Stack overflow crash in JSC::JSObject::hasInstance.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-08  Mark Lam  <mark.lam@apple.com>
2
3         Stack overflow crash in JSC::JSObject::hasInstance.
4         https://bugs.webkit.org/show_bug.cgi?id=195458
5         <rdar://problem/48710195>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/stack-overflow-in-custom-hasInstance.js: Added.
10
11 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
12
13         op_check_tdz does not def its argument
14         https://bugs.webkit.org/show_bug.cgi?id=192880
15         <rdar://problem/46221598>
16
17         Reviewed by Saam Barati.
18
19         * microbenchmarks/let-for-in.js: Added.
20         (foo):
21
22 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
25         https://bugs.webkit.org/show_bug.cgi?id=195429
26
27         Reviewed by Saam Barati.
28
29         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
30         (foo):
31         * stress/string-from-char-code-255.js: Added.
32
33 2019-03-06  Mark Lam  <mark.lam@apple.com>
34
35         Fix incorrect handling of try-finally completion values.
36         https://bugs.webkit.org/show_bug.cgi?id=195131
37         <rdar://problem/46222079>
38
39         Reviewed by Saam Barati and Yusuke Suzuki.
40
41         Added many permutations of new test case to test-finally.js.  test-finally.js has
42         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
43         tests pass there as well.
44
45         * stress/test-finally.js:
46
47 2019-03-06  Saam Barati  <sbarati@apple.com>
48
49         Air::reportUsedRegisters must padInterference
50         https://bugs.webkit.org/show_bug.cgi?id=195303
51         <rdar://problem/48270343>
52
53         Reviewed by Keith Miller.
54
55         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
56
57 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
58
59         [JSC] AI should not propagate AbstractValue relying on constant folding phase
60         https://bugs.webkit.org/show_bug.cgi?id=195375
61
62         Reviewed by Saam Barati.
63
64         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
65         (let.array):
66
67 2019-03-05  Saam barati  <sbarati@apple.com>
68
69         op_switch_char broken for rope strings after JSRopeString layout rewrite
70         https://bugs.webkit.org/show_bug.cgi?id=195339
71         <rdar://problem/48592545>
72
73         Reviewed by Yusuke Suzuki.
74
75         * stress/switch-on-char-llint-rope.js: Added.
76
77 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
78
79         [JSC] Store bits for JSRopeString in 3 stores
80         https://bugs.webkit.org/show_bug.cgi?id=195234
81
82         Reviewed by Saam Barati.
83
84         * stress/null-rope-and-collectors.js: Added.
85
86 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
87
88         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
89         https://bugs.webkit.org/show_bug.cgi?id=195207
90
91         Unreviewed. After test runtime was reduced in r242213, test can be
92         run again on ARM/MIPS.
93
94         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
95
96 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
97
98         [JSC] sizeof(JSString) should be 16
99         https://bugs.webkit.org/show_bug.cgi?id=194375
100
101         Reviewed by Saam Barati.
102
103         * microbenchmarks/make-rope.js: Added.
104         (makeRope):
105         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
106         (returnRope.helper): Deleted.
107         (returnRope): Deleted.
108
109 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
110
111         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
112         https://bugs.webkit.org/show_bug.cgi?id=195144
113
114         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
115         Change the number from 1e8 to 1e5.
116
117         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
118         (foo):
119
120 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
121
122         Test times out on ARM/MIPS
123         https://bugs.webkit.org/show_bug.cgi?id=195168
124
125         Unreviewed. Skip test on ARM/MIPS.
126
127         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
128
129 2019-02-27  Mark Lam  <mark.lam@apple.com>
130
131         The parser is failing to record the token location of new in new.target.
132         https://bugs.webkit.org/show_bug.cgi?id=195127
133         <rdar://problem/39645578>
134
135         Reviewed by Yusuke Suzuki.
136
137         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
138
139 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
140
141         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
142         https://bugs.webkit.org/show_bug.cgi?id=195144
143         <rdar://problem/47595961>
144
145         Reviewed by Mark Lam.
146
147         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
148         (bar):
149         (foo):
150         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
151         (bar):
152         (foo):
153
154 2019-02-27  Robin Morisset  <rmorisset@apple.com>
155
156         DFG: Loop-invariant code motion (LICM) should not hoist dead code
157         https://bugs.webkit.org/show_bug.cgi?id=194945
158         <rdar://problem/48311657>
159
160         Reviewed by Mark Lam.
161
162         * stress/licm-dead-code.js: Added.
163
164 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
165
166         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
167         https://bugs.webkit.org/show_bug.cgi?id=194677
168         <rdar://problem/48112492>
169
170         Reviewed by Mark Lam.
171
172         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
173         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
174         it immediately fails due to the large size.
175
176         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
177         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
178         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
179         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
180
181         This patch changes the test to produce 16bit string from String.fromCharCode.
182
183         * stress/regress-178386.js:
184
185 2019-02-26  Mark Lam  <mark.lam@apple.com>
186
187         wasmToJS() should purify incoming NaNs.
188         https://bugs.webkit.org/show_bug.cgi?id=194807
189         <rdar://problem/48189132>
190
191         Reviewed by Saam Barati.
192
193         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
194
195 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
196
197         [JSC] Repeat string created from Array.prototype.join() take too much memory
198         https://bugs.webkit.org/show_bug.cgi?id=193912
199
200         Reviewed by Saam Barati.
201
202         Added a test and a microbenchmark for corner cases of
203         Array.prototype.join() with an uninitialized array.
204
205         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
206         * stress/array-prototype-join-uninitialized.js: Added.
207         (testArray):
208         (testABC):
209         (B):
210         (C):
211
212 2019-02-22  Robin Morisset  <rmorisset@apple.com>
213
214         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
215         https://bugs.webkit.org/show_bug.cgi?id=194953
216         <rdar://problem/47595253>
217
218         Reviewed by Saam Barati.
219
220         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
221
222         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
223
224 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
225
226         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
227         https://bugs.webkit.org/show_bug.cgi?id=172848
228         <rdar://problem/25709212>
229
230         Reviewed by Mark Lam.
231
232         * typeProfiler/inheritance.js:
233         Rewrite the test slightly for clarity. The hoisting was confusing.
234
235         * heapProfiler/class-names.js: Added.
236         (MyES5Class):
237         (MyES6Class):
238         (MyES6Subclass):
239         Test object types and improved class names.
240
241         * heapProfiler/driver/driver.js:
242         (CheapHeapSnapshotNode):
243         (CheapHeapSnapshot):
244         (createCheapHeapSnapshot):
245         (HeapSnapshot):
246         (createHeapSnapshot):
247         Update snapshot parsing from version 1 to version 2.
248
249 2019-02-19  Truitt Savell  <tsavell@apple.com>
250
251         Unreviewed, rolling out r241784.
252
253         Broke all OpenSource builds.
254
255         Reverted changeset:
256
257         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
258         instances view"
259         https://bugs.webkit.org/show_bug.cgi?id=172848
260         https://trac.webkit.org/changeset/241784
261
262 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
263
264         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
265         https://bugs.webkit.org/show_bug.cgi?id=172848
266         <rdar://problem/25709212>
267
268         Reviewed by Mark Lam.
269
270         * typeProfiler/inheritance.js:
271         Rewrite the test slightly for clarity. The hoisting was confusing.
272
273         * heapProfiler/class-names.js: Added.
274         (MyES5Class):
275         (MyES6Class):
276         (MyES6Subclass):
277         Test object types and improved class names.
278
279         * heapProfiler/driver/driver.js:
280         (CheapHeapSnapshotNode):
281         (CheapHeapSnapshot):
282         (createCheapHeapSnapshot):
283         (HeapSnapshot):
284         (createHeapSnapshot):
285         Update snapshot parsing from version 1 to version 2.
286
287 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
288
289         [ARM] Fix crash with sampling profiler
290         https://bugs.webkit.org/show_bug.cgi?id=194772
291
292         Reviewed by Mark Lam.
293
294         Do not skip test since crash with sampling profiler is now fixed.
295
296         * stress/sampling-profiler-richards.js:
297
298 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
299
300         [JSC] Add LazyClassStructure::getInitializedOnMainThread
301         https://bugs.webkit.org/show_bug.cgi?id=194784
302         <rdar://problem/48154820>
303
304         Reviewed by Mark Lam.
305
306         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
307         (getProperties):
308         (getRandomProperty):
309         (i.catch):
310
311 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
312
313         [ARM] Test gardening: Test running out of executable memory
314         https://bugs.webkit.org/show_bug.cgi?id=194771
315
316         Unreviewed. Do not run test without LLInt, test is running out of executable
317         memory on ARM otherwise.
318
319         * stress/tagged-template-object-collect.js:
320
321 2019-02-18  Tomas Popela  <tpopela@redhat.com>
322
323         Unreviewed, skip the test on platforms without sampling profiler
324
325         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
326         (platformSupportsSamplingProfiler.foo):
327         (platformSupportsSamplingProfiler.test):
328         (platformSupportsSamplingProfiler):
329         (foo): Deleted.
330         (test): Deleted.
331
332 2019-02-17  Saam Barati  <sbarati@apple.com>
333
334         Deadlock when adding a Structure property transition and then doing incremental marking
335         https://bugs.webkit.org/show_bug.cgi?id=194767
336
337         Reviewed by Mark Lam.
338
339         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
340
341 2019-02-15  Michael Saboff  <msaboff@apple.com>
342
343         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
344         https://bugs.webkit.org/show_bug.cgi?id=194558
345
346         Reviewed by Saam Barati.
347
348         New regression test.
349
350         * stress/regexp-unicode-within-string.js: Added.
351
352 2019-02-15  Mark Lam  <mark.lam@apple.com>
353
354         SamplingProfiler::stackTracesAsJSON() should escape strings.
355         https://bugs.webkit.org/show_bug.cgi?id=194649
356         <rdar://problem/48072386>
357
358         Reviewed by Saam Barati.
359
360         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
361         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
362         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
363         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
364
365 2019-02-15  Robin Morisset  <rmorisset@apple.com>
366         CodeBlock::jettison should clear related watchpoints
367         https://bugs.webkit.org/show_bug.cgi?id=194544
368
369         Reviewed by Mark Lam.
370
371         * stress/regexp-replace-double-watchpoint.js: Added.
372         (foo):
373
374 2019-02-15  Saam barati  <sbarati@apple.com>
375
376         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
377         https://bugs.webkit.org/show_bug.cgi?id=194036
378
379         Reviewed by Yusuke Suzuki.
380
381         * stress/tail-call-many-arguments.js: Added.
382         (foo):
383         (bar):
384
385 2019-02-14  Saam Barati  <sbarati@apple.com>
386
387         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
388         https://bugs.webkit.org/show_bug.cgi?id=194583
389         <rdar://problem/48028140>
390
391         Reviewed by Yusuke Suzuki.
392
393         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
394
395 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] String.fromCharCode's slow path always generates 16bit string
398         https://bugs.webkit.org/show_bug.cgi?id=194466
399
400         Reviewed by Keith Miller.
401
402         * stress/string-from-char-code-slow-path.js: Added.
403         (shouldBe):
404         (testWithLength):
405
406 2019-02-08  Saam barati  <sbarati@apple.com>
407
408         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
409         https://bugs.webkit.org/show_bug.cgi?id=194334
410         <rdar://problem/47844327>
411
412         Reviewed by Mark Lam.
413
414         * stress/check-in-bounds-should-be-a-child-use.js: Added.
415         (func):
416
417 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
418
419         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
420         https://bugs.webkit.org/show_bug.cgi?id=194369
421         <rdar://problem/47813087>
422
423         Reviewed by Saam Barati.
424
425         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
426         (A):
427
428 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
429
430         [JSC] PrivateName to PublicName hash table is wasteful
431         https://bugs.webkit.org/show_bug.cgi?id=194277
432
433         Reviewed by Michael Saboff.
434
435         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
436
437         * ChakraCore.yaml:
438
439 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
440
441         [ARM] Test running out of executable memory
442         https://bugs.webkit.org/show_bug.cgi?id=194285
443
444         Unreviewed. Do not execute test with LLInt disabled, test runs out of
445         executable memory otherwise.
446
447         * stress/class-subclassing-function.js:
448
449 2019-02-04  Robin Morisset  <rmorisset@apple.com>
450
451         when lowering AssertNotEmpty, create the value before creating the patchpoint
452         https://bugs.webkit.org/show_bug.cgi?id=194231
453
454         Reviewed by Saam Barati.
455
456         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
457         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
458         So even tiny changes to this test can change the code path taken.
459
460         * stress/assert-not-empty.js: Added.
461         (foo):
462
463 2019-02-01  Mark Lam  <mark.lam@apple.com>
464
465         Remove invalid assertion in DFG's compileDoubleRep().
466         https://bugs.webkit.org/show_bug.cgi?id=194130
467         <rdar://problem/47699474>
468
469         Reviewed by Saam Barati.
470
471         * stress/constant-fold-double-rep-into-double-constant.js: Added.
472
473 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
474
475         Import latest Test262 updates.
476
477         Rubber-stamped by Keith Miller.
478
479         * test262.yaml: Deleted.
480         * test262/config.yaml:
481         * test262/expectations.yaml:
482         * test262/latest-changes-summary.txt:
483         * test262/test/:
484         * test262/test262-Revision.txt:
485
486 2019-01-30  Robin Morisset  <rmorisset@apple.com>
487
488         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
489         https://bugs.webkit.org/show_bug.cgi?id=194050
490         <rdar://problem/47595592>
491
492         Reviewed by Yusuke Suzuki.
493
494         * stress/object-keys-osr-exit.js: Added.
495         (foo):
496         (catch):
497
498 2019-01-29  Mark Lam  <mark.lam@apple.com>
499
500         ValueRecovery::recover() should purify NaN values it recovers.
501         https://bugs.webkit.org/show_bug.cgi?id=193978
502         <rdar://problem/47625488>
503
504         Reviewed by Saam Barati.
505
506         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
507
508 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
509
510         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
511         https://bugs.webkit.org/show_bug.cgi?id=193713
512
513         * stress/try-get-by-id-should-spill-registers-dfg.js:
514         (let.f.createBuiltin):
515
516 2019-01-28  Mark Lam  <mark.lam@apple.com>
517
518         ToString node actually does GC.
519         https://bugs.webkit.org/show_bug.cgi?id=193920
520         <rdar://problem/46695900>
521
522         Reviewed by Yusuke Suzuki.
523
524         * stress/dfg-to-string-on-int-does-gc.js: Added.
525         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
526         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
527
528 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
529
530         [JSC] NativeErrorConstructor should not have own IsoSubspace
531         https://bugs.webkit.org/show_bug.cgi?id=193713
532
533         Reviewed by Saam Barati.
534
535         Remove @Error use.
536
537         * stress/try-get-by-id-should-spill-registers-dfg.js:
538         (let.f.createBuiltin):
539
540 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
541
542         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
543         https://bugs.webkit.org/show_bug.cgi?id=190693
544
545         Reviewed by Michael Saboff.
546
547         * stress/regress-190693.js: Added.
548         (truth):
549         (assert):
550         (shouldThrowInvalidConstAssignment):
551         (taz):
552
553 2019-01-24  Saam Barati  <sbarati@apple.com>
554
555         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
556         https://bugs.webkit.org/show_bug.cgi?id=193751
557         <rdar://problem/47280215>
558
559         Reviewed by Michael Saboff.
560
561         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
562         (let.thing):
563         (foo.let.hello):
564         (foo):
565
566 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
567
568         [JSC] Reenable baseline JIT on mips
569         https://bugs.webkit.org/show_bug.cgi?id=192983
570
571         Reviewed by Mark Lam.
572
573         Added a new test for a case that was triggering a RELEASE_ASSERT when
574         testing.
575         Disable some slow tests that were already disabled for arm and x86.
576
577         * stress/json-parse-big-object.js: Added.
578         * stress/new-largeish-contiguous-array-with-size.js:
579         * stress/op_add.js:
580         * stress/op_bitand.js:
581         * stress/op_bitor.js:
582         * stress/op_bitxor.js:
583         * stress/op_lshift-ConstVar.js:
584         * stress/op_lshift-VarConst.js:
585         * stress/op_lshift-VarVar.js:
586         * stress/op_mod-ConstVar.js:
587         * stress/op_mod-VarConst.js:
588         * stress/op_mod-VarVar.js:
589         * stress/op_mul-ConstVar.js:
590         * stress/op_mul-VarConst.js:
591         * stress/op_mul-VarVar.js:
592         * stress/op_rshift-ConstVar.js:
593         * stress/op_rshift-VarConst.js:
594         * stress/op_rshift-VarVar.js:
595         * stress/op_sub-ConstVar.js:
596         * stress/op_sub-VarConst.js:
597         * stress/op_sub-VarVar.js:
598         * stress/op_urshift-ConstVar.js:
599         * stress/op_urshift-VarConst.js:
600         * stress/op_urshift-VarVar.js:
601         * stress/sampling-profiler-richards.js:
602         * stress/spread-forward-call-varargs-stack-overflow.js:
603
604 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
605
606         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
607         https://bugs.webkit.org/show_bug.cgi?id=193711
608         <rdar://problem/47250262>
609
610         Reviewed by Saam Barati.
611
612         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
613         (shouldBe):
614         (foo):
615         (bar):
616         (baz):
617
618 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
619
620         Unreviewed, fix initial global lexical binding epoch
621         https://bugs.webkit.org/show_bug.cgi?id=193603
622         <rdar://problem/47380869>
623
624         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
625         (f1.f2.f3.f4):
626         (f1.f2.f3):
627         (f1.f2):
628         (f1):
629
630 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
631
632         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
633         https://bugs.webkit.org/show_bug.cgi?id=193709
634         <rdar://problem/47363838>
635
636         Unreviewed, rollout to watch the tests.
637
638         * stress/object-tostring-changed-proto.js: Removed.
639         * stress/object-tostring-changed.js: Removed.
640         * stress/object-tostring-misc.js: Removed.
641         * stress/object-tostring-other.js: Removed.
642         * stress/object-tostring-untyped.js: Removed.
643
644 2019-01-22  Saam Barati  <sbarati@apple.com>
645
646         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
647
648         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
649         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
650         (testUncheckedLessThanZero):
651         (testUncheckedLessThanOrEqualZero):
652         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
653         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
654
655 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
656
657         [JSC] Invalidate old scope operations using global lexical binding epoch
658         https://bugs.webkit.org/show_bug.cgi?id=193603
659         <rdar://problem/47380869>
660
661         Reviewed by Saam Barati.
662
663         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
664         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
665         (shouldThrow):
666         (bar):
667         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
668         (shouldBe):
669         (get1):
670         (get2):
671         (get1If):
672         (get2If):
673         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
674         (shouldThrow):
675         (foo):
676
677 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
678
679         Unreviewed, roll out r240220 due to date-format-xparb regression
680         https://bugs.webkit.org/show_bug.cgi?id=193603
681
682         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
683         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
684         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
685         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
686
687 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
688
689         DoesGC rule is wrong for nodes with BigIntUse
690         https://bugs.webkit.org/show_bug.cgi?id=193652
691
692         Reviewed by Saam Barati.
693
694         * stress/big-int-value-op-update-gc-rules.js: Added.
695         (assert):
696         (doesGCAdd):
697         (doesGCSub):
698         (doesGCDiv):
699         (doesGCMul):
700         (doesGCBitAnd):
701         (doesGCBitOr):
702         (doesGCBitXor):
703
704 2019-01-20  Saam Barati  <sbarati@apple.com>
705
706         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
707         https://bugs.webkit.org/show_bug.cgi?id=193644
708         <rdar://problem/46209745>
709
710         Reviewed by Yusuke Suzuki.
711
712         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
713         (foo):
714         * stress/data-view-set-intrinsic-undefined-result.js: Added.
715         (foo):
716         (bar):
717
718 2019-01-20  Saam Barati  <sbarati@apple.com>
719
720         MovHint must merge NodeBytecodeUsesAsValue for its child
721         https://bugs.webkit.org/show_bug.cgi?id=186916
722         <rdar://problem/41396612>
723
724         Reviewed by Yusuke Suzuki.
725
726         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
727         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
728
729 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
730
731         [JSC] Invalidate old scope operations using global lexical binding epoch
732         https://bugs.webkit.org/show_bug.cgi?id=193603
733         <rdar://problem/47380869>
734
735         Reviewed by Saam Barati.
736
737         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
738         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
739         (shouldThrow):
740         (bar):
741         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
742         (shouldBe):
743         (get1):
744         (get2):
745         (get1If):
746         (get2If):
747         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
748         (shouldThrow):
749         (foo):
750
751 2019-01-17  Saam barati  <sbarati@apple.com>
752
753         StringObjectUse should not be a structure check for the original string object structure
754         https://bugs.webkit.org/show_bug.cgi?id=193483
755         <rdar://problem/47280522>
756
757         Reviewed by Yusuke Suzuki.
758
759         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
760         (foo):
761         (a.valueOf.0):
762
763 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
764
765         [JSC] ToThis omission in DFGByteCodeParser is wrong
766         https://bugs.webkit.org/show_bug.cgi?id=193513
767         <rdar://problem/45842236>
768
769         Reviewed by Saam Barati.
770
771         * stress/to-this-omission-with-different-strict-modes.js: Added.
772         (thisA):
773         (thisAStrictWrapper):
774
775 2019-01-15  Mark Lam  <mark.lam@apple.com>
776
777         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
778         https://bugs.webkit.org/show_bug.cgi?id=193423
779         <rdar://problem/46209355>
780
781         Reviewed by Saam Barati.
782
783         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
784         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
785         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
786         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
787
788 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
789
790         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
791         https://bugs.webkit.org/show_bug.cgi?id=193438
792         <rdar://problem/45581249>
793
794         Reviewed by Saam Barati and Keith Miller.
795
796         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
797         Then, GetByVal(String) crashed.
798
799         * stress/string-get-by-val-lowering.js: Added.
800         (shouldBe):
801         (test):
802         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
803         (Hello):
804         (foo):
805
806 2019-01-15  Tomas Popela  <tpopela@redhat.com>
807
808         Unreviewed, skip JIT tests if it's not enabled
809
810         * stress/bit-op-with-object-returning-int32.js:
811
812 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
813
814         DFGByteCodeParser rules for bitwise operations should consider type of their operands
815         https://bugs.webkit.org/show_bug.cgi?id=192966
816
817         Reviewed by Yusuke Suzuki.
818
819         * stress/bit-op-with-object-returning-int32.js: Added.
820
821 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
822
823         Skip a slow test and a flakey test on arm
824
825         Unreviewed gardening.
826
827         * typeProfiler/getter-richards.js:
828         this test always times out, it used to be always skipped on arm and
829         mips, but got accidentally enabled by r237919 now that we have DFG on
830         arm. Also skipping on mips as we plan to soon enable DFG for it too.
831
832 2019-01-14  Keith Miller  <keith_miller@apple.com>
833
834         Skip type-check-hoisting-phase-hoist... with no jit
835         https://bugs.webkit.org/show_bug.cgi?id=193421
836
837         Reviewed by Mark Lam.
838
839         It's timing out the 32-bit bots and takes 330 seconds
840         on my machine when run by itself.
841
842         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
843
844 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
845
846         [JSC] AI should check the given constant's array type when folding GetByVal into constant
847         https://bugs.webkit.org/show_bug.cgi?id=193413
848         <rdar://problem/46092389>
849
850         Reviewed by Keith Miller.
851
852         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
853         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
854         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
855         but GetByVal does not have appropriate ArrayModes, JSC crashes.
856
857         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
858         (compareArray):
859
860 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
861
862         [BigInt] Literal parsing is crashing when used inside an Object Literal
863         https://bugs.webkit.org/show_bug.cgi?id=193404
864
865         Reviewed by Yusuke Suzuki.
866
867         * stress/big-int-literal-inside-literal-object.js: Added.
868
869 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
870
871         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
872         https://bugs.webkit.org/show_bug.cgi?id=193372
873
874         Reviewed by Saam Barati.
875
876         * stress/typed-array-array-modes-profile.js: Added.
877         (foo):
878
879 2019-01-14  Mark Lam  <mark.lam@apple.com>
880
881         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
882         https://bugs.webkit.org/show_bug.cgi?id=193402
883         <rdar://problem/46012309>
884
885         Reviewed by Keith Miller.
886
887         * stress/regexp-compile-oom.js:
888         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
889           is enabled.  As a result, it will fail on cloop builds though there is no bug.
890
891 2019-01-11  Saam barati  <sbarati@apple.com>
892
893         DFG combined liveness can be wrong for terminal basic blocks
894         https://bugs.webkit.org/show_bug.cgi?id=193304
895         <rdar://problem/45268632>
896
897         Reviewed by Yusuke Suzuki.
898
899         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
900
901 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
902
903         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
904         https://bugs.webkit.org/show_bug.cgi?id=193308
905         <rdar://problem/45546542>
906
907         Reviewed by Saam Barati.
908
909         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
910         (shouldThrow):
911         (shouldBe):
912         (foo):
913         (get shouldThrow):
914         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
915         (shouldThrow):
916         (shouldBe):
917         (foo):
918         (get shouldBe):
919         (get shouldThrow):
920         (get return):
921         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
922         (shouldThrow):
923         (shouldBe):
924         (foo):
925         (get shouldBe):
926         (get shouldThrow):
927         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
928         (shouldThrow):
929         (shouldBe):
930         (foo):
931         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
932         (shouldThrow):
933         (shouldBe):
934         (foo):
935         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
936         (shouldThrow):
937         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
938         (shouldThrow):
939         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
940         (shouldThrow):
941         (shouldBe):
942         (foo):
943         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
944         (shouldThrow):
945         (shouldBe):
946         (foo):
947         (get shouldBe):
948         (get shouldThrow):
949         (get return):
950         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
951         (shouldThrow):
952         (shouldBe):
953         (foo):
954         (get shouldBe):
955         (get shouldThrow):
956         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
957         (shouldThrow):
958         (shouldBe):
959         (foo):
960         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
961         (shouldThrow):
962         (shouldBe):
963         (foo):
964
965 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
966
967         Enable DFG on ARM/Linux again
968         https://bugs.webkit.org/show_bug.cgi?id=192496
969
970         Reviewed by Yusuke Suzuki.
971
972         Test wasn't really skipped before moving the line with skip
973         to the top.
974
975         * stress/regress-192717.js:
976
977 2019-01-10  Commit Queue  <commit-queue@webkit.org>
978
979         Unreviewed, rolling out r239825.
980         https://bugs.webkit.org/show_bug.cgi?id=193330
981
982         Broke tests on armv7/linux bots (Requested by guijemont on
983         #webkit).
984
985         Reverted changeset:
986
987         "Enable DFG on ARM/Linux again"
988         https://bugs.webkit.org/show_bug.cgi?id=192496
989         https://trac.webkit.org/changeset/239825
990
991 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
992
993         Enable DFG on ARM/Linux again
994         https://bugs.webkit.org/show_bug.cgi?id=192496
995
996         Reviewed by Yusuke Suzuki.
997
998         Test wasn't really skipped before moving the line with skip
999         to the top.
1000
1001         * stress/regress-192717.js:
1002
1003 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1004
1005         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1006         https://bugs.webkit.org/show_bug.cgi?id=193127
1007
1008         Reviewed by Saam Barati.
1009
1010         * stress/array-species-create-should-handle-masquerader.js: Added.
1011         (shouldThrow):
1012         * stress/is-undefined-or-null-builtin.js: Added.
1013         (shouldBe):
1014         (isUndefinedOrNull.vm.createBuiltin):
1015
1016 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1017
1018         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1019         https://bugs.webkit.org/show_bug.cgi?id=193221
1020
1021         Reviewed by Mark Lam.
1022
1023         * stress/put-by-id-flags.js: Added.
1024         (f):
1025         (g):
1026         (numberOfDFGCompiles):
1027
1028 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1029
1030         Baseline version of get_by_id may corrupt metadata
1031         https://bugs.webkit.org/show_bug.cgi?id=193085
1032         <rdar://problem/23453006>
1033
1034         Reviewed by Saam Barati.
1035
1036         * stress/get-by-id-change-mode.js: Added.
1037         (forEach):
1038
1039 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1040
1041         [JSC] Optimize Object.prototype.toString
1042         https://bugs.webkit.org/show_bug.cgi?id=193031
1043
1044         Reviewed by Saam Barati.
1045
1046         * stress/object-tostring-changed-proto.js: Added.
1047         (shouldBe):
1048         (test):
1049         * stress/object-tostring-changed.js: Added.
1050         (shouldBe):
1051         (test):
1052         * stress/object-tostring-misc.js: Added.
1053         (shouldBe):
1054         (test):
1055         (i.switch):
1056         * stress/object-tostring-other.js: Added.
1057         (shouldBe):
1058         (test):
1059         * stress/object-tostring-untyped.js: Added.
1060         (shouldBe):
1061         (test):
1062         (i.switch):
1063
1064 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1065
1066         test262-runner misbehaves when test file YAML has a trailing space
1067         https://bugs.webkit.org/show_bug.cgi?id=193053
1068
1069         Reviewed by Yusuke Suzuki.
1070
1071         * test262/expectations.yaml:
1072         Mark two dozen tests as passing (and correct the output of another).
1073
1074 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1075
1076         Unreviewed, JSTests gardening with memoryLimited
1077
1078         * stress/string-overflow-createError.js:
1079
1080 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1081
1082         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1083         https://bugs.webkit.org/show_bug.cgi?id=193050
1084
1085         Reviewed by Yusuke Suzuki.
1086
1087         * test262.yaml:
1088         * test262/expectations.yaml:
1089         Mark 16 tests as passing.
1090
1091 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1092
1093         [BigInt] Support BigInt in JSON.stringify
1094         https://bugs.webkit.org/show_bug.cgi?id=192624
1095
1096         Reviewed by Saam Barati.
1097
1098         * stress/big-int-json-stringify-to-json.js: Added.
1099         (shouldBe):
1100         (shouldThrow):
1101         (BigInt.prototype.toJSON):
1102         (shouldBe.JSON.stringify):
1103         * stress/big-int-json-stringify.js: Added.
1104         (shouldBe):
1105         (shouldThrow):
1106
1107 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1108
1109         [JSC] Implement "well-formed JSON.stringify" proposal
1110         https://bugs.webkit.org/show_bug.cgi?id=191677
1111
1112         Reviewed by Darin Adler.
1113
1114         * stress/json-surrogate-pair.js: Added.
1115         (shouldBe):
1116         * test262/expectations.yaml:
1117
1118 2018-12-20  Keith Miller  <keith_miller@apple.com>
1119
1120         Add support for globalThis
1121         https://bugs.webkit.org/show_bug.cgi?id=165171
1122
1123         Reviewed by Mark Lam.
1124
1125         * test262/config.yaml:
1126
1127 2018-12-19  Keith Miller  <keith_miller@apple.com>
1128
1129         Update test262 configuration to not run tests dependent on ICU version.
1130         https://bugs.webkit.org/show_bug.cgi?id=192920
1131
1132         Reviewed by Saam Barati.
1133
1134         * test262/expectations.yaml:
1135
1136 2018-12-20  Mark Lam  <mark.lam@apple.com>
1137
1138         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1139         https://bugs.webkit.org/show_bug.cgi?id=192939
1140         <rdar://problem/46869516>
1141
1142         Reviewed by Keith Miller.
1143
1144         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1145
1146 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1147
1148         WTF::String and StringImpl overflow MaxLength
1149         https://bugs.webkit.org/show_bug.cgi?id=192853
1150         <rdar://problem/45726906>
1151
1152         Reviewed by Mark Lam.
1153
1154         * stress/string-16bit-repeat-overflow.js: Added.
1155         (catch):
1156
1157 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1158
1159         Unreviewed follow-up to r192914.
1160
1161         * test262/expectations.yaml:
1162         Add the last 20 missing expectations.
1163
1164 2018-12-19  Keith Miller  <keith_miller@apple.com>
1165
1166         Fix test262 expectations
1167         https://bugs.webkit.org/show_bug.cgi?id=192914
1168
1169         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1170
1171         * test262/expectations.yaml:
1172
1173 2018-12-19  Keith Miller  <keith_miller@apple.com>
1174
1175         Update test262 tests.
1176         https://bugs.webkit.org/show_bug.cgi?id=192907
1177
1178         Rubber stamped by Mark Lam.
1179
1180         * test262/*: Omitted because prepare-changelog crashes.
1181
1182 2018-12-19  Mark Lam  <mark.lam@apple.com>
1183
1184         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1185         https://bugs.webkit.org/show_bug.cgi?id=192464
1186         <rdar://problem/46519455>
1187
1188         Reviewed by Saam Barati.
1189
1190         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1191         microbenchmark.
1192
1193         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1194         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1195
1196 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1197
1198         String overflow in JSC::createError results in ASSERT in WTF::makeString
1199         https://bugs.webkit.org/show_bug.cgi?id=192833
1200         <rdar://problem/45706868>
1201
1202         Reviewed by Mark Lam.
1203
1204         * stress/string-overflow-createError.js: Added.
1205
1206 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1207
1208         Error message for `-x ** y` contains a typo.
1209         https://bugs.webkit.org/show_bug.cgi?id=192832
1210
1211         Reviewed by Saam Barati.
1212
1213         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1214         (assert.assert.return.throws):
1215         * stress/pow-expects-update-expression-on-lhs.js:
1216         (throw.new.Error):
1217         Update test expectations which match against the exact error message.
1218
1219 2018-12-18  Mark Lam  <mark.lam@apple.com>
1220
1221         Gardening: test options fix.
1222         https://bugs.webkit.org/show_bug.cgi?id=192822
1223
1224         Unreviewed.
1225
1226         * stress/json-stringify-string-builder-overflow.js:
1227
1228 2018-12-18  Mark Lam  <mark.lam@apple.com>
1229
1230         JSON.stringify() should throw OOM on StringBuilder overflows.
1231         https://bugs.webkit.org/show_bug.cgi?id=192822
1232         <rdar://problem/46670577>
1233
1234         Reviewed by Saam Barati.
1235
1236         * stress/json-stringify-string-builder-overflow.js: Added.
1237
1238 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1239
1240         Redeclaration of var over let/const/class should be a syntax error.
1241         https://bugs.webkit.org/show_bug.cgi?id=192298
1242
1243         Reviewed by Keith Miller.
1244
1245         * test262.yaml:
1246         * test262/expectations.yaml:
1247         Mark 46 tests as passing.
1248
1249         * stress/block-scope-redeclarations.js:
1250         Add some new tests.
1251
1252         * stress/for-in-invalidate-context-weird-assignments.js:
1253         * stress/for-in-tests.js:
1254         Replace tests for outdated behavior with tests for SyntaxError.
1255
1256         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1257         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1258         Update expectations.
1259
1260 2018-12-18  Mark Lam  <mark.lam@apple.com>
1261
1262         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1263         https://bugs.webkit.org/show_bug.cgi?id=191374
1264         <rdar://problem/46525447>
1265
1266         Reviewed by Yusuke Suzuki.
1267
1268         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1269
1270         * stress/elidable-new-object-roflcopter-then-exit.js:
1271
1272 2018-12-17  Mark Lam  <mark.lam@apple.com>
1273
1274         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1275         https://bugs.webkit.org/show_bug.cgi?id=192019
1276         <rdar://problem/46525456>
1277
1278         Reviewed by Yusuke Suzuki.
1279
1280         The test runs too slow on 32-bit.
1281
1282         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1283
1284 2018-12-17  Mark Lam  <mark.lam@apple.com>
1285
1286         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1287         https://bugs.webkit.org/show_bug.cgi?id=191373
1288         <rdar://problem/46525458>
1289
1290         Reviewed by Yusuke Suzuki.
1291
1292         The test is already slow running with a JIT on 64-bit.  It will always time out
1293         on 32-bit without a JIT.
1294
1295         * stress/materialize-regexp-cyclic-regexp.js:
1296
1297 2018-12-17  Mark Lam  <mark.lam@apple.com>
1298
1299         Array unshift/shift should not race against the AI in the compiler thread.
1300         https://bugs.webkit.org/show_bug.cgi?id=192795
1301         <rdar://problem/46724263>
1302
1303         Reviewed by Saam Barati.
1304
1305         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1306
1307 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1308
1309         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1310         https://bugs.webkit.org/show_bug.cgi?id=190047
1311
1312         Reviewed by Saam Barati.
1313
1314         * stress/object-keys-cached-zero.js: Added.
1315         (shouldBe):
1316         (test):
1317         * stress/object-keys-changed-attribute.js: Added.
1318         (shouldBe):
1319         (test):
1320         * stress/object-keys-changed-index.js: Added.
1321         (shouldBe):
1322         (test):
1323         * stress/object-keys-changed.js: Added.
1324         (shouldBe):
1325         (test):
1326         * stress/object-keys-indexed-non-cache.js: Added.
1327         (shouldBe):
1328         (test):
1329         * stress/object-keys-overrides-get-property-names.js: Added.
1330         (shouldBe):
1331         (test):
1332         (noInline):
1333
1334 2018-12-17  Mark Lam  <mark.lam@apple.com>
1335
1336         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1337         https://bugs.webkit.org/show_bug.cgi?id=192779
1338         <rdar://problem/46775869>
1339
1340         Reviewed by Saam Barati.
1341
1342         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1343
1344 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1345
1346         Unreviewed test gardening, address a syntax error in a new test.
1347
1348         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1349
1350 2018-12-17  Mark Lam  <mark.lam@apple.com>
1351
1352         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1353         https://bugs.webkit.org/show_bug.cgi?id=192776
1354         <rdar://problem/46772368>
1355
1356         Reviewed by Keith Miller.
1357
1358         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1359
1360 2018-12-17  Mark Lam  <mark.lam@apple.com>
1361
1362         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1363         https://bugs.webkit.org/show_bug.cgi?id=192770
1364         <rdar://problem/46449037>
1365
1366         Reviewed by Keith Miller.
1367
1368         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1369
1370 2018-12-14  Mark Lam  <mark.lam@apple.com>
1371
1372         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1373         https://bugs.webkit.org/show_bug.cgi?id=192717
1374         <rdar://problem/46660677>
1375
1376         Reviewed by Saam Barati.
1377
1378         * stress/regress-192717.js: Added.
1379
1380 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1381
1382         Unreviewed, rolling out r239153, r239154, and r239155.
1383         https://bugs.webkit.org/show_bug.cgi?id=192715
1384
1385         Caused flaky GC-related crashes seen with layout tests
1386         (Requested by ryanhaddad on #webkit).
1387
1388         Reverted changesets:
1389
1390         "[JSC] Optimize Object.keys by caching own keys results in
1391         StructureRareData"
1392         https://bugs.webkit.org/show_bug.cgi?id=190047
1393         https://trac.webkit.org/changeset/239153
1394
1395         "Unreviewed, build fix after r239153"
1396         https://bugs.webkit.org/show_bug.cgi?id=190047
1397         https://trac.webkit.org/changeset/239154
1398
1399         "Unreviewed, build fix after r239153, part 2"
1400         https://bugs.webkit.org/show_bug.cgi?id=190047
1401         https://trac.webkit.org/changeset/239155
1402
1403 2018-12-14  Keith Miller  <keith_miller@apple.com>
1404
1405         Callers of JSString::getIndex should check for OOM exceptions
1406         https://bugs.webkit.org/show_bug.cgi?id=192709
1407
1408         Reviewed by Mark Lam.
1409
1410         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1411
1412 2018-12-13  Mark Lam  <mark.lam@apple.com>
1413
1414         Add a missing exception check.
1415         https://bugs.webkit.org/show_bug.cgi?id=192626
1416         <rdar://problem/46662163>
1417
1418         Reviewed by Keith Miller.
1419
1420         * stress/regress-192626.js: Added.
1421
1422 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1423
1424         [BigInt] Add ValueDiv into DFG
1425         https://bugs.webkit.org/show_bug.cgi?id=186178
1426
1427         Reviewed by Yusuke Suzuki.
1428
1429         * stress/big-int-div-jit-osr.js: Added.
1430         * stress/big-int-div-jit-untyped.js: Added.
1431         * stress/value-div-fixup-int32-big-int.js: Added.
1432
1433 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1434
1435         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1436         https://bugs.webkit.org/show_bug.cgi?id=190047
1437
1438         Reviewed by Keith Miller.
1439
1440         * stress/object-keys-cached-zero.js: Added.
1441         (shouldBe):
1442         (test):
1443         * stress/object-keys-changed-attribute.js: Added.
1444         (shouldBe):
1445         (test):
1446         * stress/object-keys-changed-index.js: Added.
1447         (shouldBe):
1448         (test):
1449         * stress/object-keys-changed.js: Added.
1450         (shouldBe):
1451         (test):
1452         * stress/object-keys-indexed-non-cache.js: Added.
1453         (shouldBe):
1454         (test):
1455         * stress/object-keys-overrides-get-property-names.js: Added.
1456         (shouldBe):
1457         (test):
1458         (noInline):
1459
1460 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1461
1462         [DFG][FTL] Add NewSymbol
1463         https://bugs.webkit.org/show_bug.cgi?id=192620
1464
1465         Reviewed by Saam Barati.
1466
1467         * microbenchmarks/symbol-creation.js: Added.
1468         (test):
1469         * stress/symbol-description-identity.js: Added.
1470         (shouldBe):
1471         (test):
1472         * stress/symbol-identity.js: Added.
1473         (shouldBe):
1474         (test):
1475         * stress/symbol-with-description-throw-error.js: Added.
1476         (shouldBe):
1477         (shouldThrow):
1478         (test):
1479         (object.toString):
1480
1481 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1482
1483         [BigInt] Implement DFG/FTL typeof for BigInt
1484         https://bugs.webkit.org/show_bug.cgi?id=192619
1485
1486         Reviewed by Keith Miller.
1487
1488         * stress/big-int-boolean-proven-type.js: Added.
1489         (assert):
1490         (bool):
1491         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1492         (assert):
1493         (typeOf):
1494         (i.switch):
1495         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1496         (assert):
1497         (typeOf):
1498         * stress/big-int-type-of.js:
1499         (typeOf):
1500         (func):
1501
1502 2018-12-10  Mark Lam  <mark.lam@apple.com>
1503
1504         PropertyAttribute needs a CustomValue bit.
1505         https://bugs.webkit.org/show_bug.cgi?id=191993
1506         <rdar://problem/46264467>
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/regress-191993.js: Added.
1511
1512 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1513
1514         [BigInt] Add ValueMul into DFG
1515         https://bugs.webkit.org/show_bug.cgi?id=186175
1516
1517         Reviewed by Yusuke Suzuki.
1518
1519         * stress/big-int-mul-jit-osr.js: Added.
1520         * stress/big-int-mul-jit-untyped.js: Added.
1521         * stress/value-mul-fixup-int32-big-int.js: Added.
1522
1523 2018-12-06  Keith Miller  <keith_miller@apple.com>
1524
1525         stress/big-wasm-memory tests failing on 32-bit JSC bot
1526         https://bugs.webkit.org/show_bug.cgi?id=192020
1527
1528         Reviewed by Saam Barati.
1529
1530         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1531         the wasm stress tests if the WebAssembly object does not exist.
1532
1533         * stress/big-wasm-memory-grow-no-max.js:
1534         (test.foo):
1535         (test):
1536         (foo): Deleted.
1537         (catch): Deleted.
1538         * stress/big-wasm-memory-grow.js:
1539         (test.foo):
1540         (test):
1541         (foo): Deleted.
1542         (catch): Deleted.
1543         * stress/big-wasm-memory.js:
1544         (test.foo):
1545         (test):
1546         (foo): Deleted.
1547         (catch): Deleted.
1548
1549 2018-12-05  Mark Lam  <mark.lam@apple.com>
1550
1551         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1552         https://bugs.webkit.org/show_bug.cgi?id=192441
1553         <rdar://problem/46480355>
1554
1555         Reviewed by Saam Barati.
1556
1557         * stress/regress-192441.js: Added.
1558
1559 2018-12-04  Mark Lam  <mark.lam@apple.com>
1560
1561         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1562         https://bugs.webkit.org/show_bug.cgi?id=192386
1563         <rdar://problem/46445516>
1564
1565         Reviewed by Saam Barati.
1566
1567         * stress/regress-192386.js: Added.
1568
1569 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1570
1571         [ESNext][BigInt] Support logic operations
1572         https://bugs.webkit.org/show_bug.cgi?id=179903
1573
1574         Reviewed by Yusuke Suzuki.
1575
1576         * stress/big-int-branch-usage.js: Added.
1577         * stress/big-int-logical-and.js: Added.
1578         * stress/big-int-logical-not.js: Added.
1579         * stress/big-int-logical-or.js: Added.
1580
1581 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1582
1583         Unreviewed, rolling out r238833.
1584
1585         Breaks macOS and iOS debug builds.
1586
1587         Reverted changeset:
1588
1589         "[ESNext][BigInt] Support logic operations"
1590         https://bugs.webkit.org/show_bug.cgi?id=179903
1591         https://trac.webkit.org/changeset/238833
1592
1593 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1594
1595         [ESNext][BigInt] Support logic operations
1596         https://bugs.webkit.org/show_bug.cgi?id=179903
1597
1598         Reviewed by Yusuke Suzuki.
1599
1600         * stress/big-int-branch-usage.js: Added.
1601         * stress/big-int-logical-and.js: Added.
1602         * stress/big-int-logical-not.js: Added.
1603         * stress/big-int-logical-or.js: Added.
1604
1605 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1606
1607         [ESNext][BigInt] Implement support for "<<" and ">>"
1608         https://bugs.webkit.org/show_bug.cgi?id=186233
1609
1610         Reviewed by Yusuke Suzuki.
1611
1612         * stress/big-int-left-shift-general.js: Added.
1613         * stress/big-int-left-shift-range-error.js: Added.
1614         * stress/big-int-left-shift-type-error.js: Added.
1615         * stress/big-int-left-shift-wrapped-value.js: Added.
1616         * stress/big-int-right-shift-general.js: Added.
1617         * stress/big-int-right-shift-type-error.js: Added.
1618         * stress/big-int-right-shift-wrapped-value.js: Added.
1619         * stress/left-shift-to-primitive-precedence.js: Added.
1620         * stress/right-shift-to-primitive-precedence.js: Added.
1621
1622 2018-11-30  Dean Jackson  <dino@apple.com>
1623
1624         Add first-class support for .mjs files in jsc binary
1625         https://bugs.webkit.org/show_bug.cgi?id=192190
1626         <rdar://problem/46375715>
1627
1628         Reviewed by Keith Miller.
1629
1630         * stress/simple-module.mjs: Added.
1631         * stress/simple-script.js: Added.
1632
1633 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1634
1635         [BigInt] Implement ValueBitXor into DFG
1636         https://bugs.webkit.org/show_bug.cgi?id=190264
1637
1638         Reviewed by Yusuke Suzuki.
1639
1640         * stress/big-int-bitwise-xor-jit.js: Added.
1641         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1642         * stress/big-int-bitwise-xor-untyped.js: Added.
1643
1644 2018-11-27  Saam barati  <sbarati@apple.com>
1645
1646         r238510 broke scopes of size zero
1647         https://bugs.webkit.org/show_bug.cgi?id=192033
1648         <rdar://problem/46281734>
1649
1650         Reviewed by Keith Miller.
1651
1652         * stress/r238510-bad-loop.js: Added.
1653         (foo):
1654
1655 2018-11-27  Mark Lam  <mark.lam@apple.com>
1656
1657         [Re-landing] NaNs read from Wasm code needs to be purified.
1658         https://bugs.webkit.org/show_bug.cgi?id=191056
1659         <rdar://problem/45660341>
1660
1661         Reviewed by Filip Pizlo.
1662
1663         * wasm/regress/regress-191056.js: Added.
1664
1665 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1666
1667         Unreviewed, rolling out r238509.
1668
1669         Causes JSC tests to fail on iOS.
1670
1671         Reverted changeset:
1672
1673         "NaNs read from Wasm code needs to be purified."
1674         https://bugs.webkit.org/show_bug.cgi?id=191056
1675         https://trac.webkit.org/changeset/238509
1676
1677 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1678
1679         Re-introduce op_bitnot
1680         https://bugs.webkit.org/show_bug.cgi?id=190923
1681
1682         Reviewed by Yusuke Suzuki.
1683
1684         * stress/bit-not-must-generate.js: Added.
1685         * stress/bitwise-not-no-int32.js: Added.
1686
1687 2018-11-26  Saam barati  <sbarati@apple.com>
1688
1689         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1690         https://bugs.webkit.org/show_bug.cgi?id=191956
1691         <rdar://problem/45665806>
1692
1693         Reviewed by Yusuke Suzuki.
1694
1695         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1696         (bar):
1697         (foo):
1698
1699 2018-11-26  Saam barati  <sbarati@apple.com>
1700
1701         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1702         https://bugs.webkit.org/show_bug.cgi?id=191958
1703         <rdar://problem/46221877>
1704
1705         Reviewed by Yusuke Suzuki.
1706
1707         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1708         (x):
1709         (foo):
1710
1711 2018-11-26  Mark Lam  <mark.lam@apple.com>
1712
1713         NaNs read from Wasm code needs to be purified.
1714         https://bugs.webkit.org/show_bug.cgi?id=191056
1715         <rdar://problem/45660341>
1716
1717         Reviewed by Filip Pizlo.
1718
1719         * wasm/regress/regress-191056.js: Added.
1720
1721 2018-11-26  Michael Saboff  <msaboff@apple.com>
1722
1723         32-bit JSC test failure: stress/regexp-compile-oom.js
1724         https://bugs.webkit.org/show_bug.cgi?id=191375
1725
1726         Reviewed by Mark Lam.
1727
1728         Disabled the test for 32-bit platforms.
1729
1730         * stress/regexp-compile-oom.js:
1731
1732 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1733
1734         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1735         https://bugs.webkit.org/show_bug.cgi?id=191716
1736         <rdar://problem/45723878>
1737
1738         Reviewed by Saam Barati.
1739
1740         * stress/regress-187373.js: Added.
1741         (async.fn):
1742
1743 2018-11-21  Saam barati  <sbarati@apple.com>
1744
1745         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1746         https://bugs.webkit.org/show_bug.cgi?id=191897
1747         <rdar://problem/45871998>
1748
1749         Reviewed by Mark Lam.
1750
1751         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1752         (bar):
1753         (foo):
1754
1755 2018-11-21  Saam barati  <sbarati@apple.com>
1756
1757         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1758         https://bugs.webkit.org/show_bug.cgi?id=191895
1759         <rdar://problem/46167406>
1760
1761         Reviewed by Mark Lam.
1762
1763         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1764         (foo):
1765         (bar):
1766
1767 2018-11-21  Mark Lam  <mark.lam@apple.com>
1768
1769         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1770         https://bugs.webkit.org/show_bug.cgi?id=191776
1771         <rdar://problem/46152851>
1772
1773         Reviewed by Saam Barati.
1774
1775         * stress/big-wasm-memory-grow-no-max.js:
1776         * stress/big-wasm-memory-grow.js:
1777         * stress/big-wasm-memory.js:
1778         - updated these to expect an OutOfMemoryError.
1779
1780         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1781         (Binary.prototype.emit_u8):
1782         (Binary.prototype.emit_u32v):
1783         (Binary.prototype.emit_header):
1784         (Binary.prototype.emit_section):
1785         (Binary):
1786         (WasmModuleBuilder):
1787         (WasmModuleBuilder.prototype.addMemory):
1788         (WasmModuleBuilder.prototype.toArray):
1789         (WasmModuleBuilder.prototype.toBuffer):
1790         (WasmModuleBuilder.prototype.instantiate):
1791         (catch):
1792         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1793         (catch):
1794
1795 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1796
1797         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1798         https://bugs.webkit.org/show_bug.cgi?id=190836
1799
1800         Reviewed by Saam Barati and Yusuke Suzuki.
1801
1802         * stress/big-int-out-of-memory-tests.js: Added.
1803
1804 2018-11-20  Mark Lam  <mark.lam@apple.com>
1805
1806         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1807         https://bugs.webkit.org/show_bug.cgi?id=191856
1808         <rdar://problem/46089992>
1809
1810         Reviewed by Yusuke Suzuki.
1811
1812         * stress/regress-191856.js: Added.
1813         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1814
1815 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1816
1817         Enable JIT on ARM/Linux
1818         https://bugs.webkit.org/show_bug.cgi?id=191548
1819
1820         Reviewed by Yusuke Suzuki.
1821
1822         Disable test on system with limited memory. Program was killed by
1823         the OS before the exception was thrown.
1824
1825         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1826
1827 2018-11-20  Saam barati  <sbarati@apple.com>
1828
1829         Merging an IC variant may lead to the IC status containing overlapping structure sets
1830         https://bugs.webkit.org/show_bug.cgi?id=191869
1831         <rdar://problem/45403453>
1832
1833         Reviewed by Mark Lam.
1834
1835         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1836
1837 2018-11-19  Mark Lam  <mark.lam@apple.com>
1838
1839         globalFuncImportModule() should return a promise when it clears exceptions.
1840         https://bugs.webkit.org/show_bug.cgi?id=191792
1841         <rdar://problem/46090763>
1842
1843         Reviewed by Michael Saboff.
1844
1845         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1846
1847 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1848
1849         Skip new memory-hungry tests on memory limited devices
1850
1851         Unreviewed gardening.
1852
1853         * stress/big-wasm-memory-grow-no-max.js:
1854         * stress/big-wasm-memory-grow.js:
1855         * stress/big-wasm-memory.js:
1856
1857 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1858
1859         Unreviewed, rolling in the rest of r237254
1860         https://bugs.webkit.org/show_bug.cgi?id=190340
1861
1862         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1863         * stress/function-cache-with-parameters-end-position.js: Added.
1864         (shouldBe):
1865         (shouldThrow):
1866         (i.anonymous):
1867         * stress/function-constructor-name.js: Added.
1868         (shouldBe):
1869         (GeneratorFunction):
1870         (AsyncFunction.async):
1871         (AsyncGeneratorFunction.async):
1872         (anonymous):
1873         (async.anonymous):
1874         * test262/expectations.yaml:
1875
1876 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1877
1878         All users of ArrayBuffer should agree on the same max size
1879         https://bugs.webkit.org/show_bug.cgi?id=191771
1880
1881         Reviewed by Mark Lam.
1882
1883         * stress/big-wasm-memory-grow-no-max.js: Added.
1884         (foo):
1885         (catch):
1886         * stress/big-wasm-memory-grow.js: Added.
1887         (foo):
1888         (catch):
1889         * stress/big-wasm-memory.js: Added.
1890         (foo):
1891         (catch):
1892
1893 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1894
1895         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1896         run for each JSC config since they're regression tests for runtime bugs.
1897
1898         * stress/json-stringified-overflow-2.js:
1899         * stress/json-stringified-overflow.js:
1900
1901 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1902
1903         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1904         config since they're regression tests for runtime bugs.
1905
1906         * stress/large-unshift-splice.js:
1907         * stress/regress-185888.js:
1908
1909 2018-11-16  Saam Barati  <sbarati@apple.com>
1910
1911         KnownCellUse should also have SpecCellCheck as its type filter
1912         https://bugs.webkit.org/show_bug.cgi?id=191729
1913         <rdar://problem/45872852>
1914
1915         Reviewed by Filip Pizlo.
1916
1917         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1918         (C):
1919
1920 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1921
1922         Fix assertion failure on BytecodeGenerator::recordOpcode
1923         https://bugs.webkit.org/show_bug.cgi?id=191724
1924         <rdar://problem/45724395>
1925
1926         Reviewed by Saam Barati.
1927
1928         * stress/regress-187373-2.js: Added.
1929         (foo):
1930
1931 2018-11-15  Mark Lam  <mark.lam@apple.com>
1932
1933         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1934         https://bugs.webkit.org/show_bug.cgi?id=191730
1935         <rdar://problem/46048517>
1936
1937         Reviewed by Saam Barati.
1938
1939         * stress/regress-187006.js: Removed.
1940           - this test is invalid because its sole purpose is to test for the non-spec
1941             compliant behavior that we just fixed.
1942
1943         * stress/regress-191730.js: Added.
1944
1945 2018-11-15  Mark Lam  <mark.lam@apple.com>
1946
1947         RegExp operations should not take fast path if lastIndex is not numeric.
1948         https://bugs.webkit.org/show_bug.cgi?id=191731
1949         <rdar://problem/46017305>
1950
1951         Reviewed by Saam Barati.
1952
1953         * stress/regress-191731.js: Added.
1954
1955 2018-11-13  Saam Barati  <sbarati@apple.com>
1956
1957         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1958         https://bugs.webkit.org/show_bug.cgi?id=191600
1959
1960         Reviewed by Mark Lam.
1961
1962         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1963         (foo):
1964         (test):
1965         (bar):
1966
1967 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1968
1969         Unreviewed, rolling out r238132.
1970
1971         The test added with this change is timing out on Debug JSC
1972         bots.
1973
1974         Reverted changeset:
1975
1976         "[BigInt] JSBigInt::createWithLength should throw when length
1977         is greater than JSBigInt::maxLength"
1978         https://bugs.webkit.org/show_bug.cgi?id=190836
1979         https://trac.webkit.org/changeset/238132
1980
1981 2018-11-13  Mark Lam  <mark.lam@apple.com>
1982
1983         Add OOM detection to StringPrototype's substituteBackreferences().
1984         https://bugs.webkit.org/show_bug.cgi?id=191563
1985         <rdar://problem/45720428>
1986
1987         Reviewed by Saam Barati.
1988
1989         * stress/regress-191563.js: Added.
1990
1991 2018-11-13  Mark Lam  <mark.lam@apple.com>
1992
1993         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1994         https://bugs.webkit.org/show_bug.cgi?id=191579
1995         <rdar://problem/45942472>
1996
1997         Reviewed by Saam Barati.
1998
1999         * stress/regress-191579.js: Added.
2000
2001 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2002
2003         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2004         https://bugs.webkit.org/show_bug.cgi?id=190836
2005
2006         Reviewed by Saam Barati.
2007
2008         * stress/big-int-out-of-memory-tests.js: Added.
2009
2010 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2011
2012         U+180E is no longer a whitespace character
2013         https://bugs.webkit.org/show_bug.cgi?id=191415
2014
2015         Reviewed by Saam Barati.
2016
2017         * ChakraCore/test/es5/regexSpace.baseline:
2018         * ChakraCore/test/es6/unicode_whitespace.js:
2019         Update tests to latest version.
2020         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2021
2022         * test262.yaml:
2023         * test262/config.yaml:
2024         * test262/expectations.yaml:
2025         Update expectations.
2026
2027 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2028
2029         [BigInt] Add support to BigInt into ValueAdd
2030         https://bugs.webkit.org/show_bug.cgi?id=186177
2031
2032         Reviewed by Keith Miller.
2033
2034         * stress/big-int-negate-jit.js:
2035         * stress/value-add-big-int-and-string.js: Added.
2036         * stress/value-add-big-int-prediction-propagation.js: Added.
2037         * stress/value-add-big-int-untyped.js: Added.
2038
2039 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2040
2041         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2042         https://bugs.webkit.org/show_bug.cgi?id=191184
2043
2044         Reviewed by Saam Barati.
2045
2046         Most tests were failing due to timeouts, since they are too slow to
2047         run on CLoop. The exceptions are:
2048
2049         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2050         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2051         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2052         to change the stack size since CLoop requires it to be page aligned.
2053
2054         * microbenchmarks/array-push-1.js:
2055         * microbenchmarks/array-push-2.js:
2056         * microbenchmarks/elidable-new-object-dag.js:
2057         * microbenchmarks/elidable-new-object-roflcopter.js:
2058         * microbenchmarks/elidable-new-object-tree.js:
2059         * microbenchmarks/getter-richards.js:
2060         * microbenchmarks/sinkable-new-object-dag.js:
2061         * microbenchmarks/string-concat-long-convert.js:
2062         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2063         * slowMicrobenchmarks/array-push-3.js:
2064         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2065         * slowMicrobenchmarks/spread-small-array.js:
2066         * slowMicrobenchmarks/undefined-property-access.js:
2067         * stress/activation-sink-default-value-tdz-error.js:
2068         * stress/activation-sink-default-value.js:
2069         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2070         * stress/activation-sink-osrexit-default-value.js:
2071         * stress/activation-sink-osrexit.js:
2072         * stress/activation-sink.js:
2073         * stress/allow-math-ic-b3-code-duplication.js:
2074         * stress/array-push-multiple-int32.js:
2075         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2076         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2077         * stress/arrowfunction-lexical-this-activation-sink.js:
2078         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2079         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2080         * stress/elide-new-object-dag-then-exit.js:
2081         * stress/materialize-regexp-cyclic.js:
2082         * stress/new-regex-inline.js:
2083         * stress/op_add.js:
2084         * stress/op_bitand.js:
2085         * stress/op_bitor.js:
2086         * stress/op_bitxor.js:
2087         * stress/op_div-ConstVar.js:
2088         * stress/op_div-VarConst.js:
2089         * stress/op_div-VarVar.js:
2090         * stress/op_lshift-ConstVar.js:
2091         * stress/op_lshift-VarConst.js:
2092         * stress/op_lshift-VarVar.js:
2093         * stress/op_mod-ConstVar.js:
2094         * stress/op_mod-VarConst.js:
2095         * stress/op_mod-VarVar.js:
2096         * stress/op_mul-ConstVar.js:
2097         * stress/op_mul-VarConst.js:
2098         * stress/op_mul-VarVar.js:
2099         * stress/op_rshift-ConstVar.js:
2100         * stress/op_rshift-VarConst.js:
2101         * stress/op_rshift-VarVar.js:
2102         * stress/op_sub-ConstVar.js:
2103         * stress/op_sub-VarConst.js:
2104         * stress/op_sub-VarVar.js:
2105         * stress/op_urshift-ConstVar.js:
2106         * stress/op_urshift-VarConst.js:
2107         * stress/op_urshift-VarVar.js:
2108         * stress/proxy-get-set-correct-receiver.js:
2109         * stress/regress-179562.js:
2110         * stress/rest-parameter-many-arguments.js:
2111         * stress/sampling-profiler-richards.js:
2112         * stress/splay-flash-access-1ms.js:
2113         * stress/tailCallForwardArguments.js:
2114         * stress/typed-array-get-by-val-profiling.js:
2115         * typeProfiler/getter-richards.js:
2116
2117 2018-11-06  Michael Saboff  <msaboff@apple.com>
2118
2119         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2120         https://bugs.webkit.org/show_bug.cgi?id=191271
2121
2122         Reviewed by Saam Barati.
2123
2124         Added more test cases and made all test cases run with the same deeply recursive stack
2125         instead of finding that same point for each test case.
2126
2127         * stress/regexp-compile-oom.js:
2128         (prototype.runTest):
2129         (recurseAndTest):
2130         (testList.push.new.TestAndExpectedException):
2131
2132 2018-11-05  Michael Saboff  <msaboff@apple.com>
2133
2134         Unreviewed build fix for linux.
2135
2136         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2137
2138 2018-11-02  Michael Saboff  <msaboff@apple.com>
2139
2140         Rolling in r237753 with unreviewed build fix.
2141
2142         Fixed issues with DECLARE_THROW_SCOPE placement.
2143
2144 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2145
2146         Unreviewed, rolling out r237753.
2147
2148         Introduced JSC test failures
2149
2150         Reverted changeset:
2151
2152         "Running out of stack space not properly handled in
2153         RegExp::compile() and its callers"
2154         https://bugs.webkit.org/show_bug.cgi?id=191206
2155         https://trac.webkit.org/changeset/237753
2156
2157 2018-11-02  Michael Saboff  <msaboff@apple.com>
2158
2159         Running out of stack space not properly handled in RegExp::compile() and its callers
2160         https://bugs.webkit.org/show_bug.cgi?id=191206
2161
2162         Reviewed by Filip Pizlo.
2163
2164         New regression test.
2165
2166         * stress/regexp-compile-oom.js: Added.
2167         (recurseAndTest):
2168
2169 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2170
2171         Skip tests on arm/mips that time out now we're running on CLoop
2172
2173         Unreviewed gardening.
2174
2175         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2176         time out on the bots and need to be disabled. There's more tests
2177         disabled on arm because the timeout is longer on the mips bot (as the
2178         device is slower to start with), so many of the tests don't time out
2179         there.
2180
2181         * microbenchmarks/getter-richards.js: disable on arm and mips.
2182         * stress/op_add.js: disable on arm.
2183         * stress/op_bitand.js: disable on arm.
2184         * stress/op_bitor.js: disable on arm.
2185         * stress/op_bitxor.js: disable on arm.
2186         * stress/op_lshift-ConstVar.js: disable on arm.
2187         * stress/op_lshift-VarConst.js: disable on arm.
2188         * stress/op_lshift-VarVar.js: disable on arm.
2189         * stress/op_mod-ConstVar.js: disable on arm.
2190         * stress/op_mod-VarConst.js: disable on arm.
2191         * stress/op_mod-VarVar.js: disable on arm.
2192         * stress/op_mul-ConstVar.js: disable on arm.
2193         * stress/op_mul-VarConst.js: disable on arm.
2194         * stress/op_mul-VarVar.js: disable on arm.
2195         * stress/op_rshift-ConstVar.js: disable on arm.
2196         * stress/op_rshift-VarConst.js: disable on arm.
2197         * stress/op_rshift-VarVar.js: disable on arm.
2198         * stress/op_sub-ConstVar.js: disable on arm.
2199         * stress/op_sub-VarConst.js: disable on arm.
2200         * stress/op_sub-VarVar.js: disable on arm.
2201         * stress/op_urshift-ConstVar.js: disable on arm.
2202         * stress/op_urshift-VarConst.js: disable on arm.
2203         * stress/op_urshift-VarVar.js: disable on arm.
2204         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2205         * stress/value-to-boolean.js: disable on arm and mips.
2206
2207 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2208
2209         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2210         https://bugs.webkit.org/show_bug.cgi?id=191108
2211         <rdar://problem/45690700>
2212
2213         Reviewed by Saam Barati.
2214
2215         * stress/wide-op_catch.js: Added.
2216         (catch):
2217
2218 2018-10-29  Mark Lam  <mark.lam@apple.com>
2219
2220         Correctly detect string overflow when using the 'Function' constructor.
2221         https://bugs.webkit.org/show_bug.cgi?id=184883
2222         <rdar://problem/36320331>
2223
2224         Reviewed by Saam Barati.
2225
2226         I've verified that this passes on 32-bit as well.
2227
2228         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2229
2230 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2231
2232         Add support for GetStack FlushedDouble
2233         https://bugs.webkit.org/show_bug.cgi?id=191012
2234         <rdar://problem/45265141>
2235
2236         Reviewed by Saam Barati.
2237
2238         * stress/get-stack-double.js: Added.
2239         (bar):
2240         (noInline):
2241
2242 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2243
2244         New bytecode format for JSC
2245         https://bugs.webkit.org/show_bug.cgi?id=187373
2246         <rdar://problem/44186758>
2247
2248         Reviewed by Filip Pizlo.
2249
2250         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2251
2252         * stress/maximum-inline-capacity.js: Added.
2253         (test1):
2254         (test3.Foo):
2255         (test3):
2256
2257 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2258
2259         Unreviewed, rolling out r237479 and r237484.
2260         https://bugs.webkit.org/show_bug.cgi?id=190978
2261
2262         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2263
2264         Reverted changesets:
2265
2266         "New bytecode format for JSC"
2267         https://bugs.webkit.org/show_bug.cgi?id=187373
2268         https://trac.webkit.org/changeset/237479
2269
2270         "Gardening: Build fix after r237479."
2271         https://bugs.webkit.org/show_bug.cgi?id=187373
2272         https://trac.webkit.org/changeset/237484
2273
2274 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2275
2276         New bytecode format for JSC
2277         https://bugs.webkit.org/show_bug.cgi?id=187373
2278         <rdar://problem/44186758>
2279
2280         Reviewed by Filip Pizlo.
2281
2282         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2283
2284         * stress/maximum-inline-capacity.js: Added.
2285         (test1):
2286         (test3.Foo):
2287         (test3):
2288
2289 2018-10-26  Mark Lam  <mark.lam@apple.com>
2290
2291         Fix missing edge cases with JSGlobalObjects having a bad time.
2292         https://bugs.webkit.org/show_bug.cgi?id=189028
2293         <rdar://problem/45204939>
2294
2295         Reviewed by Saam Barati.
2296
2297         * stress/regress-189028.js: Added.
2298
2299 2018-10-22  Mark Lam  <mark.lam@apple.com>
2300
2301         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2302         https://bugs.webkit.org/show_bug.cgi?id=190515
2303         <rdar://problem/45222379>
2304
2305         Rubber-stamped by Saam Barati.
2306
2307         Adding another test.
2308
2309         * stress/regress-190515-2.js: Added.
2310
2311 2018-10-22  Mark Lam  <mark.lam@apple.com>
2312
2313         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2314         https://bugs.webkit.org/show_bug.cgi?id=190515
2315         <rdar://problem/45222379>
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/regress-190515.js: Added.
2320
2321 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2322
2323         Unreviewed, rolling out r237254.
2324         https://bugs.webkit.org/show_bug.cgi?id=190760
2325
2326         "It regresses JetStream 2 by 5% on some iOS devices"
2327         (Requested by saamyjoon on #webkit).
2328
2329         Reverted changeset:
2330
2331         "[JSC] JSC should have "parseFunction" to optimize Function
2332         constructor"
2333         https://bugs.webkit.org/show_bug.cgi?id=190340
2334         https://trac.webkit.org/changeset/237254
2335
2336 2018-10-19  Saam Barati  <sbarati@apple.com>
2337
2338         vmCall should check if we exit before emitting an OSR exit due to exceptions
2339         https://bugs.webkit.org/show_bug.cgi?id=190740
2340         <rdar://problem/45220139>
2341
2342         Reviewed by Mark Lam.
2343
2344         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2345         (foo):
2346
2347 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2348
2349         [ESNext][BigInt] Implement support for "^"
2350         https://bugs.webkit.org/show_bug.cgi?id=186235
2351
2352         Reviewed by Yusuke Suzuki.
2353
2354         * stress/big-int-bitwise-xor-general.js: Added.
2355         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2356         * stress/big-int-bitwise-xor-type-error.js: Added.
2357         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2358
2359 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2360
2361         [BigInt] Add ValueSub into DFG
2362         https://bugs.webkit.org/show_bug.cgi?id=186176
2363
2364         Reviewed by Yusuke Suzuki.
2365
2366         * stress/big-int-subtraction-jit.js:
2367         * stress/value-sub-big-int-prediction-propagation.js: Added.
2368         * stress/value-sub-big-int-untyped.js: Added.
2369         * stress/value-sub-spec-none-case.js: Added.
2370
2371 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2372
2373         [JSC] JSC should have "parseFunction" to optimize Function constructor
2374         https://bugs.webkit.org/show_bug.cgi?id=190340
2375
2376         Reviewed by Mark Lam.
2377
2378         This patch fixes the line number of syntax errors raised by the Function constructor,
2379         since we now parse the final code only once. And we no longer use block statement
2380         for Function constructor's parsing.
2381
2382         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2383         * stress/function-cache-with-parameters-end-position.js: Added.
2384         (shouldBe):
2385         (shouldThrow):
2386         (i.anonymous):
2387         * stress/function-constructor-name.js: Added.
2388         (shouldBe):
2389         (GeneratorFunction):
2390         (AsyncFunction.async):
2391         (AsyncGeneratorFunction.async):
2392         (anonymous):
2393         (async.anonymous):
2394         * test262/expectations.yaml:
2395
2396 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2397
2398         Unreviewed, rolling out r237242.
2399         https://bugs.webkit.org/show_bug.cgi?id=190701
2400
2401         it breaks "stress/sampling-profiler-basic.js" (Requested by
2402         caiolima on #webkit).
2403
2404         Reverted changeset:
2405
2406         "[BigInt] Add ValueSub into DFG"
2407         https://bugs.webkit.org/show_bug.cgi?id=186176
2408         https://trac.webkit.org/changeset/237242
2409
2410 2018-10-17  Keith Miller  <keith_miller@apple.com>
2411
2412         AI does not clear Phantom allocation nodes.
2413         https://bugs.webkit.org/show_bug.cgi?id=190694
2414
2415         Reviewed by Saam Barati.
2416
2417         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2418         (Day):
2419         (DaysInYear):
2420         (TimeInYear):
2421         (TimeFromYear):
2422         (DayFromYear):
2423         (InLeapYear):
2424         (YearFromTime):
2425         (WeekDay):
2426         (DaylightSavingTA):
2427         (GetSecondSundayInMarch):
2428         (TimeInMonth):
2429
2430 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2431
2432         [BigInt] Add ValueSub into DFG
2433         https://bugs.webkit.org/show_bug.cgi?id=186176
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         * stress/big-int-subtraction-jit.js:
2438         * stress/value-sub-big-int-prediction-propagation.js: Added.
2439         * stress/value-sub-big-int-untyped.js: Added.
2440
2441 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2442
2443         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2444         https://bugs.webkit.org/show_bug.cgi?id=190611
2445
2446         Reviewed by Saam Barati.
2447
2448         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2449         to improve test runtime. On ARM/MIPS this test even timed out when running all
2450         tests.
2451
2452         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2453         (test):
2454
2455 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2456
2457         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2458
2459         Unreviewed gardening.
2460
2461         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2462
2463 2018-10-15  Saam barati  <sbarati@apple.com>
2464
2465         Emit fjcvtzs on ARM64E on Darwin
2466         https://bugs.webkit.org/show_bug.cgi?id=184023
2467
2468         Reviewed by Yusuke Suzuki and Filip Pizlo.
2469
2470         * stress/double-to-int32-NaN.js: Added.
2471         (assert):
2472         (foo):
2473
2474 2018-10-15  Saam Barati  <sbarati@apple.com>
2475
2476         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2477         https://bugs.webkit.org/show_bug.cgi?id=190262
2478         <rdar://problem/44986241>
2479
2480         Reviewed by Mark Lam.
2481
2482         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2483         (test):
2484         * stress/slice-array-storage-with-holes.js: Added.
2485         (main):
2486
2487 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2488
2489         Unreviewed, rolling out r237054.
2490         https://bugs.webkit.org/show_bug.cgi?id=190593
2491
2492         "this regressed JetStream 2 by 6% on iOS" (Requested by
2493         saamyjoon on #webkit).
2494
2495         Reverted changeset:
2496
2497         "[JSC] JSC should have "parseFunction" to optimize Function
2498         constructor"
2499         https://bugs.webkit.org/show_bug.cgi?id=190340
2500         https://trac.webkit.org/changeset/237054
2501
2502 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2503
2504         [JSC] JSON.stringify can accept call-with-no-arguments
2505         https://bugs.webkit.org/show_bug.cgi?id=190343
2506
2507         Reviewed by Mark Lam.
2508
2509         * stress/json-stringify-no-arguments.js: Added.
2510         (shouldBe):
2511
2512 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2513
2514         [JSC] JSC should have "parseFunction" to optimize Function constructor
2515         https://bugs.webkit.org/show_bug.cgi?id=190340
2516
2517         Reviewed by Mark Lam.
2518
2519         This patch fixes the line number of syntax errors raised by the Function constructor,
2520         since we now parse the final code only once. And we no longer use block statement
2521         for Function constructor's parsing.
2522
2523         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2524         * stress/function-cache-with-parameters-end-position.js: Added.
2525         (shouldBe):
2526         (shouldThrow):
2527         (i.anonymous):
2528         * stress/function-constructor-name.js: Added.
2529         (shouldBe):
2530         (GeneratorFunction):
2531         (AsyncFunction.async):
2532         (AsyncGeneratorFunction.async):
2533         (anonymous):
2534         (async.anonymous):
2535         * test262/expectations.yaml:
2536
2537 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2538
2539         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2540         https://bugs.webkit.org/show_bug.cgi?id=190426
2541
2542         Unreviewed gardening.
2543
2544         * stress/sampling-profiler-richards.js:
2545
2546 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2547
2548         [ESNext][BigInt] Implement support for "|"
2549         https://bugs.webkit.org/show_bug.cgi?id=186229
2550
2551         Reviewed by Yusuke Suzuki.
2552
2553         * stress/big-int-bitwise-and-jit.js:
2554         * stress/big-int-bitwise-or-general.js: Added.
2555         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2556         * stress/big-int-bitwise-or-jit.js: Added.
2557         * stress/big-int-bitwise-or-memory-stress.js: Added.
2558         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2559         * stress/big-int-bitwise-or-type-error.js: Added.
2560         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2561
2562 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2563
2564         Skip test on systems with limited memory
2565         https://bugs.webkit.org/show_bug.cgi?id=190310
2566
2567         Invoking runDefault adds test to runlist; skipping the test in the next
2568         line does not prevent the test from executing. Change order of lines such
2569         that runDefault is only executed if test is not executed.
2570
2571         Reviewed by Mark Lam.
2572
2573         * stress/regress-190187.js:
2574
2575 2018-10-03  Saam barati  <sbarati@apple.com>
2576
2577         lowXYZ in FTLLower should always filter the type of the incoming edge
2578         https://bugs.webkit.org/show_bug.cgi?id=189939
2579         <rdar://problem/44407030>
2580
2581         Reviewed by Michael Saboff.
2582
2583         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2584         (foo):
2585         (test):
2586
2587 2018-10-03  Mark Lam  <mark.lam@apple.com>
2588
2589         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2590         https://bugs.webkit.org/show_bug.cgi?id=190187
2591         <rdar://problem/42512909>
2592
2593         Reviewed by Michael Saboff.
2594
2595         * stress/regress-190187.js: Added.
2596
2597 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2598
2599         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2600         https://bugs.webkit.org/show_bug.cgi?id=190033
2601
2602         Reviewed by Yusuke Suzuki.
2603
2604         * stress/big-int-to-string.js:
2605
2606 2018-10-01  Mark Lam  <mark.lam@apple.com>
2607
2608         Function.toString() should also copy the source code of Functions that are class definitions.
2609         https://bugs.webkit.org/show_bug.cgi?id=190186
2610         <rdar://problem/44733360>
2611
2612         Reviewed by Saam Barati.
2613
2614         * stress/regress-190186.js: Added.
2615
2616 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2617
2618         Split NaN-check into separate test
2619         https://bugs.webkit.org/show_bug.cgi?id=190010
2620
2621         Reviewed by Saam Barati.
2622
2623         DataView exposes NaN-representation, which is not necessarily the same on each
2624         architecture. Therefore move the check of the NaN-representation into its own
2625         file such that we can disable this test on MIPS where NaN-representation can be
2626         different on older CPUs.
2627
2628         * stress/dataview-jit-set-nan.js: Added.
2629         (assert):
2630         (test.storeLittleEndian):
2631         (test.storeBigEndian):
2632         (test.store):
2633         (test):
2634         * stress/dataview-jit-set.js:
2635         (test5):
2636
2637 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2638
2639         Unreviewed, rolling out r236647.
2640         https://bugs.webkit.org/show_bug.cgi?id=190124
2641
2642         Breaking test stress/big-int-to-string.js (Requested by
2643         caiolima_ on #webkit).
2644
2645         Reverted changeset:
2646
2647         "[BigInt] BigInt.prototype.toString is broken when radix is
2648         power of 2"
2649         https://bugs.webkit.org/show_bug.cgi?id=190033
2650         https://trac.webkit.org/changeset/236647
2651
2652 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2653
2654         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2655         https://bugs.webkit.org/show_bug.cgi?id=190033
2656
2657         Reviewed by Yusuke Suzuki.
2658
2659         * stress/big-int-to-string.js:
2660
2661 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2662
2663         [ESNext][BigInt] Implement support for "&"
2664         https://bugs.webkit.org/show_bug.cgi?id=186228
2665
2666         Reviewed by Yusuke Suzuki.
2667
2668         * stress/big-int-bitwise-and-general.js: Added.
2669         (assert):
2670         (assert.sameValue):
2671         * stress/big-int-bitwise-and-jit.js: Added.
2672         (let.assert.sameValue):
2673         (bigIntBitAnd):
2674         * stress/big-int-bitwise-and-memory-stress.js: Added.
2675         (assert):
2676         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2677         (assert.sameValue):
2678         (let.o.Symbol.toPrimitive):
2679         (catch):
2680         * stress/big-int-bitwise-and-type-error.js: Added.
2681         (assert):
2682         (assertThrowTypeError):
2683         (let.o.valueOf):
2684         (o.valueOf):
2685         (o.toString):
2686         (o.Symbol.toPrimitive):
2687         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2688         (assert.sameValue):
2689         (testBitAnd):
2690         (let.o.Symbol.toPrimitive):
2691         (o.valueOf):
2692         (o.toString):
2693
2694 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2695
2696         JSC test stress/jsc-read.js doesn't support CRLF
2697         https://bugs.webkit.org/show_bug.cgi?id=190063
2698
2699         Reviewed by Yusuke Suzuki.
2700
2701         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2702
2703         * stress/jsc-read.js:
2704         (test):
2705
2706 2018-09-27  Saam barati  <sbarati@apple.com>
2707
2708         Verify the contents of AssemblerBuffer on arm64e
2709         https://bugs.webkit.org/show_bug.cgi?id=190057
2710         <rdar://problem/38916630>
2711
2712         Reviewed by Mark Lam.
2713
2714         * stress/regress-189132.js:
2715
2716 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2717
2718         Disable test without LLInt on ARMv7
2719         https://bugs.webkit.org/show_bug.cgi?id=190037
2720
2721         Reviewed by Mark Lam.
2722
2723         Test runs out of executable memory on ARMv7; do not run
2724         this test without LLInt enabled.
2725
2726         * stress/regress-169445.js:
2727
2728 2018-09-26  Keith Miller  <keith_miller@apple.com>
2729
2730         We should zero unused property storage when rebalancing array storage.
2731         https://bugs.webkit.org/show_bug.cgi?id=188151
2732
2733         Reviewed by Michael Saboff.
2734
2735         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2736
2737 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2738
2739         [JSC] Optimize Array#lastIndexOf
2740         https://bugs.webkit.org/show_bug.cgi?id=189780
2741
2742         Reviewed by Saam Barati.
2743
2744         * stress/array-lastindexof-array-prototype-trap.js: Added.
2745         (shouldBe):
2746         (AncestorArray.prototype.get 2):
2747         (AncestorArray):
2748         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2749         (shouldBe):
2750         * stress/array-lastindexof-hole-nan.js: Added.
2751         (shouldBe):
2752         (throw.new.Error):
2753         * stress/array-lastindexof-infinity.js: Added.
2754         (shouldBe):
2755         (throw.new.Error):
2756         * stress/array-lastindexof-negative-zero.js: Added.
2757         (shouldBe):
2758         (throw.new.Error):
2759         * stress/array-lastindexof-own-getter.js: Added.
2760         (shouldBe):
2761         (throw.new.Error.get array):
2762         (get array):
2763         * stress/array-lastindexof-prototype-trap.js: Added.
2764         (shouldBe):
2765         (DerivedArray.prototype.get 2):
2766         (DerivedArray):
2767
2768 2018-09-25  Saam Barati  <sbarati@apple.com>
2769
2770         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2771         https://bugs.webkit.org/show_bug.cgi?id=189940
2772         <rdar://problem/43640987>
2773
2774         Reviewed by Mark Lam.
2775
2776         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2777
2778 2018-09-24  Saam Barati  <sbarati@apple.com>
2779
2780         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2781         https://bugs.webkit.org/show_bug.cgi?id=189922
2782         <rdar://problem/44651275>
2783
2784         Reviewed by Mark Lam.
2785
2786         * stress/array-indexof-fast-path-effects.js: Added.
2787         * stress/array-indexof-cached-length.js: Added.
2788
2789 2018-09-24  Saam barati  <sbarati@apple.com>
2790
2791         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2792         https://bugs.webkit.org/show_bug.cgi?id=189682
2793         <rdar://problem/43557315>
2794
2795         Reviewed by Mark Lam.
2796
2797         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2798         (foo):
2799
2800 2018-09-22  Saam barati  <sbarati@apple.com>
2801
2802         The sampling should not use Strong<CodeBlock> in its machineLocation field
2803         https://bugs.webkit.org/show_bug.cgi?id=189319
2804
2805         Reviewed by Filip Pizlo.
2806
2807         * stress/sampling-profiler-richards.js: Added.
2808
2809 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2810
2811         [JSC] Optimize Array#indexOf in C++ runtime
2812         https://bugs.webkit.org/show_bug.cgi?id=189507
2813
2814         Reviewed by Saam Barati.
2815
2816         * stress/array-indexof-array-prototype-trap.js: Added.
2817         (shouldBe):
2818         (AncestorArray.prototype.get 2):
2819         (AncestorArray):
2820         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2821         (shouldBe):
2822         * stress/array-indexof-hole-nan.js: Added.
2823         (shouldBe):
2824         (throw.new.Error):
2825         * stress/array-indexof-infinity.js: Added.
2826         (shouldBe):
2827         (throw.new.Error):
2828         * stress/array-indexof-negative-zero.js: Added.
2829         (shouldBe):
2830         (throw.new.Error):
2831         * stress/array-indexof-own-getter.js: Added.
2832         (shouldBe):
2833         (throw.new.Error.get array):
2834         (get array):
2835         * stress/array-indexof-prototype-trap.js: Added.
2836         (shouldBe):
2837         (DerivedArray.prototype.get 2):
2838         (DerivedArray):
2839
2840 2018-09-19  Saam barati  <sbarati@apple.com>
2841
2842         AI rule for MultiPutByOffset executes its effects in the wrong order
2843         https://bugs.webkit.org/show_bug.cgi?id=189757
2844         <rdar://problem/43535257>
2845
2846         Reviewed by Michael Saboff.
2847
2848         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2849         (foo):
2850         (Foo):
2851         (g):
2852
2853 2018-09-17  Mark Lam  <mark.lam@apple.com>
2854
2855         Ensure that ForInContexts are invalidated if their loop local is over-written.
2856         https://bugs.webkit.org/show_bug.cgi?id=189571
2857         <rdar://problem/44402277>
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/regress-189571.js: Added.
2862
2863 2018-09-17  Saam barati  <sbarati@apple.com>
2864
2865         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2866         https://bugs.webkit.org/show_bug.cgi?id=189676
2867         <rdar://problem/39682897>
2868
2869         Reviewed by Michael Saboff.
2870
2871         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2872         (A):
2873         (K):
2874         (i.catch):
2875
2876 2018-09-14  Saam barati  <sbarati@apple.com>
2877
2878         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2879         https://bugs.webkit.org/show_bug.cgi?id=189628
2880         <rdar://problem/39481690>
2881
2882         Reviewed by Mark Lam.
2883
2884         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2885         (foo):
2886
2887 2018-09-11  Mark Lam  <mark.lam@apple.com>
2888
2889         Test for array initialization in arrayProtoFuncSplice.
2890         https://bugs.webkit.org/show_bug.cgi?id=170253
2891         <rdar://problem/31328773>
2892
2893         Rubber-stamped by Saam Barati.
2894
2895         * stress/regress-170253.js: Added.
2896
2897 2018-09-11  Mark Lam  <mark.lam@apple.com>
2898
2899         Test for IntlObject initialization.
2900         https://bugs.webkit.org/show_bug.cgi?id=170251
2901         <rdar://problem/31328419>
2902
2903         Rubber-stamped by Saam Barati.
2904
2905         * stress/regress-170251.js: Added.
2906
2907 2018-09-11  Mark Lam  <mark.lam@apple.com>
2908
2909         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2910         https://bugs.webkit.org/show_bug.cgi?id=169889
2911         <rdar://problem/31155607>
2912
2913         Reviewed by Saam Barati.
2914
2915         * stress/regress-169889-array-concat.js: Added.
2916         * stress/regress-169889-array-concat1.js: Added.
2917         * stress/regress-169889-array-slice.js: Added.
2918
2919 2018-09-11  Mark Lam  <mark.lam@apple.com>
2920
2921         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2922         https://bugs.webkit.org/show_bug.cgi?id=169445
2923         <rdar://problem/30957435>
2924
2925         Reviewed by Saam Barati.
2926
2927         * stress/regress-169445.js: Added.
2928         (let.gun.eval.A):
2929         (let.gun.eval.B.C):
2930         (let.gun.eval.B.C.prototype.trigger):
2931         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2932         (let.gun.eval.B):
2933         (let.gun.eval):
2934
2935 == Rolled over to ChangeLog-2018-09-11 ==