Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
4         https://bugs.webkit.org/show_bug.cgi?id=195207
5
6         Unreviewed. After test runtime was reduced in r242213, test can be
7         run again on ARM/MIPS.
8
9         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
10
11 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] sizeof(JSString) should be 16
14         https://bugs.webkit.org/show_bug.cgi?id=194375
15
16         Reviewed by Saam Barati.
17
18         * microbenchmarks/make-rope.js: Added.
19         (makeRope):
20         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
21         (returnRope.helper): Deleted.
22         (returnRope): Deleted.
23
24 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
25
26         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
27         https://bugs.webkit.org/show_bug.cgi?id=195144
28
29         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
30         Change the number from 1e8 to 1e5.
31
32         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
33         (foo):
34
35 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
36
37         Test times out on ARM/MIPS
38         https://bugs.webkit.org/show_bug.cgi?id=195168
39
40         Unreviewed. Skip test on ARM/MIPS.
41
42         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
43
44 2019-02-27  Mark Lam  <mark.lam@apple.com>
45
46         The parser is failing to record the token location of new in new.target.
47         https://bugs.webkit.org/show_bug.cgi?id=195127
48         <rdar://problem/39645578>
49
50         Reviewed by Yusuke Suzuki.
51
52         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
53
54 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
55
56         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
57         https://bugs.webkit.org/show_bug.cgi?id=195144
58         <rdar://problem/47595961>
59
60         Reviewed by Mark Lam.
61
62         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
63         (bar):
64         (foo):
65         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
66         (bar):
67         (foo):
68
69 2019-02-27  Robin Morisset  <rmorisset@apple.com>
70
71         DFG: Loop-invariant code motion (LICM) should not hoist dead code
72         https://bugs.webkit.org/show_bug.cgi?id=194945
73         <rdar://problem/48311657>
74
75         Reviewed by Mark Lam.
76
77         * stress/licm-dead-code.js: Added.
78
79 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
80
81         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
82         https://bugs.webkit.org/show_bug.cgi?id=194677
83         <rdar://problem/48112492>
84
85         Reviewed by Mark Lam.
86
87         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
88         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
89         it immediately fails due the large size.
90
91         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
92         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
93         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
94         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
95
96         This patch changes the test to produce 16bit string from String.fromCharCode.
97
98         * stress/regress-178386.js:
99
100 2019-02-26  Mark Lam  <mark.lam@apple.com>
101
102         wasmToJS() should purify incoming NaNs.
103         https://bugs.webkit.org/show_bug.cgi?id=194807
104         <rdar://problem/48189132>
105
106         Reviewed by Saam Barati.
107
108         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
109
110 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
111
112         [JSC] Repeat string created from Array.prototype.join() take too much memory
113         https://bugs.webkit.org/show_bug.cgi?id=193912
114
115         Reviewed by Saam Barati.
116
117         Added a test and a microbenchmark for corner cases of
118         Array.prototype.join() with an uninitialized array.
119
120         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
121         * stress/array-prototype-join-uninitialized.js: Added.
122         (testArray):
123         (testABC):
124         (B):
125         (C):
126
127 2019-02-22  Robin Morisset  <rmorisset@apple.com>
128
129         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
130         https://bugs.webkit.org/show_bug.cgi?id=194953
131         <rdar://problem/47595253>
132
133         Reviewed by Saam Barati.
134
135         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
136
137         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
138
139 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
140
141         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
142         https://bugs.webkit.org/show_bug.cgi?id=172848
143         <rdar://problem/25709212>
144
145         Reviewed by Mark Lam.
146
147         * typeProfiler/inheritance.js:
148         Rewrite the test slightly for clarity. The hoisting was confusing.
149
150         * heapProfiler/class-names.js: Added.
151         (MyES5Class):
152         (MyES6Class):
153         (MyES6Subclass):
154         Test object types and improved class names.
155
156         * heapProfiler/driver/driver.js:
157         (CheapHeapSnapshotNode):
158         (CheapHeapSnapshot):
159         (createCheapHeapSnapshot):
160         (HeapSnapshot):
161         (createHeapSnapshot):
162         Update snapshot parsing from version 1 to version 2.
163
164 2019-02-19  Truitt Savell  <tsavell@apple.com>
165
166         Unreviewed, rolling out r241784.
167
168         Broke all OpenSource builds.
169
170         Reverted changeset:
171
172         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
173         instances view"
174         https://bugs.webkit.org/show_bug.cgi?id=172848
175         https://trac.webkit.org/changeset/241784
176
177 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
178
179         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
180         https://bugs.webkit.org/show_bug.cgi?id=172848
181         <rdar://problem/25709212>
182
183         Reviewed by Mark Lam.
184
185         * typeProfiler/inheritance.js:
186         Rewrite the test slightly for clarity. The hoisting was confusing.
187
188         * heapProfiler/class-names.js: Added.
189         (MyES5Class):
190         (MyES6Class):
191         (MyES6Subclass):
192         Test object types and improved class names.
193
194         * heapProfiler/driver/driver.js:
195         (CheapHeapSnapshotNode):
196         (CheapHeapSnapshot):
197         (createCheapHeapSnapshot):
198         (HeapSnapshot):
199         (createHeapSnapshot):
200         Update snapshot parsing from version 1 to version 2.
201
202 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
203
204         [ARM] Fix crash with sampling profiler
205         https://bugs.webkit.org/show_bug.cgi?id=194772
206
207         Reviewed by Mark Lam.
208
209         Do not skip test since crash with sampling profiler is now fixed.
210
211         * stress/sampling-profiler-richards.js:
212
213 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
214
215         [JSC] Add LazyClassStructure::getInitializedOnMainThread
216         https://bugs.webkit.org/show_bug.cgi?id=194784
217         <rdar://problem/48154820>
218
219         Reviewed by Mark Lam.
220
221         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
222         (getProperties):
223         (getRandomProperty):
224         (i.catch):
225
226 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
227
228         [ARM] Test gardening: Test running out of executable memory
229         https://bugs.webkit.org/show_bug.cgi?id=194771
230
231         Unreviewed. Do not run test without LLInt, test is running out of executable
232         memory on ARM otherwise.
233
234         * stress/tagged-template-object-collect.js:
235
236 2019-02-18  Tomas Popela  <tpopela@redhat.com>
237
238         Unreviewed, skip the test on platforms without sampling profiler
239
240         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
241         (platformSupportsSamplingProfiler.foo):
242         (platformSupportsSamplingProfiler.test):
243         (platformSupportsSamplingProfiler):
244         (foo): Deleted.
245         (test): Deleted.
246
247 2019-02-17  Saam Barati  <sbarati@apple.com>
248
249         Deadlock when adding a Structure property transition and then doing incremental marking
250         https://bugs.webkit.org/show_bug.cgi?id=194767
251
252         Reviewed by Mark Lam.
253
254         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
255
256 2019-02-15  Michael Saboff  <msaboff@apple.com>
257
258         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
259         https://bugs.webkit.org/show_bug.cgi?id=194558
260
261         Reviewed by Saam Barati.
262
263         New regression test.
264
265         * stress/regexp-unicode-within-string.js: Added.
266
267 2019-02-15  Mark Lam  <mark.lam@apple.com>
268
269         SamplingProfiler::stackTracesAsJSON() should escape strings.
270         https://bugs.webkit.org/show_bug.cgi?id=194649
271         <rdar://problem/48072386>
272
273         Reviewed by Saam Barati.
274
275         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
276         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
277         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
278         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
279
280 2019-02-15  Robin Morisset  <rmorisset@apple.com>
281         CodeBlock::jettison should clear related watchpoints
282         https://bugs.webkit.org/show_bug.cgi?id=194544
283
284         Reviewed by Mark Lam.
285
286         * stress/regexp-replace-double-watchpoint.js: Added.
287         (foo):
288
289 2019-02-15  Saam barati  <sbarati@apple.com>
290
291         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
292         https://bugs.webkit.org/show_bug.cgi?id=194036
293
294         Reviewed by Yusuke Suzuki.
295
296         * stress/tail-call-many-arguments.js: Added.
297         (foo):
298         (bar):
299
300 2019-02-14  Saam Barati  <sbarati@apple.com>
301
302         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
303         https://bugs.webkit.org/show_bug.cgi?id=194583
304         <rdar://problem/48028140>
305
306         Reviewed by Yusuke Suzuki.
307
308         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
309
310 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
311
312         [JSC] String.fromCharCode's slow path always generates 16bit string
313         https://bugs.webkit.org/show_bug.cgi?id=194466
314
315         Reviewed by Keith Miller.
316
317         * stress/string-from-char-code-slow-path.js: Added.
318         (shouldBe):
319         (testWithLength):
320
321 2019-02-08  Saam barati  <sbarati@apple.com>
322
323         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
324         https://bugs.webkit.org/show_bug.cgi?id=194334
325         <rdar://problem/47844327>
326
327         Reviewed by Mark Lam.
328
329         * stress/check-in-bounds-should-be-a-child-use.js: Added.
330         (func):
331
332 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
333
334         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
335         https://bugs.webkit.org/show_bug.cgi?id=194369
336         <rdar://problem/47813087>
337
338         Reviewed by Saam Barati.
339
340         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
341         (A):
342
343 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
344
345         [JSC] PrivateName to PublicName hash table is wasteful
346         https://bugs.webkit.org/show_bug.cgi?id=194277
347
348         Reviewed by Michael Saboff.
349
350         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
351
352         * ChakraCore.yaml:
353
354 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
355
356         [ARM] Test running out of executable memory
357         https://bugs.webkit.org/show_bug.cgi?id=194285
358
359         Unreviewed. Do no execute test with LLInt disabled, test runs out of
360         executable memory otherwise.
361
362         * stress/class-subclassing-function.js:
363
364 2019-02-04  Robin Morisset  <rmorisset@apple.com>
365
366         when lowering AssertNotEmpty, create the value before creating the patchpoint
367         https://bugs.webkit.org/show_bug.cgi?id=194231
368
369         Reviewed by Saam Barati.
370
371         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
372         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
373         So even tiny changes to this test can change the path code taken.
374
375         * stress/assert-not-empty.js: Added.
376         (foo):
377
378 2019-02-01  Mark Lam  <mark.lam@apple.com>
379
380         Remove invalid assertion in DFG's compileDoubleRep().
381         https://bugs.webkit.org/show_bug.cgi?id=194130
382         <rdar://problem/47699474>
383
384         Reviewed by Saam Barati.
385
386         * stress/constant-fold-double-rep-into-double-constant.js: Added.
387
388 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
389
390         Import latest Test262 updates.
391
392         Rubber-stamped by Keith Miller.
393
394         * test262.yaml: Deleted.
395         * test262/config.yaml:
396         * test262/expectations.yaml:
397         * test262/latest-changes-summary.txt:
398         * test262/test/:
399         * test262/test262-Revision.txt:
400
401 2019-01-30  Robin Morisset  <rmorisset@apple.com>
402
403         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
404         https://bugs.webkit.org/show_bug.cgi?id=194050
405         <rdar://problem/47595592>
406
407         Reviewed by Yusuke Suzuki.
408
409         * stress/object-keys-osr-exit.js: Added.
410         (foo):
411         (catch):
412
413 2019-01-29  Mark Lam  <mark.lam@apple.com>
414
415         ValueRecovery::recover() should purify NaN values it recovers.
416         https://bugs.webkit.org/show_bug.cgi?id=193978
417         <rdar://problem/47625488>
418
419         Reviewed by Saam Barati.
420
421         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
422
423 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
424
425         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
426         https://bugs.webkit.org/show_bug.cgi?id=193713
427
428         * stress/try-get-by-id-should-spill-registers-dfg.js:
429         (let.f.createBuiltin):
430
431 2019-01-28  Mark Lam  <mark.lam@apple.com>
432
433         ToString node actually does GC.
434         https://bugs.webkit.org/show_bug.cgi?id=193920
435         <rdar://problem/46695900>
436
437         Reviewed by Yusuke Suzuki.
438
439         * stress/dfg-to-string-on-int-does-gc.js: Added.
440         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
441         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
442
443 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
444
445         [JSC] NativeErrorConstructor should not have own IsoSubspace
446         https://bugs.webkit.org/show_bug.cgi?id=193713
447
448         Reviewed by Saam Barati.
449
450         Remove @Error use.
451
452         * stress/try-get-by-id-should-spill-registers-dfg.js:
453         (let.f.createBuiltin):
454
455 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
456
457         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
458         https://bugs.webkit.org/show_bug.cgi?id=190693
459
460         Reviewed by Michael Saboff.
461
462         * stress/regress-190693.js: Added.
463         (truth):
464         (assert):
465         (shouldThrowInvalidConstAssignment):
466         (taz):
467
468 2019-01-24  Saam Barati  <sbarati@apple.com>
469
470         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
471         https://bugs.webkit.org/show_bug.cgi?id=193751
472         <rdar://problem/47280215>
473
474         Reviewed by Michael Saboff.
475
476         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
477         (let.thing):
478         (foo.let.hello):
479         (foo):
480
481 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
482
483         [JSC] Reenable baseline JIT on mips
484         https://bugs.webkit.org/show_bug.cgi?id=192983
485
486         Reviewed by Mark Lam.
487
488         Added a new test for a case that was triggering a RELEASE_ASSERT when
489         testing.
490         Disable some slow tests that were already disabled for arm and x86.
491
492         * stress/json-parse-big-object.js: Added.
493         * stress/new-largeish-contiguous-array-with-size.js:
494         * stress/op_add.js:
495         * stress/op_bitand.js:
496         * stress/op_bitor.js:
497         * stress/op_bitxor.js:
498         * stress/op_lshift-ConstVar.js:
499         * stress/op_lshift-VarConst.js:
500         * stress/op_lshift-VarVar.js:
501         * stress/op_mod-ConstVar.js:
502         * stress/op_mod-VarConst.js:
503         * stress/op_mod-VarVar.js:
504         * stress/op_mul-ConstVar.js:
505         * stress/op_mul-VarConst.js:
506         * stress/op_mul-VarVar.js:
507         * stress/op_rshift-ConstVar.js:
508         * stress/op_rshift-VarConst.js:
509         * stress/op_rshift-VarVar.js:
510         * stress/op_sub-ConstVar.js:
511         * stress/op_sub-VarConst.js:
512         * stress/op_sub-VarVar.js:
513         * stress/op_urshift-ConstVar.js:
514         * stress/op_urshift-VarConst.js:
515         * stress/op_urshift-VarVar.js:
516         * stress/sampling-profiler-richards.js:
517         * stress/spread-forward-call-varargs-stack-overflow.js:
518
519 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
520
521         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
522         https://bugs.webkit.org/show_bug.cgi?id=193711
523         <rdar://problem/47250262>
524
525         Reviewed by Saam Barati.
526
527         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
528         (shouldBe):
529         (foo):
530         (bar):
531         (baz):
532
533 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
534
535         Unreviewed, fix initial global lexical binding epoch
536         https://bugs.webkit.org/show_bug.cgi?id=193603
537         <rdar://problem/47380869>
538
539         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
540         (f1.f2.f3.f4):
541         (f1.f2.f3):
542         (f1.f2):
543         (f1):
544
545 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
546
547         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
548         https://bugs.webkit.org/show_bug.cgi?id=193709
549         <rdar://problem/47363838>
550
551         Unreviewed, rollout to watch the tests.
552
553         * stress/object-tostring-changed-proto.js: Removed.
554         * stress/object-tostring-changed.js: Removed.
555         * stress/object-tostring-misc.js: Removed.
556         * stress/object-tostring-other.js: Removed.
557         * stress/object-tostring-untyped.js: Removed.
558
559 2019-01-22  Saam Barati  <sbarati@apple.com>
560
561         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
562
563         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
564         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
565         (testUncheckedLessThanZero):
566         (testUncheckedLessThanOrEqualZero):
567         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
568         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
569
570 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
571
572         [JSC] Invalidate old scope operations using global lexical binding epoch
573         https://bugs.webkit.org/show_bug.cgi?id=193603
574         <rdar://problem/47380869>
575
576         Reviewed by Saam Barati.
577
578         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
579         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
580         (shouldThrow):
581         (bar):
582         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
583         (shouldBe):
584         (get1):
585         (get2):
586         (get1If):
587         (get2If):
588         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
589         (shouldThrow):
590         (foo):
591
592 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
593
594         Unreviewed, roll out r240220 due to date-format-xparb regression
595         https://bugs.webkit.org/show_bug.cgi?id=193603
596
597         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
598         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
599         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
600         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
601
602 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
603
604         DoesGC rule is wrong for nodes with BigIntUse
605         https://bugs.webkit.org/show_bug.cgi?id=193652
606
607         Reviewed by Saam Barati.
608
609         * stress/big-int-value-op-update-gc-rules.js: Added.
610         (assert):
611         (doesGCAdd):
612         (doesGCSub):
613         (doesGCDiv):
614         (doesGCMul):
615         (doesGCBitAnd):
616         (doesGCBitOr):
617         (doesGCBitXor):
618
619 2019-01-20  Saam Barati  <sbarati@apple.com>
620
621         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
622         https://bugs.webkit.org/show_bug.cgi?id=193644
623         <rdar://problem/46209745>
624
625         Reviewed by Yusuke Suzuki.
626
627         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
628         (foo):
629         * stress/data-view-set-intrinsic-undefined-result.js: Added.
630         (foo):
631         (bar):
632
633 2019-01-20  Saam Barati  <sbarati@apple.com>
634
635         MovHint must merge NodeBytecodeUsesAsValue for its child
636         https://bugs.webkit.org/show_bug.cgi?id=186916
637         <rdar://problem/41396612>
638
639         Reviewed by Yusuke Suzuki.
640
641         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
642         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
643
644 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
645
646         [JSC] Invalidate old scope operations using global lexical binding epoch
647         https://bugs.webkit.org/show_bug.cgi?id=193603
648         <rdar://problem/47380869>
649
650         Reviewed by Saam Barati.
651
652         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
653         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
654         (shouldThrow):
655         (bar):
656         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
657         (shouldBe):
658         (get1):
659         (get2):
660         (get1If):
661         (get2If):
662         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
663         (shouldThrow):
664         (foo):
665
666 2019-01-17  Saam barati  <sbarati@apple.com>
667
668         StringObjectUse should not be a structure check for the original string object structure
669         https://bugs.webkit.org/show_bug.cgi?id=193483
670         <rdar://problem/47280522>
671
672         Reviewed by Yusuke Suzuki.
673
674         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
675         (foo):
676         (a.valueOf.0):
677
678 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
679
680         [JSC] ToThis omission in DFGByteCodeParser is wrong
681         https://bugs.webkit.org/show_bug.cgi?id=193513
682         <rdar://problem/45842236>
683
684         Reviewed by Saam Barati.
685
686         * stress/to-this-omission-with-different-strict-modes.js: Added.
687         (thisA):
688         (thisAStrictWrapper):
689
690 2019-01-15  Mark Lam  <mark.lam@apple.com>
691
692         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
693         https://bugs.webkit.org/show_bug.cgi?id=193423
694         <rdar://problem/46209355>
695
696         Reviewed by Saam Barati.
697
698         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
699         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
700         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
701         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
702
703 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
704
705         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
706         https://bugs.webkit.org/show_bug.cgi?id=193438
707         <rdar://problem/45581249>
708
709         Reviewed by Saam Barati and Keith Miller.
710
711         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
712         Then, GetByVal(String) crashed.
713
714         * stress/string-get-by-val-lowering.js: Added.
715         (shouldBe):
716         (test):
717         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
718         (Hello):
719         (foo):
720
721 2019-01-15  Tomas Popela  <tpopela@redhat.com>
722
723         Unreviewed, skip JIT tests if it's not enabled
724
725         * stress/bit-op-with-object-returning-int32.js:
726
727 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
728
729         DFGByteCodeParser rules for bitwise operations should consider type of their operands
730         https://bugs.webkit.org/show_bug.cgi?id=192966
731
732         Reviewed by Yusuke Suzuki.
733
734         * stress/bit-op-with-object-returning-int32.js: Added.
735
736 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
737
738         Skip a slow test and a flakey test on arm
739
740         Unreviewed gardening.
741
742         * typeProfiler/getter-richards.js:
743         this test always times out, it used to be always skipped on arm and
744         mips, but got accidentally enabled by r237919 now that we have DFG on
745         arm. Also skipping on mips as we plan to soon enable DFG for it too.
746
747 2019-01-14  Keith Miller  <keith_miller@apple.com>
748
749         Skip type-check-hoisting-phase-hoist... with no jit
750         https://bugs.webkit.org/show_bug.cgi?id=193421
751
752         Reviewed by Mark Lam.
753
754         It's timing out the 32-bit bots and takes 330 seconds
755         on my machine when run by itself.
756
757         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
758
759 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
760
761         [JSC] AI should check the given constant's array type when folding GetByVal into constant
762         https://bugs.webkit.org/show_bug.cgi?id=193413
763         <rdar://problem/46092389>
764
765         Reviewed by Keith Miller.
766
767         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
768         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
769         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
770         but GetByVal does not have appropriate ArrayModes, JSC crashes.
771
772         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
773         (compareArray):
774
775 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
776
777         [BigInt] Literal parsing is crashing when used inside a Object Literal
778         https://bugs.webkit.org/show_bug.cgi?id=193404
779
780         Reviewed by Yusuke Suzuki.
781
782         * stress/big-int-literal-inside-literal-object.js: Added.
783
784 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
785
786         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
787         https://bugs.webkit.org/show_bug.cgi?id=193372
788
789         Reviewed by Saam Barati.
790
791         * stress/typed-array-array-modes-profile.js: Added.
792         (foo):
793
794 2019-01-14  Mark Lam  <mark.lam@apple.com>
795
796         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
797         https://bugs.webkit.org/show_bug.cgi?id=193402
798         <rdar://problem/46012309>
799
800         Reviewed by Keith Miller.
801
802         * stress/regexp-compile-oom.js:
803         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
804           is enabled.  As a result, it will fail on cloop builds though there is no bug.
805
806 2019-01-11  Saam barati  <sbarati@apple.com>
807
808         DFG combined liveness can be wrong for terminal basic blocks
809         https://bugs.webkit.org/show_bug.cgi?id=193304
810         <rdar://problem/45268632>
811
812         Reviewed by Yusuke Suzuki.
813
814         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
815
816 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
817
818         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
819         https://bugs.webkit.org/show_bug.cgi?id=193308
820         <rdar://problem/45546542>
821
822         Reviewed by Saam Barati.
823
824         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
825         (shouldThrow):
826         (shouldBe):
827         (foo):
828         (get shouldThrow):
829         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
830         (shouldThrow):
831         (shouldBe):
832         (foo):
833         (get shouldBe):
834         (get shouldThrow):
835         (get return):
836         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
837         (shouldThrow):
838         (shouldBe):
839         (foo):
840         (get shouldBe):
841         (get shouldThrow):
842         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
843         (shouldThrow):
844         (shouldBe):
845         (foo):
846         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
847         (shouldThrow):
848         (shouldBe):
849         (foo):
850         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
851         (shouldThrow):
852         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
853         (shouldThrow):
854         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
855         (shouldThrow):
856         (shouldBe):
857         (foo):
858         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
859         (shouldThrow):
860         (shouldBe):
861         (foo):
862         (get shouldBe):
863         (get shouldThrow):
864         (get return):
865         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
866         (shouldThrow):
867         (shouldBe):
868         (foo):
869         (get shouldBe):
870         (get shouldThrow):
871         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
872         (shouldThrow):
873         (shouldBe):
874         (foo):
875         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
876         (shouldThrow):
877         (shouldBe):
878         (foo):
879
880 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
881
882         Enable DFG on ARM/Linux again
883         https://bugs.webkit.org/show_bug.cgi?id=192496
884
885         Reviewed by Yusuke Suzuki.
886
887         Test wasn't really skipped before moving the line with skip
888         to the top.
889
890         * stress/regress-192717.js:
891
892 2019-01-10  Commit Queue  <commit-queue@webkit.org>
893
894         Unreviewed, rolling out r239825.
895         https://bugs.webkit.org/show_bug.cgi?id=193330
896
897         Broke tests on armv7/linux bots (Requested by guijemont on
898         #webkit).
899
900         Reverted changeset:
901
902         "Enable DFG on ARM/Linux again"
903         https://bugs.webkit.org/show_bug.cgi?id=192496
904         https://trac.webkit.org/changeset/239825
905
906 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
907
908         Enable DFG on ARM/Linux again
909         https://bugs.webkit.org/show_bug.cgi?id=192496
910
911         Reviewed by Yusuke Suzuki.
912
913         Test wasn't really skipped before moving the line with skip
914         to the top.
915
916         * stress/regress-192717.js:
917
918 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
919
920         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
921         https://bugs.webkit.org/show_bug.cgi?id=193127
922
923         Reviewed by Saam Barati.
924
925         * stress/array-species-create-should-handle-masquerader.js: Added.
926         (shouldThrow):
927         * stress/is-undefined-or-null-builtin.js: Added.
928         (shouldBe):
929         (isUndefinedOrNull.vm.createBuiltin):
930
931 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
932
933         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
934         https://bugs.webkit.org/show_bug.cgi?id=193221
935
936         Reviewed by Mark Lam.
937
938         * stress/put-by-id-flags.js: Added.
939         (f):
940         (g):
941         (numberOfDFGCompiles):
942
943 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
944
945         Baseline version of get_by_id may corrupt metadata
946         https://bugs.webkit.org/show_bug.cgi?id=193085
947         <rdar://problem/23453006>
948
949         Reviewed by Saam Barati.
950
951         * stress/get-by-id-change-mode.js: Added.
952         (forEach):
953
954 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
955
956         [JSC] Optimize Object.prototype.toString
957         https://bugs.webkit.org/show_bug.cgi?id=193031
958
959         Reviewed by Saam Barati.
960
961         * stress/object-tostring-changed-proto.js: Added.
962         (shouldBe):
963         (test):
964         * stress/object-tostring-changed.js: Added.
965         (shouldBe):
966         (test):
967         * stress/object-tostring-misc.js: Added.
968         (shouldBe):
969         (test):
970         (i.switch):
971         * stress/object-tostring-other.js: Added.
972         (shouldBe):
973         (test):
974         * stress/object-tostring-untyped.js: Added.
975         (shouldBe):
976         (test):
977         (i.switch):
978
979 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
980
981         test262-runner misbehaves when test file YAML has a trailing space
982         https://bugs.webkit.org/show_bug.cgi?id=193053
983
984         Reviewed by Yusuke Suzuki.
985
986         * test262/expectations.yaml:
987         Mark two dozen tests as passing (and correct the output of another).
988
989 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
990
991         Unreviewed, JSTests gardening with memoryLimited
992
993         * stress/string-overflow-createError.js:
994
995 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
996
997         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
998         https://bugs.webkit.org/show_bug.cgi?id=193050
999
1000         Reviewed by Yusuke Suzuki.
1001
1002         * test262.yaml:
1003         * test262/expectations.yaml:
1004         Mark 16 tests as passing.
1005
1006 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1007
1008         [BigInt] Support BigInt in JSON.stringify
1009         https://bugs.webkit.org/show_bug.cgi?id=192624
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/big-int-json-stringify-to-json.js: Added.
1014         (shouldBe):
1015         (shouldThrow):
1016         (BigInt.prototype.toJSON):
1017         (shouldBe.JSON.stringify):
1018         * stress/big-int-json-stringify.js: Added.
1019         (shouldBe):
1020         (shouldThrow):
1021
1022 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1023
1024         [JSC] Implement "well-formed JSON.stringify" proposal
1025         https://bugs.webkit.org/show_bug.cgi?id=191677
1026
1027         Reviewed by Darin Adler.
1028
1029         * stress/json-surrogate-pair.js: Added.
1030         (shouldBe):
1031         * test262/expectations.yaml:
1032
1033 2018-12-20  Keith Miller  <keith_miller@apple.com>
1034
1035         Add support for globalThis
1036         https://bugs.webkit.org/show_bug.cgi?id=165171
1037
1038         Reviewed by Mark Lam.
1039
1040         * test262/config.yaml:
1041
1042 2018-12-19  Keith Miller  <keith_miller@apple.com>
1043
1044         Update test262 configuration to not run tests dependent on ICU version.
1045         https://bugs.webkit.org/show_bug.cgi?id=192920
1046
1047         Reviewed by Saam Barati.
1048
1049         * test262/expectations.yaml:
1050
1051 2018-12-20  Mark Lam  <mark.lam@apple.com>
1052
1053         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1054         https://bugs.webkit.org/show_bug.cgi?id=192939
1055         <rdar://problem/46869516>
1056
1057         Reviewed by Keith Miller.
1058
1059         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1060
1061 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1062
1063         WTF::String and StringImpl overflow MaxLength
1064         https://bugs.webkit.org/show_bug.cgi?id=192853
1065         <rdar://problem/45726906>
1066
1067         Reviewed by Mark Lam.
1068
1069         * stress/string-16bit-repeat-overflow.js: Added.
1070         (catch):
1071
1072 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1073
1074         Unreviewed follow-up to r192914.
1075
1076         * test262/expectations.yaml:
1077         Add the last 20 missing expectations.
1078
1079 2018-12-19  Keith Miller  <keith_miller@apple.com>
1080
1081         Fix test262 expectations
1082         https://bugs.webkit.org/show_bug.cgi?id=192914
1083
1084         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1085
1086         * test262/expectations.yaml:
1087
1088 2018-12-19  Keith Miller  <keith_miller@apple.com>
1089
1090         Update test262 tests.
1091         https://bugs.webkit.org/show_bug.cgi?id=192907
1092
1093         Rubber stamped by Mark Lam.
1094
1095         * test262/*: Omitted because prepare-changelog crashes.
1096
1097 2018-12-19  Mark Lam  <mark.lam@apple.com>
1098
1099         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1100         https://bugs.webkit.org/show_bug.cgi?id=192464
1101         <rdar://problem/46519455>
1102
1103         Reviewed by Saam Barati.
1104
1105         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1106         microbenchmark.
1107
1108         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1109         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1110
1111 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1112
1113         String overflow in JSC::createError results in ASSERT in WTF::makeString
1114         https://bugs.webkit.org/show_bug.cgi?id=192833
1115         <rdar://problem/45706868>
1116
1117         Reviewed by Mark Lam.
1118
1119         * stress/string-overflow-createError.js: Added.
1120
1121 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1122
1123         Error message for `-x ** y` contains a typo.
1124         https://bugs.webkit.org/show_bug.cgi?id=192832
1125
1126         Reviewed by Saam Barati.
1127
1128         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1129         (assert.assert.return.throws):
1130         * stress/pow-expects-update-expression-on-lhs.js:
1131         (throw.new.Error):
1132         Update test expectations which match against the exact error message.
1133
1134 2018-12-18  Mark Lam  <mark.lam@apple.com>
1135
1136         Gardening: test options fix.
1137         https://bugs.webkit.org/show_bug.cgi?id=192822
1138
1139         Unreviewed.
1140
1141         * stress/json-stringify-string-builder-overflow.js:
1142
1143 2018-12-18  Mark Lam  <mark.lam@apple.com>
1144
1145         JSON.stringify() should throw OOM on StringBuilder overflows.
1146         https://bugs.webkit.org/show_bug.cgi?id=192822
1147         <rdar://problem/46670577>
1148
1149         Reviewed by Saam Barati.
1150
1151         * stress/json-stringify-string-builder-overflow.js: Added.
1152
1153 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1154
1155         Redeclaration of var over let/const/class should be a syntax error.
1156         https://bugs.webkit.org/show_bug.cgi?id=192298
1157
1158         Reviewed by Keith Miller.
1159
1160         * test262.yaml:
1161         * test262/expectations.yaml:
1162         Mark 46 tests as passing.
1163
1164         * stress/block-scope-redeclarations.js:
1165         Add some new tests.
1166
1167         * stress/for-in-invalidate-context-weird-assignments.js:
1168         * stress/for-in-tests.js:
1169         Replace tests for outdated behavior with tests for SyntaxError.
1170
1171         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1172         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1173         Update expectations.
1174
1175 2018-12-18  Mark Lam  <mark.lam@apple.com>
1176
1177         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1178         https://bugs.webkit.org/show_bug.cgi?id=191374
1179         <rdar://problem/46525447>
1180
1181         Reviewed by Yusuke Suzuki.
1182
1183         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1184
1185         * stress/elidable-new-object-roflcopter-then-exit.js:
1186
1187 2018-12-17  Mark Lam  <mark.lam@apple.com>
1188
1189         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1190         https://bugs.webkit.org/show_bug.cgi?id=192019
1191         <rdar://problem/46525456>
1192
1193         Reviewed by Yusuke Suzuki.
1194
1195         The test runs too slow on 32-bit.
1196
1197         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1198
1199 2018-12-17  Mark Lam  <mark.lam@apple.com>
1200
1201         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1202         https://bugs.webkit.org/show_bug.cgi?id=191373
1203         <rdar://problem/46525458>
1204
1205         Reviewed by Yusuke Suzuki.
1206
1207         The test is already slow running with a JIT on 64-bit.  It will always timeout
1208         on 32-bit without a JIT.
1209
1210         * stress/materialize-regexp-cyclic-regexp.js:
1211
1212 2018-12-17  Mark Lam  <mark.lam@apple.com>
1213
1214         Array unshift/shift should not race against the AI in the compiler thread.
1215         https://bugs.webkit.org/show_bug.cgi?id=192795
1216         <rdar://problem/46724263>
1217
1218         Reviewed by Saam Barati.
1219
1220         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1221
1222 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1223
1224         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1225         https://bugs.webkit.org/show_bug.cgi?id=190047
1226
1227         Reviewed by Saam Barati.
1228
1229         * stress/object-keys-cached-zero.js: Added.
1230         (shouldBe):
1231         (test):
1232         * stress/object-keys-changed-attribute.js: Added.
1233         (shouldBe):
1234         (test):
1235         * stress/object-keys-changed-index.js: Added.
1236         (shouldBe):
1237         (test):
1238         * stress/object-keys-changed.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/object-keys-indexed-non-cache.js: Added.
1242         (shouldBe):
1243         (test):
1244         * stress/object-keys-overrides-get-property-names.js: Added.
1245         (shouldBe):
1246         (test):
1247         (noInline):
1248
1249 2018-12-17  Mark Lam  <mark.lam@apple.com>
1250
1251         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1252         https://bugs.webkit.org/show_bug.cgi?id=192779
1253         <rdar://problem/46775869>
1254
1255         Reviewed by Saam Barati.
1256
1257         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1258
1259 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1260
1261         Unreviewed test gardening, address a syntax error in a new test.
1262
1263         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1264
1265 2018-12-17  Mark Lam  <mark.lam@apple.com>
1266
1267         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1268         https://bugs.webkit.org/show_bug.cgi?id=192776
1269         <rdar://problem/46772368>
1270
1271         Reviewed by Keith Miller.
1272
1273         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1274
1275 2018-12-17  Mark Lam  <mark.lam@apple.com>
1276
1277         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1278         https://bugs.webkit.org/show_bug.cgi?id=192770
1279         <rdar://problem/46449037>
1280
1281         Reviewed by Keith Miller.
1282
1283         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1284
1285 2018-12-14  Mark Lam  <mark.lam@apple.com>
1286
1287         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1288         https://bugs.webkit.org/show_bug.cgi?id=192717
1289         <rdar://problem/46660677>
1290
1291         Reviewed by Saam Barati.
1292
1293         * stress/regress-192717.js: Added.
1294
1295 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1296
1297         Unreviewed, rolling out r239153, r239154, and r239155.
1298         https://bugs.webkit.org/show_bug.cgi?id=192715
1299
1300         Caused flaky GC-related crashes seen with layout tests
1301         (Requested by ryanhaddad on #webkit).
1302
1303         Reverted changesets:
1304
1305         "[JSC] Optimize Object.keys by caching own keys results in
1306         StructureRareData"
1307         https://bugs.webkit.org/show_bug.cgi?id=190047
1308         https://trac.webkit.org/changeset/239153
1309
1310         "Unreviewed, build fix after r239153"
1311         https://bugs.webkit.org/show_bug.cgi?id=190047
1312         https://trac.webkit.org/changeset/239154
1313
1314         "Unreviewed, build fix after r239153, part 2"
1315         https://bugs.webkit.org/show_bug.cgi?id=190047
1316         https://trac.webkit.org/changeset/239155
1317
1318 2018-12-14  Keith Miller  <keith_miller@apple.com>
1319
1320         Callers of JSString::getIndex should check for OOM exceptions
1321         https://bugs.webkit.org/show_bug.cgi?id=192709
1322
1323         Reviewed by Mark Lam.
1324
1325         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1326
1327 2018-12-13  Mark Lam  <mark.lam@apple.com>
1328
1329         Add a missing exception check.
1330         https://bugs.webkit.org/show_bug.cgi?id=192626
1331         <rdar://problem/46662163>
1332
1333         Reviewed by Keith Miller.
1334
1335         * stress/regress-192626.js: Added.
1336
1337 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1338
1339         [BigInt] Add ValueDiv into DFG
1340         https://bugs.webkit.org/show_bug.cgi?id=186178
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         * stress/big-int-div-jit-osr.js: Added.
1345         * stress/big-int-div-jit-untyped.js: Added.
1346         * stress/value-div-fixup-int32-big-int.js: Added.
1347
1348 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1349
1350         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1351         https://bugs.webkit.org/show_bug.cgi?id=190047
1352
1353         Reviewed by Keith Miller.
1354
1355         * stress/object-keys-cached-zero.js: Added.
1356         (shouldBe):
1357         (test):
1358         * stress/object-keys-changed-attribute.js: Added.
1359         (shouldBe):
1360         (test):
1361         * stress/object-keys-changed-index.js: Added.
1362         (shouldBe):
1363         (test):
1364         * stress/object-keys-changed.js: Added.
1365         (shouldBe):
1366         (test):
1367         * stress/object-keys-indexed-non-cache.js: Added.
1368         (shouldBe):
1369         (test):
1370         * stress/object-keys-overrides-get-property-names.js: Added.
1371         (shouldBe):
1372         (test):
1373         (noInline):
1374
1375 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1376
1377         [DFG][FTL] Add NewSymbol
1378         https://bugs.webkit.org/show_bug.cgi?id=192620
1379
1380         Reviewed by Saam Barati.
1381
1382         * microbenchmarks/symbol-creation.js: Added.
1383         (test):
1384         * stress/symbol-description-identity.js: Added.
1385         (shouldBe):
1386         (test):
1387         * stress/symbol-identity.js: Added.
1388         (shouldBe):
1389         (test):
1390         * stress/symbol-with-description-throw-error.js: Added.
1391         (shouldBe):
1392         (shouldThrow):
1393         (test):
1394         (object.toString):
1395
1396 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1397
1398         [BigInt] Implement DFG/FTL typeof for BigInt
1399         https://bugs.webkit.org/show_bug.cgi?id=192619
1400
1401         Reviewed by Keith Miller.
1402
1403         * stress/big-int-boolean-proven-type.js: Added.
1404         (assert):
1405         (bool):
1406         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1407         (assert):
1408         (typeOf):
1409         (i.switch):
1410         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1411         (assert):
1412         (typeOf):
1413         * stress/big-int-type-of.js:
1414         (typeOf):
1415         (func):
1416
1417 2018-12-10  Mark Lam  <mark.lam@apple.com>
1418
1419         PropertyAttribute needs a CustomValue bit.
1420         https://bugs.webkit.org/show_bug.cgi?id=191993
1421         <rdar://problem/46264467>
1422
1423         Reviewed by Saam Barati.
1424
1425         * stress/regress-191993.js: Added.
1426
1427 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1428
1429         [BigInt] Add ValueMul into DFG
1430         https://bugs.webkit.org/show_bug.cgi?id=186175
1431
1432         Reviewed by Yusuke Suzuki.
1433
1434         * stress/big-int-mul-jit-osr.js: Added.
1435         * stress/big-int-mul-jit-untyped.js: Added.
1436         * stress/value-mul-fixup-int32-big-int.js: Added.
1437
1438 2018-12-06  Keith Miller  <keith_miller@apple.com>
1439
1440         stress/big-wasm-memory tests failing on 32-bit JSC bot
1441         https://bugs.webkit.org/show_bug.cgi?id=192020
1442
1443         Reviewed by Saam Barati.
1444
1445         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1446         the wasm stress tests if the WebAssembly object does not exist.
1447
1448         * stress/big-wasm-memory-grow-no-max.js:
1449         (test.foo):
1450         (test):
1451         (foo): Deleted.
1452         (catch): Deleted.
1453         * stress/big-wasm-memory-grow.js:
1454         (test.foo):
1455         (test):
1456         (foo): Deleted.
1457         (catch): Deleted.
1458         * stress/big-wasm-memory.js:
1459         (test.foo):
1460         (test):
1461         (foo): Deleted.
1462         (catch): Deleted.
1463
1464 2018-12-05  Mark Lam  <mark.lam@apple.com>
1465
1466         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1467         https://bugs.webkit.org/show_bug.cgi?id=192441
1468         <rdar://problem/46480355>
1469
1470         Reviewed by Saam Barati.
1471
1472         * stress/regress-192441.js: Added.
1473
1474 2018-12-04  Mark Lam  <mark.lam@apple.com>
1475
1476         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1477         https://bugs.webkit.org/show_bug.cgi?id=192386
1478         <rdar://problem/46445516>
1479
1480         Reviewed by Saam Barati.
1481
1482         * stress/regress-192386.js: Added.
1483
1484 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1485
1486         [ESNext][BigInt] Support logic operations
1487         https://bugs.webkit.org/show_bug.cgi?id=179903
1488
1489         Reviewed by Yusuke Suzuki.
1490
1491         * stress/big-int-branch-usage.js: Added.
1492         * stress/big-int-logical-and.js: Added.
1493         * stress/big-int-logical-not.js: Added.
1494         * stress/big-int-logical-or.js: Added.
1495
1496 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1497
1498         Unreviewed, rolling out r238833.
1499
1500         Breaks macOS and iOS debug builds.
1501
1502         Reverted changeset:
1503
1504         "[ESNext][BigInt] Support logic operations"
1505         https://bugs.webkit.org/show_bug.cgi?id=179903
1506         https://trac.webkit.org/changeset/238833
1507
1508 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1509
1510         [ESNext][BigInt] Support logic operations
1511         https://bugs.webkit.org/show_bug.cgi?id=179903
1512
1513         Reviewed by Yusuke Suzuki.
1514
1515         * stress/big-int-branch-usage.js: Added.
1516         * stress/big-int-logical-and.js: Added.
1517         * stress/big-int-logical-not.js: Added.
1518         * stress/big-int-logical-or.js: Added.
1519
1520 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1521
1522         [ESNext][BigInt] Implement support for "<<" and ">>"
1523         https://bugs.webkit.org/show_bug.cgi?id=186233
1524
1525         Reviewed by Yusuke Suzuki.
1526
1527         * stress/big-int-left-shift-general.js: Added.
1528         * stress/big-int-left-shift-range-error.js: Added.
1529         * stress/big-int-left-shift-type-error.js: Added.
1530         * stress/big-int-left-shift-wrapped-value.js: Added.
1531         * stress/big-int-right-shift-general.js: Added.
1532         * stress/big-int-right-shift-type-error.js: Added.
1533         * stress/big-int-right-shift-wrapped-value.js: Added.
1534         * stress/left-shift-to-primitive-precedence.js: Added.
1535         * stress/right-shift-to-primitive-precedence.js: Added.
1536
1537 2018-11-30  Dean Jackson  <dino@apple.com>
1538
1539         Add first-class support for .mjs files in jsc binary
1540         https://bugs.webkit.org/show_bug.cgi?id=192190
1541         <rdar://problem/46375715>
1542
1543         Reviewed by Keith Miller.
1544
1545         * stress/simple-module.mjs: Added.
1546         * stress/simple-script.js: Added.
1547
1548 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1549
1550         [BigInt] Implement ValueBitXor into DFG
1551         https://bugs.webkit.org/show_bug.cgi?id=190264
1552
1553         Reviewed by Yusuke Suzuki.
1554
1555         * stress/big-int-bitwise-xor-jit.js: Added.
1556         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1557         * stress/big-int-bitwise-xor-untyped.js: Added.
1558
1559 2018-11-27  Saam barati  <sbarati@apple.com>
1560
1561         r238510 broke scopes of size zero
1562         https://bugs.webkit.org/show_bug.cgi?id=192033
1563         <rdar://problem/46281734>
1564
1565         Reviewed by Keith Miller.
1566
1567         * stress/r238510-bad-loop.js: Added.
1568         (foo):
1569
1570 2018-11-27  Mark Lam  <mark.lam@apple.com>
1571
1572         [Re-landing] NaNs read from Wasm code needs to be be purified.
1573         https://bugs.webkit.org/show_bug.cgi?id=191056
1574         <rdar://problem/45660341>
1575
1576         Reviewed by Filip Pizlo.
1577
1578         * wasm/regress/regress-191056.js: Added.
1579
1580 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1581
1582         Unreviewed, rolling out r238509.
1583
1584         Causes JSC tests to fail on iOS.
1585
1586         Reverted changeset:
1587
1588         "NaNs read from Wasm code needs to be be purified."
1589         https://bugs.webkit.org/show_bug.cgi?id=191056
1590         https://trac.webkit.org/changeset/238509
1591
1592 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1593
1594         Re-introduce op_bitnot
1595         https://bugs.webkit.org/show_bug.cgi?id=190923
1596
1597         Reviewed by Yusuke Suzuki.
1598
1599         * stress/bit-not-must-generate.js: Added.
1600         * stress/bitwise-not-no-int32.js: Added.
1601
1602 2018-11-26  Saam barati  <sbarati@apple.com>
1603
1604         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1605         https://bugs.webkit.org/show_bug.cgi?id=191956
1606         <rdar://problem/45665806>
1607
1608         Reviewed by Yusuke Suzuki.
1609
1610         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1611         (bar):
1612         (foo):
1613
1614 2018-11-26  Saam barati  <sbarati@apple.com>
1615
1616         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1617         https://bugs.webkit.org/show_bug.cgi?id=191958
1618         <rdar://problem/46221877>
1619
1620         Reviewed by Yusuke Suzuki.
1621
1622         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1623         (x):
1624         (foo):
1625
1626 2018-11-26  Mark Lam  <mark.lam@apple.com>
1627
1628         NaNs read from Wasm code needs to be be purified.
1629         https://bugs.webkit.org/show_bug.cgi?id=191056
1630         <rdar://problem/45660341>
1631
1632         Reviewed by Filip Pizlo.
1633
1634         * wasm/regress/regress-191056.js: Added.
1635
1636 2018-11-26  Michael Saboff  <msaboff@apple.com>
1637
1638         32-bit JSC test failure: stress/regexp-compile-oom.js
1639         https://bugs.webkit.org/show_bug.cgi?id=191375
1640
1641         Reviewed by Mark Lam.
1642
1643         Disabled the test for 32 bit platforms.
1644
1645         * stress/regexp-compile-oom.js:
1646
1647 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1648
1649         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1650         https://bugs.webkit.org/show_bug.cgi?id=191716
1651         <rdar://problem/45723878>
1652
1653         Reviewed by Saam Barati.
1654
1655         * stress/regress-187373.js: Added.
1656         (async.fn):
1657
1658 2018-11-21  Saam barati  <sbarati@apple.com>
1659
1660         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1661         https://bugs.webkit.org/show_bug.cgi?id=191897
1662         <rdar://problem/45871998>
1663
1664         Reviewed by Mark Lam.
1665
1666         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1667         (bar):
1668         (foo):
1669
1670 2018-11-21  Saam barati  <sbarati@apple.com>
1671
1672         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1673         https://bugs.webkit.org/show_bug.cgi?id=191895
1674         <rdar://problem/46167406>
1675
1676         Reviewed by Mark Lam.
1677
1678         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1679         (foo):
1680         (bar):
1681
1682 2018-11-21  Mark Lam  <mark.lam@apple.com>
1683
1684         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1685         https://bugs.webkit.org/show_bug.cgi?id=191776
1686         <rdar://problem/46152851>
1687
1688         Reviewed by Saam Barati.
1689
1690         * stress/big-wasm-memory-grow-no-max.js:
1691         * stress/big-wasm-memory-grow.js:
1692         * stress/big-wasm-memory.js:
1693         - updated these to expect an OutOfMemoryError.
1694
1695         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1696         (Binary.prototype.emit_u8):
1697         (Binary.prototype.emit_u32v):
1698         (Binary.prototype.emit_header):
1699         (Binary.prototype.emit_section):
1700         (Binary):
1701         (WasmModuleBuilder):
1702         (WasmModuleBuilder.prototype.addMemory):
1703         (WasmModuleBuilder.prototype.toArray):
1704         (WasmModuleBuilder.prototype.toBuffer):
1705         (WasmModuleBuilder.prototype.instantiate):
1706         (catch):
1707         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1708         (catch):
1709
1710 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1711
1712         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1713         https://bugs.webkit.org/show_bug.cgi?id=190836
1714
1715         Reviewed by Saam Barati and Yusuke Suzuki.
1716
1717         * stress/big-int-out-of-memory-tests.js: Added.
1718
1719 2018-11-20  Mark Lam  <mark.lam@apple.com>
1720
1721         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1722         https://bugs.webkit.org/show_bug.cgi?id=191856
1723         <rdar://problem/46089992>
1724
1725         Reviewed by Yusuke Suzuki.
1726
1727         * stress/regress-191856.js: Added.
1728         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1729
1730 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1731
1732         Enable JIT on ARM/Linux
1733         https://bugs.webkit.org/show_bug.cgi?id=191548
1734
1735         Reviewed by Yusuke Suzuki.
1736
1737         Disable test on system with limited memory. Program was killed by
1738         the OS before the exception was thrown.
1739
1740         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1741
1742 2018-11-20  Saam barati  <sbarati@apple.com>
1743
1744         Merging an IC variant may lead to the IC status containing overlapping structure sets
1745         https://bugs.webkit.org/show_bug.cgi?id=191869
1746         <rdar://problem/45403453>
1747
1748         Reviewed by Mark Lam.
1749
1750         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1751
1752 2018-11-19  Mark Lam  <mark.lam@apple.com>
1753
1754         globalFuncImportModule() should return a promise when it clears exceptions.
1755         https://bugs.webkit.org/show_bug.cgi?id=191792
1756         <rdar://problem/46090763>
1757
1758         Reviewed by Michael Saboff.
1759
1760         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1761
1762 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1763
1764         Skip new memory-hungry tests on memory limited devices
1765
1766         Unreviewed gardening.
1767
1768         * stress/big-wasm-memory-grow-no-max.js:
1769         * stress/big-wasm-memory-grow.js:
1770         * stress/big-wasm-memory.js:
1771
1772 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1773
1774         Unreviewed, rolling in the rest of r237254
1775         https://bugs.webkit.org/show_bug.cgi?id=190340
1776
1777         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1778         * stress/function-cache-with-parameters-end-position.js: Added.
1779         (shouldBe):
1780         (shouldThrow):
1781         (i.anonymous):
1782         * stress/function-constructor-name.js: Added.
1783         (shouldBe):
1784         (GeneratorFunction):
1785         (AsyncFunction.async):
1786         (AsyncGeneratorFunction.async):
1787         (anonymous):
1788         (async.anonymous):
1789         * test262/expectations.yaml:
1790
1791 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1792
1793         All users of ArrayBuffer should agree on the same max size
1794         https://bugs.webkit.org/show_bug.cgi?id=191771
1795
1796         Reviewed by Mark Lam.
1797
1798         * stress/big-wasm-memory-grow-no-max.js: Added.
1799         (foo):
1800         (catch):
1801         * stress/big-wasm-memory-grow.js: Added.
1802         (foo):
1803         (catch):
1804         * stress/big-wasm-memory.js: Added.
1805         (foo):
1806         (catch):
1807
1808 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1809
1810         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1811         run for each JSC config since they're regression tests for runtime bugs.
1812
1813         * stress/json-stringified-overflow-2.js:
1814         * stress/json-stringified-overflow.js:
1815
1816 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1817
1818         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1819         config since they're regression tests for runtime bugs.
1820
1821         * stress/large-unshift-splice.js:
1822         * stress/regress-185888.js:
1823
1824 2018-11-16  Saam Barati  <sbarati@apple.com>
1825
1826         KnownCellUse should also have SpecCellCheck as its type filter
1827         https://bugs.webkit.org/show_bug.cgi?id=191729
1828         <rdar://problem/45872852>
1829
1830         Reviewed by Filip Pizlo.
1831
1832         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1833         (C):
1834
1835 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1836
1837         Fix assertion failure on BytecodeGenerator::recordOpcode
1838         https://bugs.webkit.org/show_bug.cgi?id=191724
1839         <rdar://problem/45724395>
1840
1841         Reviewed by Saam Barati.
1842
1843         * stress/regress-187373-2.js: Added.
1844         (foo):
1845
1846 2018-11-15  Mark Lam  <mark.lam@apple.com>
1847
1848         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1849         https://bugs.webkit.org/show_bug.cgi?id=191730
1850         <rdar://problem/46048517>
1851
1852         Reviewed by Saam Barati.
1853
1854         * stress/regress-187006.js: Removed.
1855           - this test is invalid because its sole purpose is to test for the non-spec
1856             compliant behavior that we just fixed.
1857
1858         * stress/regress-191730.js: Added.
1859
1860 2018-11-15  Mark Lam  <mark.lam@apple.com>
1861
1862         RegExp operations should not take fast patch if lastIndex is not numeric.
1863         https://bugs.webkit.org/show_bug.cgi?id=191731
1864         <rdar://problem/46017305>
1865
1866         Reviewed by Saam Barati.
1867
1868         * stress/regress-191731.js: Added.
1869
1870 2018-11-13  Saam Barati  <sbarati@apple.com>
1871
1872         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1873         https://bugs.webkit.org/show_bug.cgi?id=191600
1874
1875         Reviewed by Mark Lam.
1876
1877         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1878         (foo):
1879         (test):
1880         (bar):
1881
1882 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1883
1884         Unreviewed, rolling out r238132.
1885
1886         The test added with this change is timing out on Debug JSC
1887         bots.
1888
1889         Reverted changeset:
1890
1891         "[BigInt] JSBigInt::createWithLength should throw when length
1892         is greater than JSBigInt::maxLength"
1893         https://bugs.webkit.org/show_bug.cgi?id=190836
1894         https://trac.webkit.org/changeset/238132
1895
1896 2018-11-13  Mark Lam  <mark.lam@apple.com>
1897
1898         Add OOM detection to StringPrototype's substituteBackreferences().
1899         https://bugs.webkit.org/show_bug.cgi?id=191563
1900         <rdar://problem/45720428>
1901
1902         Reviewed by Saam Barati.
1903
1904         * stress/regress-191563.js: Added.
1905
1906 2018-11-13  Mark Lam  <mark.lam@apple.com>
1907
1908         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1909         https://bugs.webkit.org/show_bug.cgi?id=191579
1910         <rdar://problem/45942472>
1911
1912         Reviewed by Saam Barati.
1913
1914         * stress/regress-191579.js: Added.
1915
1916 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1917
1918         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1919         https://bugs.webkit.org/show_bug.cgi?id=190836
1920
1921         Reviewed by Saam Barati.
1922
1923         * stress/big-int-out-of-memory-tests.js: Added.
1924
1925 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1926
1927         U+180E is no longer a whitespace character
1928         https://bugs.webkit.org/show_bug.cgi?id=191415
1929
1930         Reviewed by Saam Barati.
1931
1932         * ChakraCore/test/es5/regexSpace.baseline:
1933         * ChakraCore/test/es6/unicode_whitespace.js:
1934         Update tests to latest version.
1935         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1936
1937         * test262.yaml:
1938         * test262/config.yaml:
1939         * test262/expectations.yaml:
1940         Update expectations.
1941
1942 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1943
1944         [BigInt] Add support to BigInt into ValueAdd
1945         https://bugs.webkit.org/show_bug.cgi?id=186177
1946
1947         Reviewed by Keith Miller.
1948
1949         * stress/big-int-negate-jit.js:
1950         * stress/value-add-big-int-and-string.js: Added.
1951         * stress/value-add-big-int-prediction-propagation.js: Added.
1952         * stress/value-add-big-int-untyped.js: Added.
1953
1954 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1955
1956         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1957         https://bugs.webkit.org/show_bug.cgi?id=191184
1958
1959         Reviewed by Saam Barati.
1960
1961         Most tests were failing due to timeouts, since they are too slow to
1962         run on CLoop. The exceptions are:
1963
1964         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1965         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1966         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1967         to change the stack size since CLoop requires it to be page aligned.
1968
1969         * microbenchmarks/array-push-1.js:
1970         * microbenchmarks/array-push-2.js:
1971         * microbenchmarks/elidable-new-object-dag.js:
1972         * microbenchmarks/elidable-new-object-roflcopter.js:
1973         * microbenchmarks/elidable-new-object-tree.js:
1974         * microbenchmarks/getter-richards.js:
1975         * microbenchmarks/sinkable-new-object-dag.js:
1976         * microbenchmarks/string-concat-long-convert.js:
1977         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1978         * slowMicrobenchmarks/array-push-3.js:
1979         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1980         * slowMicrobenchmarks/spread-small-array.js:
1981         * slowMicrobenchmarks/undefined-property-access.js:
1982         * stress/activation-sink-default-value-tdz-error.js:
1983         * stress/activation-sink-default-value.js:
1984         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1985         * stress/activation-sink-osrexit-default-value.js:
1986         * stress/activation-sink-osrexit.js:
1987         * stress/activation-sink.js:
1988         * stress/allow-math-ic-b3-code-duplication.js:
1989         * stress/array-push-multiple-int32.js:
1990         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1991         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1992         * stress/arrowfunction-lexical-this-activation-sink.js:
1993         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1994         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1995         * stress/elide-new-object-dag-then-exit.js:
1996         * stress/materialize-regexp-cyclic.js:
1997         * stress/new-regex-inline.js:
1998         * stress/op_add.js:
1999         * stress/op_bitand.js:
2000         * stress/op_bitor.js:
2001         * stress/op_bitxor.js:
2002         * stress/op_div-ConstVar.js:
2003         * stress/op_div-VarConst.js:
2004         * stress/op_div-VarVar.js:
2005         * stress/op_lshift-ConstVar.js:
2006         * stress/op_lshift-VarConst.js:
2007         * stress/op_lshift-VarVar.js:
2008         * stress/op_mod-ConstVar.js:
2009         * stress/op_mod-VarConst.js:
2010         * stress/op_mod-VarVar.js:
2011         * stress/op_mul-ConstVar.js:
2012         * stress/op_mul-VarConst.js:
2013         * stress/op_mul-VarVar.js:
2014         * stress/op_rshift-ConstVar.js:
2015         * stress/op_rshift-VarConst.js:
2016         * stress/op_rshift-VarVar.js:
2017         * stress/op_sub-ConstVar.js:
2018         * stress/op_sub-VarConst.js:
2019         * stress/op_sub-VarVar.js:
2020         * stress/op_urshift-ConstVar.js:
2021         * stress/op_urshift-VarConst.js:
2022         * stress/op_urshift-VarVar.js:
2023         * stress/proxy-get-set-correct-receiver.js:
2024         * stress/regress-179562.js:
2025         * stress/rest-parameter-many-arguments.js:
2026         * stress/sampling-profiler-richards.js:
2027         * stress/splay-flash-access-1ms.js:
2028         * stress/tailCallForwardArguments.js:
2029         * stress/typed-array-get-by-val-profiling.js:
2030         * typeProfiler/getter-richards.js:
2031
2032 2018-11-06  Michael Saboff  <msaboff@apple.com>
2033
2034         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2035         https://bugs.webkit.org/show_bug.cgi?id=191271
2036
2037         Reviewed by Saam Barati.
2038
2039         Added more test cases and made all test cases run with the same deeply recursive stack
2040         instead of finding that same point for each test case.
2041
2042         * stress/regexp-compile-oom.js:
2043         (prototype.runTest):
2044         (recurseAndTest):
2045         (testList.push.new.TestAndExpectedException):
2046
2047 2018-11-05  Michael Saboff  <msaboff@apple.com>
2048
2049         Unreviewed build fix for linux.
2050
2051         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2052
2053 2018-11-02  Michael Saboff  <msaboff@apple.com>
2054
2055         Rolling in r237753 with unreviewed build fix.
2056
2057         Fixed issues with DECLARE_THROW_SCOPE placement.
2058
2059 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2060
2061         Unreviewed, rolling out r237753.
2062
2063         Introduced JSC test failures
2064
2065         Reverted changeset:
2066
2067         "Running out of stack space not properly handled in
2068         RegExp::compile() and its callers"
2069         https://bugs.webkit.org/show_bug.cgi?id=191206
2070         https://trac.webkit.org/changeset/237753
2071
2072 2018-11-02  Michael Saboff  <msaboff@apple.com>
2073
2074         Running out of stack space not properly handled in RegExp::compile() and its callers
2075         https://bugs.webkit.org/show_bug.cgi?id=191206
2076
2077         Reviewed by Filip Pizlo.
2078
2079         New regression test.
2080
2081         * stress/regexp-compile-oom.js: Added.
2082         (recurseAndTest):
2083
2084 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2085
2086         Skip tests on arm/mips that time out now we're running on CLoop
2087
2088         Unreviewed gardening.
2089
2090         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2091         time out on the bots and need to be disabled. There's more tests
2092         disabled on arm because the timeout is longer on the mips bot (as the
2093         device is slower to start with), so many of the tests don't time out
2094         there.
2095
2096         * microbenchmarks/getter-richards.js: disable on arm and mips.
2097         * stress/op_add.js: disable on arm.
2098         * stress/op_bitand.js: disable on arm.
2099         * stress/op_bitor.js: disable on arm.
2100         * stress/op_bitxor.js: disable on arm.
2101         * stress/op_lshift-ConstVar.js: disable on arm.
2102         * stress/op_lshift-VarConst.js: disable on arm.
2103         * stress/op_lshift-VarVar.js: disable on arm.
2104         * stress/op_mod-ConstVar.js: disable on arm.
2105         * stress/op_mod-VarConst.js: disable on arm.
2106         * stress/op_mod-VarVar.js: disable on arm.
2107         * stress/op_mul-ConstVar.js: disable on arm.
2108         * stress/op_mul-VarConst.js: disable on arm.
2109         * stress/op_mul-VarVar.js: disable on arm.
2110         * stress/op_rshift-ConstVar.js: disable on arm.
2111         * stress/op_rshift-VarConst.js: disable on arm.
2112         * stress/op_rshift-VarVar.js: disable on arm.
2113         * stress/op_sub-ConstVar.js: disable on arm.
2114         * stress/op_sub-VarConst.js: disable on arm.
2115         * stress/op_sub-VarVar.js: disable on arm.
2116         * stress/op_urshift-ConstVar.js: disable on arm.
2117         * stress/op_urshift-VarConst.js: disable on arm.
2118         * stress/op_urshift-VarVar.js: disable on arm.
2119         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2120         * stress/value-to-boolean.js: disable on arm and mips.
2121
2122 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2123
2124         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2125         https://bugs.webkit.org/show_bug.cgi?id=191108
2126         <rdar://problem/45690700>
2127
2128         Reviewed by Saam Barati.
2129
2130         * stress/wide-op_catch.js: Added.
2131         (catch):
2132
2133 2018-10-29  Mark Lam  <mark.lam@apple.com>
2134
2135         Correctly detect string overflow when using the 'Function' constructor.
2136         https://bugs.webkit.org/show_bug.cgi?id=184883
2137         <rdar://problem/36320331>
2138
2139         Reviewed by Saam Barati.
2140
2141         I've verified that this passes on 32-bit as well.
2142
2143         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2144
2145 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2146
2147         Add support for GetStack FlushedDouble
2148         https://bugs.webkit.org/show_bug.cgi?id=191012
2149         <rdar://problem/45265141>
2150
2151         Reviewed by Saam Barati.
2152
2153         * stress/get-stack-double.js: Added.
2154         (bar):
2155         (noInline):
2156
2157 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2158
2159         New bytecode format for JSC
2160         https://bugs.webkit.org/show_bug.cgi?id=187373
2161         <rdar://problem/44186758>
2162
2163         Reviewed by Filip Pizlo.
2164
2165         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2166
2167         * stress/maximum-inline-capacity.js: Added.
2168         (test1):
2169         (test3.Foo):
2170         (test3):
2171
2172 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2173
2174         Unreviewed, rolling out r237479 and r237484.
2175         https://bugs.webkit.org/show_bug.cgi?id=190978
2176
2177         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2178
2179         Reverted changesets:
2180
2181         "New bytecode format for JSC"
2182         https://bugs.webkit.org/show_bug.cgi?id=187373
2183         https://trac.webkit.org/changeset/237479
2184
2185         "Gardening: Build fix after r237479."
2186         https://bugs.webkit.org/show_bug.cgi?id=187373
2187         https://trac.webkit.org/changeset/237484
2188
2189 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2190
2191         New bytecode format for JSC
2192         https://bugs.webkit.org/show_bug.cgi?id=187373
2193         <rdar://problem/44186758>
2194
2195         Reviewed by Filip Pizlo.
2196
2197         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2198
2199         * stress/maximum-inline-capacity.js: Added.
2200         (test1):
2201         (test3.Foo):
2202         (test3):
2203
2204 2018-10-26  Mark Lam  <mark.lam@apple.com>
2205
2206         Fix missing edge cases with JSGlobalObjects having a bad time.
2207         https://bugs.webkit.org/show_bug.cgi?id=189028
2208         <rdar://problem/45204939>
2209
2210         Reviewed by Saam Barati.
2211
2212         * stress/regress-189028.js: Added.
2213
2214 2018-10-22  Mark Lam  <mark.lam@apple.com>
2215
2216         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2217         https://bugs.webkit.org/show_bug.cgi?id=190515
2218         <rdar://problem/45222379>
2219
2220         Rubber-stamped by Saam Barati.
2221
2222         Adding another test.
2223
2224         * stress/regress-190515-2.js: Added.
2225
2226 2018-10-22  Mark Lam  <mark.lam@apple.com>
2227
2228         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2229         https://bugs.webkit.org/show_bug.cgi?id=190515
2230         <rdar://problem/45222379>
2231
2232         Reviewed by Saam Barati.
2233
2234         * stress/regress-190515.js: Added.
2235
2236 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2237
2238         Unreviewed, rolling out r237254.
2239         https://bugs.webkit.org/show_bug.cgi?id=190760
2240
2241         "It regresses JetStream 2 by 5% on some iOS devices"
2242         (Requested by saamyjoon on #webkit).
2243
2244         Reverted changeset:
2245
2246         "[JSC] JSC should have "parseFunction" to optimize Function
2247         constructor"
2248         https://bugs.webkit.org/show_bug.cgi?id=190340
2249         https://trac.webkit.org/changeset/237254
2250
2251 2018-10-19  Saam Barati  <sbarati@apple.com>
2252
2253         vmCall should check if we exit before emitting an OSR exit due to exceptions
2254         https://bugs.webkit.org/show_bug.cgi?id=190740
2255         <rdar://problem/45220139>
2256
2257         Reviewed by Mark Lam.
2258
2259         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2260         (foo):
2261
2262 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2263
2264         [ESNext][BigInt] Implement support for "^"
2265         https://bugs.webkit.org/show_bug.cgi?id=186235
2266
2267         Reviewed by Yusuke Suzuki.
2268
2269         * stress/big-int-bitwise-xor-general.js: Added.
2270         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2271         * stress/big-int-bitwise-xor-type-error.js: Added.
2272         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2273
2274 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2275
2276         [BigInt] Add ValueSub into DFG
2277         https://bugs.webkit.org/show_bug.cgi?id=186176
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         * stress/big-int-subtraction-jit.js:
2282         * stress/value-sub-big-int-prediction-propagation.js: Added.
2283         * stress/value-sub-big-int-untyped.js: Added.
2284         * stress/value-sub-spec-none-case.js: Added.
2285
2286 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2287
2288         [JSC] JSC should have "parseFunction" to optimize Function constructor
2289         https://bugs.webkit.org/show_bug.cgi?id=190340
2290
2291         Reviewed by Mark Lam.
2292
2293         This patch fixes the line number of syntax errors raised by the Function constructor,
2294         since we now parse the final code only once. And we no longer use block statement
2295         for Function constructor's parsing.
2296
2297         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2298         * stress/function-cache-with-parameters-end-position.js: Added.
2299         (shouldBe):
2300         (shouldThrow):
2301         (i.anonymous):
2302         * stress/function-constructor-name.js: Added.
2303         (shouldBe):
2304         (GeneratorFunction):
2305         (AsyncFunction.async):
2306         (AsyncGeneratorFunction.async):
2307         (anonymous):
2308         (async.anonymous):
2309         * test262/expectations.yaml:
2310
2311 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2312
2313         Unreviewed, rolling out r237242.
2314         https://bugs.webkit.org/show_bug.cgi?id=190701
2315
2316         it breaks "stress/sampling-profiler-basic.js" (Requested by
2317         caiolima on #webkit).
2318
2319         Reverted changeset:
2320
2321         "[BigInt] Add ValueSub into DFG"
2322         https://bugs.webkit.org/show_bug.cgi?id=186176
2323         https://trac.webkit.org/changeset/237242
2324
2325 2018-10-17  Keith Miller  <keith_miller@apple.com>
2326
2327         AI does not clear Phantom allocation nodes.
2328         https://bugs.webkit.org/show_bug.cgi?id=190694
2329
2330         Reviewed by Saam Barati.
2331
2332         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2333         (Day):
2334         (DaysInYear):
2335         (TimeInYear):
2336         (TimeFromYear):
2337         (DayFromYear):
2338         (InLeapYear):
2339         (YearFromTime):
2340         (WeekDay):
2341         (DaylightSavingTA):
2342         (GetSecondSundayInMarch):
2343         (TimeInMonth):
2344
2345 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2346
2347         [BigInt] Add ValueSub into DFG
2348         https://bugs.webkit.org/show_bug.cgi?id=186176
2349
2350         Reviewed by Yusuke Suzuki.
2351
2352         * stress/big-int-subtraction-jit.js:
2353         * stress/value-sub-big-int-prediction-propagation.js: Added.
2354         * stress/value-sub-big-int-untyped.js: Added.
2355
2356 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2357
2358         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2359         https://bugs.webkit.org/show_bug.cgi?id=190611
2360
2361         Reviewed by Saam Barati.
2362
2363         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2364         to improve test runtime. On ARM/MIPS this test even timed out when running all
2365         tests.
2366
2367         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2368         (test):
2369
2370 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2371
2372         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2373
2374         Unreviewed gardening.
2375
2376         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2377
2378 2018-10-15  Saam barati  <sbarati@apple.com>
2379
2380         Emit fjcvtzs on ARM64E on Darwin
2381         https://bugs.webkit.org/show_bug.cgi?id=184023
2382
2383         Reviewed by Yusuke Suzuki and Filip Pizlo.
2384
2385         * stress/double-to-int32-NaN.js: Added.
2386         (assert):
2387         (foo):
2388
2389 2018-10-15  Saam Barati  <sbarati@apple.com>
2390
2391         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2392         https://bugs.webkit.org/show_bug.cgi?id=190262
2393         <rdar://problem/44986241>
2394
2395         Reviewed by Mark Lam.
2396
2397         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2398         (test):
2399         * stress/slice-array-storage-with-holes.js: Added.
2400         (main):
2401
2402 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2403
2404         Unreviewed, rolling out r237054.
2405         https://bugs.webkit.org/show_bug.cgi?id=190593
2406
2407         "this regressed JetStream 2 by 6% on iOS" (Requested by
2408         saamyjoon on #webkit).
2409
2410         Reverted changeset:
2411
2412         "[JSC] JSC should have "parseFunction" to optimize Function
2413         constructor"
2414         https://bugs.webkit.org/show_bug.cgi?id=190340
2415         https://trac.webkit.org/changeset/237054
2416
2417 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2418
2419         [JSC] JSON.stringify can accept call-with-no-arguments
2420         https://bugs.webkit.org/show_bug.cgi?id=190343
2421
2422         Reviewed by Mark Lam.
2423
2424         * stress/json-stringify-no-arguments.js: Added.
2425         (shouldBe):
2426
2427 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2428
2429         [JSC] JSC should have "parseFunction" to optimize Function constructor
2430         https://bugs.webkit.org/show_bug.cgi?id=190340
2431
2432         Reviewed by Mark Lam.
2433
2434         This patch fixes the line number of syntax errors raised by the Function constructor,
2435         since we now parse the final code only once. And we no longer use block statement
2436         for Function constructor's parsing.
2437
2438         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2439         * stress/function-cache-with-parameters-end-position.js: Added.
2440         (shouldBe):
2441         (shouldThrow):
2442         (i.anonymous):
2443         * stress/function-constructor-name.js: Added.
2444         (shouldBe):
2445         (GeneratorFunction):
2446         (AsyncFunction.async):
2447         (AsyncGeneratorFunction.async):
2448         (anonymous):
2449         (async.anonymous):
2450         * test262/expectations.yaml:
2451
2452 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2453
2454         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2455         https://bugs.webkit.org/show_bug.cgi?id=190426
2456
2457         Unreviewed gardening.
2458
2459         * stress/sampling-profiler-richards.js:
2460
2461 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2462
2463         [ESNext][BigInt] Implement support for "|"
2464         https://bugs.webkit.org/show_bug.cgi?id=186229
2465
2466         Reviewed by Yusuke Suzuki.
2467
2468         * stress/big-int-bitwise-and-jit.js:
2469         * stress/big-int-bitwise-or-general.js: Added.
2470         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2471         * stress/big-int-bitwise-or-jit.js: Added.
2472         * stress/big-int-bitwise-or-memory-stress.js: Added.
2473         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2474         * stress/big-int-bitwise-or-type-error.js: Added.
2475         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2476
2477 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2478
2479         Skip test on systems with limited memory
2480         https://bugs.webkit.org/show_bug.cgi?id=190310
2481
2482         Invoking runDefault adds test to runlist, skipping the test in the next
2483         line does not prevent the test from executing. Change order of lines such
2484         that runDefault is only executed if test is not executed.
2485
2486         Reviewed by Mark Lam.
2487
2488         * stress/regress-190187.js:
2489
2490 2018-10-03  Saam barati  <sbarati@apple.com>
2491
2492         lowXYZ in FTLLower should always filter the type of the incoming edge
2493         https://bugs.webkit.org/show_bug.cgi?id=189939
2494         <rdar://problem/44407030>
2495
2496         Reviewed by Michael Saboff.
2497
2498         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2499         (foo):
2500         (test):
2501
2502 2018-10-03  Mark Lam  <mark.lam@apple.com>
2503
2504         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2505         https://bugs.webkit.org/show_bug.cgi?id=190187
2506         <rdar://problem/42512909>
2507
2508         Reviewed by Michael Saboff.
2509
2510         * stress/regress-190187.js: Added.
2511
2512 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2513
2514         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2515         https://bugs.webkit.org/show_bug.cgi?id=190033
2516
2517         Reviewed by Yusuke Suzuki.
2518
2519         * stress/big-int-to-string.js:
2520
2521 2018-10-01  Mark Lam  <mark.lam@apple.com>
2522
2523         Function.toString() should also copy the source code Functions that are class definitions.
2524         https://bugs.webkit.org/show_bug.cgi?id=190186
2525         <rdar://problem/44733360>
2526
2527         Reviewed by Saam Barati.
2528
2529         * stress/regress-190186.js: Added.
2530
2531 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2532
2533         Split NaN-check into separate test
2534         https://bugs.webkit.org/show_bug.cgi?id=190010
2535
2536         Reviewed by Saam Barati.
2537
2538         DataView exposes NaN-representation, which is not necessarily the same on each
2539         architecture. Therefore move the check of the NaN-representation into its own
2540         file such that we can disable this test on MIPS where NaN-representation can be
2541         different on older CPUs.
2542
2543         * stress/dataview-jit-set-nan.js: Added.
2544         (assert):
2545         (test.storeLittleEndian):
2546         (test.storeBigEndian):
2547         (test.store):
2548         (test):
2549         * stress/dataview-jit-set.js:
2550         (test5):
2551
2552 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2553
2554         Unreviewed, rolling out r236647.
2555         https://bugs.webkit.org/show_bug.cgi?id=190124
2556
2557         Breaking test stress/big-int-to-string.js (Requested by
2558         caiolima_ on #webkit).
2559
2560         Reverted changeset:
2561
2562         "[BigInt] BigInt.proptotype.toString is broken when radix is
2563         power of 2"
2564         https://bugs.webkit.org/show_bug.cgi?id=190033
2565         https://trac.webkit.org/changeset/236647
2566
2567 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2568
2569         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2570         https://bugs.webkit.org/show_bug.cgi?id=190033
2571
2572         Reviewed by Yusuke Suzuki.
2573
2574         * stress/big-int-to-string.js:
2575
2576 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2577
2578         [ESNext][BigInt] Implement support for "&"
2579         https://bugs.webkit.org/show_bug.cgi?id=186228
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         * stress/big-int-bitwise-and-general.js: Added.
2584         (assert):
2585         (assert.sameValue):
2586         * stress/big-int-bitwise-and-jit.js: Added.
2587         (let.assert.sameValue):
2588         (bigIntBitAnd):
2589         * stress/big-int-bitwise-and-memory-stress.js: Added.
2590         (assert):
2591         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2592         (assert.sameValue):
2593         (let.o.Symbol.toPrimitive):
2594         (catch):
2595         * stress/big-int-bitwise-and-type-error.js: Added.
2596         (assert):
2597         (assertThrowTypeError):
2598         (let.o.valueOf):
2599         (o.valueOf):
2600         (o.toString):
2601         (o.Symbol.toPrimitive):
2602         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2603         (assert.sameValue):
2604         (testBitAnd):
2605         (let.o.Symbol.toPrimitive):
2606         (o.valueOf):
2607         (o.toString):
2608
2609 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2610
2611         JSC test stress/jsc-read.js doesn't support CRLF
2612         https://bugs.webkit.org/show_bug.cgi?id=190063
2613
2614         Reviewed by Yusuke Suzuki.
2615
2616         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2617
2618         * stress/jsc-read.js:
2619         (test):
2620
2621 2018-09-27  Saam barati  <sbarati@apple.com>
2622
2623         Verify the contents of AssemblerBuffer on arm64e
2624         https://bugs.webkit.org/show_bug.cgi?id=190057
2625         <rdar://problem/38916630>
2626
2627         Reviewed by Mark Lam.
2628
2629         * stress/regress-189132.js:
2630
2631 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2632
2633         Disable test without LLInt on ARMv7
2634         https://bugs.webkit.org/show_bug.cgi?id=190037
2635
2636         Reviewed by Mark Lam.
2637
2638         Test runs out of executable memory on ARMv7, do not run
2639         this test without LLInt enabled.
2640
2641         * stress/regress-169445.js:
2642
2643 2018-09-26  Keith Miller  <keith_miller@apple.com>
2644
2645         We should zero unused property storage when rebalancing array storage.
2646         https://bugs.webkit.org/show_bug.cgi?id=188151
2647
2648         Reviewed by Michael Saboff.
2649
2650         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2651
2652 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2653
2654         [JSC] Optimize Array#lastIndexOf
2655         https://bugs.webkit.org/show_bug.cgi?id=189780
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/array-lastindexof-array-prototype-trap.js: Added.
2660         (shouldBe):
2661         (AncestorArray.prototype.get 2):
2662         (AncestorArray):
2663         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2664         (shouldBe):
2665         * stress/array-lastindexof-hole-nan.js: Added.
2666         (shouldBe):
2667         (throw.new.Error):
2668         * stress/array-lastindexof-infinity.js: Added.
2669         (shouldBe):
2670         (throw.new.Error):
2671         * stress/array-lastindexof-negative-zero.js: Added.
2672         (shouldBe):
2673         (throw.new.Error):
2674         * stress/array-lastindexof-own-getter.js: Added.
2675         (shouldBe):
2676         (throw.new.Error.get array):
2677         (get array):
2678         * stress/array-lastindexof-prototype-trap.js: Added.
2679         (shouldBe):
2680         (DerivedArray.prototype.get 2):
2681         (DerivedArray):
2682
2683 2018-09-25  Saam Barati  <sbarati@apple.com>
2684
2685         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2686         https://bugs.webkit.org/show_bug.cgi?id=189940
2687         <rdar://problem/43640987>
2688
2689         Reviewed by Mark Lam.
2690
2691         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2692
2693 2018-09-24  Saam Barati  <sbarati@apple.com>
2694
2695         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2696         https://bugs.webkit.org/show_bug.cgi?id=189922
2697         <rdar://problem/44651275>
2698
2699         Reviewed by Mark Lam.
2700
2701         * stress/array-indexof-fast-path-effects.js: Added.
2702         * stress/array-indexof-cached-length.js: Added.
2703
2704 2018-09-24  Saam barati  <sbarati@apple.com>
2705
2706         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2707         https://bugs.webkit.org/show_bug.cgi?id=189682
2708         <rdar://problem/43557315>
2709
2710         Reviewed by Mark Lam.
2711
2712         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2713         (foo):
2714
2715 2018-09-22  Saam barati  <sbarati@apple.com>
2716
2717         The sampling should not use Strong<CodeBlock> in its machineLocation field
2718         https://bugs.webkit.org/show_bug.cgi?id=189319
2719
2720         Reviewed by Filip Pizlo.
2721
2722         * stress/sampling-profiler-richards.js: Added.
2723
2724 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2725
2726         [JSC] Optimize Array#indexOf in C++ runtime
2727         https://bugs.webkit.org/show_bug.cgi?id=189507
2728
2729         Reviewed by Saam Barati.
2730
2731         * stress/array-indexof-array-prototype-trap.js: Added.
2732         (shouldBe):
2733         (AncestorArray.prototype.get 2):
2734         (AncestorArray):
2735         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2736         (shouldBe):
2737         * stress/array-indexof-hole-nan.js: Added.
2738         (shouldBe):
2739         (throw.new.Error):
2740         * stress/array-indexof-infinity.js: Added.
2741         (shouldBe):
2742         (throw.new.Error):
2743         * stress/array-indexof-negative-zero.js: Added.
2744         (shouldBe):
2745         (throw.new.Error):
2746         * stress/array-indexof-own-getter.js: Added.
2747         (shouldBe):
2748         (throw.new.Error.get array):
2749         (get array):
2750         * stress/array-indexof-prototype-trap.js: Added.
2751         (shouldBe):
2752         (DerivedArray.prototype.get 2):
2753         (DerivedArray):
2754
2755 2018-09-19  Saam barati  <sbarati@apple.com>
2756
2757         AI rule for MultiPutByOffset executes its effects in the wrong order
2758         https://bugs.webkit.org/show_bug.cgi?id=189757
2759         <rdar://problem/43535257>
2760
2761         Reviewed by Michael Saboff.
2762
2763         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2764         (foo):
2765         (Foo):
2766         (g):
2767
2768 2018-09-17  Mark Lam  <mark.lam@apple.com>
2769
2770         Ensure that ForInContexts are invalidated if their loop local is over-written.
2771         https://bugs.webkit.org/show_bug.cgi?id=189571
2772         <rdar://problem/44402277>
2773
2774         Reviewed by Saam Barati.
2775
2776         * stress/regress-189571.js: Added.
2777
2778 2018-09-17  Saam barati  <sbarati@apple.com>
2779
2780         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2781         https://bugs.webkit.org/show_bug.cgi?id=189676
2782         <rdar://problem/39682897>
2783
2784         Reviewed by Michael Saboff.
2785
2786         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2787         (A):
2788         (K):
2789         (i.catch):
2790
2791 2018-09-14  Saam barati  <sbarati@apple.com>
2792
2793         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2794         https://bugs.webkit.org/show_bug.cgi?id=189628
2795         <rdar://problem/39481690>
2796
2797         Reviewed by Mark Lam.
2798
2799         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2800         (foo):
2801
2802 2018-09-11  Mark Lam  <mark.lam@apple.com>
2803
2804         Test for array initialization in arrayProtoFuncSplice.
2805         https://bugs.webkit.org/show_bug.cgi?id=170253
2806         <rdar://problem/31328773>
2807
2808         Rubber-stamped by Saam Barati.
2809
2810         * stress/regress-170253.js: Added.
2811
2812 2018-09-11  Mark Lam  <mark.lam@apple.com>
2813
2814         Test for IntlObject initialization.
2815         https://bugs.webkit.org/show_bug.cgi?id=170251
2816         <rdar://problem/31328419>
2817
2818         Rubber-stamped by Saam Barati.
2819
2820         * stress/regress-170251.js: Added.
2821
2822 2018-09-11  Mark Lam  <mark.lam@apple.com>
2823
2824         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2825         https://bugs.webkit.org/show_bug.cgi?id=169889
2826         <rdar://problem/31155607>
2827
2828         Reviewed by Saam Barati.
2829
2830         * stress/regress-169889-array-concat.js: Added.
2831         * stress/regress-169889-array-concat1.js: Added.
2832         * stress/regress-169889-array-slice.js: Added.
2833
2834 2018-09-11  Mark Lam  <mark.lam@apple.com>
2835
2836         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2837         https://bugs.webkit.org/show_bug.cgi?id=169445
2838         <rdar://problem/30957435>
2839
2840         Reviewed by Saam Barati.
2841
2842         * stress/regress-169445.js: Added.
2843         (let.gun.eval.A):
2844         (let.gun.eval.B.C):
2845         (let.gun.eval.B.C.prototype.trigger):
2846         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2847         (let.gun.eval.B):
2848         (let.gun.eval):
2849
2850 == Rolled over to ChangeLog-2018-09-11 ==