[JSC] op_has_indexed_property should not assume subscript part is Uint32
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] op_has_indexed_property should not assume subscript part is Uint32
4         https://bugs.webkit.org/show_bug.cgi?id=196850
5
6         Reviewed by Saam Barati.
7
8         * stress/has-indexed-property-should-accept-non-int32.js: Added.
9         (foo):
10
11 2019-04-11  Saam barati  <sbarati@apple.com>
12
13         Remove invalid assertion in operationInstanceOfCustom
14         https://bugs.webkit.org/show_bug.cgi?id=196842
15         <rdar://problem/49725493>
16
17         Reviewed by Michael Saboff.
18
19         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
20
21 2019-04-10  Saam Barati  <sbarati@apple.com>
22
23         AbstractValue::validateOSREntryValue is wrong for Int52 constants
24         https://bugs.webkit.org/show_bug.cgi?id=196801
25         <rdar://problem/49771122>
26
27         Reviewed by Yusuke Suzuki.
28
29         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
30
31 2019-04-10  Robin Morisset  <rmorisset@apple.com>
32
33         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
34         https://bugs.webkit.org/show_bug.cgi?id=196746
35
36         Reviewed by Yusuke Suzuki.
37
38         * stress/cyclic-define-properties.js: Added.
39         (foo):
40
41 2019-04-09  Saam barati  <sbarati@apple.com>
42
43         Clean up Int52 code and some bugs in it
44         https://bugs.webkit.org/show_bug.cgi?id=196639
45         <rdar://problem/49515757>
46
47         Reviewed by Yusuke Suzuki.
48
49         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
50
51 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
52
53         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
54         https://bugs.webkit.org/show_bug.cgi?id=196708
55         <rdar://problem/49556803>
56
57         Reviewed by Yusuke Suzuki.
58
59         * stress/proxy-getter-stack-overflow.js: Added.
60         (const.handler.get target):
61         (const.handler.has):
62         (try.with):
63         (catch):
64
65 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
66
67         [JSC] DFG should respect node's strict flag
68         https://bugs.webkit.org/show_bug.cgi?id=196617
69
70         Reviewed by Saam Barati.
71
72         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
73         (shouldEqual):
74         (makeUnwriteableUnconfigurableObject):
75         (runTest):
76         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
77         (shouldBe):
78         (shouldThrow):
79         (with.result):
80         (with.putValueStrict):
81         (with.putValueSloppy):
82
83 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
84
85         [JSC] isRope jump in StringSlice should not jump over register allocations
86         https://bugs.webkit.org/show_bug.cgi?id=196716
87
88         Reviewed by Saam Barati.
89
90         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
91         (foo.bar):
92         (foo):
93
94 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         [JSC] to_index_string should not assume incoming value is Uint32
97         https://bugs.webkit.org/show_bug.cgi?id=196713
98
99         Reviewed by Saam Barati.
100
101         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
102         (foo):
103
104 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
105
106         [JSC] Add more tests for r243966
107         https://bugs.webkit.org/show_bug.cgi?id=196711
108
109         Reviewed by Saam Barati.
110
111         Adding one more test for r243966 fix. The added test will not crash after r243966.
112
113         * stress/stress-cleared-calllinkinfo.js: Added.
114         (runNearStackLimit.t):
115         (runNearStackLimit):
116         (repeat):
117         (cls):
118         (let.item.of.array.runNearStackLimit):
119
120 2019-04-08  Saam Barati  <sbarati@apple.com>
121
122         WebAssembly.RuntimeError missing exception check
123         https://bugs.webkit.org/show_bug.cgi?id=196700
124         <rdar://problem/49693932>
125
126         Reviewed by Yusuke Suzuki.
127
128         * wasm/js-api/runtime-error-should-exception-check.js: Added.
129
130 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
131
132         Unreviewed, rolling in r243948 with test fix
133         https://bugs.webkit.org/show_bug.cgi?id=196486
134
135         * stress/arrow-function-and-use-strict-directive.js: Added.
136         * stress/arrow-function-syntax.js: Added.
137         (checkSyntax):
138         (checkSyntaxError):
139
140 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
141
142         Unreviewed, rolling out r243948.
143
144         Caused inspector/runtime/parse.html to fail
145
146         Reverted changeset:
147
148         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
149         https://bugs.webkit.org/show_bug.cgi?id=196486
150         https://trac.webkit.org/changeset/243948
151
152 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
153
154         Unreviewed, rolling out r243943.
155
156         Caused test262 failures.
157
158         Reverted changeset:
159
160         "[JSC] Filter DontEnum properties in
161         ProxyObject::getOwnPropertyNames()"
162         https://bugs.webkit.org/show_bug.cgi?id=176810
163         https://trac.webkit.org/changeset/243943
164
165 2019-04-07  Michael Saboff  <msaboff@apple.com>
166
167         REGRESSION (r243642): Crash in reddit.com page
168         https://bugs.webkit.org/show_bug.cgi?id=196684
169
170         Reviewed by Geoffrey Garen.
171
172         New regression test.
173
174         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
175
176 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
179         https://bugs.webkit.org/show_bug.cgi?id=196683
180
181         Reviewed by Saam Barati.
182
183         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
184         (foo):
185
186 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
187
188         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
189         https://bugs.webkit.org/show_bug.cgi?id=196582
190
191         Reviewed by Saam Barati.
192
193         * stress/add-overflow-check-with-three-same-registers.js: Added.
194         (foo):
195         (Number.prototype.valueOf):
196         (runWithNumber):
197
198 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
199
200         Unreviewed, rolling out r243665.
201
202         Caused iOS JSC tests to exit with an exception.
203
204         Reverted changeset:
205
206         "Assertion failed in JSC::createError"
207         https://bugs.webkit.org/show_bug.cgi?id=196305
208         https://trac.webkit.org/changeset/243665
209
210 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
211
212         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
213         https://bugs.webkit.org/show_bug.cgi?id=196486
214
215         Reviewed by Saam Barati.
216
217         * stress/arrow-function-and-use-strict-directive.js: Added.
218         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
219         (checkSyntax):
220         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
221
222 2019-04-05  Caitlin Potter  <caitp@igalia.com>
223
224         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
225         https://bugs.webkit.org/show_bug.cgi?id=176810
226
227         Reviewed by Saam Barati.
228
229         Add tests for the DontEnum filtering, and variations of other tests
230         take the DontEnum-filtering path.
231
232         * stress/proxy-own-keys.js:
233         (i.catch):
234         (set assert):
235         (set add):
236         (let.set new):
237         (get let):
238
239 2019-04-05  Caitlin Potter  <caitp@igalia.com>
240
241         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
242         https://bugs.webkit.org/show_bug.cgi?id=185211
243
244         Reviewed by Saam Barati.
245
246         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
247
248         This changes several assertions to expect a TypeError to be thrown (in some cases,
249         changing the expected message).
250
251         * es6/Proxy_ownKeys_duplicates.js:
252         (handler):
253         (shouldThrow):
254         (test):
255         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
256         (shouldThrow):
257         * stress/proxy-own-keys.js:
258         (i.catch):
259         (assert):
260
261 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
262
263         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
264         https://bugs.webkit.org/show_bug.cgi?id=196631
265
266         Reviewed by Saam Barati.
267
268         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
269         (assert):
270         (test):
271         (foo):
272
273 2019-04-04  Saam Barati  <sbarati@apple.com>
274
275         Unreviewed. Make the test from r243906 catch the thrown exceptions.
276
277         * stress/inferred-types-regex-matches-array.js:
278
279 2019-04-04  Saam Barati  <sbarati@apple.com>
280
281         createRegExpMatchesArray does not respect inferred types
282         https://bugs.webkit.org/show_bug.cgi?id=193287
283
284         Reviewed by Yusuke Suzuki.
285
286         This checks in the test case for 193287. This issue was discovered by
287         Samuel Groß of Google Project Zero.
288
289         * stress/inferred-types-regex-matches-array.js: Added.
290
291 2019-04-04  Saam barati  <sbarati@apple.com>
292
293         Teach Call ICs how to call Wasm
294         https://bugs.webkit.org/show_bug.cgi?id=196387
295
296         Reviewed by Filip Pizlo.
297
298         * wasm/function-tests/stack-trace.js:
299
300 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
301
302         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
303         https://bugs.webkit.org/show_bug.cgi?id=194944
304
305         Reviewed by Keith Miller.
306
307         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
308
309 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
310
311         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
312         https://bugs.webkit.org/show_bug.cgi?id=196409
313
314         Reviewed by Saam Barati.
315
316         * stress/bytecode-cache-cached-string-impl.js: Added.
317         (f):
318         (g):
319         * stress/bytecode-cache-run-string.js: Added.
320
321 2019-04-03  Robin Morisset  <rmorisset@apple.com>
322
323         B3 should use associativity to optimize expression trees
324         https://bugs.webkit.org/show_bug.cgi?id=194081
325
326         Reviewed by Filip Pizlo.
327
328         Added three microbenchmarks:
329         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
330         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
331           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
332         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
333
334         * microbenchmarks/add-tree.js: Added.
335         * microbenchmarks/bit-or-tree.js: Added.
336         * microbenchmarks/bit-xor-tree.js: Added.
337
338 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
339
340         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
341         https://bugs.webkit.org/show_bug.cgi?id=196574
342
343         Reviewed by Saam Barati.
344
345         * stress/string-index-of-exception-check.js: Added.
346         (blurType):
347         (1.forEach):
348
349 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
350
351         Assertion failed in JSC::createError
352         https://bugs.webkit.org/show_bug.cgi?id=196305
353         <rdar://problem/49387382>
354
355         Reviewed by Saam Barati.
356
357         * stress/create-error-out-of-memory-rope-string-2.js: Added.
358         (assert):
359         (catch):
360
361 2019-03-28  Saam Barati  <sbarati@apple.com>
362
363         BackwardsGraph needs to consider back edges as the backward's root successor
364         https://bugs.webkit.org/show_bug.cgi?id=195991
365
366         Reviewed by Filip Pizlo.
367
368         * stress/map-b3-licm-infinite-loop.js: Added.
369
370 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
371
372         CodeBlock::jettison() should disallow repatching its own calls
373         https://bugs.webkit.org/show_bug.cgi?id=196359
374         <rdar://problem/48973663>
375
376         Reviewed by Saam Barati.
377
378         * stress/call-link-info-osrexit-repatch.js: Added.
379         (foo):
380
381 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
382
383         [JSC] imports-oom.js intermittently fails
384         https://bugs.webkit.org/show_bug.cgi?id=196373
385
386         Reviewed by Saam Barati.
387
388         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
389         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
390         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
391         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
392         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
393
394         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
395         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
396
397         * wasm/lowExecutableMemory/imports-oom.js:
398
399 2019-03-27  Saam Barati  <sbarati@apple.com>
400
401         validateOSREntryValue with Int52 should box the value being checked into double format
402         https://bugs.webkit.org/show_bug.cgi?id=196313
403         <rdar://problem/49306703>
404
405         Reviewed by Yusuke Suzuki.
406
407         * stress/validate-int-52-ai-state.js: Added.
408
409 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
410
411         [JSC] Owner of watchpoints should validate at GC finalizing phase
412         https://bugs.webkit.org/show_bug.cgi?id=195827
413
414         Reviewed by Filip Pizlo.
415
416         * stress/gc-should-reap-dead-watchpoints.js: Added.
417         (foo):
418         (A.prototype.y):
419         (A):
420
421 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
422
423         Skip WebAssembly test on 32-bit systems
424         https://bugs.webkit.org/show_bug.cgi?id=196206
425
426         Reviewed by Saam Barati.
427
428         Invoking runDefault executes test immediately even though
429         that test should be skipped due to missing WASM support.
430         Therefore remove runDefault.
431
432         * wasm/regress/web-assembly-link-error-exception-check.js:
433
434 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
435
436         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
437         https://bugs.webkit.org/show_bug.cgi?id=196217
438
439         Reviewed by Saam Barati.
440
441         Re-enable all NaN tests for f32.min, f64.min and f64.max.
442
443         * wasm/spec-tests/f32.wast.js:
444         * wasm/spec-tests/f64.wast.js:
445         * wasm/wasm.json:
446
447 2019-03-25  Keith Miller  <keith_miller@apple.com>
448
449         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
450         https://bugs.webkit.org/show_bug.cgi?id=196176
451
452         Reviewed by Saam Barati.
453
454         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
455         (main.v10):
456         (main):
457
458 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
459
460         WebAssembly: f32.max with NaN generates incorrect result
461         https://bugs.webkit.org/show_bug.cgi?id=175691
462         <rdar://problem/33952228>
463
464         Reviewed by Saam Barati.
465
466         Enable all f32.max NaN tests
467
468         * wasm/spec-tests/f32.wast.js:
469         * wasm/wasm.json:
470
471 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
472
473         [JSC] Move test into directory for WASM tests
474         https://bugs.webkit.org/show_bug.cgi?id=196187
475
476         Reviewed by Mark Lam.
477
478         Move Test into wasm-directory. Otherwise this test
479         is also executed on systems without WASM support.
480
481         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
482
483 2019-03-23  Mark Lam  <mark.lam@apple.com>
484
485         Rolling out r243032 and r243071 because the fix is incorrect.
486         https://bugs.webkit.org/show_bug.cgi?id=195892
487         <rdar://problem/48981239>
488
489         Not reviewed.
490
491         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
492
493 2019-03-22  Mark Lam  <mark.lam@apple.com>
494
495         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
496         https://bugs.webkit.org/show_bug.cgi?id=196154
497         <rdar://problem/49145307>
498
499         Reviewed by Filip Pizlo.
500
501         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
502         There's no need to run this test on more than 1 test configuration.
503
504         * stress/typed-array-lastIndexOf-exception-check.js: Added.
505         * stress/web-assembly-link-error-exception-check.js:
506
507 2019-03-22  Mark Lam  <mark.lam@apple.com>
508
509         Placate exception check validation in constructJSWebAssemblyLinkError().
510         https://bugs.webkit.org/show_bug.cgi?id=196152
511         <rdar://problem/49145257>
512
513         Reviewed by Michael Saboff.
514
515         * stress/web-assembly-link-error-exception-check.js: Added.
516
517 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
518
519         Skip tests running out of memory on ARM/MIPS
520         https://bugs.webkit.org/show_bug.cgi?id=196131
521
522         Unreviewed. Skip test if memory is limited.
523
524         * microbenchmarks/put-by-val-direct-large-index.js:
525
526 2019-03-21  Mark Lam  <mark.lam@apple.com>
527
528         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
529         https://bugs.webkit.org/show_bug.cgi?id=196116
530         <rdar://problem/48976951>
531
532         Reviewed by Filip Pizlo.
533
534         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
535
536 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
537
538         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
539         https://bugs.webkit.org/show_bug.cgi?id=196078
540         <rdar://problem/35925380>
541
542         Reviewed by Mark Lam.
543
544         Add a new benchmark that allocates several objects and invokes put_by_val_direct
545         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
546
547         * microbenchmarks/put-by-val-direct-large-index.js: Added.
548
549 2019-03-21  Mark Lam  <mark.lam@apple.com>
550
551         Placate exception check validation in operationArrayIndexOfString().
552         https://bugs.webkit.org/show_bug.cgi?id=196067
553         <rdar://problem/49056572>
554
555         Reviewed by Michael Saboff.
556
557         * stress/string-equal-exception-check.js: Added.
558
559 2019-03-21  Mark Lam  <mark.lam@apple.com>
560
561         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
562         https://bugs.webkit.org/show_bug.cgi?id=196055
563         <rdar://problem/49067448>
564
565         Reviewed by Yusuke Suzuki.
566
567         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
568
569 2019-03-20  Saam Barati  <sbarati@apple.com>
570
571         typeOfDoubleSum is wrong for when NaN can be produced
572         https://bugs.webkit.org/show_bug.cgi?id=196030
573
574         Reviewed by Filip Pizlo.
575
576         * stress/double-add-sub-mul-can-produce-nan.js: Added.
577         (assert):
578         (noInline.sub):
579         (noInline):
580         (assert.mul):
581         (assert.add):
582
583 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
584
585         Update the test to ensure OutOfMemoryError is thrown as intended
586         https://bugs.webkit.org/show_bug.cgi?id=196032
587         <rdar://problem/46842740>
588
589         Rubber stamped by Saam Barati.
590
591         * stress/create-error-out-of-memory-rope-string.js:
592         (assert):
593         (catch):
594
595 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
596
597         JSC::createError needs to check for OOM in errorDescriptionForValue
598         https://bugs.webkit.org/show_bug.cgi?id=196032
599         <rdar://problem/46842740>
600
601         Reviewed by Mark Lam.
602
603         * stress/create-error-out-of-memory-rope-string.js: Added.
604
605 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
606
607         Unreviewed, reduce # of iterations to avoid timing out after r242991
608         https://bugs.webkit.org/show_bug.cgi?id=195791
609
610         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
611
612         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
613
614 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
615
616         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
617         https://bugs.webkit.org/show_bug.cgi?id=195950
618
619         Unreviewed, reducing the amount of memory used on this test to avoid
620         OOM on devices with memory restrictions.
621
622         * microbenchmarks/generate-multiple-llint-entrypoints.js:
623
624 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
625
626         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
627         https://bugs.webkit.org/show_bug.cgi?id=194648
628
629         Reviewed by Keith Miller.
630
631         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
632
633 2019-03-18  Mark Lam  <mark.lam@apple.com>
634
635         Missing a ThrowScope release in JSObject::toString().
636         https://bugs.webkit.org/show_bug.cgi?id=195893
637         <rdar://problem/48970986>
638
639         Reviewed by Michael Saboff.
640
641         * stress/to-string-exception-check-release.js: Added.
642
643 2019-03-18  Mark Lam  <mark.lam@apple.com>
644
645         Structure::flattenDictionary() should clear unused property slots.
646         https://bugs.webkit.org/show_bug.cgi?id=195871
647         <rdar://problem/48959497>
648
649         Reviewed by Michael Saboff.
650
651         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
652
653 2019-03-15  Mark Lam  <mark.lam@apple.com>
654
655         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
656         https://bugs.webkit.org/show_bug.cgi?id=195827
657         <rdar://problem/48845513>
658
659         Reviewed by Filip Pizlo.
660
661         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
662
663 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
664
665         [ARM,MIPS] Skip slow tests
666         https://bugs.webkit.org/show_bug.cgi?id=195799
667
668         Unreviewed, test does not finish on ARM and MIPS within the
669         timeout limit.
670
671         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
672
673 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
676         https://bugs.webkit.org/show_bug.cgi?id=195791
677         <rdar://problem/48806130>
678
679         Reviewed by Mark Lam.
680
681         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
682         (foo):
683
684 2019-03-14  Saam barati  <sbarati@apple.com>
685
686         We can't remove code after ForceOSRExit until after FixupPhase
687         https://bugs.webkit.org/show_bug.cgi?id=186916
688         <rdar://problem/41396612>
689
690         Reviewed by Yusuke Suzuki.
691
692         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
693         (foo):
694         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
695         (foo):
696
697 2019-03-13  Michael Saboff  <msaboff@apple.com>
698
699         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
700         https://bugs.webkit.org/show_bug.cgi?id=195735
701
702         Reviewed by Mark Lam.
703
704         New regression test.
705
706         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
707         (foo):
708         (bar):
709
710 2019-03-14  Saam barati  <sbarati@apple.com>
711
712         Fixup uses KnownInt32 incorrectly in some nodes
713         https://bugs.webkit.org/show_bug.cgi?id=195279
714         <rdar://problem/47915654>
715
716         Reviewed by Yusuke Suzuki.
717
718         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
719         (foo):
720
721 2019-03-14  Keith Miller  <keith_miller@apple.com>
722
723         DFG liveness can't skip tail caller inline frames
724         https://bugs.webkit.org/show_bug.cgi?id=195715
725
726         Reviewed by Saam Barati.
727
728         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
729         (i.foo):
730
731 2019-03-13  Mark Lam  <mark.lam@apple.com>
732
733         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
734         https://bugs.webkit.org/show_bug.cgi?id=195415
735
736         Not reviewed.
737
738         Changed these tests to only run the default configuration.
739         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
740         There's no strong need to run this test on that variant.
741
742         * stress/dfg-to-string-on-int-does-gc.js:
743         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
744
745 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
746
747         String overflow when using StringBuilder in JSC::createError
748         https://bugs.webkit.org/show_bug.cgi?id=194957
749
750         Reviewed by Mark Lam.
751
752         Add test string-overflow-createError-builder.js that overflows
753         StringBuilder in notAFunctionSourceAppender. The second new test
754         string-overflow-createError-fit.js has an error message that doesn't
755         overflow, it still failed since the String's capacity can't be doubled.
756         Run test string-overflow-createError.js only in the default
757         configuration to reduce memory consumption when running the test
758         in all configurations on multiple CPUs in parallel.
759
760         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
761         (catch):
762         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
763         (catch):
764         * stress/string-overflow-createError.js:
765
766 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
767
768         [JSC] OSR entry should respect abstract values in addition to flush formats
769         https://bugs.webkit.org/show_bug.cgi?id=195653
770
771         Reviewed by Mark Lam.
772
773         * stress/osr-entry-locals-none.js: Added.
774
775 2019-03-12  Michael Saboff  <msaboff@apple.com>
776
777         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
778         https://bugs.webkit.org/show_bug.cgi?id=195613
779
780         Reviewed by Mark Lam.
781
782         New regression test.
783
784         * stress/regexp-backref-inbounds.js: Added.
785         (testRegExp):
786
787 2019-03-12  Mark Lam  <mark.lam@apple.com>
788
789         The HasIndexedProperty node does GC.
790         https://bugs.webkit.org/show_bug.cgi?id=195559
791         <rdar://problem/48767923>
792
793         Reviewed by Yusuke Suzuki.
794
795         * stress/HasIndexedProperty-does-gc.js: Added.
796
797 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
798
799         [ESNext][BigInt] Implement "~" unary operation
800         https://bugs.webkit.org/show_bug.cgi?id=182216
801
802         Reviewed by Keith Miller.
803
804         * stress/big-int-bit-not-general.js: Added.
805         * stress/big-int-bitwise-not-jit.js: Added.
806         * stress/big-int-bitwise-not-wrapped-value.js: Added.
807         * stress/bit-op-with-object-returning-int32.js:
808         * stress/bitwise-not-fixup-rules.js: Added.
809         * stress/value-bit-not-ai-rule.js: Added.
810
811 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
812
813         Invalid flags in a RegExp literal should be an early SyntaxError
814         https://bugs.webkit.org/show_bug.cgi?id=195514
815
816         Reviewed by Darin Adler.
817
818         * test262/expectations.yaml:
819         Mark 4 test cases as passing.
820
821         * stress/regexp-syntax-error-invalid-flags.js:
822         * stress/regress-161995.js: Removed.
823         Update existing test, merging in an older test for the same behavior.
824
825 2019-03-08  Mark Lam  <mark.lam@apple.com>
826
827         Stack overflow crash in JSC::JSObject::hasInstance.
828         https://bugs.webkit.org/show_bug.cgi?id=195458
829         <rdar://problem/48710195>
830
831         Reviewed by Yusuke Suzuki.
832
833         * stress/stack-overflow-in-custom-hasInstance.js: Added.
834
835 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
836
837         op_check_tdz does not def its argument
838         https://bugs.webkit.org/show_bug.cgi?id=192880
839         <rdar://problem/46221598>
840
841         Reviewed by Saam Barati.
842
843         * microbenchmarks/let-for-in.js: Added.
844         (foo):
845
846 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
847
848         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
849         https://bugs.webkit.org/show_bug.cgi?id=195429
850
851         Reviewed by Saam Barati.
852
853         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
854         (foo):
855         * stress/string-from-char-code-255.js: Added.
856
857 2019-03-06  Mark Lam  <mark.lam@apple.com>
858
859         Fix incorrect handling of try-finally completion values.
860         https://bugs.webkit.org/show_bug.cgi?id=195131
861         <rdar://problem/46222079>
862
863         Reviewed by Saam Barati and Yusuke Suzuki.
864
865         Added many permutations of new test case to test-finally.js.  test-finally.js has
866         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
867         tests pass there as well.
868
869         * stress/test-finally.js:
870
871 2019-03-06  Saam Barati  <sbarati@apple.com>
872
873         Air::reportUsedRegisters must padInterference
874         https://bugs.webkit.org/show_bug.cgi?id=195303
875         <rdar://problem/48270343>
876
877         Reviewed by Keith Miller.
878
879         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
880
881 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] AI should not propagate AbstractValue relying on constant folding phase
884         https://bugs.webkit.org/show_bug.cgi?id=195375
885
886         Reviewed by Saam Barati.
887
888         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
889         (let.array):
890
891 2019-03-05  Saam barati  <sbarati@apple.com>
892
893         op_switch_char broken for rope strings after JSRopeString layout rewrite
894         https://bugs.webkit.org/show_bug.cgi?id=195339
895         <rdar://problem/48592545>
896
897         Reviewed by Yusuke Suzuki.
898
899         * stress/switch-on-char-llint-rope.js: Added.
900
901 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
902
903         [JSC] Store bits for JSRopeString in 3 stores
904         https://bugs.webkit.org/show_bug.cgi?id=195234
905
906         Reviewed by Saam Barati.
907
908         * stress/null-rope-and-collectors.js: Added.
909
910 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
911
912         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
913         https://bugs.webkit.org/show_bug.cgi?id=195207
914
915         Unreviewed. After test runtime was reduced in r242213, test can be
916         run again on ARM/MIPS.
917
918         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
919
920 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
921
922         [JSC] sizeof(JSString) should be 16
923         https://bugs.webkit.org/show_bug.cgi?id=194375
924
925         Reviewed by Saam Barati.
926
927         * microbenchmarks/make-rope.js: Added.
928         (makeRope):
929         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
930         (returnRope.helper): Deleted.
931         (returnRope): Deleted.
932
933 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
934
935         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
936         https://bugs.webkit.org/show_bug.cgi?id=195144
937
938         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
939         Change the number from 1e8 to 1e5.
940
941         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
942         (foo):
943
944 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
945
946         Test times out on ARM/MIPS
947         https://bugs.webkit.org/show_bug.cgi?id=195168
948
949         Unreviewed. Skip test on ARM/MIPS.
950
951         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
952
953 2019-02-27  Mark Lam  <mark.lam@apple.com>
954
955         The parser is failing to record the token location of new in new.target.
956         https://bugs.webkit.org/show_bug.cgi?id=195127
957         <rdar://problem/39645578>
958
959         Reviewed by Yusuke Suzuki.
960
961         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
962
963 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
964
965         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
966         https://bugs.webkit.org/show_bug.cgi?id=195144
967         <rdar://problem/47595961>
968
969         Reviewed by Mark Lam.
970
971         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
972         (bar):
973         (foo):
974         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
975         (bar):
976         (foo):
977
978 2019-02-27  Robin Morisset  <rmorisset@apple.com>
979
980         DFG: Loop-invariant code motion (LICM) should not hoist dead code
981         https://bugs.webkit.org/show_bug.cgi?id=194945
982         <rdar://problem/48311657>
983
984         Reviewed by Mark Lam.
985
986         * stress/licm-dead-code.js: Added.
987
988 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
989
990         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
991         https://bugs.webkit.org/show_bug.cgi?id=194677
992         <rdar://problem/48112492>
993
994         Reviewed by Mark Lam.
995
996         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
997         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
998         it immediately fails due to the large size.
999
1000         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1001         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1002         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1003         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1004
1005         This patch changes the test to produce 16bit string from String.fromCharCode.
1006
1007         * stress/regress-178386.js:
1008
1009 2019-02-26  Mark Lam  <mark.lam@apple.com>
1010
1011         wasmToJS() should purify incoming NaNs.
1012         https://bugs.webkit.org/show_bug.cgi?id=194807
1013         <rdar://problem/48189132>
1014
1015         Reviewed by Saam Barati.
1016
1017         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1018
1019 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1020
1021         [JSC] Repeat string created from Array.prototype.join() take too much memory
1022         https://bugs.webkit.org/show_bug.cgi?id=193912
1023
1024         Reviewed by Saam Barati.
1025
1026         Added a test and a microbenchmark for corner cases of
1027         Array.prototype.join() with an uninitialized array.
1028
1029         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1030         * stress/array-prototype-join-uninitialized.js: Added.
1031         (testArray):
1032         (testABC):
1033         (B):
1034         (C):
1035
1036 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1037
1038         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1039         https://bugs.webkit.org/show_bug.cgi?id=194953
1040         <rdar://problem/47595253>
1041
1042         Reviewed by Saam Barati.
1043
1044         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1045
1046         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1047
1048 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1049
1050         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1051         https://bugs.webkit.org/show_bug.cgi?id=172848
1052         <rdar://problem/25709212>
1053
1054         Reviewed by Mark Lam.
1055
1056         * typeProfiler/inheritance.js:
1057         Rewrite the test slightly for clarity. The hoisting was confusing.
1058
1059         * heapProfiler/class-names.js: Added.
1060         (MyES5Class):
1061         (MyES6Class):
1062         (MyES6Subclass):
1063         Test object types and improved class names.
1064
1065         * heapProfiler/driver/driver.js:
1066         (CheapHeapSnapshotNode):
1067         (CheapHeapSnapshot):
1068         (createCheapHeapSnapshot):
1069         (HeapSnapshot):
1070         (createHeapSnapshot):
1071         Update snapshot parsing from version 1 to version 2.
1072
1073 2019-02-19  Truitt Savell  <tsavell@apple.com>
1074
1075         Unreviewed, rolling out r241784.
1076
1077         Broke all OpenSource builds.
1078
1079         Reverted changeset:
1080
1081         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1082         instances view"
1083         https://bugs.webkit.org/show_bug.cgi?id=172848
1084         https://trac.webkit.org/changeset/241784
1085
1086 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1087
1088         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1089         https://bugs.webkit.org/show_bug.cgi?id=172848
1090         <rdar://problem/25709212>
1091
1092         Reviewed by Mark Lam.
1093
1094         * typeProfiler/inheritance.js:
1095         Rewrite the test slightly for clarity. The hoisting was confusing.
1096
1097         * heapProfiler/class-names.js: Added.
1098         (MyES5Class):
1099         (MyES6Class):
1100         (MyES6Subclass):
1101         Test object types and improved class names.
1102
1103         * heapProfiler/driver/driver.js:
1104         (CheapHeapSnapshotNode):
1105         (CheapHeapSnapshot):
1106         (createCheapHeapSnapshot):
1107         (HeapSnapshot):
1108         (createHeapSnapshot):
1109         Update snapshot parsing from version 1 to version 2.
1110
1111 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1112
1113         [ARM] Fix crash with sampling profiler
1114         https://bugs.webkit.org/show_bug.cgi?id=194772
1115
1116         Reviewed by Mark Lam.
1117
1118         Do not skip test since crash with sampling profiler is now fixed.
1119
1120         * stress/sampling-profiler-richards.js:
1121
1122 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1123
1124         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1125         https://bugs.webkit.org/show_bug.cgi?id=194784
1126         <rdar://problem/48154820>
1127
1128         Reviewed by Mark Lam.
1129
1130         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1131         (getProperties):
1132         (getRandomProperty):
1133         (i.catch):
1134
1135 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1136
1137         [ARM] Test gardening: Test running out of executable memory
1138         https://bugs.webkit.org/show_bug.cgi?id=194771
1139
1140         Unreviewed. Do not run test without LLInt, test is running out of executable
1141         memory on ARM otherwise.
1142
1143         * stress/tagged-template-object-collect.js:
1144
1145 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1146
1147         Unreviewed, skip the test on platforms without sampling profiler
1148
1149         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1150         (platformSupportsSamplingProfiler.foo):
1151         (platformSupportsSamplingProfiler.test):
1152         (platformSupportsSamplingProfiler):
1153         (foo): Deleted.
1154         (test): Deleted.
1155
1156 2019-02-17  Saam Barati  <sbarati@apple.com>
1157
1158         Deadlock when adding a Structure property transition and then doing incremental marking
1159         https://bugs.webkit.org/show_bug.cgi?id=194767
1160
1161         Reviewed by Mark Lam.
1162
1163         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1164
1165 2019-02-15  Michael Saboff  <msaboff@apple.com>
1166
1167         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1168         https://bugs.webkit.org/show_bug.cgi?id=194558
1169
1170         Reviewed by Saam Barati.
1171
1172         New regression test.
1173
1174         * stress/regexp-unicode-within-string.js: Added.
1175
1176 2019-02-15  Mark Lam  <mark.lam@apple.com>
1177
1178         SamplingProfiler::stackTracesAsJSON() should escape strings.
1179         https://bugs.webkit.org/show_bug.cgi?id=194649
1180         <rdar://problem/48072386>
1181
1182         Reviewed by Saam Barati.
1183
1184         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1185         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1186         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1187         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1188
1189 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1190         CodeBlock::jettison should clear related watchpoints
1191         https://bugs.webkit.org/show_bug.cgi?id=194544
1192
1193         Reviewed by Mark Lam.
1194
1195         * stress/regexp-replace-double-watchpoint.js: Added.
1196         (foo):
1197
1198 2019-02-15  Saam barati  <sbarati@apple.com>
1199
1200         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1201         https://bugs.webkit.org/show_bug.cgi?id=194036
1202
1203         Reviewed by Yusuke Suzuki.
1204
1205         * stress/tail-call-many-arguments.js: Added.
1206         (foo):
1207         (bar):
1208
1209 2019-02-14  Saam Barati  <sbarati@apple.com>
1210
1211         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1212         https://bugs.webkit.org/show_bug.cgi?id=194583
1213         <rdar://problem/48028140>
1214
1215         Reviewed by Yusuke Suzuki.
1216
1217         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1218
1219 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         [JSC] String.fromCharCode's slow path always generates 16bit string
1222         https://bugs.webkit.org/show_bug.cgi?id=194466
1223
1224         Reviewed by Keith Miller.
1225
1226         * stress/string-from-char-code-slow-path.js: Added.
1227         (shouldBe):
1228         (testWithLength):
1229
1230 2019-02-08  Saam barati  <sbarati@apple.com>
1231
1232         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1233         https://bugs.webkit.org/show_bug.cgi?id=194334
1234         <rdar://problem/47844327>
1235
1236         Reviewed by Mark Lam.
1237
1238         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1239         (func):
1240
1241 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1242
1243         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1244         https://bugs.webkit.org/show_bug.cgi?id=194369
1245         <rdar://problem/47813087>
1246
1247         Reviewed by Saam Barati.
1248
1249         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1250         (A):
1251
1252 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1253
1254         [JSC] PrivateName to PublicName hash table is wasteful
1255         https://bugs.webkit.org/show_bug.cgi?id=194277
1256
1257         Reviewed by Michael Saboff.
1258
1259         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1260
1261         * ChakraCore.yaml:
1262
1263 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1264
1265         [ARM] Test running out of executable memory
1266         https://bugs.webkit.org/show_bug.cgi?id=194285
1267
1268         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1269         executable memory otherwise.
1270
1271         * stress/class-subclassing-function.js:
1272
1273 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1274
1275         when lowering AssertNotEmpty, create the value before creating the patchpoint
1276         https://bugs.webkit.org/show_bug.cgi?id=194231
1277
1278         Reviewed by Saam Barati.
1279
1280         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1281         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1282         So even tiny changes to this test can change the code path taken.
1283
1284         * stress/assert-not-empty.js: Added.
1285         (foo):
1286
1287 2019-02-01  Mark Lam  <mark.lam@apple.com>
1288
1289         Remove invalid assertion in DFG's compileDoubleRep().
1290         https://bugs.webkit.org/show_bug.cgi?id=194130
1291         <rdar://problem/47699474>
1292
1293         Reviewed by Saam Barati.
1294
1295         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1296
1297 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1298
1299         Import latest Test262 updates.
1300
1301         Rubber-stamped by Keith Miller.
1302
1303         * test262.yaml: Deleted.
1304         * test262/config.yaml:
1305         * test262/expectations.yaml:
1306         * test262/latest-changes-summary.txt:
1307         * test262/test/:
1308         * test262/test262-Revision.txt:
1309
1310 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1311
1312         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1313         https://bugs.webkit.org/show_bug.cgi?id=194050
1314         <rdar://problem/47595592>
1315
1316         Reviewed by Yusuke Suzuki.
1317
1318         * stress/object-keys-osr-exit.js: Added.
1319         (foo):
1320         (catch):
1321
1322 2019-01-29  Mark Lam  <mark.lam@apple.com>
1323
1324         ValueRecovery::recover() should purify NaN values it recovers.
1325         https://bugs.webkit.org/show_bug.cgi?id=193978
1326         <rdar://problem/47625488>
1327
1328         Reviewed by Saam Barati.
1329
1330         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1331
1332 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1333
1334         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1335         https://bugs.webkit.org/show_bug.cgi?id=193713
1336
1337         * stress/try-get-by-id-should-spill-registers-dfg.js:
1338         (let.f.createBuiltin):
1339
1340 2019-01-28  Mark Lam  <mark.lam@apple.com>
1341
1342         ToString node actually does GC.
1343         https://bugs.webkit.org/show_bug.cgi?id=193920
1344         <rdar://problem/46695900>
1345
1346         Reviewed by Yusuke Suzuki.
1347
1348         * stress/dfg-to-string-on-int-does-gc.js: Added.
1349         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1350         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1351
1352 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1353
1354         [JSC] NativeErrorConstructor should not have own IsoSubspace
1355         https://bugs.webkit.org/show_bug.cgi?id=193713
1356
1357         Reviewed by Saam Barati.
1358
1359         Remove @Error use.
1360
1361         * stress/try-get-by-id-should-spill-registers-dfg.js:
1362         (let.f.createBuiltin):
1363
1364 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1365
1366         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1367         https://bugs.webkit.org/show_bug.cgi?id=190693
1368
1369         Reviewed by Michael Saboff.
1370
1371         * stress/regress-190693.js: Added.
1372         (truth):
1373         (assert):
1374         (shouldThrowInvalidConstAssignment):
1375         (taz):
1376
1377 2019-01-24  Saam Barati  <sbarati@apple.com>
1378
1379         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1380         https://bugs.webkit.org/show_bug.cgi?id=193751
1381         <rdar://problem/47280215>
1382
1383         Reviewed by Michael Saboff.
1384
1385         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1386         (let.thing):
1387         (foo.let.hello):
1388         (foo):
1389
1390 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1391
1392         [JSC] Reenable baseline JIT on mips
1393         https://bugs.webkit.org/show_bug.cgi?id=192983
1394
1395         Reviewed by Mark Lam.
1396
1397         Added a new test for a case that was triggering a RELEASE_ASSERT when
1398         testing.
1399         Disable some slow tests that were already disabled for arm and x86.
1400
1401         * stress/json-parse-big-object.js: Added.
1402         * stress/new-largeish-contiguous-array-with-size.js:
1403         * stress/op_add.js:
1404         * stress/op_bitand.js:
1405         * stress/op_bitor.js:
1406         * stress/op_bitxor.js:
1407         * stress/op_lshift-ConstVar.js:
1408         * stress/op_lshift-VarConst.js:
1409         * stress/op_lshift-VarVar.js:
1410         * stress/op_mod-ConstVar.js:
1411         * stress/op_mod-VarConst.js:
1412         * stress/op_mod-VarVar.js:
1413         * stress/op_mul-ConstVar.js:
1414         * stress/op_mul-VarConst.js:
1415         * stress/op_mul-VarVar.js:
1416         * stress/op_rshift-ConstVar.js:
1417         * stress/op_rshift-VarConst.js:
1418         * stress/op_rshift-VarVar.js:
1419         * stress/op_sub-ConstVar.js:
1420         * stress/op_sub-VarConst.js:
1421         * stress/op_sub-VarVar.js:
1422         * stress/op_urshift-ConstVar.js:
1423         * stress/op_urshift-VarConst.js:
1424         * stress/op_urshift-VarVar.js:
1425         * stress/sampling-profiler-richards.js:
1426         * stress/spread-forward-call-varargs-stack-overflow.js:
1427
1428 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1429
1430         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1431         https://bugs.webkit.org/show_bug.cgi?id=193711
1432         <rdar://problem/47250262>
1433
1434         Reviewed by Saam Barati.
1435
1436         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1437         (shouldBe):
1438         (foo):
1439         (bar):
1440         (baz):
1441
1442 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1443
1444         Unreviewed, fix initial global lexical binding epoch
1445         https://bugs.webkit.org/show_bug.cgi?id=193603
1446         <rdar://problem/47380869>
1447
1448         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1449         (f1.f2.f3.f4):
1450         (f1.f2.f3):
1451         (f1.f2):
1452         (f1):
1453
1454 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1455
1456         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1457         https://bugs.webkit.org/show_bug.cgi?id=193709
1458         <rdar://problem/47363838>
1459
1460         Unreviewed, rollout to watch the tests.
1461
1462         * stress/object-tostring-changed-proto.js: Removed.
1463         * stress/object-tostring-changed.js: Removed.
1464         * stress/object-tostring-misc.js: Removed.
1465         * stress/object-tostring-other.js: Removed.
1466         * stress/object-tostring-untyped.js: Removed.
1467
1468 2019-01-22  Saam Barati  <sbarati@apple.com>
1469
1470         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1471
1472         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1473         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1474         (testUncheckedLessThanZero):
1475         (testUncheckedLessThanOrEqualZero):
1476         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1477         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1478
1479 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1480
1481         [JSC] Invalidate old scope operations using global lexical binding epoch
1482         https://bugs.webkit.org/show_bug.cgi?id=193603
1483         <rdar://problem/47380869>
1484
1485         Reviewed by Saam Barati.
1486
1487         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1488         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1489         (shouldThrow):
1490         (bar):
1491         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1492         (shouldBe):
1493         (get1):
1494         (get2):
1495         (get1If):
1496         (get2If):
1497         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1498         (shouldThrow):
1499         (foo):
1500
1501 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1502
1503         Unreviewed, roll out r240220 due to date-format-xparb regression
1504         https://bugs.webkit.org/show_bug.cgi?id=193603
1505
1506         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1507         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1508         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1509         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1510
1511 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1512
1513         DoesGC rule is wrong for nodes with BigIntUse
1514         https://bugs.webkit.org/show_bug.cgi?id=193652
1515
1516         Reviewed by Saam Barati.
1517
1518         * stress/big-int-value-op-update-gc-rules.js: Added.
1519         (assert):
1520         (doesGCAdd):
1521         (doesGCSub):
1522         (doesGCDiv):
1523         (doesGCMul):
1524         (doesGCBitAnd):
1525         (doesGCBitOr):
1526         (doesGCBitXor):
1527
1528 2019-01-20  Saam Barati  <sbarati@apple.com>
1529
1530         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1531         https://bugs.webkit.org/show_bug.cgi?id=193644
1532         <rdar://problem/46209745>
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1537         (foo):
1538         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1539         (foo):
1540         (bar):
1541
1542 2019-01-20  Saam Barati  <sbarati@apple.com>
1543
1544         MovHint must merge NodeBytecodeUsesAsValue for its child
1545         https://bugs.webkit.org/show_bug.cgi?id=186916
1546         <rdar://problem/41396612>
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1551         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1552
1553 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1554
1555         [JSC] Invalidate old scope operations using global lexical binding epoch
1556         https://bugs.webkit.org/show_bug.cgi?id=193603
1557         <rdar://problem/47380869>
1558
1559         Reviewed by Saam Barati.
1560
1561         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1562         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1563         (shouldThrow):
1564         (bar):
1565         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1566         (shouldBe):
1567         (get1):
1568         (get2):
1569         (get1If):
1570         (get2If):
1571         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1572         (shouldThrow):
1573         (foo):
1574
1575 2019-01-17  Saam barati  <sbarati@apple.com>
1576
1577         StringObjectUse should not be a structure check for the original string object structure
1578         https://bugs.webkit.org/show_bug.cgi?id=193483
1579         <rdar://problem/47280522>
1580
1581         Reviewed by Yusuke Suzuki.
1582
1583         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1584         (foo):
1585         (a.valueOf.0):
1586
1587 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1588
1589         [JSC] ToThis omission in DFGByteCodeParser is wrong
1590         https://bugs.webkit.org/show_bug.cgi?id=193513
1591         <rdar://problem/45842236>
1592
1593         Reviewed by Saam Barati.
1594
1595         * stress/to-this-omission-with-different-strict-modes.js: Added.
1596         (thisA):
1597         (thisAStrictWrapper):
1598
1599 2019-01-15  Mark Lam  <mark.lam@apple.com>
1600
1601         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1602         https://bugs.webkit.org/show_bug.cgi?id=193423
1603         <rdar://problem/46209355>
1604
1605         Reviewed by Saam Barati.
1606
1607         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1608         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1609         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1610         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1611
1612 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1613
1614         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1615         https://bugs.webkit.org/show_bug.cgi?id=193438
1616         <rdar://problem/45581249>
1617
1618         Reviewed by Saam Barati and Keith Miller.
1619
1620         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1621         Then, GetByVal(String) crashed.
1622
1623         * stress/string-get-by-val-lowering.js: Added.
1624         (shouldBe):
1625         (test):
1626         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1627         (Hello):
1628         (foo):
1629
1630 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1631
1632         Unreviewed, skip JIT tests if it's not enabled
1633
1634         * stress/bit-op-with-object-returning-int32.js:
1635
1636 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1637
1638         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1639         https://bugs.webkit.org/show_bug.cgi?id=192966
1640
1641         Reviewed by Yusuke Suzuki.
1642
1643         * stress/bit-op-with-object-returning-int32.js: Added.
1644
1645 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1646
1647         Skip a slow test and a flakey test on arm
1648
1649         Unreviewed gardening.
1650
1651         * typeProfiler/getter-richards.js:
1652         this test always times out, it used to be always skipped on arm and
1653         mips, but got accidentally enabled by r237919 now that we have DFG on
1654         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1655
1656 2019-01-14  Keith Miller  <keith_miller@apple.com>
1657
1658         Skip type-check-hoisting-phase-hoist... with no jit
1659         https://bugs.webkit.org/show_bug.cgi?id=193421
1660
1661         Reviewed by Mark Lam.
1662
1663         It's timing out the 32-bit bots and takes 330 seconds
1664         on my machine when run by itself.
1665
1666         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1667
1668 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1669
1670         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1671         https://bugs.webkit.org/show_bug.cgi?id=193413
1672         <rdar://problem/46092389>
1673
1674         Reviewed by Keith Miller.
1675
1676         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1677         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1678         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1679         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1680
1681         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1682         (compareArray):
1683
1684 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1685
1686         [BigInt] Literal parsing is crashing when used inside a Object Literal
1687         https://bugs.webkit.org/show_bug.cgi?id=193404
1688
1689         Reviewed by Yusuke Suzuki.
1690
1691         * stress/big-int-literal-inside-literal-object.js: Added.
1692
1693 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1694
1695         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1696         https://bugs.webkit.org/show_bug.cgi?id=193372
1697
1698         Reviewed by Saam Barati.
1699
1700         * stress/typed-array-array-modes-profile.js: Added.
1701         (foo):
1702
1703 2019-01-14  Mark Lam  <mark.lam@apple.com>
1704
1705         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1706         https://bugs.webkit.org/show_bug.cgi?id=193402
1707         <rdar://problem/46012309>
1708
1709         Reviewed by Keith Miller.
1710
1711         * stress/regexp-compile-oom.js:
1712         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1713           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1714
1715 2019-01-11  Saam barati  <sbarati@apple.com>
1716
1717         DFG combined liveness can be wrong for terminal basic blocks
1718         https://bugs.webkit.org/show_bug.cgi?id=193304
1719         <rdar://problem/45268632>
1720
1721         Reviewed by Yusuke Suzuki.
1722
1723         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1724
1725 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1726
1727         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1728         https://bugs.webkit.org/show_bug.cgi?id=193308
1729         <rdar://problem/45546542>
1730
1731         Reviewed by Saam Barati.
1732
1733         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1734         (shouldThrow):
1735         (shouldBe):
1736         (foo):
1737         (get shouldThrow):
1738         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1739         (shouldThrow):
1740         (shouldBe):
1741         (foo):
1742         (get shouldBe):
1743         (get shouldThrow):
1744         (get return):
1745         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1746         (shouldThrow):
1747         (shouldBe):
1748         (foo):
1749         (get shouldBe):
1750         (get shouldThrow):
1751         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1752         (shouldThrow):
1753         (shouldBe):
1754         (foo):
1755         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1756         (shouldThrow):
1757         (shouldBe):
1758         (foo):
1759         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1760         (shouldThrow):
1761         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1762         (shouldThrow):
1763         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1764         (shouldThrow):
1765         (shouldBe):
1766         (foo):
1767         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1768         (shouldThrow):
1769         (shouldBe):
1770         (foo):
1771         (get shouldBe):
1772         (get shouldThrow):
1773         (get return):
1774         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1775         (shouldThrow):
1776         (shouldBe):
1777         (foo):
1778         (get shouldBe):
1779         (get shouldThrow):
1780         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1781         (shouldThrow):
1782         (shouldBe):
1783         (foo):
1784         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1785         (shouldThrow):
1786         (shouldBe):
1787         (foo):
1788
1789 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1790
1791         Enable DFG on ARM/Linux again
1792         https://bugs.webkit.org/show_bug.cgi?id=192496
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         Test wasn't really skipped before moving the line with skip
1797         to the top.
1798
1799         * stress/regress-192717.js:
1800
1801 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1802
1803         Unreviewed, rolling out r239825.
1804         https://bugs.webkit.org/show_bug.cgi?id=193330
1805
1806         Broke tests on armv7/linux bots (Requested by guijemont on
1807         #webkit).
1808
1809         Reverted changeset:
1810
1811         "Enable DFG on ARM/Linux again"
1812         https://bugs.webkit.org/show_bug.cgi?id=192496
1813         https://trac.webkit.org/changeset/239825
1814
1815 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1816
1817         Enable DFG on ARM/Linux again
1818         https://bugs.webkit.org/show_bug.cgi?id=192496
1819
1820         Reviewed by Yusuke Suzuki.
1821
1822         Test wasn't really skipped before moving the line with skip
1823         to the top.
1824
1825         * stress/regress-192717.js:
1826
1827 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1828
1829         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1830         https://bugs.webkit.org/show_bug.cgi?id=193127
1831
1832         Reviewed by Saam Barati.
1833
1834         * stress/array-species-create-should-handle-masquerader.js: Added.
1835         (shouldThrow):
1836         * stress/is-undefined-or-null-builtin.js: Added.
1837         (shouldBe):
1838         (isUndefinedOrNull.vm.createBuiltin):
1839
1840 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1841
1842         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1843         https://bugs.webkit.org/show_bug.cgi?id=193221
1844
1845         Reviewed by Mark Lam.
1846
1847         * stress/put-by-id-flags.js: Added.
1848         (f):
1849         (g):
1850         (numberOfDFGCompiles):
1851
1852 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1853
1854         Baseline version of get_by_id may corrupt metadata
1855         https://bugs.webkit.org/show_bug.cgi?id=193085
1856         <rdar://problem/23453006>
1857
1858         Reviewed by Saam Barati.
1859
1860         * stress/get-by-id-change-mode.js: Added.
1861         (forEach):
1862
1863 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1864
1865         [JSC] Optimize Object.prototype.toString
1866         https://bugs.webkit.org/show_bug.cgi?id=193031
1867
1868         Reviewed by Saam Barati.
1869
1870         * stress/object-tostring-changed-proto.js: Added.
1871         (shouldBe):
1872         (test):
1873         * stress/object-tostring-changed.js: Added.
1874         (shouldBe):
1875         (test):
1876         * stress/object-tostring-misc.js: Added.
1877         (shouldBe):
1878         (test):
1879         (i.switch):
1880         * stress/object-tostring-other.js: Added.
1881         (shouldBe):
1882         (test):
1883         * stress/object-tostring-untyped.js: Added.
1884         (shouldBe):
1885         (test):
1886         (i.switch):
1887
1888 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1889
1890         test262-runner misbehaves when test file YAML has a trailing space
1891         https://bugs.webkit.org/show_bug.cgi?id=193053
1892
1893         Reviewed by Yusuke Suzuki.
1894
1895         * test262/expectations.yaml:
1896         Mark two dozen tests as passing (and correct the output of another).
1897
1898 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1899
1900         Unreviewed, JSTests gardening with memoryLimited
1901
1902         * stress/string-overflow-createError.js:
1903
1904 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1905
1906         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1907         https://bugs.webkit.org/show_bug.cgi?id=193050
1908
1909         Reviewed by Yusuke Suzuki.
1910
1911         * test262.yaml:
1912         * test262/expectations.yaml:
1913         Mark 16 tests as passing.
1914
1915 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1916
1917         [BigInt] Support BigInt in JSON.stringify
1918         https://bugs.webkit.org/show_bug.cgi?id=192624
1919
1920         Reviewed by Saam Barati.
1921
1922         * stress/big-int-json-stringify-to-json.js: Added.
1923         (shouldBe):
1924         (shouldThrow):
1925         (BigInt.prototype.toJSON):
1926         (shouldBe.JSON.stringify):
1927         * stress/big-int-json-stringify.js: Added.
1928         (shouldBe):
1929         (shouldThrow):
1930
1931 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1932
1933         [JSC] Implement "well-formed JSON.stringify" proposal
1934         https://bugs.webkit.org/show_bug.cgi?id=191677
1935
1936         Reviewed by Darin Adler.
1937
1938         * stress/json-surrogate-pair.js: Added.
1939         (shouldBe):
1940         * test262/expectations.yaml:
1941
1942 2018-12-20  Keith Miller  <keith_miller@apple.com>
1943
1944         Add support for globalThis
1945         https://bugs.webkit.org/show_bug.cgi?id=165171
1946
1947         Reviewed by Mark Lam.
1948
1949         * test262/config.yaml:
1950
1951 2018-12-19  Keith Miller  <keith_miller@apple.com>
1952
1953         Update test262 configuration to not run tests dependent on ICU version.
1954         https://bugs.webkit.org/show_bug.cgi?id=192920
1955
1956         Reviewed by Saam Barati.
1957
1958         * test262/expectations.yaml:
1959
1960 2018-12-20  Mark Lam  <mark.lam@apple.com>
1961
1962         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1963         https://bugs.webkit.org/show_bug.cgi?id=192939
1964         <rdar://problem/46869516>
1965
1966         Reviewed by Keith Miller.
1967
1968         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1969
1970 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1971
1972         WTF::String and StringImpl overflow MaxLength
1973         https://bugs.webkit.org/show_bug.cgi?id=192853
1974         <rdar://problem/45726906>
1975
1976         Reviewed by Mark Lam.
1977
1978         * stress/string-16bit-repeat-overflow.js: Added.
1979         (catch):
1980
1981 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1982
1983         Unreviewed follow-up to r192914.
1984
1985         * test262/expectations.yaml:
1986         Add the last 20 missing expectations.
1987
1988 2018-12-19  Keith Miller  <keith_miller@apple.com>
1989
1990         Fix test262 expectations
1991         https://bugs.webkit.org/show_bug.cgi?id=192914
1992
1993         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1994
1995         * test262/expectations.yaml:
1996
1997 2018-12-19  Keith Miller  <keith_miller@apple.com>
1998
1999         Update test262 tests.
2000         https://bugs.webkit.org/show_bug.cgi?id=192907
2001
2002         Rubber stamped by Mark Lam.
2003
2004         * test262/*: Omitted because prepare-changelog crashes.
2005
2006 2018-12-19  Mark Lam  <mark.lam@apple.com>
2007
2008         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2009         https://bugs.webkit.org/show_bug.cgi?id=192464
2010         <rdar://problem/46519455>
2011
2012         Reviewed by Saam Barati.
2013
2014         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2015         microbenchmark.
2016
2017         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2018         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2019
2020 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2021
2022         String overflow in JSC::createError results in ASSERT in WTF::makeString
2023         https://bugs.webkit.org/show_bug.cgi?id=192833
2024         <rdar://problem/45706868>
2025
2026         Reviewed by Mark Lam.
2027
2028         * stress/string-overflow-createError.js: Added.
2029
2030 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2031
2032         Error message for `-x ** y` contains a typo.
2033         https://bugs.webkit.org/show_bug.cgi?id=192832
2034
2035         Reviewed by Saam Barati.
2036
2037         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2038         (assert.assert.return.throws):
2039         * stress/pow-expects-update-expression-on-lhs.js:
2040         (throw.new.Error):
2041         Update test expectations which match against the exact error message.
2042
2043 2018-12-18  Mark Lam  <mark.lam@apple.com>
2044
2045         Gardening: test options fix.
2046         https://bugs.webkit.org/show_bug.cgi?id=192822
2047
2048         Unreviewed.
2049
2050         * stress/json-stringify-string-builder-overflow.js:
2051
2052 2018-12-18  Mark Lam  <mark.lam@apple.com>
2053
2054         JSON.stringify() should throw OOM on StringBuilder overflows.
2055         https://bugs.webkit.org/show_bug.cgi?id=192822
2056         <rdar://problem/46670577>
2057
2058         Reviewed by Saam Barati.
2059
2060         * stress/json-stringify-string-builder-overflow.js: Added.
2061
2062 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2063
2064         Redeclaration of var over let/const/class should be a syntax error.
2065         https://bugs.webkit.org/show_bug.cgi?id=192298
2066
2067         Reviewed by Keith Miller.
2068
2069         * test262.yaml:
2070         * test262/expectations.yaml:
2071         Mark 46 tests as passing.
2072
2073         * stress/block-scope-redeclarations.js:
2074         Add some new tests.
2075
2076         * stress/for-in-invalidate-context-weird-assignments.js:
2077         * stress/for-in-tests.js:
2078         Replace tests for outdated behavior with tests for SyntaxError.
2079
2080         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2081         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2082         Update expectations.
2083
2084 2018-12-18  Mark Lam  <mark.lam@apple.com>
2085
2086         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2087         https://bugs.webkit.org/show_bug.cgi?id=191374
2088         <rdar://problem/46525447>
2089
2090         Reviewed by Yusuke Suzuki.
2091
2092         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2093
2094         * stress/elidable-new-object-roflcopter-then-exit.js:
2095
2096 2018-12-17  Mark Lam  <mark.lam@apple.com>
2097
2098         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2099         https://bugs.webkit.org/show_bug.cgi?id=192019
2100         <rdar://problem/46525456>
2101
2102         Reviewed by Yusuke Suzuki.
2103
2104         The test runs too slow on 32-bit.
2105
2106         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2107
2108 2018-12-17  Mark Lam  <mark.lam@apple.com>
2109
2110         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2111         https://bugs.webkit.org/show_bug.cgi?id=191373
2112         <rdar://problem/46525458>
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         The test is already slow running with a JIT on 64-bit.  It will always time out
2117         on 32-bit without a JIT.
2118
2119         * stress/materialize-regexp-cyclic-regexp.js:
2120
2121 2018-12-17  Mark Lam  <mark.lam@apple.com>
2122
2123         Array unshift/shift should not race against the AI in the compiler thread.
2124         https://bugs.webkit.org/show_bug.cgi?id=192795
2125         <rdar://problem/46724263>
2126
2127         Reviewed by Saam Barati.
2128
2129         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2130
2131 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2132
2133         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2134         https://bugs.webkit.org/show_bug.cgi?id=190047
2135
2136         Reviewed by Saam Barati.
2137
2138         * stress/object-keys-cached-zero.js: Added.
2139         (shouldBe):
2140         (test):
2141         * stress/object-keys-changed-attribute.js: Added.
2142         (shouldBe):
2143         (test):
2144         * stress/object-keys-changed-index.js: Added.
2145         (shouldBe):
2146         (test):
2147         * stress/object-keys-changed.js: Added.
2148         (shouldBe):
2149         (test):
2150         * stress/object-keys-indexed-non-cache.js: Added.
2151         (shouldBe):
2152         (test):
2153         * stress/object-keys-overrides-get-property-names.js: Added.
2154         (shouldBe):
2155         (test):
2156         (noInline):
2157
2158 2018-12-17  Mark Lam  <mark.lam@apple.com>
2159
2160         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2161         https://bugs.webkit.org/show_bug.cgi?id=192779
2162         <rdar://problem/46775869>
2163
2164         Reviewed by Saam Barati.
2165
2166         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2167
2168 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2169
2170         Unreviewed test gardening, address a syntax error in a new test.
2171
2172         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2173
2174 2018-12-17  Mark Lam  <mark.lam@apple.com>
2175
2176         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2177         https://bugs.webkit.org/show_bug.cgi?id=192776
2178         <rdar://problem/46772368>
2179
2180         Reviewed by Keith Miller.
2181
2182         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2183
2184 2018-12-17  Mark Lam  <mark.lam@apple.com>
2185
2186         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2187         https://bugs.webkit.org/show_bug.cgi?id=192770
2188         <rdar://problem/46449037>
2189
2190         Reviewed by Keith Miller.
2191
2192         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2193
2194 2018-12-14  Mark Lam  <mark.lam@apple.com>
2195
2196         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2197         https://bugs.webkit.org/show_bug.cgi?id=192717
2198         <rdar://problem/46660677>
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/regress-192717.js: Added.
2203
2204 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2205
2206         Unreviewed, rolling out r239153, r239154, and r239155.
2207         https://bugs.webkit.org/show_bug.cgi?id=192715
2208
2209         Caused flaky GC-related crashes seen with layout tests
2210         (Requested by ryanhaddad on #webkit).
2211
2212         Reverted changesets:
2213
2214         "[JSC] Optimize Object.keys by caching own keys results in
2215         StructureRareData"
2216         https://bugs.webkit.org/show_bug.cgi?id=190047
2217         https://trac.webkit.org/changeset/239153
2218
2219         "Unreviewed, build fix after r239153"
2220         https://bugs.webkit.org/show_bug.cgi?id=190047
2221         https://trac.webkit.org/changeset/239154
2222
2223         "Unreviewed, build fix after r239153, part 2"
2224         https://bugs.webkit.org/show_bug.cgi?id=190047
2225         https://trac.webkit.org/changeset/239155
2226
2227 2018-12-14  Keith Miller  <keith_miller@apple.com>
2228
2229         Callers of JSString::getIndex should check for OOM exceptions
2230         https://bugs.webkit.org/show_bug.cgi?id=192709
2231
2232         Reviewed by Mark Lam.
2233
2234         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2235
2236 2018-12-13  Mark Lam  <mark.lam@apple.com>
2237
2238         Add a missing exception check.
2239         https://bugs.webkit.org/show_bug.cgi?id=192626
2240         <rdar://problem/46662163>
2241
2242         Reviewed by Keith Miller.
2243
2244         * stress/regress-192626.js: Added.
2245
2246 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2247
2248         [BigInt] Add ValueDiv into DFG
2249         https://bugs.webkit.org/show_bug.cgi?id=186178
2250
2251         Reviewed by Yusuke Suzuki.
2252
2253         * stress/big-int-div-jit-osr.js: Added.
2254         * stress/big-int-div-jit-untyped.js: Added.
2255         * stress/value-div-fixup-int32-big-int.js: Added.
2256
2257 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2258
2259         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2260         https://bugs.webkit.org/show_bug.cgi?id=190047
2261
2262         Reviewed by Keith Miller.
2263
2264         * stress/object-keys-cached-zero.js: Added.
2265         (shouldBe):
2266         (test):
2267         * stress/object-keys-changed-attribute.js: Added.
2268         (shouldBe):
2269         (test):
2270         * stress/object-keys-changed-index.js: Added.
2271         (shouldBe):
2272         (test):
2273         * stress/object-keys-changed.js: Added.
2274         (shouldBe):
2275         (test):
2276         * stress/object-keys-indexed-non-cache.js: Added.
2277         (shouldBe):
2278         (test):
2279         * stress/object-keys-overrides-get-property-names.js: Added.
2280         (shouldBe):
2281         (test):
2282         (noInline):
2283
2284 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2285
2286         [DFG][FTL] Add NewSymbol
2287         https://bugs.webkit.org/show_bug.cgi?id=192620
2288
2289         Reviewed by Saam Barati.
2290
2291         * microbenchmarks/symbol-creation.js: Added.
2292         (test):
2293         * stress/symbol-description-identity.js: Added.
2294         (shouldBe):
2295         (test):
2296         * stress/symbol-identity.js: Added.
2297         (shouldBe):
2298         (test):
2299         * stress/symbol-with-description-throw-error.js: Added.
2300         (shouldBe):
2301         (shouldThrow):
2302         (test):
2303         (object.toString):
2304
2305 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2306
2307         [BigInt] Implement DFG/FTL typeof for BigInt
2308         https://bugs.webkit.org/show_bug.cgi?id=192619
2309
2310         Reviewed by Keith Miller.
2311
2312         * stress/big-int-boolean-proven-type.js: Added.
2313         (assert):
2314         (bool):
2315         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2316         (assert):
2317         (typeOf):
2318         (i.switch):
2319         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2320         (assert):
2321         (typeOf):
2322         * stress/big-int-type-of.js:
2323         (typeOf):
2324         (func):
2325
2326 2018-12-10  Mark Lam  <mark.lam@apple.com>
2327
2328         PropertyAttribute needs a CustomValue bit.
2329         https://bugs.webkit.org/show_bug.cgi?id=191993
2330         <rdar://problem/46264467>
2331
2332         Reviewed by Saam Barati.
2333
2334         * stress/regress-191993.js: Added.
2335
2336 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2337
2338         [BigInt] Add ValueMul into DFG
2339         https://bugs.webkit.org/show_bug.cgi?id=186175
2340
2341         Reviewed by Yusuke Suzuki.
2342
2343         * stress/big-int-mul-jit-osr.js: Added.
2344         * stress/big-int-mul-jit-untyped.js: Added.
2345         * stress/value-mul-fixup-int32-big-int.js: Added.
2346
2347 2018-12-06  Keith Miller  <keith_miller@apple.com>
2348
2349         stress/big-wasm-memory tests failing on 32-bit JSC bot
2350         https://bugs.webkit.org/show_bug.cgi?id=192020
2351
2352         Reviewed by Saam Barati.
2353
2354         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2355         the wasm stress tests if the WebAssembly object does not exist.
2356
2357         * stress/big-wasm-memory-grow-no-max.js:
2358         (test.foo):
2359         (test):
2360         (foo): Deleted.
2361         (catch): Deleted.
2362         * stress/big-wasm-memory-grow.js:
2363         (test.foo):
2364         (test):
2365         (foo): Deleted.
2366         (catch): Deleted.
2367         * stress/big-wasm-memory.js:
2368         (test.foo):
2369         (test):
2370         (foo): Deleted.
2371         (catch): Deleted.
2372
2373 2018-12-05  Mark Lam  <mark.lam@apple.com>
2374
2375         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2376         https://bugs.webkit.org/show_bug.cgi?id=192441
2377         <rdar://problem/46480355>
2378
2379         Reviewed by Saam Barati.
2380
2381         * stress/regress-192441.js: Added.
2382
2383 2018-12-04  Mark Lam  <mark.lam@apple.com>
2384
2385         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2386         https://bugs.webkit.org/show_bug.cgi?id=192386
2387         <rdar://problem/46445516>
2388
2389         Reviewed by Saam Barati.
2390
2391         * stress/regress-192386.js: Added.
2392
2393 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2394
2395         [ESNext][BigInt] Support logic operations
2396         https://bugs.webkit.org/show_bug.cgi?id=179903
2397
2398         Reviewed by Yusuke Suzuki.
2399
2400         * stress/big-int-branch-usage.js: Added.
2401         * stress/big-int-logical-and.js: Added.
2402         * stress/big-int-logical-not.js: Added.
2403         * stress/big-int-logical-or.js: Added.
2404
2405 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2406
2407         Unreviewed, rolling out r238833.
2408
2409         Breaks macOS and iOS debug builds.
2410
2411         Reverted changeset:
2412
2413         "[ESNext][BigInt] Support logic operations"
2414         https://bugs.webkit.org/show_bug.cgi?id=179903
2415         https://trac.webkit.org/changeset/238833
2416
2417 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2418
2419         [ESNext][BigInt] Support logic operations
2420         https://bugs.webkit.org/show_bug.cgi?id=179903
2421
2422         Reviewed by Yusuke Suzuki.
2423
2424         * stress/big-int-branch-usage.js: Added.
2425         * stress/big-int-logical-and.js: Added.
2426         * stress/big-int-logical-not.js: Added.
2427         * stress/big-int-logical-or.js: Added.
2428
2429 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2430
2431         [ESNext][BigInt] Implement support for "<<" and ">>"
2432         https://bugs.webkit.org/show_bug.cgi?id=186233
2433
2434         Reviewed by Yusuke Suzuki.
2435
2436         * stress/big-int-left-shift-general.js: Added.
2437         * stress/big-int-left-shift-range-error.js: Added.
2438         * stress/big-int-left-shift-type-error.js: Added.
2439         * stress/big-int-left-shift-wrapped-value.js: Added.
2440         * stress/big-int-right-shift-general.js: Added.
2441         * stress/big-int-right-shift-type-error.js: Added.
2442         * stress/big-int-right-shift-wrapped-value.js: Added.
2443         * stress/left-shift-to-primitive-precedence.js: Added.
2444         * stress/right-shift-to-primitive-precedence.js: Added.
2445
2446 2018-11-30  Dean Jackson  <dino@apple.com>
2447
2448         Add first-class support for .mjs files in jsc binary
2449         https://bugs.webkit.org/show_bug.cgi?id=192190
2450         <rdar://problem/46375715>
2451
2452         Reviewed by Keith Miller.
2453
2454         * stress/simple-module.mjs: Added.
2455         * stress/simple-script.js: Added.
2456
2457 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2458
2459         [BigInt] Implement ValueBitXor into DFG
2460         https://bugs.webkit.org/show_bug.cgi?id=190264
2461
2462         Reviewed by Yusuke Suzuki.
2463
2464         * stress/big-int-bitwise-xor-jit.js: Added.
2465         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2466         * stress/big-int-bitwise-xor-untyped.js: Added.
2467
2468 2018-11-27  Saam barati  <sbarati@apple.com>
2469
2470         r238510 broke scopes of size zero
2471         https://bugs.webkit.org/show_bug.cgi?id=192033
2472         <rdar://problem/46281734>
2473
2474         Reviewed by Keith Miller.
2475
2476         * stress/r238510-bad-loop.js: Added.
2477         (foo):
2478
2479 2018-11-27  Mark Lam  <mark.lam@apple.com>
2480
2481         [Re-landing] NaNs read from Wasm code needs to be purified.
2482         https://bugs.webkit.org/show_bug.cgi?id=191056
2483         <rdar://problem/45660341>
2484
2485         Reviewed by Filip Pizlo.
2486
2487         * wasm/regress/regress-191056.js: Added.
2488
2489 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2490
2491         Unreviewed, rolling out r238509.
2492
2493         Causes JSC tests to fail on iOS.
2494
2495         Reverted changeset:
2496
2497         "NaNs read from Wasm code needs to be purified."
2498         https://bugs.webkit.org/show_bug.cgi?id=191056
2499         https://trac.webkit.org/changeset/238509
2500
2501 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2502
2503         Re-introduce op_bitnot
2504         https://bugs.webkit.org/show_bug.cgi?id=190923
2505
2506         Reviewed by Yusuke Suzuki.
2507
2508         * stress/bit-not-must-generate.js: Added.
2509         * stress/bitwise-not-no-int32.js: Added.
2510
2511 2018-11-26  Saam barati  <sbarati@apple.com>
2512
2513         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2514         https://bugs.webkit.org/show_bug.cgi?id=191956
2515         <rdar://problem/45665806>
2516
2517         Reviewed by Yusuke Suzuki.
2518
2519         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2520         (bar):
2521         (foo):
2522
2523 2018-11-26  Saam barati  <sbarati@apple.com>
2524
2525         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2526         https://bugs.webkit.org/show_bug.cgi?id=191958
2527         <rdar://problem/46221877>
2528
2529         Reviewed by Yusuke Suzuki.
2530
2531         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2532         (x):
2533         (foo):
2534
2535 2018-11-26  Mark Lam  <mark.lam@apple.com>
2536
2537         NaNs read from Wasm code needs to be purified.
2538         https://bugs.webkit.org/show_bug.cgi?id=191056
2539         <rdar://problem/45660341>
2540
2541         Reviewed by Filip Pizlo.
2542
2543         * wasm/regress/regress-191056.js: Added.
2544
2545 2018-11-26  Michael Saboff  <msaboff@apple.com>
2546
2547         32-bit JSC test failure: stress/regexp-compile-oom.js
2548         https://bugs.webkit.org/show_bug.cgi?id=191375
2549
2550         Reviewed by Mark Lam.
2551
2552         Disabled the test for 32 bit platforms.
2553
2554         * stress/regexp-compile-oom.js:
2555
2556 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2557
2558         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2559         https://bugs.webkit.org/show_bug.cgi?id=191716
2560         <rdar://problem/45723878>
2561
2562         Reviewed by Saam Barati.
2563
2564         * stress/regress-187373.js: Added.
2565         (async.fn):
2566
2567 2018-11-21  Saam barati  <sbarati@apple.com>
2568
2569         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2570         https://bugs.webkit.org/show_bug.cgi?id=191897
2571         <rdar://problem/45871998>
2572
2573         Reviewed by Mark Lam.
2574
2575         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2576         (bar):
2577         (foo):
2578
2579 2018-11-21  Saam barati  <sbarati@apple.com>
2580
2581         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2582         https://bugs.webkit.org/show_bug.cgi?id=191895
2583         <rdar://problem/46167406>
2584
2585         Reviewed by Mark Lam.
2586
2587         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2588         (foo):
2589         (bar):
2590
2591 2018-11-21  Mark Lam  <mark.lam@apple.com>
2592
2593         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2594         https://bugs.webkit.org/show_bug.cgi?id=191776
2595         <rdar://problem/46152851>
2596
2597         Reviewed by Saam Barati.
2598
2599         * stress/big-wasm-memory-grow-no-max.js:
2600         * stress/big-wasm-memory-grow.js:
2601         * stress/big-wasm-memory.js:
2602         - updated these to expect an OutOfMemoryError.
2603
2604         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2605         (Binary.prototype.emit_u8):
2606         (Binary.prototype.emit_u32v):
2607         (Binary.prototype.emit_header):
2608         (Binary.prototype.emit_section):
2609         (Binary):
2610         (WasmModuleBuilder):
2611         (WasmModuleBuilder.prototype.addMemory):
2612         (WasmModuleBuilder.prototype.toArray):
2613         (WasmModuleBuilder.prototype.toBuffer):
2614         (WasmModuleBuilder.prototype.instantiate):
2615         (catch):
2616         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2617         (catch):
2618
2619 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2620
2621         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2622         https://bugs.webkit.org/show_bug.cgi?id=190836
2623
2624         Reviewed by Saam Barati and Yusuke Suzuki.
2625
2626         * stress/big-int-out-of-memory-tests.js: Added.
2627
2628 2018-11-20  Mark Lam  <mark.lam@apple.com>
2629
2630         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2631         https://bugs.webkit.org/show_bug.cgi?id=191856
2632         <rdar://problem/46089992>
2633
2634         Reviewed by Yusuke Suzuki.
2635
2636         * stress/regress-191856.js: Added.
2637         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2638
2639 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2640
2641         Enable JIT on ARM/Linux
2642         https://bugs.webkit.org/show_bug.cgi?id=191548
2643
2644         Reviewed by Yusuke Suzuki.
2645
2646         Disable test on system with limited memory. Program was killed by
2647         the OS before the exception was thrown.
2648
2649         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2650
2651 2018-11-20  Saam barati  <sbarati@apple.com>
2652
2653         Merging an IC variant may lead to the IC status containing overlapping structure sets
2654         https://bugs.webkit.org/show_bug.cgi?id=191869
2655         <rdar://problem/45403453>
2656
2657         Reviewed by Mark Lam.
2658
2659         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2660
2661 2018-11-19  Mark Lam  <mark.lam@apple.com>
2662
2663         globalFuncImportModule() should return a promise when it clears exceptions.
2664         https://bugs.webkit.org/show_bug.cgi?id=191792
2665         <rdar://problem/46090763>
2666
2667         Reviewed by Michael Saboff.
2668
2669         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2670
2671 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2672
2673         Skip new memory-hungry tests on memory limited devices
2674
2675         Unreviewed gardening.
2676
2677         * stress/big-wasm-memory-grow-no-max.js:
2678         * stress/big-wasm-memory-grow.js:
2679         * stress/big-wasm-memory.js:
2680
2681 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2682
2683         Unreviewed, rolling in the rest of r237254
2684         https://bugs.webkit.org/show_bug.cgi?id=190340
2685
2686         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2687         * stress/function-cache-with-parameters-end-position.js: Added.
2688         (shouldBe):
2689         (shouldThrow):
2690         (i.anonymous):
2691         * stress/function-constructor-name.js: Added.
2692         (shouldBe):
2693         (GeneratorFunction):
2694         (AsyncFunction.async):
2695         (AsyncGeneratorFunction.async):
2696         (anonymous):
2697         (async.anonymous):
2698         * test262/expectations.yaml:
2699
2700 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2701
2702         All users of ArrayBuffer should agree on the same max size
2703         https://bugs.webkit.org/show_bug.cgi?id=191771
2704
2705         Reviewed by Mark Lam.
2706
2707         * stress/big-wasm-memory-grow-no-max.js: Added.
2708         (foo):
2709         (catch):
2710         * stress/big-wasm-memory-grow.js: Added.
2711         (foo):
2712         (catch):
2713         * stress/big-wasm-memory.js: Added.
2714         (foo):
2715         (catch):
2716
2717 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2718
2719         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2720         run for each JSC config since they're regression tests for runtime bugs.
2721
2722         * stress/json-stringified-overflow-2.js:
2723         * stress/json-stringified-overflow.js:
2724
2725 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2726
2727         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2728         config since they're regression tests for runtime bugs.
2729
2730         * stress/large-unshift-splice.js:
2731         * stress/regress-185888.js:
2732
2733 2018-11-16  Saam Barati  <sbarati@apple.com>
2734
2735         KnownCellUse should also have SpecCellCheck as its type filter
2736         https://bugs.webkit.org/show_bug.cgi?id=191729
2737         <rdar://problem/45872852>
2738
2739         Reviewed by Filip Pizlo.
2740
2741         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2742         (C):
2743
2744 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2745
2746         Fix assertion failure on BytecodeGenerator::recordOpcode
2747         https://bugs.webkit.org/show_bug.cgi?id=191724
2748         <rdar://problem/45724395>
2749
2750         Reviewed by Saam Barati.
2751
2752         * stress/regress-187373-2.js: Added.
2753         (foo):
2754
2755 2018-11-15  Mark Lam  <mark.lam@apple.com>
2756
2757         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2758         https://bugs.webkit.org/show_bug.cgi?id=191730
2759         <rdar://problem/46048517>
2760
2761         Reviewed by Saam Barati.
2762
2763         * stress/regress-187006.js: Removed.
2764           - this test is invalid because its sole purpose is to test for the non-spec
2765             compliant behavior that we just fixed.
2766
2767         * stress/regress-191730.js: Added.
2768
2769 2018-11-15  Mark Lam  <mark.lam@apple.com>
2770
2771         RegExp operations should not take fast path if lastIndex is not numeric.
2772         https://bugs.webkit.org/show_bug.cgi?id=191731
2773         <rdar://problem/46017305>
2774
2775         Reviewed by Saam Barati.
2776
2777         * stress/regress-191731.js: Added.
2778
2779 2018-11-13  Saam Barati  <sbarati@apple.com>
2780
2781         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2782         https://bugs.webkit.org/show_bug.cgi?id=191600
2783
2784         Reviewed by Mark Lam.
2785
2786         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2787         (foo):
2788         (test):
2789         (bar):
2790
2791 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2792
2793         Unreviewed, rolling out r238132.
2794
2795         The test added with this change is timing out on Debug JSC
2796         bots.
2797
2798         Reverted changeset:
2799
2800         "[BigInt] JSBigInt::createWithLength should throw when length
2801         is greater than JSBigInt::maxLength"
2802         https://bugs.webkit.org/show_bug.cgi?id=190836
2803         https://trac.webkit.org/changeset/238132
2804
2805 2018-11-13  Mark Lam  <mark.lam@apple.com>
2806
2807         Add OOM detection to StringPrototype's substituteBackreferences().
2808         https://bugs.webkit.org/show_bug.cgi?id=191563
2809         <rdar://problem/45720428>
2810
2811         Reviewed by Saam Barati.
2812
2813         * stress/regress-191563.js: Added.
2814
2815 2018-11-13  Mark Lam  <mark.lam@apple.com>
2816
2817         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2818         https://bugs.webkit.org/show_bug.cgi?id=191579
2819         <rdar://problem/45942472>
2820
2821         Reviewed by Saam Barati.
2822
2823         * stress/regress-191579.js: Added.
2824
2825 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2826
2827         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2828         https://bugs.webkit.org/show_bug.cgi?id=190836
2829
2830         Reviewed by Saam Barati.
2831
2832         * stress/big-int-out-of-memory-tests.js: Added.
2833
2834 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2835
2836         U+180E is no longer a whitespace character
2837         https://bugs.webkit.org/show_bug.cgi?id=191415
2838
2839         Reviewed by Saam Barati.
2840
2841         * ChakraCore/test/es5/regexSpace.baseline:
2842         * ChakraCore/test/es6/unicode_whitespace.js:
2843         Update tests to latest version.
2844         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2845
2846         * test262.yaml:
2847         * test262/config.yaml:
2848         * test262/expectations.yaml:
2849         Update expectations.
2850
2851 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2852
2853         [BigInt] Add support to BigInt into ValueAdd
2854         https://bugs.webkit.org/show_bug.cgi?id=186177
2855
2856         Reviewed by Keith Miller.
2857
2858         * stress/big-int-negate-jit.js:
2859         * stress/value-add-big-int-and-string.js: Added.
2860         * stress/value-add-big-int-prediction-propagation.js: Added.
2861         * stress/value-add-big-int-untyped.js: Added.
2862
2863 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2864
2865         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2866         https://bugs.webkit.org/show_bug.cgi?id=191184
2867
2868         Reviewed by Saam Barati.
2869
2870         Most tests were failing due to timeouts, since they are too slow to
2871         run on CLoop. The exceptions are:
2872
2873         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2874         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2875         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2876         to change the stack size since CLoop requires it to be page aligned.
2877
2878         * microbenchmarks/array-push-1.js:
2879         * microbenchmarks/array-push-2.js:
2880         * microbenchmarks/elidable-new-object-dag.js:
2881         * microbenchmarks/elidable-new-object-roflcopter.js:
2882         * microbenchmarks/elidable-new-object-tree.js:
2883         * microbenchmarks/getter-richards.js:
2884         * microbenchmarks/sinkable-new-object-dag.js:
2885         * microbenchmarks/string-concat-long-convert.js:
2886         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2887         * slowMicrobenchmarks/array-push-3.js:
2888         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2889         * slowMicrobenchmarks/spread-small-array.js:
2890         * slowMicrobenchmarks/undefined-property-access.js:
2891         * stress/activation-sink-default-value-tdz-error.js:
2892         * stress/activation-sink-default-value.js:
2893         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2894         * stress/activation-sink-osrexit-default-value.js:
2895         * stress/activation-sink-osrexit.js:
2896         * stress/activation-sink.js:
2897         * stress/allow-math-ic-b3-code-duplication.js:
2898         * stress/array-push-multiple-int32.js:
2899         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2900         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2901         * stress/arrowfunction-lexical-this-activation-sink.js:
2902         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2903         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2904         * stress/elide-new-object-dag-then-exit.js:
2905         * stress/materialize-regexp-cyclic.js:
2906         * stress/new-regex-inline.js:
2907         * stress/op_add.js:
2908         * stress/op_bitand.js:
2909         * stress/op_bitor.js:
2910         * stress/op_bitxor.js:
2911         * stress/op_div-ConstVar.js:
2912         * stress/op_div-VarConst.js:
2913         * stress/op_div-VarVar.js:
2914         * stress/op_lshift-ConstVar.js:
2915         * stress/op_lshift-VarConst.js:
2916         * stress/op_lshift-VarVar.js:
2917         * stress/op_mod-ConstVar.js:
2918         * stress/op_mod-VarConst.js:
2919         * stress/op_mod-VarVar.js:
2920         * stress/op_mul-ConstVar.js:
2921         * stress/op_mul-VarConst.js:
2922         * stress/op_mul-VarVar.js:
2923         * stress/op_rshift-ConstVar.js:
2924         * stress/op_rshift-VarConst.js:
2925         * stress/op_rshift-VarVar.js:
2926         * stress/op_sub-ConstVar.js:
2927         * stress/op_sub-VarConst.js:
2928         * stress/op_sub-VarVar.js:
2929         * stress/op_urshift-ConstVar.js:
2930         * stress/op_urshift-VarConst.js:
2931         * stress/op_urshift-VarVar.js:
2932         * stress/proxy-get-set-correct-receiver.js:
2933         * stress/regress-179562.js:
2934         * stress/rest-parameter-many-arguments.js:
2935         * stress/sampling-profiler-richards.js:
2936         * stress/splay-flash-access-1ms.js:
2937         * stress/tailCallForwardArguments.js:
2938         * stress/typed-array-get-by-val-profiling.js:
2939         * typeProfiler/getter-richards.js:
2940
2941 2018-11-06  Michael Saboff  <msaboff@apple.com>
2942
2943         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2944         https://bugs.webkit.org/show_bug.cgi?id=191271
2945
2946         Reviewed by Saam Barati.
2947
2948         Added more test cases and made all test cases run with the same deeply recursive stack
2949         instead of finding that same point for each test case.
2950
2951         * stress/regexp-compile-oom.js:
2952         (prototype.runTest):
2953         (recurseAndTest):
2954         (testList.push.new.TestAndExpectedException):
2955
2956 2018-11-05  Michael Saboff  <msaboff@apple.com>
2957
2958         Unreviewed build fix for linux.
2959
2960         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2961
2962 2018-11-02  Michael Saboff  <msaboff@apple.com>
2963
2964         Rolling in r237753 with unreviewed build fix.
2965
2966         Fixed issues with DECLARE_THROW_SCOPE placement.
2967
2968 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2969
2970         Unreviewed, rolling out r237753.
2971
2972         Introduced JSC test failures
2973
2974         Reverted changeset:
2975
2976         "Running out of stack space not properly handled in
2977         RegExp::compile() and its callers"
2978         https://bugs.webkit.org/show_bug.cgi?id=191206
2979         https://trac.webkit.org/changeset/237753
2980
2981 2018-11-02  Michael Saboff  <msaboff@apple.com>
2982
2983         Running out of stack space not properly handled in RegExp::compile() and its callers
2984         https://bugs.webkit.org/show_bug.cgi?id=191206
2985
2986         Reviewed by Filip Pizlo.
2987
2988         New regression test.
2989
2990         * stress/regexp-compile-oom.js: Added.
2991         (recurseAndTest):
2992
2993 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2994
2995         Skip tests on arm/mips that time out now we're running on CLoop
2996
2997         Unreviewed gardening.
2998
2999         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3000         time out on the bots and need to be disabled. There's more tests
3001         disabled on arm because the timeout is longer on the mips bot (as the
3002         device is slower to start with), so many of the tests don't time out
3003         there.
3004
3005         * microbenchmarks/getter-richards.js: disable on arm and mips.
3006         * stress/op_add.js: disable on arm.
3007         * stress/op_bitand.js: disable on arm.
3008         * stress/op_bitor.js: disable on arm.
3009         * stress/op_bitxor.js: disable on arm.
3010         * stress/op_lshift-ConstVar.js: disable on arm.
3011         * stress/op_lshift-VarConst.js: disable on arm.
3012         * stress/op_lshift-VarVar.js: disable on arm.
3013         * stress/op_mod-ConstVar.js: disable on arm.
3014         * stress/op_mod-VarConst.js: disable on arm.
3015         * stress/op_mod-VarVar.js: disable on arm.
3016         * stress/op_mul-ConstVar.js: disable on arm.
3017         * stress/op_mul-VarConst.js: disable on arm.
3018         * stress/op_mul-VarVar.js: disable on arm.
3019         * stress/op_rshift-ConstVar.js: disable on arm.
3020         * stress/op_rshift-VarConst.js: disable on arm.
3021         * stress/op_rshift-VarVar.js: disable on arm.
3022         * stress/op_sub-ConstVar.js: disable on arm.
3023         * stress/op_sub-VarConst.js: disable on arm.
3024         * stress/op_sub-VarVar.js: disable on arm.
3025         * stress/op_urshift-ConstVar.js: disable on arm.
3026         * stress/op_urshift-VarConst.js: disable on arm.
3027         * stress/op_urshift-VarVar.js: disable on arm.
3028         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3029         * stress/value-to-boolean.js: disable on arm and mips.
3030
3031 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3032
3033         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3034         https://bugs.webkit.org/show_bug.cgi?id=191108
3035         <rdar://problem/45690700>
3036
3037         Reviewed by Saam Barati.
3038
3039         * stress/wide-op_catch.js: Added.
3040         (catch):
3041
3042 2018-10-29  Mark Lam  <mark.lam@apple.com>
3043
3044         Correctly detect string overflow when using the 'Function' constructor.
3045         https://bugs.webkit.org/show_bug.cgi?id=184883
3046         <rdar://problem/36320331>
3047
3048         Reviewed by Saam Barati.
3049
3050         I've verified that this passes on 32-bit as well.
3051
3052         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3053
3054 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3055
3056         Add support for GetStack FlushedDouble
3057         https://bugs.webkit.org/show_bug.cgi?id=191012
3058         <rdar://problem/45265141>
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/get-stack-double.js: Added.
3063         (bar):
3064         (noInline):
3065
3066 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3067
3068         New bytecode format for JSC
3069         https://bugs.webkit.org/show_bug.cgi?id=187373
3070         <rdar://problem/44186758>
3071
3072         Reviewed by Filip Pizlo.
3073
3074         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3075
3076         * stress/maximum-inline-capacity.js: Added.
3077         (test1):
3078         (test3.Foo):
3079         (test3):
3080
3081 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3082
3083         Unreviewed, rolling out r237479 and r237484.
3084         https://bugs.webkit.org/show_bug.cgi?id=190978
3085
3086         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3087
3088         Reverted changesets:
3089
3090         "New bytecode format for JSC"
3091         https://bugs.webkit.org/show_bug.cgi?id=187373
3092         https://trac.webkit.org/changeset/237479
3093
3094         "Gardening: Build fix after r237479."
3095         https://bugs.webkit.org/show_bug.cgi?id=187373
3096         https://trac.webkit.org/changeset/237484
3097
3098 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3099
3100         New bytecode format for JSC
3101         https://bugs.webkit.org/show_bug.cgi?id=187373
3102         <rdar://problem/44186758>
3103
3104         Reviewed by Filip Pizlo.
3105
3106         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3107
3108         * stress/maximum-inline-capacity.js: Added.
3109         (test1):
3110         (test3.Foo):
3111         (test3):
3112
3113 2018-10-26  Mark Lam  <mark.lam@apple.com>
3114
3115         Fix missing edge cases with JSGlobalObjects having a bad time.
3116         https://bugs.webkit.org/show_bug.cgi?id=189028
3117         <rdar://problem/45204939>
3118
3119         Reviewed by Saam Barati.
3120
3121         * stress/regress-189028.js: Added.
3122
3123 2018-10-22  Mark Lam  <mark.lam@apple.com>
3124
3125         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3126         https://bugs.webkit.org/show_bug.cgi?id=190515
3127         <rdar://problem/45222379>
3128
3129         Rubber-stamped by Saam Barati.
3130
3131         Adding another test.
3132
3133         * stress/regress-190515-2.js: Added.
3134
3135 2018-10-22  Mark Lam  <mark.lam@apple.com>
3136
3137         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3138         https://bugs.webkit.org/show_bug.cgi?id=190515
3139         <rdar://problem/45222379>
3140
3141         Reviewed by Saam Barati.
3142
3143         * stress/regress-190515.js: Added.
3144
3145 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3146
3147         Unreviewed, rolling out r237254.
3148         https://bugs.webkit.org/show_bug.cgi?id=190760
3149
3150         "It regresses JetStream 2 by 5% on some iOS devices"
3151         (Requested by saamyjoon on #webkit).
3152
3153         Reverted changeset:
3154
3155         "[JSC] JSC should have "parseFunction" to optimize Function
3156         constructor"
3157         https://bugs.webkit.org/show_bug.cgi?id=190340
3158         https://trac.webkit.org/changeset/237254
3159
3160 2018-10-19  Saam Barati  <sbarati@apple.com>
3161
3162         vmCall should check if we exit before emitting an OSR exit due to exceptions
3163         https://bugs.webkit.org/show_bug.cgi?id=190740
3164         <rdar://problem/45220139>
3165
3166         Reviewed by Mark Lam.
3167
3168         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3169         (foo):
3170
3171 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3172
3173         [ESNext][BigInt] Implement support for "^"
3174         https://bugs.webkit.org/show_bug.cgi?id=186235
3175
3176         Reviewed by Yusuke Suzuki.
3177
3178         * stress/big-int-bitwise-xor-general.js: Added.
3179         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3180         * stress/big-int-bitwise-xor-type-error.js: Added.
3181         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3182
3183 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3184
3185         [BigInt] Add ValueSub into DFG
3186         https://bugs.webkit.org/show_bug.cgi?id=186176
3187
3188         Reviewed by Yusuke Suzuki.
3189
3190         * stress/big-int-subtraction-jit.js:
3191         * stress/value-sub-big-int-prediction-propagation.js: Added.
3192         * stress/value-sub-big-int-untyped.js: Added.
3193         * stress/value-sub-spec-none-case.js: Added.
3194
3195 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3196
3197         [JSC] JSC should have "parseFunction" to optimize Function constructor
3198         https://bugs.webkit.org/show_bug.cgi?id=190340
3199
3200         Reviewed by Mark Lam.
3201
3202         This patch fixes the line number of syntax errors raised by the Function constructor,
3203         since we now parse the final code only once. And we no longer use block statement
3204         for Function constructor's parsing.
3205
3206         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3207         * stress/function-cache-with-parameters-end-position.js: Added.
3208         (shouldBe):
3209         (shouldThrow):
3210         (i.anonymous):
3211         * stress/function-constructor-name.js: Added.
3212         (shouldBe):
3213         (GeneratorFunction):
3214         (AsyncFunction.async):
3215         (AsyncGeneratorFunction.async):
3216         (anonymous):
3217         (async.anonymous):
3218         * test262/expectations.yaml:
3219
3220 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3221
3222         Unreviewed, rolling out r237242.
3223         https://bugs.webkit.org/show_bug.cgi?id=190701
3224
3225         it breaks "stress/sampling-profiler-basic.js" (Requested by
3226         caiolima on #webkit).
3227
3228         Reverted changeset:
3229
3230         "[BigInt] Add ValueSub into DFG"
3231         https://bugs.webkit.org/show_bug.cgi?id=186176
3232         https://trac.webkit.org/changeset/237242
3233
3234 2018-10-17  Keith Miller  <keith_miller@apple.com>
3235
3236         AI does not clear Phantom allocation nodes.
3237         https://bugs.webkit.org/show_bug.cgi?id=190694
3238
3239         Reviewed by Saam Barati.
3240
3241         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3242         (Day):
3243         (DaysInYear):
3244         (TimeInYear):
3245         (TimeFromYear):
3246         (DayFromYear):
3247         (InLeapYear):
3248         (YearFromTime):
3249         (WeekDay):
3250         (DaylightSavingTA):
3251         (GetSecondSundayInMarch):
3252         (TimeInMonth):
3253
3254 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3255
3256         [BigInt] Add ValueSub into DFG
3257         https://bugs.webkit.org/show_bug.cgi?id=186176
3258
3259         Reviewed by Yusuke Suzuki.
3260
3261         * stress/big-int-subtraction-jit.js:
3262         * stress/value-sub-big-int-prediction-propagation.js: Added.
3263         * stress/value-sub-big-int-untyped.js: Added.
3264
3265 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3266
3267         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3268         https://bugs.webkit.org/show_bug.cgi?id=190611
3269
3270         Reviewed by Saam Barati.
3271
3272         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3273         to improve test runtime. On ARM/MIPS this test even timed out when running all
3274         tests.
3275
3276         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3277         (test):
3278
3279 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3280
3281         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3282
3283         Unreviewed gardening.
3284
3285         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3286
3287 2018-10-15  Saam barati  <sbarati@apple.com>
3288
3289         Emit fjcvtzs on ARM64E on Darwin
3290         https://bugs.webkit.org/show_bug.cgi?id=184023
3291
3292         Reviewed by Yusuke Suzuki and Filip Pizlo.
3293
3294         * stress/double-to-int32-NaN.js: Added.
3295         (assert):
3296         (foo):
3297
3298 2018-10-15  Saam Barati  <sbarati@apple.com>
3299
3300         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3301         https://bugs.webkit.org/show_bug.cgi?id=190262
3302         <rdar://problem/44986241>
3303
3304         Reviewed by Mark Lam.
3305
3306         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3307         (test):
3308         * stress/slice-array-storage-with-holes.js: Added.
3309         (main):
3310
3311 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3312
3313         Unreviewed, rolling out r237054.
3314         https://bugs.webkit.org/show_bug.cgi?id=190593
3315
3316         "this regressed JetStream 2 by 6% on iOS" (Requested by
3317         saamyjoon on #webkit).
3318
3319         Reverted changeset:
3320
3321         "[JSC] JSC should have "parseFunction" to optimize Function
3322         constructor"
3323         https://bugs.webkit.org/show_bug.cgi?id=190340
3324         https://trac.webkit.org/changeset/237054
3325
3326 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3327
3328         [JSC] JSON.stringify can accept call-with-no-arguments
3329         https://bugs.webkit.org/show_bug.cgi?id=190343
3330
3331         Reviewed by Mark Lam.
3332
3333         * stress/json-stringify-no-arguments.js: Added.
3334         (shouldBe):
3335
3336 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3337
3338         [JSC] JSC should have "parseFunction" to optimize Function constructor
3339         https://bugs.webkit.org/show_bug.cgi?id=190340
3340
3341         Reviewed by Mark Lam.
3342
3343         This patch fixes the line number of syntax errors raised by the Function constructor,
3344         since we now parse the final code only once. And we no longer use block statement
3345         for Function constructor's parsing.
3346
3347         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3348         * stress/function-cache-with-parameters-end-position.js: Added.
3349         (shouldBe):
3350         (shouldThrow):
3351         (i.anonymous):
3352         * stress/function-constructor-name.js: Added.
3353         (shouldBe):
3354         (GeneratorFunction):
3355         (AsyncFunction.async):
3356         (AsyncGeneratorFunction.async):
3357         (anonymous):
3358         (async.anonymous):
3359         * test262/expectations.yaml:
3360
3361 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3362
3363         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3364         https://bugs.webkit.org/show_bug.cgi?id=190426
3365
3366         Unreviewed gardening.
3367
3368         * stress/sampling-profiler-richards.js:
3369
3370 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3371
3372         [ESNext][BigInt] Implement support for "|"
3373         https://bugs.webkit.org/show_bug.cgi?id=186229
3374
3375         Reviewed by Yusuke Suzuki.
3376
3377         * stress/big-int-bitwise-and-jit.js:
3378         * stress/big-int-bitwise-or-general.js: Added.
3379         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3380         * stress/big-int-bitwise-or-jit.js: Added.
3381         * stress/big-int-bitwise-or-memory-stress.js: Added.
3382         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3383         * stress/big-int-bitwise-or-type-error.js: Added.
3384         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3385
3386 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3387
3388         Skip test on systems with limited memory
3389         https://bugs.webkit.org/show_bug.cgi?id=190310
3390
3391         Invoking runDefault adds test to runlist, skipping the test in the next
3392         line does not prevent the test from executing. Change order of lines such
3393         that runDefault is only executed if test is not executed.
3394
3395         Reviewed by Mark Lam.
3396
3397         * stress/regress-190187.js:
3398
3399 2018-10-03  Saam barati  <sbarati@apple.com>
3400
3401         lowXYZ in FTLLower should always filter the type of the incoming edge
3402         https://bugs.webkit.org/show_bug.cgi?id=189939
3403         <rdar://problem/44407030>
3404
3405         Reviewed by Michael Saboff.
3406
3407         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3408         (foo):
3409         (test):
3410
3411 2018-10-03  Mark Lam  <mark.lam@apple.com>
3412
3413         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3414         https://bugs.webkit.org/show_bug.cgi?id=190187
3415         <rdar://problem/42512909>
3416
3417         Reviewed by Michael Saboff.
3418
3419         * stress/regress-190187.js: Added.
3420
3421 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3422
3423         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3424         https://bugs.webkit.org/show_bug.cgi?id=190033
3425
3426         Reviewed by Yusuke Suzuki.
3427
3428         * stress/big-int-to-string.js:
3429
3430 2018-10-01  Mark Lam  <mark.lam@apple.com>
3431
3432         Function.toString() should also copy the source code Functions that are class definitions.
3433         https://bugs.webkit.org/show_bug.cgi?id=190186
3434         <rdar://problem/44733360>
3435
3436         Reviewed by Saam Barati.
3437
3438         * stress/regress-190186.js: Added.
3439
3440 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3441
3442         Split NaN-check into separate test
3443         https://bugs.webkit.org/show_bug.cgi?id=190010
3444
3445         Reviewed by Saam Barati.
3446
3447         DataView exposes NaN-representation, which is not necessarily the same on each
3448         architecture. Therefore move the check of the NaN-representation into its own
3449         file such that we can disable this test on MIPS where NaN-representation can be
3450         different on older CPUs.
3451
3452         * stress/dataview-jit-set-nan.js: Added.
3453         (assert):
3454         (test.storeLittleEndian):
3455         (test.storeBigEndian):
3456         (test.store):
3457         (test):
3458         * stress/dataview-jit-set.js:
3459         (test5):
3460
3461 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3462
3463         Unreviewed, rolling out r236647.
3464         https://bugs.webkit.org/show_bug.cgi?id=190124
3465
3466         Breaking test stress/big-int-to-string.js (Requested by
3467         caiolima_ on #webkit).
3468
3469         Reverted changeset:
3470
3471         "[BigInt] BigInt.prototype.toString is broken when radix is
3472         power of 2"
3473         https://bugs.webkit.org/show_bug.cgi?id=190033
3474         https://trac.webkit.org/changeset/236647
3475
3476 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3477
3478         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3479         https://bugs.webkit.org/show_bug.cgi?id=190033
3480
3481         Reviewed by Yusuke Suzuki.
3482
3483         * stress/big-int-to-string.js:
3484
3485 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3486
3487         [ESNext][BigInt] Implement support for "&"
3488         https://bugs.webkit.org/show_bug.cgi?id=186228
3489
3490         Reviewed by Yusuke Suzuki.
3491
3492         * stress/big-int-bitwise-and-general.js: Added.
3493         (assert):
3494         (assert.sameValue):
3495         * stress/big-int-bitwise-and-jit.js: Added.
3496         (let.assert.sameValue):
3497         (bigIntBitAnd):
3498         * stress/big-int-bitwise-and-memory-stress.js: Added.
3499         (assert):
3500         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3501         (assert.sameValue):
3502         (let.o.Symbol.toPrimitive):
3503         (catch):
3504         * stress/big-int-bitwise-and-type-error.js: Added.
3505         (assert):
3506         (assertThrowTypeError):
3507         (let.o.valueOf):
3508         (o.valueOf):
3509         (o.toString):
3510         (o.Symbol.toPrimitive):
3511         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3512         (assert.sameValue):
3513         (testBitAnd):
3514         (let.o.Symbol.toPrimitive):
3515         (o.valueOf):
3516         (o.toString):
3517
3518 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3519
3520         JSC test stress/jsc-read.js doesn't support CRLF
3521         https://bugs.webkit.org/show_bug.cgi?id=190063
3522
3523         Reviewed by Yusuke Suzuki.
3524
3525         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3526
3527         * stress/jsc-read.js:
3528         (test):
3529
3530 2018-09-27  Saam barati  <sbarati@apple.com>
3531
3532         Verify the contents of AssemblerBuffer on arm64e
3533         https://bugs.webkit.org/show_bug.cgi?id=190057
3534         <rdar://problem/38916630>
3535
3536         Reviewed by Mark Lam.
3537
3538         * stress/regress-189132.js:
3539
3540 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3541
3542         Disable test without LLInt on ARMv7
3543         https://bugs.webkit.org/show_bug.cgi?id=190037
3544
3545         Reviewed by Mark Lam.
3546
3547         Test runs out of executable memory on ARMv7; do not run
3548         this test without LLInt enabled.
3549
3550         * stress/regress-169445.js:
3551
3552 2018-09-26  Keith Miller  <keith_miller@apple.com>
3553
3554         We should zero unused property storage when rebalancing array storage.
3555         https://bugs.webkit.org/show_bug.cgi?id=188151
3556
3557         Reviewed by Michael Saboff.
3558
3559         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3560
3561 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3562
3563         [JSC] Optimize Array#lastIndexOf
3564         https://bugs.webkit.org/show_bug.cgi?id=189780
3565
3566         Reviewed by Saam Barati.
3567
3568         * stress/array-lastindexof-array-prototype-trap.js: Added.
3569         (shouldBe):
3570         (AncestorArray.prototype.get 2):
3571         (AncestorArray):
3572         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3573         (shouldBe):
3574         * stress/array-lastindexof-hole-nan.js: Added.
3575         (shouldBe):
3576         (throw.new.Error):
3577         * stress/array-lastindexof-infinity.js: Added.
3578         (shouldBe):
3579         (throw.new.Error):
3580         * stress/array-lastindexof-negative-zero.js: Added.
3581         (shouldBe):
3582         (throw.new.Error):
3583         * stress/array-lastindexof-own-getter.js: Added.
3584         (shouldBe):
3585         (throw.new.Error.get array):
3586         (get array):
3587         * stress/array-lastindexof-prototype-trap.js: Added.
3588         (shouldBe):
3589         (DerivedArray.prototype.get 2):
3590         (DerivedArray):
3591
3592 2018-09-25  Saam Barati  <sbarati@apple.com>
3593
3594         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3595         https://bugs.webkit.org/show_bug.cgi?id=189940
3596         <rdar://problem/43640987>
3597
3598         Reviewed by Mark Lam.
3599
3600         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3601
3602 2018-09-24  Saam Barati  <sbarati@apple.com>
3603
3604         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3605         https://bugs.webkit.org/show_bug.cgi?id=189922
3606         <rdar://problem/44651275>
3607
3608         Reviewed by Mark Lam.
3609
3610         * stress/array-indexof-fast-path-effects.js: Added.
3611         * stress/array-indexof-cached-length.js: Added.
3612
3613 2018-09-24  Saam barati  <sbarati@apple.com>
3614
3615         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3616         https://bugs.webkit.org/show_bug.cgi?id=189682
3617         <rdar://problem/43557315>
3618
3619         Reviewed by Mark Lam.
3620
3621         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3622         (foo):
3623
3624 2018-09-22  Saam barati  <sbarati@apple.com>
3625
3626         The sampling should not use Strong<CodeBlock> in its machineLocation field
3627         https://bugs.webkit.org/show_bug.cgi?id=189319
3628
3629         Reviewed by Filip Pizlo.
3630
3631         * stress/sampling-profiler-richards.js: Added.
3632
3633 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3634
3635         [JSC] Optimize Array#indexOf in C++ runtime
3636         https://bugs.webkit.org/show_bug.cgi?id=189507
3637
3638         Reviewed by Saam Barati.
3639
3640         * stress/array-indexof-array-prototype-trap.js: Added.
3641         (shouldBe):
3642         (AncestorArray.prototype.get 2):
3643         (AncestorArray):
3644         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3645         (shouldBe):
3646         * stress/array-indexof-hole-nan.js: Added.
3647         (shouldBe):
3648         (throw.new.Error):
3649         * stress/array-indexof-infinity.js: Added.
3650         (shouldBe):
3651         (throw.new.Error):
3652         * stress/array-indexof-negative-zero.js: Added.
3653         (shouldBe):
3654         (throw.new.Error):
3655         * stress/array-indexof-own-getter.js: Added.
3656         (shouldBe):
3657         (throw.new.Error.get array):
3658         (get array):
3659         * stress/array-indexof-prototype-trap.js: Added.
3660         (shouldBe):
3661         (DerivedArray.prototype.get 2):
3662         (DerivedArray):
3663
3664 2018-09-19  Saam barati  <sbarati@apple.com>
3665
3666         AI rule for MultiPutByOffset executes its effects in the wrong order
3667         https://bugs.webkit.org/show_bug.cgi?id=189757
3668         <rdar://problem/43535257>
3669
3670         Reviewed by Michael Saboff.
3671
3672         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3673         (foo):
3674         (Foo):
3675         (g):
3676
3677 2018-09-17  Mark Lam  <mark.lam@apple.com>
3678
3679         Ensure that ForInContexts are invalidated if their loop local is over-written.
3680         https://bugs.webkit.org/show_bug.cgi?id=189571
3681         <rdar://problem/44402277>
3682
3683         Reviewed by Saam Barati.
3684
3685         * stress/regress-189571.js: Added.
3686
3687 2018-09-17  Saam barati  <sbarati@apple.com>
3688
3689         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3690         https://bugs.webkit.org/show_bug.cgi?id=189676
3691         <rdar://problem/39682897>
3692
3693         Reviewed by Michael Saboff.
3694
3695         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3696         (A):
3697         (K):
3698         (i.catch):
3699
3700 2018-09-14  Saam barati  <sbarati@apple.com>
3701
3702         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3703         https://bugs.webkit.org/show_bug.cgi?id=189628
3704         <rdar://problem/39481690>
3705
3706         Reviewed by Mark Lam.
3707
3708         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3709         (foo):
3710
3711 2018-09-11  Mark Lam  <mark.lam@apple.com>
3712
3713         Test for array initialization in arrayProtoFuncSplice.
3714         https://bugs.webkit.org/show_bug.cgi?id=170253
3715         <rdar://problem/31328773>
3716
3717         Rubber-stamped by Saam Barati.
3718
3719         * stress/regress-170253.js: Added.
3720
3721 2018-09-11  Mark Lam  <mark.lam@apple.com>
3722
3723         Test for IntlObject initialization.
3724         https://bugs.webkit.org/show_bug.cgi?id=170251
3725         <rdar://problem/31328419>
3726
3727         Rubber-stamped by Saam Barati.
3728
3729         * stress/regress-170251.js: Added.
3730
3731 2018-09-11  Mark Lam  <mark.lam@apple.com>
3732
3733         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3734         https://bugs.webkit.org/show_bug.cgi?id=169889
3735         <rdar://problem/31155607>
3736
3737         Reviewed by Saam Barati.
3738
3739         * stress/regress-169889-array-concat.js: Added.
3740         * stress/regress-169889-array-concat1.js: Added.
3741         * stress/regress-169889-array-slice.js: Added.
3742
3743 2018-09-11  Mark Lam  <mark.lam@apple.com>
3744
3745         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3746         https://bugs.webkit.org/show_bug.cgi?id=169445
3747         <rdar://problem/30957435>
3748
3749         Reviewed by Saam Barati.
3750
3751         * stress/regress-169445.js: Added.
3752         (let.gun.eval.A):
3753         (let.gun.eval.B.C):
3754         (let.gun.eval.B.C.prototype.trigger):
3755         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3756         (let.gun.eval.B):
3757         (let.gun.eval):
3758
3759 == Rolled over to ChangeLog-2018-09-11 ==