[ARM] Fix crash with sampling profiler
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         [ARM] Fix crash with sampling profiler
4         https://bugs.webkit.org/show_bug.cgi?id=194772
5
6         Reviewed by Mark Lam.
7
8         Do not skip test since crash with sampling profiler is now fixed.
9
10         * stress/sampling-profiler-richards.js:
11
12 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         [JSC] Add LazyClassStructure::getInitializedOnMainThread
15         https://bugs.webkit.org/show_bug.cgi?id=194784
16         <rdar://problem/48154820>
17
18         Reviewed by Mark Lam.
19
20         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
21         (getProperties):
22         (getRandomProperty):
23         (i.catch):
24
25 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         [ARM] Test gardening: Test running out of executable memory
28         https://bugs.webkit.org/show_bug.cgi?id=194771
29
30         Unreviewed. Do not run test without LLInt, test is running out of executable
31         memory on ARM otherwise.
32
33         * stress/tagged-template-object-collect.js:
34
35 2019-02-18  Tomas Popela  <tpopela@redhat.com>
36
37         Unreviewed, skip the test on platforms without sampling profiler
38
39         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
40         (platformSupportsSamplingProfiler.foo):
41         (platformSupportsSamplingProfiler.test):
42         (platformSupportsSamplingProfiler):
43         (foo): Deleted.
44         (test): Deleted.
45
46 2019-02-17  Saam Barati  <sbarati@apple.com>
47
48         Deadlock when adding a Structure property transition and then doing incremental marking
49         https://bugs.webkit.org/show_bug.cgi?id=194767
50
51         Reviewed by Mark Lam.
52
53         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
54
55 2019-02-15  Michael Saboff  <msaboff@apple.com>
56
57         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
58         https://bugs.webkit.org/show_bug.cgi?id=194558
59
60         Reviewed by Saam Barati.
61
62         New regression test.
63
64         * stress/regexp-unicode-within-string.js: Added.
65
66 2019-02-15  Mark Lam  <mark.lam@apple.com>
67
68         SamplingProfiler::stackTracesAsJSON() should escape strings.
69         https://bugs.webkit.org/show_bug.cgi?id=194649
70         <rdar://problem/48072386>
71
72         Reviewed by Saam Barati.
73
74         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
75         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
76         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
77         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
78
79 2019-02-15  Robin Morisset  <rmorisset@apple.com>
80         CodeBlock::jettison should clear related watchpoints
81         https://bugs.webkit.org/show_bug.cgi?id=194544
82
83         Reviewed by Mark Lam.
84
85         * stress/regexp-replace-double-watchpoint.js: Added.
86         (foo):
87
88 2019-02-15  Saam barati  <sbarati@apple.com>
89
90         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
91         https://bugs.webkit.org/show_bug.cgi?id=194036
92
93         Reviewed by Yusuke Suzuki.
94
95         * stress/tail-call-many-arguments.js: Added.
96         (foo):
97         (bar):
98
99 2019-02-14  Saam Barati  <sbarati@apple.com>
100
101         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
102         https://bugs.webkit.org/show_bug.cgi?id=194583
103         <rdar://problem/48028140>
104
105         Reviewed by Yusuke Suzuki.
106
107         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
108
109 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
110
111         [JSC] String.fromCharCode's slow path always generates 16bit string
112         https://bugs.webkit.org/show_bug.cgi?id=194466
113
114         Reviewed by Keith Miller.
115
116         * stress/string-from-char-code-slow-path.js: Added.
117         (shouldBe):
118         (testWithLength):
119
120 2019-02-08  Saam barati  <sbarati@apple.com>
121
122         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
123         https://bugs.webkit.org/show_bug.cgi?id=194334
124         <rdar://problem/47844327>
125
126         Reviewed by Mark Lam.
127
128         * stress/check-in-bounds-should-be-a-child-use.js: Added.
129         (func):
130
131 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
132
133         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
134         https://bugs.webkit.org/show_bug.cgi?id=194369
135         <rdar://problem/47813087>
136
137         Reviewed by Saam Barati.
138
139         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
140         (A):
141
142 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
143
144         [JSC] PrivateName to PublicName hash table is wasteful
145         https://bugs.webkit.org/show_bug.cgi?id=194277
146
147         Reviewed by Michael Saboff.
148
149         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
150
151         * ChakraCore.yaml:
152
153 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
154
155         [ARM] Test running out of executable memory
156         https://bugs.webkit.org/show_bug.cgi?id=194285
157
158         Unreviewed. Do no execute test with LLInt disabled, test runs out of
159         executable memory otherwise.
160
161         * stress/class-subclassing-function.js:
162
163 2019-02-04  Robin Morisset  <rmorisset@apple.com>
164
165         when lowering AssertNotEmpty, create the value before creating the patchpoint
166         https://bugs.webkit.org/show_bug.cgi?id=194231
167
168         Reviewed by Saam Barati.
169
170         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
171         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
172         So even tiny changes to this test can change the path code taken.
173
174         * stress/assert-not-empty.js: Added.
175         (foo):
176
177 2019-02-01  Mark Lam  <mark.lam@apple.com>
178
179         Remove invalid assertion in DFG's compileDoubleRep().
180         https://bugs.webkit.org/show_bug.cgi?id=194130
181         <rdar://problem/47699474>
182
183         Reviewed by Saam Barati.
184
185         * stress/constant-fold-double-rep-into-double-constant.js: Added.
186
187 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
188
189         Import latest Test262 updates.
190
191         Rubber-stamped by Keith Miller.
192
193         * test262.yaml: Deleted.
194         * test262/config.yaml:
195         * test262/expectations.yaml:
196         * test262/latest-changes-summary.txt:
197         * test262/test/:
198         * test262/test262-Revision.txt:
199
200 2019-01-30  Robin Morisset  <rmorisset@apple.com>
201
202         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
203         https://bugs.webkit.org/show_bug.cgi?id=194050
204         <rdar://problem/47595592>
205
206         Reviewed by Yusuke Suzuki.
207
208         * stress/object-keys-osr-exit.js: Added.
209         (foo):
210         (catch):
211
212 2019-01-29  Mark Lam  <mark.lam@apple.com>
213
214         ValueRecovery::recover() should purify NaN values it recovers.
215         https://bugs.webkit.org/show_bug.cgi?id=193978
216         <rdar://problem/47625488>
217
218         Reviewed by Saam Barati.
219
220         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
221
222 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
223
224         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
225         https://bugs.webkit.org/show_bug.cgi?id=193713
226
227         * stress/try-get-by-id-should-spill-registers-dfg.js:
228         (let.f.createBuiltin):
229
230 2019-01-28  Mark Lam  <mark.lam@apple.com>
231
232         ToString node actually does GC.
233         https://bugs.webkit.org/show_bug.cgi?id=193920
234         <rdar://problem/46695900>
235
236         Reviewed by Yusuke Suzuki.
237
238         * stress/dfg-to-string-on-int-does-gc.js: Added.
239         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
240         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
241
242 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
243
244         [JSC] NativeErrorConstructor should not have own IsoSubspace
245         https://bugs.webkit.org/show_bug.cgi?id=193713
246
247         Reviewed by Saam Barati.
248
249         Remove @Error use.
250
251         * stress/try-get-by-id-should-spill-registers-dfg.js:
252         (let.f.createBuiltin):
253
254 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
257         https://bugs.webkit.org/show_bug.cgi?id=190693
258
259         Reviewed by Michael Saboff.
260
261         * stress/regress-190693.js: Added.
262         (truth):
263         (assert):
264         (shouldThrowInvalidConstAssignment):
265         (taz):
266
267 2019-01-24  Saam Barati  <sbarati@apple.com>
268
269         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
270         https://bugs.webkit.org/show_bug.cgi?id=193751
271         <rdar://problem/47280215>
272
273         Reviewed by Michael Saboff.
274
275         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
276         (let.thing):
277         (foo.let.hello):
278         (foo):
279
280 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
281
282         [JSC] Reenable baseline JIT on mips
283         https://bugs.webkit.org/show_bug.cgi?id=192983
284
285         Reviewed by Mark Lam.
286
287         Added a new test for a case that was triggering a RELEASE_ASSERT when
288         testing.
289         Disable some slow tests that were already disabled for arm and x86.
290
291         * stress/json-parse-big-object.js: Added.
292         * stress/new-largeish-contiguous-array-with-size.js:
293         * stress/op_add.js:
294         * stress/op_bitand.js:
295         * stress/op_bitor.js:
296         * stress/op_bitxor.js:
297         * stress/op_lshift-ConstVar.js:
298         * stress/op_lshift-VarConst.js:
299         * stress/op_lshift-VarVar.js:
300         * stress/op_mod-ConstVar.js:
301         * stress/op_mod-VarConst.js:
302         * stress/op_mod-VarVar.js:
303         * stress/op_mul-ConstVar.js:
304         * stress/op_mul-VarConst.js:
305         * stress/op_mul-VarVar.js:
306         * stress/op_rshift-ConstVar.js:
307         * stress/op_rshift-VarConst.js:
308         * stress/op_rshift-VarVar.js:
309         * stress/op_sub-ConstVar.js:
310         * stress/op_sub-VarConst.js:
311         * stress/op_sub-VarVar.js:
312         * stress/op_urshift-ConstVar.js:
313         * stress/op_urshift-VarConst.js:
314         * stress/op_urshift-VarVar.js:
315         * stress/sampling-profiler-richards.js:
316         * stress/spread-forward-call-varargs-stack-overflow.js:
317
318 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
319
320         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
321         https://bugs.webkit.org/show_bug.cgi?id=193711
322         <rdar://problem/47250262>
323
324         Reviewed by Saam Barati.
325
326         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
327         (shouldBe):
328         (foo):
329         (bar):
330         (baz):
331
332 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
333
334         Unreviewed, fix initial global lexical binding epoch
335         https://bugs.webkit.org/show_bug.cgi?id=193603
336         <rdar://problem/47380869>
337
338         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
339         (f1.f2.f3.f4):
340         (f1.f2.f3):
341         (f1.f2):
342         (f1):
343
344 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
345
346         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
347         https://bugs.webkit.org/show_bug.cgi?id=193709
348         <rdar://problem/47363838>
349
350         Unreviewed, rollout to watch the tests.
351
352         * stress/object-tostring-changed-proto.js: Removed.
353         * stress/object-tostring-changed.js: Removed.
354         * stress/object-tostring-misc.js: Removed.
355         * stress/object-tostring-other.js: Removed.
356         * stress/object-tostring-untyped.js: Removed.
357
358 2019-01-22  Saam Barati  <sbarati@apple.com>
359
360         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
361
362         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
363         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
364         (testUncheckedLessThanZero):
365         (testUncheckedLessThanOrEqualZero):
366         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
367         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
368
369 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
370
371         [JSC] Invalidate old scope operations using global lexical binding epoch
372         https://bugs.webkit.org/show_bug.cgi?id=193603
373         <rdar://problem/47380869>
374
375         Reviewed by Saam Barati.
376
377         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
378         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
379         (shouldThrow):
380         (bar):
381         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
382         (shouldBe):
383         (get1):
384         (get2):
385         (get1If):
386         (get2If):
387         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
388         (shouldThrow):
389         (foo):
390
391 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
392
393         Unreviewed, roll out r240220 due to date-format-xparb regression
394         https://bugs.webkit.org/show_bug.cgi?id=193603
395
396         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
397         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
398         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
399         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
400
401 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
402
403         DoesGC rule is wrong for nodes with BigIntUse
404         https://bugs.webkit.org/show_bug.cgi?id=193652
405
406         Reviewed by Saam Barati.
407
408         * stress/big-int-value-op-update-gc-rules.js: Added.
409         (assert):
410         (doesGCAdd):
411         (doesGCSub):
412         (doesGCDiv):
413         (doesGCMul):
414         (doesGCBitAnd):
415         (doesGCBitOr):
416         (doesGCBitXor):
417
418 2019-01-20  Saam Barati  <sbarati@apple.com>
419
420         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
421         https://bugs.webkit.org/show_bug.cgi?id=193644
422         <rdar://problem/46209745>
423
424         Reviewed by Yusuke Suzuki.
425
426         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
427         (foo):
428         * stress/data-view-set-intrinsic-undefined-result.js: Added.
429         (foo):
430         (bar):
431
432 2019-01-20  Saam Barati  <sbarati@apple.com>
433
434         MovHint must merge NodeBytecodeUsesAsValue for its child
435         https://bugs.webkit.org/show_bug.cgi?id=186916
436         <rdar://problem/41396612>
437
438         Reviewed by Yusuke Suzuki.
439
440         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
441         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
442
443 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
444
445         [JSC] Invalidate old scope operations using global lexical binding epoch
446         https://bugs.webkit.org/show_bug.cgi?id=193603
447         <rdar://problem/47380869>
448
449         Reviewed by Saam Barati.
450
451         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
452         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
453         (shouldThrow):
454         (bar):
455         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
456         (shouldBe):
457         (get1):
458         (get2):
459         (get1If):
460         (get2If):
461         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
462         (shouldThrow):
463         (foo):
464
465 2019-01-17  Saam barati  <sbarati@apple.com>
466
467         StringObjectUse should not be a structure check for the original string object structure
468         https://bugs.webkit.org/show_bug.cgi?id=193483
469         <rdar://problem/47280522>
470
471         Reviewed by Yusuke Suzuki.
472
473         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
474         (foo):
475         (a.valueOf.0):
476
477 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
478
479         [JSC] ToThis omission in DFGByteCodeParser is wrong
480         https://bugs.webkit.org/show_bug.cgi?id=193513
481         <rdar://problem/45842236>
482
483         Reviewed by Saam Barati.
484
485         * stress/to-this-omission-with-different-strict-modes.js: Added.
486         (thisA):
487         (thisAStrictWrapper):
488
489 2019-01-15  Mark Lam  <mark.lam@apple.com>
490
491         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
492         https://bugs.webkit.org/show_bug.cgi?id=193423
493         <rdar://problem/46209355>
494
495         Reviewed by Saam Barati.
496
497         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
498         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
499         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
500         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
501
502 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
503
504         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
505         https://bugs.webkit.org/show_bug.cgi?id=193438
506         <rdar://problem/45581249>
507
508         Reviewed by Saam Barati and Keith Miller.
509
510         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
511         Then, GetByVal(String) crashed.
512
513         * stress/string-get-by-val-lowering.js: Added.
514         (shouldBe):
515         (test):
516         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
517         (Hello):
518         (foo):
519
520 2019-01-15  Tomas Popela  <tpopela@redhat.com>
521
522         Unreviewed, skip JIT tests if it's not enabled
523
524         * stress/bit-op-with-object-returning-int32.js:
525
526 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
527
528         DFGByteCodeParser rules for bitwise operations should consider type of their operands
529         https://bugs.webkit.org/show_bug.cgi?id=192966
530
531         Reviewed by Yusuke Suzuki.
532
533         * stress/bit-op-with-object-returning-int32.js: Added.
534
535 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
536
537         Skip a slow test and a flakey test on arm
538
539         Unreviewed gardening.
540
541         * typeProfiler/getter-richards.js:
542         this test always times out, it used to be always skipped on arm and
543         mips, but got accidentally enabled by r237919 now that we have DFG on
544         arm. Also skipping on mips as we plan to soon enable DFG for it too.
545
546 2019-01-14  Keith Miller  <keith_miller@apple.com>
547
548         Skip type-check-hoisting-phase-hoist... with no jit
549         https://bugs.webkit.org/show_bug.cgi?id=193421
550
551         Reviewed by Mark Lam.
552
553         It's timing out the 32-bit bots and takes 330 seconds
554         on my machine when run by itself.
555
556         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
557
558 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
559
560         [JSC] AI should check the given constant's array type when folding GetByVal into constant
561         https://bugs.webkit.org/show_bug.cgi?id=193413
562         <rdar://problem/46092389>
563
564         Reviewed by Keith Miller.
565
566         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
567         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
568         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
569         but GetByVal does not have appropriate ArrayModes, JSC crashes.
570
571         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
572         (compareArray):
573
574 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
575
576         [BigInt] Literal parsing is crashing when used inside a Object Literal
577         https://bugs.webkit.org/show_bug.cgi?id=193404
578
579         Reviewed by Yusuke Suzuki.
580
581         * stress/big-int-literal-inside-literal-object.js: Added.
582
583 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
584
585         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
586         https://bugs.webkit.org/show_bug.cgi?id=193372
587
588         Reviewed by Saam Barati.
589
590         * stress/typed-array-array-modes-profile.js: Added.
591         (foo):
592
593 2019-01-14  Mark Lam  <mark.lam@apple.com>
594
595         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
596         https://bugs.webkit.org/show_bug.cgi?id=193402
597         <rdar://problem/46012309>
598
599         Reviewed by Keith Miller.
600
601         * stress/regexp-compile-oom.js:
602         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
603           is enabled.  As a result, it will fail on cloop builds though there is no bug.
604
605 2019-01-11  Saam barati  <sbarati@apple.com>
606
607         DFG combined liveness can be wrong for terminal basic blocks
608         https://bugs.webkit.org/show_bug.cgi?id=193304
609         <rdar://problem/45268632>
610
611         Reviewed by Yusuke Suzuki.
612
613         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
614
615 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
616
617         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
618         https://bugs.webkit.org/show_bug.cgi?id=193308
619         <rdar://problem/45546542>
620
621         Reviewed by Saam Barati.
622
623         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
624         (shouldThrow):
625         (shouldBe):
626         (foo):
627         (get shouldThrow):
628         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
629         (shouldThrow):
630         (shouldBe):
631         (foo):
632         (get shouldBe):
633         (get shouldThrow):
634         (get return):
635         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
636         (shouldThrow):
637         (shouldBe):
638         (foo):
639         (get shouldBe):
640         (get shouldThrow):
641         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
642         (shouldThrow):
643         (shouldBe):
644         (foo):
645         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
646         (shouldThrow):
647         (shouldBe):
648         (foo):
649         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
650         (shouldThrow):
651         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
652         (shouldThrow):
653         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
654         (shouldThrow):
655         (shouldBe):
656         (foo):
657         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
658         (shouldThrow):
659         (shouldBe):
660         (foo):
661         (get shouldBe):
662         (get shouldThrow):
663         (get return):
664         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
665         (shouldThrow):
666         (shouldBe):
667         (foo):
668         (get shouldBe):
669         (get shouldThrow):
670         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
671         (shouldThrow):
672         (shouldBe):
673         (foo):
674         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
675         (shouldThrow):
676         (shouldBe):
677         (foo):
678
679 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
680
681         Enable DFG on ARM/Linux again
682         https://bugs.webkit.org/show_bug.cgi?id=192496
683
684         Reviewed by Yusuke Suzuki.
685
686         Test wasn't really skipped before moving the line with skip
687         to the top.
688
689         * stress/regress-192717.js:
690
691 2019-01-10  Commit Queue  <commit-queue@webkit.org>
692
693         Unreviewed, rolling out r239825.
694         https://bugs.webkit.org/show_bug.cgi?id=193330
695
696         Broke tests on armv7/linux bots (Requested by guijemont on
697         #webkit).
698
699         Reverted changeset:
700
701         "Enable DFG on ARM/Linux again"
702         https://bugs.webkit.org/show_bug.cgi?id=192496
703         https://trac.webkit.org/changeset/239825
704
705 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
706
707         Enable DFG on ARM/Linux again
708         https://bugs.webkit.org/show_bug.cgi?id=192496
709
710         Reviewed by Yusuke Suzuki.
711
712         Test wasn't really skipped before moving the line with skip
713         to the top.
714
715         * stress/regress-192717.js:
716
717 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
718
719         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
720         https://bugs.webkit.org/show_bug.cgi?id=193127
721
722         Reviewed by Saam Barati.
723
724         * stress/array-species-create-should-handle-masquerader.js: Added.
725         (shouldThrow):
726         * stress/is-undefined-or-null-builtin.js: Added.
727         (shouldBe):
728         (isUndefinedOrNull.vm.createBuiltin):
729
730 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
731
732         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
733         https://bugs.webkit.org/show_bug.cgi?id=193221
734
735         Reviewed by Mark Lam.
736
737         * stress/put-by-id-flags.js: Added.
738         (f):
739         (g):
740         (numberOfDFGCompiles):
741
742 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
743
744         Baseline version of get_by_id may corrupt metadata
745         https://bugs.webkit.org/show_bug.cgi?id=193085
746         <rdar://problem/23453006>
747
748         Reviewed by Saam Barati.
749
750         * stress/get-by-id-change-mode.js: Added.
751         (forEach):
752
753 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
754
755         [JSC] Optimize Object.prototype.toString
756         https://bugs.webkit.org/show_bug.cgi?id=193031
757
758         Reviewed by Saam Barati.
759
760         * stress/object-tostring-changed-proto.js: Added.
761         (shouldBe):
762         (test):
763         * stress/object-tostring-changed.js: Added.
764         (shouldBe):
765         (test):
766         * stress/object-tostring-misc.js: Added.
767         (shouldBe):
768         (test):
769         (i.switch):
770         * stress/object-tostring-other.js: Added.
771         (shouldBe):
772         (test):
773         * stress/object-tostring-untyped.js: Added.
774         (shouldBe):
775         (test):
776         (i.switch):
777
778 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
779
780         test262-runner misbehaves when test file YAML has a trailing space
781         https://bugs.webkit.org/show_bug.cgi?id=193053
782
783         Reviewed by Yusuke Suzuki.
784
785         * test262/expectations.yaml:
786         Mark two dozen tests as passing (and correct the output of another).
787
788 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
789
790         Unreviewed, JSTests gardening with memoryLimited
791
792         * stress/string-overflow-createError.js:
793
794 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
795
796         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
797         https://bugs.webkit.org/show_bug.cgi?id=193050
798
799         Reviewed by Yusuke Suzuki.
800
801         * test262.yaml:
802         * test262/expectations.yaml:
803         Mark 16 tests as passing.
804
805 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
806
807         [BigInt] Support BigInt in JSON.stringify
808         https://bugs.webkit.org/show_bug.cgi?id=192624
809
810         Reviewed by Saam Barati.
811
812         * stress/big-int-json-stringify-to-json.js: Added.
813         (shouldBe):
814         (shouldThrow):
815         (BigInt.prototype.toJSON):
816         (shouldBe.JSON.stringify):
817         * stress/big-int-json-stringify.js: Added.
818         (shouldBe):
819         (shouldThrow):
820
821 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
822
823         [JSC] Implement "well-formed JSON.stringify" proposal
824         https://bugs.webkit.org/show_bug.cgi?id=191677
825
826         Reviewed by Darin Adler.
827
828         * stress/json-surrogate-pair.js: Added.
829         (shouldBe):
830         * test262/expectations.yaml:
831
832 2018-12-20  Keith Miller  <keith_miller@apple.com>
833
834         Add support for globalThis
835         https://bugs.webkit.org/show_bug.cgi?id=165171
836
837         Reviewed by Mark Lam.
838
839         * test262/config.yaml:
840
841 2018-12-19  Keith Miller  <keith_miller@apple.com>
842
843         Update test262 configuration to not run tests dependent on ICU version.
844         https://bugs.webkit.org/show_bug.cgi?id=192920
845
846         Reviewed by Saam Barati.
847
848         * test262/expectations.yaml:
849
850 2018-12-20  Mark Lam  <mark.lam@apple.com>
851
852         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
853         https://bugs.webkit.org/show_bug.cgi?id=192939
854         <rdar://problem/46869516>
855
856         Reviewed by Keith Miller.
857
858         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
859
860 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
861
862         WTF::String and StringImpl overflow MaxLength
863         https://bugs.webkit.org/show_bug.cgi?id=192853
864         <rdar://problem/45726906>
865
866         Reviewed by Mark Lam.
867
868         * stress/string-16bit-repeat-overflow.js: Added.
869         (catch):
870
871 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
872
873         Unreviewed follow-up to r192914.
874
875         * test262/expectations.yaml:
876         Add the last 20 missing expectations.
877
878 2018-12-19  Keith Miller  <keith_miller@apple.com>
879
880         Fix test262 expectations
881         https://bugs.webkit.org/show_bug.cgi?id=192914
882
883         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
884
885         * test262/expectations.yaml:
886
887 2018-12-19  Keith Miller  <keith_miller@apple.com>
888
889         Update test262 tests.
890         https://bugs.webkit.org/show_bug.cgi?id=192907
891
892         Rubber stamped by Mark Lam.
893
894         * test262/*: Omitted because prepare-changelog crashes.
895
896 2018-12-19  Mark Lam  <mark.lam@apple.com>
897
898         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
899         https://bugs.webkit.org/show_bug.cgi?id=192464
900         <rdar://problem/46519455>
901
902         Reviewed by Saam Barati.
903
904         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
905         microbenchmark.
906
907         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
908         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
909
910 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
911
912         String overflow in JSC::createError results in ASSERT in WTF::makeString
913         https://bugs.webkit.org/show_bug.cgi?id=192833
914         <rdar://problem/45706868>
915
916         Reviewed by Mark Lam.
917
918         * stress/string-overflow-createError.js: Added.
919
920 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
921
922         Error message for `-x ** y` contains a typo.
923         https://bugs.webkit.org/show_bug.cgi?id=192832
924
925         Reviewed by Saam Barati.
926
927         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
928         (assert.assert.return.throws):
929         * stress/pow-expects-update-expression-on-lhs.js:
930         (throw.new.Error):
931         Update test expectations which match against the exact error message.
932
933 2018-12-18  Mark Lam  <mark.lam@apple.com>
934
935         Gardening: test options fix.
936         https://bugs.webkit.org/show_bug.cgi?id=192822
937
938         Unreviewed.
939
940         * stress/json-stringify-string-builder-overflow.js:
941
942 2018-12-18  Mark Lam  <mark.lam@apple.com>
943
944         JSON.stringify() should throw OOM on StringBuilder overflows.
945         https://bugs.webkit.org/show_bug.cgi?id=192822
946         <rdar://problem/46670577>
947
948         Reviewed by Saam Barati.
949
950         * stress/json-stringify-string-builder-overflow.js: Added.
951
952 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
953
954         Redeclaration of var over let/const/class should be a syntax error.
955         https://bugs.webkit.org/show_bug.cgi?id=192298
956
957         Reviewed by Keith Miller.
958
959         * test262.yaml:
960         * test262/expectations.yaml:
961         Mark 46 tests as passing.
962
963         * stress/block-scope-redeclarations.js:
964         Add some new tests.
965
966         * stress/for-in-invalidate-context-weird-assignments.js:
967         * stress/for-in-tests.js:
968         Replace tests for outdated behavior with tests for SyntaxError.
969
970         * ChakraCore/test/LetConst/defer3.baseline-jsc:
971         * ChakraCore/test/LetConst/letvar.baseline-jsc:
972         Update expectations.
973
974 2018-12-18  Mark Lam  <mark.lam@apple.com>
975
976         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
977         https://bugs.webkit.org/show_bug.cgi?id=191374
978         <rdar://problem/46525447>
979
980         Reviewed by Yusuke Suzuki.
981
982         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
983
984         * stress/elidable-new-object-roflcopter-then-exit.js:
985
986 2018-12-17  Mark Lam  <mark.lam@apple.com>
987
988         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
989         https://bugs.webkit.org/show_bug.cgi?id=192019
990         <rdar://problem/46525456>
991
992         Reviewed by Yusuke Suzuki.
993
994         The test runs too slow on 32-bit.
995
996         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
997
998 2018-12-17  Mark Lam  <mark.lam@apple.com>
999
1000         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1001         https://bugs.webkit.org/show_bug.cgi?id=191373
1002         <rdar://problem/46525458>
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         The test is already slow running with a JIT on 64-bit.  It will always timeout
1007         on 32-bit without a JIT.
1008
1009         * stress/materialize-regexp-cyclic-regexp.js:
1010
1011 2018-12-17  Mark Lam  <mark.lam@apple.com>
1012
1013         Array unshift/shift should not race against the AI in the compiler thread.
1014         https://bugs.webkit.org/show_bug.cgi?id=192795
1015         <rdar://problem/46724263>
1016
1017         Reviewed by Saam Barati.
1018
1019         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1020
1021 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1022
1023         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1024         https://bugs.webkit.org/show_bug.cgi?id=190047
1025
1026         Reviewed by Saam Barati.
1027
1028         * stress/object-keys-cached-zero.js: Added.
1029         (shouldBe):
1030         (test):
1031         * stress/object-keys-changed-attribute.js: Added.
1032         (shouldBe):
1033         (test):
1034         * stress/object-keys-changed-index.js: Added.
1035         (shouldBe):
1036         (test):
1037         * stress/object-keys-changed.js: Added.
1038         (shouldBe):
1039         (test):
1040         * stress/object-keys-indexed-non-cache.js: Added.
1041         (shouldBe):
1042         (test):
1043         * stress/object-keys-overrides-get-property-names.js: Added.
1044         (shouldBe):
1045         (test):
1046         (noInline):
1047
1048 2018-12-17  Mark Lam  <mark.lam@apple.com>
1049
1050         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1051         https://bugs.webkit.org/show_bug.cgi?id=192779
1052         <rdar://problem/46775869>
1053
1054         Reviewed by Saam Barati.
1055
1056         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1057
1058 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1059
1060         Unreviewed test gardening, address a syntax error in a new test.
1061
1062         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1063
1064 2018-12-17  Mark Lam  <mark.lam@apple.com>
1065
1066         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1067         https://bugs.webkit.org/show_bug.cgi?id=192776
1068         <rdar://problem/46772368>
1069
1070         Reviewed by Keith Miller.
1071
1072         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1073
1074 2018-12-17  Mark Lam  <mark.lam@apple.com>
1075
1076         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1077         https://bugs.webkit.org/show_bug.cgi?id=192770
1078         <rdar://problem/46449037>
1079
1080         Reviewed by Keith Miller.
1081
1082         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1083
1084 2018-12-14  Mark Lam  <mark.lam@apple.com>
1085
1086         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1087         https://bugs.webkit.org/show_bug.cgi?id=192717
1088         <rdar://problem/46660677>
1089
1090         Reviewed by Saam Barati.
1091
1092         * stress/regress-192717.js: Added.
1093
1094 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1095
1096         Unreviewed, rolling out r239153, r239154, and r239155.
1097         https://bugs.webkit.org/show_bug.cgi?id=192715
1098
1099         Caused flaky GC-related crashes seen with layout tests
1100         (Requested by ryanhaddad on #webkit).
1101
1102         Reverted changesets:
1103
1104         "[JSC] Optimize Object.keys by caching own keys results in
1105         StructureRareData"
1106         https://bugs.webkit.org/show_bug.cgi?id=190047
1107         https://trac.webkit.org/changeset/239153
1108
1109         "Unreviewed, build fix after r239153"
1110         https://bugs.webkit.org/show_bug.cgi?id=190047
1111         https://trac.webkit.org/changeset/239154
1112
1113         "Unreviewed, build fix after r239153, part 2"
1114         https://bugs.webkit.org/show_bug.cgi?id=190047
1115         https://trac.webkit.org/changeset/239155
1116
1117 2018-12-14  Keith Miller  <keith_miller@apple.com>
1118
1119         Callers of JSString::getIndex should check for OOM exceptions
1120         https://bugs.webkit.org/show_bug.cgi?id=192709
1121
1122         Reviewed by Mark Lam.
1123
1124         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1125
1126 2018-12-13  Mark Lam  <mark.lam@apple.com>
1127
1128         Add a missing exception check.
1129         https://bugs.webkit.org/show_bug.cgi?id=192626
1130         <rdar://problem/46662163>
1131
1132         Reviewed by Keith Miller.
1133
1134         * stress/regress-192626.js: Added.
1135
1136 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1137
1138         [BigInt] Add ValueDiv into DFG
1139         https://bugs.webkit.org/show_bug.cgi?id=186178
1140
1141         Reviewed by Yusuke Suzuki.
1142
1143         * stress/big-int-div-jit-osr.js: Added.
1144         * stress/big-int-div-jit-untyped.js: Added.
1145         * stress/value-div-fixup-int32-big-int.js: Added.
1146
1147 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1148
1149         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1150         https://bugs.webkit.org/show_bug.cgi?id=190047
1151
1152         Reviewed by Keith Miller.
1153
1154         * stress/object-keys-cached-zero.js: Added.
1155         (shouldBe):
1156         (test):
1157         * stress/object-keys-changed-attribute.js: Added.
1158         (shouldBe):
1159         (test):
1160         * stress/object-keys-changed-index.js: Added.
1161         (shouldBe):
1162         (test):
1163         * stress/object-keys-changed.js: Added.
1164         (shouldBe):
1165         (test):
1166         * stress/object-keys-indexed-non-cache.js: Added.
1167         (shouldBe):
1168         (test):
1169         * stress/object-keys-overrides-get-property-names.js: Added.
1170         (shouldBe):
1171         (test):
1172         (noInline):
1173
1174 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1175
1176         [DFG][FTL] Add NewSymbol
1177         https://bugs.webkit.org/show_bug.cgi?id=192620
1178
1179         Reviewed by Saam Barati.
1180
1181         * microbenchmarks/symbol-creation.js: Added.
1182         (test):
1183         * stress/symbol-description-identity.js: Added.
1184         (shouldBe):
1185         (test):
1186         * stress/symbol-identity.js: Added.
1187         (shouldBe):
1188         (test):
1189         * stress/symbol-with-description-throw-error.js: Added.
1190         (shouldBe):
1191         (shouldThrow):
1192         (test):
1193         (object.toString):
1194
1195 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1196
1197         [BigInt] Implement DFG/FTL typeof for BigInt
1198         https://bugs.webkit.org/show_bug.cgi?id=192619
1199
1200         Reviewed by Keith Miller.
1201
1202         * stress/big-int-boolean-proven-type.js: Added.
1203         (assert):
1204         (bool):
1205         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1206         (assert):
1207         (typeOf):
1208         (i.switch):
1209         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1210         (assert):
1211         (typeOf):
1212         * stress/big-int-type-of.js:
1213         (typeOf):
1214         (func):
1215
1216 2018-12-10  Mark Lam  <mark.lam@apple.com>
1217
1218         PropertyAttribute needs a CustomValue bit.
1219         https://bugs.webkit.org/show_bug.cgi?id=191993
1220         <rdar://problem/46264467>
1221
1222         Reviewed by Saam Barati.
1223
1224         * stress/regress-191993.js: Added.
1225
1226 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1227
1228         [BigInt] Add ValueMul into DFG
1229         https://bugs.webkit.org/show_bug.cgi?id=186175
1230
1231         Reviewed by Yusuke Suzuki.
1232
1233         * stress/big-int-mul-jit-osr.js: Added.
1234         * stress/big-int-mul-jit-untyped.js: Added.
1235         * stress/value-mul-fixup-int32-big-int.js: Added.
1236
1237 2018-12-06  Keith Miller  <keith_miller@apple.com>
1238
1239         stress/big-wasm-memory tests failing on 32-bit JSC bot
1240         https://bugs.webkit.org/show_bug.cgi?id=192020
1241
1242         Reviewed by Saam Barati.
1243
1244         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1245         the wasm stress tests if the WebAssembly object does not exist.
1246
1247         * stress/big-wasm-memory-grow-no-max.js:
1248         (test.foo):
1249         (test):
1250         (foo): Deleted.
1251         (catch): Deleted.
1252         * stress/big-wasm-memory-grow.js:
1253         (test.foo):
1254         (test):
1255         (foo): Deleted.
1256         (catch): Deleted.
1257         * stress/big-wasm-memory.js:
1258         (test.foo):
1259         (test):
1260         (foo): Deleted.
1261         (catch): Deleted.
1262
1263 2018-12-05  Mark Lam  <mark.lam@apple.com>
1264
1265         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1266         https://bugs.webkit.org/show_bug.cgi?id=192441
1267         <rdar://problem/46480355>
1268
1269         Reviewed by Saam Barati.
1270
1271         * stress/regress-192441.js: Added.
1272
1273 2018-12-04  Mark Lam  <mark.lam@apple.com>
1274
1275         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1276         https://bugs.webkit.org/show_bug.cgi?id=192386
1277         <rdar://problem/46445516>
1278
1279         Reviewed by Saam Barati.
1280
1281         * stress/regress-192386.js: Added.
1282
1283 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1284
1285         [ESNext][BigInt] Support logic operations
1286         https://bugs.webkit.org/show_bug.cgi?id=179903
1287
1288         Reviewed by Yusuke Suzuki.
1289
1290         * stress/big-int-branch-usage.js: Added.
1291         * stress/big-int-logical-and.js: Added.
1292         * stress/big-int-logical-not.js: Added.
1293         * stress/big-int-logical-or.js: Added.
1294
1295 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1296
1297         Unreviewed, rolling out r238833.
1298
1299         Breaks macOS and iOS debug builds.
1300
1301         Reverted changeset:
1302
1303         "[ESNext][BigInt] Support logic operations"
1304         https://bugs.webkit.org/show_bug.cgi?id=179903
1305         https://trac.webkit.org/changeset/238833
1306
1307 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1308
1309         [ESNext][BigInt] Support logic operations
1310         https://bugs.webkit.org/show_bug.cgi?id=179903
1311
1312         Reviewed by Yusuke Suzuki.
1313
1314         * stress/big-int-branch-usage.js: Added.
1315         * stress/big-int-logical-and.js: Added.
1316         * stress/big-int-logical-not.js: Added.
1317         * stress/big-int-logical-or.js: Added.
1318
1319 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1320
1321         [ESNext][BigInt] Implement support for "<<" and ">>"
1322         https://bugs.webkit.org/show_bug.cgi?id=186233
1323
1324         Reviewed by Yusuke Suzuki.
1325
1326         * stress/big-int-left-shift-general.js: Added.
1327         * stress/big-int-left-shift-range-error.js: Added.
1328         * stress/big-int-left-shift-type-error.js: Added.
1329         * stress/big-int-left-shift-wrapped-value.js: Added.
1330         * stress/big-int-right-shift-general.js: Added.
1331         * stress/big-int-right-shift-type-error.js: Added.
1332         * stress/big-int-right-shift-wrapped-value.js: Added.
1333         * stress/left-shift-to-primitive-precedence.js: Added.
1334         * stress/right-shift-to-primitive-precedence.js: Added.
1335
1336 2018-11-30  Dean Jackson  <dino@apple.com>
1337
1338         Add first-class support for .mjs files in jsc binary
1339         https://bugs.webkit.org/show_bug.cgi?id=192190
1340         <rdar://problem/46375715>
1341
1342         Reviewed by Keith Miller.
1343
1344         * stress/simple-module.mjs: Added.
1345         * stress/simple-script.js: Added.
1346
1347 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1348
1349         [BigInt] Implement ValueBitXor into DFG
1350         https://bugs.webkit.org/show_bug.cgi?id=190264
1351
1352         Reviewed by Yusuke Suzuki.
1353
1354         * stress/big-int-bitwise-xor-jit.js: Added.
1355         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1356         * stress/big-int-bitwise-xor-untyped.js: Added.
1357
1358 2018-11-27  Saam barati  <sbarati@apple.com>
1359
1360         r238510 broke scopes of size zero
1361         https://bugs.webkit.org/show_bug.cgi?id=192033
1362         <rdar://problem/46281734>
1363
1364         Reviewed by Keith Miller.
1365
1366         * stress/r238510-bad-loop.js: Added.
1367         (foo):
1368
1369 2018-11-27  Mark Lam  <mark.lam@apple.com>
1370
1371         [Re-landing] NaNs read from Wasm code needs to be be purified.
1372         https://bugs.webkit.org/show_bug.cgi?id=191056
1373         <rdar://problem/45660341>
1374
1375         Reviewed by Filip Pizlo.
1376
1377         * wasm/regress/regress-191056.js: Added.
1378
1379 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1380
1381         Unreviewed, rolling out r238509.
1382
1383         Causes JSC tests to fail on iOS.
1384
1385         Reverted changeset:
1386
1387         "NaNs read from Wasm code needs to be be purified."
1388         https://bugs.webkit.org/show_bug.cgi?id=191056
1389         https://trac.webkit.org/changeset/238509
1390
1391 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1392
1393         Re-introduce op_bitnot
1394         https://bugs.webkit.org/show_bug.cgi?id=190923
1395
1396         Reviewed by Yusuke Suzuki.
1397
1398         * stress/bit-not-must-generate.js: Added.
1399         * stress/bitwise-not-no-int32.js: Added.
1400
1401 2018-11-26  Saam barati  <sbarati@apple.com>
1402
1403         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1404         https://bugs.webkit.org/show_bug.cgi?id=191956
1405         <rdar://problem/45665806>
1406
1407         Reviewed by Yusuke Suzuki.
1408
1409         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1410         (bar):
1411         (foo):
1412
1413 2018-11-26  Saam barati  <sbarati@apple.com>
1414
1415         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1416         https://bugs.webkit.org/show_bug.cgi?id=191958
1417         <rdar://problem/46221877>
1418
1419         Reviewed by Yusuke Suzuki.
1420
1421         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1422         (x):
1423         (foo):
1424
1425 2018-11-26  Mark Lam  <mark.lam@apple.com>
1426
1427         NaNs read from Wasm code needs to be be purified.
1428         https://bugs.webkit.org/show_bug.cgi?id=191056
1429         <rdar://problem/45660341>
1430
1431         Reviewed by Filip Pizlo.
1432
1433         * wasm/regress/regress-191056.js: Added.
1434
1435 2018-11-26  Michael Saboff  <msaboff@apple.com>
1436
1437         32-bit JSC test failure: stress/regexp-compile-oom.js
1438         https://bugs.webkit.org/show_bug.cgi?id=191375
1439
1440         Reviewed by Mark Lam.
1441
1442         Disabled the test for 32 bit platforms.
1443
1444         * stress/regexp-compile-oom.js:
1445
1446 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1447
1448         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1449         https://bugs.webkit.org/show_bug.cgi?id=191716
1450         <rdar://problem/45723878>
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/regress-187373.js: Added.
1455         (async.fn):
1456
1457 2018-11-21  Saam barati  <sbarati@apple.com>
1458
1459         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1460         https://bugs.webkit.org/show_bug.cgi?id=191897
1461         <rdar://problem/45871998>
1462
1463         Reviewed by Mark Lam.
1464
1465         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1466         (bar):
1467         (foo):
1468
1469 2018-11-21  Saam barati  <sbarati@apple.com>
1470
1471         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1472         https://bugs.webkit.org/show_bug.cgi?id=191895
1473         <rdar://problem/46167406>
1474
1475         Reviewed by Mark Lam.
1476
1477         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1478         (foo):
1479         (bar):
1480
1481 2018-11-21  Mark Lam  <mark.lam@apple.com>
1482
1483         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1484         https://bugs.webkit.org/show_bug.cgi?id=191776
1485         <rdar://problem/46152851>
1486
1487         Reviewed by Saam Barati.
1488
1489         * stress/big-wasm-memory-grow-no-max.js:
1490         * stress/big-wasm-memory-grow.js:
1491         * stress/big-wasm-memory.js:
1492         - updated these to expect an OutOfMemoryError.
1493
1494         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1495         (Binary.prototype.emit_u8):
1496         (Binary.prototype.emit_u32v):
1497         (Binary.prototype.emit_header):
1498         (Binary.prototype.emit_section):
1499         (Binary):
1500         (WasmModuleBuilder):
1501         (WasmModuleBuilder.prototype.addMemory):
1502         (WasmModuleBuilder.prototype.toArray):
1503         (WasmModuleBuilder.prototype.toBuffer):
1504         (WasmModuleBuilder.prototype.instantiate):
1505         (catch):
1506         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1507         (catch):
1508
1509 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1510
1511         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1512         https://bugs.webkit.org/show_bug.cgi?id=190836
1513
1514         Reviewed by Saam Barati and Yusuke Suzuki.
1515
1516         * stress/big-int-out-of-memory-tests.js: Added.
1517
1518 2018-11-20  Mark Lam  <mark.lam@apple.com>
1519
1520         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1521         https://bugs.webkit.org/show_bug.cgi?id=191856
1522         <rdar://problem/46089992>
1523
1524         Reviewed by Yusuke Suzuki.
1525
1526         * stress/regress-191856.js: Added.
1527         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1528
1529 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1530
1531         Enable JIT on ARM/Linux
1532         https://bugs.webkit.org/show_bug.cgi?id=191548
1533
1534         Reviewed by Yusuke Suzuki.
1535
1536         Disable test on system with limited memory. Program was killed by
1537         the OS before the exception was thrown.
1538
1539         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1540
1541 2018-11-20  Saam barati  <sbarati@apple.com>
1542
1543         Merging an IC variant may lead to the IC status containing overlapping structure sets
1544         https://bugs.webkit.org/show_bug.cgi?id=191869
1545         <rdar://problem/45403453>
1546
1547         Reviewed by Mark Lam.
1548
1549         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1550
1551 2018-11-19  Mark Lam  <mark.lam@apple.com>
1552
1553         globalFuncImportModule() should return a promise when it clears exceptions.
1554         https://bugs.webkit.org/show_bug.cgi?id=191792
1555         <rdar://problem/46090763>
1556
1557         Reviewed by Michael Saboff.
1558
1559         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1560
1561 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1562
1563         Skip new memory-hungry tests on memory limited devices
1564
1565         Unreviewed gardening.
1566
1567         * stress/big-wasm-memory-grow-no-max.js:
1568         * stress/big-wasm-memory-grow.js:
1569         * stress/big-wasm-memory.js:
1570
1571 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1572
1573         Unreviewed, rolling in the rest of r237254
1574         https://bugs.webkit.org/show_bug.cgi?id=190340
1575
1576         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1577         * stress/function-cache-with-parameters-end-position.js: Added.
1578         (shouldBe):
1579         (shouldThrow):
1580         (i.anonymous):
1581         * stress/function-constructor-name.js: Added.
1582         (shouldBe):
1583         (GeneratorFunction):
1584         (AsyncFunction.async):
1585         (AsyncGeneratorFunction.async):
1586         (anonymous):
1587         (async.anonymous):
1588         * test262/expectations.yaml:
1589
1590 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1591
1592         All users of ArrayBuffer should agree on the same max size
1593         https://bugs.webkit.org/show_bug.cgi?id=191771
1594
1595         Reviewed by Mark Lam.
1596
1597         * stress/big-wasm-memory-grow-no-max.js: Added.
1598         (foo):
1599         (catch):
1600         * stress/big-wasm-memory-grow.js: Added.
1601         (foo):
1602         (catch):
1603         * stress/big-wasm-memory.js: Added.
1604         (foo):
1605         (catch):
1606
1607 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1608
1609         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1610         run for each JSC config since they're regression tests for runtime bugs.
1611
1612         * stress/json-stringified-overflow-2.js:
1613         * stress/json-stringified-overflow.js:
1614
1615 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1616
1617         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1618         config since they're regression tests for runtime bugs.
1619
1620         * stress/large-unshift-splice.js:
1621         * stress/regress-185888.js:
1622
1623 2018-11-16  Saam Barati  <sbarati@apple.com>
1624
1625         KnownCellUse should also have SpecCellCheck as its type filter
1626         https://bugs.webkit.org/show_bug.cgi?id=191729
1627         <rdar://problem/45872852>
1628
1629         Reviewed by Filip Pizlo.
1630
1631         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1632         (C):
1633
1634 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1635
1636         Fix assertion failure on BytecodeGenerator::recordOpcode
1637         https://bugs.webkit.org/show_bug.cgi?id=191724
1638         <rdar://problem/45724395>
1639
1640         Reviewed by Saam Barati.
1641
1642         * stress/regress-187373-2.js: Added.
1643         (foo):
1644
1645 2018-11-15  Mark Lam  <mark.lam@apple.com>
1646
1647         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1648         https://bugs.webkit.org/show_bug.cgi?id=191730
1649         <rdar://problem/46048517>
1650
1651         Reviewed by Saam Barati.
1652
1653         * stress/regress-187006.js: Removed.
1654           - this test is invalid because its sole purpose is to test for the non-spec
1655             compliant behavior that we just fixed.
1656
1657         * stress/regress-191730.js: Added.
1658
1659 2018-11-15  Mark Lam  <mark.lam@apple.com>
1660
1661         RegExp operations should not take fast patch if lastIndex is not numeric.
1662         https://bugs.webkit.org/show_bug.cgi?id=191731
1663         <rdar://problem/46017305>
1664
1665         Reviewed by Saam Barati.
1666
1667         * stress/regress-191731.js: Added.
1668
1669 2018-11-13  Saam Barati  <sbarati@apple.com>
1670
1671         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1672         https://bugs.webkit.org/show_bug.cgi?id=191600
1673
1674         Reviewed by Mark Lam.
1675
1676         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1677         (foo):
1678         (test):
1679         (bar):
1680
1681 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1682
1683         Unreviewed, rolling out r238132.
1684
1685         The test added with this change is timing out on Debug JSC
1686         bots.
1687
1688         Reverted changeset:
1689
1690         "[BigInt] JSBigInt::createWithLength should throw when length
1691         is greater than JSBigInt::maxLength"
1692         https://bugs.webkit.org/show_bug.cgi?id=190836
1693         https://trac.webkit.org/changeset/238132
1694
1695 2018-11-13  Mark Lam  <mark.lam@apple.com>
1696
1697         Add OOM detection to StringPrototype's substituteBackreferences().
1698         https://bugs.webkit.org/show_bug.cgi?id=191563
1699         <rdar://problem/45720428>
1700
1701         Reviewed by Saam Barati.
1702
1703         * stress/regress-191563.js: Added.
1704
1705 2018-11-13  Mark Lam  <mark.lam@apple.com>
1706
1707         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1708         https://bugs.webkit.org/show_bug.cgi?id=191579
1709         <rdar://problem/45942472>
1710
1711         Reviewed by Saam Barati.
1712
1713         * stress/regress-191579.js: Added.
1714
1715 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1716
1717         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1718         https://bugs.webkit.org/show_bug.cgi?id=190836
1719
1720         Reviewed by Saam Barati.
1721
1722         * stress/big-int-out-of-memory-tests.js: Added.
1723
1724 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1725
1726         U+180E is no longer a whitespace character
1727         https://bugs.webkit.org/show_bug.cgi?id=191415
1728
1729         Reviewed by Saam Barati.
1730
1731         * ChakraCore/test/es5/regexSpace.baseline:
1732         * ChakraCore/test/es6/unicode_whitespace.js:
1733         Update tests to latest version.
1734         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1735
1736         * test262.yaml:
1737         * test262/config.yaml:
1738         * test262/expectations.yaml:
1739         Update expectations.
1740
1741 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1742
1743         [BigInt] Add support to BigInt into ValueAdd
1744         https://bugs.webkit.org/show_bug.cgi?id=186177
1745
1746         Reviewed by Keith Miller.
1747
1748         * stress/big-int-negate-jit.js:
1749         * stress/value-add-big-int-and-string.js: Added.
1750         * stress/value-add-big-int-prediction-propagation.js: Added.
1751         * stress/value-add-big-int-untyped.js: Added.
1752
1753 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1754
1755         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1756         https://bugs.webkit.org/show_bug.cgi?id=191184
1757
1758         Reviewed by Saam Barati.
1759
1760         Most tests were failing due to timeouts, since they are too slow to
1761         run on CLoop. The exceptions are:
1762
1763         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1764         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1765         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1766         to change the stack size since CLoop requires it to be page aligned.
1767
1768         * microbenchmarks/array-push-1.js:
1769         * microbenchmarks/array-push-2.js:
1770         * microbenchmarks/elidable-new-object-dag.js:
1771         * microbenchmarks/elidable-new-object-roflcopter.js:
1772         * microbenchmarks/elidable-new-object-tree.js:
1773         * microbenchmarks/getter-richards.js:
1774         * microbenchmarks/sinkable-new-object-dag.js:
1775         * microbenchmarks/string-concat-long-convert.js:
1776         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1777         * slowMicrobenchmarks/array-push-3.js:
1778         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1779         * slowMicrobenchmarks/spread-small-array.js:
1780         * slowMicrobenchmarks/undefined-property-access.js:
1781         * stress/activation-sink-default-value-tdz-error.js:
1782         * stress/activation-sink-default-value.js:
1783         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1784         * stress/activation-sink-osrexit-default-value.js:
1785         * stress/activation-sink-osrexit.js:
1786         * stress/activation-sink.js:
1787         * stress/allow-math-ic-b3-code-duplication.js:
1788         * stress/array-push-multiple-int32.js:
1789         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1790         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1791         * stress/arrowfunction-lexical-this-activation-sink.js:
1792         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1793         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1794         * stress/elide-new-object-dag-then-exit.js:
1795         * stress/materialize-regexp-cyclic.js:
1796         * stress/new-regex-inline.js:
1797         * stress/op_add.js:
1798         * stress/op_bitand.js:
1799         * stress/op_bitor.js:
1800         * stress/op_bitxor.js:
1801         * stress/op_div-ConstVar.js:
1802         * stress/op_div-VarConst.js:
1803         * stress/op_div-VarVar.js:
1804         * stress/op_lshift-ConstVar.js:
1805         * stress/op_lshift-VarConst.js:
1806         * stress/op_lshift-VarVar.js:
1807         * stress/op_mod-ConstVar.js:
1808         * stress/op_mod-VarConst.js:
1809         * stress/op_mod-VarVar.js:
1810         * stress/op_mul-ConstVar.js:
1811         * stress/op_mul-VarConst.js:
1812         * stress/op_mul-VarVar.js:
1813         * stress/op_rshift-ConstVar.js:
1814         * stress/op_rshift-VarConst.js:
1815         * stress/op_rshift-VarVar.js:
1816         * stress/op_sub-ConstVar.js:
1817         * stress/op_sub-VarConst.js:
1818         * stress/op_sub-VarVar.js:
1819         * stress/op_urshift-ConstVar.js:
1820         * stress/op_urshift-VarConst.js:
1821         * stress/op_urshift-VarVar.js:
1822         * stress/proxy-get-set-correct-receiver.js:
1823         * stress/regress-179562.js:
1824         * stress/rest-parameter-many-arguments.js:
1825         * stress/sampling-profiler-richards.js:
1826         * stress/splay-flash-access-1ms.js:
1827         * stress/tailCallForwardArguments.js:
1828         * stress/typed-array-get-by-val-profiling.js:
1829         * typeProfiler/getter-richards.js:
1830
1831 2018-11-06  Michael Saboff  <msaboff@apple.com>
1832
1833         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1834         https://bugs.webkit.org/show_bug.cgi?id=191271
1835
1836         Reviewed by Saam Barati.
1837
1838         Added more test cases and made all test cases run with the same deeply recursive stack
1839         instead of finding that same point for each test case.
1840
1841         * stress/regexp-compile-oom.js:
1842         (prototype.runTest):
1843         (recurseAndTest):
1844         (testList.push.new.TestAndExpectedException):
1845
1846 2018-11-05  Michael Saboff  <msaboff@apple.com>
1847
1848         Unreviewed build fix for linux.
1849
1850         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1851
1852 2018-11-02  Michael Saboff  <msaboff@apple.com>
1853
1854         Rolling in r237753 with unreviewed build fix.
1855
1856         Fixed issues with DECLARE_THROW_SCOPE placement.
1857
1858 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1859
1860         Unreviewed, rolling out r237753.
1861
1862         Introduced JSC test failures
1863
1864         Reverted changeset:
1865
1866         "Running out of stack space not properly handled in
1867         RegExp::compile() and its callers"
1868         https://bugs.webkit.org/show_bug.cgi?id=191206
1869         https://trac.webkit.org/changeset/237753
1870
1871 2018-11-02  Michael Saboff  <msaboff@apple.com>
1872
1873         Running out of stack space not properly handled in RegExp::compile() and its callers
1874         https://bugs.webkit.org/show_bug.cgi?id=191206
1875
1876         Reviewed by Filip Pizlo.
1877
1878         New regression test.
1879
1880         * stress/regexp-compile-oom.js: Added.
1881         (recurseAndTest):
1882
1883 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1884
1885         Skip tests on arm/mips that time out now we're running on CLoop
1886
1887         Unreviewed gardening.
1888
1889         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1890         time out on the bots and need to be disabled. There's more tests
1891         disabled on arm because the timeout is longer on the mips bot (as the
1892         device is slower to start with), so many of the tests don't time out
1893         there.
1894
1895         * microbenchmarks/getter-richards.js: disable on arm and mips.
1896         * stress/op_add.js: disable on arm.
1897         * stress/op_bitand.js: disable on arm.
1898         * stress/op_bitor.js: disable on arm.
1899         * stress/op_bitxor.js: disable on arm.
1900         * stress/op_lshift-ConstVar.js: disable on arm.
1901         * stress/op_lshift-VarConst.js: disable on arm.
1902         * stress/op_lshift-VarVar.js: disable on arm.
1903         * stress/op_mod-ConstVar.js: disable on arm.
1904         * stress/op_mod-VarConst.js: disable on arm.
1905         * stress/op_mod-VarVar.js: disable on arm.
1906         * stress/op_mul-ConstVar.js: disable on arm.
1907         * stress/op_mul-VarConst.js: disable on arm.
1908         * stress/op_mul-VarVar.js: disable on arm.
1909         * stress/op_rshift-ConstVar.js: disable on arm.
1910         * stress/op_rshift-VarConst.js: disable on arm.
1911         * stress/op_rshift-VarVar.js: disable on arm.
1912         * stress/op_sub-ConstVar.js: disable on arm.
1913         * stress/op_sub-VarConst.js: disable on arm.
1914         * stress/op_sub-VarVar.js: disable on arm.
1915         * stress/op_urshift-ConstVar.js: disable on arm.
1916         * stress/op_urshift-VarConst.js: disable on arm.
1917         * stress/op_urshift-VarVar.js: disable on arm.
1918         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1919         * stress/value-to-boolean.js: disable on arm and mips.
1920
1921 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1922
1923         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1924         https://bugs.webkit.org/show_bug.cgi?id=191108
1925         <rdar://problem/45690700>
1926
1927         Reviewed by Saam Barati.
1928
1929         * stress/wide-op_catch.js: Added.
1930         (catch):
1931
1932 2018-10-29  Mark Lam  <mark.lam@apple.com>
1933
1934         Correctly detect string overflow when using the 'Function' constructor.
1935         https://bugs.webkit.org/show_bug.cgi?id=184883
1936         <rdar://problem/36320331>
1937
1938         Reviewed by Saam Barati.
1939
1940         I've verified that this passes on 32-bit as well.
1941
1942         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1943
1944 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1945
1946         Add support for GetStack FlushedDouble
1947         https://bugs.webkit.org/show_bug.cgi?id=191012
1948         <rdar://problem/45265141>
1949
1950         Reviewed by Saam Barati.
1951
1952         * stress/get-stack-double.js: Added.
1953         (bar):
1954         (noInline):
1955
1956 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1957
1958         New bytecode format for JSC
1959         https://bugs.webkit.org/show_bug.cgi?id=187373
1960         <rdar://problem/44186758>
1961
1962         Reviewed by Filip Pizlo.
1963
1964         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1965
1966         * stress/maximum-inline-capacity.js: Added.
1967         (test1):
1968         (test3.Foo):
1969         (test3):
1970
1971 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1972
1973         Unreviewed, rolling out r237479 and r237484.
1974         https://bugs.webkit.org/show_bug.cgi?id=190978
1975
1976         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1977
1978         Reverted changesets:
1979
1980         "New bytecode format for JSC"
1981         https://bugs.webkit.org/show_bug.cgi?id=187373
1982         https://trac.webkit.org/changeset/237479
1983
1984         "Gardening: Build fix after r237479."
1985         https://bugs.webkit.org/show_bug.cgi?id=187373
1986         https://trac.webkit.org/changeset/237484
1987
1988 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1989
1990         New bytecode format for JSC
1991         https://bugs.webkit.org/show_bug.cgi?id=187373
1992         <rdar://problem/44186758>
1993
1994         Reviewed by Filip Pizlo.
1995
1996         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1997
1998         * stress/maximum-inline-capacity.js: Added.
1999         (test1):
2000         (test3.Foo):
2001         (test3):
2002
2003 2018-10-26  Mark Lam  <mark.lam@apple.com>
2004
2005         Fix missing edge cases with JSGlobalObjects having a bad time.
2006         https://bugs.webkit.org/show_bug.cgi?id=189028
2007         <rdar://problem/45204939>
2008
2009         Reviewed by Saam Barati.
2010
2011         * stress/regress-189028.js: Added.
2012
2013 2018-10-22  Mark Lam  <mark.lam@apple.com>
2014
2015         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2016         https://bugs.webkit.org/show_bug.cgi?id=190515
2017         <rdar://problem/45222379>
2018
2019         Rubber-stamped by Saam Barati.
2020
2021         Adding another test.
2022
2023         * stress/regress-190515-2.js: Added.
2024
2025 2018-10-22  Mark Lam  <mark.lam@apple.com>
2026
2027         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2028         https://bugs.webkit.org/show_bug.cgi?id=190515
2029         <rdar://problem/45222379>
2030
2031         Reviewed by Saam Barati.
2032
2033         * stress/regress-190515.js: Added.
2034
2035 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2036
2037         Unreviewed, rolling out r237254.
2038         https://bugs.webkit.org/show_bug.cgi?id=190760
2039
2040         "It regresses JetStream 2 by 5% on some iOS devices"
2041         (Requested by saamyjoon on #webkit).
2042
2043         Reverted changeset:
2044
2045         "[JSC] JSC should have "parseFunction" to optimize Function
2046         constructor"
2047         https://bugs.webkit.org/show_bug.cgi?id=190340
2048         https://trac.webkit.org/changeset/237254
2049
2050 2018-10-19  Saam Barati  <sbarati@apple.com>
2051
2052         vmCall should check if we exit before emitting an OSR exit due to exceptions
2053         https://bugs.webkit.org/show_bug.cgi?id=190740
2054         <rdar://problem/45220139>
2055
2056         Reviewed by Mark Lam.
2057
2058         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2059         (foo):
2060
2061 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2062
2063         [ESNext][BigInt] Implement support for "^"
2064         https://bugs.webkit.org/show_bug.cgi?id=186235
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         * stress/big-int-bitwise-xor-general.js: Added.
2069         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2070         * stress/big-int-bitwise-xor-type-error.js: Added.
2071         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2072
2073 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2074
2075         [BigInt] Add ValueSub into DFG
2076         https://bugs.webkit.org/show_bug.cgi?id=186176
2077
2078         Reviewed by Yusuke Suzuki.
2079
2080         * stress/big-int-subtraction-jit.js:
2081         * stress/value-sub-big-int-prediction-propagation.js: Added.
2082         * stress/value-sub-big-int-untyped.js: Added.
2083         * stress/value-sub-spec-none-case.js: Added.
2084
2085 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2086
2087         [JSC] JSC should have "parseFunction" to optimize Function constructor
2088         https://bugs.webkit.org/show_bug.cgi?id=190340
2089
2090         Reviewed by Mark Lam.
2091
2092         This patch fixes the line number of syntax errors raised by the Function constructor,
2093         since we now parse the final code only once. And we no longer use block statement
2094         for Function constructor's parsing.
2095
2096         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2097         * stress/function-cache-with-parameters-end-position.js: Added.
2098         (shouldBe):
2099         (shouldThrow):
2100         (i.anonymous):
2101         * stress/function-constructor-name.js: Added.
2102         (shouldBe):
2103         (GeneratorFunction):
2104         (AsyncFunction.async):
2105         (AsyncGeneratorFunction.async):
2106         (anonymous):
2107         (async.anonymous):
2108         * test262/expectations.yaml:
2109
2110 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2111
2112         Unreviewed, rolling out r237242.
2113         https://bugs.webkit.org/show_bug.cgi?id=190701
2114
2115         it breaks "stress/sampling-profiler-basic.js" (Requested by
2116         caiolima on #webkit).
2117
2118         Reverted changeset:
2119
2120         "[BigInt] Add ValueSub into DFG"
2121         https://bugs.webkit.org/show_bug.cgi?id=186176
2122         https://trac.webkit.org/changeset/237242
2123
2124 2018-10-17  Keith Miller  <keith_miller@apple.com>
2125
2126         AI does not clear Phantom allocation nodes.
2127         https://bugs.webkit.org/show_bug.cgi?id=190694
2128
2129         Reviewed by Saam Barati.
2130
2131         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2132         (Day):
2133         (DaysInYear):
2134         (TimeInYear):
2135         (TimeFromYear):
2136         (DayFromYear):
2137         (InLeapYear):
2138         (YearFromTime):
2139         (WeekDay):
2140         (DaylightSavingTA):
2141         (GetSecondSundayInMarch):
2142         (TimeInMonth):
2143
2144 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2145
2146         [BigInt] Add ValueSub into DFG
2147         https://bugs.webkit.org/show_bug.cgi?id=186176
2148
2149         Reviewed by Yusuke Suzuki.
2150
2151         * stress/big-int-subtraction-jit.js:
2152         * stress/value-sub-big-int-prediction-propagation.js: Added.
2153         * stress/value-sub-big-int-untyped.js: Added.
2154
2155 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2156
2157         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2158         https://bugs.webkit.org/show_bug.cgi?id=190611
2159
2160         Reviewed by Saam Barati.
2161
2162         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2163         to improve test runtime. On ARM/MIPS this test even timed out when running all
2164         tests.
2165
2166         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2167         (test):
2168
2169 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2170
2171         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2172
2173         Unreviewed gardening.
2174
2175         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2176
2177 2018-10-15  Saam barati  <sbarati@apple.com>
2178
2179         Emit fjcvtzs on ARM64E on Darwin
2180         https://bugs.webkit.org/show_bug.cgi?id=184023
2181
2182         Reviewed by Yusuke Suzuki and Filip Pizlo.
2183
2184         * stress/double-to-int32-NaN.js: Added.
2185         (assert):
2186         (foo):
2187
2188 2018-10-15  Saam Barati  <sbarati@apple.com>
2189
2190         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2191         https://bugs.webkit.org/show_bug.cgi?id=190262
2192         <rdar://problem/44986241>
2193
2194         Reviewed by Mark Lam.
2195
2196         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2197         (test):
2198         * stress/slice-array-storage-with-holes.js: Added.
2199         (main):
2200
2201 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2202
2203         Unreviewed, rolling out r237054.
2204         https://bugs.webkit.org/show_bug.cgi?id=190593
2205
2206         "this regressed JetStream 2 by 6% on iOS" (Requested by
2207         saamyjoon on #webkit).
2208
2209         Reverted changeset:
2210
2211         "[JSC] JSC should have "parseFunction" to optimize Function
2212         constructor"
2213         https://bugs.webkit.org/show_bug.cgi?id=190340
2214         https://trac.webkit.org/changeset/237054
2215
2216 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2217
2218         [JSC] JSON.stringify can accept call-with-no-arguments
2219         https://bugs.webkit.org/show_bug.cgi?id=190343
2220
2221         Reviewed by Mark Lam.
2222
2223         * stress/json-stringify-no-arguments.js: Added.
2224         (shouldBe):
2225
2226 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2227
2228         [JSC] JSC should have "parseFunction" to optimize Function constructor
2229         https://bugs.webkit.org/show_bug.cgi?id=190340
2230
2231         Reviewed by Mark Lam.
2232
2233         This patch fixes the line number of syntax errors raised by the Function constructor,
2234         since we now parse the final code only once. And we no longer use block statement
2235         for Function constructor's parsing.
2236
2237         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2238         * stress/function-cache-with-parameters-end-position.js: Added.
2239         (shouldBe):
2240         (shouldThrow):
2241         (i.anonymous):
2242         * stress/function-constructor-name.js: Added.
2243         (shouldBe):
2244         (GeneratorFunction):
2245         (AsyncFunction.async):
2246         (AsyncGeneratorFunction.async):
2247         (anonymous):
2248         (async.anonymous):
2249         * test262/expectations.yaml:
2250
2251 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2252
2253         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2254         https://bugs.webkit.org/show_bug.cgi?id=190426
2255
2256         Unreviewed gardening.
2257
2258         * stress/sampling-profiler-richards.js:
2259
2260 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2261
2262         [ESNext][BigInt] Implement support for "|"
2263         https://bugs.webkit.org/show_bug.cgi?id=186229
2264
2265         Reviewed by Yusuke Suzuki.
2266
2267         * stress/big-int-bitwise-and-jit.js:
2268         * stress/big-int-bitwise-or-general.js: Added.
2269         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2270         * stress/big-int-bitwise-or-jit.js: Added.
2271         * stress/big-int-bitwise-or-memory-stress.js: Added.
2272         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2273         * stress/big-int-bitwise-or-type-error.js: Added.
2274         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2275
2276 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2277
2278         Skip test on systems with limited memory
2279         https://bugs.webkit.org/show_bug.cgi?id=190310
2280
2281         Invoking runDefault adds test to runlist, skipping the test in the next
2282         line does not prevent the test from executing. Change order of lines such
2283         that runDefault is only executed if test is not executed.
2284
2285         Reviewed by Mark Lam.
2286
2287         * stress/regress-190187.js:
2288
2289 2018-10-03  Saam barati  <sbarati@apple.com>
2290
2291         lowXYZ in FTLLower should always filter the type of the incoming edge
2292         https://bugs.webkit.org/show_bug.cgi?id=189939
2293         <rdar://problem/44407030>
2294
2295         Reviewed by Michael Saboff.
2296
2297         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2298         (foo):
2299         (test):
2300
2301 2018-10-03  Mark Lam  <mark.lam@apple.com>
2302
2303         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2304         https://bugs.webkit.org/show_bug.cgi?id=190187
2305         <rdar://problem/42512909>
2306
2307         Reviewed by Michael Saboff.
2308
2309         * stress/regress-190187.js: Added.
2310
2311 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2312
2313         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2314         https://bugs.webkit.org/show_bug.cgi?id=190033
2315
2316         Reviewed by Yusuke Suzuki.
2317
2318         * stress/big-int-to-string.js:
2319
2320 2018-10-01  Mark Lam  <mark.lam@apple.com>
2321
2322         Function.toString() should also copy the source code Functions that are class definitions.
2323         https://bugs.webkit.org/show_bug.cgi?id=190186
2324         <rdar://problem/44733360>
2325
2326         Reviewed by Saam Barati.
2327
2328         * stress/regress-190186.js: Added.
2329
2330 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2331
2332         Split NaN-check into separate test
2333         https://bugs.webkit.org/show_bug.cgi?id=190010
2334
2335         Reviewed by Saam Barati.
2336
2337         DataView exposes NaN-representation, which is not necessarily the same on each
2338         architecture. Therefore move the check of the NaN-representation into its own
2339         file such that we can disable this test on MIPS where NaN-representation can be
2340         different on older CPUs.
2341
2342         * stress/dataview-jit-set-nan.js: Added.
2343         (assert):
2344         (test.storeLittleEndian):
2345         (test.storeBigEndian):
2346         (test.store):
2347         (test):
2348         * stress/dataview-jit-set.js:
2349         (test5):
2350
2351 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2352
2353         Unreviewed, rolling out r236647.
2354         https://bugs.webkit.org/show_bug.cgi?id=190124
2355
2356         Breaking test stress/big-int-to-string.js (Requested by
2357         caiolima_ on #webkit).
2358
2359         Reverted changeset:
2360
2361         "[BigInt] BigInt.proptotype.toString is broken when radix is
2362         power of 2"
2363         https://bugs.webkit.org/show_bug.cgi?id=190033
2364         https://trac.webkit.org/changeset/236647
2365
2366 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2367
2368         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2369         https://bugs.webkit.org/show_bug.cgi?id=190033
2370
2371         Reviewed by Yusuke Suzuki.
2372
2373         * stress/big-int-to-string.js:
2374
2375 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2376
2377         [ESNext][BigInt] Implement support for "&"
2378         https://bugs.webkit.org/show_bug.cgi?id=186228
2379
2380         Reviewed by Yusuke Suzuki.
2381
2382         * stress/big-int-bitwise-and-general.js: Added.
2383         (assert):
2384         (assert.sameValue):
2385         * stress/big-int-bitwise-and-jit.js: Added.
2386         (let.assert.sameValue):
2387         (bigIntBitAnd):
2388         * stress/big-int-bitwise-and-memory-stress.js: Added.
2389         (assert):
2390         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2391         (assert.sameValue):
2392         (let.o.Symbol.toPrimitive):
2393         (catch):
2394         * stress/big-int-bitwise-and-type-error.js: Added.
2395         (assert):
2396         (assertThrowTypeError):
2397         (let.o.valueOf):
2398         (o.valueOf):
2399         (o.toString):
2400         (o.Symbol.toPrimitive):
2401         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2402         (assert.sameValue):
2403         (testBitAnd):
2404         (let.o.Symbol.toPrimitive):
2405         (o.valueOf):
2406         (o.toString):
2407
2408 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2409
2410         JSC test stress/jsc-read.js doesn't support CRLF
2411         https://bugs.webkit.org/show_bug.cgi?id=190063
2412
2413         Reviewed by Yusuke Suzuki.
2414
2415         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2416
2417         * stress/jsc-read.js:
2418         (test):
2419
2420 2018-09-27  Saam barati  <sbarati@apple.com>
2421
2422         Verify the contents of AssemblerBuffer on arm64e
2423         https://bugs.webkit.org/show_bug.cgi?id=190057
2424         <rdar://problem/38916630>
2425
2426         Reviewed by Mark Lam.
2427
2428         * stress/regress-189132.js:
2429
2430 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2431
2432         Disable test without LLInt on ARMv7
2433         https://bugs.webkit.org/show_bug.cgi?id=190037
2434
2435         Reviewed by Mark Lam.
2436
2437         Test runs out of executable memory on ARMv7, do not run
2438         this test without LLInt enabled.
2439
2440         * stress/regress-169445.js:
2441
2442 2018-09-26  Keith Miller  <keith_miller@apple.com>
2443
2444         We should zero unused property storage when rebalancing array storage.
2445         https://bugs.webkit.org/show_bug.cgi?id=188151
2446
2447         Reviewed by Michael Saboff.
2448
2449         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2450
2451 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2452
2453         [JSC] Optimize Array#lastIndexOf
2454         https://bugs.webkit.org/show_bug.cgi?id=189780
2455
2456         Reviewed by Saam Barati.
2457
2458         * stress/array-lastindexof-array-prototype-trap.js: Added.
2459         (shouldBe):
2460         (AncestorArray.prototype.get 2):
2461         (AncestorArray):
2462         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2463         (shouldBe):
2464         * stress/array-lastindexof-hole-nan.js: Added.
2465         (shouldBe):
2466         (throw.new.Error):
2467         * stress/array-lastindexof-infinity.js: Added.
2468         (shouldBe):
2469         (throw.new.Error):
2470         * stress/array-lastindexof-negative-zero.js: Added.
2471         (shouldBe):
2472         (throw.new.Error):
2473         * stress/array-lastindexof-own-getter.js: Added.
2474         (shouldBe):
2475         (throw.new.Error.get array):
2476         (get array):
2477         * stress/array-lastindexof-prototype-trap.js: Added.
2478         (shouldBe):
2479         (DerivedArray.prototype.get 2):
2480         (DerivedArray):
2481
2482 2018-09-25  Saam Barati  <sbarati@apple.com>
2483
2484         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2485         https://bugs.webkit.org/show_bug.cgi?id=189940
2486         <rdar://problem/43640987>
2487
2488         Reviewed by Mark Lam.
2489
2490         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2491
2492 2018-09-24  Saam Barati  <sbarati@apple.com>
2493
2494         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2495         https://bugs.webkit.org/show_bug.cgi?id=189922
2496         <rdar://problem/44651275>
2497
2498         Reviewed by Mark Lam.
2499
2500         * stress/array-indexof-fast-path-effects.js: Added.
2501         * stress/array-indexof-cached-length.js: Added.
2502
2503 2018-09-24  Saam barati  <sbarati@apple.com>
2504
2505         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2506         https://bugs.webkit.org/show_bug.cgi?id=189682
2507         <rdar://problem/43557315>
2508
2509         Reviewed by Mark Lam.
2510
2511         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2512         (foo):
2513
2514 2018-09-22  Saam barati  <sbarati@apple.com>
2515
2516         The sampling should not use Strong<CodeBlock> in its machineLocation field
2517         https://bugs.webkit.org/show_bug.cgi?id=189319
2518
2519         Reviewed by Filip Pizlo.
2520
2521         * stress/sampling-profiler-richards.js: Added.
2522
2523 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2524
2525         [JSC] Optimize Array#indexOf in C++ runtime
2526         https://bugs.webkit.org/show_bug.cgi?id=189507
2527
2528         Reviewed by Saam Barati.
2529
2530         * stress/array-indexof-array-prototype-trap.js: Added.
2531         (shouldBe):
2532         (AncestorArray.prototype.get 2):
2533         (AncestorArray):
2534         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2535         (shouldBe):
2536         * stress/array-indexof-hole-nan.js: Added.
2537         (shouldBe):
2538         (throw.new.Error):
2539         * stress/array-indexof-infinity.js: Added.
2540         (shouldBe):
2541         (throw.new.Error):
2542         * stress/array-indexof-negative-zero.js: Added.
2543         (shouldBe):
2544         (throw.new.Error):
2545         * stress/array-indexof-own-getter.js: Added.
2546         (shouldBe):
2547         (throw.new.Error.get array):
2548         (get array):
2549         * stress/array-indexof-prototype-trap.js: Added.
2550         (shouldBe):
2551         (DerivedArray.prototype.get 2):
2552         (DerivedArray):
2553
2554 2018-09-19  Saam barati  <sbarati@apple.com>
2555
2556         AI rule for MultiPutByOffset executes its effects in the wrong order
2557         https://bugs.webkit.org/show_bug.cgi?id=189757
2558         <rdar://problem/43535257>
2559
2560         Reviewed by Michael Saboff.
2561
2562         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2563         (foo):
2564         (Foo):
2565         (g):
2566
2567 2018-09-17  Mark Lam  <mark.lam@apple.com>
2568
2569         Ensure that ForInContexts are invalidated if their loop local is over-written.
2570         https://bugs.webkit.org/show_bug.cgi?id=189571
2571         <rdar://problem/44402277>
2572
2573         Reviewed by Saam Barati.
2574
2575         * stress/regress-189571.js: Added.
2576
2577 2018-09-17  Saam barati  <sbarati@apple.com>
2578
2579         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2580         https://bugs.webkit.org/show_bug.cgi?id=189676
2581         <rdar://problem/39682897>
2582
2583         Reviewed by Michael Saboff.
2584
2585         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2586         (A):
2587         (K):
2588         (i.catch):
2589
2590 2018-09-14  Saam barati  <sbarati@apple.com>
2591
2592         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2593         https://bugs.webkit.org/show_bug.cgi?id=189628
2594         <rdar://problem/39481690>
2595
2596         Reviewed by Mark Lam.
2597
2598         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2599         (foo):
2600
2601 2018-09-11  Mark Lam  <mark.lam@apple.com>
2602
2603         Test for array initialization in arrayProtoFuncSplice.
2604         https://bugs.webkit.org/show_bug.cgi?id=170253
2605         <rdar://problem/31328773>
2606
2607         Rubber-stamped by Saam Barati.
2608
2609         * stress/regress-170253.js: Added.
2610
2611 2018-09-11  Mark Lam  <mark.lam@apple.com>
2612
2613         Test for IntlObject initialization.
2614         https://bugs.webkit.org/show_bug.cgi?id=170251
2615         <rdar://problem/31328419>
2616
2617         Rubber-stamped by Saam Barati.
2618
2619         * stress/regress-170251.js: Added.
2620
2621 2018-09-11  Mark Lam  <mark.lam@apple.com>
2622
2623         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2624         https://bugs.webkit.org/show_bug.cgi?id=169889
2625         <rdar://problem/31155607>
2626
2627         Reviewed by Saam Barati.
2628
2629         * stress/regress-169889-array-concat.js: Added.
2630         * stress/regress-169889-array-concat1.js: Added.
2631         * stress/regress-169889-array-slice.js: Added.
2632
2633 2018-09-11  Mark Lam  <mark.lam@apple.com>
2634
2635         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2636         https://bugs.webkit.org/show_bug.cgi?id=169445
2637         <rdar://problem/30957435>
2638
2639         Reviewed by Saam Barati.
2640
2641         * stress/regress-169445.js: Added.
2642         (let.gun.eval.A):
2643         (let.gun.eval.B.C):
2644         (let.gun.eval.B.C.prototype.trigger):
2645         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2646         (let.gun.eval.B):
2647         (let.gun.eval):
2648
2649 == Rolled over to ChangeLog-2018-09-11 ==