[WebKit-https.git] / JSTests / ChangeLog
1 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2
3         WTF::String and StringImpl overflow MaxLength
4         https://bugs.webkit.org/show_bug.cgi?id=192853
5         <rdar://problem/45726906>
6
7         Reviewed by Mark Lam.
8
9         * stress/string-16bit-repeat-overflow.js: Added.
10         (catch):
11
12 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
13
14         Unreviewed follow-up to r192914.
15
16         * test262/expectations.yaml:
17         Add the last 20 missing expectations.
18
19 2018-12-19  Keith Miller  <keith_miller@apple.com>
20
21         Fix test262 expectations
22         https://bugs.webkit.org/show_bug.cgi?id=192914
23
24         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
25
26         * test262/expectations.yaml:
27
28 2018-12-19  Keith Miller  <keith_miller@apple.com>
29
30         Update test262 tests.
31         https://bugs.webkit.org/show_bug.cgi?id=192907
32
33         Rubber stamped by Mark Lam.
34
35         * test262/*: Omitted because prepare-changelog crashes.
36
37 2018-12-19  Mark Lam  <mark.lam@apple.com>
38
39         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
40         https://bugs.webkit.org/show_bug.cgi?id=192464
41         <rdar://problem/46519455>
42
43         Reviewed by Saam Barati.
44
45         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
46         microbenchmark.
47
48         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
49         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
50
51 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
52
53         String overflow in JSC::createError results in ASSERT in WTF::makeString
54         https://bugs.webkit.org/show_bug.cgi?id=192833
55         <rdar://problem/45706868>
56
57         Reviewed by Mark Lam.
58
59         * stress/string-overflow-createError.js: Added.
60
61 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
62
63         Error message for `-x ** y` contains a typo.
64         https://bugs.webkit.org/show_bug.cgi?id=192832
65
66         Reviewed by Saam Barati.
67
68         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
69         (assert.assert.return.throws):
70         * stress/pow-expects-update-expression-on-lhs.js:
71         (throw.new.Error):
72         Update test expectations which match against the exact error message.
73
74 2018-12-18  Mark Lam  <mark.lam@apple.com>
75
76         Gardening: test options fix.
77         https://bugs.webkit.org/show_bug.cgi?id=192822
78
79         Unreviewed.
80
81         * stress/json-stringify-string-builder-overflow.js:
82
83 2018-12-18  Mark Lam  <mark.lam@apple.com>
84
85         JSON.stringify() should throw OOM on StringBuilder overflows.
86         https://bugs.webkit.org/show_bug.cgi?id=192822
87         <rdar://problem/46670577>
88
89         Reviewed by Saam Barati.
90
91         * stress/json-stringify-string-builder-overflow.js: Added.
92
93 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
94
95         Redeclaration of var over let/const/class should be a syntax error.
96         https://bugs.webkit.org/show_bug.cgi?id=192298
97
98         Reviewed by Keith Miller.
99
100         * test262.yaml:
101         * test262/expectations.yaml:
102         Mark 46 tests as passing.
103
104         * stress/block-scope-redeclarations.js:
105         Add some new tests.
106
107         * stress/for-in-invalidate-context-weird-assignments.js:
108         * stress/for-in-tests.js:
109         Replace tests for outdated behavior with tests for SyntaxError.
110
111         * ChakraCore/test/LetConst/defer3.baseline-jsc:
112         * ChakraCore/test/LetConst/letvar.baseline-jsc:
113         Update expectations.
114
115 2018-12-18  Mark Lam  <mark.lam@apple.com>
116
117         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
118         https://bugs.webkit.org/show_bug.cgi?id=191374
119         <rdar://problem/46525447>
120
121         Reviewed by Yusuke Suzuki.
122
123         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
124
125         * stress/elidable-new-object-roflcopter-then-exit.js:
126
127 2018-12-17  Mark Lam  <mark.lam@apple.com>
128
129         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
130         https://bugs.webkit.org/show_bug.cgi?id=192019
131         <rdar://problem/46525456>
132
133         Reviewed by Yusuke Suzuki.
134
135         The test runs too slow on 32-bit.
136
137         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
138
139 2018-12-17  Mark Lam  <mark.lam@apple.com>
140
141         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
142         https://bugs.webkit.org/show_bug.cgi?id=191373
143         <rdar://problem/46525458>
144
145         Reviewed by Yusuke Suzuki.
146
147         The test is already slow running with a JIT on 64-bit.  It will always time out
148         on 32-bit without a JIT.
149
150         * stress/materialize-regexp-cyclic-regexp.js:
151
152 2018-12-17  Mark Lam  <mark.lam@apple.com>
153
154         Array unshift/shift should not race against the AI in the compiler thread.
155         https://bugs.webkit.org/show_bug.cgi?id=192795
156         <rdar://problem/46724263>
157
158         Reviewed by Saam Barati.
159
160         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
161
162 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
163
164         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
165         https://bugs.webkit.org/show_bug.cgi?id=190047
166
167         Reviewed by Saam Barati.
168
169         * stress/object-keys-cached-zero.js: Added.
170         (shouldBe):
171         (test):
172         * stress/object-keys-changed-attribute.js: Added.
173         (shouldBe):
174         (test):
175         * stress/object-keys-changed-index.js: Added.
176         (shouldBe):
177         (test):
178         * stress/object-keys-changed.js: Added.
179         (shouldBe):
180         (test):
181         * stress/object-keys-indexed-non-cache.js: Added.
182         (shouldBe):
183         (test):
184         * stress/object-keys-overrides-get-property-names.js: Added.
185         (shouldBe):
186         (test):
187         (noInline):
188
189 2018-12-17  Mark Lam  <mark.lam@apple.com>
190
191         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
192         https://bugs.webkit.org/show_bug.cgi?id=192779
193         <rdar://problem/46775869>
194
195         Reviewed by Saam Barati.
196
197         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
198
199 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
200
201         Unreviewed test gardening, address a syntax error in a new test.
202
203         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
204
205 2018-12-17  Mark Lam  <mark.lam@apple.com>
206
207         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
208         https://bugs.webkit.org/show_bug.cgi?id=192776
209         <rdar://problem/46772368>
210
211         Reviewed by Keith Miller.
212
213         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
214
215 2018-12-17  Mark Lam  <mark.lam@apple.com>
216
217         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
218         https://bugs.webkit.org/show_bug.cgi?id=192770
219         <rdar://problem/46449037>
220
221         Reviewed by Keith Miller.
222
223         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
224
225 2018-12-14  Mark Lam  <mark.lam@apple.com>
226
227         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
228         https://bugs.webkit.org/show_bug.cgi?id=192717
229         <rdar://problem/46660677>
230
231         Reviewed by Saam Barati.
232
233         * stress/regress-192717.js: Added.
234
235 2018-12-14  Commit Queue  <commit-queue@webkit.org>
236
237         Unreviewed, rolling out r239153, r239154, and r239155.
238         https://bugs.webkit.org/show_bug.cgi?id=192715
239
240         Caused flaky GC-related crashes seen with layout tests
241         (Requested by ryanhaddad on #webkit).
242
243         Reverted changesets:
244
245         "[JSC] Optimize Object.keys by caching own keys results in
246         StructureRareData"
247         https://bugs.webkit.org/show_bug.cgi?id=190047
248         https://trac.webkit.org/changeset/239153
249
250         "Unreviewed, build fix after r239153"
251         https://bugs.webkit.org/show_bug.cgi?id=190047
252         https://trac.webkit.org/changeset/239154
253
254         "Unreviewed, build fix after r239153, part 2"
255         https://bugs.webkit.org/show_bug.cgi?id=190047
256         https://trac.webkit.org/changeset/239155
257
258 2018-12-14  Keith Miller  <keith_miller@apple.com>
259
260         Callers of JSString::getIndex should check for OOM exceptions
261         https://bugs.webkit.org/show_bug.cgi?id=192709
262
263         Reviewed by Mark Lam.
264
265         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
266
267 2018-12-13  Mark Lam  <mark.lam@apple.com>
268
269         Add a missing exception check.
270         https://bugs.webkit.org/show_bug.cgi?id=192626
271         <rdar://problem/46662163>
272
273         Reviewed by Keith Miller.
274
275         * stress/regress-192626.js: Added.
276
277 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
278
279         [BigInt] Add ValueDiv into DFG
280         https://bugs.webkit.org/show_bug.cgi?id=186178
281
282         Reviewed by Yusuke Suzuki.
283
284         * stress/big-int-div-jit-osr.js: Added.
285         * stress/big-int-div-jit-untyped.js: Added.
286         * stress/value-div-fixup-int32-big-int.js: Added.
287
288 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
289
290         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
291         https://bugs.webkit.org/show_bug.cgi?id=190047
292
293         Reviewed by Keith Miller.
294
295         * stress/object-keys-cached-zero.js: Added.
296         (shouldBe):
297         (test):
298         * stress/object-keys-changed-attribute.js: Added.
299         (shouldBe):
300         (test):
301         * stress/object-keys-changed-index.js: Added.
302         (shouldBe):
303         (test):
304         * stress/object-keys-changed.js: Added.
305         (shouldBe):
306         (test):
307         * stress/object-keys-indexed-non-cache.js: Added.
308         (shouldBe):
309         (test):
310         * stress/object-keys-overrides-get-property-names.js: Added.
311         (shouldBe):
312         (test):
313         (noInline):
314
315 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
316
317         [DFG][FTL] Add NewSymbol
318         https://bugs.webkit.org/show_bug.cgi?id=192620
319
320         Reviewed by Saam Barati.
321
322         * microbenchmarks/symbol-creation.js: Added.
323         (test):
324         * stress/symbol-description-identity.js: Added.
325         (shouldBe):
326         (test):
327         * stress/symbol-identity.js: Added.
328         (shouldBe):
329         (test):
330         * stress/symbol-with-description-throw-error.js: Added.
331         (shouldBe):
332         (shouldThrow):
333         (test):
334         (object.toString):
335
336 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
337
338         [BigInt] Implement DFG/FTL typeof for BigInt
339         https://bugs.webkit.org/show_bug.cgi?id=192619
340
341         Reviewed by Keith Miller.
342
343         * stress/big-int-boolean-proven-type.js: Added.
344         (assert):
345         (bool):
346         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
347         (assert):
348         (typeOf):
349         (i.switch):
350         * stress/big-int-type-of-proven-type-non-constant.js: Added.
351         (assert):
352         (typeOf):
353         * stress/big-int-type-of.js:
354         (typeOf):
355         (func):
356
357 2018-12-10  Mark Lam  <mark.lam@apple.com>
358
359         PropertyAttribute needs a CustomValue bit.
360         https://bugs.webkit.org/show_bug.cgi?id=191993
361         <rdar://problem/46264467>
362
363         Reviewed by Saam Barati.
364
365         * stress/regress-191993.js: Added.
366
367 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
368
369         [BigInt] Add ValueMul into DFG
370         https://bugs.webkit.org/show_bug.cgi?id=186175
371
372         Reviewed by Yusuke Suzuki.
373
374         * stress/big-int-mul-jit-osr.js: Added.
375         * stress/big-int-mul-jit-untyped.js: Added.
376         * stress/value-mul-fixup-int32-big-int.js: Added.
377
378 2018-12-06  Keith Miller  <keith_miller@apple.com>
379
380         stress/big-wasm-memory tests failing on 32-bit JSC bot
381         https://bugs.webkit.org/show_bug.cgi?id=192020
382
383         Reviewed by Saam Barati.
384
385         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
386         the wasm stress tests if the WebAssembly object does not exist.
387
388         * stress/big-wasm-memory-grow-no-max.js:
389         (test.foo):
390         (test):
391         (foo): Deleted.
392         (catch): Deleted.
393         * stress/big-wasm-memory-grow.js:
394         (test.foo):
395         (test):
396         (foo): Deleted.
397         (catch): Deleted.
398         * stress/big-wasm-memory.js:
399         (test.foo):
400         (test):
401         (foo): Deleted.
402         (catch): Deleted.
403
404 2018-12-05  Mark Lam  <mark.lam@apple.com>
405
406         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
407         https://bugs.webkit.org/show_bug.cgi?id=192441
408         <rdar://problem/46480355>
409
410         Reviewed by Saam Barati.
411
412         * stress/regress-192441.js: Added.
413
414 2018-12-04  Mark Lam  <mark.lam@apple.com>
415
416         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
417         https://bugs.webkit.org/show_bug.cgi?id=192386
418         <rdar://problem/46445516>
419
420         Reviewed by Saam Barati.
421
422         * stress/regress-192386.js: Added.
423
424 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
425
426         [ESNext][BigInt] Support logic operations
427         https://bugs.webkit.org/show_bug.cgi?id=179903
428
429         Reviewed by Yusuke Suzuki.
430
431         * stress/big-int-branch-usage.js: Added.
432         * stress/big-int-logical-and.js: Added.
433         * stress/big-int-logical-not.js: Added.
434         * stress/big-int-logical-or.js: Added.
435
436 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
437
438         Unreviewed, rolling out r238833.
439
440         Breaks macOS and iOS debug builds.
441
442         Reverted changeset:
443
444         "[ESNext][BigInt] Support logic operations"
445         https://bugs.webkit.org/show_bug.cgi?id=179903
446         https://trac.webkit.org/changeset/238833
447
448 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
449
450         [ESNext][BigInt] Support logic operations
451         https://bugs.webkit.org/show_bug.cgi?id=179903
452
453         Reviewed by Yusuke Suzuki.
454
455         * stress/big-int-branch-usage.js: Added.
456         * stress/big-int-logical-and.js: Added.
457         * stress/big-int-logical-not.js: Added.
458         * stress/big-int-logical-or.js: Added.
459
460 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
461
462         [ESNext][BigInt] Implement support for "<<" and ">>"
463         https://bugs.webkit.org/show_bug.cgi?id=186233
464
465         Reviewed by Yusuke Suzuki.
466
467         * stress/big-int-left-shift-general.js: Added.
468         * stress/big-int-left-shift-range-error.js: Added.
469         * stress/big-int-left-shift-type-error.js: Added.
470         * stress/big-int-left-shift-wrapped-value.js: Added.
471         * stress/big-int-right-shift-general.js: Added.
472         * stress/big-int-right-shift-type-error.js: Added.
473         * stress/big-int-right-shift-wrapped-value.js: Added.
474         * stress/left-shift-to-primitive-precedence.js: Added.
475         * stress/right-shift-to-primitive-precedence.js: Added.
476
477 2018-11-30  Dean Jackson  <dino@apple.com>
478
479         Add first-class support for .mjs files in jsc binary
480         https://bugs.webkit.org/show_bug.cgi?id=192190
481         <rdar://problem/46375715>
482
483         Reviewed by Keith Miller.
484
485         * stress/simple-module.mjs: Added.
486         * stress/simple-script.js: Added.
487
488 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
489
490         [BigInt] Implement ValueBitXor into DFG
491         https://bugs.webkit.org/show_bug.cgi?id=190264
492
493         Reviewed by Yusuke Suzuki.
494
495         * stress/big-int-bitwise-xor-jit.js: Added.
496         * stress/big-int-bitwise-xor-memory-stress.js: Added.
497         * stress/big-int-bitwise-xor-untyped.js: Added.
498
499 2018-11-27  Saam barati  <sbarati@apple.com>
500
501         r238510 broke scopes of size zero
502         https://bugs.webkit.org/show_bug.cgi?id=192033
503         <rdar://problem/46281734>
504
505         Reviewed by Keith Miller.
506
507         * stress/r238510-bad-loop.js: Added.
508         (foo):
509
510 2018-11-27  Mark Lam  <mark.lam@apple.com>
511
512         [Re-landing] NaNs read from Wasm code needs to be purified.
513         https://bugs.webkit.org/show_bug.cgi?id=191056
514         <rdar://problem/45660341>
515
516         Reviewed by Filip Pizlo.
517
518         * wasm/regress/regress-191056.js: Added.
519
520 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
521
522         Unreviewed, rolling out r238509.
523
524         Causes JSC tests to fail on iOS.
525
526         Reverted changeset:
527
528         "NaNs read from Wasm code needs to be purified."
529         https://bugs.webkit.org/show_bug.cgi?id=191056
530         https://trac.webkit.org/changeset/238509
531
532 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
533
534         Re-introduce op_bitnot
535         https://bugs.webkit.org/show_bug.cgi?id=190923
536
537         Reviewed by Yusuke Suzuki.
538
539         * stress/bit-not-must-generate.js: Added.
540         * stress/bitwise-not-no-int32.js: Added.
541
542 2018-11-26  Saam barati  <sbarati@apple.com>
543
544         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
545         https://bugs.webkit.org/show_bug.cgi?id=191956
546         <rdar://problem/45665806>
547
548         Reviewed by Yusuke Suzuki.
549
550         * stress/end-basic-block-set-local-should-filter-type.js: Added.
551         (bar):
552         (foo):
553
554 2018-11-26  Saam barati  <sbarati@apple.com>
555
556         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
557         https://bugs.webkit.org/show_bug.cgi?id=191958
558         <rdar://problem/46221877>
559
560         Reviewed by Yusuke Suzuki.
561
562         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
563         (x):
564         (foo):
565
566 2018-11-26  Mark Lam  <mark.lam@apple.com>
567
568         NaNs read from Wasm code needs to be purified.
569         https://bugs.webkit.org/show_bug.cgi?id=191056
570         <rdar://problem/45660341>
571
572         Reviewed by Filip Pizlo.
573
574         * wasm/regress/regress-191056.js: Added.
575
576 2018-11-26  Michael Saboff  <msaboff@apple.com>
577
578         32-bit JSC test failure: stress/regexp-compile-oom.js
579         https://bugs.webkit.org/show_bug.cgi?id=191375
580
581         Reviewed by Mark Lam.
582
583         Disabled the test for 32 bit platforms.
584
585         * stress/regexp-compile-oom.js:
586
587 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
588
589         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
590         https://bugs.webkit.org/show_bug.cgi?id=191716
591         <rdar://problem/45723878>
592
593         Reviewed by Saam Barati.
594
595         * stress/regress-187373.js: Added.
596         (async.fn):
597
598 2018-11-21  Saam barati  <sbarati@apple.com>
599
600         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
601         https://bugs.webkit.org/show_bug.cgi?id=191897
602         <rdar://problem/45871998>
603
604         Reviewed by Mark Lam.
605
606         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
607         (bar):
608         (foo):
609
610 2018-11-21  Saam barati  <sbarati@apple.com>
611
612         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
613         https://bugs.webkit.org/show_bug.cgi?id=191895
614         <rdar://problem/46167406>
615
616         Reviewed by Mark Lam.
617
618         * stress/known-cell-use-needs-type-check-assertion.js: Added.
619         (foo):
620         (bar):
621
622 2018-11-21  Mark Lam  <mark.lam@apple.com>
623
624         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
625         https://bugs.webkit.org/show_bug.cgi?id=191776
626         <rdar://problem/46152851>
627
628         Reviewed by Saam Barati.
629
630         * stress/big-wasm-memory-grow-no-max.js:
631         * stress/big-wasm-memory-grow.js:
632         * stress/big-wasm-memory.js:
633         - updated these to expect an OutOfMemoryError.
634
635         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
636         (Binary.prototype.emit_u8):
637         (Binary.prototype.emit_u32v):
638         (Binary.prototype.emit_header):
639         (Binary.prototype.emit_section):
640         (Binary):
641         (WasmModuleBuilder):
642         (WasmModuleBuilder.prototype.addMemory):
643         (WasmModuleBuilder.prototype.toArray):
644         (WasmModuleBuilder.prototype.toBuffer):
645         (WasmModuleBuilder.prototype.instantiate):
646         (catch):
647         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
648         (catch):
649
650 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
651
652         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
653         https://bugs.webkit.org/show_bug.cgi?id=190836
654
655         Reviewed by Saam Barati and Yusuke Suzuki.
656
657         * stress/big-int-out-of-memory-tests.js: Added.
658
659 2018-11-20  Mark Lam  <mark.lam@apple.com>
660
661         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
662         https://bugs.webkit.org/show_bug.cgi?id=191856
663         <rdar://problem/46089992>
664
665         Reviewed by Yusuke Suzuki.
666
667         * stress/regress-191856.js: Added.
668         - this test is skipped for now until we have a fix for webkit.org/b/191855.
669
670 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
671
672         Enable JIT on ARM/Linux
673         https://bugs.webkit.org/show_bug.cgi?id=191548
674
675         Reviewed by Yusuke Suzuki.
676
677         Disable test on system with limited memory. Program was killed by
678         the OS before the exception was thrown.
679
680         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
681
682 2018-11-20  Saam barati  <sbarati@apple.com>
683
684         Merging an IC variant may lead to the IC status containing overlapping structure sets
685         https://bugs.webkit.org/show_bug.cgi?id=191869
686         <rdar://problem/45403453>
687
688         Reviewed by Mark Lam.
689
690         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
691
692 2018-11-19  Mark Lam  <mark.lam@apple.com>
693
694         globalFuncImportModule() should return a promise when it clears exceptions.
695         https://bugs.webkit.org/show_bug.cgi?id=191792
696         <rdar://problem/46090763>
697
698         Reviewed by Michael Saboff.
699
700         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
701
702 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
703
704         Skip new memory-hungry tests on memory limited devices
705
706         Unreviewed gardening.
707
708         * stress/big-wasm-memory-grow-no-max.js:
709         * stress/big-wasm-memory-grow.js:
710         * stress/big-wasm-memory.js:
711
712 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
713
714         Unreviewed, rolling in the rest of r237254
715         https://bugs.webkit.org/show_bug.cgi?id=190340
716
717         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
718         * stress/function-cache-with-parameters-end-position.js: Added.
719         (shouldBe):
720         (shouldThrow):
721         (i.anonymous):
722         * stress/function-constructor-name.js: Added.
723         (shouldBe):
724         (GeneratorFunction):
725         (AsyncFunction.async):
726         (AsyncGeneratorFunction.async):
727         (anonymous):
728         (async.anonymous):
729         * test262/expectations.yaml:
730
731 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
732
733         All users of ArrayBuffer should agree on the same max size
734         https://bugs.webkit.org/show_bug.cgi?id=191771
735
736         Reviewed by Mark Lam.
737
738         * stress/big-wasm-memory-grow-no-max.js: Added.
739         (foo):
740         (catch):
741         * stress/big-wasm-memory-grow.js: Added.
742         (foo):
743         (catch):
744         * stress/big-wasm-memory.js: Added.
745         (foo):
746         (catch):
747
748 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
749
750         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
751         run for each JSC config since they're regression tests for runtime bugs.
752
753         * stress/json-stringified-overflow-2.js:
754         * stress/json-stringified-overflow.js:
755
756 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
757
758         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
759         config since they're regression tests for runtime bugs.
760
761         * stress/large-unshift-splice.js:
762         * stress/regress-185888.js:
763
764 2018-11-16  Saam Barati  <sbarati@apple.com>
765
766         KnownCellUse should also have SpecCellCheck as its type filter
767         https://bugs.webkit.org/show_bug.cgi?id=191729
768         <rdar://problem/45872852>
769
770         Reviewed by Filip Pizlo.
771
772         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
773         (C):
774
775 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
776
777         Fix assertion failure on BytecodeGenerator::recordOpcode
778         https://bugs.webkit.org/show_bug.cgi?id=191724
779         <rdar://problem/45724395>
780
781         Reviewed by Saam Barati.
782
783         * stress/regress-187373-2.js: Added.
784         (foo):
785
786 2018-11-15  Mark Lam  <mark.lam@apple.com>
787
788         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
789         https://bugs.webkit.org/show_bug.cgi?id=191730
790         <rdar://problem/46048517>
791
792         Reviewed by Saam Barati.
793
794         * stress/regress-187006.js: Removed.
795           - this test is invalid because its sole purpose is to test for the non-spec
796             compliant behavior that we just fixed.
797
798         * stress/regress-191730.js: Added.
799
800 2018-11-15  Mark Lam  <mark.lam@apple.com>
801
802         RegExp operations should not take fast path if lastIndex is not numeric.
803         https://bugs.webkit.org/show_bug.cgi?id=191731
804         <rdar://problem/46017305>
805
806         Reviewed by Saam Barati.
807
808         * stress/regress-191731.js: Added.
809
810 2018-11-13  Saam Barati  <sbarati@apple.com>
811
812         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
813         https://bugs.webkit.org/show_bug.cgi?id=191600
814
815         Reviewed by Mark Lam.
816
817         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
818         (foo):
819         (test):
820         (bar):
821
822 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
823
824         Unreviewed, rolling out r238132.
825
826         The test added with this change is timing out on Debug JSC
827         bots.
828
829         Reverted changeset:
830
831         "[BigInt] JSBigInt::createWithLength should throw when length
832         is greater than JSBigInt::maxLength"
833         https://bugs.webkit.org/show_bug.cgi?id=190836
834         https://trac.webkit.org/changeset/238132
835
836 2018-11-13  Mark Lam  <mark.lam@apple.com>
837
838         Add OOM detection to StringPrototype's substituteBackreferences().
839         https://bugs.webkit.org/show_bug.cgi?id=191563
840         <rdar://problem/45720428>
841
842         Reviewed by Saam Barati.
843
844         * stress/regress-191563.js: Added.
845
846 2018-11-13  Mark Lam  <mark.lam@apple.com>
847
848         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
849         https://bugs.webkit.org/show_bug.cgi?id=191579
850         <rdar://problem/45942472>
851
852         Reviewed by Saam Barati.
853
854         * stress/regress-191579.js: Added.
855
856 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
857
858         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
859         https://bugs.webkit.org/show_bug.cgi?id=190836
860
861         Reviewed by Saam Barati.
862
863         * stress/big-int-out-of-memory-tests.js: Added.
864
865 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
866
867         U+180E is no longer a whitespace character
868         https://bugs.webkit.org/show_bug.cgi?id=191415
869
870         Reviewed by Saam Barati.
871
872         * ChakraCore/test/es5/regexSpace.baseline:
873         * ChakraCore/test/es6/unicode_whitespace.js:
874         Update tests to latest version.
875         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
876
877         * test262.yaml:
878         * test262/config.yaml:
879         * test262/expectations.yaml:
880         Update expectations.
881
882 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
883
884         [BigInt] Add support to BigInt into ValueAdd
885         https://bugs.webkit.org/show_bug.cgi?id=186177
886
887         Reviewed by Keith Miller.
888
889         * stress/big-int-negate-jit.js:
890         * stress/value-add-big-int-and-string.js: Added.
891         * stress/value-add-big-int-prediction-propagation.js: Added.
892         * stress/value-add-big-int-untyped.js: Added.
893
894 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
895
896         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
897         https://bugs.webkit.org/show_bug.cgi?id=191184
898
899         Reviewed by Saam Barati.
900
901         Most tests were failing due to timeouts, since they are too slow to
902         run on CLoop. The exceptions are:
903
904         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
905         dont-crash-on-stack-overflow-when-parsing-builtin.js and
906         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
907         to change the stack size since CLoop requires it to be page aligned.
908
909         * microbenchmarks/array-push-1.js:
910         * microbenchmarks/array-push-2.js:
911         * microbenchmarks/elidable-new-object-dag.js:
912         * microbenchmarks/elidable-new-object-roflcopter.js:
913         * microbenchmarks/elidable-new-object-tree.js:
914         * microbenchmarks/getter-richards.js:
915         * microbenchmarks/sinkable-new-object-dag.js:
916         * microbenchmarks/string-concat-long-convert.js:
917         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
918         * slowMicrobenchmarks/array-push-3.js:
919         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
920         * slowMicrobenchmarks/spread-small-array.js:
921         * slowMicrobenchmarks/undefined-property-access.js:
922         * stress/activation-sink-default-value-tdz-error.js:
923         * stress/activation-sink-default-value.js:
924         * stress/activation-sink-osrexit-default-value-tdz-error.js:
925         * stress/activation-sink-osrexit-default-value.js:
926         * stress/activation-sink-osrexit.js:
927         * stress/activation-sink.js:
928         * stress/allow-math-ic-b3-code-duplication.js:
929         * stress/array-push-multiple-int32.js:
930         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
931         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
932         * stress/arrowfunction-lexical-this-activation-sink.js:
933         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
934         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
935         * stress/elide-new-object-dag-then-exit.js:
936         * stress/materialize-regexp-cyclic.js:
937         * stress/new-regex-inline.js:
938         * stress/op_add.js:
939         * stress/op_bitand.js:
940         * stress/op_bitor.js:
941         * stress/op_bitxor.js:
942         * stress/op_div-ConstVar.js:
943         * stress/op_div-VarConst.js:
944         * stress/op_div-VarVar.js:
945         * stress/op_lshift-ConstVar.js:
946         * stress/op_lshift-VarConst.js:
947         * stress/op_lshift-VarVar.js:
948         * stress/op_mod-ConstVar.js:
949         * stress/op_mod-VarConst.js:
950         * stress/op_mod-VarVar.js:
951         * stress/op_mul-ConstVar.js:
952         * stress/op_mul-VarConst.js:
953         * stress/op_mul-VarVar.js:
954         * stress/op_rshift-ConstVar.js:
955         * stress/op_rshift-VarConst.js:
956         * stress/op_rshift-VarVar.js:
957         * stress/op_sub-ConstVar.js:
958         * stress/op_sub-VarConst.js:
959         * stress/op_sub-VarVar.js:
960         * stress/op_urshift-ConstVar.js:
961         * stress/op_urshift-VarConst.js:
962         * stress/op_urshift-VarVar.js:
963         * stress/proxy-get-set-correct-receiver.js:
964         * stress/regress-179562.js:
965         * stress/rest-parameter-many-arguments.js:
966         * stress/sampling-profiler-richards.js:
967         * stress/splay-flash-access-1ms.js:
968         * stress/tailCallForwardArguments.js:
969         * stress/typed-array-get-by-val-profiling.js:
970         * typeProfiler/getter-richards.js:
971
972 2018-11-06  Michael Saboff  <msaboff@apple.com>
973
974         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
975         https://bugs.webkit.org/show_bug.cgi?id=191271
976
977         Reviewed by Saam Barati.
978
979         Added more test cases and made all test cases run with the same deeply recursive stack
980         instead of finding that same point for each test case.
981
982         * stress/regexp-compile-oom.js:
983         (prototype.runTest):
984         (recurseAndTest):
985         (testList.push.new.TestAndExpectedException):
986
987 2018-11-05  Michael Saboff  <msaboff@apple.com>
988
989         Unreviewed build fix for linux.
990
991         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
992
993 2018-11-02  Michael Saboff  <msaboff@apple.com>
994
995         Rolling in r237753 with unreviewed build fix.
996
997         Fixed issues with DECLARE_THROW_SCOPE placement.
998
999 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1000
1001         Unreviewed, rolling out r237753.
1002
1003         Introduced JSC test failures
1004
1005         Reverted changeset:
1006
1007         "Running out of stack space not properly handled in
1008         RegExp::compile() and its callers"
1009         https://bugs.webkit.org/show_bug.cgi?id=191206
1010         https://trac.webkit.org/changeset/237753
1011
1012 2018-11-02  Michael Saboff  <msaboff@apple.com>
1013
1014         Running out of stack space not properly handled in RegExp::compile() and its callers
1015         https://bugs.webkit.org/show_bug.cgi?id=191206
1016
1017         Reviewed by Filip Pizlo.
1018
1019         New regression test.
1020
1021         * stress/regexp-compile-oom.js: Added.
1022         (recurseAndTest):
1023
1024 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1025
1026         Skip tests on arm/mips that time out now we're running on CLoop
1027
1028         Unreviewed gardening.
1029
1030         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1031         time out on the bots and need to be disabled. There are more tests
1032         disabled on arm because the timeout is longer on the mips bot (as the
1033         device is slower to start with), so many of the tests don't time out
1034         there.
1035
1036         * microbenchmarks/getter-richards.js: disable on arm and mips.
1037         * stress/op_add.js: disable on arm.
1038         * stress/op_bitand.js: disable on arm.
1039         * stress/op_bitor.js: disable on arm.
1040         * stress/op_bitxor.js: disable on arm.
1041         * stress/op_lshift-ConstVar.js: disable on arm.
1042         * stress/op_lshift-VarConst.js: disable on arm.
1043         * stress/op_lshift-VarVar.js: disable on arm.
1044         * stress/op_mod-ConstVar.js: disable on arm.
1045         * stress/op_mod-VarConst.js: disable on arm.
1046         * stress/op_mod-VarVar.js: disable on arm.
1047         * stress/op_mul-ConstVar.js: disable on arm.
1048         * stress/op_mul-VarConst.js: disable on arm.
1049         * stress/op_mul-VarVar.js: disable on arm.
1050         * stress/op_rshift-ConstVar.js: disable on arm.
1051         * stress/op_rshift-VarConst.js: disable on arm.
1052         * stress/op_rshift-VarVar.js: disable on arm.
1053         * stress/op_sub-ConstVar.js: disable on arm.
1054         * stress/op_sub-VarConst.js: disable on arm.
1055         * stress/op_sub-VarVar.js: disable on arm.
1056         * stress/op_urshift-ConstVar.js: disable on arm.
1057         * stress/op_urshift-VarConst.js: disable on arm.
1058         * stress/op_urshift-VarVar.js: disable on arm.
1059         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1060         * stress/value-to-boolean.js: disable on arm and mips.
1061
1062 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1063
1064         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1065         https://bugs.webkit.org/show_bug.cgi?id=191108
1066         <rdar://problem/45690700>
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/wide-op_catch.js: Added.
1071         (catch):
1072
1073 2018-10-29  Mark Lam  <mark.lam@apple.com>
1074
1075         Correctly detect string overflow when using the 'Function' constructor.
1076         https://bugs.webkit.org/show_bug.cgi?id=184883
1077         <rdar://problem/36320331>
1078
1079         Reviewed by Saam Barati.
1080
1081         I've verified that this passes on 32-bit as well.
1082
1083         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1084
1085 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1086
1087         Add support for GetStack FlushedDouble
1088         https://bugs.webkit.org/show_bug.cgi?id=191012
1089         <rdar://problem/45265141>
1090
1091         Reviewed by Saam Barati.
1092
1093         * stress/get-stack-double.js: Added.
1094         (bar):
1095         (noInline):
1096
1097 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1098
1099         New bytecode format for JSC
1100         https://bugs.webkit.org/show_bug.cgi?id=187373
1101         <rdar://problem/44186758>
1102
1103         Reviewed by Filip Pizlo.
1104
1105         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1106
1107         * stress/maximum-inline-capacity.js: Added.
1108         (test1):
1109         (test3.Foo):
1110         (test3):
1111
1112 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1113
1114         Unreviewed, rolling out r237479 and r237484.
1115         https://bugs.webkit.org/show_bug.cgi?id=190978
1116
1117         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1118
1119         Reverted changesets:
1120
1121         "New bytecode format for JSC"
1122         https://bugs.webkit.org/show_bug.cgi?id=187373
1123         https://trac.webkit.org/changeset/237479
1124
1125         "Gardening: Build fix after r237479."
1126         https://bugs.webkit.org/show_bug.cgi?id=187373
1127         https://trac.webkit.org/changeset/237484
1128
1129 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1130
1131         New bytecode format for JSC
1132         https://bugs.webkit.org/show_bug.cgi?id=187373
1133         <rdar://problem/44186758>
1134
1135         Reviewed by Filip Pizlo.
1136
1137         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1138
1139         * stress/maximum-inline-capacity.js: Added.
1140         (test1):
1141         (test3.Foo):
1142         (test3):
1143
1144 2018-10-26  Mark Lam  <mark.lam@apple.com>
1145
1146         Fix missing edge cases with JSGlobalObjects having a bad time.
1147         https://bugs.webkit.org/show_bug.cgi?id=189028
1148         <rdar://problem/45204939>
1149
1150         Reviewed by Saam Barati.
1151
1152         * stress/regress-189028.js: Added.
1153
1154 2018-10-22  Mark Lam  <mark.lam@apple.com>
1155
1156         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1157         https://bugs.webkit.org/show_bug.cgi?id=190515
1158         <rdar://problem/45222379>
1159
1160         Rubber-stamped by Saam Barati.
1161
1162         Adding another test.
1163
1164         * stress/regress-190515-2.js: Added.
1165
1166 2018-10-22  Mark Lam  <mark.lam@apple.com>
1167
1168         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1169         https://bugs.webkit.org/show_bug.cgi?id=190515
1170         <rdar://problem/45222379>
1171
1172         Reviewed by Saam Barati.
1173
1174         * stress/regress-190515.js: Added.
1175
1176 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1177
1178         Unreviewed, rolling out r237254.
1179         https://bugs.webkit.org/show_bug.cgi?id=190760
1180
1181         "It regresses JetStream 2 by 5% on some iOS devices"
1182         (Requested by saamyjoon on #webkit).
1183
1184         Reverted changeset:
1185
1186         "[JSC] JSC should have "parseFunction" to optimize Function
1187         constructor"
1188         https://bugs.webkit.org/show_bug.cgi?id=190340
1189         https://trac.webkit.org/changeset/237254
1190
1191 2018-10-19  Saam Barati  <sbarati@apple.com>
1192
1193         vmCall should check if we exit before emitting an OSR exit due to exceptions
1194         https://bugs.webkit.org/show_bug.cgi?id=190740
1195         <rdar://problem/45220139>
1196
1197         Reviewed by Mark Lam.
1198
1199         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1200         (foo):
1201
1202 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1203
1204         [ESNext][BigInt] Implement support for "^"
1205         https://bugs.webkit.org/show_bug.cgi?id=186235
1206
1207         Reviewed by Yusuke Suzuki.
1208
1209         * stress/big-int-bitwise-xor-general.js: Added.
1210         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1211         * stress/big-int-bitwise-xor-type-error.js: Added.
1212         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1213
1214 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1215
1216         [BigInt] Add ValueSub into DFG
1217         https://bugs.webkit.org/show_bug.cgi?id=186176
1218
1219         Reviewed by Yusuke Suzuki.
1220
1221         * stress/big-int-subtraction-jit.js:
1222         * stress/value-sub-big-int-prediction-propagation.js: Added.
1223         * stress/value-sub-big-int-untyped.js: Added.
1224         * stress/value-sub-spec-none-case.js: Added.
1225
1226 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1227
1228         [JSC] JSC should have "parseFunction" to optimize Function constructor
1229         https://bugs.webkit.org/show_bug.cgi?id=190340
1230
1231         Reviewed by Mark Lam.
1232
1233         This patch fixes the line number of syntax errors raised by the Function constructor,
1234         since we now parse the final code only once. And we no longer use block statement
1235         for Function constructor's parsing.
1236
1237         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1238         * stress/function-cache-with-parameters-end-position.js: Added.
1239         (shouldBe):
1240         (shouldThrow):
1241         (i.anonymous):
1242         * stress/function-constructor-name.js: Added.
1243         (shouldBe):
1244         (GeneratorFunction):
1245         (AsyncFunction.async):
1246         (AsyncGeneratorFunction.async):
1247         (anonymous):
1248         (async.anonymous):
1249         * test262/expectations.yaml:
1250
1251 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1252
1253         Unreviewed, rolling out r237242.
1254         https://bugs.webkit.org/show_bug.cgi?id=190701
1255
1256         it breaks "stress/sampling-profiler-basic.js" (Requested by
1257         caiolima on #webkit).
1258
1259         Reverted changeset:
1260
1261         "[BigInt] Add ValueSub into DFG"
1262         https://bugs.webkit.org/show_bug.cgi?id=186176
1263         https://trac.webkit.org/changeset/237242
1264
1265 2018-10-17  Keith Miller  <keith_miller@apple.com>
1266
1267         AI does not clear Phantom allocation nodes.
1268         https://bugs.webkit.org/show_bug.cgi?id=190694
1269
1270         Reviewed by Saam Barati.
1271
1272         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1273         (Day):
1274         (DaysInYear):
1275         (TimeInYear):
1276         (TimeFromYear):
1277         (DayFromYear):
1278         (InLeapYear):
1279         (YearFromTime):
1280         (WeekDay):
1281         (DaylightSavingTA):
1282         (GetSecondSundayInMarch):
1283         (TimeInMonth):
1284
1285 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1286
1287         [BigInt] Add ValueSub into DFG
1288         https://bugs.webkit.org/show_bug.cgi?id=186176
1289
1290         Reviewed by Yusuke Suzuki.
1291
1292         * stress/big-int-subtraction-jit.js:
1293         * stress/value-sub-big-int-prediction-propagation.js: Added.
1294         * stress/value-sub-big-int-untyped.js: Added.
1295
1296 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1297
1298         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1299         https://bugs.webkit.org/show_bug.cgi?id=190611
1300
1301         Reviewed by Saam Barati.
1302
1303         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1304         to improve test runtime. On ARM/MIPS this test even timed out when running all
1305         tests.
1306
1307         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1308         (test):
1309
1310 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1311
1312         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1313
1314         Unreviewed gardening.
1315
1316         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1317
1318 2018-10-15  Saam barati  <sbarati@apple.com>
1319
1320         Emit fjcvtzs on ARM64E on Darwin
1321         https://bugs.webkit.org/show_bug.cgi?id=184023
1322
1323         Reviewed by Yusuke Suzuki and Filip Pizlo.
1324
1325         * stress/double-to-int32-NaN.js: Added.
1326         (assert):
1327         (foo):
1328
1329 2018-10-15  Saam Barati  <sbarati@apple.com>
1330
1331         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1332         https://bugs.webkit.org/show_bug.cgi?id=190262
1333         <rdar://problem/44986241>
1334
1335         Reviewed by Mark Lam.
1336
1337         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1338         (test):
1339         * stress/slice-array-storage-with-holes.js: Added.
1340         (main):
1341
1342 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1343
1344         Unreviewed, rolling out r237054.
1345         https://bugs.webkit.org/show_bug.cgi?id=190593
1346
1347         "this regressed JetStream 2 by 6% on iOS" (Requested by
1348         saamyjoon on #webkit).
1349
1350         Reverted changeset:
1351
1352         "[JSC] JSC should have "parseFunction" to optimize Function
1353         constructor"
1354         https://bugs.webkit.org/show_bug.cgi?id=190340
1355         https://trac.webkit.org/changeset/237054
1356
1357 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1358
1359         [JSC] JSON.stringify can accept call-with-no-arguments
1360         https://bugs.webkit.org/show_bug.cgi?id=190343
1361
1362         Reviewed by Mark Lam.
1363
1364         * stress/json-stringify-no-arguments.js: Added.
1365         (shouldBe):
1366
1367 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1368
1369         [JSC] JSC should have "parseFunction" to optimize Function constructor
1370         https://bugs.webkit.org/show_bug.cgi?id=190340
1371
1372         Reviewed by Mark Lam.
1373
1374         This patch fixes the line number of syntax errors raised by the Function constructor,
1375         since we now parse the final code only once. And we no longer use block statement
1376         for Function constructor's parsing.
1377
1378         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1379         * stress/function-cache-with-parameters-end-position.js: Added.
1380         (shouldBe):
1381         (shouldThrow):
1382         (i.anonymous):
1383         * stress/function-constructor-name.js: Added.
1384         (shouldBe):
1385         (GeneratorFunction):
1386         (AsyncFunction.async):
1387         (AsyncGeneratorFunction.async):
1388         (anonymous):
1389         (async.anonymous):
1390         * test262/expectations.yaml:
1391
1392 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1393
1394         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1395         https://bugs.webkit.org/show_bug.cgi?id=190426
1396
1397         Unreviewed gardening.
1398
1399         * stress/sampling-profiler-richards.js:
1400
1401 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1402
1403         [ESNext][BigInt] Implement support for "|"
1404         https://bugs.webkit.org/show_bug.cgi?id=186229
1405
1406         Reviewed by Yusuke Suzuki.
1407
1408         * stress/big-int-bitwise-and-jit.js:
1409         * stress/big-int-bitwise-or-general.js: Added.
1410         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1411         * stress/big-int-bitwise-or-jit.js: Added.
1412         * stress/big-int-bitwise-or-memory-stress.js: Added.
1413         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1414         * stress/big-int-bitwise-or-type-error.js: Added.
1415         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1416
1417 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1418
1419         Skip test on systems with limited memory
1420         https://bugs.webkit.org/show_bug.cgi?id=190310
1421
1422         Invoking runDefault adds test to runlist, skipping the test in the next
1423         line does not prevent the test from executing. Change order of lines such
1424         that runDefault is only executed if test is not executed.
1425
1426         Reviewed by Mark Lam.
1427
1428         * stress/regress-190187.js:
1429
1430 2018-10-03  Saam barati  <sbarati@apple.com>
1431
1432         lowXYZ in FTLLower should always filter the type of the incoming edge
1433         https://bugs.webkit.org/show_bug.cgi?id=189939
1434         <rdar://problem/44407030>
1435
1436         Reviewed by Michael Saboff.
1437
1438         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1439         (foo):
1440         (test):
1441
1442 2018-10-03  Mark Lam  <mark.lam@apple.com>
1443
1444         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1445         https://bugs.webkit.org/show_bug.cgi?id=190187
1446         <rdar://problem/42512909>
1447
1448         Reviewed by Michael Saboff.
1449
1450         * stress/regress-190187.js: Added.
1451
1452 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1453
1454         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1455         https://bugs.webkit.org/show_bug.cgi?id=190033
1456
1457         Reviewed by Yusuke Suzuki.
1458
1459         * stress/big-int-to-string.js:
1460
1461 2018-10-01  Mark Lam  <mark.lam@apple.com>
1462
1463         Function.toString() should also copy the source code Functions that are class definitions.
1464         https://bugs.webkit.org/show_bug.cgi?id=190186
1465         <rdar://problem/44733360>
1466
1467         Reviewed by Saam Barati.
1468
1469         * stress/regress-190186.js: Added.
1470
1471 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1472
1473         Split NaN-check into separate test
1474         https://bugs.webkit.org/show_bug.cgi?id=190010
1475
1476         Reviewed by Saam Barati.
1477
1478         DataView exposes NaN-representation, which is not necessarily the same on each
1479         architecture. Therefore move the check of the NaN-representation into its own
1480         file such that we can disable this test on MIPS where NaN-representation can be
1481         different on older CPUs.
1482
1483         * stress/dataview-jit-set-nan.js: Added.
1484         (assert):
1485         (test.storeLittleEndian):
1486         (test.storeBigEndian):
1487         (test.store):
1488         (test):
1489         * stress/dataview-jit-set.js:
1490         (test5):
1491
1492 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1493
1494         Unreviewed, rolling out r236647.
1495         https://bugs.webkit.org/show_bug.cgi?id=190124
1496
1497         Breaking test stress/big-int-to-string.js (Requested by
1498         caiolima_ on #webkit).
1499
1500         Reverted changeset:
1501
1502         "[BigInt] BigInt.prototype.toString is broken when radix is
1503         power of 2"
1504         https://bugs.webkit.org/show_bug.cgi?id=190033
1505         https://trac.webkit.org/changeset/236647
1506
1507 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1508
1509         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1510         https://bugs.webkit.org/show_bug.cgi?id=190033
1511
1512         Reviewed by Yusuke Suzuki.
1513
1514         * stress/big-int-to-string.js:
1515
1516 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1517
1518         [ESNext][BigInt] Implement support for "&"
1519         https://bugs.webkit.org/show_bug.cgi?id=186228
1520
1521         Reviewed by Yusuke Suzuki.
1522
1523         * stress/big-int-bitwise-and-general.js: Added.
1524         (assert):
1525         (assert.sameValue):
1526         * stress/big-int-bitwise-and-jit.js: Added.
1527         (let.assert.sameValue):
1528         (bigIntBitAnd):
1529         * stress/big-int-bitwise-and-memory-stress.js: Added.
1530         (assert):
1531         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1532         (assert.sameValue):
1533         (let.o.Symbol.toPrimitive):
1534         (catch):
1535         * stress/big-int-bitwise-and-type-error.js: Added.
1536         (assert):
1537         (assertThrowTypeError):
1538         (let.o.valueOf):
1539         (o.valueOf):
1540         (o.toString):
1541         (o.Symbol.toPrimitive):
1542         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1543         (assert.sameValue):
1544         (testBitAnd):
1545         (let.o.Symbol.toPrimitive):
1546         (o.valueOf):
1547         (o.toString):
1548
1549 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1550
1551         JSC test stress/jsc-read.js doesn't support CRLF
1552         https://bugs.webkit.org/show_bug.cgi?id=190063
1553
1554         Reviewed by Yusuke Suzuki.
1555
1556         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1557
1558         * stress/jsc-read.js:
1559         (test):
1560
1561 2018-09-27  Saam barati  <sbarati@apple.com>
1562
1563         Verify the contents of AssemblerBuffer on arm64e
1564         https://bugs.webkit.org/show_bug.cgi?id=190057
1565         <rdar://problem/38916630>
1566
1567         Reviewed by Mark Lam.
1568
1569         * stress/regress-189132.js:
1570
1571 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1572
1573         Disable test without LLInt on ARMv7
1574         https://bugs.webkit.org/show_bug.cgi?id=190037
1575
1576         Reviewed by Mark Lam.
1577
1578         Test runs out of executable memory on ARMv7, do not run
1579         this test without LLInt enabled.
1580
1581         * stress/regress-169445.js:
1582
1583 2018-09-26  Keith Miller  <keith_miller@apple.com>
1584
1585         We should zero unused property storage when rebalancing array storage.
1586         https://bugs.webkit.org/show_bug.cgi?id=188151
1587
1588         Reviewed by Michael Saboff.
1589
1590         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1591
1592 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1593
1594         [JSC] Optimize Array#lastIndexOf
1595         https://bugs.webkit.org/show_bug.cgi?id=189780
1596
1597         Reviewed by Saam Barati.
1598
1599         * stress/array-lastindexof-array-prototype-trap.js: Added.
1600         (shouldBe):
1601         (AncestorArray.prototype.get 2):
1602         (AncestorArray):
1603         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1604         (shouldBe):
1605         * stress/array-lastindexof-hole-nan.js: Added.
1606         (shouldBe):
1607         (throw.new.Error):
1608         * stress/array-lastindexof-infinity.js: Added.
1609         (shouldBe):
1610         (throw.new.Error):
1611         * stress/array-lastindexof-negative-zero.js: Added.
1612         (shouldBe):
1613         (throw.new.Error):
1614         * stress/array-lastindexof-own-getter.js: Added.
1615         (shouldBe):
1616         (throw.new.Error.get array):
1617         (get array):
1618         * stress/array-lastindexof-prototype-trap.js: Added.
1619         (shouldBe):
1620         (DerivedArray.prototype.get 2):
1621         (DerivedArray):
1622
1623 2018-09-25  Saam Barati  <sbarati@apple.com>
1624
1625         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1626         https://bugs.webkit.org/show_bug.cgi?id=189940
1627         <rdar://problem/43640987>
1628
1629         Reviewed by Mark Lam.
1630
1631         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1632
1633 2018-09-24  Saam Barati  <sbarati@apple.com>
1634
1635         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1636         https://bugs.webkit.org/show_bug.cgi?id=189922
1637         <rdar://problem/44651275>
1638
1639         Reviewed by Mark Lam.
1640
1641         * stress/array-indexof-fast-path-effects.js: Added.
1642         * stress/array-indexof-cached-length.js: Added.
1643
1644 2018-09-24  Saam barati  <sbarati@apple.com>
1645
1646         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1647         https://bugs.webkit.org/show_bug.cgi?id=189682
1648         <rdar://problem/43557315>
1649
1650         Reviewed by Mark Lam.
1651
1652         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1653         (foo):
1654
1655 2018-09-22  Saam barati  <sbarati@apple.com>
1656
1657         The sampling should not use Strong<CodeBlock> in its machineLocation field
1658         https://bugs.webkit.org/show_bug.cgi?id=189319
1659
1660         Reviewed by Filip Pizlo.
1661
1662         * stress/sampling-profiler-richards.js: Added.
1663
1664 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1665
1666         [JSC] Optimize Array#indexOf in C++ runtime
1667         https://bugs.webkit.org/show_bug.cgi?id=189507
1668
1669         Reviewed by Saam Barati.
1670
1671         * stress/array-indexof-array-prototype-trap.js: Added.
1672         (shouldBe):
1673         (AncestorArray.prototype.get 2):
1674         (AncestorArray):
1675         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1676         (shouldBe):
1677         * stress/array-indexof-hole-nan.js: Added.
1678         (shouldBe):
1679         (throw.new.Error):
1680         * stress/array-indexof-infinity.js: Added.
1681         (shouldBe):
1682         (throw.new.Error):
1683         * stress/array-indexof-negative-zero.js: Added.
1684         (shouldBe):
1685         (throw.new.Error):
1686         * stress/array-indexof-own-getter.js: Added.
1687         (shouldBe):
1688         (throw.new.Error.get array):
1689         (get array):
1690         * stress/array-indexof-prototype-trap.js: Added.
1691         (shouldBe):
1692         (DerivedArray.prototype.get 2):
1693         (DerivedArray):
1694
1695 2018-09-19  Saam barati  <sbarati@apple.com>
1696
1697         AI rule for MultiPutByOffset executes its effects in the wrong order
1698         https://bugs.webkit.org/show_bug.cgi?id=189757
1699         <rdar://problem/43535257>
1700
1701         Reviewed by Michael Saboff.
1702
1703         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1704         (foo):
1705         (Foo):
1706         (g):
1707
1708 2018-09-17  Mark Lam  <mark.lam@apple.com>
1709
1710         Ensure that ForInContexts are invalidated if their loop local is over-written.
1711         https://bugs.webkit.org/show_bug.cgi?id=189571
1712         <rdar://problem/44402277>
1713
1714         Reviewed by Saam Barati.
1715
1716         * stress/regress-189571.js: Added.
1717
1718 2018-09-17  Saam barati  <sbarati@apple.com>
1719
1720         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1721         https://bugs.webkit.org/show_bug.cgi?id=189676
1722         <rdar://problem/39682897>
1723
1724         Reviewed by Michael Saboff.
1725
1726         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1727         (A):
1728         (K):
1729         (i.catch):
1730
1731 2018-09-14  Saam barati  <sbarati@apple.com>
1732
1733         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1734         https://bugs.webkit.org/show_bug.cgi?id=189628
1735         <rdar://problem/39481690>
1736
1737         Reviewed by Mark Lam.
1738
1739         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1740         (foo):
1741
1742 2018-09-11  Mark Lam  <mark.lam@apple.com>
1743
1744         Test for array initialization in arrayProtoFuncSplice.
1745         https://bugs.webkit.org/show_bug.cgi?id=170253
1746         <rdar://problem/31328773>
1747
1748         Rubber-stamped by Saam Barati.
1749
1750         * stress/regress-170253.js: Added.
1751
1752 2018-09-11  Mark Lam  <mark.lam@apple.com>
1753
1754         Test for IntlObject initialization.
1755         https://bugs.webkit.org/show_bug.cgi?id=170251
1756         <rdar://problem/31328419>
1757
1758         Rubber-stamped by Saam Barati.
1759
1760         * stress/regress-170251.js: Added.
1761
1762 2018-09-11  Mark Lam  <mark.lam@apple.com>
1763
1764         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1765         https://bugs.webkit.org/show_bug.cgi?id=169889
1766         <rdar://problem/31155607>
1767
1768         Reviewed by Saam Barati.
1769
1770         * stress/regress-169889-array-concat.js: Added.
1771         * stress/regress-169889-array-concat1.js: Added.
1772         * stress/regress-169889-array-slice.js: Added.
1773
1774 2018-09-11  Mark Lam  <mark.lam@apple.com>
1775
1776         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1777         https://bugs.webkit.org/show_bug.cgi?id=169445
1778         <rdar://problem/30957435>
1779
1780         Reviewed by Saam Barati.
1781
1782         * stress/regress-169445.js: Added.
1783         (let.gun.eval.A):
1784         (let.gun.eval.B.C):
1785         (let.gun.eval.B.C.prototype.trigger):
1786         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1787         (let.gun.eval.B):
1788         (let.gun.eval):
1789
1790 == Rolled over to ChangeLog-2018-09-11 ==