[DFG][FTL] Add NewSymbol
[WebKit-https.git] / JSTests / ChangeLog
1 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [DFG][FTL] Add NewSymbol
4         https://bugs.webkit.org/show_bug.cgi?id=192620
5
6         Reviewed by Saam Barati.
7
8         * microbenchmarks/symbol-creation.js: Added.
9         (test):
10         * stress/symbol-description-identity.js: Added.
11         (shouldBe):
12         (test):
13         * stress/symbol-identity.js: Added.
14         (shouldBe):
15         (test):
16         * stress/symbol-with-description-throw-error.js: Added.
17         (shouldBe):
18         (shouldThrow):
19         (test):
20         (object.toString):
21
22 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
23
24         [BigInt] Implement DFG/FTL typeof for BigInt
25         https://bugs.webkit.org/show_bug.cgi?id=192619
26
27         Reviewed by Keith Miller.
28
29         * stress/big-int-boolean-proven-type.js: Added.
30         (assert):
31         (bool):
32         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
33         (assert):
34         (typeOf):
35         (i.switch):
36         * stress/big-int-type-of-proven-type-non-constant.js: Added.
37         (assert):
38         (typeOf):
39         * stress/big-int-type-of.js:
40         (typeOf):
41         (func):
42
43 2018-12-10  Mark Lam  <mark.lam@apple.com>
44
45         PropertyAttribute needs a CustomValue bit.
46         https://bugs.webkit.org/show_bug.cgi?id=191993
47         <rdar://problem/46264467>
48
49         Reviewed by Saam Barati.
50
51         * stress/regress-191993.js: Added.
52
53 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
54
55         [BigInt] Add ValueMul into DFG
56         https://bugs.webkit.org/show_bug.cgi?id=186175
57
58         Reviewed by Yusuke Suzuki.
59
60         * stress/big-int-mul-jit-osr.js: Added.
61         * stress/big-int-mul-jit-untyped.js: Added.
62         * stress/value-mul-fixup-int32-big-int.js: Added.
63
64 2018-12-06  Keith Miller  <keith_miller@apple.com>
65
66         stress/big-wasm-memory tests failing on 32-bit JSC bot
67         https://bugs.webkit.org/show_bug.cgi?id=192020
68
69         Reviewed by Saam Barati.
70
71         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
72         the wasm stress tests if the WebAssembly object does not exist.
73
74         * stress/big-wasm-memory-grow-no-max.js:
75         (test.foo):
76         (test):
77         (foo): Deleted.
78         (catch): Deleted.
79         * stress/big-wasm-memory-grow.js:
80         (test.foo):
81         (test):
82         (foo): Deleted.
83         (catch): Deleted.
84         * stress/big-wasm-memory.js:
85         (test.foo):
86         (test):
87         (foo): Deleted.
88         (catch): Deleted.
89
90 2018-12-05  Mark Lam  <mark.lam@apple.com>
91
92         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
93         https://bugs.webkit.org/show_bug.cgi?id=192441
94         <rdar://problem/46480355>
95
96         Reviewed by Saam Barati.
97
98         * stress/regress-192441.js: Added.
99
100 2018-12-04  Mark Lam  <mark.lam@apple.com>
101
102         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
103         https://bugs.webkit.org/show_bug.cgi?id=192386
104         <rdar://problem/46445516>
105
106         Reviewed by Saam Barati.
107
108         * stress/regress-192386.js: Added.
109
110 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
111
112         [ESNext][BigInt] Support logic operations
113         https://bugs.webkit.org/show_bug.cgi?id=179903
114
115         Reviewed by Yusuke Suzuki.
116
117         * stress/big-int-branch-usage.js: Added.
118         * stress/big-int-logical-and.js: Added.
119         * stress/big-int-logical-not.js: Added.
120         * stress/big-int-logical-or.js: Added.
121
122 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
123
124         Unreviewed, rolling out r238833.
125
126         Breaks macOS and iOS debug builds.
127
128         Reverted changeset:
129
130         "[ESNext][BigInt] Support logic operations"
131         https://bugs.webkit.org/show_bug.cgi?id=179903
132         https://trac.webkit.org/changeset/238833
133
134 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
135
136         [ESNext][BigInt] Support logic operations
137         https://bugs.webkit.org/show_bug.cgi?id=179903
138
139         Reviewed by Yusuke Suzuki.
140
141         * stress/big-int-branch-usage.js: Added.
142         * stress/big-int-logical-and.js: Added.
143         * stress/big-int-logical-not.js: Added.
144         * stress/big-int-logical-or.js: Added.
145
146 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
147
148         [ESNext][BigInt] Implement support for "<<" and ">>"
149         https://bugs.webkit.org/show_bug.cgi?id=186233
150
151         Reviewed by Yusuke Suzuki.
152
153         * stress/big-int-left-shift-general.js: Added.
154         * stress/big-int-left-shift-range-error.js: Added.
155         * stress/big-int-left-shift-type-error.js: Added.
156         * stress/big-int-left-shift-wrapped-value.js: Added.
157         * stress/big-int-right-shift-general.js: Added.
158         * stress/big-int-right-shift-type-error.js: Added.
159         * stress/big-int-right-shift-wrapped-value.js: Added.
160         * stress/left-shift-to-primitive-precedence.js: Added.
161         * stress/right-shift-to-primitive-precedence.js: Added.
162
163 2018-11-30  Dean Jackson  <dino@apple.com>
164
165         Add first-class support for .mjs files in jsc binary
166         https://bugs.webkit.org/show_bug.cgi?id=192190
167         <rdar://problem/46375715>
168
169         Reviewed by Keith Miller.
170
171         * stress/simple-module.mjs: Added.
172         * stress/simple-script.js: Added.
173
174 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
175
176         [BigInt] Implement ValueBitXor into DFG
177         https://bugs.webkit.org/show_bug.cgi?id=190264
178
179         Reviewed by Yusuke Suzuki.
180
181         * stress/big-int-bitwise-xor-jit.js: Added.
182         * stress/big-int-bitwise-xor-memory-stress.js: Added.
183         * stress/big-int-bitwise-xor-untyped.js: Added.
184
185 2018-11-27  Saam barati  <sbarati@apple.com>
186
187         r238510 broke scopes of size zero
188         https://bugs.webkit.org/show_bug.cgi?id=192033
189         <rdar://problem/46281734>
190
191         Reviewed by Keith Miller.
192
193         * stress/r238510-bad-loop.js: Added.
194         (foo):
195
196 2018-11-27  Mark Lam  <mark.lam@apple.com>
197
198         [Re-landing] NaNs read from Wasm code needs to be be purified.
199         https://bugs.webkit.org/show_bug.cgi?id=191056
200         <rdar://problem/45660341>
201
202         Reviewed by Filip Pizlo.
203
204         * wasm/regress/regress-191056.js: Added.
205
206 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
207
208         Unreviewed, rolling out r238509.
209
210         Causes JSC tests to fail on iOS.
211
212         Reverted changeset:
213
214         "NaNs read from Wasm code needs to be be purified."
215         https://bugs.webkit.org/show_bug.cgi?id=191056
216         https://trac.webkit.org/changeset/238509
217
218 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
219
220         Re-introduce op_bitnot
221         https://bugs.webkit.org/show_bug.cgi?id=190923
222
223         Reviewed by Yusuke Suzuki.
224
225         * stress/bit-not-must-generate.js: Added.
226         * stress/bitwise-not-no-int32.js: Added.
227
228 2018-11-26  Saam barati  <sbarati@apple.com>
229
230         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
231         https://bugs.webkit.org/show_bug.cgi?id=191956
232         <rdar://problem/45665806>
233
234         Reviewed by Yusuke Suzuki.
235
236         * stress/end-basic-block-set-local-should-filter-type.js: Added.
237         (bar):
238         (foo):
239
240 2018-11-26  Saam barati  <sbarati@apple.com>
241
242         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
243         https://bugs.webkit.org/show_bug.cgi?id=191958
244         <rdar://problem/46221877>
245
246         Reviewed by Yusuke Suzuki.
247
248         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
249         (x):
250         (foo):
251
252 2018-11-26  Mark Lam  <mark.lam@apple.com>
253
254         NaNs read from Wasm code needs to be be purified.
255         https://bugs.webkit.org/show_bug.cgi?id=191056
256         <rdar://problem/45660341>
257
258         Reviewed by Filip Pizlo.
259
260         * wasm/regress/regress-191056.js: Added.
261
262 2018-11-26  Michael Saboff  <msaboff@apple.com>
263
264         32-bit JSC test failure: stress/regexp-compile-oom.js
265         https://bugs.webkit.org/show_bug.cgi?id=191375
266
267         Reviewed by Mark Lam.
268
269         Disabled the test for 32 bit platforms.
270
271         * stress/regexp-compile-oom.js:
272
273 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
274
275         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
276         https://bugs.webkit.org/show_bug.cgi?id=191716
277         <rdar://problem/45723878>
278
279         Reviewed by Saam Barati.
280
281         * stress/regress-187373.js: Added.
282         (async.fn):
283
284 2018-11-21  Saam barati  <sbarati@apple.com>
285
286         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
287         https://bugs.webkit.org/show_bug.cgi?id=191897
288         <rdar://problem/45871998>
289
290         Reviewed by Mark Lam.
291
292         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
293         (bar):
294         (foo):
295
296 2018-11-21  Saam barati  <sbarati@apple.com>
297
298         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
299         https://bugs.webkit.org/show_bug.cgi?id=191895
300         <rdar://problem/46167406>
301
302         Reviewed by Mark Lam.
303
304         * stress/known-cell-use-needs-type-check-assertion.js: Added.
305         (foo):
306         (bar):
307
308 2018-11-21  Mark Lam  <mark.lam@apple.com>
309
310         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
311         https://bugs.webkit.org/show_bug.cgi?id=191776
312         <rdar://problem/46152851>
313
314         Reviewed by Saam Barati.
315
316         * stress/big-wasm-memory-grow-no-max.js:
317         * stress/big-wasm-memory-grow.js:
318         * stress/big-wasm-memory.js:
319         - updated these to expect an OutOfMemoryError.
320
321         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
322         (Binary.prototype.emit_u8):
323         (Binary.prototype.emit_u32v):
324         (Binary.prototype.emit_header):
325         (Binary.prototype.emit_section):
326         (Binary):
327         (WasmModuleBuilder):
328         (WasmModuleBuilder.prototype.addMemory):
329         (WasmModuleBuilder.prototype.toArray):
330         (WasmModuleBuilder.prototype.toBuffer):
331         (WasmModuleBuilder.prototype.instantiate):
332         (catch):
333         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
334         (catch):
335
336 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
337
338         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
339         https://bugs.webkit.org/show_bug.cgi?id=190836
340
341         Reviewed by Saam Barati and Yusuke Suzuki.
342
343         * stress/big-int-out-of-memory-tests.js: Added.
344
345 2018-11-20  Mark Lam  <mark.lam@apple.com>
346
347         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
348         https://bugs.webkit.org/show_bug.cgi?id=191856
349         <rdar://problem/46089992>
350
351         Reviewed by Yusuke Suzuki.
352
353         * stress/regress-191856.js: Added.
354         - this test is skipped for now until we have a fix for webkit.org/b/191855.
355
356 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
357
358         Enable JIT on ARM/Linux
359         https://bugs.webkit.org/show_bug.cgi?id=191548
360
361         Reviewed by Yusuke Suzuki.
362
363         Disable test on system with limited memory. Program was killed by
364         the OS before the exception was thrown.
365
366         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
367
368 2018-11-20  Saam barati  <sbarati@apple.com>
369
370         Merging an IC variant may lead to the IC status containing overlapping structure sets
371         https://bugs.webkit.org/show_bug.cgi?id=191869
372         <rdar://problem/45403453>
373
374         Reviewed by Mark Lam.
375
376         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
377
378 2018-11-19  Mark Lam  <mark.lam@apple.com>
379
380         globalFuncImportModule() should return a promise when it clears exceptions.
381         https://bugs.webkit.org/show_bug.cgi?id=191792
382         <rdar://problem/46090763>
383
384         Reviewed by Michael Saboff.
385
386         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
387
388 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
389
390         Skip new memory-hungry tests on memory limited devices
391
392         Unreviewed gardening.
393
394         * stress/big-wasm-memory-grow-no-max.js:
395         * stress/big-wasm-memory-grow.js:
396         * stress/big-wasm-memory.js:
397
398 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
399
400         Unreviewed, rolling in the rest of r237254
401         https://bugs.webkit.org/show_bug.cgi?id=190340
402
403         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
404         * stress/function-cache-with-parameters-end-position.js: Added.
405         (shouldBe):
406         (shouldThrow):
407         (i.anonymous):
408         * stress/function-constructor-name.js: Added.
409         (shouldBe):
410         (GeneratorFunction):
411         (AsyncFunction.async):
412         (AsyncGeneratorFunction.async):
413         (anonymous):
414         (async.anonymous):
415         * test262/expectations.yaml:
416
417 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
418
419         All users of ArrayBuffer should agree on the same max size
420         https://bugs.webkit.org/show_bug.cgi?id=191771
421
422         Reviewed by Mark Lam.
423
424         * stress/big-wasm-memory-grow-no-max.js: Added.
425         (foo):
426         (catch):
427         * stress/big-wasm-memory-grow.js: Added.
428         (foo):
429         (catch):
430         * stress/big-wasm-memory.js: Added.
431         (foo):
432         (catch):
433
434 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
435
436         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
437         run for each JSC config since they're regression tests for runtime bugs.
438
439         * stress/json-stringified-overflow-2.js:
440         * stress/json-stringified-overflow.js:
441
442 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
443
444         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
445         config since they're regression tests for runtime bugs.
446
447         * stress/large-unshift-splice.js:
448         * stress/regress-185888.js:
449
450 2018-11-16  Saam Barati  <sbarati@apple.com>
451
452         KnownCellUse should also have SpecCellCheck as its type filter
453         https://bugs.webkit.org/show_bug.cgi?id=191729
454         <rdar://problem/45872852>
455
456         Reviewed by Filip Pizlo.
457
458         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
459         (C):
460
461 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
462
463         Fix assertion failure on BytecodeGenerator::recordOpcode
464         https://bugs.webkit.org/show_bug.cgi?id=191724
465         <rdar://problem/45724395>
466
467         Reviewed by Saam Barati.
468
469         * stress/regress-187373-2.js: Added.
470         (foo):
471
472 2018-11-15  Mark Lam  <mark.lam@apple.com>
473
474         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
475         https://bugs.webkit.org/show_bug.cgi?id=191730
476         <rdar://problem/46048517>
477
478         Reviewed by Saam Barati.
479
480         * stress/regress-187006.js: Removed.
481           - this test is invalid because its sole purpose is to test for the non-spec
482             compliant behavior that we just fixed.
483
484         * stress/regress-191730.js: Added.
485
486 2018-11-15  Mark Lam  <mark.lam@apple.com>
487
488         RegExp operations should not take fast patch if lastIndex is not numeric.
489         https://bugs.webkit.org/show_bug.cgi?id=191731
490         <rdar://problem/46017305>
491
492         Reviewed by Saam Barati.
493
494         * stress/regress-191731.js: Added.
495
496 2018-11-13  Saam Barati  <sbarati@apple.com>
497
498         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
499         https://bugs.webkit.org/show_bug.cgi?id=191600
500
501         Reviewed by Mark Lam.
502
503         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
504         (foo):
505         (test):
506         (bar):
507
508 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
509
510         Unreviewed, rolling out r238132.
511
512         The test added with this change is timing out on Debug JSC
513         bots.
514
515         Reverted changeset:
516
517         "[BigInt] JSBigInt::createWithLength should throw when length
518         is greater than JSBigInt::maxLength"
519         https://bugs.webkit.org/show_bug.cgi?id=190836
520         https://trac.webkit.org/changeset/238132
521
522 2018-11-13  Mark Lam  <mark.lam@apple.com>
523
524         Add OOM detection to StringPrototype's substituteBackreferences().
525         https://bugs.webkit.org/show_bug.cgi?id=191563
526         <rdar://problem/45720428>
527
528         Reviewed by Saam Barati.
529
530         * stress/regress-191563.js: Added.
531
532 2018-11-13  Mark Lam  <mark.lam@apple.com>
533
534         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
535         https://bugs.webkit.org/show_bug.cgi?id=191579
536         <rdar://problem/45942472>
537
538         Reviewed by Saam Barati.
539
540         * stress/regress-191579.js: Added.
541
542 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
543
544         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
545         https://bugs.webkit.org/show_bug.cgi?id=190836
546
547         Reviewed by Saam Barati.
548
549         * stress/big-int-out-of-memory-tests.js: Added.
550
551 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
552
553         U+180E is no longer a whitespace character
554         https://bugs.webkit.org/show_bug.cgi?id=191415
555
556         Reviewed by Saam Barati.
557
558         * ChakraCore/test/es5/regexSpace.baseline:
559         * ChakraCore/test/es6/unicode_whitespace.js:
560         Update tests to latest version.
561         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
562
563         * test262.yaml:
564         * test262/config.yaml:
565         * test262/expectations.yaml:
566         Update expectations.
567
568 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
569
570         [BigInt] Add support to BigInt into ValueAdd
571         https://bugs.webkit.org/show_bug.cgi?id=186177
572
573         Reviewed by Keith Miller.
574
575         * stress/big-int-negate-jit.js:
576         * stress/value-add-big-int-and-string.js: Added.
577         * stress/value-add-big-int-prediction-propagation.js: Added.
578         * stress/value-add-big-int-untyped.js: Added.
579
580 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
581
582         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
583         https://bugs.webkit.org/show_bug.cgi?id=191184
584
585         Reviewed by Saam Barati.
586
587         Most tests were failing due to timeouts, since they are too slow to
588         run on CLoop. The exceptions are:
589
590         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
591         dont-crash-on-stack-overflow-when-parsing-builtin.js and
592         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
593         to change the stack size since CLoop requires it to be page aligned.
594
595         * microbenchmarks/array-push-1.js:
596         * microbenchmarks/array-push-2.js:
597         * microbenchmarks/elidable-new-object-dag.js:
598         * microbenchmarks/elidable-new-object-roflcopter.js:
599         * microbenchmarks/elidable-new-object-tree.js:
600         * microbenchmarks/getter-richards.js:
601         * microbenchmarks/sinkable-new-object-dag.js:
602         * microbenchmarks/string-concat-long-convert.js:
603         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
604         * slowMicrobenchmarks/array-push-3.js:
605         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
606         * slowMicrobenchmarks/spread-small-array.js:
607         * slowMicrobenchmarks/undefined-property-access.js:
608         * stress/activation-sink-default-value-tdz-error.js:
609         * stress/activation-sink-default-value.js:
610         * stress/activation-sink-osrexit-default-value-tdz-error.js:
611         * stress/activation-sink-osrexit-default-value.js:
612         * stress/activation-sink-osrexit.js:
613         * stress/activation-sink.js:
614         * stress/allow-math-ic-b3-code-duplication.js:
615         * stress/array-push-multiple-int32.js:
616         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
617         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
618         * stress/arrowfunction-lexical-this-activation-sink.js:
619         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
620         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
621         * stress/elide-new-object-dag-then-exit.js:
622         * stress/materialize-regexp-cyclic.js:
623         * stress/new-regex-inline.js:
624         * stress/op_add.js:
625         * stress/op_bitand.js:
626         * stress/op_bitor.js:
627         * stress/op_bitxor.js:
628         * stress/op_div-ConstVar.js:
629         * stress/op_div-VarConst.js:
630         * stress/op_div-VarVar.js:
631         * stress/op_lshift-ConstVar.js:
632         * stress/op_lshift-VarConst.js:
633         * stress/op_lshift-VarVar.js:
634         * stress/op_mod-ConstVar.js:
635         * stress/op_mod-VarConst.js:
636         * stress/op_mod-VarVar.js:
637         * stress/op_mul-ConstVar.js:
638         * stress/op_mul-VarConst.js:
639         * stress/op_mul-VarVar.js:
640         * stress/op_rshift-ConstVar.js:
641         * stress/op_rshift-VarConst.js:
642         * stress/op_rshift-VarVar.js:
643         * stress/op_sub-ConstVar.js:
644         * stress/op_sub-VarConst.js:
645         * stress/op_sub-VarVar.js:
646         * stress/op_urshift-ConstVar.js:
647         * stress/op_urshift-VarConst.js:
648         * stress/op_urshift-VarVar.js:
649         * stress/proxy-get-set-correct-receiver.js:
650         * stress/regress-179562.js:
651         * stress/rest-parameter-many-arguments.js:
652         * stress/sampling-profiler-richards.js:
653         * stress/splay-flash-access-1ms.js:
654         * stress/tailCallForwardArguments.js:
655         * stress/typed-array-get-by-val-profiling.js:
656         * typeProfiler/getter-richards.js:
657
658 2018-11-06  Michael Saboff  <msaboff@apple.com>
659
660         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
661         https://bugs.webkit.org/show_bug.cgi?id=191271
662
663         Reviewed by Saam Barati.
664
665         Added more test cases and made all test cases run with the same deeply recursive stack
666         instead of finding that same point for each test case.
667
668         * stress/regexp-compile-oom.js:
669         (prototype.runTest):
670         (recurseAndTest):
671         (testList.push.new.TestAndExpectedException):
672
673 2018-11-05  Michael Saboff  <msaboff@apple.com>
674
675         Unreviewed build fix for linux.
676
677         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
678
679 2018-11-02  Michael Saboff  <msaboff@apple.com>
680
681         Rolling in r237753 with unreviewed build fix.
682
683         Fixed issues with DECLARE_THROW_SCOPE placement.
684
685 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
686
687         Unreviewed, rolling out r237753.
688
689         Introduced JSC test failures
690
691         Reverted changeset:
692
693         "Running out of stack space not properly handled in
694         RegExp::compile() and its callers"
695         https://bugs.webkit.org/show_bug.cgi?id=191206
696         https://trac.webkit.org/changeset/237753
697
698 2018-11-02  Michael Saboff  <msaboff@apple.com>
699
700         Running out of stack space not properly handled in RegExp::compile() and its callers
701         https://bugs.webkit.org/show_bug.cgi?id=191206
702
703         Reviewed by Filip Pizlo.
704
705         New regression test.
706
707         * stress/regexp-compile-oom.js: Added.
708         (recurseAndTest):
709
710 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
711
712         Skip tests on arm/mips that time out now we're running on CLoop
713
714         Unreviewed gardening.
715
716         Since the JIT is temporarily disabled on 32-bit platforms, these tests
717         time out on the bots and need to be disabled. There's more tests
718         disabled on arm because the timeout is longer on the mips bot (as the
719         device is slower to start with), so many of the tests don't time out
720         there.
721
722         * microbenchmarks/getter-richards.js: disable on arm and mips.
723         * stress/op_add.js: disable on arm.
724         * stress/op_bitand.js: disable on arm.
725         * stress/op_bitor.js: disable on arm.
726         * stress/op_bitxor.js: disable on arm.
727         * stress/op_lshift-ConstVar.js: disable on arm.
728         * stress/op_lshift-VarConst.js: disable on arm.
729         * stress/op_lshift-VarVar.js: disable on arm.
730         * stress/op_mod-ConstVar.js: disable on arm.
731         * stress/op_mod-VarConst.js: disable on arm.
732         * stress/op_mod-VarVar.js: disable on arm.
733         * stress/op_mul-ConstVar.js: disable on arm.
734         * stress/op_mul-VarConst.js: disable on arm.
735         * stress/op_mul-VarVar.js: disable on arm.
736         * stress/op_rshift-ConstVar.js: disable on arm.
737         * stress/op_rshift-VarConst.js: disable on arm.
738         * stress/op_rshift-VarVar.js: disable on arm.
739         * stress/op_sub-ConstVar.js: disable on arm.
740         * stress/op_sub-VarConst.js: disable on arm.
741         * stress/op_sub-VarVar.js: disable on arm.
742         * stress/op_urshift-ConstVar.js: disable on arm.
743         * stress/op_urshift-VarConst.js: disable on arm.
744         * stress/op_urshift-VarVar.js: disable on arm.
745         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
746         * stress/value-to-boolean.js: disable on arm and mips.
747
748 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
749
750         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
751         https://bugs.webkit.org/show_bug.cgi?id=191108
752         <rdar://problem/45690700>
753
754         Reviewed by Saam Barati.
755
756         * stress/wide-op_catch.js: Added.
757         (catch):
758
759 2018-10-29  Mark Lam  <mark.lam@apple.com>
760
761         Correctly detect string overflow when using the 'Function' constructor.
762         https://bugs.webkit.org/show_bug.cgi?id=184883
763         <rdar://problem/36320331>
764
765         Reviewed by Saam Barati.
766
767         I've verified that this passes on 32-bit as well.
768
769         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
770
771 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
772
773         Add support for GetStack FlushedDouble
774         https://bugs.webkit.org/show_bug.cgi?id=191012
775         <rdar://problem/45265141>
776
777         Reviewed by Saam Barati.
778
779         * stress/get-stack-double.js: Added.
780         (bar):
781         (noInline):
782
783 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
784
785         New bytecode format for JSC
786         https://bugs.webkit.org/show_bug.cgi?id=187373
787         <rdar://problem/44186758>
788
789         Reviewed by Filip Pizlo.
790
791         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
792
793         * stress/maximum-inline-capacity.js: Added.
794         (test1):
795         (test3.Foo):
796         (test3):
797
798 2018-10-26  Commit Queue  <commit-queue@webkit.org>
799
800         Unreviewed, rolling out r237479 and r237484.
801         https://bugs.webkit.org/show_bug.cgi?id=190978
802
803         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
804
805         Reverted changesets:
806
807         "New bytecode format for JSC"
808         https://bugs.webkit.org/show_bug.cgi?id=187373
809         https://trac.webkit.org/changeset/237479
810
811         "Gardening: Build fix after r237479."
812         https://bugs.webkit.org/show_bug.cgi?id=187373
813         https://trac.webkit.org/changeset/237484
814
815 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
816
817         New bytecode format for JSC
818         https://bugs.webkit.org/show_bug.cgi?id=187373
819         <rdar://problem/44186758>
820
821         Reviewed by Filip Pizlo.
822
823         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
824
825         * stress/maximum-inline-capacity.js: Added.
826         (test1):
827         (test3.Foo):
828         (test3):
829
830 2018-10-26  Mark Lam  <mark.lam@apple.com>
831
832         Fix missing edge cases with JSGlobalObjects having a bad time.
833         https://bugs.webkit.org/show_bug.cgi?id=189028
834         <rdar://problem/45204939>
835
836         Reviewed by Saam Barati.
837
838         * stress/regress-189028.js: Added.
839
840 2018-10-22  Mark Lam  <mark.lam@apple.com>
841
842         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
843         https://bugs.webkit.org/show_bug.cgi?id=190515
844         <rdar://problem/45222379>
845
846         Rubber-stamped by Saam Barati.
847
848         Adding another test.
849
850         * stress/regress-190515-2.js: Added.
851
852 2018-10-22  Mark Lam  <mark.lam@apple.com>
853
854         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
855         https://bugs.webkit.org/show_bug.cgi?id=190515
856         <rdar://problem/45222379>
857
858         Reviewed by Saam Barati.
859
860         * stress/regress-190515.js: Added.
861
862 2018-10-19  Commit Queue  <commit-queue@webkit.org>
863
864         Unreviewed, rolling out r237254.
865         https://bugs.webkit.org/show_bug.cgi?id=190760
866
867         "It regresses JetStream 2 by 5% on some iOS devices"
868         (Requested by saamyjoon on #webkit).
869
870         Reverted changeset:
871
872         "[JSC] JSC should have "parseFunction" to optimize Function
873         constructor"
874         https://bugs.webkit.org/show_bug.cgi?id=190340
875         https://trac.webkit.org/changeset/237254
876
877 2018-10-19  Saam Barati  <sbarati@apple.com>
878
879         vmCall should check if we exit before emitting an OSR exit due to exceptions
880         https://bugs.webkit.org/show_bug.cgi?id=190740
881         <rdar://problem/45220139>
882
883         Reviewed by Mark Lam.
884
885         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
886         (foo):
887
888 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
889
890         [ESNext][BigInt] Implement support for "^"
891         https://bugs.webkit.org/show_bug.cgi?id=186235
892
893         Reviewed by Yusuke Suzuki.
894
895         * stress/big-int-bitwise-xor-general.js: Added.
896         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
897         * stress/big-int-bitwise-xor-type-error.js: Added.
898         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
899
900 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
901
902         [BigInt] Add ValueSub into DFG
903         https://bugs.webkit.org/show_bug.cgi?id=186176
904
905         Reviewed by Yusuke Suzuki.
906
907         * stress/big-int-subtraction-jit.js:
908         * stress/value-sub-big-int-prediction-propagation.js: Added.
909         * stress/value-sub-big-int-untyped.js: Added.
910         * stress/value-sub-spec-none-case.js: Added.
911
912 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
913
914         [JSC] JSC should have "parseFunction" to optimize Function constructor
915         https://bugs.webkit.org/show_bug.cgi?id=190340
916
917         Reviewed by Mark Lam.
918
919         This patch fixes the line number of syntax errors raised by the Function constructor,
920         since we now parse the final code only once. And we no longer use block statement
921         for Function constructor's parsing.
922
923         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
924         * stress/function-cache-with-parameters-end-position.js: Added.
925         (shouldBe):
926         (shouldThrow):
927         (i.anonymous):
928         * stress/function-constructor-name.js: Added.
929         (shouldBe):
930         (GeneratorFunction):
931         (AsyncFunction.async):
932         (AsyncGeneratorFunction.async):
933         (anonymous):
934         (async.anonymous):
935         * test262/expectations.yaml:
936
937 2018-10-18  Commit Queue  <commit-queue@webkit.org>
938
939         Unreviewed, rolling out r237242.
940         https://bugs.webkit.org/show_bug.cgi?id=190701
941
942         it breaks "stress/sampling-profiler-basic.js" (Requested by
943         caiolima on #webkit).
944
945         Reverted changeset:
946
947         "[BigInt] Add ValueSub into DFG"
948         https://bugs.webkit.org/show_bug.cgi?id=186176
949         https://trac.webkit.org/changeset/237242
950
951 2018-10-17  Keith Miller  <keith_miller@apple.com>
952
953         AI does not clear Phantom allocation nodes.
954         https://bugs.webkit.org/show_bug.cgi?id=190694
955
956         Reviewed by Saam Barati.
957
958         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
959         (Day):
960         (DaysInYear):
961         (TimeInYear):
962         (TimeFromYear):
963         (DayFromYear):
964         (InLeapYear):
965         (YearFromTime):
966         (WeekDay):
967         (DaylightSavingTA):
968         (GetSecondSundayInMarch):
969         (TimeInMonth):
970
971 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
972
973         [BigInt] Add ValueSub into DFG
974         https://bugs.webkit.org/show_bug.cgi?id=186176
975
976         Reviewed by Yusuke Suzuki.
977
978         * stress/big-int-subtraction-jit.js:
979         * stress/value-sub-big-int-prediction-propagation.js: Added.
980         * stress/value-sub-big-int-untyped.js: Added.
981
982 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
983
984         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
985         https://bugs.webkit.org/show_bug.cgi?id=190611
986
987         Reviewed by Saam Barati.
988
989         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
990         to improve test runtime. On ARM/MIPS this test even timed out when running all
991         tests.
992
993         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
994         (test):
995
996 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
997
998         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
999
1000         Unreviewed gardening.
1001
1002         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1003
1004 2018-10-15  Saam barati  <sbarati@apple.com>
1005
1006         Emit fjcvtzs on ARM64E on Darwin
1007         https://bugs.webkit.org/show_bug.cgi?id=184023
1008
1009         Reviewed by Yusuke Suzuki and Filip Pizlo.
1010
1011         * stress/double-to-int32-NaN.js: Added.
1012         (assert):
1013         (foo):
1014
1015 2018-10-15  Saam Barati  <sbarati@apple.com>
1016
1017         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1018         https://bugs.webkit.org/show_bug.cgi?id=190262
1019         <rdar://problem/44986241>
1020
1021         Reviewed by Mark Lam.
1022
1023         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1024         (test):
1025         * stress/slice-array-storage-with-holes.js: Added.
1026         (main):
1027
1028 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1029
1030         Unreviewed, rolling out r237054.
1031         https://bugs.webkit.org/show_bug.cgi?id=190593
1032
1033         "this regressed JetStream 2 by 6% on iOS" (Requested by
1034         saamyjoon on #webkit).
1035
1036         Reverted changeset:
1037
1038         "[JSC] JSC should have "parseFunction" to optimize Function
1039         constructor"
1040         https://bugs.webkit.org/show_bug.cgi?id=190340
1041         https://trac.webkit.org/changeset/237054
1042
1043 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1044
1045         [JSC] JSON.stringify can accept call-with-no-arguments
1046         https://bugs.webkit.org/show_bug.cgi?id=190343
1047
1048         Reviewed by Mark Lam.
1049
1050         * stress/json-stringify-no-arguments.js: Added.
1051         (shouldBe):
1052
1053 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1054
1055         [JSC] JSC should have "parseFunction" to optimize Function constructor
1056         https://bugs.webkit.org/show_bug.cgi?id=190340
1057
1058         Reviewed by Mark Lam.
1059
1060         This patch fixes the line number of syntax errors raised by the Function constructor,
1061         since we now parse the final code only once. And we no longer use block statement
1062         for Function constructor's parsing.
1063
1064         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1065         * stress/function-cache-with-parameters-end-position.js: Added.
1066         (shouldBe):
1067         (shouldThrow):
1068         (i.anonymous):
1069         * stress/function-constructor-name.js: Added.
1070         (shouldBe):
1071         (GeneratorFunction):
1072         (AsyncFunction.async):
1073         (AsyncGeneratorFunction.async):
1074         (anonymous):
1075         (async.anonymous):
1076         * test262/expectations.yaml:
1077
1078 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1079
1080         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1081         https://bugs.webkit.org/show_bug.cgi?id=190426
1082
1083         Unreviewed gardening.
1084
1085         * stress/sampling-profiler-richards.js:
1086
1087 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1088
1089         [ESNext][BigInt] Implement support for "|"
1090         https://bugs.webkit.org/show_bug.cgi?id=186229
1091
1092         Reviewed by Yusuke Suzuki.
1093
1094         * stress/big-int-bitwise-and-jit.js:
1095         * stress/big-int-bitwise-or-general.js: Added.
1096         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1097         * stress/big-int-bitwise-or-jit.js: Added.
1098         * stress/big-int-bitwise-or-memory-stress.js: Added.
1099         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1100         * stress/big-int-bitwise-or-type-error.js: Added.
1101         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1102
1103 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1104
1105         Skip test on systems with limited memory
1106         https://bugs.webkit.org/show_bug.cgi?id=190310
1107
1108         Invoking runDefault adds test to runlist, skipping the test in the next
1109         line does not prevent the test from executing. Change order of lines such
1110         that runDefault is only executed if test is not executed.
1111
1112         Reviewed by Mark Lam.
1113
1114         * stress/regress-190187.js:
1115
1116 2018-10-03  Saam barati  <sbarati@apple.com>
1117
1118         lowXYZ in FTLLower should always filter the type of the incoming edge
1119         https://bugs.webkit.org/show_bug.cgi?id=189939
1120         <rdar://problem/44407030>
1121
1122         Reviewed by Michael Saboff.
1123
1124         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1125         (foo):
1126         (test):
1127
1128 2018-10-03  Mark Lam  <mark.lam@apple.com>
1129
1130         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1131         https://bugs.webkit.org/show_bug.cgi?id=190187
1132         <rdar://problem/42512909>
1133
1134         Reviewed by Michael Saboff.
1135
1136         * stress/regress-190187.js: Added.
1137
1138 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1139
1140         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1141         https://bugs.webkit.org/show_bug.cgi?id=190033
1142
1143         Reviewed by Yusuke Suzuki.
1144
1145         * stress/big-int-to-string.js:
1146
1147 2018-10-01  Mark Lam  <mark.lam@apple.com>
1148
1149         Function.toString() should also copy the source code Functions that are class definitions.
1150         https://bugs.webkit.org/show_bug.cgi?id=190186
1151         <rdar://problem/44733360>
1152
1153         Reviewed by Saam Barati.
1154
1155         * stress/regress-190186.js: Added.
1156
1157 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1158
1159         Split NaN-check into separate test
1160         https://bugs.webkit.org/show_bug.cgi?id=190010
1161
1162         Reviewed by Saam Barati.
1163
1164         DataView exposes NaN-representation, which is not necessarily the same on each
1165         architecture. Therefore move the check of the NaN-representation into its own
1166         file such that we can disable this test on MIPS where NaN-representation can be
1167         different on older CPUs.
1168
1169         * stress/dataview-jit-set-nan.js: Added.
1170         (assert):
1171         (test.storeLittleEndian):
1172         (test.storeBigEndian):
1173         (test.store):
1174         (test):
1175         * stress/dataview-jit-set.js:
1176         (test5):
1177
1178 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1179
1180         Unreviewed, rolling out r236647.
1181         https://bugs.webkit.org/show_bug.cgi?id=190124
1182
1183         Breaking test stress/big-int-to-string.js (Requested by
1184         caiolima_ on #webkit).
1185
1186         Reverted changeset:
1187
1188         "[BigInt] BigInt.proptotype.toString is broken when radix is
1189         power of 2"
1190         https://bugs.webkit.org/show_bug.cgi?id=190033
1191         https://trac.webkit.org/changeset/236647
1192
1193 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1194
1195         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1196         https://bugs.webkit.org/show_bug.cgi?id=190033
1197
1198         Reviewed by Yusuke Suzuki.
1199
1200         * stress/big-int-to-string.js:
1201
1202 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1203
1204         [ESNext][BigInt] Implement support for "&"
1205         https://bugs.webkit.org/show_bug.cgi?id=186228
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         * stress/big-int-bitwise-and-general.js: Added.
1210         (assert):
1211         (assert.sameValue):
1212         * stress/big-int-bitwise-and-jit.js: Added.
1213         (let.assert.sameValue):
1214         (bigIntBitAnd):
1215         * stress/big-int-bitwise-and-memory-stress.js: Added.
1216         (assert):
1217         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1218         (assert.sameValue):
1219         (let.o.Symbol.toPrimitive):
1220         (catch):
1221         * stress/big-int-bitwise-and-type-error.js: Added.
1222         (assert):
1223         (assertThrowTypeError):
1224         (let.o.valueOf):
1225         (o.valueOf):
1226         (o.toString):
1227         (o.Symbol.toPrimitive):
1228         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1229         (assert.sameValue):
1230         (testBitAnd):
1231         (let.o.Symbol.toPrimitive):
1232         (o.valueOf):
1233         (o.toString):
1234
1235 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1236
1237         JSC test stress/jsc-read.js doesn't support CRLF
1238         https://bugs.webkit.org/show_bug.cgi?id=190063
1239
1240         Reviewed by Yusuke Suzuki.
1241
1242         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1243
1244         * stress/jsc-read.js:
1245         (test):
1246
1247 2018-09-27  Saam barati  <sbarati@apple.com>
1248
1249         Verify the contents of AssemblerBuffer on arm64e
1250         https://bugs.webkit.org/show_bug.cgi?id=190057
1251         <rdar://problem/38916630>
1252
1253         Reviewed by Mark Lam.
1254
1255         * stress/regress-189132.js:
1256
1257 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1258
1259         Disable test without LLInt on ARMv7
1260         https://bugs.webkit.org/show_bug.cgi?id=190037
1261
1262         Reviewed by Mark Lam.
1263
1264         Test runs out of executable memory on ARMv7, do not run
1265         this test without LLInt enabled.
1266
1267         * stress/regress-169445.js:
1268
1269 2018-09-26  Keith Miller  <keith_miller@apple.com>
1270
1271         We should zero unused property storage when rebalancing array storage.
1272         https://bugs.webkit.org/show_bug.cgi?id=188151
1273
1274         Reviewed by Michael Saboff.
1275
1276         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1277
1278 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1279
1280         [JSC] Optimize Array#lastIndexOf
1281         https://bugs.webkit.org/show_bug.cgi?id=189780
1282
1283         Reviewed by Saam Barati.
1284
1285         * stress/array-lastindexof-array-prototype-trap.js: Added.
1286         (shouldBe):
1287         (AncestorArray.prototype.get 2):
1288         (AncestorArray):
1289         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1290         (shouldBe):
1291         * stress/array-lastindexof-hole-nan.js: Added.
1292         (shouldBe):
1293         (throw.new.Error):
1294         * stress/array-lastindexof-infinity.js: Added.
1295         (shouldBe):
1296         (throw.new.Error):
1297         * stress/array-lastindexof-negative-zero.js: Added.
1298         (shouldBe):
1299         (throw.new.Error):
1300         * stress/array-lastindexof-own-getter.js: Added.
1301         (shouldBe):
1302         (throw.new.Error.get array):
1303         (get array):
1304         * stress/array-lastindexof-prototype-trap.js: Added.
1305         (shouldBe):
1306         (DerivedArray.prototype.get 2):
1307         (DerivedArray):
1308
1309 2018-09-25  Saam Barati  <sbarati@apple.com>
1310
1311         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1312         https://bugs.webkit.org/show_bug.cgi?id=189940
1313         <rdar://problem/43640987>
1314
1315         Reviewed by Mark Lam.
1316
1317         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1318
1319 2018-09-24  Saam Barati  <sbarati@apple.com>
1320
1321         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1322         https://bugs.webkit.org/show_bug.cgi?id=189922
1323         <rdar://problem/44651275>
1324
1325         Reviewed by Mark Lam.
1326
1327         * stress/array-indexof-fast-path-effects.js: Added.
1328         * stress/array-indexof-cached-length.js: Added.
1329
1330 2018-09-24  Saam barati  <sbarati@apple.com>
1331
1332         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1333         https://bugs.webkit.org/show_bug.cgi?id=189682
1334         <rdar://problem/43557315>
1335
1336         Reviewed by Mark Lam.
1337
1338         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1339         (foo):
1340
1341 2018-09-22  Saam barati  <sbarati@apple.com>
1342
1343         The sampling should not use Strong<CodeBlock> in its machineLocation field
1344         https://bugs.webkit.org/show_bug.cgi?id=189319
1345
1346         Reviewed by Filip Pizlo.
1347
1348         * stress/sampling-profiler-richards.js: Added.
1349
1350 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1351
1352         [JSC] Optimize Array#indexOf in C++ runtime
1353         https://bugs.webkit.org/show_bug.cgi?id=189507
1354
1355         Reviewed by Saam Barati.
1356
1357         * stress/array-indexof-array-prototype-trap.js: Added.
1358         (shouldBe):
1359         (AncestorArray.prototype.get 2):
1360         (AncestorArray):
1361         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1362         (shouldBe):
1363         * stress/array-indexof-hole-nan.js: Added.
1364         (shouldBe):
1365         (throw.new.Error):
1366         * stress/array-indexof-infinity.js: Added.
1367         (shouldBe):
1368         (throw.new.Error):
1369         * stress/array-indexof-negative-zero.js: Added.
1370         (shouldBe):
1371         (throw.new.Error):
1372         * stress/array-indexof-own-getter.js: Added.
1373         (shouldBe):
1374         (throw.new.Error.get array):
1375         (get array):
1376         * stress/array-indexof-prototype-trap.js: Added.
1377         (shouldBe):
1378         (DerivedArray.prototype.get 2):
1379         (DerivedArray):
1380
1381 2018-09-19  Saam barati  <sbarati@apple.com>
1382
1383         AI rule for MultiPutByOffset executes its effects in the wrong order
1384         https://bugs.webkit.org/show_bug.cgi?id=189757
1385         <rdar://problem/43535257>
1386
1387         Reviewed by Michael Saboff.
1388
1389         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1390         (foo):
1391         (Foo):
1392         (g):
1393
1394 2018-09-17  Mark Lam  <mark.lam@apple.com>
1395
1396         Ensure that ForInContexts are invalidated if their loop local is over-written.
1397         https://bugs.webkit.org/show_bug.cgi?id=189571
1398         <rdar://problem/44402277>
1399
1400         Reviewed by Saam Barati.
1401
1402         * stress/regress-189571.js: Added.
1403
1404 2018-09-17  Saam barati  <sbarati@apple.com>
1405
1406         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1407         https://bugs.webkit.org/show_bug.cgi?id=189676
1408         <rdar://problem/39682897>
1409
1410         Reviewed by Michael Saboff.
1411
1412         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1413         (A):
1414         (K):
1415         (i.catch):
1416
1417 2018-09-14  Saam barati  <sbarati@apple.com>
1418
1419         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1420         https://bugs.webkit.org/show_bug.cgi?id=189628
1421         <rdar://problem/39481690>
1422
1423         Reviewed by Mark Lam.
1424
1425         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1426         (foo):
1427
1428 2018-09-11  Mark Lam  <mark.lam@apple.com>
1429
1430         Test for array initialization in arrayProtoFuncSplice.
1431         https://bugs.webkit.org/show_bug.cgi?id=170253
1432         <rdar://problem/31328773>
1433
1434         Rubber-stamped by Saam Barati.
1435
1436         * stress/regress-170253.js: Added.
1437
1438 2018-09-11  Mark Lam  <mark.lam@apple.com>
1439
1440         Test for IntlObject initialization.
1441         https://bugs.webkit.org/show_bug.cgi?id=170251
1442         <rdar://problem/31328419>
1443
1444         Rubber-stamped by Saam Barati.
1445
1446         * stress/regress-170251.js: Added.
1447
1448 2018-09-11  Mark Lam  <mark.lam@apple.com>
1449
1450         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1451         https://bugs.webkit.org/show_bug.cgi?id=169889
1452         <rdar://problem/31155607>
1453
1454         Reviewed by Saam Barati.
1455
1456         * stress/regress-169889-array-concat.js: Added.
1457         * stress/regress-169889-array-concat1.js: Added.
1458         * stress/regress-169889-array-slice.js: Added.
1459
1460 2018-09-11  Mark Lam  <mark.lam@apple.com>
1461
1462         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1463         https://bugs.webkit.org/show_bug.cgi?id=169445
1464         <rdar://problem/30957435>
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/regress-169445.js: Added.
1469         (let.gun.eval.A):
1470         (let.gun.eval.B.C):
1471         (let.gun.eval.B.C.prototype.trigger):
1472         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1473         (let.gun.eval.B):
1474         (let.gun.eval):
1475
1476 == Rolled over to ChangeLog-2018-09-11 ==