Fixup uses KnownInt32 incorrectly in some nodes
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-14  Saam barati  <sbarati@apple.com>
2
3         Fixup uses KnownInt32 incorrectly in some nodes
4         https://bugs.webkit.org/show_bug.cgi?id=195279
5         <rdar://problem/47915654>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
10         (foo):
11
12 2019-03-14  Keith Miller  <keith_miller@apple.com>
13
14         DFG liveness can't skip tail caller inline frames
15         https://bugs.webkit.org/show_bug.cgi?id=195715
16
17         Reviewed by Saam Barati.
18
19         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
20         (i.foo):
21
22 2019-03-13  Mark Lam  <mark.lam@apple.com>
23
24         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
25         https://bugs.webkit.org/show_bug.cgi?id=195415
26
27         Not reviewed.
28
29         Changed these tests to only run the default configuration.
30         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
31         There's no strong need to run this test on that variant.
32
33         * stress/dfg-to-string-on-int-does-gc.js:
34         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
35
36 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
37
38         String overflow when using StringBuilder in JSC::createError
39         https://bugs.webkit.org/show_bug.cgi?id=194957
40
41         Reviewed by Mark Lam.
42
43         Add test string-overflow-createError-builder.js that overflows
44         StringBuilder in notAFunctionSourceAppender. The second new test
45         string-overflow-createError-fit.js has an error message that doesn't
46         overflow, it still failed since the String's capacity can't be doubled.
47         Run test string-overflow-createError.js only in the default
48         configuration to reduce memory consumption when running the test
49         in all configurations on multiple CPUs in parallel.
50
51         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
52         (catch):
53         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
54         (catch):
55         * stress/string-overflow-createError.js:
56
57 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
58
59         [JSC] OSR entry should respect abstract values in addition to flush formats
60         https://bugs.webkit.org/show_bug.cgi?id=195653
61
62         Reviewed by Mark Lam.
63
64         * stress/osr-entry-locals-none.js: Added.
65
66 2019-03-12  Michael Saboff  <msaboff@apple.com>
67
68         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
69         https://bugs.webkit.org/show_bug.cgi?id=195613
70
71         Reviewed by Mark Lam.
72
73         New regression test.
74
75         * stress/regexp-backref-inbounds.js: Added.
76         (testRegExp):
77
78 2019-03-12  Mark Lam  <mark.lam@apple.com>
79
80         The HasIndexedProperty node does GC.
81         https://bugs.webkit.org/show_bug.cgi?id=195559
82         <rdar://problem/48767923>
83
84         Reviewed by Yusuke Suzuki.
85
86         * stress/HasIndexedProperty-does-gc.js: Added.
87
88 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
89
90         [ESNext][BigInt] Implement "~" unary operation
91         https://bugs.webkit.org/show_bug.cgi?id=182216
92
93         Reviewed by Keith Miller.
94
95         * stress/big-int-bit-not-general.js: Added.
96         * stress/big-int-bitwise-not-jit.js: Added.
97         * stress/big-int-bitwise-not-wrapped-value.js: Added.
98         * stress/bit-op-with-object-returning-int32.js:
99         * stress/bitwise-not-fixup-rules.js: Added.
100         * stress/value-bit-not-ai-rule.js: Added.
101
102 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
103
104         Invalid flags in a RegExp literal should be an early SyntaxError
105         https://bugs.webkit.org/show_bug.cgi?id=195514
106
107         Reviewed by Darin Adler.
108
109         * test262/expectations.yaml:
110         Mark 4 test cases as passing.
111
112         * stress/regexp-syntax-error-invalid-flags.js:
113         * stress/regress-161995.js: Removed.
114         Update existing test, merging in an older test for the same behavior.
115
116 2019-03-08  Mark Lam  <mark.lam@apple.com>
117
118         Stack overflow crash in JSC::JSObject::hasInstance.
119         https://bugs.webkit.org/show_bug.cgi?id=195458
120         <rdar://problem/48710195>
121
122         Reviewed by Yusuke Suzuki.
123
124         * stress/stack-overflow-in-custom-hasInstance.js: Added.
125
126 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
127
128         op_check_tdz does not def its argument
129         https://bugs.webkit.org/show_bug.cgi?id=192880
130         <rdar://problem/46221598>
131
132         Reviewed by Saam Barati.
133
134         * microbenchmarks/let-for-in.js: Added.
135         (foo):
136
137 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
138
139         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
140         https://bugs.webkit.org/show_bug.cgi?id=195429
141
142         Reviewed by Saam Barati.
143
144         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
145         (foo):
146         * stress/string-from-char-code-255.js: Added.
147
148 2019-03-06  Mark Lam  <mark.lam@apple.com>
149
150         Fix incorrect handling of try-finally completion values.
151         https://bugs.webkit.org/show_bug.cgi?id=195131
152         <rdar://problem/46222079>
153
154         Reviewed by Saam Barati and Yusuke Suzuki.
155
156         Added many permutations of new test case to test-finally.js.  test-finally.js has
157         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
158         tests pass there as well.
159
160         * stress/test-finally.js:
161
162 2019-03-06  Saam Barati  <sbarati@apple.com>
163
164         Air::reportUsedRegisters must padInterference
165         https://bugs.webkit.org/show_bug.cgi?id=195303
166         <rdar://problem/48270343>
167
168         Reviewed by Keith Miller.
169
170         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
171
172 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
173
174         [JSC] AI should not propagate AbstractValue relying on constant folding phase
175         https://bugs.webkit.org/show_bug.cgi?id=195375
176
177         Reviewed by Saam Barati.
178
179         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
180         (let.array):
181
182 2019-03-05  Saam barati  <sbarati@apple.com>
183
184         op_switch_char broken for rope strings after JSRopeString layout rewrite
185         https://bugs.webkit.org/show_bug.cgi?id=195339
186         <rdar://problem/48592545>
187
188         Reviewed by Yusuke Suzuki.
189
190         * stress/switch-on-char-llint-rope.js: Added.
191
192 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
193
194         [JSC] Store bits for JSRopeString in 3 stores
195         https://bugs.webkit.org/show_bug.cgi?id=195234
196
197         Reviewed by Saam Barati.
198
199         * stress/null-rope-and-collectors.js: Added.
200
201 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
202
203         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
204         https://bugs.webkit.org/show_bug.cgi?id=195207
205
206         Unreviewed. After test runtime was reduced in r242213, test can be
207         run again on ARM/MIPS.
208
209         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
210
211 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
212
213         [JSC] sizeof(JSString) should be 16
214         https://bugs.webkit.org/show_bug.cgi?id=194375
215
216         Reviewed by Saam Barati.
217
218         * microbenchmarks/make-rope.js: Added.
219         (makeRope):
220         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
221         (returnRope.helper): Deleted.
222         (returnRope): Deleted.
223
224 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
225
226         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
227         https://bugs.webkit.org/show_bug.cgi?id=195144
228
229         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
230         Change the number from 1e8 to 1e5.
231
232         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
233         (foo):
234
235 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
236
237         Test times out on ARM/MIPS
238         https://bugs.webkit.org/show_bug.cgi?id=195168
239
240         Unreviewed. Skip test on ARM/MIPS.
241
242         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
243
244 2019-02-27  Mark Lam  <mark.lam@apple.com>
245
246         The parser is failing to record the token location of new in new.target.
247         https://bugs.webkit.org/show_bug.cgi?id=195127
248         <rdar://problem/39645578>
249
250         Reviewed by Yusuke Suzuki.
251
252         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
253
254 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
257         https://bugs.webkit.org/show_bug.cgi?id=195144
258         <rdar://problem/47595961>
259
260         Reviewed by Mark Lam.
261
262         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
263         (bar):
264         (foo):
265         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
266         (bar):
267         (foo):
268
269 2019-02-27  Robin Morisset  <rmorisset@apple.com>
270
271         DFG: Loop-invariant code motion (LICM) should not hoist dead code
272         https://bugs.webkit.org/show_bug.cgi?id=194945
273         <rdar://problem/48311657>
274
275         Reviewed by Mark Lam.
276
277         * stress/licm-dead-code.js: Added.
278
279 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
280
281         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
282         https://bugs.webkit.org/show_bug.cgi?id=194677
283         <rdar://problem/48112492>
284
285         Reviewed by Mark Lam.
286
287         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
288         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
289         it immediately fails due to the large size.
290
291         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
292         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
293         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
294         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
295
296         This patch changes the test to produce 16bit string from String.fromCharCode.
297
298         * stress/regress-178386.js:
299
300 2019-02-26  Mark Lam  <mark.lam@apple.com>
301
302         wasmToJS() should purify incoming NaNs.
303         https://bugs.webkit.org/show_bug.cgi?id=194807
304         <rdar://problem/48189132>
305
306         Reviewed by Saam Barati.
307
308         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
309
310 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
311
312         [JSC] Repeat string created from Array.prototype.join() take too much memory
313         https://bugs.webkit.org/show_bug.cgi?id=193912
314
315         Reviewed by Saam Barati.
316
317         Added a test and a microbenchmark for corner cases of
318         Array.prototype.join() with an uninitialized array.
319
320         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
321         * stress/array-prototype-join-uninitialized.js: Added.
322         (testArray):
323         (testABC):
324         (B):
325         (C):
326
327 2019-02-22  Robin Morisset  <rmorisset@apple.com>
328
329         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
330         https://bugs.webkit.org/show_bug.cgi?id=194953
331         <rdar://problem/47595253>
332
333         Reviewed by Saam Barati.
334
335         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
336
337         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
338
339 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
340
341         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
342         https://bugs.webkit.org/show_bug.cgi?id=172848
343         <rdar://problem/25709212>
344
345         Reviewed by Mark Lam.
346
347         * typeProfiler/inheritance.js:
348         Rewrite the test slightly for clarity. The hoisting was confusing.
349
350         * heapProfiler/class-names.js: Added.
351         (MyES5Class):
352         (MyES6Class):
353         (MyES6Subclass):
354         Test object types and improved class names.
355
356         * heapProfiler/driver/driver.js:
357         (CheapHeapSnapshotNode):
358         (CheapHeapSnapshot):
359         (createCheapHeapSnapshot):
360         (HeapSnapshot):
361         (createHeapSnapshot):
362         Update snapshot parsing from version 1 to version 2.
363
364 2019-02-19  Truitt Savell  <tsavell@apple.com>
365
366         Unreviewed, rolling out r241784.
367
368         Broke all OpenSource builds.
369
370         Reverted changeset:
371
372         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
373         instances view"
374         https://bugs.webkit.org/show_bug.cgi?id=172848
375         https://trac.webkit.org/changeset/241784
376
377 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
378
379         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
380         https://bugs.webkit.org/show_bug.cgi?id=172848
381         <rdar://problem/25709212>
382
383         Reviewed by Mark Lam.
384
385         * typeProfiler/inheritance.js:
386         Rewrite the test slightly for clarity. The hoisting was confusing.
387
388         * heapProfiler/class-names.js: Added.
389         (MyES5Class):
390         (MyES6Class):
391         (MyES6Subclass):
392         Test object types and improved class names.
393
394         * heapProfiler/driver/driver.js:
395         (CheapHeapSnapshotNode):
396         (CheapHeapSnapshot):
397         (createCheapHeapSnapshot):
398         (HeapSnapshot):
399         (createHeapSnapshot):
400         Update snapshot parsing from version 1 to version 2.
401
402 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
403
404         [ARM] Fix crash with sampling profiler
405         https://bugs.webkit.org/show_bug.cgi?id=194772
406
407         Reviewed by Mark Lam.
408
409         Do not skip test since crash with sampling profiler is now fixed.
410
411         * stress/sampling-profiler-richards.js:
412
413 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
414
415         [JSC] Add LazyClassStructure::getInitializedOnMainThread
416         https://bugs.webkit.org/show_bug.cgi?id=194784
417         <rdar://problem/48154820>
418
419         Reviewed by Mark Lam.
420
421         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
422         (getProperties):
423         (getRandomProperty):
424         (i.catch):
425
426 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
427
428         [ARM] Test gardening: Test running out of executable memory
429         https://bugs.webkit.org/show_bug.cgi?id=194771
430
431         Unreviewed. Do not run test without LLInt, test is running out of executable
432         memory on ARM otherwise.
433
434         * stress/tagged-template-object-collect.js:
435
436 2019-02-18  Tomas Popela  <tpopela@redhat.com>
437
438         Unreviewed, skip the test on platforms without sampling profiler
439
440         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
441         (platformSupportsSamplingProfiler.foo):
442         (platformSupportsSamplingProfiler.test):
443         (platformSupportsSamplingProfiler):
444         (foo): Deleted.
445         (test): Deleted.
446
447 2019-02-17  Saam Barati  <sbarati@apple.com>
448
449         Deadlock when adding a Structure property transition and then doing incremental marking
450         https://bugs.webkit.org/show_bug.cgi?id=194767
451
452         Reviewed by Mark Lam.
453
454         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
455
456 2019-02-15  Michael Saboff  <msaboff@apple.com>
457
458         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
459         https://bugs.webkit.org/show_bug.cgi?id=194558
460
461         Reviewed by Saam Barati.
462
463         New regression test.
464
465         * stress/regexp-unicode-within-string.js: Added.
466
467 2019-02-15  Mark Lam  <mark.lam@apple.com>
468
469         SamplingProfiler::stackTracesAsJSON() should escape strings.
470         https://bugs.webkit.org/show_bug.cgi?id=194649
471         <rdar://problem/48072386>
472
473         Reviewed by Saam Barati.
474
475         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
476         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
477         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
478         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
479
480 2019-02-15  Robin Morisset  <rmorisset@apple.com>
481         CodeBlock::jettison should clear related watchpoints
482         https://bugs.webkit.org/show_bug.cgi?id=194544
483
484         Reviewed by Mark Lam.
485
486         * stress/regexp-replace-double-watchpoint.js: Added.
487         (foo):
488
489 2019-02-15  Saam barati  <sbarati@apple.com>
490
491         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
492         https://bugs.webkit.org/show_bug.cgi?id=194036
493
494         Reviewed by Yusuke Suzuki.
495
496         * stress/tail-call-many-arguments.js: Added.
497         (foo):
498         (bar):
499
500 2019-02-14  Saam Barati  <sbarati@apple.com>
501
502         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
503         https://bugs.webkit.org/show_bug.cgi?id=194583
504         <rdar://problem/48028140>
505
506         Reviewed by Yusuke Suzuki.
507
508         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
509
510 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
511
512         [JSC] String.fromCharCode's slow path always generates 16bit string
513         https://bugs.webkit.org/show_bug.cgi?id=194466
514
515         Reviewed by Keith Miller.
516
517         * stress/string-from-char-code-slow-path.js: Added.
518         (shouldBe):
519         (testWithLength):
520
521 2019-02-08  Saam barati  <sbarati@apple.com>
522
523         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
524         https://bugs.webkit.org/show_bug.cgi?id=194334
525         <rdar://problem/47844327>
526
527         Reviewed by Mark Lam.
528
529         * stress/check-in-bounds-should-be-a-child-use.js: Added.
530         (func):
531
532 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
533
534         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
535         https://bugs.webkit.org/show_bug.cgi?id=194369
536         <rdar://problem/47813087>
537
538         Reviewed by Saam Barati.
539
540         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
541         (A):
542
543 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
544
545         [JSC] PrivateName to PublicName hash table is wasteful
546         https://bugs.webkit.org/show_bug.cgi?id=194277
547
548         Reviewed by Michael Saboff.
549
550         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
551
552         * ChakraCore.yaml:
553
554 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
555
556         [ARM] Test running out of executable memory
557         https://bugs.webkit.org/show_bug.cgi?id=194285
558
559         Unreviewed. Do not execute test with LLInt disabled, test runs out of
560         executable memory otherwise.
561
562         * stress/class-subclassing-function.js:
563
564 2019-02-04  Robin Morisset  <rmorisset@apple.com>
565
566         when lowering AssertNotEmpty, create the value before creating the patchpoint
567         https://bugs.webkit.org/show_bug.cgi?id=194231
568
569         Reviewed by Saam Barati.
570
571         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
572         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
573         So even tiny changes to this test can change the code path taken.
574
575         * stress/assert-not-empty.js: Added.
576         (foo):
577
578 2019-02-01  Mark Lam  <mark.lam@apple.com>
579
580         Remove invalid assertion in DFG's compileDoubleRep().
581         https://bugs.webkit.org/show_bug.cgi?id=194130
582         <rdar://problem/47699474>
583
584         Reviewed by Saam Barati.
585
586         * stress/constant-fold-double-rep-into-double-constant.js: Added.
587
588 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
589
590         Import latest Test262 updates.
591
592         Rubber-stamped by Keith Miller.
593
594         * test262.yaml: Deleted.
595         * test262/config.yaml:
596         * test262/expectations.yaml:
597         * test262/latest-changes-summary.txt:
598         * test262/test/:
599         * test262/test262-Revision.txt:
600
601 2019-01-30  Robin Morisset  <rmorisset@apple.com>
602
603         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
604         https://bugs.webkit.org/show_bug.cgi?id=194050
605         <rdar://problem/47595592>
606
607         Reviewed by Yusuke Suzuki.
608
609         * stress/object-keys-osr-exit.js: Added.
610         (foo):
611         (catch):
612
613 2019-01-29  Mark Lam  <mark.lam@apple.com>
614
615         ValueRecovery::recover() should purify NaN values it recovers.
616         https://bugs.webkit.org/show_bug.cgi?id=193978
617         <rdar://problem/47625488>
618
619         Reviewed by Saam Barati.
620
621         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
622
623 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
624
625         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
626         https://bugs.webkit.org/show_bug.cgi?id=193713
627
628         * stress/try-get-by-id-should-spill-registers-dfg.js:
629         (let.f.createBuiltin):
630
631 2019-01-28  Mark Lam  <mark.lam@apple.com>
632
633         ToString node actually does GC.
634         https://bugs.webkit.org/show_bug.cgi?id=193920
635         <rdar://problem/46695900>
636
637         Reviewed by Yusuke Suzuki.
638
639         * stress/dfg-to-string-on-int-does-gc.js: Added.
640         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
641         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
642
643 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] NativeErrorConstructor should not have own IsoSubspace
646         https://bugs.webkit.org/show_bug.cgi?id=193713
647
648         Reviewed by Saam Barati.
649
650         Remove @Error use.
651
652         * stress/try-get-by-id-should-spill-registers-dfg.js:
653         (let.f.createBuiltin):
654
655 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
656
657         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
658         https://bugs.webkit.org/show_bug.cgi?id=190693
659
660         Reviewed by Michael Saboff.
661
662         * stress/regress-190693.js: Added.
663         (truth):
664         (assert):
665         (shouldThrowInvalidConstAssignment):
666         (taz):
667
668 2019-01-24  Saam Barati  <sbarati@apple.com>
669
670         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
671         https://bugs.webkit.org/show_bug.cgi?id=193751
672         <rdar://problem/47280215>
673
674         Reviewed by Michael Saboff.
675
676         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
677         (let.thing):
678         (foo.let.hello):
679         (foo):
680
681 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
682
683         [JSC] Reenable baseline JIT on mips
684         https://bugs.webkit.org/show_bug.cgi?id=192983
685
686         Reviewed by Mark Lam.
687
688         Added a new test for a case that was triggering a RELEASE_ASSERT when
689         testing.
690         Disable some slow tests that were already disabled for arm and x86.
691
692         * stress/json-parse-big-object.js: Added.
693         * stress/new-largeish-contiguous-array-with-size.js:
694         * stress/op_add.js:
695         * stress/op_bitand.js:
696         * stress/op_bitor.js:
697         * stress/op_bitxor.js:
698         * stress/op_lshift-ConstVar.js:
699         * stress/op_lshift-VarConst.js:
700         * stress/op_lshift-VarVar.js:
701         * stress/op_mod-ConstVar.js:
702         * stress/op_mod-VarConst.js:
703         * stress/op_mod-VarVar.js:
704         * stress/op_mul-ConstVar.js:
705         * stress/op_mul-VarConst.js:
706         * stress/op_mul-VarVar.js:
707         * stress/op_rshift-ConstVar.js:
708         * stress/op_rshift-VarConst.js:
709         * stress/op_rshift-VarVar.js:
710         * stress/op_sub-ConstVar.js:
711         * stress/op_sub-VarConst.js:
712         * stress/op_sub-VarVar.js:
713         * stress/op_urshift-ConstVar.js:
714         * stress/op_urshift-VarConst.js:
715         * stress/op_urshift-VarVar.js:
716         * stress/sampling-profiler-richards.js:
717         * stress/spread-forward-call-varargs-stack-overflow.js:
718
719 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
720
721         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
722         https://bugs.webkit.org/show_bug.cgi?id=193711
723         <rdar://problem/47250262>
724
725         Reviewed by Saam Barati.
726
727         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
728         (shouldBe):
729         (foo):
730         (bar):
731         (baz):
732
733 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
734
735         Unreviewed, fix initial global lexical binding epoch
736         https://bugs.webkit.org/show_bug.cgi?id=193603
737         <rdar://problem/47380869>
738
739         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
740         (f1.f2.f3.f4):
741         (f1.f2.f3):
742         (f1.f2):
743         (f1):
744
745 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
746
747         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
748         https://bugs.webkit.org/show_bug.cgi?id=193709
749         <rdar://problem/47363838>
750
751         Unreviewed, rollout to watch the tests.
752
753         * stress/object-tostring-changed-proto.js: Removed.
754         * stress/object-tostring-changed.js: Removed.
755         * stress/object-tostring-misc.js: Removed.
756         * stress/object-tostring-other.js: Removed.
757         * stress/object-tostring-untyped.js: Removed.
758
759 2019-01-22  Saam Barati  <sbarati@apple.com>
760
761         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
762
763         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
764         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
765         (testUncheckedLessThanZero):
766         (testUncheckedLessThanOrEqualZero):
767         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
768         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
769
770 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
771
772         [JSC] Invalidate old scope operations using global lexical binding epoch
773         https://bugs.webkit.org/show_bug.cgi?id=193603
774         <rdar://problem/47380869>
775
776         Reviewed by Saam Barati.
777
778         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
779         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
780         (shouldThrow):
781         (bar):
782         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
783         (shouldBe):
784         (get1):
785         (get2):
786         (get1If):
787         (get2If):
788         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
789         (shouldThrow):
790         (foo):
791
792 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
793
794         Unreviewed, roll out r240220 due to date-format-xparb regression
795         https://bugs.webkit.org/show_bug.cgi?id=193603
796
797         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
798         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
799         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
800         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
801
802 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
803
804         DoesGC rule is wrong for nodes with BigIntUse
805         https://bugs.webkit.org/show_bug.cgi?id=193652
806
807         Reviewed by Saam Barati.
808
809         * stress/big-int-value-op-update-gc-rules.js: Added.
810         (assert):
811         (doesGCAdd):
812         (doesGCSub):
813         (doesGCDiv):
814         (doesGCMul):
815         (doesGCBitAnd):
816         (doesGCBitOr):
817         (doesGCBitXor):
818
819 2019-01-20  Saam Barati  <sbarati@apple.com>
820
821         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
822         https://bugs.webkit.org/show_bug.cgi?id=193644
823         <rdar://problem/46209745>
824
825         Reviewed by Yusuke Suzuki.
826
827         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
828         (foo):
829         * stress/data-view-set-intrinsic-undefined-result.js: Added.
830         (foo):
831         (bar):
832
833 2019-01-20  Saam Barati  <sbarati@apple.com>
834
835         MovHint must merge NodeBytecodeUsesAsValue for its child
836         https://bugs.webkit.org/show_bug.cgi?id=186916
837         <rdar://problem/41396612>
838
839         Reviewed by Yusuke Suzuki.
840
841         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
842         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
843
844 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
845
846         [JSC] Invalidate old scope operations using global lexical binding epoch
847         https://bugs.webkit.org/show_bug.cgi?id=193603
848         <rdar://problem/47380869>
849
850         Reviewed by Saam Barati.
851
852         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
853         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
854         (shouldThrow):
855         (bar):
856         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
857         (shouldBe):
858         (get1):
859         (get2):
860         (get1If):
861         (get2If):
862         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
863         (shouldThrow):
864         (foo):
865
866 2019-01-17  Saam barati  <sbarati@apple.com>
867
868         StringObjectUse should not be a structure check for the original string object structure
869         https://bugs.webkit.org/show_bug.cgi?id=193483
870         <rdar://problem/47280522>
871
872         Reviewed by Yusuke Suzuki.
873
874         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
875         (foo):
876         (a.valueOf.0):
877
878 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
879
880         [JSC] ToThis omission in DFGByteCodeParser is wrong
881         https://bugs.webkit.org/show_bug.cgi?id=193513
882         <rdar://problem/45842236>
883
884         Reviewed by Saam Barati.
885
886         * stress/to-this-omission-with-different-strict-modes.js: Added.
887         (thisA):
888         (thisAStrictWrapper):
889
890 2019-01-15  Mark Lam  <mark.lam@apple.com>
891
892         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
893         https://bugs.webkit.org/show_bug.cgi?id=193423
894         <rdar://problem/46209355>
895
896         Reviewed by Saam Barati.
897
898         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
899         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
900         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
901         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
902
903 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
904
905         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
906         https://bugs.webkit.org/show_bug.cgi?id=193438
907         <rdar://problem/45581249>
908
909         Reviewed by Saam Barati and Keith Miller.
910
911         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
912         Then, GetByVal(String) crashed.
913
914         * stress/string-get-by-val-lowering.js: Added.
915         (shouldBe):
916         (test):
917         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
918         (Hello):
919         (foo):
920
921 2019-01-15  Tomas Popela  <tpopela@redhat.com>
922
923         Unreviewed, skip JIT tests if it's not enabled
924
925         * stress/bit-op-with-object-returning-int32.js:
926
927 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
928
929         DFGByteCodeParser rules for bitwise operations should consider type of their operands
930         https://bugs.webkit.org/show_bug.cgi?id=192966
931
932         Reviewed by Yusuke Suzuki.
933
934         * stress/bit-op-with-object-returning-int32.js: Added.
935
936 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
937
938         Skip a slow test and a flakey test on arm
939
940         Unreviewed gardening.
941
942         * typeProfiler/getter-richards.js:
943         this test always times out, it used to be always skipped on arm and
944         mips, but got accidentally enabled by r237919 now that we have DFG on
945         arm. Also skipping on mips as we plan to soon enable DFG for it too.
946
947 2019-01-14  Keith Miller  <keith_miller@apple.com>
948
949         Skip type-check-hoisting-phase-hoist... with no jit
950         https://bugs.webkit.org/show_bug.cgi?id=193421
951
952         Reviewed by Mark Lam.
953
954         It's timing out the 32-bit bots and takes 330 seconds
955         on my machine when run by itself.
956
957         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
958
959 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
960
961         [JSC] AI should check the given constant's array type when folding GetByVal into constant
962         https://bugs.webkit.org/show_bug.cgi?id=193413
963         <rdar://problem/46092389>
964
965         Reviewed by Keith Miller.
966
967         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
968         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
969         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
970         but GetByVal does not have appropriate ArrayModes, JSC crashes.
971
972         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
973         (compareArray):
974
975 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
976
977         [BigInt] Literal parsing is crashing when used inside a Object Literal
978         https://bugs.webkit.org/show_bug.cgi?id=193404
979
980         Reviewed by Yusuke Suzuki.
981
982         * stress/big-int-literal-inside-literal-object.js: Added.
983
984 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
985
986         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
987         https://bugs.webkit.org/show_bug.cgi?id=193372
988
989         Reviewed by Saam Barati.
990
991         * stress/typed-array-array-modes-profile.js: Added.
992         (foo):
993
994 2019-01-14  Mark Lam  <mark.lam@apple.com>
995
996         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
997         https://bugs.webkit.org/show_bug.cgi?id=193402
998         <rdar://problem/46012309>
999
1000         Reviewed by Keith Miller.
1001
1002         * stress/regexp-compile-oom.js:
1003         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1004           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1005
1006 2019-01-11  Saam barati  <sbarati@apple.com>
1007
1008         DFG combined liveness can be wrong for terminal basic blocks
1009         https://bugs.webkit.org/show_bug.cgi?id=193304
1010         <rdar://problem/45268632>
1011
1012         Reviewed by Yusuke Suzuki.
1013
1014         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1015
1016 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1017
1018         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1019         https://bugs.webkit.org/show_bug.cgi?id=193308
1020         <rdar://problem/45546542>
1021
1022         Reviewed by Saam Barati.
1023
1024         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1025         (shouldThrow):
1026         (shouldBe):
1027         (foo):
1028         (get shouldThrow):
1029         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1030         (shouldThrow):
1031         (shouldBe):
1032         (foo):
1033         (get shouldBe):
1034         (get shouldThrow):
1035         (get return):
1036         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1037         (shouldThrow):
1038         (shouldBe):
1039         (foo):
1040         (get shouldBe):
1041         (get shouldThrow):
1042         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1043         (shouldThrow):
1044         (shouldBe):
1045         (foo):
1046         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1047         (shouldThrow):
1048         (shouldBe):
1049         (foo):
1050         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1051         (shouldThrow):
1052         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1053         (shouldThrow):
1054         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1055         (shouldThrow):
1056         (shouldBe):
1057         (foo):
1058         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1059         (shouldThrow):
1060         (shouldBe):
1061         (foo):
1062         (get shouldBe):
1063         (get shouldThrow):
1064         (get return):
1065         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1066         (shouldThrow):
1067         (shouldBe):
1068         (foo):
1069         (get shouldBe):
1070         (get shouldThrow):
1071         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1072         (shouldThrow):
1073         (shouldBe):
1074         (foo):
1075         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1076         (shouldThrow):
1077         (shouldBe):
1078         (foo):
1079
1080 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1081
1082         Enable DFG on ARM/Linux again
1083         https://bugs.webkit.org/show_bug.cgi?id=192496
1084
1085         Reviewed by Yusuke Suzuki.
1086
1087         Test wasn't really skipped before moving the line with skip
1088         to the top.
1089
1090         * stress/regress-192717.js:
1091
1092 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1093
1094         Unreviewed, rolling out r239825.
1095         https://bugs.webkit.org/show_bug.cgi?id=193330
1096
1097         Broke tests on armv7/linux bots (Requested by guijemont on
1098         #webkit).
1099
1100         Reverted changeset:
1101
1102         "Enable DFG on ARM/Linux again"
1103         https://bugs.webkit.org/show_bug.cgi?id=192496
1104         https://trac.webkit.org/changeset/239825
1105
1106 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1107
1108         Enable DFG on ARM/Linux again
1109         https://bugs.webkit.org/show_bug.cgi?id=192496
1110
1111         Reviewed by Yusuke Suzuki.
1112
1113         Test wasn't really skipped before moving the line with skip
1114         to the top.
1115
1116         * stress/regress-192717.js:
1117
1118 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1119
1120         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1121         https://bugs.webkit.org/show_bug.cgi?id=193127
1122
1123         Reviewed by Saam Barati.
1124
1125         * stress/array-species-create-should-handle-masquerader.js: Added.
1126         (shouldThrow):
1127         * stress/is-undefined-or-null-builtin.js: Added.
1128         (shouldBe):
1129         (isUndefinedOrNull.vm.createBuiltin):
1130
1131 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1132
1133         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1134         https://bugs.webkit.org/show_bug.cgi?id=193221
1135
1136         Reviewed by Mark Lam.
1137
1138         * stress/put-by-id-flags.js: Added.
1139         (f):
1140         (g):
1141         (numberOfDFGCompiles):
1142
1143 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1144
1145         Baseline version of get_by_id may corrupt metadata
1146         https://bugs.webkit.org/show_bug.cgi?id=193085
1147         <rdar://problem/23453006>
1148
1149         Reviewed by Saam Barati.
1150
1151         * stress/get-by-id-change-mode.js: Added.
1152         (forEach):
1153
1154 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1155
1156         [JSC] Optimize Object.prototype.toString
1157         https://bugs.webkit.org/show_bug.cgi?id=193031
1158
1159         Reviewed by Saam Barati.
1160
1161         * stress/object-tostring-changed-proto.js: Added.
1162         (shouldBe):
1163         (test):
1164         * stress/object-tostring-changed.js: Added.
1165         (shouldBe):
1166         (test):
1167         * stress/object-tostring-misc.js: Added.
1168         (shouldBe):
1169         (test):
1170         (i.switch):
1171         * stress/object-tostring-other.js: Added.
1172         (shouldBe):
1173         (test):
1174         * stress/object-tostring-untyped.js: Added.
1175         (shouldBe):
1176         (test):
1177         (i.switch):
1178
1179 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1180
1181         test262-runner misbehaves when test file YAML has a trailing space
1182         https://bugs.webkit.org/show_bug.cgi?id=193053
1183
1184         Reviewed by Yusuke Suzuki.
1185
1186         * test262/expectations.yaml:
1187         Mark two dozen tests as passing (and correct the output of another).
1188
1189 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1190
1191         Unreviewed, JSTests gardening with memoryLimited
1192
1193         * stress/string-overflow-createError.js:
1194
1195 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1196
1197         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1198         https://bugs.webkit.org/show_bug.cgi?id=193050
1199
1200         Reviewed by Yusuke Suzuki.
1201
1202         * test262.yaml:
1203         * test262/expectations.yaml:
1204         Mark 16 tests as passing.
1205
1206 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1207
1208         [BigInt] Support BigInt in JSON.stringify
1209         https://bugs.webkit.org/show_bug.cgi?id=192624
1210
1211         Reviewed by Saam Barati.
1212
1213         * stress/big-int-json-stringify-to-json.js: Added.
1214         (shouldBe):
1215         (shouldThrow):
1216         (BigInt.prototype.toJSON):
1217         (shouldBe.JSON.stringify):
1218         * stress/big-int-json-stringify.js: Added.
1219         (shouldBe):
1220         (shouldThrow):
1221
1222 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1223
1224         [JSC] Implement "well-formed JSON.stringify" proposal
1225         https://bugs.webkit.org/show_bug.cgi?id=191677
1226
1227         Reviewed by Darin Adler.
1228
1229         * stress/json-surrogate-pair.js: Added.
1230         (shouldBe):
1231         * test262/expectations.yaml:
1232
1233 2018-12-20  Keith Miller  <keith_miller@apple.com>
1234
1235         Add support for globalThis
1236         https://bugs.webkit.org/show_bug.cgi?id=165171
1237
1238         Reviewed by Mark Lam.
1239
1240         * test262/config.yaml:
1241
1242 2018-12-19  Keith Miller  <keith_miller@apple.com>
1243
1244         Update test262 configuration to not run tests dependent on ICU version.
1245         https://bugs.webkit.org/show_bug.cgi?id=192920
1246
1247         Reviewed by Saam Barati.
1248
1249         * test262/expectations.yaml:
1250
1251 2018-12-20  Mark Lam  <mark.lam@apple.com>
1252
1253         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1254         https://bugs.webkit.org/show_bug.cgi?id=192939
1255         <rdar://problem/46869516>
1256
1257         Reviewed by Keith Miller.
1258
1259         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1260
1261 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1262
1263         WTF::String and StringImpl overflow MaxLength
1264         https://bugs.webkit.org/show_bug.cgi?id=192853
1265         <rdar://problem/45726906>
1266
1267         Reviewed by Mark Lam.
1268
1269         * stress/string-16bit-repeat-overflow.js: Added.
1270         (catch):
1271
1272 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1273
1274         Unreviewed follow-up to r192914.
1275
1276         * test262/expectations.yaml:
1277         Add the last 20 missing expectations.
1278
1279 2018-12-19  Keith Miller  <keith_miller@apple.com>
1280
1281         Fix test262 expectations
1282         https://bugs.webkit.org/show_bug.cgi?id=192914
1283
1284         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1285
1286         * test262/expectations.yaml:
1287
1288 2018-12-19  Keith Miller  <keith_miller@apple.com>
1289
1290         Update test262 tests.
1291         https://bugs.webkit.org/show_bug.cgi?id=192907
1292
1293         Rubber stamped by Mark Lam.
1294
1295         * test262/*: Omitted because prepare-changelog crashes.
1296
1297 2018-12-19  Mark Lam  <mark.lam@apple.com>
1298
1299         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1300         https://bugs.webkit.org/show_bug.cgi?id=192464
1301         <rdar://problem/46519455>
1302
1303         Reviewed by Saam Barati.
1304
1305         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1306         microbenchmark.
1307
1308         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1309         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1310
1311 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1312
1313         String overflow in JSC::createError results in ASSERT in WTF::makeString
1314         https://bugs.webkit.org/show_bug.cgi?id=192833
1315         <rdar://problem/45706868>
1316
1317         Reviewed by Mark Lam.
1318
1319         * stress/string-overflow-createError.js: Added.
1320
1321 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1322
1323         Error message for `-x ** y` contains a typo.
1324         https://bugs.webkit.org/show_bug.cgi?id=192832
1325
1326         Reviewed by Saam Barati.
1327
1328         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1329         (assert.assert.return.throws):
1330         * stress/pow-expects-update-expression-on-lhs.js:
1331         (throw.new.Error):
1332         Update test expectations which match against the exact error message.
1333
1334 2018-12-18  Mark Lam  <mark.lam@apple.com>
1335
1336         Gardening: test options fix.
1337         https://bugs.webkit.org/show_bug.cgi?id=192822
1338
1339         Unreviewed.
1340
1341         * stress/json-stringify-string-builder-overflow.js:
1342
1343 2018-12-18  Mark Lam  <mark.lam@apple.com>
1344
1345         JSON.stringify() should throw OOM on StringBuilder overflows.
1346         https://bugs.webkit.org/show_bug.cgi?id=192822
1347         <rdar://problem/46670577>
1348
1349         Reviewed by Saam Barati.
1350
1351         * stress/json-stringify-string-builder-overflow.js: Added.
1352
1353 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1354
1355         Redeclaration of var over let/const/class should be a syntax error.
1356         https://bugs.webkit.org/show_bug.cgi?id=192298
1357
1358         Reviewed by Keith Miller.
1359
1360         * test262.yaml:
1361         * test262/expectations.yaml:
1362         Mark 46 tests as passing.
1363
1364         * stress/block-scope-redeclarations.js:
1365         Add some new tests.
1366
1367         * stress/for-in-invalidate-context-weird-assignments.js:
1368         * stress/for-in-tests.js:
1369         Replace tests for outdated behavior with tests for SyntaxError.
1370
1371         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1372         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1373         Update expectations.
1374
1375 2018-12-18  Mark Lam  <mark.lam@apple.com>
1376
1377         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1378         https://bugs.webkit.org/show_bug.cgi?id=191374
1379         <rdar://problem/46525447>
1380
1381         Reviewed by Yusuke Suzuki.
1382
1383         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1384
1385         * stress/elidable-new-object-roflcopter-then-exit.js:
1386
1387 2018-12-17  Mark Lam  <mark.lam@apple.com>
1388
1389         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1390         https://bugs.webkit.org/show_bug.cgi?id=192019
1391         <rdar://problem/46525456>
1392
1393         Reviewed by Yusuke Suzuki.
1394
1395         The test runs too slow on 32-bit.
1396
1397         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1398
1399 2018-12-17  Mark Lam  <mark.lam@apple.com>
1400
1401         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1402         https://bugs.webkit.org/show_bug.cgi?id=191373
1403         <rdar://problem/46525458>
1404
1405         Reviewed by Yusuke Suzuki.
1406
1407         The test is already slow running with a JIT on 64-bit.  It will always time out
1408         on 32-bit without a JIT.
1409
1410         * stress/materialize-regexp-cyclic-regexp.js:
1411
1412 2018-12-17  Mark Lam  <mark.lam@apple.com>
1413
1414         Array unshift/shift should not race against the AI in the compiler thread.
1415         https://bugs.webkit.org/show_bug.cgi?id=192795
1416         <rdar://problem/46724263>
1417
1418         Reviewed by Saam Barati.
1419
1420         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1421
1422 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1423
1424         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1425         https://bugs.webkit.org/show_bug.cgi?id=190047
1426
1427         Reviewed by Saam Barati.
1428
1429         * stress/object-keys-cached-zero.js: Added.
1430         (shouldBe):
1431         (test):
1432         * stress/object-keys-changed-attribute.js: Added.
1433         (shouldBe):
1434         (test):
1435         * stress/object-keys-changed-index.js: Added.
1436         (shouldBe):
1437         (test):
1438         * stress/object-keys-changed.js: Added.
1439         (shouldBe):
1440         (test):
1441         * stress/object-keys-indexed-non-cache.js: Added.
1442         (shouldBe):
1443         (test):
1444         * stress/object-keys-overrides-get-property-names.js: Added.
1445         (shouldBe):
1446         (test):
1447         (noInline):
1448
1449 2018-12-17  Mark Lam  <mark.lam@apple.com>
1450
1451         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1452         https://bugs.webkit.org/show_bug.cgi?id=192779
1453         <rdar://problem/46775869>
1454
1455         Reviewed by Saam Barati.
1456
1457         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1458
1459 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1460
1461         Unreviewed test gardening, address a syntax error in a new test.
1462
1463         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1464
1465 2018-12-17  Mark Lam  <mark.lam@apple.com>
1466
1467         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1468         https://bugs.webkit.org/show_bug.cgi?id=192776
1469         <rdar://problem/46772368>
1470
1471         Reviewed by Keith Miller.
1472
1473         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1474
1475 2018-12-17  Mark Lam  <mark.lam@apple.com>
1476
1477         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1478         https://bugs.webkit.org/show_bug.cgi?id=192770
1479         <rdar://problem/46449037>
1480
1481         Reviewed by Keith Miller.
1482
1483         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1484
1485 2018-12-14  Mark Lam  <mark.lam@apple.com>
1486
1487         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1488         https://bugs.webkit.org/show_bug.cgi?id=192717
1489         <rdar://problem/46660677>
1490
1491         Reviewed by Saam Barati.
1492
1493         * stress/regress-192717.js: Added.
1494
1495 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1496
1497         Unreviewed, rolling out r239153, r239154, and r239155.
1498         https://bugs.webkit.org/show_bug.cgi?id=192715
1499
1500         Caused flaky GC-related crashes seen with layout tests
1501         (Requested by ryanhaddad on #webkit).
1502
1503         Reverted changesets:
1504
1505         "[JSC] Optimize Object.keys by caching own keys results in
1506         StructureRareData"
1507         https://bugs.webkit.org/show_bug.cgi?id=190047
1508         https://trac.webkit.org/changeset/239153
1509
1510         "Unreviewed, build fix after r239153"
1511         https://bugs.webkit.org/show_bug.cgi?id=190047
1512         https://trac.webkit.org/changeset/239154
1513
1514         "Unreviewed, build fix after r239153, part 2"
1515         https://bugs.webkit.org/show_bug.cgi?id=190047
1516         https://trac.webkit.org/changeset/239155
1517
1518 2018-12-14  Keith Miller  <keith_miller@apple.com>
1519
1520         Callers of JSString::getIndex should check for OOM exceptions
1521         https://bugs.webkit.org/show_bug.cgi?id=192709
1522
1523         Reviewed by Mark Lam.
1524
1525         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1526
1527 2018-12-13  Mark Lam  <mark.lam@apple.com>
1528
1529         Add a missing exception check.
1530         https://bugs.webkit.org/show_bug.cgi?id=192626
1531         <rdar://problem/46662163>
1532
1533         Reviewed by Keith Miller.
1534
1535         * stress/regress-192626.js: Added.
1536
1537 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1538
1539         [BigInt] Add ValueDiv into DFG
1540         https://bugs.webkit.org/show_bug.cgi?id=186178
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         * stress/big-int-div-jit-osr.js: Added.
1545         * stress/big-int-div-jit-untyped.js: Added.
1546         * stress/value-div-fixup-int32-big-int.js: Added.
1547
1548 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1549
1550         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1551         https://bugs.webkit.org/show_bug.cgi?id=190047
1552
1553         Reviewed by Keith Miller.
1554
1555         * stress/object-keys-cached-zero.js: Added.
1556         (shouldBe):
1557         (test):
1558         * stress/object-keys-changed-attribute.js: Added.
1559         (shouldBe):
1560         (test):
1561         * stress/object-keys-changed-index.js: Added.
1562         (shouldBe):
1563         (test):
1564         * stress/object-keys-changed.js: Added.
1565         (shouldBe):
1566         (test):
1567         * stress/object-keys-indexed-non-cache.js: Added.
1568         (shouldBe):
1569         (test):
1570         * stress/object-keys-overrides-get-property-names.js: Added.
1571         (shouldBe):
1572         (test):
1573         (noInline):
1574
1575 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1576
1577         [DFG][FTL] Add NewSymbol
1578         https://bugs.webkit.org/show_bug.cgi?id=192620
1579
1580         Reviewed by Saam Barati.
1581
1582         * microbenchmarks/symbol-creation.js: Added.
1583         (test):
1584         * stress/symbol-description-identity.js: Added.
1585         (shouldBe):
1586         (test):
1587         * stress/symbol-identity.js: Added.
1588         (shouldBe):
1589         (test):
1590         * stress/symbol-with-description-throw-error.js: Added.
1591         (shouldBe):
1592         (shouldThrow):
1593         (test):
1594         (object.toString):
1595
1596 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1597
1598         [BigInt] Implement DFG/FTL typeof for BigInt
1599         https://bugs.webkit.org/show_bug.cgi?id=192619
1600
1601         Reviewed by Keith Miller.
1602
1603         * stress/big-int-boolean-proven-type.js: Added.
1604         (assert):
1605         (bool):
1606         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1607         (assert):
1608         (typeOf):
1609         (i.switch):
1610         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1611         (assert):
1612         (typeOf):
1613         * stress/big-int-type-of.js:
1614         (typeOf):
1615         (func):
1616
1617 2018-12-10  Mark Lam  <mark.lam@apple.com>
1618
1619         PropertyAttribute needs a CustomValue bit.
1620         https://bugs.webkit.org/show_bug.cgi?id=191993
1621         <rdar://problem/46264467>
1622
1623         Reviewed by Saam Barati.
1624
1625         * stress/regress-191993.js: Added.
1626
1627 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1628
1629         [BigInt] Add ValueMul into DFG
1630         https://bugs.webkit.org/show_bug.cgi?id=186175
1631
1632         Reviewed by Yusuke Suzuki.
1633
1634         * stress/big-int-mul-jit-osr.js: Added.
1635         * stress/big-int-mul-jit-untyped.js: Added.
1636         * stress/value-mul-fixup-int32-big-int.js: Added.
1637
1638 2018-12-06  Keith Miller  <keith_miller@apple.com>
1639
1640         stress/big-wasm-memory tests failing on 32-bit JSC bot
1641         https://bugs.webkit.org/show_bug.cgi?id=192020
1642
1643         Reviewed by Saam Barati.
1644
1645         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1646         the wasm stress tests if the WebAssembly object does not exist.
1647
1648         * stress/big-wasm-memory-grow-no-max.js:
1649         (test.foo):
1650         (test):
1651         (foo): Deleted.
1652         (catch): Deleted.
1653         * stress/big-wasm-memory-grow.js:
1654         (test.foo):
1655         (test):
1656         (foo): Deleted.
1657         (catch): Deleted.
1658         * stress/big-wasm-memory.js:
1659         (test.foo):
1660         (test):
1661         (foo): Deleted.
1662         (catch): Deleted.
1663
1664 2018-12-05  Mark Lam  <mark.lam@apple.com>
1665
1666         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1667         https://bugs.webkit.org/show_bug.cgi?id=192441
1668         <rdar://problem/46480355>
1669
1670         Reviewed by Saam Barati.
1671
1672         * stress/regress-192441.js: Added.
1673
1674 2018-12-04  Mark Lam  <mark.lam@apple.com>
1675
1676         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1677         https://bugs.webkit.org/show_bug.cgi?id=192386
1678         <rdar://problem/46445516>
1679
1680         Reviewed by Saam Barati.
1681
1682         * stress/regress-192386.js: Added.
1683
1684 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1685
1686         [ESNext][BigInt] Support logic operations
1687         https://bugs.webkit.org/show_bug.cgi?id=179903
1688
1689         Reviewed by Yusuke Suzuki.
1690
1691         * stress/big-int-branch-usage.js: Added.
1692         * stress/big-int-logical-and.js: Added.
1693         * stress/big-int-logical-not.js: Added.
1694         * stress/big-int-logical-or.js: Added.
1695
1696 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1697
1698         Unreviewed, rolling out r238833.
1699
1700         Breaks macOS and iOS debug builds.
1701
1702         Reverted changeset:
1703
1704         "[ESNext][BigInt] Support logic operations"
1705         https://bugs.webkit.org/show_bug.cgi?id=179903
1706         https://trac.webkit.org/changeset/238833
1707
1708 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1709
1710         [ESNext][BigInt] Support logic operations
1711         https://bugs.webkit.org/show_bug.cgi?id=179903
1712
1713         Reviewed by Yusuke Suzuki.
1714
1715         * stress/big-int-branch-usage.js: Added.
1716         * stress/big-int-logical-and.js: Added.
1717         * stress/big-int-logical-not.js: Added.
1718         * stress/big-int-logical-or.js: Added.
1719
1720 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1721
1722         [ESNext][BigInt] Implement support for "<<" and ">>"
1723         https://bugs.webkit.org/show_bug.cgi?id=186233
1724
1725         Reviewed by Yusuke Suzuki.
1726
1727         * stress/big-int-left-shift-general.js: Added.
1728         * stress/big-int-left-shift-range-error.js: Added.
1729         * stress/big-int-left-shift-type-error.js: Added.
1730         * stress/big-int-left-shift-wrapped-value.js: Added.
1731         * stress/big-int-right-shift-general.js: Added.
1732         * stress/big-int-right-shift-type-error.js: Added.
1733         * stress/big-int-right-shift-wrapped-value.js: Added.
1734         * stress/left-shift-to-primitive-precedence.js: Added.
1735         * stress/right-shift-to-primitive-precedence.js: Added.
1736
1737 2018-11-30  Dean Jackson  <dino@apple.com>
1738
1739         Add first-class support for .mjs files in jsc binary
1740         https://bugs.webkit.org/show_bug.cgi?id=192190
1741         <rdar://problem/46375715>
1742
1743         Reviewed by Keith Miller.
1744
1745         * stress/simple-module.mjs: Added.
1746         * stress/simple-script.js: Added.
1747
1748 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1749
1750         [BigInt] Implement ValueBitXor into DFG
1751         https://bugs.webkit.org/show_bug.cgi?id=190264
1752
1753         Reviewed by Yusuke Suzuki.
1754
1755         * stress/big-int-bitwise-xor-jit.js: Added.
1756         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1757         * stress/big-int-bitwise-xor-untyped.js: Added.
1758
1759 2018-11-27  Saam barati  <sbarati@apple.com>
1760
1761         r238510 broke scopes of size zero
1762         https://bugs.webkit.org/show_bug.cgi?id=192033
1763         <rdar://problem/46281734>
1764
1765         Reviewed by Keith Miller.
1766
1767         * stress/r238510-bad-loop.js: Added.
1768         (foo):
1769
1770 2018-11-27  Mark Lam  <mark.lam@apple.com>
1771
1772         [Re-landing] NaNs read from Wasm code needs to be purified.
1773         https://bugs.webkit.org/show_bug.cgi?id=191056
1774         <rdar://problem/45660341>
1775
1776         Reviewed by Filip Pizlo.
1777
1778         * wasm/regress/regress-191056.js: Added.
1779
1780 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1781
1782         Unreviewed, rolling out r238509.
1783
1784         Causes JSC tests to fail on iOS.
1785
1786         Reverted changeset:
1787
1788         "NaNs read from Wasm code needs to be purified."
1789         https://bugs.webkit.org/show_bug.cgi?id=191056
1790         https://trac.webkit.org/changeset/238509
1791
1792 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1793
1794         Re-introduce op_bitnot
1795         https://bugs.webkit.org/show_bug.cgi?id=190923
1796
1797         Reviewed by Yusuke Suzuki.
1798
1799         * stress/bit-not-must-generate.js: Added.
1800         * stress/bitwise-not-no-int32.js: Added.
1801
1802 2018-11-26  Saam barati  <sbarati@apple.com>
1803
1804         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1805         https://bugs.webkit.org/show_bug.cgi?id=191956
1806         <rdar://problem/45665806>
1807
1808         Reviewed by Yusuke Suzuki.
1809
1810         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1811         (bar):
1812         (foo):
1813
1814 2018-11-26  Saam barati  <sbarati@apple.com>
1815
1816         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1817         https://bugs.webkit.org/show_bug.cgi?id=191958
1818         <rdar://problem/46221877>
1819
1820         Reviewed by Yusuke Suzuki.
1821
1822         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1823         (x):
1824         (foo):
1825
1826 2018-11-26  Mark Lam  <mark.lam@apple.com>
1827
1828         NaNs read from Wasm code needs to be purified.
1829         https://bugs.webkit.org/show_bug.cgi?id=191056
1830         <rdar://problem/45660341>
1831
1832         Reviewed by Filip Pizlo.
1833
1834         * wasm/regress/regress-191056.js: Added.
1835
1836 2018-11-26  Michael Saboff  <msaboff@apple.com>
1837
1838         32-bit JSC test failure: stress/regexp-compile-oom.js
1839         https://bugs.webkit.org/show_bug.cgi?id=191375
1840
1841         Reviewed by Mark Lam.
1842
1843         Disabled the test for 32 bit platforms.
1844
1845         * stress/regexp-compile-oom.js:
1846
1847 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1848
1849         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1850         https://bugs.webkit.org/show_bug.cgi?id=191716
1851         <rdar://problem/45723878>
1852
1853         Reviewed by Saam Barati.
1854
1855         * stress/regress-187373.js: Added.
1856         (async.fn):
1857
1858 2018-11-21  Saam barati  <sbarati@apple.com>
1859
1860         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1861         https://bugs.webkit.org/show_bug.cgi?id=191897
1862         <rdar://problem/45871998>
1863
1864         Reviewed by Mark Lam.
1865
1866         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1867         (bar):
1868         (foo):
1869
1870 2018-11-21  Saam barati  <sbarati@apple.com>
1871
1872         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1873         https://bugs.webkit.org/show_bug.cgi?id=191895
1874         <rdar://problem/46167406>
1875
1876         Reviewed by Mark Lam.
1877
1878         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1879         (foo):
1880         (bar):
1881
1882 2018-11-21  Mark Lam  <mark.lam@apple.com>
1883
1884         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1885         https://bugs.webkit.org/show_bug.cgi?id=191776
1886         <rdar://problem/46152851>
1887
1888         Reviewed by Saam Barati.
1889
1890         * stress/big-wasm-memory-grow-no-max.js:
1891         * stress/big-wasm-memory-grow.js:
1892         * stress/big-wasm-memory.js:
1893         - updated these to expect an OutOfMemoryError.
1894
1895         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1896         (Binary.prototype.emit_u8):
1897         (Binary.prototype.emit_u32v):
1898         (Binary.prototype.emit_header):
1899         (Binary.prototype.emit_section):
1900         (Binary):
1901         (WasmModuleBuilder):
1902         (WasmModuleBuilder.prototype.addMemory):
1903         (WasmModuleBuilder.prototype.toArray):
1904         (WasmModuleBuilder.prototype.toBuffer):
1905         (WasmModuleBuilder.prototype.instantiate):
1906         (catch):
1907         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1908         (catch):
1909
1910 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1911
1912         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1913         https://bugs.webkit.org/show_bug.cgi?id=190836
1914
1915         Reviewed by Saam Barati and Yusuke Suzuki.
1916
1917         * stress/big-int-out-of-memory-tests.js: Added.
1918
1919 2018-11-20  Mark Lam  <mark.lam@apple.com>
1920
1921         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1922         https://bugs.webkit.org/show_bug.cgi?id=191856
1923         <rdar://problem/46089992>
1924
1925         Reviewed by Yusuke Suzuki.
1926
1927         * stress/regress-191856.js: Added.
1928         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1929
1930 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1931
1932         Enable JIT on ARM/Linux
1933         https://bugs.webkit.org/show_bug.cgi?id=191548
1934
1935         Reviewed by Yusuke Suzuki.
1936
1937         Disable test on system with limited memory. Program was killed by
1938         the OS before the exception was thrown.
1939
1940         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1941
1942 2018-11-20  Saam barati  <sbarati@apple.com>
1943
1944         Merging an IC variant may lead to the IC status containing overlapping structure sets
1945         https://bugs.webkit.org/show_bug.cgi?id=191869
1946         <rdar://problem/45403453>
1947
1948         Reviewed by Mark Lam.
1949
1950         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1951
1952 2018-11-19  Mark Lam  <mark.lam@apple.com>
1953
1954         globalFuncImportModule() should return a promise when it clears exceptions.
1955         https://bugs.webkit.org/show_bug.cgi?id=191792
1956         <rdar://problem/46090763>
1957
1958         Reviewed by Michael Saboff.
1959
1960         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1961
1962 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1963
1964         Skip new memory-hungry tests on memory limited devices
1965
1966         Unreviewed gardening.
1967
1968         * stress/big-wasm-memory-grow-no-max.js:
1969         * stress/big-wasm-memory-grow.js:
1970         * stress/big-wasm-memory.js:
1971
1972 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1973
1974         Unreviewed, rolling in the rest of r237254
1975         https://bugs.webkit.org/show_bug.cgi?id=190340
1976
1977         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1978         * stress/function-cache-with-parameters-end-position.js: Added.
1979         (shouldBe):
1980         (shouldThrow):
1981         (i.anonymous):
1982         * stress/function-constructor-name.js: Added.
1983         (shouldBe):
1984         (GeneratorFunction):
1985         (AsyncFunction.async):
1986         (AsyncGeneratorFunction.async):
1987         (anonymous):
1988         (async.anonymous):
1989         * test262/expectations.yaml:
1990
1991 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1992
1993         All users of ArrayBuffer should agree on the same max size
1994         https://bugs.webkit.org/show_bug.cgi?id=191771
1995
1996         Reviewed by Mark Lam.
1997
1998         * stress/big-wasm-memory-grow-no-max.js: Added.
1999         (foo):
2000         (catch):
2001         * stress/big-wasm-memory-grow.js: Added.
2002         (foo):
2003         (catch):
2004         * stress/big-wasm-memory.js: Added.
2005         (foo):
2006         (catch):
2007
2008 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2009
2010         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2011         run for each JSC config since they're regression tests for runtime bugs.
2012
2013         * stress/json-stringified-overflow-2.js:
2014         * stress/json-stringified-overflow.js:
2015
2016 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2017
2018         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2019         config since they're regression tests for runtime bugs.
2020
2021         * stress/large-unshift-splice.js:
2022         * stress/regress-185888.js:
2023
2024 2018-11-16  Saam Barati  <sbarati@apple.com>
2025
2026         KnownCellUse should also have SpecCellCheck as its type filter
2027         https://bugs.webkit.org/show_bug.cgi?id=191729
2028         <rdar://problem/45872852>
2029
2030         Reviewed by Filip Pizlo.
2031
2032         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2033         (C):
2034
2035 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2036
2037         Fix assertion failure on BytecodeGenerator::recordOpcode
2038         https://bugs.webkit.org/show_bug.cgi?id=191724
2039         <rdar://problem/45724395>
2040
2041         Reviewed by Saam Barati.
2042
2043         * stress/regress-187373-2.js: Added.
2044         (foo):
2045
2046 2018-11-15  Mark Lam  <mark.lam@apple.com>
2047
2048         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2049         https://bugs.webkit.org/show_bug.cgi?id=191730
2050         <rdar://problem/46048517>
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/regress-187006.js: Removed.
2055           - this test is invalid because its sole purpose is to test for the non-spec
2056             compliant behavior that we just fixed.
2057
2058         * stress/regress-191730.js: Added.
2059
2060 2018-11-15  Mark Lam  <mark.lam@apple.com>
2061
2062         RegExp operations should not take fast path if lastIndex is not numeric.
2063         https://bugs.webkit.org/show_bug.cgi?id=191731
2064         <rdar://problem/46017305>
2065
2066         Reviewed by Saam Barati.
2067
2068         * stress/regress-191731.js: Added.
2069
2070 2018-11-13  Saam Barati  <sbarati@apple.com>
2071
2072         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2073         https://bugs.webkit.org/show_bug.cgi?id=191600
2074
2075         Reviewed by Mark Lam.
2076
2077         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2078         (foo):
2079         (test):
2080         (bar):
2081
2082 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2083
2084         Unreviewed, rolling out r238132.
2085
2086         The test added with this change is timing out on Debug JSC
2087         bots.
2088
2089         Reverted changeset:
2090
2091         "[BigInt] JSBigInt::createWithLength should throw when length
2092         is greater than JSBigInt::maxLength"
2093         https://bugs.webkit.org/show_bug.cgi?id=190836
2094         https://trac.webkit.org/changeset/238132
2095
2096 2018-11-13  Mark Lam  <mark.lam@apple.com>
2097
2098         Add OOM detection to StringPrototype's substituteBackreferences().
2099         https://bugs.webkit.org/show_bug.cgi?id=191563
2100         <rdar://problem/45720428>
2101
2102         Reviewed by Saam Barati.
2103
2104         * stress/regress-191563.js: Added.
2105
2106 2018-11-13  Mark Lam  <mark.lam@apple.com>
2107
2108         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2109         https://bugs.webkit.org/show_bug.cgi?id=191579
2110         <rdar://problem/45942472>
2111
2112         Reviewed by Saam Barati.
2113
2114         * stress/regress-191579.js: Added.
2115
2116 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2117
2118         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2119         https://bugs.webkit.org/show_bug.cgi?id=190836
2120
2121         Reviewed by Saam Barati.
2122
2123         * stress/big-int-out-of-memory-tests.js: Added.
2124
2125 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2126
2127         U+180E is no longer a whitespace character
2128         https://bugs.webkit.org/show_bug.cgi?id=191415
2129
2130         Reviewed by Saam Barati.
2131
2132         * ChakraCore/test/es5/regexSpace.baseline:
2133         * ChakraCore/test/es6/unicode_whitespace.js:
2134         Update tests to latest version.
2135         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2136
2137         * test262.yaml:
2138         * test262/config.yaml:
2139         * test262/expectations.yaml:
2140         Update expectations.
2141
2142 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2143
2144         [BigInt] Add support to BigInt into ValueAdd
2145         https://bugs.webkit.org/show_bug.cgi?id=186177
2146
2147         Reviewed by Keith Miller.
2148
2149         * stress/big-int-negate-jit.js:
2150         * stress/value-add-big-int-and-string.js: Added.
2151         * stress/value-add-big-int-prediction-propagation.js: Added.
2152         * stress/value-add-big-int-untyped.js: Added.
2153
2154 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2155
2156         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2157         https://bugs.webkit.org/show_bug.cgi?id=191184
2158
2159         Reviewed by Saam Barati.
2160
2161         Most tests were failing due to timeouts, since they are too slow to
2162         run on CLoop. The exceptions are:
2163
2164         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2165         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2166         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2167         to change the stack size since CLoop requires it to be page aligned.
2168
2169         * microbenchmarks/array-push-1.js:
2170         * microbenchmarks/array-push-2.js:
2171         * microbenchmarks/elidable-new-object-dag.js:
2172         * microbenchmarks/elidable-new-object-roflcopter.js:
2173         * microbenchmarks/elidable-new-object-tree.js:
2174         * microbenchmarks/getter-richards.js:
2175         * microbenchmarks/sinkable-new-object-dag.js:
2176         * microbenchmarks/string-concat-long-convert.js:
2177         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2178         * slowMicrobenchmarks/array-push-3.js:
2179         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2180         * slowMicrobenchmarks/spread-small-array.js:
2181         * slowMicrobenchmarks/undefined-property-access.js:
2182         * stress/activation-sink-default-value-tdz-error.js:
2183         * stress/activation-sink-default-value.js:
2184         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2185         * stress/activation-sink-osrexit-default-value.js:
2186         * stress/activation-sink-osrexit.js:
2187         * stress/activation-sink.js:
2188         * stress/allow-math-ic-b3-code-duplication.js:
2189         * stress/array-push-multiple-int32.js:
2190         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2191         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2192         * stress/arrowfunction-lexical-this-activation-sink.js:
2193         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2194         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2195         * stress/elide-new-object-dag-then-exit.js:
2196         * stress/materialize-regexp-cyclic.js:
2197         * stress/new-regex-inline.js:
2198         * stress/op_add.js:
2199         * stress/op_bitand.js:
2200         * stress/op_bitor.js:
2201         * stress/op_bitxor.js:
2202         * stress/op_div-ConstVar.js:
2203         * stress/op_div-VarConst.js:
2204         * stress/op_div-VarVar.js:
2205         * stress/op_lshift-ConstVar.js:
2206         * stress/op_lshift-VarConst.js:
2207         * stress/op_lshift-VarVar.js:
2208         * stress/op_mod-ConstVar.js:
2209         * stress/op_mod-VarConst.js:
2210         * stress/op_mod-VarVar.js:
2211         * stress/op_mul-ConstVar.js:
2212         * stress/op_mul-VarConst.js:
2213         * stress/op_mul-VarVar.js:
2214         * stress/op_rshift-ConstVar.js:
2215         * stress/op_rshift-VarConst.js:
2216         * stress/op_rshift-VarVar.js:
2217         * stress/op_sub-ConstVar.js:
2218         * stress/op_sub-VarConst.js:
2219         * stress/op_sub-VarVar.js:
2220         * stress/op_urshift-ConstVar.js:
2221         * stress/op_urshift-VarConst.js:
2222         * stress/op_urshift-VarVar.js:
2223         * stress/proxy-get-set-correct-receiver.js:
2224         * stress/regress-179562.js:
2225         * stress/rest-parameter-many-arguments.js:
2226         * stress/sampling-profiler-richards.js:
2227         * stress/splay-flash-access-1ms.js:
2228         * stress/tailCallForwardArguments.js:
2229         * stress/typed-array-get-by-val-profiling.js:
2230         * typeProfiler/getter-richards.js:
2231
2232 2018-11-06  Michael Saboff  <msaboff@apple.com>
2233
2234         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2235         https://bugs.webkit.org/show_bug.cgi?id=191271
2236
2237         Reviewed by Saam Barati.
2238
2239         Added more test cases and made all test cases run with the same deeply recursive stack
2240         instead of finding that same point for each test case.
2241
2242         * stress/regexp-compile-oom.js:
2243         (prototype.runTest):
2244         (recurseAndTest):
2245         (testList.push.new.TestAndExpectedException):
2246
2247 2018-11-05  Michael Saboff  <msaboff@apple.com>
2248
2249         Unreviewed build fix for linux.
2250
2251         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2252
2253 2018-11-02  Michael Saboff  <msaboff@apple.com>
2254
2255         Rolling in r237753 with unreviewed build fix.
2256
2257         Fixed issues with DECLARE_THROW_SCOPE placement.
2258
2259 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2260
2261         Unreviewed, rolling out r237753.
2262
2263         Introduced JSC test failures
2264
2265         Reverted changeset:
2266
2267         "Running out of stack space not properly handled in
2268         RegExp::compile() and its callers"
2269         https://bugs.webkit.org/show_bug.cgi?id=191206
2270         https://trac.webkit.org/changeset/237753
2271
2272 2018-11-02  Michael Saboff  <msaboff@apple.com>
2273
2274         Running out of stack space not properly handled in RegExp::compile() and its callers
2275         https://bugs.webkit.org/show_bug.cgi?id=191206
2276
2277         Reviewed by Filip Pizlo.
2278
2279         New regression test.
2280
2281         * stress/regexp-compile-oom.js: Added.
2282         (recurseAndTest):
2283
2284 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2285
2286         Skip tests on arm/mips that time out now we're running on CLoop
2287
2288         Unreviewed gardening.
2289
2290         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2291         time out on the bots and need to be disabled. There are more tests
2292         disabled on arm because the timeout is longer on the mips bot (as the
2293         device is slower to start with), so many of the tests don't time out
2294         there.
2295
2296         * microbenchmarks/getter-richards.js: disable on arm and mips.
2297         * stress/op_add.js: disable on arm.
2298         * stress/op_bitand.js: disable on arm.
2299         * stress/op_bitor.js: disable on arm.
2300         * stress/op_bitxor.js: disable on arm.
2301         * stress/op_lshift-ConstVar.js: disable on arm.
2302         * stress/op_lshift-VarConst.js: disable on arm.
2303         * stress/op_lshift-VarVar.js: disable on arm.
2304         * stress/op_mod-ConstVar.js: disable on arm.
2305         * stress/op_mod-VarConst.js: disable on arm.
2306         * stress/op_mod-VarVar.js: disable on arm.
2307         * stress/op_mul-ConstVar.js: disable on arm.
2308         * stress/op_mul-VarConst.js: disable on arm.
2309         * stress/op_mul-VarVar.js: disable on arm.
2310         * stress/op_rshift-ConstVar.js: disable on arm.
2311         * stress/op_rshift-VarConst.js: disable on arm.
2312         * stress/op_rshift-VarVar.js: disable on arm.
2313         * stress/op_sub-ConstVar.js: disable on arm.
2314         * stress/op_sub-VarConst.js: disable on arm.
2315         * stress/op_sub-VarVar.js: disable on arm.
2316         * stress/op_urshift-ConstVar.js: disable on arm.
2317         * stress/op_urshift-VarConst.js: disable on arm.
2318         * stress/op_urshift-VarVar.js: disable on arm.
2319         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2320         * stress/value-to-boolean.js: disable on arm and mips.
2321
2322 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2323
2324         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2325         https://bugs.webkit.org/show_bug.cgi?id=191108
2326         <rdar://problem/45690700>
2327
2328         Reviewed by Saam Barati.
2329
2330         * stress/wide-op_catch.js: Added.
2331         (catch):
2332
2333 2018-10-29  Mark Lam  <mark.lam@apple.com>
2334
2335         Correctly detect string overflow when using the 'Function' constructor.
2336         https://bugs.webkit.org/show_bug.cgi?id=184883
2337         <rdar://problem/36320331>
2338
2339         Reviewed by Saam Barati.
2340
2341         I've verified that this passes on 32-bit as well.
2342
2343         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2344
2345 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2346
2347         Add support for GetStack FlushedDouble
2348         https://bugs.webkit.org/show_bug.cgi?id=191012
2349         <rdar://problem/45265141>
2350
2351         Reviewed by Saam Barati.
2352
2353         * stress/get-stack-double.js: Added.
2354         (bar):
2355         (noInline):
2356
2357 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2358
2359         New bytecode format for JSC
2360         https://bugs.webkit.org/show_bug.cgi?id=187373
2361         <rdar://problem/44186758>
2362
2363         Reviewed by Filip Pizlo.
2364
2365         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2366
2367         * stress/maximum-inline-capacity.js: Added.
2368         (test1):
2369         (test3.Foo):
2370         (test3):
2371
2372 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2373
2374         Unreviewed, rolling out r237479 and r237484.
2375         https://bugs.webkit.org/show_bug.cgi?id=190978
2376
2377         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2378
2379         Reverted changesets:
2380
2381         "New bytecode format for JSC"
2382         https://bugs.webkit.org/show_bug.cgi?id=187373
2383         https://trac.webkit.org/changeset/237479
2384
2385         "Gardening: Build fix after r237479."
2386         https://bugs.webkit.org/show_bug.cgi?id=187373
2387         https://trac.webkit.org/changeset/237484
2388
2389 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2390
2391         New bytecode format for JSC
2392         https://bugs.webkit.org/show_bug.cgi?id=187373
2393         <rdar://problem/44186758>
2394
2395         Reviewed by Filip Pizlo.
2396
2397         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2398
2399         * stress/maximum-inline-capacity.js: Added.
2400         (test1):
2401         (test3.Foo):
2402         (test3):
2403
2404 2018-10-26  Mark Lam  <mark.lam@apple.com>
2405
2406         Fix missing edge cases with JSGlobalObjects having a bad time.
2407         https://bugs.webkit.org/show_bug.cgi?id=189028
2408         <rdar://problem/45204939>
2409
2410         Reviewed by Saam Barati.
2411
2412         * stress/regress-189028.js: Added.
2413
2414 2018-10-22  Mark Lam  <mark.lam@apple.com>
2415
2416         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2417         https://bugs.webkit.org/show_bug.cgi?id=190515
2418         <rdar://problem/45222379>
2419
2420         Rubber-stamped by Saam Barati.
2421
2422         Adding another test.
2423
2424         * stress/regress-190515-2.js: Added.
2425
2426 2018-10-22  Mark Lam  <mark.lam@apple.com>
2427
2428         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2429         https://bugs.webkit.org/show_bug.cgi?id=190515
2430         <rdar://problem/45222379>
2431
2432         Reviewed by Saam Barati.
2433
2434         * stress/regress-190515.js: Added.
2435
2436 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2437
2438         Unreviewed, rolling out r237254.
2439         https://bugs.webkit.org/show_bug.cgi?id=190760
2440
2441         "It regresses JetStream 2 by 5% on some iOS devices"
2442         (Requested by saamyjoon on #webkit).
2443
2444         Reverted changeset:
2445
2446         "[JSC] JSC should have "parseFunction" to optimize Function
2447         constructor"
2448         https://bugs.webkit.org/show_bug.cgi?id=190340
2449         https://trac.webkit.org/changeset/237254
2450
2451 2018-10-19  Saam Barati  <sbarati@apple.com>
2452
2453         vmCall should check if we exit before emitting an OSR exit due to exceptions
2454         https://bugs.webkit.org/show_bug.cgi?id=190740
2455         <rdar://problem/45220139>
2456
2457         Reviewed by Mark Lam.
2458
2459         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2460         (foo):
2461
2462 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2463
2464         [ESNext][BigInt] Implement support for "^"
2465         https://bugs.webkit.org/show_bug.cgi?id=186235
2466
2467         Reviewed by Yusuke Suzuki.
2468
2469         * stress/big-int-bitwise-xor-general.js: Added.
2470         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2471         * stress/big-int-bitwise-xor-type-error.js: Added.
2472         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2473
2474 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2475
2476         [BigInt] Add ValueSub into DFG
2477         https://bugs.webkit.org/show_bug.cgi?id=186176
2478
2479         Reviewed by Yusuke Suzuki.
2480
2481         * stress/big-int-subtraction-jit.js:
2482         * stress/value-sub-big-int-prediction-propagation.js: Added.
2483         * stress/value-sub-big-int-untyped.js: Added.
2484         * stress/value-sub-spec-none-case.js: Added.
2485
2486 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2487
2488         [JSC] JSC should have "parseFunction" to optimize Function constructor
2489         https://bugs.webkit.org/show_bug.cgi?id=190340
2490
2491         Reviewed by Mark Lam.
2492
2493         This patch fixes the line number of syntax errors raised by the Function constructor,
2494         since we now parse the final code only once. And we no longer use block statement
2495         for Function constructor's parsing.
2496
2497         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2498         * stress/function-cache-with-parameters-end-position.js: Added.
2499         (shouldBe):
2500         (shouldThrow):
2501         (i.anonymous):
2502         * stress/function-constructor-name.js: Added.
2503         (shouldBe):
2504         (GeneratorFunction):
2505         (AsyncFunction.async):
2506         (AsyncGeneratorFunction.async):
2507         (anonymous):
2508         (async.anonymous):
2509         * test262/expectations.yaml:
2510
2511 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2512
2513         Unreviewed, rolling out r237242.
2514         https://bugs.webkit.org/show_bug.cgi?id=190701
2515
2516         it breaks "stress/sampling-profiler-basic.js" (Requested by
2517         caiolima on #webkit).
2518
2519         Reverted changeset:
2520
2521         "[BigInt] Add ValueSub into DFG"
2522         https://bugs.webkit.org/show_bug.cgi?id=186176
2523         https://trac.webkit.org/changeset/237242
2524
2525 2018-10-17  Keith Miller  <keith_miller@apple.com>
2526
2527         AI does not clear Phantom allocation nodes.
2528         https://bugs.webkit.org/show_bug.cgi?id=190694
2529
2530         Reviewed by Saam Barati.
2531
2532         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2533         (Day):
2534         (DaysInYear):
2535         (TimeInYear):
2536         (TimeFromYear):
2537         (DayFromYear):
2538         (InLeapYear):
2539         (YearFromTime):
2540         (WeekDay):
2541         (DaylightSavingTA):
2542         (GetSecondSundayInMarch):
2543         (TimeInMonth):
2544
2545 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2546
2547         [BigInt] Add ValueSub into DFG
2548         https://bugs.webkit.org/show_bug.cgi?id=186176
2549
2550         Reviewed by Yusuke Suzuki.
2551
2552         * stress/big-int-subtraction-jit.js:
2553         * stress/value-sub-big-int-prediction-propagation.js: Added.
2554         * stress/value-sub-big-int-untyped.js: Added.
2555
2556 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2557
2558         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2559         https://bugs.webkit.org/show_bug.cgi?id=190611
2560
2561         Reviewed by Saam Barati.
2562
2563         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2564         to improve test runtime. On ARM/MIPS this test even timed out when running all
2565         tests.
2566
2567         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2568         (test):
2569
2570 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2571
2572         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2573
2574         Unreviewed gardening.
2575
2576         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2577
2578 2018-10-15  Saam barati  <sbarati@apple.com>
2579
2580         Emit fjcvtzs on ARM64E on Darwin
2581         https://bugs.webkit.org/show_bug.cgi?id=184023
2582
2583         Reviewed by Yusuke Suzuki and Filip Pizlo.
2584
2585         * stress/double-to-int32-NaN.js: Added.
2586         (assert):
2587         (foo):
2588
2589 2018-10-15  Saam Barati  <sbarati@apple.com>
2590
2591         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2592         https://bugs.webkit.org/show_bug.cgi?id=190262
2593         <rdar://problem/44986241>
2594
2595         Reviewed by Mark Lam.
2596
2597         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2598         (test):
2599         * stress/slice-array-storage-with-holes.js: Added.
2600         (main):
2601
2602 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2603
2604         Unreviewed, rolling out r237054.
2605         https://bugs.webkit.org/show_bug.cgi?id=190593
2606
2607         "this regressed JetStream 2 by 6% on iOS" (Requested by
2608         saamyjoon on #webkit).
2609
2610         Reverted changeset:
2611
2612         "[JSC] JSC should have "parseFunction" to optimize Function
2613         constructor"
2614         https://bugs.webkit.org/show_bug.cgi?id=190340
2615         https://trac.webkit.org/changeset/237054
2616
2617 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2618
2619         [JSC] JSON.stringify can accept call-with-no-arguments
2620         https://bugs.webkit.org/show_bug.cgi?id=190343
2621
2622         Reviewed by Mark Lam.
2623
2624         * stress/json-stringify-no-arguments.js: Added.
2625         (shouldBe):
2626
2627 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2628
2629         [JSC] JSC should have "parseFunction" to optimize Function constructor
2630         https://bugs.webkit.org/show_bug.cgi?id=190340
2631
2632         Reviewed by Mark Lam.
2633
2634         This patch fixes the line number of syntax errors raised by the Function constructor,
2635         since we now parse the final code only once. And we no longer use block statement
2636         for Function constructor's parsing.
2637
2638         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2639         * stress/function-cache-with-parameters-end-position.js: Added.
2640         (shouldBe):
2641         (shouldThrow):
2642         (i.anonymous):
2643         * stress/function-constructor-name.js: Added.
2644         (shouldBe):
2645         (GeneratorFunction):
2646         (AsyncFunction.async):
2647         (AsyncGeneratorFunction.async):
2648         (anonymous):
2649         (async.anonymous):
2650         * test262/expectations.yaml:
2651
2652 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2653
2654         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2655         https://bugs.webkit.org/show_bug.cgi?id=190426
2656
2657         Unreviewed gardening.
2658
2659         * stress/sampling-profiler-richards.js:
2660
2661 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2662
2663         [ESNext][BigInt] Implement support for "|"
2664         https://bugs.webkit.org/show_bug.cgi?id=186229
2665
2666         Reviewed by Yusuke Suzuki.
2667
2668         * stress/big-int-bitwise-and-jit.js:
2669         * stress/big-int-bitwise-or-general.js: Added.
2670         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2671         * stress/big-int-bitwise-or-jit.js: Added.
2672         * stress/big-int-bitwise-or-memory-stress.js: Added.
2673         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2674         * stress/big-int-bitwise-or-type-error.js: Added.
2675         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2676
2677 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2678
2679         Skip test on systems with limited memory
2680         https://bugs.webkit.org/show_bug.cgi?id=190310
2681
2682         Invoking runDefault adds test to runlist; skipping the test in the next
2683         line does not prevent the test from executing. Change order of lines such
2684         that runDefault is only executed if test is not executed.
2685
2686         Reviewed by Mark Lam.
2687
2688         * stress/regress-190187.js:
2689
2690 2018-10-03  Saam barati  <sbarati@apple.com>
2691
2692         lowXYZ in FTLLower should always filter the type of the incoming edge
2693         https://bugs.webkit.org/show_bug.cgi?id=189939
2694         <rdar://problem/44407030>
2695
2696         Reviewed by Michael Saboff.
2697
2698         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2699         (foo):
2700         (test):
2701
2702 2018-10-03  Mark Lam  <mark.lam@apple.com>
2703
2704         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2705         https://bugs.webkit.org/show_bug.cgi?id=190187
2706         <rdar://problem/42512909>
2707
2708         Reviewed by Michael Saboff.
2709
2710         * stress/regress-190187.js: Added.
2711
2712 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2713
2714         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2715         https://bugs.webkit.org/show_bug.cgi?id=190033
2716
2717         Reviewed by Yusuke Suzuki.
2718
2719         * stress/big-int-to-string.js:
2720
2721 2018-10-01  Mark Lam  <mark.lam@apple.com>
2722
2723         Function.toString() should also copy the source code of Functions that are class definitions.
2724         https://bugs.webkit.org/show_bug.cgi?id=190186
2725         <rdar://problem/44733360>
2726
2727         Reviewed by Saam Barati.
2728
2729         * stress/regress-190186.js: Added.
2730
2731 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2732
2733         Split NaN-check into separate test
2734         https://bugs.webkit.org/show_bug.cgi?id=190010
2735
2736         Reviewed by Saam Barati.
2737
2738         DataView exposes NaN-representation, which is not necessarily the same on each
2739         architecture. Therefore move the check of the NaN-representation into its own
2740         file such that we can disable this test on MIPS where NaN-representation can be
2741         different on older CPUs.
2742
2743         * stress/dataview-jit-set-nan.js: Added.
2744         (assert):
2745         (test.storeLittleEndian):
2746         (test.storeBigEndian):
2747         (test.store):
2748         (test):
2749         * stress/dataview-jit-set.js:
2750         (test5):
2751
2752 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2753
2754         Unreviewed, rolling out r236647.
2755         https://bugs.webkit.org/show_bug.cgi?id=190124
2756
2757         Breaking test stress/big-int-to-string.js (Requested by
2758         caiolima_ on #webkit).
2759
2760         Reverted changeset:
2761
2762         "[BigInt] BigInt.prototype.toString is broken when radix is
2763         power of 2"
2764         https://bugs.webkit.org/show_bug.cgi?id=190033
2765         https://trac.webkit.org/changeset/236647
2766
2767 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2768
2769         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2770         https://bugs.webkit.org/show_bug.cgi?id=190033
2771
2772         Reviewed by Yusuke Suzuki.
2773
2774         * stress/big-int-to-string.js:
2775
2776 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2777
2778         [ESNext][BigInt] Implement support for "&"
2779         https://bugs.webkit.org/show_bug.cgi?id=186228
2780
2781         Reviewed by Yusuke Suzuki.
2782
2783         * stress/big-int-bitwise-and-general.js: Added.
2784         (assert):
2785         (assert.sameValue):
2786         * stress/big-int-bitwise-and-jit.js: Added.
2787         (let.assert.sameValue):
2788         (bigIntBitAnd):
2789         * stress/big-int-bitwise-and-memory-stress.js: Added.
2790         (assert):
2791         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2792         (assert.sameValue):
2793         (let.o.Symbol.toPrimitive):
2794         (catch):
2795         * stress/big-int-bitwise-and-type-error.js: Added.
2796         (assert):
2797         (assertThrowTypeError):
2798         (let.o.valueOf):
2799         (o.valueOf):
2800         (o.toString):
2801         (o.Symbol.toPrimitive):
2802         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2803         (assert.sameValue):
2804         (testBitAnd):
2805         (let.o.Symbol.toPrimitive):
2806         (o.valueOf):
2807         (o.toString):
2808
2809 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2810
2811         JSC test stress/jsc-read.js doesn't support CRLF
2812         https://bugs.webkit.org/show_bug.cgi?id=190063
2813
2814         Reviewed by Yusuke Suzuki.
2815
2816         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2817
2818         * stress/jsc-read.js:
2819         (test):
2820
2821 2018-09-27  Saam barati  <sbarati@apple.com>
2822
2823         Verify the contents of AssemblerBuffer on arm64e
2824         https://bugs.webkit.org/show_bug.cgi?id=190057
2825         <rdar://problem/38916630>
2826
2827         Reviewed by Mark Lam.
2828
2829         * stress/regress-189132.js:
2830
2831 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2832
2833         Disable test without LLInt on ARMv7
2834         https://bugs.webkit.org/show_bug.cgi?id=190037
2835
2836         Reviewed by Mark Lam.
2837
2838         Test runs out of executable memory on ARMv7; do not run
2839         this test without LLInt enabled.
2840
2841         * stress/regress-169445.js:
2842
2843 2018-09-26  Keith Miller  <keith_miller@apple.com>
2844
2845         We should zero unused property storage when rebalancing array storage.
2846         https://bugs.webkit.org/show_bug.cgi?id=188151
2847
2848         Reviewed by Michael Saboff.
2849
2850         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2851
2852 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2853
2854         [JSC] Optimize Array#lastIndexOf
2855         https://bugs.webkit.org/show_bug.cgi?id=189780
2856
2857         Reviewed by Saam Barati.
2858
2859         * stress/array-lastindexof-array-prototype-trap.js: Added.
2860         (shouldBe):
2861         (AncestorArray.prototype.get 2):
2862         (AncestorArray):
2863         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2864         (shouldBe):
2865         * stress/array-lastindexof-hole-nan.js: Added.
2866         (shouldBe):
2867         (throw.new.Error):
2868         * stress/array-lastindexof-infinity.js: Added.
2869         (shouldBe):
2870         (throw.new.Error):
2871         * stress/array-lastindexof-negative-zero.js: Added.
2872         (shouldBe):
2873         (throw.new.Error):
2874         * stress/array-lastindexof-own-getter.js: Added.
2875         (shouldBe):
2876         (throw.new.Error.get array):
2877         (get array):
2878         * stress/array-lastindexof-prototype-trap.js: Added.
2879         (shouldBe):
2880         (DerivedArray.prototype.get 2):
2881         (DerivedArray):
2882
2883 2018-09-25  Saam Barati  <sbarati@apple.com>
2884
2885         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2886         https://bugs.webkit.org/show_bug.cgi?id=189940
2887         <rdar://problem/43640987>
2888
2889         Reviewed by Mark Lam.
2890
2891         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2892
2893 2018-09-24  Saam Barati  <sbarati@apple.com>
2894
2895         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2896         https://bugs.webkit.org/show_bug.cgi?id=189922
2897         <rdar://problem/44651275>
2898
2899         Reviewed by Mark Lam.
2900
2901         * stress/array-indexof-fast-path-effects.js: Added.
2902         * stress/array-indexof-cached-length.js: Added.
2903
2904 2018-09-24  Saam barati  <sbarati@apple.com>
2905
2906         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2907         https://bugs.webkit.org/show_bug.cgi?id=189682
2908         <rdar://problem/43557315>
2909
2910         Reviewed by Mark Lam.
2911
2912         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2913         (foo):
2914
2915 2018-09-22  Saam barati  <sbarati@apple.com>
2916
2917         The sampling should not use Strong<CodeBlock> in its machineLocation field
2918         https://bugs.webkit.org/show_bug.cgi?id=189319
2919
2920         Reviewed by Filip Pizlo.
2921
2922         * stress/sampling-profiler-richards.js: Added.
2923
2924 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2925
2926         [JSC] Optimize Array#indexOf in C++ runtime
2927         https://bugs.webkit.org/show_bug.cgi?id=189507
2928
2929         Reviewed by Saam Barati.
2930
2931         * stress/array-indexof-array-prototype-trap.js: Added.
2932         (shouldBe):
2933         (AncestorArray.prototype.get 2):
2934         (AncestorArray):
2935         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2936         (shouldBe):
2937         * stress/array-indexof-hole-nan.js: Added.
2938         (shouldBe):
2939         (throw.new.Error):
2940         * stress/array-indexof-infinity.js: Added.
2941         (shouldBe):
2942         (throw.new.Error):
2943         * stress/array-indexof-negative-zero.js: Added.
2944         (shouldBe):
2945         (throw.new.Error):
2946         * stress/array-indexof-own-getter.js: Added.
2947         (shouldBe):
2948         (throw.new.Error.get array):
2949         (get array):
2950         * stress/array-indexof-prototype-trap.js: Added.
2951         (shouldBe):
2952         (DerivedArray.prototype.get 2):
2953         (DerivedArray):
2954
2955 2018-09-19  Saam barati  <sbarati@apple.com>
2956
2957         AI rule for MultiPutByOffset executes its effects in the wrong order
2958         https://bugs.webkit.org/show_bug.cgi?id=189757
2959         <rdar://problem/43535257>
2960
2961         Reviewed by Michael Saboff.
2962
2963         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2964         (foo):
2965         (Foo):
2966         (g):
2967
2968 2018-09-17  Mark Lam  <mark.lam@apple.com>
2969
2970         Ensure that ForInContexts are invalidated if their loop local is over-written.
2971         https://bugs.webkit.org/show_bug.cgi?id=189571
2972         <rdar://problem/44402277>
2973
2974         Reviewed by Saam Barati.
2975
2976         * stress/regress-189571.js: Added.
2977
2978 2018-09-17  Saam barati  <sbarati@apple.com>
2979
2980         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2981         https://bugs.webkit.org/show_bug.cgi?id=189676
2982         <rdar://problem/39682897>
2983
2984         Reviewed by Michael Saboff.
2985
2986         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2987         (A):
2988         (K):
2989         (i.catch):
2990
2991 2018-09-14  Saam barati  <sbarati@apple.com>
2992
2993         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2994         https://bugs.webkit.org/show_bug.cgi?id=189628
2995         <rdar://problem/39481690>
2996
2997         Reviewed by Mark Lam.
2998
2999         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3000         (foo):
3001
3002 2018-09-11  Mark Lam  <mark.lam@apple.com>
3003
3004         Test for array initialization in arrayProtoFuncSplice.
3005         https://bugs.webkit.org/show_bug.cgi?id=170253
3006         <rdar://problem/31328773>
3007
3008         Rubber-stamped by Saam Barati.
3009
3010         * stress/regress-170253.js: Added.
3011
3012 2018-09-11  Mark Lam  <mark.lam@apple.com>
3013
3014         Test for IntlObject initialization.
3015         https://bugs.webkit.org/show_bug.cgi?id=170251
3016         <rdar://problem/31328419>
3017
3018         Rubber-stamped by Saam Barati.
3019
3020         * stress/regress-170251.js: Added.
3021
3022 2018-09-11  Mark Lam  <mark.lam@apple.com>
3023
3024         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3025         https://bugs.webkit.org/show_bug.cgi?id=169889
3026         <rdar://problem/31155607>
3027
3028         Reviewed by Saam Barati.
3029
3030         * stress/regress-169889-array-concat.js: Added.
3031         * stress/regress-169889-array-concat1.js: Added.
3032         * stress/regress-169889-array-slice.js: Added.
3033
3034 2018-09-11  Mark Lam  <mark.lam@apple.com>
3035
3036         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3037         https://bugs.webkit.org/show_bug.cgi?id=169445
3038         <rdar://problem/30957435>
3039
3040         Reviewed by Saam Barati.
3041
3042         * stress/regress-169445.js: Added.
3043         (let.gun.eval.A):
3044         (let.gun.eval.B.C):
3045         (let.gun.eval.B.C.prototype.trigger):
3046         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3047         (let.gun.eval.B):
3048         (let.gun.eval):
3049
3050 == Rolled over to ChangeLog-2018-09-11 ==