DFG: Loop-invariant code motion (LICM) should not hoist dead code
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] sizeof(JSString) should be 16
4         https://bugs.webkit.org/show_bug.cgi?id=194375
5
6         Reviewed by Saam Barati.
7
8         * microbenchmarks/make-rope.js: Added.
9         (makeRope):
10         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
11         (returnRope.helper): Deleted.
12         (returnRope): Deleted.
13
14 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
15
16         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
17         https://bugs.webkit.org/show_bug.cgi?id=195144
18
19         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
20         Change the number from 1e8 to 1e5.
21
22         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
23         (foo):
24
25 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         Test times out on ARM/MIPS
28         https://bugs.webkit.org/show_bug.cgi?id=195168
29
30         Unreviewed. Skip test on ARM/MIPS.
31
32         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
33
34 2019-02-27  Mark Lam  <mark.lam@apple.com>
35
36         The parser is failing to record the token location of new in new.target.
37         https://bugs.webkit.org/show_bug.cgi?id=195127
38         <rdar://problem/39645578>
39
40         Reviewed by Yusuke Suzuki.
41
42         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
43
44 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
45
46         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
47         https://bugs.webkit.org/show_bug.cgi?id=195144
48         <rdar://problem/47595961>
49
50         Reviewed by Mark Lam.
51
52         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
53         (bar):
54         (foo):
55         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
56         (bar):
57         (foo):
58
59 2019-02-27  Robin Morisset  <rmorisset@apple.com>
60
61         DFG: Loop-invariant code motion (LICM) should not hoist dead code
62         https://bugs.webkit.org/show_bug.cgi?id=194945
63         <rdar://problem/48311657>
64
65         Reviewed by Mark Lam.
66
67         * stress/licm-dead-code.js: Added.
68
69 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
70
71         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
72         https://bugs.webkit.org/show_bug.cgi?id=194677
73         <rdar://problem/48112492>
74
75         Reviewed by Mark Lam.
76
77         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
78         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
79         it immediately fails due to the large size.
80
81         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
82         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
83         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
84         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
85
86         This patch changes the test to produce 16bit string from String.fromCharCode.
87
88         * stress/regress-178386.js:
89
90 2019-02-26  Mark Lam  <mark.lam@apple.com>
91
92         wasmToJS() should purify incoming NaNs.
93         https://bugs.webkit.org/show_bug.cgi?id=194807
94         <rdar://problem/48189132>
95
96         Reviewed by Saam Barati.
97
98         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
99
100 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
101
102         [JSC] Repeat string created from Array.prototype.join() take too much memory
103         https://bugs.webkit.org/show_bug.cgi?id=193912
104
105         Reviewed by Saam Barati.
106
107         Added a test and a microbenchmark for corner cases of
108         Array.prototype.join() with an uninitialized array.
109
110         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
111         * stress/array-prototype-join-uninitialized.js: Added.
112         (testArray):
113         (testABC):
114         (B):
115         (C):
116
117 2019-02-22  Robin Morisset  <rmorisset@apple.com>
118
119         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
120         https://bugs.webkit.org/show_bug.cgi?id=194953
121         <rdar://problem/47595253>
122
123         Reviewed by Saam Barati.
124
125         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
126
127         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
128
129 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
130
131         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
132         https://bugs.webkit.org/show_bug.cgi?id=172848
133         <rdar://problem/25709212>
134
135         Reviewed by Mark Lam.
136
137         * typeProfiler/inheritance.js:
138         Rewrite the test slightly for clarity. The hoisting was confusing.
139
140         * heapProfiler/class-names.js: Added.
141         (MyES5Class):
142         (MyES6Class):
143         (MyES6Subclass):
144         Test object types and improved class names.
145
146         * heapProfiler/driver/driver.js:
147         (CheapHeapSnapshotNode):
148         (CheapHeapSnapshot):
149         (createCheapHeapSnapshot):
150         (HeapSnapshot):
151         (createHeapSnapshot):
152         Update snapshot parsing from version 1 to version 2.
153
154 2019-02-19  Truitt Savell  <tsavell@apple.com>
155
156         Unreviewed, rolling out r241784.
157
158         Broke all OpenSource builds.
159
160         Reverted changeset:
161
162         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
163         instances view"
164         https://bugs.webkit.org/show_bug.cgi?id=172848
165         https://trac.webkit.org/changeset/241784
166
167 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
168
169         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
170         https://bugs.webkit.org/show_bug.cgi?id=172848
171         <rdar://problem/25709212>
172
173         Reviewed by Mark Lam.
174
175         * typeProfiler/inheritance.js:
176         Rewrite the test slightly for clarity. The hoisting was confusing.
177
178         * heapProfiler/class-names.js: Added.
179         (MyES5Class):
180         (MyES6Class):
181         (MyES6Subclass):
182         Test object types and improved class names.
183
184         * heapProfiler/driver/driver.js:
185         (CheapHeapSnapshotNode):
186         (CheapHeapSnapshot):
187         (createCheapHeapSnapshot):
188         (HeapSnapshot):
189         (createHeapSnapshot):
190         Update snapshot parsing from version 1 to version 2.
191
192 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
193
194         [ARM] Fix crash with sampling profiler
195         https://bugs.webkit.org/show_bug.cgi?id=194772
196
197         Reviewed by Mark Lam.
198
199         Do not skip test since crash with sampling profiler is now fixed.
200
201         * stress/sampling-profiler-richards.js:
202
203 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
204
205         [JSC] Add LazyClassStructure::getInitializedOnMainThread
206         https://bugs.webkit.org/show_bug.cgi?id=194784
207         <rdar://problem/48154820>
208
209         Reviewed by Mark Lam.
210
211         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
212         (getProperties):
213         (getRandomProperty):
214         (i.catch):
215
216 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
217
218         [ARM] Test gardening: Test running out of executable memory
219         https://bugs.webkit.org/show_bug.cgi?id=194771
220
221         Unreviewed. Do not run test without LLInt, test is running out of executable
222         memory on ARM otherwise.
223
224         * stress/tagged-template-object-collect.js:
225
226 2019-02-18  Tomas Popela  <tpopela@redhat.com>
227
228         Unreviewed, skip the test on platforms without sampling profiler
229
230         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
231         (platformSupportsSamplingProfiler.foo):
232         (platformSupportsSamplingProfiler.test):
233         (platformSupportsSamplingProfiler):
234         (foo): Deleted.
235         (test): Deleted.
236
237 2019-02-17  Saam Barati  <sbarati@apple.com>
238
239         Deadlock when adding a Structure property transition and then doing incremental marking
240         https://bugs.webkit.org/show_bug.cgi?id=194767
241
242         Reviewed by Mark Lam.
243
244         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
245
246 2019-02-15  Michael Saboff  <msaboff@apple.com>
247
248         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
249         https://bugs.webkit.org/show_bug.cgi?id=194558
250
251         Reviewed by Saam Barati.
252
253         New regression test.
254
255         * stress/regexp-unicode-within-string.js: Added.
256
257 2019-02-15  Mark Lam  <mark.lam@apple.com>
258
259         SamplingProfiler::stackTracesAsJSON() should escape strings.
260         https://bugs.webkit.org/show_bug.cgi?id=194649
261         <rdar://problem/48072386>
262
263         Reviewed by Saam Barati.
264
265         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
266         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
267         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
268         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
269
270 2019-02-15  Robin Morisset  <rmorisset@apple.com>
271         CodeBlock::jettison should clear related watchpoints
272         https://bugs.webkit.org/show_bug.cgi?id=194544
273
274         Reviewed by Mark Lam.
275
276         * stress/regexp-replace-double-watchpoint.js: Added.
277         (foo):
278
279 2019-02-15  Saam barati  <sbarati@apple.com>
280
281         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
282         https://bugs.webkit.org/show_bug.cgi?id=194036
283
284         Reviewed by Yusuke Suzuki.
285
286         * stress/tail-call-many-arguments.js: Added.
287         (foo):
288         (bar):
289
290 2019-02-14  Saam Barati  <sbarati@apple.com>
291
292         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
293         https://bugs.webkit.org/show_bug.cgi?id=194583
294         <rdar://problem/48028140>
295
296         Reviewed by Yusuke Suzuki.
297
298         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
299
300 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
301
302         [JSC] String.fromCharCode's slow path always generates 16bit string
303         https://bugs.webkit.org/show_bug.cgi?id=194466
304
305         Reviewed by Keith Miller.
306
307         * stress/string-from-char-code-slow-path.js: Added.
308         (shouldBe):
309         (testWithLength):
310
311 2019-02-08  Saam barati  <sbarati@apple.com>
312
313         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
314         https://bugs.webkit.org/show_bug.cgi?id=194334
315         <rdar://problem/47844327>
316
317         Reviewed by Mark Lam.
318
319         * stress/check-in-bounds-should-be-a-child-use.js: Added.
320         (func):
321
322 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
323
324         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
325         https://bugs.webkit.org/show_bug.cgi?id=194369
326         <rdar://problem/47813087>
327
328         Reviewed by Saam Barati.
329
330         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
331         (A):
332
333 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         [JSC] PrivateName to PublicName hash table is wasteful
336         https://bugs.webkit.org/show_bug.cgi?id=194277
337
338         Reviewed by Michael Saboff.
339
340         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
341
342         * ChakraCore.yaml:
343
344 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
345
346         [ARM] Test running out of executable memory
347         https://bugs.webkit.org/show_bug.cgi?id=194285
348
349         Unreviewed. Do not execute test with LLInt disabled, test runs out of
350         executable memory otherwise.
351
352         * stress/class-subclassing-function.js:
353
354 2019-02-04  Robin Morisset  <rmorisset@apple.com>
355
356         when lowering AssertNotEmpty, create the value before creating the patchpoint
357         https://bugs.webkit.org/show_bug.cgi?id=194231
358
359         Reviewed by Saam Barati.
360
361         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
362         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
363         So even tiny changes to this test can change the path code taken.
364
365         * stress/assert-not-empty.js: Added.
366         (foo):
367
368 2019-02-01  Mark Lam  <mark.lam@apple.com>
369
370         Remove invalid assertion in DFG's compileDoubleRep().
371         https://bugs.webkit.org/show_bug.cgi?id=194130
372         <rdar://problem/47699474>
373
374         Reviewed by Saam Barati.
375
376         * stress/constant-fold-double-rep-into-double-constant.js: Added.
377
378 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
379
380         Import latest Test262 updates.
381
382         Rubber-stamped by Keith Miller.
383
384         * test262.yaml: Deleted.
385         * test262/config.yaml:
386         * test262/expectations.yaml:
387         * test262/latest-changes-summary.txt:
388         * test262/test/:
389         * test262/test262-Revision.txt:
390
391 2019-01-30  Robin Morisset  <rmorisset@apple.com>
392
393         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
394         https://bugs.webkit.org/show_bug.cgi?id=194050
395         <rdar://problem/47595592>
396
397         Reviewed by Yusuke Suzuki.
398
399         * stress/object-keys-osr-exit.js: Added.
400         (foo):
401         (catch):
402
403 2019-01-29  Mark Lam  <mark.lam@apple.com>
404
405         ValueRecovery::recover() should purify NaN values it recovers.
406         https://bugs.webkit.org/show_bug.cgi?id=193978
407         <rdar://problem/47625488>
408
409         Reviewed by Saam Barati.
410
411         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
412
413 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
414
415         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
416         https://bugs.webkit.org/show_bug.cgi?id=193713
417
418         * stress/try-get-by-id-should-spill-registers-dfg.js:
419         (let.f.createBuiltin):
420
421 2019-01-28  Mark Lam  <mark.lam@apple.com>
422
423         ToString node actually does GC.
424         https://bugs.webkit.org/show_bug.cgi?id=193920
425         <rdar://problem/46695900>
426
427         Reviewed by Yusuke Suzuki.
428
429         * stress/dfg-to-string-on-int-does-gc.js: Added.
430         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
431         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
432
433 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
434
435         [JSC] NativeErrorConstructor should not have own IsoSubspace
436         https://bugs.webkit.org/show_bug.cgi?id=193713
437
438         Reviewed by Saam Barati.
439
440         Remove @Error use.
441
442         * stress/try-get-by-id-should-spill-registers-dfg.js:
443         (let.f.createBuiltin):
444
445 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
446
447         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
448         https://bugs.webkit.org/show_bug.cgi?id=190693
449
450         Reviewed by Michael Saboff.
451
452         * stress/regress-190693.js: Added.
453         (truth):
454         (assert):
455         (shouldThrowInvalidConstAssignment):
456         (taz):
457
458 2019-01-24  Saam Barati  <sbarati@apple.com>
459
460         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
461         https://bugs.webkit.org/show_bug.cgi?id=193751
462         <rdar://problem/47280215>
463
464         Reviewed by Michael Saboff.
465
466         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
467         (let.thing):
468         (foo.let.hello):
469         (foo):
470
471 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
472
473         [JSC] Reenable baseline JIT on mips
474         https://bugs.webkit.org/show_bug.cgi?id=192983
475
476         Reviewed by Mark Lam.
477
478         Added a new test for a case that was triggering a RELEASE_ASSERT when
479         testing.
480         Disable some slow tests that were already disabled for arm and x86.
481
482         * stress/json-parse-big-object.js: Added.
483         * stress/new-largeish-contiguous-array-with-size.js:
484         * stress/op_add.js:
485         * stress/op_bitand.js:
486         * stress/op_bitor.js:
487         * stress/op_bitxor.js:
488         * stress/op_lshift-ConstVar.js:
489         * stress/op_lshift-VarConst.js:
490         * stress/op_lshift-VarVar.js:
491         * stress/op_mod-ConstVar.js:
492         * stress/op_mod-VarConst.js:
493         * stress/op_mod-VarVar.js:
494         * stress/op_mul-ConstVar.js:
495         * stress/op_mul-VarConst.js:
496         * stress/op_mul-VarVar.js:
497         * stress/op_rshift-ConstVar.js:
498         * stress/op_rshift-VarConst.js:
499         * stress/op_rshift-VarVar.js:
500         * stress/op_sub-ConstVar.js:
501         * stress/op_sub-VarConst.js:
502         * stress/op_sub-VarVar.js:
503         * stress/op_urshift-ConstVar.js:
504         * stress/op_urshift-VarConst.js:
505         * stress/op_urshift-VarVar.js:
506         * stress/sampling-profiler-richards.js:
507         * stress/spread-forward-call-varargs-stack-overflow.js:
508
509 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
510
511         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
512         https://bugs.webkit.org/show_bug.cgi?id=193711
513         <rdar://problem/47250262>
514
515         Reviewed by Saam Barati.
516
517         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
518         (shouldBe):
519         (foo):
520         (bar):
521         (baz):
522
523 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
524
525         Unreviewed, fix initial global lexical binding epoch
526         https://bugs.webkit.org/show_bug.cgi?id=193603
527         <rdar://problem/47380869>
528
529         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
530         (f1.f2.f3.f4):
531         (f1.f2.f3):
532         (f1.f2):
533         (f1):
534
535 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
536
537         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
538         https://bugs.webkit.org/show_bug.cgi?id=193709
539         <rdar://problem/47363838>
540
541         Unreviewed, rollout to watch the tests.
542
543         * stress/object-tostring-changed-proto.js: Removed.
544         * stress/object-tostring-changed.js: Removed.
545         * stress/object-tostring-misc.js: Removed.
546         * stress/object-tostring-other.js: Removed.
547         * stress/object-tostring-untyped.js: Removed.
548
549 2019-01-22  Saam Barati  <sbarati@apple.com>
550
551         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
552
553         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
554         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
555         (testUncheckedLessThanZero):
556         (testUncheckedLessThanOrEqualZero):
557         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
558         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
559
560 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
561
562         [JSC] Invalidate old scope operations using global lexical binding epoch
563         https://bugs.webkit.org/show_bug.cgi?id=193603
564         <rdar://problem/47380869>
565
566         Reviewed by Saam Barati.
567
568         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
569         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
570         (shouldThrow):
571         (bar):
572         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
573         (shouldBe):
574         (get1):
575         (get2):
576         (get1If):
577         (get2If):
578         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
579         (shouldThrow):
580         (foo):
581
582 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
583
584         Unreviewed, roll out r240220 due to date-format-xparb regression
585         https://bugs.webkit.org/show_bug.cgi?id=193603
586
587         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
588         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
589         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
590         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
591
592 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
593
594         DoesGC rule is wrong for nodes with BigIntUse
595         https://bugs.webkit.org/show_bug.cgi?id=193652
596
597         Reviewed by Saam Barati.
598
599         * stress/big-int-value-op-update-gc-rules.js: Added.
600         (assert):
601         (doesGCAdd):
602         (doesGCSub):
603         (doesGCDiv):
604         (doesGCMul):
605         (doesGCBitAnd):
606         (doesGCBitOr):
607         (doesGCBitXor):
608
609 2019-01-20  Saam Barati  <sbarati@apple.com>
610
611         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
612         https://bugs.webkit.org/show_bug.cgi?id=193644
613         <rdar://problem/46209745>
614
615         Reviewed by Yusuke Suzuki.
616
617         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
618         (foo):
619         * stress/data-view-set-intrinsic-undefined-result.js: Added.
620         (foo):
621         (bar):
622
623 2019-01-20  Saam Barati  <sbarati@apple.com>
624
625         MovHint must merge NodeBytecodeUsesAsValue for its child
626         https://bugs.webkit.org/show_bug.cgi?id=186916
627         <rdar://problem/41396612>
628
629         Reviewed by Yusuke Suzuki.
630
631         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
632         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
633
634 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
635
636         [JSC] Invalidate old scope operations using global lexical binding epoch
637         https://bugs.webkit.org/show_bug.cgi?id=193603
638         <rdar://problem/47380869>
639
640         Reviewed by Saam Barati.
641
642         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
643         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
644         (shouldThrow):
645         (bar):
646         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
647         (shouldBe):
648         (get1):
649         (get2):
650         (get1If):
651         (get2If):
652         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
653         (shouldThrow):
654         (foo):
655
656 2019-01-17  Saam barati  <sbarati@apple.com>
657
658         StringObjectUse should not be a structure check for the original string object structure
659         https://bugs.webkit.org/show_bug.cgi?id=193483
660         <rdar://problem/47280522>
661
662         Reviewed by Yusuke Suzuki.
663
664         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
665         (foo):
666         (a.valueOf.0):
667
668 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
669
670         [JSC] ToThis omission in DFGByteCodeParser is wrong
671         https://bugs.webkit.org/show_bug.cgi?id=193513
672         <rdar://problem/45842236>
673
674         Reviewed by Saam Barati.
675
676         * stress/to-this-omission-with-different-strict-modes.js: Added.
677         (thisA):
678         (thisAStrictWrapper):
679
680 2019-01-15  Mark Lam  <mark.lam@apple.com>
681
682         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
683         https://bugs.webkit.org/show_bug.cgi?id=193423
684         <rdar://problem/46209355>
685
686         Reviewed by Saam Barati.
687
688         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
689         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
690         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
691         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
692
693 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
694
695         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
696         https://bugs.webkit.org/show_bug.cgi?id=193438
697         <rdar://problem/45581249>
698
699         Reviewed by Saam Barati and Keith Miller.
700
701         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
702         Then, GetByVal(String) crashed.
703
704         * stress/string-get-by-val-lowering.js: Added.
705         (shouldBe):
706         (test):
707         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
708         (Hello):
709         (foo):
710
711 2019-01-15  Tomas Popela  <tpopela@redhat.com>
712
713         Unreviewed, skip JIT tests if it's not enabled
714
715         * stress/bit-op-with-object-returning-int32.js:
716
717 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
718
719         DFGByteCodeParser rules for bitwise operations should consider type of their operands
720         https://bugs.webkit.org/show_bug.cgi?id=192966
721
722         Reviewed by Yusuke Suzuki.
723
724         * stress/bit-op-with-object-returning-int32.js: Added.
725
726 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
727
728         Skip a slow test and a flakey test on arm
729
730         Unreviewed gardening.
731
732         * typeProfiler/getter-richards.js:
733         this test always times out, it used to be always skipped on arm and
734         mips, but got accidentally enabled by r237919 now that we have DFG on
735         arm. Also skipping on mips as we plan to soon enable DFG for it too.
736
737 2019-01-14  Keith Miller  <keith_miller@apple.com>
738
739         Skip type-check-hoisting-phase-hoist... with no jit
740         https://bugs.webkit.org/show_bug.cgi?id=193421
741
742         Reviewed by Mark Lam.
743
744         It's timing out the 32-bit bots and takes 330 seconds
745         on my machine when run by itself.
746
747         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
748
749 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
750
751         [JSC] AI should check the given constant's array type when folding GetByVal into constant
752         https://bugs.webkit.org/show_bug.cgi?id=193413
753         <rdar://problem/46092389>
754
755         Reviewed by Keith Miller.
756
757         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
758         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
759         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
760         but GetByVal does not have appropriate ArrayModes, JSC crashes.
761
762         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
763         (compareArray):
764
765 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
766
767         [BigInt] Literal parsing is crashing when used inside a Object Literal
768         https://bugs.webkit.org/show_bug.cgi?id=193404
769
770         Reviewed by Yusuke Suzuki.
771
772         * stress/big-int-literal-inside-literal-object.js: Added.
773
774 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
775
776         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
777         https://bugs.webkit.org/show_bug.cgi?id=193372
778
779         Reviewed by Saam Barati.
780
781         * stress/typed-array-array-modes-profile.js: Added.
782         (foo):
783
784 2019-01-14  Mark Lam  <mark.lam@apple.com>
785
786         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
787         https://bugs.webkit.org/show_bug.cgi?id=193402
788         <rdar://problem/46012309>
789
790         Reviewed by Keith Miller.
791
792         * stress/regexp-compile-oom.js:
793         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
794           is enabled.  As a result, it will fail on cloop builds though there is no bug.
795
796 2019-01-11  Saam barati  <sbarati@apple.com>
797
798         DFG combined liveness can be wrong for terminal basic blocks
799         https://bugs.webkit.org/show_bug.cgi?id=193304
800         <rdar://problem/45268632>
801
802         Reviewed by Yusuke Suzuki.
803
804         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
805
806 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
807
808         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
809         https://bugs.webkit.org/show_bug.cgi?id=193308
810         <rdar://problem/45546542>
811
812         Reviewed by Saam Barati.
813
814         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
815         (shouldThrow):
816         (shouldBe):
817         (foo):
818         (get shouldThrow):
819         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
820         (shouldThrow):
821         (shouldBe):
822         (foo):
823         (get shouldBe):
824         (get shouldThrow):
825         (get return):
826         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
827         (shouldThrow):
828         (shouldBe):
829         (foo):
830         (get shouldBe):
831         (get shouldThrow):
832         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
833         (shouldThrow):
834         (shouldBe):
835         (foo):
836         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
837         (shouldThrow):
838         (shouldBe):
839         (foo):
840         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
841         (shouldThrow):
842         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
843         (shouldThrow):
844         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
845         (shouldThrow):
846         (shouldBe):
847         (foo):
848         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
849         (shouldThrow):
850         (shouldBe):
851         (foo):
852         (get shouldBe):
853         (get shouldThrow):
854         (get return):
855         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
856         (shouldThrow):
857         (shouldBe):
858         (foo):
859         (get shouldBe):
860         (get shouldThrow):
861         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
862         (shouldThrow):
863         (shouldBe):
864         (foo):
865         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
866         (shouldThrow):
867         (shouldBe):
868         (foo):
869
870 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
871
872         Enable DFG on ARM/Linux again
873         https://bugs.webkit.org/show_bug.cgi?id=192496
874
875         Reviewed by Yusuke Suzuki.
876
877         Test wasn't really skipped before moving the line with skip
878         to the top.
879
880         * stress/regress-192717.js:
881
882 2019-01-10  Commit Queue  <commit-queue@webkit.org>
883
884         Unreviewed, rolling out r239825.
885         https://bugs.webkit.org/show_bug.cgi?id=193330
886
887         Broke tests on armv7/linux bots (Requested by guijemont on
888         #webkit).
889
890         Reverted changeset:
891
892         "Enable DFG on ARM/Linux again"
893         https://bugs.webkit.org/show_bug.cgi?id=192496
894         https://trac.webkit.org/changeset/239825
895
896 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
897
898         Enable DFG on ARM/Linux again
899         https://bugs.webkit.org/show_bug.cgi?id=192496
900
901         Reviewed by Yusuke Suzuki.
902
903         Test wasn't really skipped before moving the line with skip
904         to the top.
905
906         * stress/regress-192717.js:
907
908 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
909
910         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
911         https://bugs.webkit.org/show_bug.cgi?id=193127
912
913         Reviewed by Saam Barati.
914
915         * stress/array-species-create-should-handle-masquerader.js: Added.
916         (shouldThrow):
917         * stress/is-undefined-or-null-builtin.js: Added.
918         (shouldBe):
919         (isUndefinedOrNull.vm.createBuiltin):
920
921 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
922
923         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
924         https://bugs.webkit.org/show_bug.cgi?id=193221
925
926         Reviewed by Mark Lam.
927
928         * stress/put-by-id-flags.js: Added.
929         (f):
930         (g):
931         (numberOfDFGCompiles):
932
933 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
934
935         Baseline version of get_by_id may corrupt metadata
936         https://bugs.webkit.org/show_bug.cgi?id=193085
937         <rdar://problem/23453006>
938
939         Reviewed by Saam Barati.
940
941         * stress/get-by-id-change-mode.js: Added.
942         (forEach):
943
944 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
945
946         [JSC] Optimize Object.prototype.toString
947         https://bugs.webkit.org/show_bug.cgi?id=193031
948
949         Reviewed by Saam Barati.
950
951         * stress/object-tostring-changed-proto.js: Added.
952         (shouldBe):
953         (test):
954         * stress/object-tostring-changed.js: Added.
955         (shouldBe):
956         (test):
957         * stress/object-tostring-misc.js: Added.
958         (shouldBe):
959         (test):
960         (i.switch):
961         * stress/object-tostring-other.js: Added.
962         (shouldBe):
963         (test):
964         * stress/object-tostring-untyped.js: Added.
965         (shouldBe):
966         (test):
967         (i.switch):
968
969 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
970
971         test262-runner misbehaves when test file YAML has a trailing space
972         https://bugs.webkit.org/show_bug.cgi?id=193053
973
974         Reviewed by Yusuke Suzuki.
975
976         * test262/expectations.yaml:
977         Mark two dozen tests as passing (and correct the output of another).
978
979 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
980
981         Unreviewed, JSTests gardening with memoryLimited
982
983         * stress/string-overflow-createError.js:
984
985 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
986
987         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
988         https://bugs.webkit.org/show_bug.cgi?id=193050
989
990         Reviewed by Yusuke Suzuki.
991
992         * test262.yaml:
993         * test262/expectations.yaml:
994         Mark 16 tests as passing.
995
996 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
997
998         [BigInt] Support BigInt in JSON.stringify
999         https://bugs.webkit.org/show_bug.cgi?id=192624
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/big-int-json-stringify-to-json.js: Added.
1004         (shouldBe):
1005         (shouldThrow):
1006         (BigInt.prototype.toJSON):
1007         (shouldBe.JSON.stringify):
1008         * stress/big-int-json-stringify.js: Added.
1009         (shouldBe):
1010         (shouldThrow):
1011
1012 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1013
1014         [JSC] Implement "well-formed JSON.stringify" proposal
1015         https://bugs.webkit.org/show_bug.cgi?id=191677
1016
1017         Reviewed by Darin Adler.
1018
1019         * stress/json-surrogate-pair.js: Added.
1020         (shouldBe):
1021         * test262/expectations.yaml:
1022
1023 2018-12-20  Keith Miller  <keith_miller@apple.com>
1024
1025         Add support for globalThis
1026         https://bugs.webkit.org/show_bug.cgi?id=165171
1027
1028         Reviewed by Mark Lam.
1029
1030         * test262/config.yaml:
1031
1032 2018-12-19  Keith Miller  <keith_miller@apple.com>
1033
1034         Update test262 configuration to not run tests dependent on ICU version.
1035         https://bugs.webkit.org/show_bug.cgi?id=192920
1036
1037         Reviewed by Saam Barati.
1038
1039         * test262/expectations.yaml:
1040
1041 2018-12-20  Mark Lam  <mark.lam@apple.com>
1042
1043         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1044         https://bugs.webkit.org/show_bug.cgi?id=192939
1045         <rdar://problem/46869516>
1046
1047         Reviewed by Keith Miller.
1048
1049         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1050
1051 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1052
1053         WTF::String and StringImpl overflow MaxLength
1054         https://bugs.webkit.org/show_bug.cgi?id=192853
1055         <rdar://problem/45726906>
1056
1057         Reviewed by Mark Lam.
1058
1059         * stress/string-16bit-repeat-overflow.js: Added.
1060         (catch):
1061
1062 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1063
1064         Unreviewed follow-up to r192914.
1065
1066         * test262/expectations.yaml:
1067         Add the last 20 missing expectations.
1068
1069 2018-12-19  Keith Miller  <keith_miller@apple.com>
1070
1071         Fix test262 expectations
1072         https://bugs.webkit.org/show_bug.cgi?id=192914
1073
1074         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1075
1076         * test262/expectations.yaml:
1077
1078 2018-12-19  Keith Miller  <keith_miller@apple.com>
1079
1080         Update test262 tests.
1081         https://bugs.webkit.org/show_bug.cgi?id=192907
1082
1083         Rubber stamped by Mark Lam.
1084
1085         * test262/*: Omitted because prepare-changelog crashes.
1086
1087 2018-12-19  Mark Lam  <mark.lam@apple.com>
1088
1089         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1090         https://bugs.webkit.org/show_bug.cgi?id=192464
1091         <rdar://problem/46519455>
1092
1093         Reviewed by Saam Barati.
1094
1095         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1096         microbenchmark.
1097
1098         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1099         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1100
1101 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1102
1103         String overflow in JSC::createError results in ASSERT in WTF::makeString
1104         https://bugs.webkit.org/show_bug.cgi?id=192833
1105         <rdar://problem/45706868>
1106
1107         Reviewed by Mark Lam.
1108
1109         * stress/string-overflow-createError.js: Added.
1110
1111 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1112
1113         Error message for `-x ** y` contains a typo.
1114         https://bugs.webkit.org/show_bug.cgi?id=192832
1115
1116         Reviewed by Saam Barati.
1117
1118         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1119         (assert.assert.return.throws):
1120         * stress/pow-expects-update-expression-on-lhs.js:
1121         (throw.new.Error):
1122         Update test expectations which match against the exact error message.
1123
1124 2018-12-18  Mark Lam  <mark.lam@apple.com>
1125
1126         Gardening: test options fix.
1127         https://bugs.webkit.org/show_bug.cgi?id=192822
1128
1129         Unreviewed.
1130
1131         * stress/json-stringify-string-builder-overflow.js:
1132
1133 2018-12-18  Mark Lam  <mark.lam@apple.com>
1134
1135         JSON.stringify() should throw OOM on StringBuilder overflows.
1136         https://bugs.webkit.org/show_bug.cgi?id=192822
1137         <rdar://problem/46670577>
1138
1139         Reviewed by Saam Barati.
1140
1141         * stress/json-stringify-string-builder-overflow.js: Added.
1142
1143 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1144
1145         Redeclaration of var over let/const/class should be a syntax error.
1146         https://bugs.webkit.org/show_bug.cgi?id=192298
1147
1148         Reviewed by Keith Miller.
1149
1150         * test262.yaml:
1151         * test262/expectations.yaml:
1152         Mark 46 tests as passing.
1153
1154         * stress/block-scope-redeclarations.js:
1155         Add some new tests.
1156
1157         * stress/for-in-invalidate-context-weird-assignments.js:
1158         * stress/for-in-tests.js:
1159         Replace tests for outdated behavior with tests for SyntaxError.
1160
1161         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1162         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1163         Update expectations.
1164
1165 2018-12-18  Mark Lam  <mark.lam@apple.com>
1166
1167         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1168         https://bugs.webkit.org/show_bug.cgi?id=191374
1169         <rdar://problem/46525447>
1170
1171         Reviewed by Yusuke Suzuki.
1172
1173         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1174
1175         * stress/elidable-new-object-roflcopter-then-exit.js:
1176
1177 2018-12-17  Mark Lam  <mark.lam@apple.com>
1178
1179         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1180         https://bugs.webkit.org/show_bug.cgi?id=192019
1181         <rdar://problem/46525456>
1182
1183         Reviewed by Yusuke Suzuki.
1184
1185         The test runs too slow on 32-bit.
1186
1187         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1188
1189 2018-12-17  Mark Lam  <mark.lam@apple.com>
1190
1191         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1192         https://bugs.webkit.org/show_bug.cgi?id=191373
1193         <rdar://problem/46525458>
1194
1195         Reviewed by Yusuke Suzuki.
1196
1197         The test is already slow running with a JIT on 64-bit.  It will always time out
1198         on 32-bit without a JIT.
1199
1200         * stress/materialize-regexp-cyclic-regexp.js:
1201
1202 2018-12-17  Mark Lam  <mark.lam@apple.com>
1203
1204         Array unshift/shift should not race against the AI in the compiler thread.
1205         https://bugs.webkit.org/show_bug.cgi?id=192795
1206         <rdar://problem/46724263>
1207
1208         Reviewed by Saam Barati.
1209
1210         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1211
1212 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1213
1214         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1215         https://bugs.webkit.org/show_bug.cgi?id=190047
1216
1217         Reviewed by Saam Barati.
1218
1219         * stress/object-keys-cached-zero.js: Added.
1220         (shouldBe):
1221         (test):
1222         * stress/object-keys-changed-attribute.js: Added.
1223         (shouldBe):
1224         (test):
1225         * stress/object-keys-changed-index.js: Added.
1226         (shouldBe):
1227         (test):
1228         * stress/object-keys-changed.js: Added.
1229         (shouldBe):
1230         (test):
1231         * stress/object-keys-indexed-non-cache.js: Added.
1232         (shouldBe):
1233         (test):
1234         * stress/object-keys-overrides-get-property-names.js: Added.
1235         (shouldBe):
1236         (test):
1237         (noInline):
1238
1239 2018-12-17  Mark Lam  <mark.lam@apple.com>
1240
1241         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1242         https://bugs.webkit.org/show_bug.cgi?id=192779
1243         <rdar://problem/46775869>
1244
1245         Reviewed by Saam Barati.
1246
1247         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1248
1249 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1250
1251         Unreviewed test gardening, address a syntax error in a new test.
1252
1253         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1254
1255 2018-12-17  Mark Lam  <mark.lam@apple.com>
1256
1257         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1258         https://bugs.webkit.org/show_bug.cgi?id=192776
1259         <rdar://problem/46772368>
1260
1261         Reviewed by Keith Miller.
1262
1263         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1264
1265 2018-12-17  Mark Lam  <mark.lam@apple.com>
1266
1267         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1268         https://bugs.webkit.org/show_bug.cgi?id=192770
1269         <rdar://problem/46449037>
1270
1271         Reviewed by Keith Miller.
1272
1273         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1274
1275 2018-12-14  Mark Lam  <mark.lam@apple.com>
1276
1277         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1278         https://bugs.webkit.org/show_bug.cgi?id=192717
1279         <rdar://problem/46660677>
1280
1281         Reviewed by Saam Barati.
1282
1283         * stress/regress-192717.js: Added.
1284
1285 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1286
1287         Unreviewed, rolling out r239153, r239154, and r239155.
1288         https://bugs.webkit.org/show_bug.cgi?id=192715
1289
1290         Caused flaky GC-related crashes seen with layout tests
1291         (Requested by ryanhaddad on #webkit).
1292
1293         Reverted changesets:
1294
1295         "[JSC] Optimize Object.keys by caching own keys results in
1296         StructureRareData"
1297         https://bugs.webkit.org/show_bug.cgi?id=190047
1298         https://trac.webkit.org/changeset/239153
1299
1300         "Unreviewed, build fix after r239153"
1301         https://bugs.webkit.org/show_bug.cgi?id=190047
1302         https://trac.webkit.org/changeset/239154
1303
1304         "Unreviewed, build fix after r239153, part 2"
1305         https://bugs.webkit.org/show_bug.cgi?id=190047
1306         https://trac.webkit.org/changeset/239155
1307
1308 2018-12-14  Keith Miller  <keith_miller@apple.com>
1309
1310         Callers of JSString::getIndex should check for OOM exceptions
1311         https://bugs.webkit.org/show_bug.cgi?id=192709
1312
1313         Reviewed by Mark Lam.
1314
1315         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1316
1317 2018-12-13  Mark Lam  <mark.lam@apple.com>
1318
1319         Add a missing exception check.
1320         https://bugs.webkit.org/show_bug.cgi?id=192626
1321         <rdar://problem/46662163>
1322
1323         Reviewed by Keith Miller.
1324
1325         * stress/regress-192626.js: Added.
1326
1327 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1328
1329         [BigInt] Add ValueDiv into DFG
1330         https://bugs.webkit.org/show_bug.cgi?id=186178
1331
1332         Reviewed by Yusuke Suzuki.
1333
1334         * stress/big-int-div-jit-osr.js: Added.
1335         * stress/big-int-div-jit-untyped.js: Added.
1336         * stress/value-div-fixup-int32-big-int.js: Added.
1337
1338 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1339
1340         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1341         https://bugs.webkit.org/show_bug.cgi?id=190047
1342
1343         Reviewed by Keith Miller.
1344
1345         * stress/object-keys-cached-zero.js: Added.
1346         (shouldBe):
1347         (test):
1348         * stress/object-keys-changed-attribute.js: Added.
1349         (shouldBe):
1350         (test):
1351         * stress/object-keys-changed-index.js: Added.
1352         (shouldBe):
1353         (test):
1354         * stress/object-keys-changed.js: Added.
1355         (shouldBe):
1356         (test):
1357         * stress/object-keys-indexed-non-cache.js: Added.
1358         (shouldBe):
1359         (test):
1360         * stress/object-keys-overrides-get-property-names.js: Added.
1361         (shouldBe):
1362         (test):
1363         (noInline):
1364
1365 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1366
1367         [DFG][FTL] Add NewSymbol
1368         https://bugs.webkit.org/show_bug.cgi?id=192620
1369
1370         Reviewed by Saam Barati.
1371
1372         * microbenchmarks/symbol-creation.js: Added.
1373         (test):
1374         * stress/symbol-description-identity.js: Added.
1375         (shouldBe):
1376         (test):
1377         * stress/symbol-identity.js: Added.
1378         (shouldBe):
1379         (test):
1380         * stress/symbol-with-description-throw-error.js: Added.
1381         (shouldBe):
1382         (shouldThrow):
1383         (test):
1384         (object.toString):
1385
1386 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1387
1388         [BigInt] Implement DFG/FTL typeof for BigInt
1389         https://bugs.webkit.org/show_bug.cgi?id=192619
1390
1391         Reviewed by Keith Miller.
1392
1393         * stress/big-int-boolean-proven-type.js: Added.
1394         (assert):
1395         (bool):
1396         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1397         (assert):
1398         (typeOf):
1399         (i.switch):
1400         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1401         (assert):
1402         (typeOf):
1403         * stress/big-int-type-of.js:
1404         (typeOf):
1405         (func):
1406
1407 2018-12-10  Mark Lam  <mark.lam@apple.com>
1408
1409         PropertyAttribute needs a CustomValue bit.
1410         https://bugs.webkit.org/show_bug.cgi?id=191993
1411         <rdar://problem/46264467>
1412
1413         Reviewed by Saam Barati.
1414
1415         * stress/regress-191993.js: Added.
1416
1417 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1418
1419         [BigInt] Add ValueMul into DFG
1420         https://bugs.webkit.org/show_bug.cgi?id=186175
1421
1422         Reviewed by Yusuke Suzuki.
1423
1424         * stress/big-int-mul-jit-osr.js: Added.
1425         * stress/big-int-mul-jit-untyped.js: Added.
1426         * stress/value-mul-fixup-int32-big-int.js: Added.
1427
1428 2018-12-06  Keith Miller  <keith_miller@apple.com>
1429
1430         stress/big-wasm-memory tests failing on 32-bit JSC bot
1431         https://bugs.webkit.org/show_bug.cgi?id=192020
1432
1433         Reviewed by Saam Barati.
1434
1435         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1436         the wasm stress tests if the WebAssembly object does not exist.
1437
1438         * stress/big-wasm-memory-grow-no-max.js:
1439         (test.foo):
1440         (test):
1441         (foo): Deleted.
1442         (catch): Deleted.
1443         * stress/big-wasm-memory-grow.js:
1444         (test.foo):
1445         (test):
1446         (foo): Deleted.
1447         (catch): Deleted.
1448         * stress/big-wasm-memory.js:
1449         (test.foo):
1450         (test):
1451         (foo): Deleted.
1452         (catch): Deleted.
1453
1454 2018-12-05  Mark Lam  <mark.lam@apple.com>
1455
1456         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1457         https://bugs.webkit.org/show_bug.cgi?id=192441
1458         <rdar://problem/46480355>
1459
1460         Reviewed by Saam Barati.
1461
1462         * stress/regress-192441.js: Added.
1463
1464 2018-12-04  Mark Lam  <mark.lam@apple.com>
1465
1466         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1467         https://bugs.webkit.org/show_bug.cgi?id=192386
1468         <rdar://problem/46445516>
1469
1470         Reviewed by Saam Barati.
1471
1472         * stress/regress-192386.js: Added.
1473
1474 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1475
1476         [ESNext][BigInt] Support logic operations
1477         https://bugs.webkit.org/show_bug.cgi?id=179903
1478
1479         Reviewed by Yusuke Suzuki.
1480
1481         * stress/big-int-branch-usage.js: Added.
1482         * stress/big-int-logical-and.js: Added.
1483         * stress/big-int-logical-not.js: Added.
1484         * stress/big-int-logical-or.js: Added.
1485
1486 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1487
1488         Unreviewed, rolling out r238833.
1489
1490         Breaks macOS and iOS debug builds.
1491
1492         Reverted changeset:
1493
1494         "[ESNext][BigInt] Support logic operations"
1495         https://bugs.webkit.org/show_bug.cgi?id=179903
1496         https://trac.webkit.org/changeset/238833
1497
1498 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1499
1500         [ESNext][BigInt] Support logic operations
1501         https://bugs.webkit.org/show_bug.cgi?id=179903
1502
1503         Reviewed by Yusuke Suzuki.
1504
1505         * stress/big-int-branch-usage.js: Added.
1506         * stress/big-int-logical-and.js: Added.
1507         * stress/big-int-logical-not.js: Added.
1508         * stress/big-int-logical-or.js: Added.
1509
1510 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1511
1512         [ESNext][BigInt] Implement support for "<<" and ">>"
1513         https://bugs.webkit.org/show_bug.cgi?id=186233
1514
1515         Reviewed by Yusuke Suzuki.
1516
1517         * stress/big-int-left-shift-general.js: Added.
1518         * stress/big-int-left-shift-range-error.js: Added.
1519         * stress/big-int-left-shift-type-error.js: Added.
1520         * stress/big-int-left-shift-wrapped-value.js: Added.
1521         * stress/big-int-right-shift-general.js: Added.
1522         * stress/big-int-right-shift-type-error.js: Added.
1523         * stress/big-int-right-shift-wrapped-value.js: Added.
1524         * stress/left-shift-to-primitive-precedence.js: Added.
1525         * stress/right-shift-to-primitive-precedence.js: Added.
1526
1527 2018-11-30  Dean Jackson  <dino@apple.com>
1528
1529         Add first-class support for .mjs files in jsc binary
1530         https://bugs.webkit.org/show_bug.cgi?id=192190
1531         <rdar://problem/46375715>
1532
1533         Reviewed by Keith Miller.
1534
1535         * stress/simple-module.mjs: Added.
1536         * stress/simple-script.js: Added.
1537
1538 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1539
1540         [BigInt] Implement ValueBitXor into DFG
1541         https://bugs.webkit.org/show_bug.cgi?id=190264
1542
1543         Reviewed by Yusuke Suzuki.
1544
1545         * stress/big-int-bitwise-xor-jit.js: Added.
1546         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1547         * stress/big-int-bitwise-xor-untyped.js: Added.
1548
1549 2018-11-27  Saam barati  <sbarati@apple.com>
1550
1551         r238510 broke scopes of size zero
1552         https://bugs.webkit.org/show_bug.cgi?id=192033
1553         <rdar://problem/46281734>
1554
1555         Reviewed by Keith Miller.
1556
1557         * stress/r238510-bad-loop.js: Added.
1558         (foo):
1559
1560 2018-11-27  Mark Lam  <mark.lam@apple.com>
1561
1562         [Re-landing] NaNs read from Wasm code need to be purified.
1563         https://bugs.webkit.org/show_bug.cgi?id=191056
1564         <rdar://problem/45660341>
1565
1566         Reviewed by Filip Pizlo.
1567
1568         * wasm/regress/regress-191056.js: Added.
1569
1570 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1571
1572         Unreviewed, rolling out r238509.
1573
1574         Causes JSC tests to fail on iOS.
1575
1576         Reverted changeset:
1577
1578         "NaNs read from Wasm code need to be purified."
1579         https://bugs.webkit.org/show_bug.cgi?id=191056
1580         https://trac.webkit.org/changeset/238509
1581
1582 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1583
1584         Re-introduce op_bitnot
1585         https://bugs.webkit.org/show_bug.cgi?id=190923
1586
1587         Reviewed by Yusuke Suzuki.
1588
1589         * stress/bit-not-must-generate.js: Added.
1590         * stress/bitwise-not-no-int32.js: Added.
1591
1592 2018-11-26  Saam barati  <sbarati@apple.com>
1593
1594         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1595         https://bugs.webkit.org/show_bug.cgi?id=191956
1596         <rdar://problem/45665806>
1597
1598         Reviewed by Yusuke Suzuki.
1599
1600         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1601         (bar):
1602         (foo):
1603
1604 2018-11-26  Saam barati  <sbarati@apple.com>
1605
1606         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1607         https://bugs.webkit.org/show_bug.cgi?id=191958
1608         <rdar://problem/46221877>
1609
1610         Reviewed by Yusuke Suzuki.
1611
1612         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1613         (x):
1614         (foo):
1615
1616 2018-11-26  Mark Lam  <mark.lam@apple.com>
1617
1618         NaNs read from Wasm code need to be purified.
1619         https://bugs.webkit.org/show_bug.cgi?id=191056
1620         <rdar://problem/45660341>
1621
1622         Reviewed by Filip Pizlo.
1623
1624         * wasm/regress/regress-191056.js: Added.
1625
1626 2018-11-26  Michael Saboff  <msaboff@apple.com>
1627
1628         32-bit JSC test failure: stress/regexp-compile-oom.js
1629         https://bugs.webkit.org/show_bug.cgi?id=191375
1630
1631         Reviewed by Mark Lam.
1632
1633         Disabled the test for 32 bit platforms.
1634
1635         * stress/regexp-compile-oom.js:
1636
1637 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1638
1639         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1640         https://bugs.webkit.org/show_bug.cgi?id=191716
1641         <rdar://problem/45723878>
1642
1643         Reviewed by Saam Barati.
1644
1645         * stress/regress-187373.js: Added.
1646         (async.fn):
1647
1648 2018-11-21  Saam barati  <sbarati@apple.com>
1649
1650         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1651         https://bugs.webkit.org/show_bug.cgi?id=191897
1652         <rdar://problem/45871998>
1653
1654         Reviewed by Mark Lam.
1655
1656         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1657         (bar):
1658         (foo):
1659
1660 2018-11-21  Saam barati  <sbarati@apple.com>
1661
1662         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1663         https://bugs.webkit.org/show_bug.cgi?id=191895
1664         <rdar://problem/46167406>
1665
1666         Reviewed by Mark Lam.
1667
1668         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1669         (foo):
1670         (bar):
1671
1672 2018-11-21  Mark Lam  <mark.lam@apple.com>
1673
1674         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1675         https://bugs.webkit.org/show_bug.cgi?id=191776
1676         <rdar://problem/46152851>
1677
1678         Reviewed by Saam Barati.
1679
1680         * stress/big-wasm-memory-grow-no-max.js:
1681         * stress/big-wasm-memory-grow.js:
1682         * stress/big-wasm-memory.js:
1683         - updated these to expect an OutOfMemoryError.
1684
1685         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1686         (Binary.prototype.emit_u8):
1687         (Binary.prototype.emit_u32v):
1688         (Binary.prototype.emit_header):
1689         (Binary.prototype.emit_section):
1690         (Binary):
1691         (WasmModuleBuilder):
1692         (WasmModuleBuilder.prototype.addMemory):
1693         (WasmModuleBuilder.prototype.toArray):
1694         (WasmModuleBuilder.prototype.toBuffer):
1695         (WasmModuleBuilder.prototype.instantiate):
1696         (catch):
1697         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1698         (catch):
1699
1700 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1701
1702         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1703         https://bugs.webkit.org/show_bug.cgi?id=190836
1704
1705         Reviewed by Saam Barati and Yusuke Suzuki.
1706
1707         * stress/big-int-out-of-memory-tests.js: Added.
1708
1709 2018-11-20  Mark Lam  <mark.lam@apple.com>
1710
1711         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1712         https://bugs.webkit.org/show_bug.cgi?id=191856
1713         <rdar://problem/46089992>
1714
1715         Reviewed by Yusuke Suzuki.
1716
1717         * stress/regress-191856.js: Added.
1718         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1719
1720 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1721
1722         Enable JIT on ARM/Linux
1723         https://bugs.webkit.org/show_bug.cgi?id=191548
1724
1725         Reviewed by Yusuke Suzuki.
1726
1727         Disable test on system with limited memory. Program was killed by
1728         the OS before the exception was thrown.
1729
1730         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1731
1732 2018-11-20  Saam barati  <sbarati@apple.com>
1733
1734         Merging an IC variant may lead to the IC status containing overlapping structure sets
1735         https://bugs.webkit.org/show_bug.cgi?id=191869
1736         <rdar://problem/45403453>
1737
1738         Reviewed by Mark Lam.
1739
1740         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1741
1742 2018-11-19  Mark Lam  <mark.lam@apple.com>
1743
1744         globalFuncImportModule() should return a promise when it clears exceptions.
1745         https://bugs.webkit.org/show_bug.cgi?id=191792
1746         <rdar://problem/46090763>
1747
1748         Reviewed by Michael Saboff.
1749
1750         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1751
1752 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1753
1754         Skip new memory-hungry tests on memory limited devices
1755
1756         Unreviewed gardening.
1757
1758         * stress/big-wasm-memory-grow-no-max.js:
1759         * stress/big-wasm-memory-grow.js:
1760         * stress/big-wasm-memory.js:
1761
1762 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1763
1764         Unreviewed, rolling in the rest of r237254
1765         https://bugs.webkit.org/show_bug.cgi?id=190340
1766
1767         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1768         * stress/function-cache-with-parameters-end-position.js: Added.
1769         (shouldBe):
1770         (shouldThrow):
1771         (i.anonymous):
1772         * stress/function-constructor-name.js: Added.
1773         (shouldBe):
1774         (GeneratorFunction):
1775         (AsyncFunction.async):
1776         (AsyncGeneratorFunction.async):
1777         (anonymous):
1778         (async.anonymous):
1779         * test262/expectations.yaml:
1780
1781 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1782
1783         All users of ArrayBuffer should agree on the same max size
1784         https://bugs.webkit.org/show_bug.cgi?id=191771
1785
1786         Reviewed by Mark Lam.
1787
1788         * stress/big-wasm-memory-grow-no-max.js: Added.
1789         (foo):
1790         (catch):
1791         * stress/big-wasm-memory-grow.js: Added.
1792         (foo):
1793         (catch):
1794         * stress/big-wasm-memory.js: Added.
1795         (foo):
1796         (catch):
1797
1798 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1799
1800         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1801         run for each JSC config since they're regression tests for runtime bugs.
1802
1803         * stress/json-stringified-overflow-2.js:
1804         * stress/json-stringified-overflow.js:
1805
1806 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1807
1808         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1809         config since they're regression tests for runtime bugs.
1810
1811         * stress/large-unshift-splice.js:
1812         * stress/regress-185888.js:
1813
1814 2018-11-16  Saam Barati  <sbarati@apple.com>
1815
1816         KnownCellUse should also have SpecCellCheck as its type filter
1817         https://bugs.webkit.org/show_bug.cgi?id=191729
1818         <rdar://problem/45872852>
1819
1820         Reviewed by Filip Pizlo.
1821
1822         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1823         (C):
1824
1825 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1826
1827         Fix assertion failure on BytecodeGenerator::recordOpcode
1828         https://bugs.webkit.org/show_bug.cgi?id=191724
1829         <rdar://problem/45724395>
1830
1831         Reviewed by Saam Barati.
1832
1833         * stress/regress-187373-2.js: Added.
1834         (foo):
1835
1836 2018-11-15  Mark Lam  <mark.lam@apple.com>
1837
1838         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1839         https://bugs.webkit.org/show_bug.cgi?id=191730
1840         <rdar://problem/46048517>
1841
1842         Reviewed by Saam Barati.
1843
1844         * stress/regress-187006.js: Removed.
1845           - this test is invalid because its sole purpose is to test for the non-spec
1846             compliant behavior that we just fixed.
1847
1848         * stress/regress-191730.js: Added.
1849
1850 2018-11-15  Mark Lam  <mark.lam@apple.com>
1851
1852         RegExp operations should not take fast path if lastIndex is not numeric.
1853         https://bugs.webkit.org/show_bug.cgi?id=191731
1854         <rdar://problem/46017305>
1855
1856         Reviewed by Saam Barati.
1857
1858         * stress/regress-191731.js: Added.
1859
1860 2018-11-13  Saam Barati  <sbarati@apple.com>
1861
1862         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1863         https://bugs.webkit.org/show_bug.cgi?id=191600
1864
1865         Reviewed by Mark Lam.
1866
1867         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1868         (foo):
1869         (test):
1870         (bar):
1871
1872 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1873
1874         Unreviewed, rolling out r238132.
1875
1876         The test added with this change is timing out on Debug JSC
1877         bots.
1878
1879         Reverted changeset:
1880
1881         "[BigInt] JSBigInt::createWithLength should throw when length
1882         is greater than JSBigInt::maxLength"
1883         https://bugs.webkit.org/show_bug.cgi?id=190836
1884         https://trac.webkit.org/changeset/238132
1885
1886 2018-11-13  Mark Lam  <mark.lam@apple.com>
1887
1888         Add OOM detection to StringPrototype's substituteBackreferences().
1889         https://bugs.webkit.org/show_bug.cgi?id=191563
1890         <rdar://problem/45720428>
1891
1892         Reviewed by Saam Barati.
1893
1894         * stress/regress-191563.js: Added.
1895
1896 2018-11-13  Mark Lam  <mark.lam@apple.com>
1897
1898         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1899         https://bugs.webkit.org/show_bug.cgi?id=191579
1900         <rdar://problem/45942472>
1901
1902         Reviewed by Saam Barati.
1903
1904         * stress/regress-191579.js: Added.
1905
1906 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1907
1908         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1909         https://bugs.webkit.org/show_bug.cgi?id=190836
1910
1911         Reviewed by Saam Barati.
1912
1913         * stress/big-int-out-of-memory-tests.js: Added.
1914
1915 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1916
1917         U+180E is no longer a whitespace character
1918         https://bugs.webkit.org/show_bug.cgi?id=191415
1919
1920         Reviewed by Saam Barati.
1921
1922         * ChakraCore/test/es5/regexSpace.baseline:
1923         * ChakraCore/test/es6/unicode_whitespace.js:
1924         Update tests to latest version.
1925         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1926
1927         * test262.yaml:
1928         * test262/config.yaml:
1929         * test262/expectations.yaml:
1930         Update expectations.
1931
1932 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1933
1934         [BigInt] Add support to BigInt into ValueAdd
1935         https://bugs.webkit.org/show_bug.cgi?id=186177
1936
1937         Reviewed by Keith Miller.
1938
1939         * stress/big-int-negate-jit.js:
1940         * stress/value-add-big-int-and-string.js: Added.
1941         * stress/value-add-big-int-prediction-propagation.js: Added.
1942         * stress/value-add-big-int-untyped.js: Added.
1943
1944 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1945
1946         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1947         https://bugs.webkit.org/show_bug.cgi?id=191184
1948
1949         Reviewed by Saam Barati.
1950
1951         Most tests were failing due to timeouts, since they are too slow to
1952         run on CLoop. The exceptions are:
1953
1954         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1955         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1956         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1957         to change the stack size since CLoop requires it to be page aligned.
1958
1959         * microbenchmarks/array-push-1.js:
1960         * microbenchmarks/array-push-2.js:
1961         * microbenchmarks/elidable-new-object-dag.js:
1962         * microbenchmarks/elidable-new-object-roflcopter.js:
1963         * microbenchmarks/elidable-new-object-tree.js:
1964         * microbenchmarks/getter-richards.js:
1965         * microbenchmarks/sinkable-new-object-dag.js:
1966         * microbenchmarks/string-concat-long-convert.js:
1967         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1968         * slowMicrobenchmarks/array-push-3.js:
1969         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1970         * slowMicrobenchmarks/spread-small-array.js:
1971         * slowMicrobenchmarks/undefined-property-access.js:
1972         * stress/activation-sink-default-value-tdz-error.js:
1973         * stress/activation-sink-default-value.js:
1974         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1975         * stress/activation-sink-osrexit-default-value.js:
1976         * stress/activation-sink-osrexit.js:
1977         * stress/activation-sink.js:
1978         * stress/allow-math-ic-b3-code-duplication.js:
1979         * stress/array-push-multiple-int32.js:
1980         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1981         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1982         * stress/arrowfunction-lexical-this-activation-sink.js:
1983         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1984         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1985         * stress/elide-new-object-dag-then-exit.js:
1986         * stress/materialize-regexp-cyclic.js:
1987         * stress/new-regex-inline.js:
1988         * stress/op_add.js:
1989         * stress/op_bitand.js:
1990         * stress/op_bitor.js:
1991         * stress/op_bitxor.js:
1992         * stress/op_div-ConstVar.js:
1993         * stress/op_div-VarConst.js:
1994         * stress/op_div-VarVar.js:
1995         * stress/op_lshift-ConstVar.js:
1996         * stress/op_lshift-VarConst.js:
1997         * stress/op_lshift-VarVar.js:
1998         * stress/op_mod-ConstVar.js:
1999         * stress/op_mod-VarConst.js:
2000         * stress/op_mod-VarVar.js:
2001         * stress/op_mul-ConstVar.js:
2002         * stress/op_mul-VarConst.js:
2003         * stress/op_mul-VarVar.js:
2004         * stress/op_rshift-ConstVar.js:
2005         * stress/op_rshift-VarConst.js:
2006         * stress/op_rshift-VarVar.js:
2007         * stress/op_sub-ConstVar.js:
2008         * stress/op_sub-VarConst.js:
2009         * stress/op_sub-VarVar.js:
2010         * stress/op_urshift-ConstVar.js:
2011         * stress/op_urshift-VarConst.js:
2012         * stress/op_urshift-VarVar.js:
2013         * stress/proxy-get-set-correct-receiver.js:
2014         * stress/regress-179562.js:
2015         * stress/rest-parameter-many-arguments.js:
2016         * stress/sampling-profiler-richards.js:
2017         * stress/splay-flash-access-1ms.js:
2018         * stress/tailCallForwardArguments.js:
2019         * stress/typed-array-get-by-val-profiling.js:
2020         * typeProfiler/getter-richards.js:
2021
2022 2018-11-06  Michael Saboff  <msaboff@apple.com>
2023
2024         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2025         https://bugs.webkit.org/show_bug.cgi?id=191271
2026
2027         Reviewed by Saam Barati.
2028
2029         Added more test cases and made all test cases run with the same deeply recursive stack
2030         instead of finding that same point for each test case.
2031
2032         * stress/regexp-compile-oom.js:
2033         (prototype.runTest):
2034         (recurseAndTest):
2035         (testList.push.new.TestAndExpectedException):
2036
2037 2018-11-05  Michael Saboff  <msaboff@apple.com>
2038
2039         Unreviewed build fix for linux.
2040
2041         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2042
2043 2018-11-02  Michael Saboff  <msaboff@apple.com>
2044
2045         Rolling in r237753 with unreviewed build fix.
2046
2047         Fixed issues with DECLARE_THROW_SCOPE placement.
2048
2049 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2050
2051         Unreviewed, rolling out r237753.
2052
2053         Introduced JSC test failures
2054
2055         Reverted changeset:
2056
2057         "Running out of stack space not properly handled in
2058         RegExp::compile() and its callers"
2059         https://bugs.webkit.org/show_bug.cgi?id=191206
2060         https://trac.webkit.org/changeset/237753
2061
2062 2018-11-02  Michael Saboff  <msaboff@apple.com>
2063
2064         Running out of stack space not properly handled in RegExp::compile() and its callers
2065         https://bugs.webkit.org/show_bug.cgi?id=191206
2066
2067         Reviewed by Filip Pizlo.
2068
2069         New regression test.
2070
2071         * stress/regexp-compile-oom.js: Added.
2072         (recurseAndTest):
2073
2074 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2075
2076         Skip tests on arm/mips that time out now we're running on CLoop
2077
2078         Unreviewed gardening.
2079
2080         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2081         time out on the bots and need to be disabled. There's more tests
2082         disabled on arm because the timeout is longer on the mips bot (as the
2083         device is slower to start with), so many of the tests don't time out
2084         there.
2085
2086         * microbenchmarks/getter-richards.js: disable on arm and mips.
2087         * stress/op_add.js: disable on arm.
2088         * stress/op_bitand.js: disable on arm.
2089         * stress/op_bitor.js: disable on arm.
2090         * stress/op_bitxor.js: disable on arm.
2091         * stress/op_lshift-ConstVar.js: disable on arm.
2092         * stress/op_lshift-VarConst.js: disable on arm.
2093         * stress/op_lshift-VarVar.js: disable on arm.
2094         * stress/op_mod-ConstVar.js: disable on arm.
2095         * stress/op_mod-VarConst.js: disable on arm.
2096         * stress/op_mod-VarVar.js: disable on arm.
2097         * stress/op_mul-ConstVar.js: disable on arm.
2098         * stress/op_mul-VarConst.js: disable on arm.
2099         * stress/op_mul-VarVar.js: disable on arm.
2100         * stress/op_rshift-ConstVar.js: disable on arm.
2101         * stress/op_rshift-VarConst.js: disable on arm.
2102         * stress/op_rshift-VarVar.js: disable on arm.
2103         * stress/op_sub-ConstVar.js: disable on arm.
2104         * stress/op_sub-VarConst.js: disable on arm.
2105         * stress/op_sub-VarVar.js: disable on arm.
2106         * stress/op_urshift-ConstVar.js: disable on arm.
2107         * stress/op_urshift-VarConst.js: disable on arm.
2108         * stress/op_urshift-VarVar.js: disable on arm.
2109         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2110         * stress/value-to-boolean.js: disable on arm and mips.
2111
2112 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2113
2114         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2115         https://bugs.webkit.org/show_bug.cgi?id=191108
2116         <rdar://problem/45690700>
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/wide-op_catch.js: Added.
2121         (catch):
2122
2123 2018-10-29  Mark Lam  <mark.lam@apple.com>
2124
2125         Correctly detect string overflow when using the 'Function' constructor.
2126         https://bugs.webkit.org/show_bug.cgi?id=184883
2127         <rdar://problem/36320331>
2128
2129         Reviewed by Saam Barati.
2130
2131         I've verified that this passes on 32-bit as well.
2132
2133         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2134
2135 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2136
2137         Add support for GetStack FlushedDouble
2138         https://bugs.webkit.org/show_bug.cgi?id=191012
2139         <rdar://problem/45265141>
2140
2141         Reviewed by Saam Barati.
2142
2143         * stress/get-stack-double.js: Added.
2144         (bar):
2145         (noInline):
2146
2147 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2148
2149         New bytecode format for JSC
2150         https://bugs.webkit.org/show_bug.cgi?id=187373
2151         <rdar://problem/44186758>
2152
2153         Reviewed by Filip Pizlo.
2154
2155         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2156
2157         * stress/maximum-inline-capacity.js: Added.
2158         (test1):
2159         (test3.Foo):
2160         (test3):
2161
2162 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2163
2164         Unreviewed, rolling out r237479 and r237484.
2165         https://bugs.webkit.org/show_bug.cgi?id=190978
2166
2167         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2168
2169         Reverted changesets:
2170
2171         "New bytecode format for JSC"
2172         https://bugs.webkit.org/show_bug.cgi?id=187373
2173         https://trac.webkit.org/changeset/237479
2174
2175         "Gardening: Build fix after r237479."
2176         https://bugs.webkit.org/show_bug.cgi?id=187373
2177         https://trac.webkit.org/changeset/237484
2178
2179 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2180
2181         New bytecode format for JSC
2182         https://bugs.webkit.org/show_bug.cgi?id=187373
2183         <rdar://problem/44186758>
2184
2185         Reviewed by Filip Pizlo.
2186
2187         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2188
2189         * stress/maximum-inline-capacity.js: Added.
2190         (test1):
2191         (test3.Foo):
2192         (test3):
2193
2194 2018-10-26  Mark Lam  <mark.lam@apple.com>
2195
2196         Fix missing edge cases with JSGlobalObjects having a bad time.
2197         https://bugs.webkit.org/show_bug.cgi?id=189028
2198         <rdar://problem/45204939>
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/regress-189028.js: Added.
2203
2204 2018-10-22  Mark Lam  <mark.lam@apple.com>
2205
2206         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2207         https://bugs.webkit.org/show_bug.cgi?id=190515
2208         <rdar://problem/45222379>
2209
2210         Rubber-stamped by Saam Barati.
2211
2212         Adding another test.
2213
2214         * stress/regress-190515-2.js: Added.
2215
2216 2018-10-22  Mark Lam  <mark.lam@apple.com>
2217
2218         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2219         https://bugs.webkit.org/show_bug.cgi?id=190515
2220         <rdar://problem/45222379>
2221
2222         Reviewed by Saam Barati.
2223
2224         * stress/regress-190515.js: Added.
2225
2226 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2227
2228         Unreviewed, rolling out r237254.
2229         https://bugs.webkit.org/show_bug.cgi?id=190760
2230
2231         "It regresses JetStream 2 by 5% on some iOS devices"
2232         (Requested by saamyjoon on #webkit).
2233
2234         Reverted changeset:
2235
2236         "[JSC] JSC should have "parseFunction" to optimize Function
2237         constructor"
2238         https://bugs.webkit.org/show_bug.cgi?id=190340
2239         https://trac.webkit.org/changeset/237254
2240
2241 2018-10-19  Saam Barati  <sbarati@apple.com>
2242
2243         vmCall should check if we exit before emitting an OSR exit due to exceptions
2244         https://bugs.webkit.org/show_bug.cgi?id=190740
2245         <rdar://problem/45220139>
2246
2247         Reviewed by Mark Lam.
2248
2249         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2250         (foo):
2251
2252 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2253
2254         [ESNext][BigInt] Implement support for "^"
2255         https://bugs.webkit.org/show_bug.cgi?id=186235
2256
2257         Reviewed by Yusuke Suzuki.
2258
2259         * stress/big-int-bitwise-xor-general.js: Added.
2260         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2261         * stress/big-int-bitwise-xor-type-error.js: Added.
2262         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2263
2264 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2265
2266         [BigInt] Add ValueSub into DFG
2267         https://bugs.webkit.org/show_bug.cgi?id=186176
2268
2269         Reviewed by Yusuke Suzuki.
2270
2271         * stress/big-int-subtraction-jit.js:
2272         * stress/value-sub-big-int-prediction-propagation.js: Added.
2273         * stress/value-sub-big-int-untyped.js: Added.
2274         * stress/value-sub-spec-none-case.js: Added.
2275
2276 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2277
2278         [JSC] JSC should have "parseFunction" to optimize Function constructor
2279         https://bugs.webkit.org/show_bug.cgi?id=190340
2280
2281         Reviewed by Mark Lam.
2282
2283         This patch fixes the line number of syntax errors raised by the Function constructor,
2284         since we now parse the final code only once. And we no longer use block statement
2285         for Function constructor's parsing.
2286
2287         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2288         * stress/function-cache-with-parameters-end-position.js: Added.
2289         (shouldBe):
2290         (shouldThrow):
2291         (i.anonymous):
2292         * stress/function-constructor-name.js: Added.
2293         (shouldBe):
2294         (GeneratorFunction):
2295         (AsyncFunction.async):
2296         (AsyncGeneratorFunction.async):
2297         (anonymous):
2298         (async.anonymous):
2299         * test262/expectations.yaml:
2300
2301 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2302
2303         Unreviewed, rolling out r237242.
2304         https://bugs.webkit.org/show_bug.cgi?id=190701
2305
2306         it breaks "stress/sampling-profiler-basic.js" (Requested by
2307         caiolima on #webkit).
2308
2309         Reverted changeset:
2310
2311         "[BigInt] Add ValueSub into DFG"
2312         https://bugs.webkit.org/show_bug.cgi?id=186176
2313         https://trac.webkit.org/changeset/237242
2314
2315 2018-10-17  Keith Miller  <keith_miller@apple.com>
2316
2317         AI does not clear Phantom allocation nodes.
2318         https://bugs.webkit.org/show_bug.cgi?id=190694
2319
2320         Reviewed by Saam Barati.
2321
2322         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2323         (Day):
2324         (DaysInYear):
2325         (TimeInYear):
2326         (TimeFromYear):
2327         (DayFromYear):
2328         (InLeapYear):
2329         (YearFromTime):
2330         (WeekDay):
2331         (DaylightSavingTA):
2332         (GetSecondSundayInMarch):
2333         (TimeInMonth):
2334
2335 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2336
2337         [BigInt] Add ValueSub into DFG
2338         https://bugs.webkit.org/show_bug.cgi?id=186176
2339
2340         Reviewed by Yusuke Suzuki.
2341
2342         * stress/big-int-subtraction-jit.js:
2343         * stress/value-sub-big-int-prediction-propagation.js: Added.
2344         * stress/value-sub-big-int-untyped.js: Added.
2345
2346 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2347
2348         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2349         https://bugs.webkit.org/show_bug.cgi?id=190611
2350
2351         Reviewed by Saam Barati.
2352
2353         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2354         to improve test runtime. On ARM/MIPS this test even timed out when running all
2355         tests.
2356
2357         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2358         (test):
2359
2360 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2361
2362         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2363
2364         Unreviewed gardening.
2365
2366         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2367
2368 2018-10-15  Saam barati  <sbarati@apple.com>
2369
2370         Emit fjcvtzs on ARM64E on Darwin
2371         https://bugs.webkit.org/show_bug.cgi?id=184023
2372
2373         Reviewed by Yusuke Suzuki and Filip Pizlo.
2374
2375         * stress/double-to-int32-NaN.js: Added.
2376         (assert):
2377         (foo):
2378
2379 2018-10-15  Saam Barati  <sbarati@apple.com>
2380
2381         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2382         https://bugs.webkit.org/show_bug.cgi?id=190262
2383         <rdar://problem/44986241>
2384
2385         Reviewed by Mark Lam.
2386
2387         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2388         (test):
2389         * stress/slice-array-storage-with-holes.js: Added.
2390         (main):
2391
2392 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2393
2394         Unreviewed, rolling out r237054.
2395         https://bugs.webkit.org/show_bug.cgi?id=190593
2396
2397         "this regressed JetStream 2 by 6% on iOS" (Requested by
2398         saamyjoon on #webkit).
2399
2400         Reverted changeset:
2401
2402         "[JSC] JSC should have "parseFunction" to optimize Function
2403         constructor"
2404         https://bugs.webkit.org/show_bug.cgi?id=190340
2405         https://trac.webkit.org/changeset/237054
2406
2407 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2408
2409         [JSC] JSON.stringify can accept call-with-no-arguments
2410         https://bugs.webkit.org/show_bug.cgi?id=190343
2411
2412         Reviewed by Mark Lam.
2413
2414         * stress/json-stringify-no-arguments.js: Added.
2415         (shouldBe):
2416
2417 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2418
2419         [JSC] JSC should have "parseFunction" to optimize Function constructor
2420         https://bugs.webkit.org/show_bug.cgi?id=190340
2421
2422         Reviewed by Mark Lam.
2423
2424         This patch fixes the line number of syntax errors raised by the Function constructor,
2425         since we now parse the final code only once. And we no longer use block statement
2426         for Function constructor's parsing.
2427
2428         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2429         * stress/function-cache-with-parameters-end-position.js: Added.
2430         (shouldBe):
2431         (shouldThrow):
2432         (i.anonymous):
2433         * stress/function-constructor-name.js: Added.
2434         (shouldBe):
2435         (GeneratorFunction):
2436         (AsyncFunction.async):
2437         (AsyncGeneratorFunction.async):
2438         (anonymous):
2439         (async.anonymous):
2440         * test262/expectations.yaml:
2441
2442 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2443
2444         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2445         https://bugs.webkit.org/show_bug.cgi?id=190426
2446
2447         Unreviewed gardening.
2448
2449         * stress/sampling-profiler-richards.js:
2450
2451 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2452
2453         [ESNext][BigInt] Implement support for "|"
2454         https://bugs.webkit.org/show_bug.cgi?id=186229
2455
2456         Reviewed by Yusuke Suzuki.
2457
2458         * stress/big-int-bitwise-and-jit.js:
2459         * stress/big-int-bitwise-or-general.js: Added.
2460         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2461         * stress/big-int-bitwise-or-jit.js: Added.
2462         * stress/big-int-bitwise-or-memory-stress.js: Added.
2463         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2464         * stress/big-int-bitwise-or-type-error.js: Added.
2465         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2466
2467 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2468
2469         Skip test on systems with limited memory
2470         https://bugs.webkit.org/show_bug.cgi?id=190310
2471
2472         Invoking runDefault adds test to runlist, skipping the test in the next
2473         line does not prevent the test from executing. Change order of lines such
2474         that runDefault is only executed if test is not executed.
2475
2476         Reviewed by Mark Lam.
2477
2478         * stress/regress-190187.js:
2479
2480 2018-10-03  Saam barati  <sbarati@apple.com>
2481
2482         lowXYZ in FTLLower should always filter the type of the incoming edge
2483         https://bugs.webkit.org/show_bug.cgi?id=189939
2484         <rdar://problem/44407030>
2485
2486         Reviewed by Michael Saboff.
2487
2488         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2489         (foo):
2490         (test):
2491
2492 2018-10-03  Mark Lam  <mark.lam@apple.com>
2493
2494         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2495         https://bugs.webkit.org/show_bug.cgi?id=190187
2496         <rdar://problem/42512909>
2497
2498         Reviewed by Michael Saboff.
2499
2500         * stress/regress-190187.js: Added.
2501
2502 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2503
2504         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2505         https://bugs.webkit.org/show_bug.cgi?id=190033
2506
2507         Reviewed by Yusuke Suzuki.
2508
2509         * stress/big-int-to-string.js:
2510
2511 2018-10-01  Mark Lam  <mark.lam@apple.com>
2512
2513         Function.toString() should also copy the source code Functions that are class definitions.
2514         https://bugs.webkit.org/show_bug.cgi?id=190186
2515         <rdar://problem/44733360>
2516
2517         Reviewed by Saam Barati.
2518
2519         * stress/regress-190186.js: Added.
2520
2521 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2522
2523         Split NaN-check into separate test
2524         https://bugs.webkit.org/show_bug.cgi?id=190010
2525
2526         Reviewed by Saam Barati.
2527
2528         DataView exposes NaN-representation, which is not necessarily the same on each
2529         architecture. Therefore move the check of the NaN-representation into its own
2530         file such that we can disable this test on MIPS where NaN-representation can be
2531         different on older CPUs.
2532
2533         * stress/dataview-jit-set-nan.js: Added.
2534         (assert):
2535         (test.storeLittleEndian):
2536         (test.storeBigEndian):
2537         (test.store):
2538         (test):
2539         * stress/dataview-jit-set.js:
2540         (test5):
2541
2542 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2543
2544         Unreviewed, rolling out r236647.
2545         https://bugs.webkit.org/show_bug.cgi?id=190124
2546
2547         Breaking test stress/big-int-to-string.js (Requested by
2548         caiolima_ on #webkit).
2549
2550         Reverted changeset:
2551
2552         "[BigInt] BigInt.prototype.toString is broken when radix is
2553         power of 2"
2554         https://bugs.webkit.org/show_bug.cgi?id=190033
2555         https://trac.webkit.org/changeset/236647
2556
2557 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2558
2559         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2560         https://bugs.webkit.org/show_bug.cgi?id=190033
2561
2562         Reviewed by Yusuke Suzuki.
2563
2564         * stress/big-int-to-string.js:
2565
2566 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2567
2568         [ESNext][BigInt] Implement support for "&"
2569         https://bugs.webkit.org/show_bug.cgi?id=186228
2570
2571         Reviewed by Yusuke Suzuki.
2572
2573         * stress/big-int-bitwise-and-general.js: Added.
2574         (assert):
2575         (assert.sameValue):
2576         * stress/big-int-bitwise-and-jit.js: Added.
2577         (let.assert.sameValue):
2578         (bigIntBitAnd):
2579         * stress/big-int-bitwise-and-memory-stress.js: Added.
2580         (assert):
2581         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2582         (assert.sameValue):
2583         (let.o.Symbol.toPrimitive):
2584         (catch):
2585         * stress/big-int-bitwise-and-type-error.js: Added.
2586         (assert):
2587         (assertThrowTypeError):
2588         (let.o.valueOf):
2589         (o.valueOf):
2590         (o.toString):
2591         (o.Symbol.toPrimitive):
2592         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2593         (assert.sameValue):
2594         (testBitAnd):
2595         (let.o.Symbol.toPrimitive):
2596         (o.valueOf):
2597         (o.toString):
2598
2599 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2600
2601         JSC test stress/jsc-read.js doesn't support CRLF
2602         https://bugs.webkit.org/show_bug.cgi?id=190063
2603
2604         Reviewed by Yusuke Suzuki.
2605
2606         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2607
2608         * stress/jsc-read.js:
2609         (test):
2610
2611 2018-09-27  Saam Barati  <sbarati@apple.com>
2612
2613         Verify the contents of AssemblerBuffer on arm64e
2614         https://bugs.webkit.org/show_bug.cgi?id=190057
2615         <rdar://problem/38916630>
2616
2617         Reviewed by Mark Lam.
2618
2619         * stress/regress-189132.js:
2620
2621 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2622
2623         Disable test without LLInt on ARMv7
2624         https://bugs.webkit.org/show_bug.cgi?id=190037
2625
2626         Reviewed by Mark Lam.
2627
2628         Test runs out of executable memory on ARMv7; do not run
2629         this test without LLInt enabled.
2630
2631         * stress/regress-169445.js:
2632
2633 2018-09-26  Keith Miller  <keith_miller@apple.com>
2634
2635         We should zero unused property storage when rebalancing array storage.
2636         https://bugs.webkit.org/show_bug.cgi?id=188151
2637
2638         Reviewed by Michael Saboff.
2639
2640         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2641
2642 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2643
2644         [JSC] Optimize Array#lastIndexOf
2645         https://bugs.webkit.org/show_bug.cgi?id=189780
2646
2647         Reviewed by Saam Barati.
2648
2649         * stress/array-lastindexof-array-prototype-trap.js: Added.
2650         (shouldBe):
2651         (AncestorArray.prototype.get 2):
2652         (AncestorArray):
2653         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2654         (shouldBe):
2655         * stress/array-lastindexof-hole-nan.js: Added.
2656         (shouldBe):
2657         (throw.new.Error):
2658         * stress/array-lastindexof-infinity.js: Added.
2659         (shouldBe):
2660         (throw.new.Error):
2661         * stress/array-lastindexof-negative-zero.js: Added.
2662         (shouldBe):
2663         (throw.new.Error):
2664         * stress/array-lastindexof-own-getter.js: Added.
2665         (shouldBe):
2666         (throw.new.Error.get array):
2667         (get array):
2668         * stress/array-lastindexof-prototype-trap.js: Added.
2669         (shouldBe):
2670         (DerivedArray.prototype.get 2):
2671         (DerivedArray):
2672
2673 2018-09-25  Saam Barati  <sbarati@apple.com>
2674
2675         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2676         https://bugs.webkit.org/show_bug.cgi?id=189940
2677         <rdar://problem/43640987>
2678
2679         Reviewed by Mark Lam.
2680
2681         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2682
2683 2018-09-24  Saam Barati  <sbarati@apple.com>
2684
2685         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2686         https://bugs.webkit.org/show_bug.cgi?id=189922
2687         <rdar://problem/44651275>
2688
2689         Reviewed by Mark Lam.
2690
2691         * stress/array-indexof-fast-path-effects.js: Added.
2692         * stress/array-indexof-cached-length.js: Added.
2693
2694 2018-09-24  Saam Barati  <sbarati@apple.com>
2695
2696         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2697         https://bugs.webkit.org/show_bug.cgi?id=189682
2698         <rdar://problem/43557315>
2699
2700         Reviewed by Mark Lam.
2701
2702         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2703         (foo):
2704
2705 2018-09-22  Saam Barati  <sbarati@apple.com>
2706
2707         The sampling should not use Strong<CodeBlock> in its machineLocation field
2708         https://bugs.webkit.org/show_bug.cgi?id=189319
2709
2710         Reviewed by Filip Pizlo.
2711
2712         * stress/sampling-profiler-richards.js: Added.
2713
2714 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2715
2716         [JSC] Optimize Array#indexOf in C++ runtime
2717         https://bugs.webkit.org/show_bug.cgi?id=189507
2718
2719         Reviewed by Saam Barati.
2720
2721         * stress/array-indexof-array-prototype-trap.js: Added.
2722         (shouldBe):
2723         (AncestorArray.prototype.get 2):
2724         (AncestorArray):
2725         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2726         (shouldBe):
2727         * stress/array-indexof-hole-nan.js: Added.
2728         (shouldBe):
2729         (throw.new.Error):
2730         * stress/array-indexof-infinity.js: Added.
2731         (shouldBe):
2732         (throw.new.Error):
2733         * stress/array-indexof-negative-zero.js: Added.
2734         (shouldBe):
2735         (throw.new.Error):
2736         * stress/array-indexof-own-getter.js: Added.
2737         (shouldBe):
2738         (throw.new.Error.get array):
2739         (get array):
2740         * stress/array-indexof-prototype-trap.js: Added.
2741         (shouldBe):
2742         (DerivedArray.prototype.get 2):
2743         (DerivedArray):
2744
2745 2018-09-19  Saam Barati  <sbarati@apple.com>
2746
2747         AI rule for MultiPutByOffset executes its effects in the wrong order
2748         https://bugs.webkit.org/show_bug.cgi?id=189757
2749         <rdar://problem/43535257>
2750
2751         Reviewed by Michael Saboff.
2752
2753         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2754         (foo):
2755         (Foo):
2756         (g):
2757
2758 2018-09-17  Mark Lam  <mark.lam@apple.com>
2759
2760         Ensure that ForInContexts are invalidated if their loop local is over-written.
2761         https://bugs.webkit.org/show_bug.cgi?id=189571
2762         <rdar://problem/44402277>
2763
2764         Reviewed by Saam Barati.
2765
2766         * stress/regress-189571.js: Added.
2767
2768 2018-09-17  Saam Barati  <sbarati@apple.com>
2769
2770         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2771         https://bugs.webkit.org/show_bug.cgi?id=189676
2772         <rdar://problem/39682897>
2773
2774         Reviewed by Michael Saboff.
2775
2776         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2777         (A):
2778         (K):
2779         (i.catch):
2780
2781 2018-09-14  Saam Barati  <sbarati@apple.com>
2782
2783         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2784         https://bugs.webkit.org/show_bug.cgi?id=189628
2785         <rdar://problem/39481690>
2786
2787         Reviewed by Mark Lam.
2788
2789         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2790         (foo):
2791
2792 2018-09-11  Mark Lam  <mark.lam@apple.com>
2793
2794         Test for array initialization in arrayProtoFuncSplice.
2795         https://bugs.webkit.org/show_bug.cgi?id=170253
2796         <rdar://problem/31328773>
2797
2798         Rubber-stamped by Saam Barati.
2799
2800         * stress/regress-170253.js: Added.
2801
2802 2018-09-11  Mark Lam  <mark.lam@apple.com>
2803
2804         Test for IntlObject initialization.
2805         https://bugs.webkit.org/show_bug.cgi?id=170251
2806         <rdar://problem/31328419>
2807
2808         Rubber-stamped by Saam Barati.
2809
2810         * stress/regress-170251.js: Added.
2811
2812 2018-09-11  Mark Lam  <mark.lam@apple.com>
2813
2814         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2815         https://bugs.webkit.org/show_bug.cgi?id=169889
2816         <rdar://problem/31155607>
2817
2818         Reviewed by Saam Barati.
2819
2820         * stress/regress-169889-array-concat.js: Added.
2821         * stress/regress-169889-array-concat1.js: Added.
2822         * stress/regress-169889-array-slice.js: Added.
2823
2824 2018-09-11  Mark Lam  <mark.lam@apple.com>
2825
2826         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2827         https://bugs.webkit.org/show_bug.cgi?id=169445
2828         <rdar://problem/30957435>
2829
2830         Reviewed by Saam Barati.
2831
2832         * stress/regress-169445.js: Added.
2833         (let.gun.eval.A):
2834         (let.gun.eval.B.C):
2835         (let.gun.eval.B.C.prototype.trigger):
2836         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2837         (let.gun.eval.B):
2838         (let.gun.eval):
2839
2840 == Rolled over to ChangeLog-2018-09-11 ==