/LetConst/letvar.baseline-jsc:
        Update expectations.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191374
        <rdar://problem/46525447>

        Reviewed by Yusuke Suzuki.

        This test runs too slow on 32-bit, and is not relevant for non-JIT builds.

        * stress/elidable-new-object-roflcopter-then-exit.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=192019
        <rdar://problem/46525456>

        Reviewed by Yusuke Suzuki.

        The test runs too slow on 32-bit.

        * stress/materialized-regexp-has-correct-last-index-set-by-match.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191373
        <rdar://problem/46525458>

        Reviewed by Yusuke Suzuki.

        The test is already slow running with a JIT on 64-bit.  It will always timeout
        on 32-bit without a JIT.

        * stress/materialize-regexp-cyclic-regexp.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Array unshift/shift should not race against the AI in the compiler thread.
        https://bugs.webkit.org/show_bug.cgi?id=192795
        <rdar://problem/46724263>

        Reviewed by Saam Barati.

        * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.

2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Saam Barati.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-17  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
        https://bugs.webkit.org/show_bug.cgi?id=192779
        <rdar://problem/46775869>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, address a syntax error in a new test.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
        https://bugs.webkit.org/show_bug.cgi?id=192776
        <rdar://problem/46772368>

        Reviewed by Keith Miller.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
        https://bugs.webkit.org/show_bug.cgi?id=192770
        <rdar://problem/46449037>

        Reviewed by Keith Miller.

        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

2018-12-14  Mark Lam  <mark.lam@apple.com>

        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
        https://bugs.webkit.org/show_bug.cgi?id=192717
        <rdar://problem/46660677>

        Reviewed by Saam Barati.

        * stress/regress-192717.js: Added.

2018-12-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239153, r239154, and r239155.
        https://bugs.webkit.org/show_bug.cgi?id=192715

        Caused flaky GC-related crashes seen with layout tests
        (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "[JSC] Optimize Object.keys by caching own keys results in
        StructureRareData"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239153

        "Unreviewed, build fix after r239153"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239154

        "Unreviewed, build fix after r239153, part 2"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239155

2018-12-14  Keith Miller  <keith_miller@apple.com>
919
920         Callers of JSString::getIndex should check for OOM exceptions
921         https://bugs.webkit.org/show_bug.cgi?id=192709
922
923         Reviewed by Mark Lam.
924
925         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
926
927 2018-12-13  Mark Lam  <mark.lam@apple.com>
928
929         Add a missing exception check.
930         https://bugs.webkit.org/show_bug.cgi?id=192626
931         <rdar://problem/46662163>
932
933         Reviewed by Keith Miller.
934
935         * stress/regress-192626.js: Added.
936
937 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
938
939         [BigInt] Add ValueDiv into DFG
940         https://bugs.webkit.org/show_bug.cgi?id=186178
941
942         Reviewed by Yusuke Suzuki.
943
944         * stress/big-int-div-jit-osr.js: Added.
945         * stress/big-int-div-jit-untyped.js: Added.
946         * stress/value-div-fixup-int32-big-int.js: Added.
947
948 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
949
950         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
951         https://bugs.webkit.org/show_bug.cgi?id=190047
952
953         Reviewed by Keith Miller.
954
955         * stress/object-keys-cached-zero.js: Added.
956         (shouldBe):
957         (test):
958         * stress/object-keys-changed-attribute.js: Added.
959         (shouldBe):
960         (test):
961         * stress/object-keys-changed-index.js: Added.
962         (shouldBe):
963         (test):
964         * stress/object-keys-changed.js: Added.
965         (shouldBe):
966         (test):
967         * stress/object-keys-indexed-non-cache.js: Added.
968         (shouldBe):
969         (test):
970         * stress/object-keys-overrides-get-property-names.js: Added.
971         (shouldBe):
972         (test):
973         (noInline):
974
975 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
976
977         [DFG][FTL] Add NewSymbol
978         https://bugs.webkit.org/show_bug.cgi?id=192620
979
980         Reviewed by Saam Barati.
981
982         * microbenchmarks/symbol-creation.js: Added.
983         (test):
984         * stress/symbol-description-identity.js: Added.
985         (shouldBe):
986         (test):
987         * stress/symbol-identity.js: Added.
988         (shouldBe):
989         (test):
990         * stress/symbol-with-description-throw-error.js: Added.
991         (shouldBe):
992         (shouldThrow):
993         (test):
994         (object.toString):
995
996 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
997
998         [BigInt] Implement DFG/FTL typeof for BigInt
999         https://bugs.webkit.org/show_bug.cgi?id=192619
1000
1001         Reviewed by Keith Miller.
1002
1003         * stress/big-int-boolean-proven-type.js: Added.
1004         (assert):
1005         (bool):
1006         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1007         (assert):
1008         (typeOf):
1009         (i.switch):
1010         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1011         (assert):
1012         (typeOf):
1013         * stress/big-int-type-of.js:
1014         (typeOf):
1015         (func):
1016
1017 2018-12-10  Mark Lam  <mark.lam@apple.com>
1018
1019         PropertyAttribute needs a CustomValue bit.
1020         https://bugs.webkit.org/show_bug.cgi?id=191993
1021         <rdar://problem/46264467>
1022
1023         Reviewed by Saam Barati.
1024
1025         * stress/regress-191993.js: Added.
1026
1027 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1028
1029         [BigInt] Add ValueMul into DFG
1030         https://bugs.webkit.org/show_bug.cgi?id=186175
1031
1032         Reviewed by Yusuke Suzuki.
1033
1034         * stress/big-int-mul-jit-osr.js: Added.
1035         * stress/big-int-mul-jit-untyped.js: Added.
1036         * stress/value-mul-fixup-int32-big-int.js: Added.
1037
1038 2018-12-06  Keith Miller  <keith_miller@apple.com>
1039
1040         stress/big-wasm-memory tests failing on 32-bit JSC bot
1041         https://bugs.webkit.org/show_bug.cgi?id=192020
1042
1043         Reviewed by Saam Barati.
1044
1045         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1046         the wasm stress tests if the WebAssembly object does not exist.
1047
1048         * stress/big-wasm-memory-grow-no-max.js:
1049         (test.foo):
1050         (test):
1051         (foo): Deleted.
1052         (catch): Deleted.
1053         * stress/big-wasm-memory-grow.js:
1054         (test.foo):
1055         (test):
1056         (foo): Deleted.
1057         (catch): Deleted.
1058         * stress/big-wasm-memory.js:
1059         (test.foo):
1060         (test):
1061         (foo): Deleted.
1062         (catch): Deleted.
1063
1064 2018-12-05  Mark Lam  <mark.lam@apple.com>
1065
1066         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1067         https://bugs.webkit.org/show_bug.cgi?id=192441
1068         <rdar://problem/46480355>
1069
1070         Reviewed by Saam Barati.
1071
1072         * stress/regress-192441.js: Added.
1073
1074 2018-12-04  Mark Lam  <mark.lam@apple.com>
1075
1076         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1077         https://bugs.webkit.org/show_bug.cgi?id=192386
1078         <rdar://problem/46445516>
1079
1080         Reviewed by Saam Barati.
1081
1082         * stress/regress-192386.js: Added.
1083
1084 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1085
1086         [ESNext][BigInt] Support logic operations
1087         https://bugs.webkit.org/show_bug.cgi?id=179903
1088
1089         Reviewed by Yusuke Suzuki.
1090
1091         * stress/big-int-branch-usage.js: Added.
1092         * stress/big-int-logical-and.js: Added.
1093         * stress/big-int-logical-not.js: Added.
1094         * stress/big-int-logical-or.js: Added.
1095
1096 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1097
1098         Unreviewed, rolling out r238833.
1099
1100         Breaks macOS and iOS debug builds.
1101
1102         Reverted changeset:
1103
1104         "[ESNext][BigInt] Support logic operations"
1105         https://bugs.webkit.org/show_bug.cgi?id=179903
1106         https://trac.webkit.org/changeset/238833
1107
1108 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1109
1110         [ESNext][BigInt] Support logic operations
1111         https://bugs.webkit.org/show_bug.cgi?id=179903
1112
1113         Reviewed by Yusuke Suzuki.
1114
1115         * stress/big-int-branch-usage.js: Added.
1116         * stress/big-int-logical-and.js: Added.
1117         * stress/big-int-logical-not.js: Added.
1118         * stress/big-int-logical-or.js: Added.
1119
1120 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1121
1122         [ESNext][BigInt] Implement support for "<<" and ">>"
1123         https://bugs.webkit.org/show_bug.cgi?id=186233
1124
1125         Reviewed by Yusuke Suzuki.
1126
1127         * stress/big-int-left-shift-general.js: Added.
1128         * stress/big-int-left-shift-range-error.js: Added.
1129         * stress/big-int-left-shift-type-error.js: Added.
1130         * stress/big-int-left-shift-wrapped-value.js: Added.
1131         * stress/big-int-right-shift-general.js: Added.
1132         * stress/big-int-right-shift-type-error.js: Added.
1133         * stress/big-int-right-shift-wrapped-value.js: Added.
1134         * stress/left-shift-to-primitive-precedence.js: Added.
1135         * stress/right-shift-to-primitive-precedence.js: Added.
1136
1137 2018-11-30  Dean Jackson  <dino@apple.com>
1138
1139         Add first-class support for .mjs files in jsc binary
1140         https://bugs.webkit.org/show_bug.cgi?id=192190
1141         <rdar://problem/46375715>
1142
1143         Reviewed by Keith Miller.
1144
1145         * stress/simple-module.mjs: Added.
1146         * stress/simple-script.js: Added.
1147
1148 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1149
1150         [BigInt] Implement ValueBitXor into DFG
1151         https://bugs.webkit.org/show_bug.cgi?id=190264
1152
1153         Reviewed by Yusuke Suzuki.
1154
1155         * stress/big-int-bitwise-xor-jit.js: Added.
1156         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1157         * stress/big-int-bitwise-xor-untyped.js: Added.
1158
1159 2018-11-27  Saam barati  <sbarati@apple.com>
1160
1161         r238510 broke scopes of size zero
1162         https://bugs.webkit.org/show_bug.cgi?id=192033
1163         <rdar://problem/46281734>
1164
1165         Reviewed by Keith Miller.
1166
1167         * stress/r238510-bad-loop.js: Added.
1168         (foo):
1169
1170 2018-11-27  Mark Lam  <mark.lam@apple.com>
1171
1172         [Re-landing] NaNs read from Wasm code need to be purified.
1173         https://bugs.webkit.org/show_bug.cgi?id=191056
1174         <rdar://problem/45660341>
1175
1176         Reviewed by Filip Pizlo.
1177
1178         * wasm/regress/regress-191056.js: Added.
1179
1180 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1181
1182         Unreviewed, rolling out r238509.
1183
1184         Causes JSC tests to fail on iOS.
1185
1186         Reverted changeset:
1187
1188         "NaNs read from Wasm code need to be purified."
1189         https://bugs.webkit.org/show_bug.cgi?id=191056
1190         https://trac.webkit.org/changeset/238509
1191
1192 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1193
1194         Re-introduce op_bitnot
1195         https://bugs.webkit.org/show_bug.cgi?id=190923
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         * stress/bit-not-must-generate.js: Added.
1200         * stress/bitwise-not-no-int32.js: Added.
1201
1202 2018-11-26  Saam barati  <sbarati@apple.com>
1203
1204         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1205         https://bugs.webkit.org/show_bug.cgi?id=191956
1206         <rdar://problem/45665806>
1207
1208         Reviewed by Yusuke Suzuki.
1209
1210         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1211         (bar):
1212         (foo):
1213
1214 2018-11-26  Saam barati  <sbarati@apple.com>
1215
1216         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1217         https://bugs.webkit.org/show_bug.cgi?id=191958
1218         <rdar://problem/46221877>
1219
1220         Reviewed by Yusuke Suzuki.
1221
1222         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1223         (x):
1224         (foo):
1225
1226 2018-11-26  Mark Lam  <mark.lam@apple.com>
1227
1228         NaNs read from Wasm code need to be purified.
1229         https://bugs.webkit.org/show_bug.cgi?id=191056
1230         <rdar://problem/45660341>
1231
1232         Reviewed by Filip Pizlo.
1233
1234         * wasm/regress/regress-191056.js: Added.
1235
1236 2018-11-26  Michael Saboff  <msaboff@apple.com>
1237
1238         32-bit JSC test failure: stress/regexp-compile-oom.js
1239         https://bugs.webkit.org/show_bug.cgi?id=191375
1240
1241         Reviewed by Mark Lam.
1242
1243         Disabled the test for 32 bit platforms.
1244
1245         * stress/regexp-compile-oom.js:
1246
1247 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1248
1249         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1250         https://bugs.webkit.org/show_bug.cgi?id=191716
1251         <rdar://problem/45723878>
1252
1253         Reviewed by Saam Barati.
1254
1255         * stress/regress-187373.js: Added.
1256         (async.fn):
1257
1258 2018-11-21  Saam barati  <sbarati@apple.com>
1259
1260         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1261         https://bugs.webkit.org/show_bug.cgi?id=191897
1262         <rdar://problem/45871998>
1263
1264         Reviewed by Mark Lam.
1265
1266         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1267         (bar):
1268         (foo):
1269
1270 2018-11-21  Saam barati  <sbarati@apple.com>
1271
1272         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1273         https://bugs.webkit.org/show_bug.cgi?id=191895
1274         <rdar://problem/46167406>
1275
1276         Reviewed by Mark Lam.
1277
1278         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1279         (foo):
1280         (bar):
1281
1282 2018-11-21  Mark Lam  <mark.lam@apple.com>
1283
1284         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1285         https://bugs.webkit.org/show_bug.cgi?id=191776
1286         <rdar://problem/46152851>
1287
1288         Reviewed by Saam Barati.
1289
1290         * stress/big-wasm-memory-grow-no-max.js:
1291         * stress/big-wasm-memory-grow.js:
1292         * stress/big-wasm-memory.js:
1293         - updated these to expect an OutOfMemoryError.
1294
1295         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1296         (Binary.prototype.emit_u8):
1297         (Binary.prototype.emit_u32v):
1298         (Binary.prototype.emit_header):
1299         (Binary.prototype.emit_section):
1300         (Binary):
1301         (WasmModuleBuilder):
1302         (WasmModuleBuilder.prototype.addMemory):
1303         (WasmModuleBuilder.prototype.toArray):
1304         (WasmModuleBuilder.prototype.toBuffer):
1305         (WasmModuleBuilder.prototype.instantiate):
1306         (catch):
1307         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1308         (catch):
1309
1310 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1311
1312         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1313         https://bugs.webkit.org/show_bug.cgi?id=190836
1314
1315         Reviewed by Saam Barati and Yusuke Suzuki.
1316
1317         * stress/big-int-out-of-memory-tests.js: Added.
1318
1319 2018-11-20  Mark Lam  <mark.lam@apple.com>
1320
1321         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1322         https://bugs.webkit.org/show_bug.cgi?id=191856
1323         <rdar://problem/46089992>
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         * stress/regress-191856.js: Added.
1328         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1329
1330 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1331
1332         Enable JIT on ARM/Linux
1333         https://bugs.webkit.org/show_bug.cgi?id=191548
1334
1335         Reviewed by Yusuke Suzuki.
1336
1337         Disable test on system with limited memory. Program was killed by
1338         the OS before the exception was thrown.
1339
1340         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1341
1342 2018-11-20  Saam barati  <sbarati@apple.com>
1343
1344         Merging an IC variant may lead to the IC status containing overlapping structure sets
1345         https://bugs.webkit.org/show_bug.cgi?id=191869
1346         <rdar://problem/45403453>
1347
1348         Reviewed by Mark Lam.
1349
1350         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1351
1352 2018-11-19  Mark Lam  <mark.lam@apple.com>
1353
1354         globalFuncImportModule() should return a promise when it clears exceptions.
1355         https://bugs.webkit.org/show_bug.cgi?id=191792
1356         <rdar://problem/46090763>
1357
1358         Reviewed by Michael Saboff.
1359
1360         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1361
1362 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1363
1364         Skip new memory-hungry tests on memory limited devices
1365
1366         Unreviewed gardening.
1367
1368         * stress/big-wasm-memory-grow-no-max.js:
1369         * stress/big-wasm-memory-grow.js:
1370         * stress/big-wasm-memory.js:
1371
1372 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1373
1374         Unreviewed, rolling in the rest of r237254
1375         https://bugs.webkit.org/show_bug.cgi?id=190340
1376
1377         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1378         * stress/function-cache-with-parameters-end-position.js: Added.
1379         (shouldBe):
1380         (shouldThrow):
1381         (i.anonymous):
1382         * stress/function-constructor-name.js: Added.
1383         (shouldBe):
1384         (GeneratorFunction):
1385         (AsyncFunction.async):
1386         (AsyncGeneratorFunction.async):
1387         (anonymous):
1388         (async.anonymous):
1389         * test262/expectations.yaml:
1390
1391 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1392
1393         All users of ArrayBuffer should agree on the same max size
1394         https://bugs.webkit.org/show_bug.cgi?id=191771
1395
1396         Reviewed by Mark Lam.
1397
1398         * stress/big-wasm-memory-grow-no-max.js: Added.
1399         (foo):
1400         (catch):
1401         * stress/big-wasm-memory-grow.js: Added.
1402         (foo):
1403         (catch):
1404         * stress/big-wasm-memory.js: Added.
1405         (foo):
1406         (catch):
1407
1408 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1409
1410         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1411         run for each JSC config since they're regression tests for runtime bugs.
1412
1413         * stress/json-stringified-overflow-2.js:
1414         * stress/json-stringified-overflow.js:
1415
1416 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1417
1418         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1419         config since they're regression tests for runtime bugs.
1420
1421         * stress/large-unshift-splice.js:
1422         * stress/regress-185888.js:
1423
1424 2018-11-16  Saam Barati  <sbarati@apple.com>
1425
1426         KnownCellUse should also have SpecCellCheck as its type filter
1427         https://bugs.webkit.org/show_bug.cgi?id=191729
1428         <rdar://problem/45872852>
1429
1430         Reviewed by Filip Pizlo.
1431
1432         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1433         (C):
1434
1435 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1436
1437         Fix assertion failure on BytecodeGenerator::recordOpcode
1438         https://bugs.webkit.org/show_bug.cgi?id=191724
1439         <rdar://problem/45724395>
1440
1441         Reviewed by Saam Barati.
1442
1443         * stress/regress-187373-2.js: Added.
1444         (foo):
1445
1446 2018-11-15  Mark Lam  <mark.lam@apple.com>
1447
1448         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1449         https://bugs.webkit.org/show_bug.cgi?id=191730
1450         <rdar://problem/46048517>
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/regress-187006.js: Removed.
1455           - this test is invalid because its sole purpose is to test for the non-spec
1456             compliant behavior that we just fixed.
1457
1458         * stress/regress-191730.js: Added.
1459
1460 2018-11-15  Mark Lam  <mark.lam@apple.com>
1461
1462         RegExp operations should not take fast path if lastIndex is not numeric.
1463         https://bugs.webkit.org/show_bug.cgi?id=191731
1464         <rdar://problem/46017305>
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/regress-191731.js: Added.
1469
1470 2018-11-13  Saam Barati  <sbarati@apple.com>
1471
1472         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1473         https://bugs.webkit.org/show_bug.cgi?id=191600
1474
1475         Reviewed by Mark Lam.
1476
1477         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1478         (foo):
1479         (test):
1480         (bar):
1481
1482 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1483
1484         Unreviewed, rolling out r238132.
1485
1486         The test added with this change is timing out on Debug JSC
1487         bots.
1488
1489         Reverted changeset:
1490
1491         "[BigInt] JSBigInt::createWithLength should throw when length
1492         is greater than JSBigInt::maxLength"
1493         https://bugs.webkit.org/show_bug.cgi?id=190836
1494         https://trac.webkit.org/changeset/238132
1495
1496 2018-11-13  Mark Lam  <mark.lam@apple.com>
1497
1498         Add OOM detection to StringPrototype's substituteBackreferences().
1499         https://bugs.webkit.org/show_bug.cgi?id=191563
1500         <rdar://problem/45720428>
1501
1502         Reviewed by Saam Barati.
1503
1504         * stress/regress-191563.js: Added.
1505
1506 2018-11-13  Mark Lam  <mark.lam@apple.com>
1507
1508         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1509         https://bugs.webkit.org/show_bug.cgi?id=191579
1510         <rdar://problem/45942472>
1511
1512         Reviewed by Saam Barati.
1513
1514         * stress/regress-191579.js: Added.
1515
1516 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1517
1518         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1519         https://bugs.webkit.org/show_bug.cgi?id=190836
1520
1521         Reviewed by Saam Barati.
1522
1523         * stress/big-int-out-of-memory-tests.js: Added.
1524
1525 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1526
1527         U+180E is no longer a whitespace character
1528         https://bugs.webkit.org/show_bug.cgi?id=191415
1529
1530         Reviewed by Saam Barati.
1531
1532         * ChakraCore/test/es5/regexSpace.baseline:
1533         * ChakraCore/test/es6/unicode_whitespace.js:
1534         Update tests to latest version.
1535         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1536
1537         * test262.yaml:
1538         * test262/config.yaml:
1539         * test262/expectations.yaml:
1540         Update expectations.
1541
1542 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1543
1544         [BigInt] Add support to BigInt into ValueAdd
1545         https://bugs.webkit.org/show_bug.cgi?id=186177
1546
1547         Reviewed by Keith Miller.
1548
1549         * stress/big-int-negate-jit.js:
1550         * stress/value-add-big-int-and-string.js: Added.
1551         * stress/value-add-big-int-prediction-propagation.js: Added.
1552         * stress/value-add-big-int-untyped.js: Added.
1553
1554 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1555
1556         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1557         https://bugs.webkit.org/show_bug.cgi?id=191184
1558
1559         Reviewed by Saam Barati.
1560
1561         Most tests were failing due to timeouts, since they are too slow to
1562         run on CLoop. The exceptions are:
1563
1564         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1565         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1566         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1567         to change the stack size since CLoop requires it to be page aligned.
1568
1569         * microbenchmarks/array-push-1.js:
1570         * microbenchmarks/array-push-2.js:
1571         * microbenchmarks/elidable-new-object-dag.js:
1572         * microbenchmarks/elidable-new-object-roflcopter.js:
1573         * microbenchmarks/elidable-new-object-tree.js:
1574         * microbenchmarks/getter-richards.js:
1575         * microbenchmarks/sinkable-new-object-dag.js:
1576         * microbenchmarks/string-concat-long-convert.js:
1577         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1578         * slowMicrobenchmarks/array-push-3.js:
1579         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1580         * slowMicrobenchmarks/spread-small-array.js:
1581         * slowMicrobenchmarks/undefined-property-access.js:
1582         * stress/activation-sink-default-value-tdz-error.js:
1583         * stress/activation-sink-default-value.js:
1584         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1585         * stress/activation-sink-osrexit-default-value.js:
1586         * stress/activation-sink-osrexit.js:
1587         * stress/activation-sink.js:
1588         * stress/allow-math-ic-b3-code-duplication.js:
1589         * stress/array-push-multiple-int32.js:
1590         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1591         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1592         * stress/arrowfunction-lexical-this-activation-sink.js:
1593         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1594         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1595         * stress/elide-new-object-dag-then-exit.js:
1596         * stress/materialize-regexp-cyclic.js:
1597         * stress/new-regex-inline.js:
1598         * stress/op_add.js:
1599         * stress/op_bitand.js:
1600         * stress/op_bitor.js:
1601         * stress/op_bitxor.js:
1602         * stress/op_div-ConstVar.js:
1603         * stress/op_div-VarConst.js:
1604         * stress/op_div-VarVar.js:
1605         * stress/op_lshift-ConstVar.js:
1606         * stress/op_lshift-VarConst.js:
1607         * stress/op_lshift-VarVar.js:
1608         * stress/op_mod-ConstVar.js:
1609         * stress/op_mod-VarConst.js:
1610         * stress/op_mod-VarVar.js:
1611         * stress/op_mul-ConstVar.js:
1612         * stress/op_mul-VarConst.js:
1613         * stress/op_mul-VarVar.js:
1614         * stress/op_rshift-ConstVar.js:
1615         * stress/op_rshift-VarConst.js:
1616         * stress/op_rshift-VarVar.js:
1617         * stress/op_sub-ConstVar.js:
1618         * stress/op_sub-VarConst.js:
1619         * stress/op_sub-VarVar.js:
1620         * stress/op_urshift-ConstVar.js:
1621         * stress/op_urshift-VarConst.js:
1622         * stress/op_urshift-VarVar.js:
1623         * stress/proxy-get-set-correct-receiver.js:
1624         * stress/regress-179562.js:
1625         * stress/rest-parameter-many-arguments.js:
1626         * stress/sampling-profiler-richards.js:
1627         * stress/splay-flash-access-1ms.js:
1628         * stress/tailCallForwardArguments.js:
1629         * stress/typed-array-get-by-val-profiling.js:
1630         * typeProfiler/getter-richards.js:
1631
1632 2018-11-06  Michael Saboff  <msaboff@apple.com>
1633
1634         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1635         https://bugs.webkit.org/show_bug.cgi?id=191271
1636
1637         Reviewed by Saam Barati.
1638
1639         Added more test cases and made all test cases run with the same deeply recursive stack
1640         instead of finding that same point for each test case.
1641
1642         * stress/regexp-compile-oom.js:
1643         (prototype.runTest):
1644         (recurseAndTest):
1645         (testList.push.new.TestAndExpectedException):
1646
1647 2018-11-05  Michael Saboff  <msaboff@apple.com>
1648
1649         Unreviewed build fix for linux.
1650
1651         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1652
1653 2018-11-02  Michael Saboff  <msaboff@apple.com>
1654
1655         Rolling in r237753 with unreviewed build fix.
1656
1657         Fixed issues with DECLARE_THROW_SCOPE placement.
1658
1659 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1660
1661         Unreviewed, rolling out r237753.
1662
1663         Introduced JSC test failures
1664
1665         Reverted changeset:
1666
1667         "Running out of stack space not properly handled in
1668         RegExp::compile() and its callers"
1669         https://bugs.webkit.org/show_bug.cgi?id=191206
1670         https://trac.webkit.org/changeset/237753
1671
1672 2018-11-02  Michael Saboff  <msaboff@apple.com>
1673
1674         Running out of stack space not properly handled in RegExp::compile() and its callers
1675         https://bugs.webkit.org/show_bug.cgi?id=191206
1676
1677         Reviewed by Filip Pizlo.
1678
1679         New regression test.
1680
1681         * stress/regexp-compile-oom.js: Added.
1682         (recurseAndTest):
1683
1684 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1685
1686         Skip tests on arm/mips that time out now we're running on CLoop
1687
1688         Unreviewed gardening.
1689
1690         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1691         time out on the bots and need to be disabled. There are more tests
1692         disabled on arm because the timeout is longer on the mips bot (as the
1693         device is slower to start with), so many of the tests don't time out
1694         there.
1695
1696         * microbenchmarks/getter-richards.js: disable on arm and mips.
1697         * stress/op_add.js: disable on arm.
1698         * stress/op_bitand.js: disable on arm.
1699         * stress/op_bitor.js: disable on arm.
1700         * stress/op_bitxor.js: disable on arm.
1701         * stress/op_lshift-ConstVar.js: disable on arm.
1702         * stress/op_lshift-VarConst.js: disable on arm.
1703         * stress/op_lshift-VarVar.js: disable on arm.
1704         * stress/op_mod-ConstVar.js: disable on arm.
1705         * stress/op_mod-VarConst.js: disable on arm.
1706         * stress/op_mod-VarVar.js: disable on arm.
1707         * stress/op_mul-ConstVar.js: disable on arm.
1708         * stress/op_mul-VarConst.js: disable on arm.
1709         * stress/op_mul-VarVar.js: disable on arm.
1710         * stress/op_rshift-ConstVar.js: disable on arm.
1711         * stress/op_rshift-VarConst.js: disable on arm.
1712         * stress/op_rshift-VarVar.js: disable on arm.
1713         * stress/op_sub-ConstVar.js: disable on arm.
1714         * stress/op_sub-VarConst.js: disable on arm.
1715         * stress/op_sub-VarVar.js: disable on arm.
1716         * stress/op_urshift-ConstVar.js: disable on arm.
1717         * stress/op_urshift-VarConst.js: disable on arm.
1718         * stress/op_urshift-VarVar.js: disable on arm.
1719         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1720         * stress/value-to-boolean.js: disable on arm and mips.
1721
1722 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1723
1724         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1725         https://bugs.webkit.org/show_bug.cgi?id=191108
1726         <rdar://problem/45690700>
1727
1728         Reviewed by Saam Barati.
1729
1730         * stress/wide-op_catch.js: Added.
1731         (catch):
1732
1733 2018-10-29  Mark Lam  <mark.lam@apple.com>
1734
1735         Correctly detect string overflow when using the 'Function' constructor.
1736         https://bugs.webkit.org/show_bug.cgi?id=184883
1737         <rdar://problem/36320331>
1738
1739         Reviewed by Saam Barati.
1740
1741         I've verified that this passes on 32-bit as well.
1742
1743         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1744
1745 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1746
1747         Add support for GetStack FlushedDouble
1748         https://bugs.webkit.org/show_bug.cgi?id=191012
1749         <rdar://problem/45265141>
1750
1751         Reviewed by Saam Barati.
1752
1753         * stress/get-stack-double.js: Added.
1754         (bar):
1755         (noInline):
1756
1757 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1758
1759         New bytecode format for JSC
1760         https://bugs.webkit.org/show_bug.cgi?id=187373
1761         <rdar://problem/44186758>
1762
1763         Reviewed by Filip Pizlo.
1764
1765         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1766
1767         * stress/maximum-inline-capacity.js: Added.
1768         (test1):
1769         (test3.Foo):
1770         (test3):
1771
1772 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1773
1774         Unreviewed, rolling out r237479 and r237484.
1775         https://bugs.webkit.org/show_bug.cgi?id=190978
1776
1777         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1778
1779         Reverted changesets:
1780
1781         "New bytecode format for JSC"
1782         https://bugs.webkit.org/show_bug.cgi?id=187373
1783         https://trac.webkit.org/changeset/237479
1784
1785         "Gardening: Build fix after r237479."
1786         https://bugs.webkit.org/show_bug.cgi?id=187373
1787         https://trac.webkit.org/changeset/237484
1788
1789 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1790
1791         New bytecode format for JSC
1792         https://bugs.webkit.org/show_bug.cgi?id=187373
1793         <rdar://problem/44186758>
1794
1795         Reviewed by Filip Pizlo.
1796
1797         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1798
1799         * stress/maximum-inline-capacity.js: Added.
1800         (test1):
1801         (test3.Foo):
1802         (test3):
1803
1804 2018-10-26  Mark Lam  <mark.lam@apple.com>
1805
1806         Fix missing edge cases with JSGlobalObjects having a bad time.
1807         https://bugs.webkit.org/show_bug.cgi?id=189028
1808         <rdar://problem/45204939>
1809
1810         Reviewed by Saam Barati.
1811
1812         * stress/regress-189028.js: Added.
1813
1814 2018-10-22  Mark Lam  <mark.lam@apple.com>
1815
1816         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1817         https://bugs.webkit.org/show_bug.cgi?id=190515
1818         <rdar://problem/45222379>
1819
1820         Rubber-stamped by Saam Barati.
1821
1822         Adding another test.
1823
1824         * stress/regress-190515-2.js: Added.
1825
1826 2018-10-22  Mark Lam  <mark.lam@apple.com>
1827
1828         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1829         https://bugs.webkit.org/show_bug.cgi?id=190515
1830         <rdar://problem/45222379>
1831
1832         Reviewed by Saam Barati.
1833
1834         * stress/regress-190515.js: Added.
1835
1836 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1837
1838         Unreviewed, rolling out r237254.
1839         https://bugs.webkit.org/show_bug.cgi?id=190760
1840
1841         "It regresses JetStream 2 by 5% on some iOS devices"
1842         (Requested by saamyjoon on #webkit).
1843
1844         Reverted changeset:
1845
1846         "[JSC] JSC should have "parseFunction" to optimize Function
1847         constructor"
1848         https://bugs.webkit.org/show_bug.cgi?id=190340
1849         https://trac.webkit.org/changeset/237254
1850
1851 2018-10-19  Saam Barati  <sbarati@apple.com>
1852
1853         vmCall should check if we exit before emitting an OSR exit due to exceptions
1854         https://bugs.webkit.org/show_bug.cgi?id=190740
1855         <rdar://problem/45220139>
1856
1857         Reviewed by Mark Lam.
1858
1859         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1860         (foo):
1861
1862 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1863
1864         [ESNext][BigInt] Implement support for "^"
1865         https://bugs.webkit.org/show_bug.cgi?id=186235
1866
1867         Reviewed by Yusuke Suzuki.
1868
1869         * stress/big-int-bitwise-xor-general.js: Added.
1870         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1871         * stress/big-int-bitwise-xor-type-error.js: Added.
1872         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1873
1874 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1875
1876         [BigInt] Add ValueSub into DFG
1877         https://bugs.webkit.org/show_bug.cgi?id=186176
1878
1879         Reviewed by Yusuke Suzuki.
1880
1881         * stress/big-int-subtraction-jit.js:
1882         * stress/value-sub-big-int-prediction-propagation.js: Added.
1883         * stress/value-sub-big-int-untyped.js: Added.
1884         * stress/value-sub-spec-none-case.js: Added.
1885
1886 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1887
1888         [JSC] JSC should have "parseFunction" to optimize Function constructor
1889         https://bugs.webkit.org/show_bug.cgi?id=190340
1890
1891         Reviewed by Mark Lam.
1892
1893         This patch fixes the line number of syntax errors raised by the Function constructor,
1894         since we now parse the final code only once. And we no longer use block statement
1895         for Function constructor's parsing.
1896
1897         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1898         * stress/function-cache-with-parameters-end-position.js: Added.
1899         (shouldBe):
1900         (shouldThrow):
1901         (i.anonymous):
1902         * stress/function-constructor-name.js: Added.
1903         (shouldBe):
1904         (GeneratorFunction):
1905         (AsyncFunction.async):
1906         (AsyncGeneratorFunction.async):
1907         (anonymous):
1908         (async.anonymous):
1909         * test262/expectations.yaml:
1910
1911 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1912
1913         Unreviewed, rolling out r237242.
1914         https://bugs.webkit.org/show_bug.cgi?id=190701
1915
1916         it breaks "stress/sampling-profiler-basic.js" (Requested by
1917         caiolima on #webkit).
1918
1919         Reverted changeset:
1920
1921         "[BigInt] Add ValueSub into DFG"
1922         https://bugs.webkit.org/show_bug.cgi?id=186176
1923         https://trac.webkit.org/changeset/237242
1924
1925 2018-10-17  Keith Miller  <keith_miller@apple.com>
1926
1927         AI does not clear Phantom allocation nodes.
1928         https://bugs.webkit.org/show_bug.cgi?id=190694
1929
1930         Reviewed by Saam Barati.
1931
1932         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1933         (Day):
1934         (DaysInYear):
1935         (TimeInYear):
1936         (TimeFromYear):
1937         (DayFromYear):
1938         (InLeapYear):
1939         (YearFromTime):
1940         (WeekDay):
1941         (DaylightSavingTA):
1942         (GetSecondSundayInMarch):
1943         (TimeInMonth):
1944
1945 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1946
1947         [BigInt] Add ValueSub into DFG
1948         https://bugs.webkit.org/show_bug.cgi?id=186176
1949
1950         Reviewed by Yusuke Suzuki.
1951
1952         * stress/big-int-subtraction-jit.js:
1953         * stress/value-sub-big-int-prediction-propagation.js: Added.
1954         * stress/value-sub-big-int-untyped.js: Added.
1955
1956 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1957
1958         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1959         https://bugs.webkit.org/show_bug.cgi?id=190611
1960
1961         Reviewed by Saam Barati.
1962
1963         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1964         to improve test runtime. On ARM/MIPS this test even timed out when running all
1965         tests.
1966
1967         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1968         (test):
1969
1970 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1971
1972         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1973
1974         Unreviewed gardening.
1975
1976         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1977
1978 2018-10-15  Saam barati  <sbarati@apple.com>
1979
1980         Emit fjcvtzs on ARM64E on Darwin
1981         https://bugs.webkit.org/show_bug.cgi?id=184023
1982
1983         Reviewed by Yusuke Suzuki and Filip Pizlo.
1984
1985         * stress/double-to-int32-NaN.js: Added.
1986         (assert):
1987         (foo):
1988
1989 2018-10-15  Saam Barati  <sbarati@apple.com>
1990
1991         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1992         https://bugs.webkit.org/show_bug.cgi?id=190262
1993         <rdar://problem/44986241>
1994
1995         Reviewed by Mark Lam.
1996
1997         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1998         (test):
1999         * stress/slice-array-storage-with-holes.js: Added.
2000         (main):
2001
2002 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2003
2004         Unreviewed, rolling out r237054.
2005         https://bugs.webkit.org/show_bug.cgi?id=190593
2006
2007         "this regressed JetStream 2 by 6% on iOS" (Requested by
2008         saamyjoon on #webkit).
2009
2010         Reverted changeset:
2011
2012         "[JSC] JSC should have "parseFunction" to optimize Function
2013         constructor"
2014         https://bugs.webkit.org/show_bug.cgi?id=190340
2015         https://trac.webkit.org/changeset/237054
2016
2017 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2018
2019         [JSC] JSON.stringify can accept call-with-no-arguments
2020         https://bugs.webkit.org/show_bug.cgi?id=190343
2021
2022         Reviewed by Mark Lam.
2023
2024         * stress/json-stringify-no-arguments.js: Added.
2025         (shouldBe):
2026
2027 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2028
2029         [JSC] JSC should have "parseFunction" to optimize Function constructor
2030         https://bugs.webkit.org/show_bug.cgi?id=190340
2031
2032         Reviewed by Mark Lam.
2033
2034         This patch fixes the line number of syntax errors raised by the Function constructor,
2035         since we now parse the final code only once. And we no longer use block statement
2036         for Function constructor's parsing.
2037
2038         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2039         * stress/function-cache-with-parameters-end-position.js: Added.
2040         (shouldBe):
2041         (shouldThrow):
2042         (i.anonymous):
2043         * stress/function-constructor-name.js: Added.
2044         (shouldBe):
2045         (GeneratorFunction):
2046         (AsyncFunction.async):
2047         (AsyncGeneratorFunction.async):
2048         (anonymous):
2049         (async.anonymous):
2050         * test262/expectations.yaml:
2051
2052 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2053
2054         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2055         https://bugs.webkit.org/show_bug.cgi?id=190426
2056
2057         Unreviewed gardening.
2058
2059         * stress/sampling-profiler-richards.js:
2060
2061 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2062
2063         [ESNext][BigInt] Implement support for "|"
2064         https://bugs.webkit.org/show_bug.cgi?id=186229
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         * stress/big-int-bitwise-and-jit.js:
2069         * stress/big-int-bitwise-or-general.js: Added.
2070         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2071         * stress/big-int-bitwise-or-jit.js: Added.
2072         * stress/big-int-bitwise-or-memory-stress.js: Added.
2073         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2074         * stress/big-int-bitwise-or-type-error.js: Added.
2075         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2076
2077 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2078
2079         Skip test on systems with limited memory
2080         https://bugs.webkit.org/show_bug.cgi?id=190310
2081
2082         Invoking runDefault adds test to runlist; skipping the test in the next
2083         line does not prevent the test from executing. Change order of lines such
2084         that runDefault is only executed if test is not executed.
2085
2086         Reviewed by Mark Lam.
2087
2088         * stress/regress-190187.js:
2089
2090 2018-10-03  Saam barati  <sbarati@apple.com>
2091
2092         lowXYZ in FTLLower should always filter the type of the incoming edge
2093         https://bugs.webkit.org/show_bug.cgi?id=189939
2094         <rdar://problem/44407030>
2095
2096         Reviewed by Michael Saboff.
2097
2098         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2099         (foo):
2100         (test):
2101
2102 2018-10-03  Mark Lam  <mark.lam@apple.com>
2103
2104         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2105         https://bugs.webkit.org/show_bug.cgi?id=190187
2106         <rdar://problem/42512909>
2107
2108         Reviewed by Michael Saboff.
2109
2110         * stress/regress-190187.js: Added.
2111
2112 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2113
2114         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2115         https://bugs.webkit.org/show_bug.cgi?id=190033
2116
2117         Reviewed by Yusuke Suzuki.
2118
2119         * stress/big-int-to-string.js:
2120
2121 2018-10-01  Mark Lam  <mark.lam@apple.com>
2122
2123         Function.toString() should also copy the source code of Functions that are class definitions.
2124         https://bugs.webkit.org/show_bug.cgi?id=190186
2125         <rdar://problem/44733360>
2126
2127         Reviewed by Saam Barati.
2128
2129         * stress/regress-190186.js: Added.
2130
2131 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2132
2133         Split NaN-check into separate test
2134         https://bugs.webkit.org/show_bug.cgi?id=190010
2135
2136         Reviewed by Saam Barati.
2137
2138         DataView exposes NaN-representation, which is not necessarily the same on each
2139         architecture. Therefore move the check of the NaN-representation into its own
2140         file such that we can disable this test on MIPS where NaN-representation can be
2141         different on older CPUs.
2142
2143         * stress/dataview-jit-set-nan.js: Added.
2144         (assert):
2145         (test.storeLittleEndian):
2146         (test.storeBigEndian):
2147         (test.store):
2148         (test):
2149         * stress/dataview-jit-set.js:
2150         (test5):
2151
2152 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2153
2154         Unreviewed, rolling out r236647.
2155         https://bugs.webkit.org/show_bug.cgi?id=190124
2156
2157         Breaking test stress/big-int-to-string.js (Requested by
2158         caiolima_ on #webkit).
2159
2160         Reverted changeset:
2161
2162         "[BigInt] BigInt.prototype.toString is broken when radix is
2163         power of 2"
2164         https://bugs.webkit.org/show_bug.cgi?id=190033
2165         https://trac.webkit.org/changeset/236647
2166
2167 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2168
2169         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2170         https://bugs.webkit.org/show_bug.cgi?id=190033
2171
2172         Reviewed by Yusuke Suzuki.
2173
2174         * stress/big-int-to-string.js:
2175
2176 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2177
2178         [ESNext][BigInt] Implement support for "&"
2179         https://bugs.webkit.org/show_bug.cgi?id=186228
2180
2181         Reviewed by Yusuke Suzuki.
2182
2183         * stress/big-int-bitwise-and-general.js: Added.
2184         (assert):
2185         (assert.sameValue):
2186         * stress/big-int-bitwise-and-jit.js: Added.
2187         (let.assert.sameValue):
2188         (bigIntBitAnd):
2189         * stress/big-int-bitwise-and-memory-stress.js: Added.
2190         (assert):
2191         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2192         (assert.sameValue):
2193         (let.o.Symbol.toPrimitive):
2194         (catch):
2195         * stress/big-int-bitwise-and-type-error.js: Added.
2196         (assert):
2197         (assertThrowTypeError):
2198         (let.o.valueOf):
2199         (o.valueOf):
2200         (o.toString):
2201         (o.Symbol.toPrimitive):
2202         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2203         (assert.sameValue):
2204         (testBitAnd):
2205         (let.o.Symbol.toPrimitive):
2206         (o.valueOf):
2207         (o.toString):
2208
2209 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2210
2211         JSC test stress/jsc-read.js doesn't support CRLF
2212         https://bugs.webkit.org/show_bug.cgi?id=190063
2213
2214         Reviewed by Yusuke Suzuki.
2215
2216         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2217
2218         * stress/jsc-read.js:
2219         (test):
2220
2221 2018-09-27  Saam barati  <sbarati@apple.com>
2222
2223         Verify the contents of AssemblerBuffer on arm64e
2224         https://bugs.webkit.org/show_bug.cgi?id=190057
2225         <rdar://problem/38916630>
2226
2227         Reviewed by Mark Lam.
2228
2229         * stress/regress-189132.js:
2230
2231 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2232
2233         Disable test without LLInt on ARMv7
2234         https://bugs.webkit.org/show_bug.cgi?id=190037
2235
2236         Reviewed by Mark Lam.
2237
2238         Test runs out of executable memory on ARMv7; do not run
2239         this test without LLInt enabled.
2240
2241         * stress/regress-169445.js:
2242
2243 2018-09-26  Keith Miller  <keith_miller@apple.com>
2244
2245         We should zero unused property storage when rebalancing array storage.
2246         https://bugs.webkit.org/show_bug.cgi?id=188151
2247
2248         Reviewed by Michael Saboff.
2249
2250         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2251
2252 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2253
2254         [JSC] Optimize Array#lastIndexOf
2255         https://bugs.webkit.org/show_bug.cgi?id=189780
2256
2257         Reviewed by Saam Barati.
2258
2259         * stress/array-lastindexof-array-prototype-trap.js: Added.
2260         (shouldBe):
2261         (AncestorArray.prototype.get 2):
2262         (AncestorArray):
2263         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2264         (shouldBe):
2265         * stress/array-lastindexof-hole-nan.js: Added.
2266         (shouldBe):
2267         (throw.new.Error):
2268         * stress/array-lastindexof-infinity.js: Added.
2269         (shouldBe):
2270         (throw.new.Error):
2271         * stress/array-lastindexof-negative-zero.js: Added.
2272         (shouldBe):
2273         (throw.new.Error):
2274         * stress/array-lastindexof-own-getter.js: Added.
2275         (shouldBe):
2276         (throw.new.Error.get array):
2277         (get array):
2278         * stress/array-lastindexof-prototype-trap.js: Added.
2279         (shouldBe):
2280         (DerivedArray.prototype.get 2):
2281         (DerivedArray):
2282
2283 2018-09-25  Saam Barati  <sbarati@apple.com>
2284
2285         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2286         https://bugs.webkit.org/show_bug.cgi?id=189940
2287         <rdar://problem/43640987>
2288
2289         Reviewed by Mark Lam.
2290
2291         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2292
2293 2018-09-24  Saam Barati  <sbarati@apple.com>
2294
2295         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2296         https://bugs.webkit.org/show_bug.cgi?id=189922
2297         <rdar://problem/44651275>
2298
2299         Reviewed by Mark Lam.
2300
2301         * stress/array-indexof-fast-path-effects.js: Added.
2302         * stress/array-indexof-cached-length.js: Added.
2303
2304 2018-09-24  Saam barati  <sbarati@apple.com>
2305
2306         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2307         https://bugs.webkit.org/show_bug.cgi?id=189682
2308         <rdar://problem/43557315>
2309
2310         Reviewed by Mark Lam.
2311
2312         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2313         (foo):
2314
2315 2018-09-22  Saam barati  <sbarati@apple.com>
2316
2317         The sampling should not use Strong<CodeBlock> in its machineLocation field
2318         https://bugs.webkit.org/show_bug.cgi?id=189319
2319
2320         Reviewed by Filip Pizlo.
2321
2322         * stress/sampling-profiler-richards.js: Added.
2323
2324 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2325
2326         [JSC] Optimize Array#indexOf in C++ runtime
2327         https://bugs.webkit.org/show_bug.cgi?id=189507
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/array-indexof-array-prototype-trap.js: Added.
2332         (shouldBe):
2333         (AncestorArray.prototype.get 2):
2334         (AncestorArray):
2335         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2336         (shouldBe):
2337         * stress/array-indexof-hole-nan.js: Added.
2338         (shouldBe):
2339         (throw.new.Error):
2340         * stress/array-indexof-infinity.js: Added.
2341         (shouldBe):
2342         (throw.new.Error):
2343         * stress/array-indexof-negative-zero.js: Added.
2344         (shouldBe):
2345         (throw.new.Error):
2346         * stress/array-indexof-own-getter.js: Added.
2347         (shouldBe):
2348         (throw.new.Error.get array):
2349         (get array):
2350         * stress/array-indexof-prototype-trap.js: Added.
2351         (shouldBe):
2352         (DerivedArray.prototype.get 2):
2353         (DerivedArray):
2354
2355 2018-09-19  Saam barati  <sbarati@apple.com>
2356
2357         AI rule for MultiPutByOffset executes its effects in the wrong order
2358         https://bugs.webkit.org/show_bug.cgi?id=189757
2359         <rdar://problem/43535257>
2360
2361         Reviewed by Michael Saboff.
2362
2363         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2364         (foo):
2365         (Foo):
2366         (g):
2367
2368 2018-09-17  Mark Lam  <mark.lam@apple.com>
2369
2370         Ensure that ForInContexts are invalidated if their loop local is over-written.
2371         https://bugs.webkit.org/show_bug.cgi?id=189571
2372         <rdar://problem/44402277>
2373
2374         Reviewed by Saam Barati.
2375
2376         * stress/regress-189571.js: Added.
2377
2378 2018-09-17  Saam barati  <sbarati@apple.com>
2379
2380         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2381         https://bugs.webkit.org/show_bug.cgi?id=189676
2382         <rdar://problem/39682897>
2383
2384         Reviewed by Michael Saboff.
2385
2386         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2387         (A):
2388         (K):
2389         (i.catch):
2390
2391 2018-09-14  Saam barati  <sbarati@apple.com>
2392
2393         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2394         https://bugs.webkit.org/show_bug.cgi?id=189628
2395         <rdar://problem/39481690>
2396
2397         Reviewed by Mark Lam.
2398
2399         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2400         (foo):
2401
2402 2018-09-11  Mark Lam  <mark.lam@apple.com>
2403
2404         Test for array initialization in arrayProtoFuncSplice.
2405         https://bugs.webkit.org/show_bug.cgi?id=170253
2406         <rdar://problem/31328773>
2407
2408         Rubber-stamped by Saam Barati.
2409
2410         * stress/regress-170253.js: Added.
2411
2412 2018-09-11  Mark Lam  <mark.lam@apple.com>
2413
2414         Test for IntlObject initialization.
2415         https://bugs.webkit.org/show_bug.cgi?id=170251
2416         <rdar://problem/31328419>
2417
2418         Rubber-stamped by Saam Barati.
2419
2420         * stress/regress-170251.js: Added.
2421
2422 2018-09-11  Mark Lam  <mark.lam@apple.com>
2423
2424         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2425         https://bugs.webkit.org/show_bug.cgi?id=169889
2426         <rdar://problem/31155607>
2427
2428         Reviewed by Saam Barati.
2429
2430         * stress/regress-169889-array-concat.js: Added.
2431         * stress/regress-169889-array-concat1.js: Added.
2432         * stress/regress-169889-array-slice.js: Added.
2433
2434 2018-09-11  Mark Lam  <mark.lam@apple.com>
2435
2436         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2437         https://bugs.webkit.org/show_bug.cgi?id=169445
2438         <rdar://problem/30957435>
2439
2440         Reviewed by Saam Barati.
2441
2442         * stress/regress-169445.js: Added.
2443         (let.gun.eval.A):
2444         (let.gun.eval.B.C):
2445         (let.gun.eval.B.C.prototype.trigger):
2446         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2447         (let.gun.eval.B):
2448         (let.gun.eval):
2449
2450 == Rolled over to ChangeLog-2018-09-11 ==