AbstractValue::validateOSREntryValue is wrong for Int52 constants
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-10  Saam Barati  <sbarati@apple.com>
2
3         AbstractValue::validateOSREntryValue is wrong for Int52 constants
4         https://bugs.webkit.org/show_bug.cgi?id=196801
5         <rdar://problem/49771122>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
10
11 2019-04-10  Robin Morisset  <rmorisset@apple.com>
12
13         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
14         https://bugs.webkit.org/show_bug.cgi?id=196746
15
16         Reviewed by Yusuke Suzuki.
17
18         * stress/cyclic-define-properties.js: Added.
19         (foo):
20
21 2019-04-09  Saam barati  <sbarati@apple.com>
22
23         Clean up Int52 code and some bugs in it
24         https://bugs.webkit.org/show_bug.cgi?id=196639
25         <rdar://problem/49515757>
26
27         Reviewed by Yusuke Suzuki.
28
29         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
30
31 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
32
33         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
34         https://bugs.webkit.org/show_bug.cgi?id=196708
35         <rdar://problem/49556803>
36
37         Reviewed by Yusuke Suzuki.
38
39         * stress/proxy-getter-stack-overflow.js: Added.
40         (const.handler.get target):
41         (const.handler.has):
42         (try.with):
43         (catch):
44
45 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
46
47         [JSC] DFG should respect node's strict flag
48         https://bugs.webkit.org/show_bug.cgi?id=196617
49
50         Reviewed by Saam Barati.
51
52         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
53         (shouldEqual):
54         (makeUnwriteableUnconfigurableObject):
55         (runTest):
56         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
57         (shouldBe):
58         (shouldThrow):
59         (with.result):
60         (with.putValueStrict):
61         (with.putValueSloppy):
62
63 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
64
65         [JSC] isRope jump in StringSlice should not jump over register allocations
66         https://bugs.webkit.org/show_bug.cgi?id=196716
67
68         Reviewed by Saam Barati.
69
70         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
71         (foo.bar):
72         (foo):
73
74 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
75
76         [JSC] to_index_string should not assume incoming value is Uint32
77         https://bugs.webkit.org/show_bug.cgi?id=196713
78
79         Reviewed by Saam Barati.
80
81         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
82         (foo):
83
84 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
85
86         [JSC] Add more tests for r243966
87         https://bugs.webkit.org/show_bug.cgi?id=196711
88
89         Reviewed by Saam Barati.
90
91         Adding one more test for r243966 fix. The added test will not crash after r243966.
92
93         * stress/stress-cleared-calllinkinfo.js: Added.
94         (runNearStackLimit.t):
95         (runNearStackLimit):
96         (repeat):
97         (cls):
98         (let.item.of.array.runNearStackLimit):
99
100 2019-04-08  Saam Barati  <sbarati@apple.com>
101
102         WebAssembly.RuntimeError missing exception check
103         https://bugs.webkit.org/show_bug.cgi?id=196700
104         <rdar://problem/49693932>
105
106         Reviewed by Yusuke Suzuki.
107
108         * wasm/js-api/runtime-error-should-exception-check.js: Added.
109
110 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         Unreviewed, rolling in r243948 with test fix
113         https://bugs.webkit.org/show_bug.cgi?id=196486
114
115         * stress/arrow-function-and-use-strict-directive.js: Added.
116         * stress/arrow-function-syntax.js: Added.
117         (checkSyntax):
118         (checkSyntaxError):
119
120 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
121
122         Unreviewed, rolling out r243948.
123
124         Caused inspector/runtime/parse.html to fail
125
126         Reverted changeset:
127
128         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
129         https://bugs.webkit.org/show_bug.cgi?id=196486
130         https://trac.webkit.org/changeset/243948
131
132 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
133
134         Unreviewed, rolling out r243943.
135
136         Caused test262 failures.
137
138         Reverted changeset:
139
140         "[JSC] Filter DontEnum properties in
141         ProxyObject::getOwnPropertyNames()"
142         https://bugs.webkit.org/show_bug.cgi?id=176810
143         https://trac.webkit.org/changeset/243943
144
145 2019-04-07  Michael Saboff  <msaboff@apple.com>
146
147         REGRESSION (r243642): Crash in reddit.com page
148         https://bugs.webkit.org/show_bug.cgi?id=196684
149
150         Reviewed by Geoffrey Garen.
151
152         New regression test.
153
154         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
155
156 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
157
158         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
159         https://bugs.webkit.org/show_bug.cgi?id=196683
160
161         Reviewed by Saam Barati.
162
163         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
164         (foo):
165
166 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
167
168         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
169         https://bugs.webkit.org/show_bug.cgi?id=196582
170
171         Reviewed by Saam Barati.
172
173         * stress/add-overflow-check-with-three-same-registers.js: Added.
174         (foo):
175         (Number.prototype.valueOf):
176         (runWithNumber):
177
178 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
179
180         Unreviewed, rolling out r243665.
181
182         Caused iOS JSC tests to exit with an exception.
183
184         Reverted changeset:
185
186         "Assertion failed in JSC::createError"
187         https://bugs.webkit.org/show_bug.cgi?id=196305
188         https://trac.webkit.org/changeset/243665
189
190 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
191
192         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
193         https://bugs.webkit.org/show_bug.cgi?id=196486
194
195         Reviewed by Saam Barati.
196
197         * stress/arrow-function-and-use-strict-directive.js: Added.
198         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
199         (checkSyntax):
200         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
201
202 2019-04-05  Caitlin Potter  <caitp@igalia.com>
203
204         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
205         https://bugs.webkit.org/show_bug.cgi?id=176810
206
207         Reviewed by Saam Barati.
208
209         Add tests for the DontEnum filtering, and variations of other tests
210         take the DontEnum-filtering path.
211
212         * stress/proxy-own-keys.js:
213         (i.catch):
214         (set assert):
215         (set add):
216         (let.set new):
217         (get let):
218
219 2019-04-05  Caitlin Potter  <caitp@igalia.com>
220
221         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
222         https://bugs.webkit.org/show_bug.cgi?id=185211
223
224         Reviewed by Saam Barati.
225
226         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
227
228         This changes several assertions to expect a TypeError to be thrown (in some cases,
229         changing thee expected message).
230
231         * es6/Proxy_ownKeys_duplicates.js:
232         (handler):
233         (shouldThrow):
234         (test):
235         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
236         (shouldThrow):
237         * stress/proxy-own-keys.js:
238         (i.catch):
239         (assert):
240
241 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
242
243         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
244         https://bugs.webkit.org/show_bug.cgi?id=196631
245
246         Reviewed by Saam Barati.
247
248         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
249         (assert):
250         (test):
251         (foo):
252
253 2019-04-04  Saam Barati  <sbarati@apple.com>
254
255         Unreviewed. Make the test from r243906 catch the thrown exceptions.
256
257         * stress/inferred-types-regex-matches-array.js:
258
259 2019-04-04  Saam Barati  <sbarati@apple.com>
260
261         createRegExpMatchesArray does not respect inferred types
262         https://bugs.webkit.org/show_bug.cgi?id=193287
263
264         Reviewed by Yusuke Suzuki.
265
266         This checks in the test case for 193287. This issue was discovered by
267         Samuel GroƟ of Google Project Zero.
268
269         * stress/inferred-types-regex-matches-array.js: Added.
270
271 2019-04-04  Saam barati  <sbarati@apple.com>
272
273         Teach Call ICs how to call Wasm
274         https://bugs.webkit.org/show_bug.cgi?id=196387
275
276         Reviewed by Filip Pizlo.
277
278         * wasm/function-tests/stack-trace.js:
279
280 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
281
282         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
283         https://bugs.webkit.org/show_bug.cgi?id=194944
284
285         Reviewed by Keith Miller.
286
287         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
288
289 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
290
291         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
292         https://bugs.webkit.org/show_bug.cgi?id=196409
293
294         Reviewed by Saam Barati.
295
296         * stress/bytecode-cache-cached-string-impl.js: Added.
297         (f):
298         (g):
299         * stress/bytecode-cache-run-string.js: Added.
300
301 2019-04-03  Robin Morisset  <rmorisset@apple.com>
302
303         B3 should use associativity to optimize expression trees
304         https://bugs.webkit.org/show_bug.cgi?id=194081
305
306         Reviewed by Filip Pizlo.
307
308         Added three microbenchmarks:
309         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
310         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
311           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
312         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
313
314         * microbenchmarks/add-tree.js: Added.
315         * microbenchmarks/bit-or-tree.js: Added.
316         * microbenchmarks/bit-xor-tree.js: Added.
317
318 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
319
320         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
321         https://bugs.webkit.org/show_bug.cgi?id=196574
322
323         Reviewed by Saam Barati.
324
325         * stress/string-index-of-exception-check.js: Added.
326         (blurType):
327         (1.forEach):
328
329 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
330
331         Assertion failed in JSC::createError
332         https://bugs.webkit.org/show_bug.cgi?id=196305
333         <rdar://problem/49387382>
334
335         Reviewed by Saam Barati.
336
337         * stress/create-error-out-of-memory-rope-string-2.js: Added.
338         (assert):
339         (catch):
340
341 2019-03-28  Saam Barati  <sbarati@apple.com>
342
343         BackwardsGraph needs to consider back edges as the backward's root successor
344         https://bugs.webkit.org/show_bug.cgi?id=195991
345
346         Reviewed by Filip Pizlo.
347
348         * stress/map-b3-licm-infinite-loop.js: Added.
349
350 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
351
352         CodeBlock::jettison() should disallow repatching its own calls
353         https://bugs.webkit.org/show_bug.cgi?id=196359
354         <rdar://problem/48973663>
355
356         Reviewed by Saam Barati.
357
358         * stress/call-link-info-osrexit-repatch.js: Added.
359         (foo):
360
361 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
362
363         [JSC] imports-oom.js intermittently fails
364         https://bugs.webkit.org/show_bug.cgi?id=196373
365
366         Reviewed by Saam Barati.
367
368         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
369         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
370         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
371         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
372         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
373
374         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
375         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
376
377         * wasm/lowExecutableMemory/imports-oom.js:
378
379 2019-03-27  Saam Barati  <sbarati@apple.com>
380
381         validateOSREntryValue with Int52 should box the value being checked into double format
382         https://bugs.webkit.org/show_bug.cgi?id=196313
383         <rdar://problem/49306703>
384
385         Reviewed by Yusuke Suzuki.
386
387         * stress/validate-int-52-ai-state.js: Added.
388
389 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
390
391         [JSC] Owner of watchpoints should validate at GC finalizing phase
392         https://bugs.webkit.org/show_bug.cgi?id=195827
393
394         Reviewed by Filip Pizlo.
395
396         * stress/gc-should-reap-dead-watchpoints.js: Added.
397         (foo):
398         (A.prototype.y):
399         (A):
400
401 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
402
403         Skip WebAssembly test on 32-bit systems
404         https://bugs.webkit.org/show_bug.cgi?id=196206
405
406         Reviewed by Saam Barati.
407
408         Invoking runDefault executes test immediately even though
409         that test should be skipped due to missing WASM support.
410         Therefore remove runDefault.
411
412         * wasm/regress/web-assembly-link-error-exception-check.js:
413
414 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
415
416         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
417         https://bugs.webkit.org/show_bug.cgi?id=196217
418
419         Reviewed by Saam Barati.
420
421         Re-enable all NaN tests for f32.min, f64.min and f64.max.
422
423         * wasm/spec-tests/f32.wast.js:
424         * wasm/spec-tests/f64.wast.js:
425         * wasm/wasm.json:
426
427 2019-03-25  Keith Miller  <keith_miller@apple.com>
428
429         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
430         https://bugs.webkit.org/show_bug.cgi?id=196176
431
432         Reviewed by Saam Barati.
433
434         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
435         (main.v10):
436         (main):
437
438 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
439
440         WebAssembly: f32.max with NaN generates incorrect result
441         https://bugs.webkit.org/show_bug.cgi?id=175691
442         <rdar://problem/33952228>
443
444         Reviewed by Saam Barati.
445
446         Enable all f32.max NaN tests
447
448         * wasm/spec-tests/f32.wast.js:
449         * wasm/wasm.json:
450
451 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
452
453         [JSC] Move test into directory for WASM tests
454         https://bugs.webkit.org/show_bug.cgi?id=196187
455
456         Reviewed by Mark Lam.
457
458         Move Test into wasm-directory. Otherwise this test
459         is also executed on systems without WASM support.
460
461         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
462
463 2019-03-23  Mark Lam  <mark.lam@apple.com>
464
465         Rolling out r243032 and r243071 because the fix is incorrect.
466         https://bugs.webkit.org/show_bug.cgi?id=195892
467         <rdar://problem/48981239>
468
469         Not reviewed.
470
471         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
472
473 2019-03-22  Mark Lam  <mark.lam@apple.com>
474
475         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
476         https://bugs.webkit.org/show_bug.cgi?id=196154
477         <rdar://problem/49145307>
478
479         Reviewed by Filip Pizlo.
480
481         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
482         There's no need to run this test on more than 1 test configuration.
483
484         * stress/typed-array-lastIndexOf-exception-check.js: Added.
485         * stress/web-assembly-link-error-exception-check.js:
486
487 2019-03-22  Mark Lam  <mark.lam@apple.com>
488
489         Placate exception check validation in constructJSWebAssemblyLinkError().
490         https://bugs.webkit.org/show_bug.cgi?id=196152
491         <rdar://problem/49145257>
492
493         Reviewed by Michael Saboff.
494
495         * stress/web-assembly-link-error-exception-check.js: Added.
496
497 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
498
499         Skip tests running out of memory on ARM/MIPS
500         https://bugs.webkit.org/show_bug.cgi?id=196131
501
502         Unreviewed. Skip test if memory is limited.
503
504         * microbenchmarks/put-by-val-direct-large-index.js:
505
506 2019-03-21  Mark Lam  <mark.lam@apple.com>
507
508         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
509         https://bugs.webkit.org/show_bug.cgi?id=196116
510         <rdar://problem/48976951>
511
512         Reviewed by Filip Pizlo.
513
514         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
515
516 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
517
518         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
519         https://bugs.webkit.org/show_bug.cgi?id=196078
520         <rdar://problem/35925380>
521
522         Reviewed by Mark Lam.
523
524         Add a new benchmark that allocates several objects and invokes put_by_val_direct
525         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
526
527         * microbenchmarks/put-by-val-direct-large-index.js: Added.
528
529 2019-03-21  Mark Lam  <mark.lam@apple.com>
530
531         Placate exception check validation in operationArrayIndexOfString().
532         https://bugs.webkit.org/show_bug.cgi?id=196067
533         <rdar://problem/49056572>
534
535         Reviewed by Michael Saboff.
536
537         * stress/string-equal-exception-check.js: Added.
538
539 2019-03-21  Mark Lam  <mark.lam@apple.com>
540
541         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
542         https://bugs.webkit.org/show_bug.cgi?id=196055
543         <rdar://problem/49067448>
544
545         Reviewed by Yusuke Suzuki.
546
547         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
548
549 2019-03-20  Saam Barati  <sbarati@apple.com>
550
551         typeOfDoubleSum is wrong for when NaN can be produced
552         https://bugs.webkit.org/show_bug.cgi?id=196030
553
554         Reviewed by Filip Pizlo.
555
556         * stress/double-add-sub-mul-can-produce-nan.js: Added.
557         (assert):
558         (noInline.sub):
559         (noInline):
560         (assert.mul):
561         (assert.add):
562
563 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
564
565         Update the test to ensure OutOfMemoryError is thrown as intended
566         https://bugs.webkit.org/show_bug.cgi?id=196032
567         <rdar://problem/46842740>
568
569         Rubber stamped by Saam Barati.
570
571         * stress/create-error-out-of-memory-rope-string.js:
572         (assert):
573         (catch):
574
575 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
576
577         JSC::createError needs to check for OOM in errorDescriptionForValue
578         https://bugs.webkit.org/show_bug.cgi?id=196032
579         <rdar://problem/46842740>
580
581         Reviewed by Mark Lam.
582
583         * stress/create-error-out-of-memory-rope-string.js: Added.
584
585 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
586
587         Unreviewed, reduce # of iterations to avoid timing out after r242991
588         https://bugs.webkit.org/show_bug.cgi?id=195791
589
590         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
591
592         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
593
594 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
595
596         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
597         https://bugs.webkit.org/show_bug.cgi?id=195950
598
599         Unreviewed, reducing the amount of memory used on this test to avoid
600         OOM on devices with memory restrictions.
601
602         * microbenchmarks/generate-multiple-llint-entrypoints.js:
603
604 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
605
606         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
607         https://bugs.webkit.org/show_bug.cgi?id=194648
608
609         Reviewed by Keith Miller.
610
611         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
612
613 2019-03-18  Mark Lam  <mark.lam@apple.com>
614
615         Missing a ThrowScope release in JSObject::toString().
616         https://bugs.webkit.org/show_bug.cgi?id=195893
617         <rdar://problem/48970986>
618
619         Reviewed by Michael Saboff.
620
621         * stress/to-string-exception-check-release.js: Added.
622
623 2019-03-18  Mark Lam  <mark.lam@apple.com>
624
625         Structure::flattenDictionary() should clear unused property slots.
626         https://bugs.webkit.org/show_bug.cgi?id=195871
627         <rdar://problem/48959497>
628
629         Reviewed by Michael Saboff.
630
631         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
632
633 2019-03-15  Mark Lam  <mark.lam@apple.com>
634
635         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
636         https://bugs.webkit.org/show_bug.cgi?id=195827
637         <rdar://problem/48845513>
638
639         Reviewed by Filip Pizlo.
640
641         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
642
643 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
644
645         [ARM,MIPS] Skip slow tests
646         https://bugs.webkit.org/show_bug.cgi?id=195799
647
648         Unreviewed, test does not finish on ARM and MIPS within the
649         timeout limit.
650
651         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
652
653 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
654
655         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
656         https://bugs.webkit.org/show_bug.cgi?id=195791
657         <rdar://problem/48806130>
658
659         Reviewed by Mark Lam.
660
661         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
662         (foo):
663
664 2019-03-14  Saam barati  <sbarati@apple.com>
665
666         We can't remove code after ForceOSRExit until after FixupPhase
667         https://bugs.webkit.org/show_bug.cgi?id=186916
668         <rdar://problem/41396612>
669
670         Reviewed by Yusuke Suzuki.
671
672         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
673         (foo):
674         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
675         (foo):
676
677 2019-03-13  Michael Saboff  <msaboff@apple.com>
678
679         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
680         https://bugs.webkit.org/show_bug.cgi?id=195735
681
682         Reviewed by Mark Lam.
683
684         New regression test.
685
686         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
687         (foo):
688         (bar):
689
690 2019-03-14  Saam barati  <sbarati@apple.com>
691
692         Fixup uses KnownInt32 incorrectly in some nodes
693         https://bugs.webkit.org/show_bug.cgi?id=195279
694         <rdar://problem/47915654>
695
696         Reviewed by Yusuke Suzuki.
697
698         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
699         (foo):
700
701 2019-03-14  Keith Miller  <keith_miller@apple.com>
702
703         DFG liveness can't skip tail caller inline frames
704         https://bugs.webkit.org/show_bug.cgi?id=195715
705
706         Reviewed by Saam Barati.
707
708         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
709         (i.foo):
710
711 2019-03-13  Mark Lam  <mark.lam@apple.com>
712
713         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
714         https://bugs.webkit.org/show_bug.cgi?id=195415
715
716         Not reviewed.
717
718         Changed these tests to only run the default configuration.
719         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
720         There's no strong need to run this test on that variant.
721
722         * stress/dfg-to-string-on-int-does-gc.js:
723         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
724
725 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
726
727         String overflow when using StringBuilder in JSC::createError
728         https://bugs.webkit.org/show_bug.cgi?id=194957
729
730         Reviewed by Mark Lam.
731
732         Add test string-overflow-createError-bulder.js that overflows
733         StringBuilder in notAFunctionSourceAppender. The second new test
734         string-overflow-createError-fit.js has an error message that doesn't
735         overflow, it still failed since the String's capacity can't be doubled.
736         Run test string-overflow-createError.js only in the default
737         configuration to reduce memory consumption when running the test
738         in all configurations on multiple CPUs in parallel.
739
740         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
741         (catch):
742         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
743         (catch):
744         * stress/string-overflow-createError.js:
745
746 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
747
748         [JSC] OSR entry should respect abstract values in addition to flush formats
749         https://bugs.webkit.org/show_bug.cgi?id=195653
750
751         Reviewed by Mark Lam.
752
753         * stress/osr-entry-locals-none.js: Added.
754
755 2019-03-12  Michael Saboff  <msaboff@apple.com>
756
757         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
758         https://bugs.webkit.org/show_bug.cgi?id=195613
759
760         Reviewed by Mark Lam.
761
762         New regression test.
763
764         * stress/regexp-backref-inbounds.js: Added.
765         (testRegExp):
766
767 2019-03-12  Mark Lam  <mark.lam@apple.com>
768
769         The HasIndexedProperty node does GC.
770         https://bugs.webkit.org/show_bug.cgi?id=195559
771         <rdar://problem/48767923>
772
773         Reviewed by Yusuke Suzuki.
774
775         * stress/HasIndexedProperty-does-gc.js: Added.
776
777 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
778
779         [ESNext][BigInt] Implement "~" unary operation
780         https://bugs.webkit.org/show_bug.cgi?id=182216
781
782         Reviewed by Keith Miller.
783
784         * stress/big-int-bit-not-general.js: Added.
785         * stress/big-int-bitwise-not-jit.js: Added.
786         * stress/big-int-bitwise-not-wrapped-value.js: Added.
787         * stress/bit-op-with-object-returning-int32.js:
788         * stress/bitwise-not-fixup-rules.js: Added.
789         * stress/value-bit-not-ai-rule.js: Added.
790
791 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
792
793         Invalid flags in a RegExp literal should be an early SyntaxError
794         https://bugs.webkit.org/show_bug.cgi?id=195514
795
796         Reviewed by Darin Adler.
797
798         * test262/expectations.yaml:
799         Mark 4 test cases as passing.
800
801         * stress/regexp-syntax-error-invalid-flags.js:
802         * stress/regress-161995.js: Removed.
803         Update existing test, merging in an older test for the same behavior.
804
805 2019-03-08  Mark Lam  <mark.lam@apple.com>
806
807         Stack overflow crash in JSC::JSObject::hasInstance.
808         https://bugs.webkit.org/show_bug.cgi?id=195458
809         <rdar://problem/48710195>
810
811         Reviewed by Yusuke Suzuki.
812
813         * stress/stack-overflow-in-custom-hasInstance.js: Added.
814
815 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
816
817         op_check_tdz does not def its argument
818         https://bugs.webkit.org/show_bug.cgi?id=192880
819         <rdar://problem/46221598>
820
821         Reviewed by Saam Barati.
822
823         * microbenchmarks/let-for-in.js: Added.
824         (foo):
825
826 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
827
828         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
829         https://bugs.webkit.org/show_bug.cgi?id=195429
830
831         Reviewed by Saam Barati.
832
833         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
834         (foo):
835         * stress/string-from-char-code-255.js: Added.
836
837 2019-03-06  Mark Lam  <mark.lam@apple.com>
838
839         Fix incorrect handling of try-finally completion values.
840         https://bugs.webkit.org/show_bug.cgi?id=195131
841         <rdar://problem/46222079>
842
843         Reviewed by Saam Barati and Yusuke Suzuki.
844
845         Added many permutations of new test case to test-finally.js.  test-finally.js has
846         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
847         tests passes there as well.
848
849         * stress/test-finally.js:
850
851 2019-03-06  Saam Barati  <sbarati@apple.com>
852
853         Air::reportUsedRegisters must padInterference
854         https://bugs.webkit.org/show_bug.cgi?id=195303
855         <rdar://problem/48270343>
856
857         Reviewed by Keith Miller.
858
859         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
860
861 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
862
863         [JSC] AI should not propagate AbstractValue relying on constant folding phase
864         https://bugs.webkit.org/show_bug.cgi?id=195375
865
866         Reviewed by Saam Barati.
867
868         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
869         (let.array):
870
871 2019-03-05  Saam barati  <sbarati@apple.com>
872
873         op_switch_char broken for rope strings after JSRopeString layout rewrite
874         https://bugs.webkit.org/show_bug.cgi?id=195339
875         <rdar://problem/48592545>
876
877         Reviewed by Yusuke Suzuki.
878
879         * stress/switch-on-char-llint-rope.js: Added.
880
881 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] Store bits for JSRopeString in 3 stores
884         https://bugs.webkit.org/show_bug.cgi?id=195234
885
886         Reviewed by Saam Barati.
887
888         * stress/null-rope-and-collectors.js: Added.
889
890 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
891
892         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
893         https://bugs.webkit.org/show_bug.cgi?id=195207
894
895         Unreviewed. After test runtime was reduced in r242213, test can be
896         run again on ARM/MIPS.
897
898         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
899
900 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
901
902         [JSC] sizeof(JSString) should be 16
903         https://bugs.webkit.org/show_bug.cgi?id=194375
904
905         Reviewed by Saam Barati.
906
907         * microbenchmarks/make-rope.js: Added.
908         (makeRope):
909         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
910         (returnRope.helper): Deleted.
911         (returnRope): Deleted.
912
913 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
916         https://bugs.webkit.org/show_bug.cgi?id=195144
917
918         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
919         Change the number from 1e8 to 1e5.
920
921         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
922         (foo):
923
924 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
925
926         Test times out on ARM/MIPS
927         https://bugs.webkit.org/show_bug.cgi?id=195168
928
929         Unreviewed. Skip test on ARM/MIPS.
930
931         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
932
933 2019-02-27  Mark Lam  <mark.lam@apple.com>
934
935         The parser is failing to record the token location of new in new.target.
936         https://bugs.webkit.org/show_bug.cgi?id=195127
937         <rdar://problem/39645578>
938
939         Reviewed by Yusuke Suzuki.
940
941         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
942
943 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
944
945         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
946         https://bugs.webkit.org/show_bug.cgi?id=195144
947         <rdar://problem/47595961>
948
949         Reviewed by Mark Lam.
950
951         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
952         (bar):
953         (foo):
954         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
955         (bar):
956         (foo):
957
958 2019-02-27  Robin Morisset  <rmorisset@apple.com>
959
960         DFG: Loop-invariant code motion (LICM) should not hoist dead code
961         https://bugs.webkit.org/show_bug.cgi?id=194945
962         <rdar://problem/48311657>
963
964         Reviewed by Mark Lam.
965
966         * stress/licm-dead-code.js: Added.
967
968 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
969
970         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
971         https://bugs.webkit.org/show_bug.cgi?id=194677
972         <rdar://problem/48112492>
973
974         Reviewed by Mark Lam.
975
976         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
977         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
978         it immediately fails due the large size.
979
980         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
981         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
982         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
983         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
984
985         This patch changes the test to produce 16bit string from String.fromCharCode.
986
987         * stress/regress-178386.js:
988
989 2019-02-26  Mark Lam  <mark.lam@apple.com>
990
991         wasmToJS() should purify incoming NaNs.
992         https://bugs.webkit.org/show_bug.cgi?id=194807
993         <rdar://problem/48189132>
994
995         Reviewed by Saam Barati.
996
997         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
998
999 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1000
1001         [JSC] Repeat string created from Array.prototype.join() take too much memory
1002         https://bugs.webkit.org/show_bug.cgi?id=193912
1003
1004         Reviewed by Saam Barati.
1005
1006         Added a test and a microbenchmark for corner cases of
1007         Array.prototype.join() with an uninitialized array.
1008
1009         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1010         * stress/array-prototype-join-uninitialized.js: Added.
1011         (testArray):
1012         (testABC):
1013         (B):
1014         (C):
1015
1016 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1017
1018         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1019         https://bugs.webkit.org/show_bug.cgi?id=194953
1020         <rdar://problem/47595253>
1021
1022         Reviewed by Saam Barati.
1023
1024         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1025
1026         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1027
1028 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1029
1030         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1031         https://bugs.webkit.org/show_bug.cgi?id=172848
1032         <rdar://problem/25709212>
1033
1034         Reviewed by Mark Lam.
1035
1036         * typeProfiler/inheritance.js:
1037         Rewrite the test slightly for clarity. The hoisting was confusing.
1038
1039         * heapProfiler/class-names.js: Added.
1040         (MyES5Class):
1041         (MyES6Class):
1042         (MyES6Subclass):
1043         Test object types and improved class names.
1044
1045         * heapProfiler/driver/driver.js:
1046         (CheapHeapSnapshotNode):
1047         (CheapHeapSnapshot):
1048         (createCheapHeapSnapshot):
1049         (HeapSnapshot):
1050         (createHeapSnapshot):
1051         Update snapshot parsing from version 1 to version 2.
1052
1053 2019-02-19  Truitt Savell  <tsavell@apple.com>
1054
1055         Unreviewed, rolling out r241784.
1056
1057         Broke all OpenSource builds.
1058
1059         Reverted changeset:
1060
1061         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1062         instances view"
1063         https://bugs.webkit.org/show_bug.cgi?id=172848
1064         https://trac.webkit.org/changeset/241784
1065
1066 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1067
1068         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1069         https://bugs.webkit.org/show_bug.cgi?id=172848
1070         <rdar://problem/25709212>
1071
1072         Reviewed by Mark Lam.
1073
1074         * typeProfiler/inheritance.js:
1075         Rewrite the test slightly for clarity. The hoisting was confusing.
1076
1077         * heapProfiler/class-names.js: Added.
1078         (MyES5Class):
1079         (MyES6Class):
1080         (MyES6Subclass):
1081         Test object types and improved class names.
1082
1083         * heapProfiler/driver/driver.js:
1084         (CheapHeapSnapshotNode):
1085         (CheapHeapSnapshot):
1086         (createCheapHeapSnapshot):
1087         (HeapSnapshot):
1088         (createHeapSnapshot):
1089         Update snapshot parsing from version 1 to version 2.
1090
1091 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1092
1093         [ARM] Fix crash with sampling profiler
1094         https://bugs.webkit.org/show_bug.cgi?id=194772
1095
1096         Reviewed by Mark Lam.
1097
1098         Do not skip test since crash with sampling profiler is now fixed.
1099
1100         * stress/sampling-profiler-richards.js:
1101
1102 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1103
1104         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1105         https://bugs.webkit.org/show_bug.cgi?id=194784
1106         <rdar://problem/48154820>
1107
1108         Reviewed by Mark Lam.
1109
1110         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1111         (getProperties):
1112         (getRandomProperty):
1113         (i.catch):
1114
1115 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1116
1117         [ARM] Test gardening: Test running out of executable memory
1118         https://bugs.webkit.org/show_bug.cgi?id=194771
1119
1120         Unreviewed. Do not run test without LLInt, test is running out of executable
1121         memory on ARM otherwise.
1122
1123         * stress/tagged-template-object-collect.js:
1124
1125 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1126
1127         Unreviewed, skip the test on platforms without sampling profiler
1128
1129         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1130         (platformSupportsSamplingProfiler.foo):
1131         (platformSupportsSamplingProfiler.test):
1132         (platformSupportsSamplingProfiler):
1133         (foo): Deleted.
1134         (test): Deleted.
1135
1136 2019-02-17  Saam Barati  <sbarati@apple.com>
1137
1138         Deadlock when adding a Structure property transition and then doing incremental marking
1139         https://bugs.webkit.org/show_bug.cgi?id=194767
1140
1141         Reviewed by Mark Lam.
1142
1143         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1144
1145 2019-02-15  Michael Saboff  <msaboff@apple.com>
1146
1147         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1148         https://bugs.webkit.org/show_bug.cgi?id=194558
1149
1150         Reviewed by Saam Barati.
1151
1152         New regression test.
1153
1154         * stress/regexp-unicode-within-string.js: Added.
1155
1156 2019-02-15  Mark Lam  <mark.lam@apple.com>
1157
1158         SamplingProfiler::stackTracesAsJSON() should escape strings.
1159         https://bugs.webkit.org/show_bug.cgi?id=194649
1160         <rdar://problem/48072386>
1161
1162         Reviewed by Saam Barati.
1163
1164         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1165         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1166         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1167         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1168
1169 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1170         CodeBlock::jettison should clear related watchpoints
1171         https://bugs.webkit.org/show_bug.cgi?id=194544
1172
1173         Reviewed by Mark Lam.
1174
1175         * stress/regexp-replace-double-watchpoint.js: Added.
1176         (foo):
1177
1178 2019-02-15  Saam barati  <sbarati@apple.com>
1179
1180         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1181         https://bugs.webkit.org/show_bug.cgi?id=194036
1182
1183         Reviewed by Yusuke Suzuki.
1184
1185         * stress/tail-call-many-arguments.js: Added.
1186         (foo):
1187         (bar):
1188
1189 2019-02-14  Saam Barati  <sbarati@apple.com>
1190
1191         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1192         https://bugs.webkit.org/show_bug.cgi?id=194583
1193         <rdar://problem/48028140>
1194
1195         Reviewed by Yusuke Suzuki.
1196
1197         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1198
1199 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1200
1201         [JSC] String.fromCharCode's slow path always generates 16bit string
1202         https://bugs.webkit.org/show_bug.cgi?id=194466
1203
1204         Reviewed by Keith Miller.
1205
1206         * stress/string-from-char-code-slow-path.js: Added.
1207         (shouldBe):
1208         (testWithLength):
1209
1210 2019-02-08  Saam barati  <sbarati@apple.com>
1211
1212         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1213         https://bugs.webkit.org/show_bug.cgi?id=194334
1214         <rdar://problem/47844327>
1215
1216         Reviewed by Mark Lam.
1217
1218         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1219         (func):
1220
1221 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1222
1223         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1224         https://bugs.webkit.org/show_bug.cgi?id=194369
1225         <rdar://problem/47813087>
1226
1227         Reviewed by Saam Barati.
1228
1229         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1230         (A):
1231
1232 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1233
1234         [JSC] PrivateName to PublicName hash table is wasteful
1235         https://bugs.webkit.org/show_bug.cgi?id=194277
1236
1237         Reviewed by Michael Saboff.
1238
1239         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1240
1241         * ChakraCore.yaml:
1242
1243 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1244
1245         [ARM] Test running out of executable memory
1246         https://bugs.webkit.org/show_bug.cgi?id=194285
1247
1248         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1249         executable memory otherwise.
1250
1251         * stress/class-subclassing-function.js:
1252
1253 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1254
1255         when lowering AssertNotEmpty, create the value before creating the patchpoint
1256         https://bugs.webkit.org/show_bug.cgi?id=194231
1257
1258         Reviewed by Saam Barati.
1259
1260         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1261         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1262         So even tiny changes to this test can change the path code taken.
1263
1264         * stress/assert-not-empty.js: Added.
1265         (foo):
1266
1267 2019-02-01  Mark Lam  <mark.lam@apple.com>
1268
1269         Remove invalid assertion in DFG's compileDoubleRep().
1270         https://bugs.webkit.org/show_bug.cgi?id=194130
1271         <rdar://problem/47699474>
1272
1273         Reviewed by Saam Barati.
1274
1275         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1276
1277 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1278
1279         Import latest Test262 updates.
1280
1281         Rubber-stamped by Keith Miller.
1282
1283         * test262.yaml: Deleted.
1284         * test262/config.yaml:
1285         * test262/expectations.yaml:
1286         * test262/latest-changes-summary.txt:
1287         * test262/test/:
1288         * test262/test262-Revision.txt:
1289
1290 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1291
1292         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1293         https://bugs.webkit.org/show_bug.cgi?id=194050
1294         <rdar://problem/47595592>
1295
1296         Reviewed by Yusuke Suzuki.
1297
1298         * stress/object-keys-osr-exit.js: Added.
1299         (foo):
1300         (catch):
1301
1302 2019-01-29  Mark Lam  <mark.lam@apple.com>
1303
1304         ValueRecovery::recover() should purify NaN values it recovers.
1305         https://bugs.webkit.org/show_bug.cgi?id=193978
1306         <rdar://problem/47625488>
1307
1308         Reviewed by Saam Barati.
1309
1310         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1311
1312 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1313
1314         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1315         https://bugs.webkit.org/show_bug.cgi?id=193713
1316
1317         * stress/try-get-by-id-should-spill-registers-dfg.js:
1318         (let.f.createBuiltin):
1319
1320 2019-01-28  Mark Lam  <mark.lam@apple.com>
1321
1322         ToString node actually does GC.
1323         https://bugs.webkit.org/show_bug.cgi?id=193920
1324         <rdar://problem/46695900>
1325
1326         Reviewed by Yusuke Suzuki.
1327
1328         * stress/dfg-to-string-on-int-does-gc.js: Added.
1329         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1330         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1331
1332 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1333
1334         [JSC] NativeErrorConstructor should not have own IsoSubspace
1335         https://bugs.webkit.org/show_bug.cgi?id=193713
1336
1337         Reviewed by Saam Barati.
1338
1339         Remove @Error use.
1340
1341         * stress/try-get-by-id-should-spill-registers-dfg.js:
1342         (let.f.createBuiltin):
1343
1344 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1345
1346         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1347         https://bugs.webkit.org/show_bug.cgi?id=190693
1348
1349         Reviewed by Michael Saboff.
1350
1351         * stress/regress-190693.js: Added.
1352         (truth):
1353         (assert):
1354         (shouldThrowInvalidConstAssignment):
1355         (taz):
1356
1357 2019-01-24  Saam Barati  <sbarati@apple.com>
1358
1359         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1360         https://bugs.webkit.org/show_bug.cgi?id=193751
1361         <rdar://problem/47280215>
1362
1363         Reviewed by Michael Saboff.
1364
1365         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1366         (let.thing):
1367         (foo.let.hello):
1368         (foo):
1369
1370 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1371
1372         [JSC] Reenable baseline JIT on mips
1373         https://bugs.webkit.org/show_bug.cgi?id=192983
1374
1375         Reviewed by Mark Lam.
1376
1377         Added a new test for a case that was triggering a RELEASE_ASSERT when
1378         testing.
1379         Disable some slow tests that were already disabled for arm and x86.
1380
1381         * stress/json-parse-big-object.js: Added.
1382         * stress/new-largeish-contiguous-array-with-size.js:
1383         * stress/op_add.js:
1384         * stress/op_bitand.js:
1385         * stress/op_bitor.js:
1386         * stress/op_bitxor.js:
1387         * stress/op_lshift-ConstVar.js:
1388         * stress/op_lshift-VarConst.js:
1389         * stress/op_lshift-VarVar.js:
1390         * stress/op_mod-ConstVar.js:
1391         * stress/op_mod-VarConst.js:
1392         * stress/op_mod-VarVar.js:
1393         * stress/op_mul-ConstVar.js:
1394         * stress/op_mul-VarConst.js:
1395         * stress/op_mul-VarVar.js:
1396         * stress/op_rshift-ConstVar.js:
1397         * stress/op_rshift-VarConst.js:
1398         * stress/op_rshift-VarVar.js:
1399         * stress/op_sub-ConstVar.js:
1400         * stress/op_sub-VarConst.js:
1401         * stress/op_sub-VarVar.js:
1402         * stress/op_urshift-ConstVar.js:
1403         * stress/op_urshift-VarConst.js:
1404         * stress/op_urshift-VarVar.js:
1405         * stress/sampling-profiler-richards.js:
1406         * stress/spread-forward-call-varargs-stack-overflow.js:
1407
1408 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1409
1410         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1411         https://bugs.webkit.org/show_bug.cgi?id=193711
1412         <rdar://problem/47250262>
1413
1414         Reviewed by Saam Barati.
1415
1416         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1417         (shouldBe):
1418         (foo):
1419         (bar):
1420         (baz):
1421
1422 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1423
1424         Unreviewed, fix initial global lexical binding epoch
1425         https://bugs.webkit.org/show_bug.cgi?id=193603
1426         <rdar://problem/47380869>
1427
1428         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1429         (f1.f2.f3.f4):
1430         (f1.f2.f3):
1431         (f1.f2):
1432         (f1):
1433
1434 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1435
1436         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1437         https://bugs.webkit.org/show_bug.cgi?id=193709
1438         <rdar://problem/47363838>
1439
1440         Unreviewed, rollout to watch the tests.
1441
1442         * stress/object-tostring-changed-proto.js: Removed.
1443         * stress/object-tostring-changed.js: Removed.
1444         * stress/object-tostring-misc.js: Removed.
1445         * stress/object-tostring-other.js: Removed.
1446         * stress/object-tostring-untyped.js: Removed.
1447
1448 2019-01-22  Saam Barati  <sbarati@apple.com>
1449
1450         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1451
1452         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1453         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1454         (testUncheckedLessThanZero):
1455         (testUncheckedLessThanOrEqualZero):
1456         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1457         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1458
1459 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1460
1461         [JSC] Invalidate old scope operations using global lexical binding epoch
1462         https://bugs.webkit.org/show_bug.cgi?id=193603
1463         <rdar://problem/47380869>
1464
1465         Reviewed by Saam Barati.
1466
1467         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1468         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1469         (shouldThrow):
1470         (bar):
1471         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1472         (shouldBe):
1473         (get1):
1474         (get2):
1475         (get1If):
1476         (get2If):
1477         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1478         (shouldThrow):
1479         (foo):
1480
1481 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1482
1483         Unreviewed, roll out r240220 due to date-format-xparb regression
1484         https://bugs.webkit.org/show_bug.cgi?id=193603
1485
1486         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1487         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1488         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1489         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1490
1491 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1492
1493         DoesGC rule is wrong for nodes with BigIntUse
1494         https://bugs.webkit.org/show_bug.cgi?id=193652
1495
1496         Reviewed by Saam Barati.
1497
1498         * stress/big-int-value-op-update-gc-rules.js: Added.
1499         (assert):
1500         (doesGCAdd):
1501         (doesGCSub):
1502         (doesGCDiv):
1503         (doesGCMul):
1504         (doesGCBitAnd):
1505         (doesGCBitOr):
1506         (doesGCBitXor):
1507
1508 2019-01-20  Saam Barati  <sbarati@apple.com>
1509
1510         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1511         https://bugs.webkit.org/show_bug.cgi?id=193644
1512         <rdar://problem/46209745>
1513
1514         Reviewed by Yusuke Suzuki.
1515
1516         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1517         (foo):
1518         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1519         (foo):
1520         (bar):
1521
1522 2019-01-20  Saam Barati  <sbarati@apple.com>
1523
1524         MovHint must merge NodeBytecodeUsesAsValue for its child
1525         https://bugs.webkit.org/show_bug.cgi?id=186916
1526         <rdar://problem/41396612>
1527
1528         Reviewed by Yusuke Suzuki.
1529
1530         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1531         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1532
1533 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1534
1535         [JSC] Invalidate old scope operations using global lexical binding epoch
1536         https://bugs.webkit.org/show_bug.cgi?id=193603
1537         <rdar://problem/47380869>
1538
1539         Reviewed by Saam Barati.
1540
1541         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1542         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1543         (shouldThrow):
1544         (bar):
1545         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1546         (shouldBe):
1547         (get1):
1548         (get2):
1549         (get1If):
1550         (get2If):
1551         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1552         (shouldThrow):
1553         (foo):
1554
1555 2019-01-17  Saam barati  <sbarati@apple.com>
1556
1557         StringObjectUse should not be a structure check for the original string object structure
1558         https://bugs.webkit.org/show_bug.cgi?id=193483
1559         <rdar://problem/47280522>
1560
1561         Reviewed by Yusuke Suzuki.
1562
1563         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1564         (foo):
1565         (a.valueOf.0):
1566
1567 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1568
1569         [JSC] ToThis omission in DFGByteCodeParser is wrong
1570         https://bugs.webkit.org/show_bug.cgi?id=193513
1571         <rdar://problem/45842236>
1572
1573         Reviewed by Saam Barati.
1574
1575         * stress/to-this-omission-with-different-strict-modes.js: Added.
1576         (thisA):
1577         (thisAStrictWrapper):
1578
1579 2019-01-15  Mark Lam  <mark.lam@apple.com>
1580
1581         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1582         https://bugs.webkit.org/show_bug.cgi?id=193423
1583         <rdar://problem/46209355>
1584
1585         Reviewed by Saam Barati.
1586
1587         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1588         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1589         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1590         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1591
1592 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1593
1594         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1595         https://bugs.webkit.org/show_bug.cgi?id=193438
1596         <rdar://problem/45581249>
1597
1598         Reviewed by Saam Barati and Keith Miller.
1599
1600         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1601         Then, GetByVal(String) crashed.
1602
1603         * stress/string-get-by-val-lowering.js: Added.
1604         (shouldBe):
1605         (test):
1606         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1607         (Hello):
1608         (foo):
1609
1610 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1611
1612         Unreviewed, skip JIT tests if it's not enabled
1613
1614         * stress/bit-op-with-object-returning-int32.js:
1615
1616 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1617
1618         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1619         https://bugs.webkit.org/show_bug.cgi?id=192966
1620
1621         Reviewed by Yusuke Suzuki.
1622
1623         * stress/bit-op-with-object-returning-int32.js: Added.
1624
1625 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1626
1627         Skip a slow test and a flakey test on arm
1628
1629         Unreviewed gardening.
1630
1631         * typeProfiler/getter-richards.js:
1632         this test always times out, it used to be always skipped on arm and
1633         mips, but got accidentally enabled by r237919 now that we have DFG on
1634         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1635
1636 2019-01-14  Keith Miller  <keith_miller@apple.com>
1637
1638         Skip type-check-hoisting-phase-hoist... with no jit
1639         https://bugs.webkit.org/show_bug.cgi?id=193421
1640
1641         Reviewed by Mark Lam.
1642
1643         It's timing out the 32-bit bots and takes 330 seconds
1644         on my machine when run by itself.
1645
1646         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1647
1648 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1649
1650         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1651         https://bugs.webkit.org/show_bug.cgi?id=193413
1652         <rdar://problem/46092389>
1653
1654         Reviewed by Keith Miller.
1655
1656         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1657         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1658         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1659         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1660
1661         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1662         (compareArray):
1663
1664 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1665
1666         [BigInt] Literal parsing is crashing when used inside a Object Literal
1667         https://bugs.webkit.org/show_bug.cgi?id=193404
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         * stress/big-int-literal-inside-literal-object.js: Added.
1672
1673 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1674
1675         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1676         https://bugs.webkit.org/show_bug.cgi?id=193372
1677
1678         Reviewed by Saam Barati.
1679
1680         * stress/typed-array-array-modes-profile.js: Added.
1681         (foo):
1682
1683 2019-01-14  Mark Lam  <mark.lam@apple.com>
1684
1685         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1686         https://bugs.webkit.org/show_bug.cgi?id=193402
1687         <rdar://problem/46012309>
1688
1689         Reviewed by Keith Miller.
1690
1691         * stress/regexp-compile-oom.js:
1692         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1693           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1694
1695 2019-01-11  Saam barati  <sbarati@apple.com>
1696
1697         DFG combined liveness can be wrong for terminal basic blocks
1698         https://bugs.webkit.org/show_bug.cgi?id=193304
1699         <rdar://problem/45268632>
1700
1701         Reviewed by Yusuke Suzuki.
1702
1703         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1704
1705 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1706
1707         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1708         https://bugs.webkit.org/show_bug.cgi?id=193308
1709         <rdar://problem/45546542>
1710
1711         Reviewed by Saam Barati.
1712
1713         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1714         (shouldThrow):
1715         (shouldBe):
1716         (foo):
1717         (get shouldThrow):
1718         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1719         (shouldThrow):
1720         (shouldBe):
1721         (foo):
1722         (get shouldBe):
1723         (get shouldThrow):
1724         (get return):
1725         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1726         (shouldThrow):
1727         (shouldBe):
1728         (foo):
1729         (get shouldBe):
1730         (get shouldThrow):
1731         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1732         (shouldThrow):
1733         (shouldBe):
1734         (foo):
1735         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1736         (shouldThrow):
1737         (shouldBe):
1738         (foo):
1739         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1740         (shouldThrow):
1741         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1742         (shouldThrow):
1743         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1744         (shouldThrow):
1745         (shouldBe):
1746         (foo):
1747         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1748         (shouldThrow):
1749         (shouldBe):
1750         (foo):
1751         (get shouldBe):
1752         (get shouldThrow):
1753         (get return):
1754         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1755         (shouldThrow):
1756         (shouldBe):
1757         (foo):
1758         (get shouldBe):
1759         (get shouldThrow):
1760         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1761         (shouldThrow):
1762         (shouldBe):
1763         (foo):
1764         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1765         (shouldThrow):
1766         (shouldBe):
1767         (foo):
1768
1769 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1770
1771         Enable DFG on ARM/Linux again
1772         https://bugs.webkit.org/show_bug.cgi?id=192496
1773
1774         Reviewed by Yusuke Suzuki.
1775
1776         Test wasn't really skipped before moving the line with skip
1777         to the top.
1778
1779         * stress/regress-192717.js:
1780
1781 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1782
1783         Unreviewed, rolling out r239825.
1784         https://bugs.webkit.org/show_bug.cgi?id=193330
1785
1786         Broke tests on armv7/linux bots (Requested by guijemont on
1787         #webkit).
1788
1789         Reverted changeset:
1790
1791         "Enable DFG on ARM/Linux again"
1792         https://bugs.webkit.org/show_bug.cgi?id=192496
1793         https://trac.webkit.org/changeset/239825
1794
1795 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1796
1797         Enable DFG on ARM/Linux again
1798         https://bugs.webkit.org/show_bug.cgi?id=192496
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         Test wasn't really skipped before moving the line with skip
1803         to the top.
1804
1805         * stress/regress-192717.js:
1806
1807 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1808
1809         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1810         https://bugs.webkit.org/show_bug.cgi?id=193127
1811
1812         Reviewed by Saam Barati.
1813
1814         * stress/array-species-create-should-handle-masquerader.js: Added.
1815         (shouldThrow):
1816         * stress/is-undefined-or-null-builtin.js: Added.
1817         (shouldBe):
1818         (isUndefinedOrNull.vm.createBuiltin):
1819
1820 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1821
1822         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1823         https://bugs.webkit.org/show_bug.cgi?id=193221
1824
1825         Reviewed by Mark Lam.
1826
1827         * stress/put-by-id-flags.js: Added.
1828         (f):
1829         (g):
1830         (numberOfDFGCompiles):
1831
1832 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1833
1834         Baseline version of get_by_id may corrupt metadata
1835         https://bugs.webkit.org/show_bug.cgi?id=193085
1836         <rdar://problem/23453006>
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/get-by-id-change-mode.js: Added.
1841         (forEach):
1842
1843 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1844
1845         [JSC] Optimize Object.prototype.toString
1846         https://bugs.webkit.org/show_bug.cgi?id=193031
1847
1848         Reviewed by Saam Barati.
1849
1850         * stress/object-tostring-changed-proto.js: Added.
1851         (shouldBe):
1852         (test):
1853         * stress/object-tostring-changed.js: Added.
1854         (shouldBe):
1855         (test):
1856         * stress/object-tostring-misc.js: Added.
1857         (shouldBe):
1858         (test):
1859         (i.switch):
1860         * stress/object-tostring-other.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/object-tostring-untyped.js: Added.
1864         (shouldBe):
1865         (test):
1866         (i.switch):
1867
1868 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1869
1870         test262-runner misbehaves when test file YAML has a trailing space
1871         https://bugs.webkit.org/show_bug.cgi?id=193053
1872
1873         Reviewed by Yusuke Suzuki.
1874
1875         * test262/expectations.yaml:
1876         Mark two dozen tests as passing (and correct the output of another).
1877
1878 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1879
1880         Unreviewed, JSTests gardening with memoryLimited
1881
1882         * stress/string-overflow-createError.js:
1883
1884 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1885
1886         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1887         https://bugs.webkit.org/show_bug.cgi?id=193050
1888
1889         Reviewed by Yusuke Suzuki.
1890
1891         * test262.yaml:
1892         * test262/expectations.yaml:
1893         Mark 16 tests as passing.
1894
1895 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1896
1897         [BigInt] Support BigInt in JSON.stringify
1898         https://bugs.webkit.org/show_bug.cgi?id=192624
1899
1900         Reviewed by Saam Barati.
1901
1902         * stress/big-int-json-stringify-to-json.js: Added.
1903         (shouldBe):
1904         (shouldThrow):
1905         (BigInt.prototype.toJSON):
1906         (shouldBe.JSON.stringify):
1907         * stress/big-int-json-stringify.js: Added.
1908         (shouldBe):
1909         (shouldThrow):
1910
1911 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1912
1913         [JSC] Implement "well-formed JSON.stringify" proposal
1914         https://bugs.webkit.org/show_bug.cgi?id=191677
1915
1916         Reviewed by Darin Adler.
1917
1918         * stress/json-surrogate-pair.js: Added.
1919         (shouldBe):
1920         * test262/expectations.yaml:
1921
1922 2018-12-20  Keith Miller  <keith_miller@apple.com>
1923
1924         Add support for globalThis
1925         https://bugs.webkit.org/show_bug.cgi?id=165171
1926
1927         Reviewed by Mark Lam.
1928
1929         * test262/config.yaml:
1930
1931 2018-12-19  Keith Miller  <keith_miller@apple.com>
1932
1933         Update test262 configuration to not run tests dependent on ICU version.
1934         https://bugs.webkit.org/show_bug.cgi?id=192920
1935
1936         Reviewed by Saam Barati.
1937
1938         * test262/expectations.yaml:
1939
1940 2018-12-20  Mark Lam  <mark.lam@apple.com>
1941
1942         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1943         https://bugs.webkit.org/show_bug.cgi?id=192939
1944         <rdar://problem/46869516>
1945
1946         Reviewed by Keith Miller.
1947
1948         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1949
1950 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1951
1952         WTF::String and StringImpl overflow MaxLength
1953         https://bugs.webkit.org/show_bug.cgi?id=192853
1954         <rdar://problem/45726906>
1955
1956         Reviewed by Mark Lam.
1957
1958         * stress/string-16bit-repeat-overflow.js: Added.
1959         (catch):
1960
1961 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1962
1963         Unreviewed follow-up to r192914.
1964
1965         * test262/expectations.yaml:
1966         Add the last 20 missing expectations.
1967
1968 2018-12-19  Keith Miller  <keith_miller@apple.com>
1969
1970         Fix test262 expectations
1971         https://bugs.webkit.org/show_bug.cgi?id=192914
1972
1973         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1974
1975         * test262/expectations.yaml:
1976
1977 2018-12-19  Keith Miller  <keith_miller@apple.com>
1978
1979         Update test262 tests.
1980         https://bugs.webkit.org/show_bug.cgi?id=192907
1981
1982         Rubber stamped by Mark Lam.
1983
1984         * test262/*: Omitted because prepare-changelog crashes.
1985
1986 2018-12-19  Mark Lam  <mark.lam@apple.com>
1987
1988         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1989         https://bugs.webkit.org/show_bug.cgi?id=192464
1990         <rdar://problem/46519455>
1991
1992         Reviewed by Saam Barati.
1993
1994         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1995         microbenchmark.
1996
1997         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1998         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1999
2000 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2001
2002         String overflow in JSC::createError results in ASSERT in WTF::makeString
2003         https://bugs.webkit.org/show_bug.cgi?id=192833
2004         <rdar://problem/45706868>
2005
2006         Reviewed by Mark Lam.
2007
2008         * stress/string-overflow-createError.js: Added.
2009
2010 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2011
2012         Error message for `-x ** y` contains a typo.
2013         https://bugs.webkit.org/show_bug.cgi?id=192832
2014
2015         Reviewed by Saam Barati.
2016
2017         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2018         (assert.assert.return.throws):
2019         * stress/pow-expects-update-expression-on-lhs.js:
2020         (throw.new.Error):
2021         Update test expectations which match against the exact error message.
2022
2023 2018-12-18  Mark Lam  <mark.lam@apple.com>
2024
2025         Gardening: test options fix.
2026         https://bugs.webkit.org/show_bug.cgi?id=192822
2027
2028         Unreviewed.
2029
2030         * stress/json-stringify-string-builder-overflow.js:
2031
2032 2018-12-18  Mark Lam  <mark.lam@apple.com>
2033
2034         JSON.stringify() should throw OOM on StringBuilder overflows.
2035         https://bugs.webkit.org/show_bug.cgi?id=192822
2036         <rdar://problem/46670577>
2037
2038         Reviewed by Saam Barati.
2039
2040         * stress/json-stringify-string-builder-overflow.js: Added.
2041
2042 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2043
2044         Redeclaration of var over let/const/class should be a syntax error.
2045         https://bugs.webkit.org/show_bug.cgi?id=192298
2046
2047         Reviewed by Keith Miller.
2048
2049         * test262.yaml:
2050         * test262/expectations.yaml:
2051         Mark 46 tests as passing.
2052
2053         * stress/block-scope-redeclarations.js:
2054         Add some new tests.
2055
2056         * stress/for-in-invalidate-context-weird-assignments.js:
2057         * stress/for-in-tests.js:
2058         Replace tests for outdated behavior with tests for SyntaxError.
2059
2060         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2061         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2062         Update expectations.
2063
2064 2018-12-18  Mark Lam  <mark.lam@apple.com>
2065
2066         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2067         https://bugs.webkit.org/show_bug.cgi?id=191374
2068         <rdar://problem/46525447>
2069
2070         Reviewed by Yusuke Suzuki.
2071
2072         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2073
2074         * stress/elidable-new-object-roflcopter-then-exit.js:
2075
2076 2018-12-17  Mark Lam  <mark.lam@apple.com>
2077
2078         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2079         https://bugs.webkit.org/show_bug.cgi?id=192019
2080         <rdar://problem/46525456>
2081
2082         Reviewed by Yusuke Suzuki.
2083
2084         The test runs too slow on 32-bit.
2085
2086         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2087
2088 2018-12-17  Mark Lam  <mark.lam@apple.com>
2089
2090         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2091         https://bugs.webkit.org/show_bug.cgi?id=191373
2092         <rdar://problem/46525458>
2093
2094         Reviewed by Yusuke Suzuki.
2095
2096         The test is already slow running with a JIT on 64-bit.  It will always timeout
2097         on 32-bit without a JIT.
2098
2099         * stress/materialize-regexp-cyclic-regexp.js:
2100
2101 2018-12-17  Mark Lam  <mark.lam@apple.com>
2102
2103         Array unshift/shift should not race against the AI in the compiler thread.
2104         https://bugs.webkit.org/show_bug.cgi?id=192795
2105         <rdar://problem/46724263>
2106
2107         Reviewed by Saam Barati.
2108
2109         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2110
2111 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2112
2113         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2114         https://bugs.webkit.org/show_bug.cgi?id=190047
2115
2116         Reviewed by Saam Barati.
2117
2118         * stress/object-keys-cached-zero.js: Added.
2119         (shouldBe):
2120         (test):
2121         * stress/object-keys-changed-attribute.js: Added.
2122         (shouldBe):
2123         (test):
2124         * stress/object-keys-changed-index.js: Added.
2125         (shouldBe):
2126         (test):
2127         * stress/object-keys-changed.js: Added.
2128         (shouldBe):
2129         (test):
2130         * stress/object-keys-indexed-non-cache.js: Added.
2131         (shouldBe):
2132         (test):
2133         * stress/object-keys-overrides-get-property-names.js: Added.
2134         (shouldBe):
2135         (test):
2136         (noInline):
2137
2138 2018-12-17  Mark Lam  <mark.lam@apple.com>
2139
2140         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2141         https://bugs.webkit.org/show_bug.cgi?id=192779
2142         <rdar://problem/46775869>
2143
2144         Reviewed by Saam Barati.
2145
2146         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2147
2148 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2149
2150         Unreviewed test gardening, address a syntax error in a new test.
2151
2152         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2153
2154 2018-12-17  Mark Lam  <mark.lam@apple.com>
2155
2156         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2157         https://bugs.webkit.org/show_bug.cgi?id=192776
2158         <rdar://problem/46772368>
2159
2160         Reviewed by Keith Miller.
2161
2162         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2163
2164 2018-12-17  Mark Lam  <mark.lam@apple.com>
2165
2166         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2167         https://bugs.webkit.org/show_bug.cgi?id=192770
2168         <rdar://problem/46449037>
2169
2170         Reviewed by Keith Miller.
2171
2172         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2173
2174 2018-12-14  Mark Lam  <mark.lam@apple.com>
2175
2176         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2177         https://bugs.webkit.org/show_bug.cgi?id=192717
2178         <rdar://problem/46660677>
2179
2180         Reviewed by Saam Barati.
2181
2182         * stress/regress-192717.js: Added.
2183
2184 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2185
2186         Unreviewed, rolling out r239153, r239154, and r239155.
2187         https://bugs.webkit.org/show_bug.cgi?id=192715
2188
2189         Caused flaky GC-related crashes seen with layout tests
2190         (Requested by ryanhaddad on #webkit).
2191
2192         Reverted changesets:
2193
2194         "[JSC] Optimize Object.keys by caching own keys results in
2195         StructureRareData"
2196         https://bugs.webkit.org/show_bug.cgi?id=190047
2197         https://trac.webkit.org/changeset/239153
2198
2199         "Unreviewed, build fix after r239153"
2200         https://bugs.webkit.org/show_bug.cgi?id=190047
2201         https://trac.webkit.org/changeset/239154
2202
2203         "Unreviewed, build fix after r239153, part 2"
2204         https://bugs.webkit.org/show_bug.cgi?id=190047
2205         https://trac.webkit.org/changeset/239155
2206
2207 2018-12-14  Keith Miller  <keith_miller@apple.com>
2208
2209         Callers of JSString::getIndex should check for OOM exceptions
2210         https://bugs.webkit.org/show_bug.cgi?id=192709
2211
2212         Reviewed by Mark Lam.
2213
2214         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2215
2216 2018-12-13  Mark Lam  <mark.lam@apple.com>
2217
2218         Add a missing exception check.
2219         https://bugs.webkit.org/show_bug.cgi?id=192626
2220         <rdar://problem/46662163>
2221
2222         Reviewed by Keith Miller.
2223
2224         * stress/regress-192626.js: Added.
2225
2226 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2227
2228         [BigInt] Add ValueDiv into DFG
2229         https://bugs.webkit.org/show_bug.cgi?id=186178
2230
2231         Reviewed by Yusuke Suzuki.
2232
2233         * stress/big-int-div-jit-osr.js: Added.
2234         * stress/big-int-div-jit-untyped.js: Added.
2235         * stress/value-div-fixup-int32-big-int.js: Added.
2236
2237 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2238
2239         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2240         https://bugs.webkit.org/show_bug.cgi?id=190047
2241
2242         Reviewed by Keith Miller.
2243
2244         * stress/object-keys-cached-zero.js: Added.
2245         (shouldBe):
2246         (test):
2247         * stress/object-keys-changed-attribute.js: Added.
2248         (shouldBe):
2249         (test):
2250         * stress/object-keys-changed-index.js: Added.
2251         (shouldBe):
2252         (test):
2253         * stress/object-keys-changed.js: Added.
2254         (shouldBe):
2255         (test):
2256         * stress/object-keys-indexed-non-cache.js: Added.
2257         (shouldBe):
2258         (test):
2259         * stress/object-keys-overrides-get-property-names.js: Added.
2260         (shouldBe):
2261         (test):
2262         (noInline):
2263
2264 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2265
2266         [DFG][FTL] Add NewSymbol
2267         https://bugs.webkit.org/show_bug.cgi?id=192620
2268
2269         Reviewed by Saam Barati.
2270
2271         * microbenchmarks/symbol-creation.js: Added.
2272         (test):
2273         * stress/symbol-description-identity.js: Added.
2274         (shouldBe):
2275         (test):
2276         * stress/symbol-identity.js: Added.
2277         (shouldBe):
2278         (test):
2279         * stress/symbol-with-description-throw-error.js: Added.
2280         (shouldBe):
2281         (shouldThrow):
2282         (test):
2283         (object.toString):
2284
2285 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2286
2287         [BigInt] Implement DFG/FTL typeof for BigInt
2288         https://bugs.webkit.org/show_bug.cgi?id=192619
2289
2290         Reviewed by Keith Miller.
2291
2292         * stress/big-int-boolean-proven-type.js: Added.
2293         (assert):
2294         (bool):
2295         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2296         (assert):
2297         (typeOf):
2298         (i.switch):
2299         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2300         (assert):
2301         (typeOf):
2302         * stress/big-int-type-of.js:
2303         (typeOf):
2304         (func):
2305
2306 2018-12-10  Mark Lam  <mark.lam@apple.com>
2307
2308         PropertyAttribute needs a CustomValue bit.
2309         https://bugs.webkit.org/show_bug.cgi?id=191993
2310         <rdar://problem/46264467>
2311
2312         Reviewed by Saam Barati.
2313
2314         * stress/regress-191993.js: Added.
2315
2316 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2317
2318         [BigInt] Add ValueMul into DFG
2319         https://bugs.webkit.org/show_bug.cgi?id=186175
2320
2321         Reviewed by Yusuke Suzuki.
2322
2323         * stress/big-int-mul-jit-osr.js: Added.
2324         * stress/big-int-mul-jit-untyped.js: Added.
2325         * stress/value-mul-fixup-int32-big-int.js: Added.
2326
2327 2018-12-06  Keith Miller  <keith_miller@apple.com>
2328
2329         stress/big-wasm-memory tests failing on 32-bit JSC bot
2330         https://bugs.webkit.org/show_bug.cgi?id=192020
2331
2332         Reviewed by Saam Barati.
2333
2334         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2335         the wasm stress tests if the WebAssembly object does not exist.
2336
2337         * stress/big-wasm-memory-grow-no-max.js:
2338         (test.foo):
2339         (test):
2340         (foo): Deleted.
2341         (catch): Deleted.
2342         * stress/big-wasm-memory-grow.js:
2343         (test.foo):
2344         (test):
2345         (foo): Deleted.
2346         (catch): Deleted.
2347         * stress/big-wasm-memory.js:
2348         (test.foo):
2349         (test):
2350         (foo): Deleted.
2351         (catch): Deleted.
2352
2353 2018-12-05  Mark Lam  <mark.lam@apple.com>
2354
2355         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2356         https://bugs.webkit.org/show_bug.cgi?id=192441
2357         <rdar://problem/46480355>
2358
2359         Reviewed by Saam Barati.
2360
2361         * stress/regress-192441.js: Added.
2362
2363 2018-12-04  Mark Lam  <mark.lam@apple.com>
2364
2365         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2366         https://bugs.webkit.org/show_bug.cgi?id=192386
2367         <rdar://problem/46445516>
2368
2369         Reviewed by Saam Barati.
2370
2371         * stress/regress-192386.js: Added.
2372
2373 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2374
2375         [ESNext][BigInt] Support logic operations
2376         https://bugs.webkit.org/show_bug.cgi?id=179903
2377
2378         Reviewed by Yusuke Suzuki.
2379
2380         * stress/big-int-branch-usage.js: Added.
2381         * stress/big-int-logical-and.js: Added.
2382         * stress/big-int-logical-not.js: Added.
2383         * stress/big-int-logical-or.js: Added.
2384
2385 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2386
2387         Unreviewed, rolling out r238833.
2388
2389         Breaks macOS and iOS debug builds.
2390
2391         Reverted changeset:
2392
2393         "[ESNext][BigInt] Support logic operations"
2394         https://bugs.webkit.org/show_bug.cgi?id=179903
2395         https://trac.webkit.org/changeset/238833
2396
2397 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2398
2399         [ESNext][BigInt] Support logic operations
2400         https://bugs.webkit.org/show_bug.cgi?id=179903
2401
2402         Reviewed by Yusuke Suzuki.
2403
2404         * stress/big-int-branch-usage.js: Added.
2405         * stress/big-int-logical-and.js: Added.
2406         * stress/big-int-logical-not.js: Added.
2407         * stress/big-int-logical-or.js: Added.
2408
2409 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2410
2411         [ESNext][BigInt] Implement support for "<<" and ">>"
2412         https://bugs.webkit.org/show_bug.cgi?id=186233
2413
2414         Reviewed by Yusuke Suzuki.
2415
2416         * stress/big-int-left-shift-general.js: Added.
2417         * stress/big-int-left-shift-range-error.js: Added.
2418         * stress/big-int-left-shift-type-error.js: Added.
2419         * stress/big-int-left-shift-wrapped-value.js: Added.
2420         * stress/big-int-right-shift-general.js: Added.
2421         * stress/big-int-right-shift-type-error.js: Added.
2422         * stress/big-int-right-shift-wrapped-value.js: Added.
2423         * stress/left-shift-to-primitive-precedence.js: Added.
2424         * stress/right-shift-to-primitive-precedence.js: Added.
2425
2426 2018-11-30  Dean Jackson  <dino@apple.com>
2427
2428         Add first-class support for .mjs files in jsc binary
2429         https://bugs.webkit.org/show_bug.cgi?id=192190
2430         <rdar://problem/46375715>
2431
2432         Reviewed by Keith Miller.
2433
2434         * stress/simple-module.mjs: Added.
2435         * stress/simple-script.js: Added.
2436
2437 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2438
2439         [BigInt] Implement ValueBitXor into DFG
2440         https://bugs.webkit.org/show_bug.cgi?id=190264
2441
2442         Reviewed by Yusuke Suzuki.
2443
2444         * stress/big-int-bitwise-xor-jit.js: Added.
2445         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2446         * stress/big-int-bitwise-xor-untyped.js: Added.
2447
2448 2018-11-27  Saam barati  <sbarati@apple.com>
2449
2450         r238510 broke scopes of size zero
2451         https://bugs.webkit.org/show_bug.cgi?id=192033
2452         <rdar://problem/46281734>
2453
2454         Reviewed by Keith Miller.
2455
2456         * stress/r238510-bad-loop.js: Added.
2457         (foo):
2458
2459 2018-11-27  Mark Lam  <mark.lam@apple.com>
2460
2461         [Re-landing] NaNs read from Wasm code needs to be be purified.
2462         https://bugs.webkit.org/show_bug.cgi?id=191056
2463         <rdar://problem/45660341>
2464
2465         Reviewed by Filip Pizlo.
2466
2467         * wasm/regress/regress-191056.js: Added.
2468
2469 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2470
2471         Unreviewed, rolling out r238509.
2472
2473         Causes JSC tests to fail on iOS.
2474
2475         Reverted changeset:
2476
2477         "NaNs read from Wasm code needs to be be purified."
2478         https://bugs.webkit.org/show_bug.cgi?id=191056
2479         https://trac.webkit.org/changeset/238509
2480
2481 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2482
2483         Re-introduce op_bitnot
2484         https://bugs.webkit.org/show_bug.cgi?id=190923
2485
2486         Reviewed by Yusuke Suzuki.
2487
2488         * stress/bit-not-must-generate.js: Added.
2489         * stress/bitwise-not-no-int32.js: Added.
2490
2491 2018-11-26  Saam barati  <sbarati@apple.com>
2492
2493         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2494         https://bugs.webkit.org/show_bug.cgi?id=191956
2495         <rdar://problem/45665806>
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2500         (bar):
2501         (foo):
2502
2503 2018-11-26  Saam barati  <sbarati@apple.com>
2504
2505         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2506         https://bugs.webkit.org/show_bug.cgi?id=191958
2507         <rdar://problem/46221877>
2508
2509         Reviewed by Yusuke Suzuki.
2510
2511         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2512         (x):
2513         (foo):
2514
2515 2018-11-26  Mark Lam  <mark.lam@apple.com>
2516
2517         NaNs read from Wasm code needs to be be purified.
2518         https://bugs.webkit.org/show_bug.cgi?id=191056
2519         <rdar://problem/45660341>
2520
2521         Reviewed by Filip Pizlo.
2522
2523         * wasm/regress/regress-191056.js: Added.
2524
2525 2018-11-26  Michael Saboff  <msaboff@apple.com>
2526
2527         32-bit JSC test failure: stress/regexp-compile-oom.js
2528         https://bugs.webkit.org/show_bug.cgi?id=191375
2529
2530         Reviewed by Mark Lam.
2531
2532         Disabled the test for 32 bit platforms.
2533
2534         * stress/regexp-compile-oom.js:
2535
2536 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2537
2538         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2539         https://bugs.webkit.org/show_bug.cgi?id=191716
2540         <rdar://problem/45723878>
2541
2542         Reviewed by Saam Barati.
2543
2544         * stress/regress-187373.js: Added.
2545         (async.fn):
2546
2547 2018-11-21  Saam barati  <sbarati@apple.com>
2548
2549         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2550         https://bugs.webkit.org/show_bug.cgi?id=191897
2551         <rdar://problem/45871998>
2552
2553         Reviewed by Mark Lam.
2554
2555         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2556         (bar):
2557         (foo):
2558
2559 2018-11-21  Saam barati  <sbarati@apple.com>
2560
2561         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2562         https://bugs.webkit.org/show_bug.cgi?id=191895
2563         <rdar://problem/46167406>
2564
2565         Reviewed by Mark Lam.
2566
2567         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2568         (foo):
2569         (bar):
2570
2571 2018-11-21  Mark Lam  <mark.lam@apple.com>
2572
2573         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2574         https://bugs.webkit.org/show_bug.cgi?id=191776
2575         <rdar://problem/46152851>
2576
2577         Reviewed by Saam Barati.
2578
2579         * stress/big-wasm-memory-grow-no-max.js:
2580         * stress/big-wasm-memory-grow.js:
2581         * stress/big-wasm-memory.js:
2582         - updated these to expect an OutOfMemoryError.
2583
2584         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2585         (Binary.prototype.emit_u8):
2586         (Binary.prototype.emit_u32v):
2587         (Binary.prototype.emit_header):
2588         (Binary.prototype.emit_section):
2589         (Binary):
2590         (WasmModuleBuilder):
2591         (WasmModuleBuilder.prototype.addMemory):
2592         (WasmModuleBuilder.prototype.toArray):
2593         (WasmModuleBuilder.prototype.toBuffer):
2594         (WasmModuleBuilder.prototype.instantiate):
2595         (catch):
2596         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2597         (catch):
2598
2599 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2600
2601         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2602         https://bugs.webkit.org/show_bug.cgi?id=190836
2603
2604         Reviewed by Saam Barati and Yusuke Suzuki.
2605
2606         * stress/big-int-out-of-memory-tests.js: Added.
2607
2608 2018-11-20  Mark Lam  <mark.lam@apple.com>
2609
2610         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2611         https://bugs.webkit.org/show_bug.cgi?id=191856
2612         <rdar://problem/46089992>
2613
2614         Reviewed by Yusuke Suzuki.
2615
2616         * stress/regress-191856.js: Added.
2617         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2618
2619 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2620
2621         Enable JIT on ARM/Linux
2622         https://bugs.webkit.org/show_bug.cgi?id=191548
2623
2624         Reviewed by Yusuke Suzuki.
2625
2626         Disable test on system with limited memory. Program was killed by
2627         the OS before the exception was thrown.
2628
2629         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2630
2631 2018-11-20  Saam barati  <sbarati@apple.com>
2632
2633         Merging an IC variant may lead to the IC status containing overlapping structure sets
2634         https://bugs.webkit.org/show_bug.cgi?id=191869
2635         <rdar://problem/45403453>
2636
2637         Reviewed by Mark Lam.
2638
2639         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2640
2641 2018-11-19  Mark Lam  <mark.lam@apple.com>
2642
2643         globalFuncImportModule() should return a promise when it clears exceptions.
2644         https://bugs.webkit.org/show_bug.cgi?id=191792
2645         <rdar://problem/46090763>
2646
2647         Reviewed by Michael Saboff.
2648
2649         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2650
2651 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2652
2653         Skip new memory-hungry tests on memory limited devices
2654
2655         Unreviewed gardening.
2656
2657         * stress/big-wasm-memory-grow-no-max.js:
2658         * stress/big-wasm-memory-grow.js:
2659         * stress/big-wasm-memory.js:
2660
2661 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2662
2663         Unreviewed, rolling in the rest of r237254
2664         https://bugs.webkit.org/show_bug.cgi?id=190340
2665
2666         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2667         * stress/function-cache-with-parameters-end-position.js: Added.
2668         (shouldBe):
2669         (shouldThrow):
2670         (i.anonymous):
2671         * stress/function-constructor-name.js: Added.
2672         (shouldBe):
2673         (GeneratorFunction):
2674         (AsyncFunction.async):
2675         (AsyncGeneratorFunction.async):
2676         (anonymous):
2677         (async.anonymous):
2678         * test262/expectations.yaml:
2679
2680 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2681
2682         All users of ArrayBuffer should agree on the same max size
2683         https://bugs.webkit.org/show_bug.cgi?id=191771
2684
2685         Reviewed by Mark Lam.
2686
2687         * stress/big-wasm-memory-grow-no-max.js: Added.
2688         (foo):
2689         (catch):
2690         * stress/big-wasm-memory-grow.js: Added.
2691         (foo):
2692         (catch):
2693         * stress/big-wasm-memory.js: Added.
2694         (foo):
2695         (catch):
2696
2697 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2698
2699         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2700         run for each JSC config since they're regression tests for runtime bugs.
2701
2702         * stress/json-stringified-overflow-2.js:
2703         * stress/json-stringified-overflow.js:
2704
2705 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2706
2707         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2708         config since they're regression tests for runtime bugs.
2709
2710         * stress/large-unshift-splice.js:
2711         * stress/regress-185888.js:
2712
2713 2018-11-16  Saam Barati  <sbarati@apple.com>
2714
2715         KnownCellUse should also have SpecCellCheck as its type filter
2716         https://bugs.webkit.org/show_bug.cgi?id=191729
2717         <rdar://problem/45872852>
2718
2719         Reviewed by Filip Pizlo.
2720
2721         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2722         (C):
2723
2724 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2725
2726         Fix assertion failure on BytecodeGenerator::recordOpcode
2727         https://bugs.webkit.org/show_bug.cgi?id=191724
2728         <rdar://problem/45724395>
2729
2730         Reviewed by Saam Barati.
2731
2732         * stress/regress-187373-2.js: Added.
2733         (foo):
2734
2735 2018-11-15  Mark Lam  <mark.lam@apple.com>
2736
2737         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2738         https://bugs.webkit.org/show_bug.cgi?id=191730
2739         <rdar://problem/46048517>
2740
2741         Reviewed by Saam Barati.
2742
2743         * stress/regress-187006.js: Removed.
2744           - this test is invalid because its sole purpose is to test for the non-spec
2745             compliant behavior that we just fixed.
2746
2747         * stress/regress-191730.js: Added.
2748
2749 2018-11-15  Mark Lam  <mark.lam@apple.com>
2750
2751         RegExp operations should not take fast patch if lastIndex is not numeric.
2752         https://bugs.webkit.org/show_bug.cgi?id=191731
2753         <rdar://problem/46017305>
2754
2755         Reviewed by Saam Barati.
2756
2757         * stress/regress-191731.js: Added.
2758
2759 2018-11-13  Saam Barati  <sbarati@apple.com>
2760
2761         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2762         https://bugs.webkit.org/show_bug.cgi?id=191600
2763
2764         Reviewed by Mark Lam.
2765
2766         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2767         (foo):
2768         (test):
2769         (bar):
2770
2771 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2772
2773         Unreviewed, rolling out r238132.
2774
2775         The test added with this change is timing out on Debug JSC
2776         bots.
2777
2778         Reverted changeset:
2779
2780         "[BigInt] JSBigInt::createWithLength should throw when length
2781         is greater than JSBigInt::maxLength"
2782         https://bugs.webkit.org/show_bug.cgi?id=190836
2783         https://trac.webkit.org/changeset/238132
2784
2785 2018-11-13  Mark Lam  <mark.lam@apple.com>
2786
2787         Add OOM detection to StringPrototype's substituteBackreferences().
2788         https://bugs.webkit.org/show_bug.cgi?id=191563
2789         <rdar://problem/45720428>
2790
2791         Reviewed by Saam Barati.
2792
2793         * stress/regress-191563.js: Added.
2794
2795 2018-11-13  Mark Lam  <mark.lam@apple.com>
2796
2797         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2798         https://bugs.webkit.org/show_bug.cgi?id=191579
2799         <rdar://problem/45942472>
2800
2801         Reviewed by Saam Barati.
2802
2803         * stress/regress-191579.js: Added.
2804
2805 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2806
2807         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2808         https://bugs.webkit.org/show_bug.cgi?id=190836
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/big-int-out-of-memory-tests.js: Added.
2813
2814 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2815
2816         U+180E is no longer a whitespace character
2817         https://bugs.webkit.org/show_bug.cgi?id=191415
2818
2819         Reviewed by Saam Barati.
2820
2821         * ChakraCore/test/es5/regexSpace.baseline:
2822         * ChakraCore/test/es6/unicode_whitespace.js:
2823         Update tests to latest version.
2824         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2825
2826         * test262.yaml:
2827         * test262/config.yaml:
2828         * test262/expectations.yaml:
2829         Update expectations.
2830
2831 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2832
2833         [BigInt] Add support to BigInt into ValueAdd
2834         https://bugs.webkit.org/show_bug.cgi?id=186177
2835
2836         Reviewed by Keith Miller.
2837
2838         * stress/big-int-negate-jit.js:
2839         * stress/value-add-big-int-and-string.js: Added.
2840         * stress/value-add-big-int-prediction-propagation.js: Added.
2841         * stress/value-add-big-int-untyped.js: Added.
2842
2843 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2844
2845         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2846         https://bugs.webkit.org/show_bug.cgi?id=191184
2847
2848         Reviewed by Saam Barati.
2849
2850         Most tests were failing due to timeouts, since they are too slow to
2851         run on CLoop. The exceptions are:
2852
2853         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2854         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2855         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2856         to change the stack size since CLoop requires it to be page aligned.
2857
2858         * microbenchmarks/array-push-1.js:
2859         * microbenchmarks/array-push-2.js:
2860         * microbenchmarks/elidable-new-object-dag.js:
2861         * microbenchmarks/elidable-new-object-roflcopter.js:
2862         * microbenchmarks/elidable-new-object-tree.js:
2863         * microbenchmarks/getter-richards.js:
2864         * microbenchmarks/sinkable-new-object-dag.js:
2865         * microbenchmarks/string-concat-long-convert.js:
2866         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2867         * slowMicrobenchmarks/array-push-3.js:
2868         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2869         * slowMicrobenchmarks/spread-small-array.js:
2870         * slowMicrobenchmarks/undefined-property-access.js:
2871         * stress/activation-sink-default-value-tdz-error.js:
2872         * stress/activation-sink-default-value.js:
2873         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2874         * stress/activation-sink-osrexit-default-value.js:
2875         * stress/activation-sink-osrexit.js:
2876         * stress/activation-sink.js:
2877         * stress/allow-math-ic-b3-code-duplication.js:
2878         * stress/array-push-multiple-int32.js:
2879         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2880         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2881         * stress/arrowfunction-lexical-this-activation-sink.js:
2882         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2883         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2884         * stress/elide-new-object-dag-then-exit.js:
2885         * stress/materialize-regexp-cyclic.js:
2886         * stress/new-regex-inline.js:
2887         * stress/op_add.js:
2888         * stress/op_bitand.js:
2889         * stress/op_bitor.js:
2890         * stress/op_bitxor.js:
2891         * stress/op_div-ConstVar.js:
2892         * stress/op_div-VarConst.js:
2893         * stress/op_div-VarVar.js:
2894         * stress/op_lshift-ConstVar.js:
2895         * stress/op_lshift-VarConst.js:
2896         * stress/op_lshift-VarVar.js:
2897         * stress/op_mod-ConstVar.js:
2898         * stress/op_mod-VarConst.js:
2899         * stress/op_mod-VarVar.js:
2900         * stress/op_mul-ConstVar.js:
2901         * stress/op_mul-VarConst.js:
2902         * stress/op_mul-VarVar.js:
2903         * stress/op_rshift-ConstVar.js:
2904         * stress/op_rshift-VarConst.js:
2905         * stress/op_rshift-VarVar.js:
2906         * stress/op_sub-ConstVar.js:
2907         * stress/op_sub-VarConst.js:
2908         * stress/op_sub-VarVar.js:
2909         * stress/op_urshift-ConstVar.js:
2910         * stress/op_urshift-VarConst.js:
2911         * stress/op_urshift-VarVar.js:
2912         * stress/proxy-get-set-correct-receiver.js:
2913         * stress/regress-179562.js:
2914         * stress/rest-parameter-many-arguments.js:
2915         * stress/sampling-profiler-richards.js:
2916         * stress/splay-flash-access-1ms.js:
2917         * stress/tailCallForwardArguments.js:
2918         * stress/typed-array-get-by-val-profiling.js:
2919         * typeProfiler/getter-richards.js:
2920
2921 2018-11-06  Michael Saboff  <msaboff@apple.com>
2922
2923         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2924         https://bugs.webkit.org/show_bug.cgi?id=191271
2925
2926         Reviewed by Saam Barati.
2927
2928         Added more test cases and made all test cases run with the same deeply recursive stack
2929         instead of finding that same point for each test case.
2930
2931         * stress/regexp-compile-oom.js:
2932         (prototype.runTest):
2933         (recurseAndTest):
2934         (testList.push.new.TestAndExpectedException):
2935
2936 2018-11-05  Michael Saboff  <msaboff@apple.com>
2937
2938         Unreviewed build fix for linux.
2939
2940         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2941
2942 2018-11-02  Michael Saboff  <msaboff@apple.com>
2943
2944         Rolling in r237753 with unreviewed build fix.
2945
2946         Fixed issues with DECLARE_THROW_SCOPE placement.
2947
2948 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2949
2950         Unreviewed, rolling out r237753.
2951
2952         Introduced JSC test failures
2953
2954         Reverted changeset:
2955
2956         "Running out of stack space not properly handled in
2957         RegExp::compile() and its callers"
2958         https://bugs.webkit.org/show_bug.cgi?id=191206
2959         https://trac.webkit.org/changeset/237753
2960
2961 2018-11-02  Michael Saboff  <msaboff@apple.com>
2962
2963         Running out of stack space not properly handled in RegExp::compile() and its callers
2964         https://bugs.webkit.org/show_bug.cgi?id=191206
2965
2966         Reviewed by Filip Pizlo.
2967
2968         New regression test.
2969
2970         * stress/regexp-compile-oom.js: Added.
2971         (recurseAndTest):
2972
2973 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2974
2975         Skip tests on arm/mips that time out now we're running on CLoop
2976
2977         Unreviewed gardening.
2978
2979         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2980         time out on the bots and need to be disabled. There's more tests
2981         disabled on arm because the timeout is longer on the mips bot (as the
2982         device is slower to start with), so many of the tests don't time out
2983         there.
2984
2985         * microbenchmarks/getter-richards.js: disable on arm and mips.
2986         * stress/op_add.js: disable on arm.
2987         * stress/op_bitand.js: disable on arm.
2988         * stress/op_bitor.js: disable on arm.
2989         * stress/op_bitxor.js: disable on arm.
2990         * stress/op_lshift-ConstVar.js: disable on arm.
2991         * stress/op_lshift-VarConst.js: disable on arm.
2992         * stress/op_lshift-VarVar.js: disable on arm.
2993         * stress/op_mod-ConstVar.js: disable on arm.
2994         * stress/op_mod-VarConst.js: disable on arm.
2995         * stress/op_mod-VarVar.js: disable on arm.
2996         * stress/op_mul-ConstVar.js: disable on arm.
2997         * stress/op_mul-VarConst.js: disable on arm.
2998         * stress/op_mul-VarVar.js: disable on arm.
2999         * stress/op_rshift-ConstVar.js: disable on arm.
3000         * stress/op_rshift-VarConst.js: disable on arm.
3001         * stress/op_rshift-VarVar.js: disable on arm.
3002         * stress/op_sub-ConstVar.js: disable on arm.
3003         * stress/op_sub-VarConst.js: disable on arm.
3004         * stress/op_sub-VarVar.js: disable on arm.
3005         * stress/op_urshift-ConstVar.js: disable on arm.
3006         * stress/op_urshift-VarConst.js: disable on arm.
3007         * stress/op_urshift-VarVar.js: disable on arm.
3008         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3009         * stress/value-to-boolean.js: disable on arm and mips.
3010
3011 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3012
3013         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3014         https://bugs.webkit.org/show_bug.cgi?id=191108
3015         <rdar://problem/45690700>
3016
3017         Reviewed by Saam Barati.
3018
3019         * stress/wide-op_catch.js: Added.
3020         (catch):
3021
3022 2018-10-29  Mark Lam  <mark.lam@apple.com>
3023
3024         Correctly detect string overflow when using the 'Function' constructor.
3025         https://bugs.webkit.org/show_bug.cgi?id=184883
3026         <rdar://problem/36320331>
3027
3028         Reviewed by Saam Barati.
3029
3030         I've verified that this passes on 32-bit as well.
3031
3032         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3033
3034 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3035
3036         Add support for GetStack FlushedDouble
3037         https://bugs.webkit.org/show_bug.cgi?id=191012
3038         <rdar://problem/45265141>
3039
3040         Reviewed by Saam Barati.
3041
3042         * stress/get-stack-double.js: Added.
3043         (bar):
3044         (noInline):
3045
3046 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3047
3048         New bytecode format for JSC
3049         https://bugs.webkit.org/show_bug.cgi?id=187373
3050         <rdar://problem/44186758>
3051
3052         Reviewed by Filip Pizlo.
3053
3054         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3055
3056         * stress/maximum-inline-capacity.js: Added.
3057         (test1):
3058         (test3.Foo):
3059         (test3):
3060
3061 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3062
3063         Unreviewed, rolling out r237479 and r237484.
3064         https://bugs.webkit.org/show_bug.cgi?id=190978
3065
3066         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3067
3068         Reverted changesets:
3069
3070         "New bytecode format for JSC"
3071         https://bugs.webkit.org/show_bug.cgi?id=187373
3072         https://trac.webkit.org/changeset/237479
3073
3074         "Gardening: Build fix after r237479."
3075         https://bugs.webkit.org/show_bug.cgi?id=187373
3076         https://trac.webkit.org/changeset/237484
3077
3078 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3079
3080         New bytecode format for JSC
3081         https://bugs.webkit.org/show_bug.cgi?id=187373
3082         <rdar://problem/44186758>
3083
3084         Reviewed by Filip Pizlo.
3085
3086         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3087
3088         * stress/maximum-inline-capacity.js: Added.
3089         (test1):
3090         (test3.Foo):
3091         (test3):
3092
3093 2018-10-26  Mark Lam  <mark.lam@apple.com>
3094
3095         Fix missing edge cases with JSGlobalObjects having a bad time.
3096         https://bugs.webkit.org/show_bug.cgi?id=189028
3097         <rdar://problem/45204939>
3098
3099         Reviewed by Saam Barati.
3100
3101         * stress/regress-189028.js: Added.
3102
3103 2018-10-22  Mark Lam  <mark.lam@apple.com>
3104
3105         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3106         https://bugs.webkit.org/show_bug.cgi?id=190515
3107         <rdar://problem/45222379>
3108
3109         Rubber-stamped by Saam Barati.
3110
3111         Adding another test.
3112
3113         * stress/regress-190515-2.js: Added.
3114
3115 2018-10-22  Mark Lam  <mark.lam@apple.com>
3116
3117         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3118         https://bugs.webkit.org/show_bug.cgi?id=190515
3119         <rdar://problem/45222379>
3120
3121         Reviewed by Saam Barati.
3122
3123         * stress/regress-190515.js: Added.
3124
3125 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3126
3127         Unreviewed, rolling out r237254.
3128         https://bugs.webkit.org/show_bug.cgi?id=190760
3129
3130         "It regresses JetStream 2 by 5% on some iOS devices"
3131         (Requested by saamyjoon on #webkit).
3132
3133         Reverted changeset:
3134
3135         "[JSC] JSC should have "parseFunction" to optimize Function
3136         constructor"
3137         https://bugs.webkit.org/show_bug.cgi?id=190340
3138         https://trac.webkit.org/changeset/237254
3139
3140 2018-10-19  Saam Barati  <sbarati@apple.com>
3141
3142         vmCall should check if we exit before emitting an OSR exit due to exceptions
3143         https://bugs.webkit.org/show_bug.cgi?id=190740
3144         <rdar://problem/45220139>
3145
3146         Reviewed by Mark Lam.
3147
3148         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3149         (foo):
3150
3151 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3152
3153         [ESNext][BigInt] Implement support for "^"
3154         https://bugs.webkit.org/show_bug.cgi?id=186235
3155
3156         Reviewed by Yusuke Suzuki.
3157
3158         * stress/big-int-bitwise-xor-general.js: Added.
3159         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3160         * stress/big-int-bitwise-xor-type-error.js: Added.
3161         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3162
3163 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3164
3165         [BigInt] Add ValueSub into DFG
3166         https://bugs.webkit.org/show_bug.cgi?id=186176
3167
3168         Reviewed by Yusuke Suzuki.
3169
3170         * stress/big-int-subtraction-jit.js:
3171         * stress/value-sub-big-int-prediction-propagation.js: Added.
3172         * stress/value-sub-big-int-untyped.js: Added.
3173         * stress/value-sub-spec-none-case.js: Added.
3174
3175 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3176
3177         [JSC] JSC should have "parseFunction" to optimize Function constructor
3178         https://bugs.webkit.org/show_bug.cgi?id=190340
3179
3180         Reviewed by Mark Lam.
3181
3182         This patch fixes the line number of syntax errors raised by the Function constructor,
3183         since we now parse the final code only once. And we no longer use block statement
3184         for Function constructor's parsing.
3185
3186         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3187         * stress/function-cache-with-parameters-end-position.js: Added.
3188         (shouldBe):
3189         (shouldThrow):
3190         (i.anonymous):
3191         * stress/function-constructor-name.js: Added.
3192         (shouldBe):
3193         (GeneratorFunction):
3194         (AsyncFunction.async):
3195         (AsyncGeneratorFunction.async):
3196         (anonymous):
3197         (async.anonymous):
3198         * test262/expectations.yaml:
3199
3200 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3201
3202         Unreviewed, rolling out r237242.
3203         https://bugs.webkit.org/show_bug.cgi?id=190701
3204
3205         it breaks "stress/sampling-profiler-basic.js" (Requested by
3206         caiolima on #webkit).
3207
3208         Reverted changeset:
3209
3210         "[BigInt] Add ValueSub into DFG"
3211         https://bugs.webkit.org/show_bug.cgi?id=186176
3212         https://trac.webkit.org/changeset/237242
3213
3214 2018-10-17  Keith Miller  <keith_miller@apple.com>
3215
3216         AI does not clear Phantom allocation nodes.
3217         https://bugs.webkit.org/show_bug.cgi?id=190694
3218
3219         Reviewed by Saam Barati.
3220
3221         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3222         (Day):
3223         (DaysInYear):
3224         (TimeInYear):
3225         (TimeFromYear):
3226         (DayFromYear):
3227         (InLeapYear):
3228         (YearFromTime):
3229         (WeekDay):
3230         (DaylightSavingTA):
3231         (GetSecondSundayInMarch):
3232         (TimeInMonth):
3233
3234 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3235
3236         [BigInt] Add ValueSub into DFG
3237         https://bugs.webkit.org/show_bug.cgi?id=186176
3238
3239         Reviewed by Yusuke Suzuki.
3240
3241         * stress/big-int-subtraction-jit.js:
3242         * stress/value-sub-big-int-prediction-propagation.js: Added.
3243         * stress/value-sub-big-int-untyped.js: Added.
3244
3245 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3246
3247         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3248         https://bugs.webkit.org/show_bug.cgi?id=190611
3249
3250         Reviewed by Saam Barati.
3251
3252         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3253         to improve test runtime. On ARM/MIPS this test even timed out when running all
3254         tests.
3255
3256         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3257         (test):
3258
3259 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3260
3261         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3262
3263         Unreviewed gardening.
3264
3265         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3266
3267 2018-10-15  Saam barati  <sbarati@apple.com>
3268
3269         Emit fjcvtzs on ARM64E on Darwin
3270         https://bugs.webkit.org/show_bug.cgi?id=184023
3271
3272         Reviewed by Yusuke Suzuki and Filip Pizlo.
3273
3274         * stress/double-to-int32-NaN.js: Added.
3275         (assert):
3276         (foo):
3277
3278 2018-10-15  Saam Barati  <sbarati@apple.com>
3279
3280         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3281         https://bugs.webkit.org/show_bug.cgi?id=190262
3282         <rdar://problem/44986241>
3283
3284         Reviewed by Mark Lam.
3285
3286         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3287         (test):
3288         * stress/slice-array-storage-with-holes.js: Added.
3289         (main):
3290
3291 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3292
3293         Unreviewed, rolling out r237054.
3294         https://bugs.webkit.org/show_bug.cgi?id=190593
3295
3296         "this regressed JetStream 2 by 6% on iOS" (Requested by
3297         saamyjoon on #webkit).
3298
3299         Reverted changeset:
3300
3301         "[JSC] JSC should have "parseFunction" to optimize Function
3302         constructor"
3303         https://bugs.webkit.org/show_bug.cgi?id=190340
3304         https://trac.webkit.org/changeset/237054
3305
3306 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3307
3308         [JSC] JSON.stringify can accept call-with-no-arguments
3309         https://bugs.webkit.org/show_bug.cgi?id=190343
3310
3311         Reviewed by Mark Lam.
3312
3313         * stress/json-stringify-no-arguments.js: Added.
3314         (shouldBe):
3315
3316 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3317
3318         [JSC] JSC should have "parseFunction" to optimize Function constructor
3319         https://bugs.webkit.org/show_bug.cgi?id=190340
3320
3321         Reviewed by Mark Lam.
3322
3323         This patch fixes the line number of syntax errors raised by the Function constructor,
3324         since we now parse the final code only once. And we no longer use block statement
3325         for Function constructor's parsing.
3326
3327         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3328         * stress/function-cache-with-parameters-end-position.js: Added.
3329         (shouldBe):
3330         (shouldThrow):
3331         (i.anonymous):
3332         * stress/function-constructor-name.js: Added.
3333         (shouldBe):
3334         (GeneratorFunction):
3335         (AsyncFunction.async):
3336         (AsyncGeneratorFunction.async):
3337         (anonymous):
3338         (async.anonymous):
3339         * test262/expectations.yaml:
3340
3341 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3342
3343         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3344         https://bugs.webkit.org/show_bug.cgi?id=190426
3345
3346         Unreviewed gardening.
3347
3348         * stress/sampling-profiler-richards.js:
3349
3350 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3351
3352         [ESNext][BigInt] Implement support for "|"
3353         https://bugs.webkit.org/show_bug.cgi?id=186229
3354
3355         Reviewed by Yusuke Suzuki.
3356
3357         * stress/big-int-bitwise-and-jit.js:
3358         * stress/big-int-bitwise-or-general.js: Added.
3359         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3360         * stress/big-int-bitwise-or-jit.js: Added.
3361         * stress/big-int-bitwise-or-memory-stress.js: Added.
3362         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3363         * stress/big-int-bitwise-or-type-error.js: Added.
3364         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3365
3366 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3367
3368         Skip test on systems with limited memory
3369         https://bugs.webkit.org/show_bug.cgi?id=190310
3370
3371         Invoking runDefault adds test to runlist, skipping the test in the next
3372         line does not prevent the test from executing. Change order of lines such
3373         that runDefault is only executed if test is not executed.
3374
3375         Reviewed by Mark Lam.
3376
3377         * stress/regress-190187.js:
3378
3379 2018-10-03  Saam barati  <sbarati@apple.com>
3380
3381         lowXYZ in FTLLower should always filter the type of the incoming edge
3382         https://bugs.webkit.org/show_bug.cgi?id=189939
3383         <rdar://problem/44407030>
3384
3385         Reviewed by Michael Saboff.
3386
3387         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3388         (foo):
3389         (test):
3390
3391 2018-10-03  Mark Lam  <mark.lam@apple.com>
3392
3393         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3394         https://bugs.webkit.org/show_bug.cgi?id=190187
3395         <rdar://problem/42512909>
3396
3397         Reviewed by Michael Saboff.
3398
3399         * stress/regress-190187.js: Added.
3400
3401 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3402
3403         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3404         https://bugs.webkit.org/show_bug.cgi?id=190033
3405
3406         Reviewed by Yusuke Suzuki.
3407
3408         * stress/big-int-to-string.js:
3409
3410 2018-10-01  Mark Lam  <mark.lam@apple.com>
3411
3412         Function.toString() should also copy the source code Functions that are class definitions.
3413         https://bugs.webkit.org/show_bug.cgi?id=190186
3414         <rdar://problem/44733360>
3415
3416         Reviewed by Saam Barati.
3417
3418         * stress/regress-190186.js: Added.
3419
3420 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3421
3422         Split NaN-check into separate test
3423         https://bugs.webkit.org/show_bug.cgi?id=190010
3424
3425         Reviewed by Saam Barati.
3426
3427         DataView exposes NaN-representation, which is not necessarily the same on each
3428         architecture. Therefore move the check of the NaN-representation into its own
3429         file such that we can disable this test on MIPS where NaN-representation can be
3430         different on older CPUs.
3431
3432         * stress/dataview-jit-set-nan.js: Added.
3433         (assert):
3434         (test.storeLittleEndian):
3435         (test.storeBigEndian):
3436         (test.store):
3437         (test):
3438         * stress/dataview-jit-set.js:
3439         (test5):
3440
3441 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3442
3443         Unreviewed, rolling out r236647.
3444         https://bugs.webkit.org/show_bug.cgi?id=190124
3445
3446         Breaking test stress/big-int-to-string.js (Requested by
3447         caiolima_ on #webkit).
3448
3449         Reverted changeset:
3450
3451         "[BigInt] BigInt.proptotype.toString is broken when radix is
3452         power of 2"
3453         https://bugs.webkit.org/show_bug.cgi?id=190033
3454         https://trac.webkit.org/changeset/236647
3455
3456 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3457
3458         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3459         https://bugs.webkit.org/show_bug.cgi?id=190033
3460
3461         Reviewed by Yusuke Suzuki.
3462
3463         * stress/big-int-to-string.js:
3464
3465 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3466
3467         [ESNext][BigInt] Implement support for "&"
3468         https://bugs.webkit.org/show_bug.cgi?id=186228
3469
3470         Reviewed by Yusuke Suzuki.
3471
3472         * stress/big-int-bitwise-and-general.js: Added.
3473         (assert):
3474         (assert.sameValue):
3475         * stress/big-int-bitwise-and-jit.js: Added.
3476         (let.assert.sameValue):
3477         (bigIntBitAnd):
3478         * stress/big-int-bitwise-and-memory-stress.js: Added.
3479         (assert):
3480         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3481         (assert.sameValue):
3482         (let.o.Symbol.toPrimitive):
3483         (catch):
3484         * stress/big-int-bitwise-and-type-error.js: Added.
3485         (assert):
3486         (assertThrowTypeError):
3487         (let.o.valueOf):
3488         (o.valueOf):
3489         (o.toString):
3490         (o.Symbol.toPrimitive):
3491         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3492         (assert.sameValue):
3493         (testBitAnd):
3494         (let.o.Symbol.toPrimitive):
3495         (o.valueOf):
3496         (o.toString):
3497
3498 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3499
3500         JSC test stress/jsc-read.js doesn't support CRLF
3501         https://bugs.webkit.org/show_bug.cgi?id=190063
3502
3503         Reviewed by Yusuke Suzuki.
3504
3505         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3506
3507         * stress/jsc-read.js:
3508         (test):
3509
3510 2018-09-27  Saam barati  <sbarati@apple.com>
3511
3512         Verify the contents of AssemblerBuffer on arm64e
3513         https://bugs.webkit.org/show_bug.cgi?id=190057
3514         <rdar://problem/38916630>
3515
3516         Reviewed by Mark Lam.
3517
3518         * stress/regress-189132.js:
3519
3520 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3521
3522         Disable test without LLInt on ARMv7
3523         https://bugs.webkit.org/show_bug.cgi?id=190037
3524
3525         Reviewed by Mark Lam.
3526
3527         Test runs out of executable memory on ARMv7, do not run
3528         this test without LLInt enabled.
3529
3530         * stress/regress-169445.js:
3531
3532 2018-09-26  Keith Miller  <keith_miller@apple.com>
3533
3534         We should zero unused property storage when rebalancing array storage.
3535         https://bugs.webkit.org/show_bug.cgi?id=188151
3536
3537         Reviewed by Michael Saboff.
3538
3539         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3540
3541 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3542
3543         [JSC] Optimize Array#lastIndexOf
3544         https://bugs.webkit.org/show_bug.cgi?id=189780
3545
3546         Reviewed by Saam Barati.
3547
3548         * stress/array-lastindexof-array-prototype-trap.js: Added.
3549         (shouldBe):
3550         (AncestorArray.prototype.get 2):
3551         (AncestorArray):
3552         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3553         (shouldBe):
3554         * stress/array-lastindexof-hole-nan.js: Added.
3555         (shouldBe):
3556         (throw.new.Error):
3557         * stress/array-lastindexof-infinity.js: Added.
3558         (shouldBe):
3559         (throw.new.Error):
3560         * stress/array-lastindexof-negative-zero.js: Added.
3561         (shouldBe):
3562         (throw.new.Error):
3563         * stress/array-lastindexof-own-getter.js: Added.
3564         (shouldBe):
3565         (throw.new.Error.get array):
3566         (get array):
3567         * stress/array-lastindexof-prototype-trap.js: Added.
3568         (shouldBe):
3569         (DerivedArray.prototype.get 2):
3570         (DerivedArray):
3571
3572 2018-09-25  Saam Barati  <sbarati@apple.com>
3573
3574         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3575         https://bugs.webkit.org/show_bug.cgi?id=189940
3576         <rdar://problem/43640987>
3577
3578         Reviewed by Mark Lam.
3579
3580         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3581
3582 2018-09-24  Saam Barati  <sbarati@apple.com>
3583
3584         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3585         https://bugs.webkit.org/show_bug.cgi?id=189922
3586         <rdar://problem/44651275>
3587
3588         Reviewed by Mark Lam.
3589
3590         * stress/array-indexof-fast-path-effects.js: Added.
3591         * stress/array-indexof-cached-length.js: Added.
3592
3593 2018-09-24  Saam barati  <sbarati@apple.com>
3594
3595         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3596         https://bugs.webkit.org/show_bug.cgi?id=189682
3597         <rdar://problem/43557315>
3598
3599         Reviewed by Mark Lam.
3600
3601         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3602         (foo):
3603
3604 2018-09-22  Saam barati  <sbarati@apple.com>
3605
3606         The sampling should not use Strong<CodeBlock> in its machineLocation field
3607         https://bugs.webkit.org/show_bug.cgi?id=189319
3608
3609         Reviewed by Filip Pizlo.
3610
3611         * stress/sampling-profiler-richards.js: Added.
3612
3613 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3614
3615         [JSC] Optimize Array#indexOf in C++ runtime
3616         https://bugs.webkit.org/show_bug.cgi?id=189507
3617
3618         Reviewed by Saam Barati.
3619
3620         * stress/array-indexof-array-prototype-trap.js: Added.
3621         (shouldBe):
3622         (AncestorArray.prototype.get 2):
3623         (AncestorArray):
3624         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3625         (shouldBe):
3626         * stress/array-indexof-hole-nan.js: Added.
3627         (shouldBe):
3628         (throw.new.Error):
3629         * stress/array-indexof-infinity.js: Added.
3630         (shouldBe):
3631         (throw.new.Error):
3632         * stress/array-indexof-negative-zero.js: Added.
3633         (shouldBe):
3634         (throw.new.Error):
3635         * stress/array-indexof-own-getter.js: Added.
3636         (shouldBe):
3637         (throw.new.Error.get array):
3638         (get array):
3639         * stress/array-indexof-prototype-trap.js: Added.
3640         (shouldBe):
3641         (DerivedArray.prototype.get 2):
3642         (DerivedArray):
3643
3644 2018-09-19  Saam barati  <sbarati@apple.com>
3645
3646         AI rule for MultiPutByOffset executes its effects in the wrong order
3647         https://bugs.webkit.org/show_bug.cgi?id=189757
3648         <rdar://problem/43535257>
3649
3650         Reviewed by Michael Saboff.
3651
3652         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3653         (foo):
3654         (Foo):
3655         (g):
3656
3657 2018-09-17  Mark Lam  <mark.lam@apple.com>
3658
3659         Ensure that ForInContexts are invalidated if their loop local is over-written.
3660         https://bugs.webkit.org/show_bug.cgi?id=189571
3661         <rdar://problem/44402277>
3662
3663         Reviewed by Saam Barati.
3664
3665         * stress/regress-189571.js: Added.
3666
3667 2018-09-17  Saam barati  <sbarati@apple.com>
3668
3669         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3670         https://bugs.webkit.org/show_bug.cgi?id=189676
3671         <rdar://problem/39682897>
3672
3673         Reviewed by Michael Saboff.
3674
3675         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3676         (A):
3677         (K):
3678         (i.catch):
3679
3680 2018-09-14  Saam barati  <sbarati@apple.com>
3681
3682         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3683         https://bugs.webkit.org/show_bug.cgi?id=189628
3684         <rdar://problem/39481690>
3685
3686         Reviewed by Mark Lam.
3687
3688         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3689         (foo):
3690
3691 2018-09-11  Mark Lam  <mark.lam@apple.com>
3692
3693         Test for array initialization in arrayProtoFuncSplice.
3694         https://bugs.webkit.org/show_bug.cgi?id=170253
3695         <rdar://problem/31328773>
3696
3697         Rubber-stamped by Saam Barati.
3698
3699         * stress/regress-170253.js: Added.
3700
3701 2018-09-11  Mark Lam  <mark.lam@apple.com>
3702
3703         Test for IntlObject initialization.
3704         https://bugs.webkit.org/show_bug.cgi?id=170251
3705         <rdar://problem/31328419>
3706
3707         Rubber-stamped by Saam Barati.
3708
3709         * stress/regress-170251.js: Added.
3710
3711 2018-09-11  Mark Lam  <mark.lam@apple.com>
3712
3713         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3714         https://bugs.webkit.org/show_bug.cgi?id=169889
3715         <rdar://problem/31155607>
3716
3717         Reviewed by Saam Barati.
3718
3719         * stress/regress-169889-array-concat.js: Added.
3720         * stress/regress-169889-array-concat1.js: Added.
3721         * stress/regress-169889-array-slice.js: Added.
3722
3723 2018-09-11  Mark Lam  <mark.lam@apple.com>
3724
3725         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3726         https://bugs.webkit.org/show_bug.cgi?id=169445
3727         <rdar://problem/30957435>
3728
3729         Reviewed by Saam Barati.
3730
3731         * stress/regress-169445.js: Added.
3732         (let.gun.eval.A):
3733         (let.gun.eval.B.C):
3734         (let.gun.eval.B.C.prototype.trigger):
3735         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3736         (let.gun.eval.B):
3737         (let.gun.eval):
3738
3739 == Rolled over to ChangeLog-2018-09-11 ==