[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-15  Mark Lam  <mark.lam@apple.com>
2
3         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
4         https://bugs.webkit.org/show_bug.cgi?id=195827
5         <rdar://problem/48845513>
6
7         Reviewed by Filip Pizlo.
8
9         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
10
11 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
12
13         [ARM,MIPS] Skip slow tests
14         https://bugs.webkit.org/show_bug.cgi?id=195799
15
16         Unreviewed, test does not finish on ARM and MIPS within the
17         timeout limit.
18
19         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
20
21 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
22
23         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
24         https://bugs.webkit.org/show_bug.cgi?id=195791
25         <rdar://problem/48806130>
26
27         Reviewed by Mark Lam.
28
29         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
30         (foo):
31
32 2019-03-14  Saam barati  <sbarati@apple.com>
33
34         We can't remove code after ForceOSRExit until after FixupPhase
35         https://bugs.webkit.org/show_bug.cgi?id=186916
36         <rdar://problem/41396612>
37
38         Reviewed by Yusuke Suzuki.
39
40         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
41         (foo):
42         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
43         (foo):
44
45 2019-03-13  Michael Saboff  <msaboff@apple.com>
46
47         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
48         https://bugs.webkit.org/show_bug.cgi?id=195735
49
50         Reviewed by Mark Lam.
51
52         New regression test.
53
54         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
55         (foo):
56         (bar):
57
58 2019-03-14  Saam barati  <sbarati@apple.com>
59
60         Fixup uses KnownInt32 incorrectly in some nodes
61         https://bugs.webkit.org/show_bug.cgi?id=195279
62         <rdar://problem/47915654>
63
64         Reviewed by Yusuke Suzuki.
65
66         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
67         (foo):
68
69 2019-03-14  Keith Miller  <keith_miller@apple.com>
70
71         DFG liveness can't skip tail caller inline frames
72         https://bugs.webkit.org/show_bug.cgi?id=195715
73
74         Reviewed by Saam Barati.
75
76         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
77         (i.foo):
78
79 2019-03-13  Mark Lam  <mark.lam@apple.com>
80
81         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
82         https://bugs.webkit.org/show_bug.cgi?id=195415
83
84         Not reviewed.
85
86         Changed these tests to only run the default configuration.
87         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
88         There's no strong need to run this test on that variant.
89
90         * stress/dfg-to-string-on-int-does-gc.js:
91         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
92
93 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
94
95         String overflow when using StringBuilder in JSC::createError
96         https://bugs.webkit.org/show_bug.cgi?id=194957
97
98         Reviewed by Mark Lam.
99
100         Add test string-overflow-createError-builder.js that overflows
101         StringBuilder in notAFunctionSourceAppender. The second new test
102         string-overflow-createError-fit.js has an error message that doesn't
103         overflow, it still failed since the String's capacity can't be doubled.
104         Run test string-overflow-createError.js only in the default
105         configuration to reduce memory consumption when running the test
106         in all configurations on multiple CPUs in parallel.
107
108         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
109         (catch):
110         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
111         (catch):
112         * stress/string-overflow-createError.js:
113
114 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         [JSC] OSR entry should respect abstract values in addition to flush formats
117         https://bugs.webkit.org/show_bug.cgi?id=195653
118
119         Reviewed by Mark Lam.
120
121         * stress/osr-entry-locals-none.js: Added.
122
123 2019-03-12  Michael Saboff  <msaboff@apple.com>
124
125         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
126         https://bugs.webkit.org/show_bug.cgi?id=195613
127
128         Reviewed by Mark Lam.
129
130         New regression test.
131
132         * stress/regexp-backref-inbounds.js: Added.
133         (testRegExp):
134
135 2019-03-12  Mark Lam  <mark.lam@apple.com>
136
137         The HasIndexedProperty node does GC.
138         https://bugs.webkit.org/show_bug.cgi?id=195559
139         <rdar://problem/48767923>
140
141         Reviewed by Yusuke Suzuki.
142
143         * stress/HasIndexedProperty-does-gc.js: Added.
144
145 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
146
147         [ESNext][BigInt] Implement "~" unary operation
148         https://bugs.webkit.org/show_bug.cgi?id=182216
149
150         Reviewed by Keith Miller.
151
152         * stress/big-int-bit-not-general.js: Added.
153         * stress/big-int-bitwise-not-jit.js: Added.
154         * stress/big-int-bitwise-not-wrapped-value.js: Added.
155         * stress/bit-op-with-object-returning-int32.js:
156         * stress/bitwise-not-fixup-rules.js: Added.
157         * stress/value-bit-not-ai-rule.js: Added.
158
159 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
160
161         Invalid flags in a RegExp literal should be an early SyntaxError
162         https://bugs.webkit.org/show_bug.cgi?id=195514
163
164         Reviewed by Darin Adler.
165
166         * test262/expectations.yaml:
167         Mark 4 test cases as passing.
168
169         * stress/regexp-syntax-error-invalid-flags.js:
170         * stress/regress-161995.js: Removed.
171         Update existing test, merging in an older test for the same behavior.
172
173 2019-03-08  Mark Lam  <mark.lam@apple.com>
174
175         Stack overflow crash in JSC::JSObject::hasInstance.
176         https://bugs.webkit.org/show_bug.cgi?id=195458
177         <rdar://problem/48710195>
178
179         Reviewed by Yusuke Suzuki.
180
181         * stress/stack-overflow-in-custom-hasInstance.js: Added.
182
183 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
184
185         op_check_tdz does not def its argument
186         https://bugs.webkit.org/show_bug.cgi?id=192880
187         <rdar://problem/46221598>
188
189         Reviewed by Saam Barati.
190
191         * microbenchmarks/let-for-in.js: Added.
192         (foo):
193
194 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
195
196         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
197         https://bugs.webkit.org/show_bug.cgi?id=195429
198
199         Reviewed by Saam Barati.
200
201         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
202         (foo):
203         * stress/string-from-char-code-255.js: Added.
204
205 2019-03-06  Mark Lam  <mark.lam@apple.com>
206
207         Fix incorrect handling of try-finally completion values.
208         https://bugs.webkit.org/show_bug.cgi?id=195131
209         <rdar://problem/46222079>
210
211         Reviewed by Saam Barati and Yusuke Suzuki.
212
213         Added many permutations of new test case to test-finally.js.  test-finally.js has
214         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
215         tests pass there as well.
216
217         * stress/test-finally.js:
218
219 2019-03-06  Saam Barati  <sbarati@apple.com>
220
221         Air::reportUsedRegisters must padInterference
222         https://bugs.webkit.org/show_bug.cgi?id=195303
223         <rdar://problem/48270343>
224
225         Reviewed by Keith Miller.
226
227         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
228
229 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
230
231         [JSC] AI should not propagate AbstractValue relying on constant folding phase
232         https://bugs.webkit.org/show_bug.cgi?id=195375
233
234         Reviewed by Saam Barati.
235
236         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
237         (let.array):
238
239 2019-03-05  Saam barati  <sbarati@apple.com>
240
241         op_switch_char broken for rope strings after JSRopeString layout rewrite
242         https://bugs.webkit.org/show_bug.cgi?id=195339
243         <rdar://problem/48592545>
244
245         Reviewed by Yusuke Suzuki.
246
247         * stress/switch-on-char-llint-rope.js: Added.
248
249 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
250
251         [JSC] Store bits for JSRopeString in 3 stores
252         https://bugs.webkit.org/show_bug.cgi?id=195234
253
254         Reviewed by Saam Barati.
255
256         * stress/null-rope-and-collectors.js: Added.
257
258 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
259
260         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
261         https://bugs.webkit.org/show_bug.cgi?id=195207
262
263         Unreviewed. After test runtime was reduced in r242213, test can be
264         run again on ARM/MIPS.
265
266         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
267
268 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
269
270         [JSC] sizeof(JSString) should be 16
271         https://bugs.webkit.org/show_bug.cgi?id=194375
272
273         Reviewed by Saam Barati.
274
275         * microbenchmarks/make-rope.js: Added.
276         (makeRope):
277         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
278         (returnRope.helper): Deleted.
279         (returnRope): Deleted.
280
281 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
282
283         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
284         https://bugs.webkit.org/show_bug.cgi?id=195144
285
286         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
287         Change the number from 1e8 to 1e5.
288
289         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
290         (foo):
291
292 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
293
294         Test times out on ARM/MIPS
295         https://bugs.webkit.org/show_bug.cgi?id=195168
296
297         Unreviewed. Skip test on ARM/MIPS.
298
299         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
300
301 2019-02-27  Mark Lam  <mark.lam@apple.com>
302
303         The parser is failing to record the token location of new in new.target.
304         https://bugs.webkit.org/show_bug.cgi?id=195127
305         <rdar://problem/39645578>
306
307         Reviewed by Yusuke Suzuki.
308
309         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
310
311 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
314         https://bugs.webkit.org/show_bug.cgi?id=195144
315         <rdar://problem/47595961>
316
317         Reviewed by Mark Lam.
318
319         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
320         (bar):
321         (foo):
322         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
323         (bar):
324         (foo):
325
326 2019-02-27  Robin Morisset  <rmorisset@apple.com>
327
328         DFG: Loop-invariant code motion (LICM) should not hoist dead code
329         https://bugs.webkit.org/show_bug.cgi?id=194945
330         <rdar://problem/48311657>
331
332         Reviewed by Mark Lam.
333
334         * stress/licm-dead-code.js: Added.
335
336 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
337
338         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
339         https://bugs.webkit.org/show_bug.cgi?id=194677
340         <rdar://problem/48112492>
341
342         Reviewed by Mark Lam.
343
344         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
345         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
346         it immediately fails due to the large size.
347
348         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
349         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
350         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
351         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
352
353         This patch changes the test to produce 16bit string from String.fromCharCode.
354
355         * stress/regress-178386.js:
356
357 2019-02-26  Mark Lam  <mark.lam@apple.com>
358
359         wasmToJS() should purify incoming NaNs.
360         https://bugs.webkit.org/show_bug.cgi?id=194807
361         <rdar://problem/48189132>
362
363         Reviewed by Saam Barati.
364
365         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
366
367 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
368
369         [JSC] Repeat string created from Array.prototype.join() take too much memory
370         https://bugs.webkit.org/show_bug.cgi?id=193912
371
372         Reviewed by Saam Barati.
373
374         Added a test and a microbenchmark for corner cases of
375         Array.prototype.join() with an uninitialized array.
376
377         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
378         * stress/array-prototype-join-uninitialized.js: Added.
379         (testArray):
380         (testABC):
381         (B):
382         (C):
383
384 2019-02-22  Robin Morisset  <rmorisset@apple.com>
385
386         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
387         https://bugs.webkit.org/show_bug.cgi?id=194953
388         <rdar://problem/47595253>
389
390         Reviewed by Saam Barati.
391
392         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
393
394         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
395
396 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
397
398         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
399         https://bugs.webkit.org/show_bug.cgi?id=172848
400         <rdar://problem/25709212>
401
402         Reviewed by Mark Lam.
403
404         * typeProfiler/inheritance.js:
405         Rewrite the test slightly for clarity. The hoisting was confusing.
406
407         * heapProfiler/class-names.js: Added.
408         (MyES5Class):
409         (MyES6Class):
410         (MyES6Subclass):
411         Test object types and improved class names.
412
413         * heapProfiler/driver/driver.js:
414         (CheapHeapSnapshotNode):
415         (CheapHeapSnapshot):
416         (createCheapHeapSnapshot):
417         (HeapSnapshot):
418         (createHeapSnapshot):
419         Update snapshot parsing from version 1 to version 2.
420
421 2019-02-19  Truitt Savell  <tsavell@apple.com>
422
423         Unreviewed, rolling out r241784.
424
425         Broke all OpenSource builds.
426
427         Reverted changeset:
428
429         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
430         instances view"
431         https://bugs.webkit.org/show_bug.cgi?id=172848
432         https://trac.webkit.org/changeset/241784
433
434 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
435
436         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
437         https://bugs.webkit.org/show_bug.cgi?id=172848
438         <rdar://problem/25709212>
439
440         Reviewed by Mark Lam.
441
442         * typeProfiler/inheritance.js:
443         Rewrite the test slightly for clarity. The hoisting was confusing.
444
445         * heapProfiler/class-names.js: Added.
446         (MyES5Class):
447         (MyES6Class):
448         (MyES6Subclass):
449         Test object types and improved class names.
450
451         * heapProfiler/driver/driver.js:
452         (CheapHeapSnapshotNode):
453         (CheapHeapSnapshot):
454         (createCheapHeapSnapshot):
455         (HeapSnapshot):
456         (createHeapSnapshot):
457         Update snapshot parsing from version 1 to version 2.
458
459 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
460
461         [ARM] Fix crash with sampling profiler
462         https://bugs.webkit.org/show_bug.cgi?id=194772
463
464         Reviewed by Mark Lam.
465
466         Do not skip test since crash with sampling profiler is now fixed.
467
468         * stress/sampling-profiler-richards.js:
469
470 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
471
472         [JSC] Add LazyClassStructure::getInitializedOnMainThread
473         https://bugs.webkit.org/show_bug.cgi?id=194784
474         <rdar://problem/48154820>
475
476         Reviewed by Mark Lam.
477
478         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
479         (getProperties):
480         (getRandomProperty):
481         (i.catch):
482
483 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
484
485         [ARM] Test gardening: Test running out of executable memory
486         https://bugs.webkit.org/show_bug.cgi?id=194771
487
488         Unreviewed. Do not run test without LLInt, test is running out of executable
489         memory on ARM otherwise.
490
491         * stress/tagged-template-object-collect.js:
492
493 2019-02-18  Tomas Popela  <tpopela@redhat.com>
494
495         Unreviewed, skip the test on platforms without sampling profiler
496
497         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
498         (platformSupportsSamplingProfiler.foo):
499         (platformSupportsSamplingProfiler.test):
500         (platformSupportsSamplingProfiler):
501         (foo): Deleted.
502         (test): Deleted.
503
504 2019-02-17  Saam Barati  <sbarati@apple.com>
505
506         Deadlock when adding a Structure property transition and then doing incremental marking
507         https://bugs.webkit.org/show_bug.cgi?id=194767
508
509         Reviewed by Mark Lam.
510
511         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
512
513 2019-02-15  Michael Saboff  <msaboff@apple.com>
514
515         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
516         https://bugs.webkit.org/show_bug.cgi?id=194558
517
518         Reviewed by Saam Barati.
519
520         New regression test.
521
522         * stress/regexp-unicode-within-string.js: Added.
523
524 2019-02-15  Mark Lam  <mark.lam@apple.com>
525
526         SamplingProfiler::stackTracesAsJSON() should escape strings.
527         https://bugs.webkit.org/show_bug.cgi?id=194649
528         <rdar://problem/48072386>
529
530         Reviewed by Saam Barati.
531
532         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
533         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
534         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
535         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
536
537 2019-02-15  Robin Morisset  <rmorisset@apple.com>
538         CodeBlock::jettison should clear related watchpoints
539         https://bugs.webkit.org/show_bug.cgi?id=194544
540
541         Reviewed by Mark Lam.
542
543         * stress/regexp-replace-double-watchpoint.js: Added.
544         (foo):
545
546 2019-02-15  Saam barati  <sbarati@apple.com>
547
548         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
549         https://bugs.webkit.org/show_bug.cgi?id=194036
550
551         Reviewed by Yusuke Suzuki.
552
553         * stress/tail-call-many-arguments.js: Added.
554         (foo):
555         (bar):
556
557 2019-02-14  Saam Barati  <sbarati@apple.com>
558
559         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
560         https://bugs.webkit.org/show_bug.cgi?id=194583
561         <rdar://problem/48028140>
562
563         Reviewed by Yusuke Suzuki.
564
565         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
566
567 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
568
569         [JSC] String.fromCharCode's slow path always generates 16bit string
570         https://bugs.webkit.org/show_bug.cgi?id=194466
571
572         Reviewed by Keith Miller.
573
574         * stress/string-from-char-code-slow-path.js: Added.
575         (shouldBe):
576         (testWithLength):
577
578 2019-02-08  Saam barati  <sbarati@apple.com>
579
580         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
581         https://bugs.webkit.org/show_bug.cgi?id=194334
582         <rdar://problem/47844327>
583
584         Reviewed by Mark Lam.
585
586         * stress/check-in-bounds-should-be-a-child-use.js: Added.
587         (func):
588
589 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
590
591         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
592         https://bugs.webkit.org/show_bug.cgi?id=194369
593         <rdar://problem/47813087>
594
595         Reviewed by Saam Barati.
596
597         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
598         (A):
599
600 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
601
602         [JSC] PrivateName to PublicName hash table is wasteful
603         https://bugs.webkit.org/show_bug.cgi?id=194277
604
605         Reviewed by Michael Saboff.
606
607         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
608
609         * ChakraCore.yaml:
610
611 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
612
613         [ARM] Test running out of executable memory
614         https://bugs.webkit.org/show_bug.cgi?id=194285
615
616         Unreviewed. Do not execute test with LLInt disabled, test runs out of
617         executable memory otherwise.
618
619         * stress/class-subclassing-function.js:
620
621 2019-02-04  Robin Morisset  <rmorisset@apple.com>
622
623         when lowering AssertNotEmpty, create the value before creating the patchpoint
624         https://bugs.webkit.org/show_bug.cgi?id=194231
625
626         Reviewed by Saam Barati.
627
628         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
629         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
630         So even tiny changes to this test can change the path code taken.
631
632         * stress/assert-not-empty.js: Added.
633         (foo):
634
635 2019-02-01  Mark Lam  <mark.lam@apple.com>
636
637         Remove invalid assertion in DFG's compileDoubleRep().
638         https://bugs.webkit.org/show_bug.cgi?id=194130
639         <rdar://problem/47699474>
640
641         Reviewed by Saam Barati.
642
643         * stress/constant-fold-double-rep-into-double-constant.js: Added.
644
645 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
646
647         Import latest Test262 updates.
648
649         Rubber-stamped by Keith Miller.
650
651         * test262.yaml: Deleted.
652         * test262/config.yaml:
653         * test262/expectations.yaml:
654         * test262/latest-changes-summary.txt:
655         * test262/test/:
656         * test262/test262-Revision.txt:
657
658 2019-01-30  Robin Morisset  <rmorisset@apple.com>
659
660         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
661         https://bugs.webkit.org/show_bug.cgi?id=194050
662         <rdar://problem/47595592>
663
664         Reviewed by Yusuke Suzuki.
665
666         * stress/object-keys-osr-exit.js: Added.
667         (foo):
668         (catch):
669
670 2019-01-29  Mark Lam  <mark.lam@apple.com>
671
672         ValueRecovery::recover() should purify NaN values it recovers.
673         https://bugs.webkit.org/show_bug.cgi?id=193978
674         <rdar://problem/47625488>
675
676         Reviewed by Saam Barati.
677
678         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
679
680 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
681
682         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
683         https://bugs.webkit.org/show_bug.cgi?id=193713
684
685         * stress/try-get-by-id-should-spill-registers-dfg.js:
686         (let.f.createBuiltin):
687
688 2019-01-28  Mark Lam  <mark.lam@apple.com>
689
690         ToString node actually does GC.
691         https://bugs.webkit.org/show_bug.cgi?id=193920
692         <rdar://problem/46695900>
693
694         Reviewed by Yusuke Suzuki.
695
696         * stress/dfg-to-string-on-int-does-gc.js: Added.
697         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
698         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
699
700 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
701
702         [JSC] NativeErrorConstructor should not have own IsoSubspace
703         https://bugs.webkit.org/show_bug.cgi?id=193713
704
705         Reviewed by Saam Barati.
706
707         Remove @Error use.
708
709         * stress/try-get-by-id-should-spill-registers-dfg.js:
710         (let.f.createBuiltin):
711
712 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
713
714         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
715         https://bugs.webkit.org/show_bug.cgi?id=190693
716
717         Reviewed by Michael Saboff.
718
719         * stress/regress-190693.js: Added.
720         (truth):
721         (assert):
722         (shouldThrowInvalidConstAssignment):
723         (taz):
724
725 2019-01-24  Saam Barati  <sbarati@apple.com>
726
727         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
728         https://bugs.webkit.org/show_bug.cgi?id=193751
729         <rdar://problem/47280215>
730
731         Reviewed by Michael Saboff.
732
733         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
734         (let.thing):
735         (foo.let.hello):
736         (foo):
737
738 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
739
740         [JSC] Reenable baseline JIT on mips
741         https://bugs.webkit.org/show_bug.cgi?id=192983
742
743         Reviewed by Mark Lam.
744
745         Added a new test for a case that was triggering a RELEASE_ASSERT when
746         testing.
747         Disable some slow tests that were already disabled for arm and x86.
748
749         * stress/json-parse-big-object.js: Added.
750         * stress/new-largeish-contiguous-array-with-size.js:
751         * stress/op_add.js:
752         * stress/op_bitand.js:
753         * stress/op_bitor.js:
754         * stress/op_bitxor.js:
755         * stress/op_lshift-ConstVar.js:
756         * stress/op_lshift-VarConst.js:
757         * stress/op_lshift-VarVar.js:
758         * stress/op_mod-ConstVar.js:
759         * stress/op_mod-VarConst.js:
760         * stress/op_mod-VarVar.js:
761         * stress/op_mul-ConstVar.js:
762         * stress/op_mul-VarConst.js:
763         * stress/op_mul-VarVar.js:
764         * stress/op_rshift-ConstVar.js:
765         * stress/op_rshift-VarConst.js:
766         * stress/op_rshift-VarVar.js:
767         * stress/op_sub-ConstVar.js:
768         * stress/op_sub-VarConst.js:
769         * stress/op_sub-VarVar.js:
770         * stress/op_urshift-ConstVar.js:
771         * stress/op_urshift-VarConst.js:
772         * stress/op_urshift-VarVar.js:
773         * stress/sampling-profiler-richards.js:
774         * stress/spread-forward-call-varargs-stack-overflow.js:
775
776 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
777
778         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
779         https://bugs.webkit.org/show_bug.cgi?id=193711
780         <rdar://problem/47250262>
781
782         Reviewed by Saam Barati.
783
784         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
785         (shouldBe):
786         (foo):
787         (bar):
788         (baz):
789
790 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
791
792         Unreviewed, fix initial global lexical binding epoch
793         https://bugs.webkit.org/show_bug.cgi?id=193603
794         <rdar://problem/47380869>
795
796         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
797         (f1.f2.f3.f4):
798         (f1.f2.f3):
799         (f1.f2):
800         (f1):
801
802 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
803
804         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
805         https://bugs.webkit.org/show_bug.cgi?id=193709
806         <rdar://problem/47363838>
807
808         Unreviewed, rollout to watch the tests.
809
810         * stress/object-tostring-changed-proto.js: Removed.
811         * stress/object-tostring-changed.js: Removed.
812         * stress/object-tostring-misc.js: Removed.
813         * stress/object-tostring-other.js: Removed.
814         * stress/object-tostring-untyped.js: Removed.
815
816 2019-01-22  Saam Barati  <sbarati@apple.com>
817
818         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
819
820         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
821         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
822         (testUncheckedLessThanZero):
823         (testUncheckedLessThanOrEqualZero):
824         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
825         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
826
827 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         [JSC] Invalidate old scope operations using global lexical binding epoch
830         https://bugs.webkit.org/show_bug.cgi?id=193603
831         <rdar://problem/47380869>
832
833         Reviewed by Saam Barati.
834
835         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
836         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
837         (shouldThrow):
838         (bar):
839         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
840         (shouldBe):
841         (get1):
842         (get2):
843         (get1If):
844         (get2If):
845         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
846         (shouldThrow):
847         (foo):
848
849 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         Unreviewed, roll out r240220 due to date-format-xparb regression
852         https://bugs.webkit.org/show_bug.cgi?id=193603
853
854         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
855         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
856         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
857         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
858
859 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
860
861         DoesGC rule is wrong for nodes with BigIntUse
862         https://bugs.webkit.org/show_bug.cgi?id=193652
863
864         Reviewed by Saam Barati.
865
866         * stress/big-int-value-op-update-gc-rules.js: Added.
867         (assert):
868         (doesGCAdd):
869         (doesGCSub):
870         (doesGCDiv):
871         (doesGCMul):
872         (doesGCBitAnd):
873         (doesGCBitOr):
874         (doesGCBitXor):
875
876 2019-01-20  Saam Barati  <sbarati@apple.com>
877
878         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
879         https://bugs.webkit.org/show_bug.cgi?id=193644
880         <rdar://problem/46209745>
881
882         Reviewed by Yusuke Suzuki.
883
884         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
885         (foo):
886         * stress/data-view-set-intrinsic-undefined-result.js: Added.
887         (foo):
888         (bar):
889
890 2019-01-20  Saam Barati  <sbarati@apple.com>
891
892         MovHint must merge NodeBytecodeUsesAsValue for its child
893         https://bugs.webkit.org/show_bug.cgi?id=186916
894         <rdar://problem/41396612>
895
896         Reviewed by Yusuke Suzuki.
897
898         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
899         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
900
901 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
902
903         [JSC] Invalidate old scope operations using global lexical binding epoch
904         https://bugs.webkit.org/show_bug.cgi?id=193603
905         <rdar://problem/47380869>
906
907         Reviewed by Saam Barati.
908
909         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
910         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
911         (shouldThrow):
912         (bar):
913         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
914         (shouldBe):
915         (get1):
916         (get2):
917         (get1If):
918         (get2If):
919         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
920         (shouldThrow):
921         (foo):
922
923 2019-01-17  Saam barati  <sbarati@apple.com>
924
925         StringObjectUse should not be a structure check for the original string object structure
926         https://bugs.webkit.org/show_bug.cgi?id=193483
927         <rdar://problem/47280522>
928
929         Reviewed by Yusuke Suzuki.
930
931         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
932         (foo):
933         (a.valueOf.0):
934
935 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
936
937         [JSC] ToThis omission in DFGByteCodeParser is wrong
938         https://bugs.webkit.org/show_bug.cgi?id=193513
939         <rdar://problem/45842236>
940
941         Reviewed by Saam Barati.
942
943         * stress/to-this-omission-with-different-strict-modes.js: Added.
944         (thisA):
945         (thisAStrictWrapper):
946
947 2019-01-15  Mark Lam  <mark.lam@apple.com>
948
949         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
950         https://bugs.webkit.org/show_bug.cgi?id=193423
951         <rdar://problem/46209355>
952
953         Reviewed by Saam Barati.
954
955         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
956         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
957         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
958         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
959
960 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
961
962         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
963         https://bugs.webkit.org/show_bug.cgi?id=193438
964         <rdar://problem/45581249>
965
966         Reviewed by Saam Barati and Keith Miller.
967
968         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
969         Then, GetByVal(String) crashed.
970
971         * stress/string-get-by-val-lowering.js: Added.
972         (shouldBe):
973         (test):
974         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
975         (Hello):
976         (foo):
977
978 2019-01-15  Tomas Popela  <tpopela@redhat.com>
979
980         Unreviewed, skip JIT tests if it's not enabled
981
982         * stress/bit-op-with-object-returning-int32.js:
983
984 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
985
986         DFGByteCodeParser rules for bitwise operations should consider type of their operands
987         https://bugs.webkit.org/show_bug.cgi?id=192966
988
989         Reviewed by Yusuke Suzuki.
990
991         * stress/bit-op-with-object-returning-int32.js: Added.
992
993 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
994
995         Skip a slow test and a flakey test on arm
996
997         Unreviewed gardening.
998
999         * typeProfiler/getter-richards.js:
1000         this test always times out, it used to be always skipped on arm and
1001         mips, but got accidentally enabled by r237919 now that we have DFG on
1002         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1003
1004 2019-01-14  Keith Miller  <keith_miller@apple.com>
1005
1006         Skip type-check-hoisting-phase-hoist... with no jit
1007         https://bugs.webkit.org/show_bug.cgi?id=193421
1008
1009         Reviewed by Mark Lam.
1010
1011         It's timing out the 32-bit bots and takes 330 seconds
1012         on my machine when run by itself.
1013
1014         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1015
1016 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1017
1018         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1019         https://bugs.webkit.org/show_bug.cgi?id=193413
1020         <rdar://problem/46092389>
1021
1022         Reviewed by Keith Miller.
1023
1024         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1025         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1026         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1027         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1028
1029         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1030         (compareArray):
1031
1032 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1033
1034         [BigInt] Literal parsing is crashing when used inside a Object Literal
1035         https://bugs.webkit.org/show_bug.cgi?id=193404
1036
1037         Reviewed by Yusuke Suzuki.
1038
1039         * stress/big-int-literal-inside-literal-object.js: Added.
1040
1041 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1042
1043         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1044         https://bugs.webkit.org/show_bug.cgi?id=193372
1045
1046         Reviewed by Saam Barati.
1047
1048         * stress/typed-array-array-modes-profile.js: Added.
1049         (foo):
1050
1051 2019-01-14  Mark Lam  <mark.lam@apple.com>
1052
1053         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1054         https://bugs.webkit.org/show_bug.cgi?id=193402
1055         <rdar://problem/46012309>
1056
1057         Reviewed by Keith Miller.
1058
1059         * stress/regexp-compile-oom.js:
1060         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1061           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1062
1063 2019-01-11  Saam barati  <sbarati@apple.com>
1064
1065         DFG combined liveness can be wrong for terminal basic blocks
1066         https://bugs.webkit.org/show_bug.cgi?id=193304
1067         <rdar://problem/45268632>
1068
1069         Reviewed by Yusuke Suzuki.
1070
1071         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1072
1073 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1074
1075         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1076         https://bugs.webkit.org/show_bug.cgi?id=193308
1077         <rdar://problem/45546542>
1078
1079         Reviewed by Saam Barati.
1080
1081         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1082         (shouldThrow):
1083         (shouldBe):
1084         (foo):
1085         (get shouldThrow):
1086         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1087         (shouldThrow):
1088         (shouldBe):
1089         (foo):
1090         (get shouldBe):
1091         (get shouldThrow):
1092         (get return):
1093         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1094         (shouldThrow):
1095         (shouldBe):
1096         (foo):
1097         (get shouldBe):
1098         (get shouldThrow):
1099         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1100         (shouldThrow):
1101         (shouldBe):
1102         (foo):
1103         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1104         (shouldThrow):
1105         (shouldBe):
1106         (foo):
1107         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1108         (shouldThrow):
1109         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1110         (shouldThrow):
1111         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1112         (shouldThrow):
1113         (shouldBe):
1114         (foo):
1115         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1116         (shouldThrow):
1117         (shouldBe):
1118         (foo):
1119         (get shouldBe):
1120         (get shouldThrow):
1121         (get return):
1122         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1123         (shouldThrow):
1124         (shouldBe):
1125         (foo):
1126         (get shouldBe):
1127         (get shouldThrow):
1128         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1129         (shouldThrow):
1130         (shouldBe):
1131         (foo):
1132         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1133         (shouldThrow):
1134         (shouldBe):
1135         (foo):
1136
1137 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1138
1139         Enable DFG on ARM/Linux again
1140         https://bugs.webkit.org/show_bug.cgi?id=192496
1141
1142         Reviewed by Yusuke Suzuki.
1143
1144         Test wasn't really skipped before moving the line with skip
1145         to the top.
1146
1147         * stress/regress-192717.js:
1148
1149 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1150
1151         Unreviewed, rolling out r239825.
1152         https://bugs.webkit.org/show_bug.cgi?id=193330
1153
1154         Broke tests on armv7/linux bots (Requested by guijemont on
1155         #webkit).
1156
1157         Reverted changeset:
1158
1159         "Enable DFG on ARM/Linux again"
1160         https://bugs.webkit.org/show_bug.cgi?id=192496
1161         https://trac.webkit.org/changeset/239825
1162
1163 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1164
1165         Enable DFG on ARM/Linux again
1166         https://bugs.webkit.org/show_bug.cgi?id=192496
1167
1168         Reviewed by Yusuke Suzuki.
1169
1170         Test wasn't really skipped before moving the line with skip
1171         to the top.
1172
1173         * stress/regress-192717.js:
1174
1175 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1176
1177         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1178         https://bugs.webkit.org/show_bug.cgi?id=193127
1179
1180         Reviewed by Saam Barati.
1181
1182         * stress/array-species-create-should-handle-masquerader.js: Added.
1183         (shouldThrow):
1184         * stress/is-undefined-or-null-builtin.js: Added.
1185         (shouldBe):
1186         (isUndefinedOrNull.vm.createBuiltin):
1187
1188 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1189
1190         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1191         https://bugs.webkit.org/show_bug.cgi?id=193221
1192
1193         Reviewed by Mark Lam.
1194
1195         * stress/put-by-id-flags.js: Added.
1196         (f):
1197         (g):
1198         (numberOfDFGCompiles):
1199
1200 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1201
1202         Baseline version of get_by_id may corrupt metadata
1203         https://bugs.webkit.org/show_bug.cgi?id=193085
1204         <rdar://problem/23453006>
1205
1206         Reviewed by Saam Barati.
1207
1208         * stress/get-by-id-change-mode.js: Added.
1209         (forEach):
1210
1211 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1212
1213         [JSC] Optimize Object.prototype.toString
1214         https://bugs.webkit.org/show_bug.cgi?id=193031
1215
1216         Reviewed by Saam Barati.
1217
1218         * stress/object-tostring-changed-proto.js: Added.
1219         (shouldBe):
1220         (test):
1221         * stress/object-tostring-changed.js: Added.
1222         (shouldBe):
1223         (test):
1224         * stress/object-tostring-misc.js: Added.
1225         (shouldBe):
1226         (test):
1227         (i.switch):
1228         * stress/object-tostring-other.js: Added.
1229         (shouldBe):
1230         (test):
1231         * stress/object-tostring-untyped.js: Added.
1232         (shouldBe):
1233         (test):
1234         (i.switch):
1235
1236 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1237
1238         test262-runner misbehaves when test file YAML has a trailing space
1239         https://bugs.webkit.org/show_bug.cgi?id=193053
1240
1241         Reviewed by Yusuke Suzuki.
1242
1243         * test262/expectations.yaml:
1244         Mark two dozen tests as passing (and correct the output of another).
1245
1246 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1247
1248         Unreviewed, JSTests gardening with memoryLimited
1249
1250         * stress/string-overflow-createError.js:
1251
1252 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1253
1254         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1255         https://bugs.webkit.org/show_bug.cgi?id=193050
1256
1257         Reviewed by Yusuke Suzuki.
1258
1259         * test262.yaml:
1260         * test262/expectations.yaml:
1261         Mark 16 tests as passing.
1262
1263 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1264
1265         [BigInt] Support BigInt in JSON.stringify
1266         https://bugs.webkit.org/show_bug.cgi?id=192624
1267
1268         Reviewed by Saam Barati.
1269
1270         * stress/big-int-json-stringify-to-json.js: Added.
1271         (shouldBe):
1272         (shouldThrow):
1273         (BigInt.prototype.toJSON):
1274         (shouldBe.JSON.stringify):
1275         * stress/big-int-json-stringify.js: Added.
1276         (shouldBe):
1277         (shouldThrow):
1278
1279 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1280
1281         [JSC] Implement "well-formed JSON.stringify" proposal
1282         https://bugs.webkit.org/show_bug.cgi?id=191677
1283
1284         Reviewed by Darin Adler.
1285
1286         * stress/json-surrogate-pair.js: Added.
1287         (shouldBe):
1288         * test262/expectations.yaml:
1289
1290 2018-12-20  Keith Miller  <keith_miller@apple.com>
1291
1292         Add support for globalThis
1293         https://bugs.webkit.org/show_bug.cgi?id=165171
1294
1295         Reviewed by Mark Lam.
1296
1297         * test262/config.yaml:
1298
1299 2018-12-19  Keith Miller  <keith_miller@apple.com>
1300
1301         Update test262 configuration to not run tests dependent on ICU version.
1302         https://bugs.webkit.org/show_bug.cgi?id=192920
1303
1304         Reviewed by Saam Barati.
1305
1306         * test262/expectations.yaml:
1307
1308 2018-12-20  Mark Lam  <mark.lam@apple.com>
1309
1310         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1311         https://bugs.webkit.org/show_bug.cgi?id=192939
1312         <rdar://problem/46869516>
1313
1314         Reviewed by Keith Miller.
1315
1316         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1317
1318 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1319
1320         WTF::String and StringImpl overflow MaxLength
1321         https://bugs.webkit.org/show_bug.cgi?id=192853
1322         <rdar://problem/45726906>
1323
1324         Reviewed by Mark Lam.
1325
1326         * stress/string-16bit-repeat-overflow.js: Added.
1327         (catch):
1328
1329 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1330
1331         Unreviewed follow-up to r192914.
1332
1333         * test262/expectations.yaml:
1334         Add the last 20 missing expectations.
1335
1336 2018-12-19  Keith Miller  <keith_miller@apple.com>
1337
1338         Fix test262 expectations
1339         https://bugs.webkit.org/show_bug.cgi?id=192914
1340
1341         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1342
1343         * test262/expectations.yaml:
1344
1345 2018-12-19  Keith Miller  <keith_miller@apple.com>
1346
1347         Update test262 tests.
1348         https://bugs.webkit.org/show_bug.cgi?id=192907
1349
1350         Rubber stamped by Mark Lam.
1351
1352         * test262/*: Omitted because prepare-changelog crashes.
1353
1354 2018-12-19  Mark Lam  <mark.lam@apple.com>
1355
1356         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1357         https://bugs.webkit.org/show_bug.cgi?id=192464
1358         <rdar://problem/46519455>
1359
1360         Reviewed by Saam Barati.
1361
1362         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1363         microbenchmark.
1364
1365         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1366         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1367
1368 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1369
1370         String overflow in JSC::createError results in ASSERT in WTF::makeString
1371         https://bugs.webkit.org/show_bug.cgi?id=192833
1372         <rdar://problem/45706868>
1373
1374         Reviewed by Mark Lam.
1375
1376         * stress/string-overflow-createError.js: Added.
1377
1378 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1379
1380         Error message for `-x ** y` contains a typo.
1381         https://bugs.webkit.org/show_bug.cgi?id=192832
1382
1383         Reviewed by Saam Barati.
1384
1385         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1386         (assert.assert.return.throws):
1387         * stress/pow-expects-update-expression-on-lhs.js:
1388         (throw.new.Error):
1389         Update test expectations which match against the exact error message.
1390
1391 2018-12-18  Mark Lam  <mark.lam@apple.com>
1392
1393         Gardening: test options fix.
1394         https://bugs.webkit.org/show_bug.cgi?id=192822
1395
1396         Unreviewed.
1397
1398         * stress/json-stringify-string-builder-overflow.js:
1399
1400 2018-12-18  Mark Lam  <mark.lam@apple.com>
1401
1402         JSON.stringify() should throw OOM on StringBuilder overflows.
1403         https://bugs.webkit.org/show_bug.cgi?id=192822
1404         <rdar://problem/46670577>
1405
1406         Reviewed by Saam Barati.
1407
1408         * stress/json-stringify-string-builder-overflow.js: Added.
1409
1410 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1411
1412         Redeclaration of var over let/const/class should be a syntax error.
1413         https://bugs.webkit.org/show_bug.cgi?id=192298
1414
1415         Reviewed by Keith Miller.
1416
1417         * test262.yaml:
1418         * test262/expectations.yaml:
1419         Mark 46 tests as passing.
1420
1421         * stress/block-scope-redeclarations.js:
1422         Add some new tests.
1423
1424         * stress/for-in-invalidate-context-weird-assignments.js:
1425         * stress/for-in-tests.js:
1426         Replace tests for outdated behavior with tests for SyntaxError.
1427
1428         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1429         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1430         Update expectations.
1431
1432 2018-12-18  Mark Lam  <mark.lam@apple.com>
1433
1434         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1435         https://bugs.webkit.org/show_bug.cgi?id=191374
1436         <rdar://problem/46525447>
1437
1438         Reviewed by Yusuke Suzuki.
1439
1440         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1441
1442         * stress/elidable-new-object-roflcopter-then-exit.js:
1443
1444 2018-12-17  Mark Lam  <mark.lam@apple.com>
1445
1446         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1447         https://bugs.webkit.org/show_bug.cgi?id=192019
1448         <rdar://problem/46525456>
1449
1450         Reviewed by Yusuke Suzuki.
1451
1452         The test runs too slow on 32-bit.
1453
1454         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1455
1456 2018-12-17  Mark Lam  <mark.lam@apple.com>
1457
1458         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1459         https://bugs.webkit.org/show_bug.cgi?id=191373
1460         <rdar://problem/46525458>
1461
1462         Reviewed by Yusuke Suzuki.
1463
1464         The test is already slow running with a JIT on 64-bit.  It will always time out
1465         on 32-bit without a JIT.
1466
1467         * stress/materialize-regexp-cyclic-regexp.js:
1468
1469 2018-12-17  Mark Lam  <mark.lam@apple.com>
1470
1471         Array unshift/shift should not race against the AI in the compiler thread.
1472         https://bugs.webkit.org/show_bug.cgi?id=192795
1473         <rdar://problem/46724263>
1474
1475         Reviewed by Saam Barati.
1476
1477         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1478
1479 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1480
1481         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1482         https://bugs.webkit.org/show_bug.cgi?id=190047
1483
1484         Reviewed by Saam Barati.
1485
1486         * stress/object-keys-cached-zero.js: Added.
1487         (shouldBe):
1488         (test):
1489         * stress/object-keys-changed-attribute.js: Added.
1490         (shouldBe):
1491         (test):
1492         * stress/object-keys-changed-index.js: Added.
1493         (shouldBe):
1494         (test):
1495         * stress/object-keys-changed.js: Added.
1496         (shouldBe):
1497         (test):
1498         * stress/object-keys-indexed-non-cache.js: Added.
1499         (shouldBe):
1500         (test):
1501         * stress/object-keys-overrides-get-property-names.js: Added.
1502         (shouldBe):
1503         (test):
1504         (noInline):
1505
1506 2018-12-17  Mark Lam  <mark.lam@apple.com>
1507
1508         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1509         https://bugs.webkit.org/show_bug.cgi?id=192779
1510         <rdar://problem/46775869>
1511
1512         Reviewed by Saam Barati.
1513
1514         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1515
1516 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1517
1518         Unreviewed test gardening, address a syntax error in a new test.
1519
1520         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1521
1522 2018-12-17  Mark Lam  <mark.lam@apple.com>
1523
1524         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1525         https://bugs.webkit.org/show_bug.cgi?id=192776
1526         <rdar://problem/46772368>
1527
1528         Reviewed by Keith Miller.
1529
1530         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1531
1532 2018-12-17  Mark Lam  <mark.lam@apple.com>
1533
1534         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1535         https://bugs.webkit.org/show_bug.cgi?id=192770
1536         <rdar://problem/46449037>
1537
1538         Reviewed by Keith Miller.
1539
1540         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1541
1542 2018-12-14  Mark Lam  <mark.lam@apple.com>
1543
1544         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1545         https://bugs.webkit.org/show_bug.cgi?id=192717
1546         <rdar://problem/46660677>
1547
1548         Reviewed by Saam Barati.
1549
1550         * stress/regress-192717.js: Added.
1551
1552 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1553
1554         Unreviewed, rolling out r239153, r239154, and r239155.
1555         https://bugs.webkit.org/show_bug.cgi?id=192715
1556
1557         Caused flaky GC-related crashes seen with layout tests
1558         (Requested by ryanhaddad on #webkit).
1559
1560         Reverted changesets:
1561
1562         "[JSC] Optimize Object.keys by caching own keys results in
1563         StructureRareData"
1564         https://bugs.webkit.org/show_bug.cgi?id=190047
1565         https://trac.webkit.org/changeset/239153
1566
1567         "Unreviewed, build fix after r239153"
1568         https://bugs.webkit.org/show_bug.cgi?id=190047
1569         https://trac.webkit.org/changeset/239154
1570
1571         "Unreviewed, build fix after r239153, part 2"
1572         https://bugs.webkit.org/show_bug.cgi?id=190047
1573         https://trac.webkit.org/changeset/239155
1574
1575 2018-12-14  Keith Miller  <keith_miller@apple.com>
1576
1577         Callers of JSString::getIndex should check for OOM exceptions
1578         https://bugs.webkit.org/show_bug.cgi?id=192709
1579
1580         Reviewed by Mark Lam.
1581
1582         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1583
1584 2018-12-13  Mark Lam  <mark.lam@apple.com>
1585
1586         Add a missing exception check.
1587         https://bugs.webkit.org/show_bug.cgi?id=192626
1588         <rdar://problem/46662163>
1589
1590         Reviewed by Keith Miller.
1591
1592         * stress/regress-192626.js: Added.
1593
1594 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1595
1596         [BigInt] Add ValueDiv into DFG
1597         https://bugs.webkit.org/show_bug.cgi?id=186178
1598
1599         Reviewed by Yusuke Suzuki.
1600
1601         * stress/big-int-div-jit-osr.js: Added.
1602         * stress/big-int-div-jit-untyped.js: Added.
1603         * stress/value-div-fixup-int32-big-int.js: Added.
1604
1605 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1606
1607         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1608         https://bugs.webkit.org/show_bug.cgi?id=190047
1609
1610         Reviewed by Keith Miller.
1611
1612         * stress/object-keys-cached-zero.js: Added.
1613         (shouldBe):
1614         (test):
1615         * stress/object-keys-changed-attribute.js: Added.
1616         (shouldBe):
1617         (test):
1618         * stress/object-keys-changed-index.js: Added.
1619         (shouldBe):
1620         (test):
1621         * stress/object-keys-changed.js: Added.
1622         (shouldBe):
1623         (test):
1624         * stress/object-keys-indexed-non-cache.js: Added.
1625         (shouldBe):
1626         (test):
1627         * stress/object-keys-overrides-get-property-names.js: Added.
1628         (shouldBe):
1629         (test):
1630         (noInline):
1631
1632 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1633
1634         [DFG][FTL] Add NewSymbol
1635         https://bugs.webkit.org/show_bug.cgi?id=192620
1636
1637         Reviewed by Saam Barati.
1638
1639         * microbenchmarks/symbol-creation.js: Added.
1640         (test):
1641         * stress/symbol-description-identity.js: Added.
1642         (shouldBe):
1643         (test):
1644         * stress/symbol-identity.js: Added.
1645         (shouldBe):
1646         (test):
1647         * stress/symbol-with-description-throw-error.js: Added.
1648         (shouldBe):
1649         (shouldThrow):
1650         (test):
1651         (object.toString):
1652
1653 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         [BigInt] Implement DFG/FTL typeof for BigInt
1656         https://bugs.webkit.org/show_bug.cgi?id=192619
1657
1658         Reviewed by Keith Miller.
1659
1660         * stress/big-int-boolean-proven-type.js: Added.
1661         (assert):
1662         (bool):
1663         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1664         (assert):
1665         (typeOf):
1666         (i.switch):
1667         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1668         (assert):
1669         (typeOf):
1670         * stress/big-int-type-of.js:
1671         (typeOf):
1672         (func):
1673
1674 2018-12-10  Mark Lam  <mark.lam@apple.com>
1675
1676         PropertyAttribute needs a CustomValue bit.
1677         https://bugs.webkit.org/show_bug.cgi?id=191993
1678         <rdar://problem/46264467>
1679
1680         Reviewed by Saam Barati.
1681
1682         * stress/regress-191993.js: Added.
1683
1684 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1685
1686         [BigInt] Add ValueMul into DFG
1687         https://bugs.webkit.org/show_bug.cgi?id=186175
1688
1689         Reviewed by Yusuke Suzuki.
1690
1691         * stress/big-int-mul-jit-osr.js: Added.
1692         * stress/big-int-mul-jit-untyped.js: Added.
1693         * stress/value-mul-fixup-int32-big-int.js: Added.
1694
1695 2018-12-06  Keith Miller  <keith_miller@apple.com>
1696
1697         stress/big-wasm-memory tests failing on 32-bit JSC bot
1698         https://bugs.webkit.org/show_bug.cgi?id=192020
1699
1700         Reviewed by Saam Barati.
1701
1702         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1703         the wasm stress tests if the WebAssembly object does not exist.
1704
1705         * stress/big-wasm-memory-grow-no-max.js:
1706         (test.foo):
1707         (test):
1708         (foo): Deleted.
1709         (catch): Deleted.
1710         * stress/big-wasm-memory-grow.js:
1711         (test.foo):
1712         (test):
1713         (foo): Deleted.
1714         (catch): Deleted.
1715         * stress/big-wasm-memory.js:
1716         (test.foo):
1717         (test):
1718         (foo): Deleted.
1719         (catch): Deleted.
1720
1721 2018-12-05  Mark Lam  <mark.lam@apple.com>
1722
1723         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1724         https://bugs.webkit.org/show_bug.cgi?id=192441
1725         <rdar://problem/46480355>
1726
1727         Reviewed by Saam Barati.
1728
1729         * stress/regress-192441.js: Added.
1730
1731 2018-12-04  Mark Lam  <mark.lam@apple.com>
1732
1733         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1734         https://bugs.webkit.org/show_bug.cgi?id=192386
1735         <rdar://problem/46445516>
1736
1737         Reviewed by Saam Barati.
1738
1739         * stress/regress-192386.js: Added.
1740
1741 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1742
1743         [ESNext][BigInt] Support logic operations
1744         https://bugs.webkit.org/show_bug.cgi?id=179903
1745
1746         Reviewed by Yusuke Suzuki.
1747
1748         * stress/big-int-branch-usage.js: Added.
1749         * stress/big-int-logical-and.js: Added.
1750         * stress/big-int-logical-not.js: Added.
1751         * stress/big-int-logical-or.js: Added.
1752
1753 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1754
1755         Unreviewed, rolling out r238833.
1756
1757         Breaks macOS and iOS debug builds.
1758
1759         Reverted changeset:
1760
1761         "[ESNext][BigInt] Support logic operations"
1762         https://bugs.webkit.org/show_bug.cgi?id=179903
1763         https://trac.webkit.org/changeset/238833
1764
1765 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1766
1767         [ESNext][BigInt] Support logic operations
1768         https://bugs.webkit.org/show_bug.cgi?id=179903
1769
1770         Reviewed by Yusuke Suzuki.
1771
1772         * stress/big-int-branch-usage.js: Added.
1773         * stress/big-int-logical-and.js: Added.
1774         * stress/big-int-logical-not.js: Added.
1775         * stress/big-int-logical-or.js: Added.
1776
1777 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1778
1779         [ESNext][BigInt] Implement support for "<<" and ">>"
1780         https://bugs.webkit.org/show_bug.cgi?id=186233
1781
1782         Reviewed by Yusuke Suzuki.
1783
1784         * stress/big-int-left-shift-general.js: Added.
1785         * stress/big-int-left-shift-range-error.js: Added.
1786         * stress/big-int-left-shift-type-error.js: Added.
1787         * stress/big-int-left-shift-wrapped-value.js: Added.
1788         * stress/big-int-right-shift-general.js: Added.
1789         * stress/big-int-right-shift-type-error.js: Added.
1790         * stress/big-int-right-shift-wrapped-value.js: Added.
1791         * stress/left-shift-to-primitive-precedence.js: Added.
1792         * stress/right-shift-to-primitive-precedence.js: Added.
1793
1794 2018-11-30  Dean Jackson  <dino@apple.com>
1795
1796         Add first-class support for .mjs files in jsc binary
1797         https://bugs.webkit.org/show_bug.cgi?id=192190
1798         <rdar://problem/46375715>
1799
1800         Reviewed by Keith Miller.
1801
1802         * stress/simple-module.mjs: Added.
1803         * stress/simple-script.js: Added.
1804
1805 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1806
1807         [BigInt] Implement ValueBitXor into DFG
1808         https://bugs.webkit.org/show_bug.cgi?id=190264
1809
1810         Reviewed by Yusuke Suzuki.
1811
1812         * stress/big-int-bitwise-xor-jit.js: Added.
1813         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1814         * stress/big-int-bitwise-xor-untyped.js: Added.
1815
1816 2018-11-27  Saam barati  <sbarati@apple.com>
1817
1818         r238510 broke scopes of size zero
1819         https://bugs.webkit.org/show_bug.cgi?id=192033
1820         <rdar://problem/46281734>
1821
1822         Reviewed by Keith Miller.
1823
1824         * stress/r238510-bad-loop.js: Added.
1825         (foo):
1826
1827 2018-11-27  Mark Lam  <mark.lam@apple.com>
1828
1829         [Re-landing] NaNs read from Wasm code need to be purified.
1830         https://bugs.webkit.org/show_bug.cgi?id=191056
1831         <rdar://problem/45660341>
1832
1833         Reviewed by Filip Pizlo.
1834
1835         * wasm/regress/regress-191056.js: Added.
1836
1837 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1838
1839         Unreviewed, rolling out r238509.
1840
1841         Causes JSC tests to fail on iOS.
1842
1843         Reverted changeset:
1844
1845         "NaNs read from Wasm code need to be purified."
1846         https://bugs.webkit.org/show_bug.cgi?id=191056
1847         https://trac.webkit.org/changeset/238509
1848
1849 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1850
1851         Re-introduce op_bitnot
1852         https://bugs.webkit.org/show_bug.cgi?id=190923
1853
1854         Reviewed by Yusuke Suzuki.
1855
1856         * stress/bit-not-must-generate.js: Added.
1857         * stress/bitwise-not-no-int32.js: Added.
1858
1859 2018-11-26  Saam barati  <sbarati@apple.com>
1860
1861         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1862         https://bugs.webkit.org/show_bug.cgi?id=191956
1863         <rdar://problem/45665806>
1864
1865         Reviewed by Yusuke Suzuki.
1866
1867         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1868         (bar):
1869         (foo):
1870
1871 2018-11-26  Saam barati  <sbarati@apple.com>
1872
1873         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1874         https://bugs.webkit.org/show_bug.cgi?id=191958
1875         <rdar://problem/46221877>
1876
1877         Reviewed by Yusuke Suzuki.
1878
1879         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1880         (x):
1881         (foo):
1882
1883 2018-11-26  Mark Lam  <mark.lam@apple.com>
1884
1885         NaNs read from Wasm code need to be purified.
1886         https://bugs.webkit.org/show_bug.cgi?id=191056
1887         <rdar://problem/45660341>
1888
1889         Reviewed by Filip Pizlo.
1890
1891         * wasm/regress/regress-191056.js: Added.
1892
1893 2018-11-26  Michael Saboff  <msaboff@apple.com>
1894
1895         32-bit JSC test failure: stress/regexp-compile-oom.js
1896         https://bugs.webkit.org/show_bug.cgi?id=191375
1897
1898         Reviewed by Mark Lam.
1899
1900         Disabled the test for 32 bit platforms.
1901
1902         * stress/regexp-compile-oom.js:
1903
1904 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1905
1906         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1907         https://bugs.webkit.org/show_bug.cgi?id=191716
1908         <rdar://problem/45723878>
1909
1910         Reviewed by Saam Barati.
1911
1912         * stress/regress-187373.js: Added.
1913         (async.fn):
1914
1915 2018-11-21  Saam barati  <sbarati@apple.com>
1916
1917         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1918         https://bugs.webkit.org/show_bug.cgi?id=191897
1919         <rdar://problem/45871998>
1920
1921         Reviewed by Mark Lam.
1922
1923         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1924         (bar):
1925         (foo):
1926
1927 2018-11-21  Saam barati  <sbarati@apple.com>
1928
1929         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1930         https://bugs.webkit.org/show_bug.cgi?id=191895
1931         <rdar://problem/46167406>
1932
1933         Reviewed by Mark Lam.
1934
1935         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1936         (foo):
1937         (bar):
1938
1939 2018-11-21  Mark Lam  <mark.lam@apple.com>
1940
1941         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1942         https://bugs.webkit.org/show_bug.cgi?id=191776
1943         <rdar://problem/46152851>
1944
1945         Reviewed by Saam Barati.
1946
1947         * stress/big-wasm-memory-grow-no-max.js:
1948         * stress/big-wasm-memory-grow.js:
1949         * stress/big-wasm-memory.js:
1950         - updated these to expect an OutOfMemoryError.
1951
1952         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1953         (Binary.prototype.emit_u8):
1954         (Binary.prototype.emit_u32v):
1955         (Binary.prototype.emit_header):
1956         (Binary.prototype.emit_section):
1957         (Binary):
1958         (WasmModuleBuilder):
1959         (WasmModuleBuilder.prototype.addMemory):
1960         (WasmModuleBuilder.prototype.toArray):
1961         (WasmModuleBuilder.prototype.toBuffer):
1962         (WasmModuleBuilder.prototype.instantiate):
1963         (catch):
1964         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1965         (catch):
1966
1967 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1968
1969         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1970         https://bugs.webkit.org/show_bug.cgi?id=190836
1971
1972         Reviewed by Saam Barati and Yusuke Suzuki.
1973
1974         * stress/big-int-out-of-memory-tests.js: Added.
1975
1976 2018-11-20  Mark Lam  <mark.lam@apple.com>
1977
1978         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1979         https://bugs.webkit.org/show_bug.cgi?id=191856
1980         <rdar://problem/46089992>
1981
1982         Reviewed by Yusuke Suzuki.
1983
1984         * stress/regress-191856.js: Added.
1985         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1986
1987 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1988
1989         Enable JIT on ARM/Linux
1990         https://bugs.webkit.org/show_bug.cgi?id=191548
1991
1992         Reviewed by Yusuke Suzuki.
1993
1994         Disable test on system with limited memory. Program was killed by
1995         the OS before the exception was thrown.
1996
1997         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1998
1999 2018-11-20  Saam barati  <sbarati@apple.com>
2000
2001         Merging an IC variant may lead to the IC status containing overlapping structure sets
2002         https://bugs.webkit.org/show_bug.cgi?id=191869
2003         <rdar://problem/45403453>
2004
2005         Reviewed by Mark Lam.
2006
2007         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2008
2009 2018-11-19  Mark Lam  <mark.lam@apple.com>
2010
2011         globalFuncImportModule() should return a promise when it clears exceptions.
2012         https://bugs.webkit.org/show_bug.cgi?id=191792
2013         <rdar://problem/46090763>
2014
2015         Reviewed by Michael Saboff.
2016
2017         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2018
2019 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2020
2021         Skip new memory-hungry tests on memory limited devices
2022
2023         Unreviewed gardening.
2024
2025         * stress/big-wasm-memory-grow-no-max.js:
2026         * stress/big-wasm-memory-grow.js:
2027         * stress/big-wasm-memory.js:
2028
2029 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2030
2031         Unreviewed, rolling in the rest of r237254
2032         https://bugs.webkit.org/show_bug.cgi?id=190340
2033
2034         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2035         * stress/function-cache-with-parameters-end-position.js: Added.
2036         (shouldBe):
2037         (shouldThrow):
2038         (i.anonymous):
2039         * stress/function-constructor-name.js: Added.
2040         (shouldBe):
2041         (GeneratorFunction):
2042         (AsyncFunction.async):
2043         (AsyncGeneratorFunction.async):
2044         (anonymous):
2045         (async.anonymous):
2046         * test262/expectations.yaml:
2047
2048 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2049
2050         All users of ArrayBuffer should agree on the same max size
2051         https://bugs.webkit.org/show_bug.cgi?id=191771
2052
2053         Reviewed by Mark Lam.
2054
2055         * stress/big-wasm-memory-grow-no-max.js: Added.
2056         (foo):
2057         (catch):
2058         * stress/big-wasm-memory-grow.js: Added.
2059         (foo):
2060         (catch):
2061         * stress/big-wasm-memory.js: Added.
2062         (foo):
2063         (catch):
2064
2065 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2066
2067         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2068         run for each JSC config since they're regression tests for runtime bugs.
2069
2070         * stress/json-stringified-overflow-2.js:
2071         * stress/json-stringified-overflow.js:
2072
2073 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2074
2075         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2076         config since they're regression tests for runtime bugs.
2077
2078         * stress/large-unshift-splice.js:
2079         * stress/regress-185888.js:
2080
2081 2018-11-16  Saam Barati  <sbarati@apple.com>
2082
2083         KnownCellUse should also have SpecCellCheck as its type filter
2084         https://bugs.webkit.org/show_bug.cgi?id=191729
2085         <rdar://problem/45872852>
2086
2087         Reviewed by Filip Pizlo.
2088
2089         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2090         (C):
2091
2092 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2093
2094         Fix assertion failure on BytecodeGenerator::recordOpcode
2095         https://bugs.webkit.org/show_bug.cgi?id=191724
2096         <rdar://problem/45724395>
2097
2098         Reviewed by Saam Barati.
2099
2100         * stress/regress-187373-2.js: Added.
2101         (foo):
2102
2103 2018-11-15  Mark Lam  <mark.lam@apple.com>
2104
2105         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2106         https://bugs.webkit.org/show_bug.cgi?id=191730
2107         <rdar://problem/46048517>
2108
2109         Reviewed by Saam Barati.
2110
2111         * stress/regress-187006.js: Removed.
2112           - this test is invalid because its sole purpose is to test for the non-spec
2113             compliant behavior that we just fixed.
2114
2115         * stress/regress-191730.js: Added.
2116
2117 2018-11-15  Mark Lam  <mark.lam@apple.com>
2118
2119         RegExp operations should not take fast path if lastIndex is not numeric.
2120         https://bugs.webkit.org/show_bug.cgi?id=191731
2121         <rdar://problem/46017305>
2122
2123         Reviewed by Saam Barati.
2124
2125         * stress/regress-191731.js: Added.
2126
2127 2018-11-13  Saam Barati  <sbarati@apple.com>
2128
2129         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2130         https://bugs.webkit.org/show_bug.cgi?id=191600
2131
2132         Reviewed by Mark Lam.
2133
2134         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2135         (foo):
2136         (test):
2137         (bar):
2138
2139 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2140
2141         Unreviewed, rolling out r238132.
2142
2143         The test added with this change is timing out on Debug JSC
2144         bots.
2145
2146         Reverted changeset:
2147
2148         "[BigInt] JSBigInt::createWithLength should throw when length
2149         is greater than JSBigInt::maxLength"
2150         https://bugs.webkit.org/show_bug.cgi?id=190836
2151         https://trac.webkit.org/changeset/238132
2152
2153 2018-11-13  Mark Lam  <mark.lam@apple.com>
2154
2155         Add OOM detection to StringPrototype's substituteBackreferences().
2156         https://bugs.webkit.org/show_bug.cgi?id=191563
2157         <rdar://problem/45720428>
2158
2159         Reviewed by Saam Barati.
2160
2161         * stress/regress-191563.js: Added.
2162
2163 2018-11-13  Mark Lam  <mark.lam@apple.com>
2164
2165         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2166         https://bugs.webkit.org/show_bug.cgi?id=191579
2167         <rdar://problem/45942472>
2168
2169         Reviewed by Saam Barati.
2170
2171         * stress/regress-191579.js: Added.
2172
2173 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2174
2175         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2176         https://bugs.webkit.org/show_bug.cgi?id=190836
2177
2178         Reviewed by Saam Barati.
2179
2180         * stress/big-int-out-of-memory-tests.js: Added.
2181
2182 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2183
2184         U+180E is no longer a whitespace character
2185         https://bugs.webkit.org/show_bug.cgi?id=191415
2186
2187         Reviewed by Saam Barati.
2188
2189         * ChakraCore/test/es5/regexSpace.baseline:
2190         * ChakraCore/test/es6/unicode_whitespace.js:
2191         Update tests to latest version.
2192         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2193
2194         * test262.yaml:
2195         * test262/config.yaml:
2196         * test262/expectations.yaml:
2197         Update expectations.
2198
2199 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2200
2201         [BigInt] Add support to BigInt into ValueAdd
2202         https://bugs.webkit.org/show_bug.cgi?id=186177
2203
2204         Reviewed by Keith Miller.
2205
2206         * stress/big-int-negate-jit.js:
2207         * stress/value-add-big-int-and-string.js: Added.
2208         * stress/value-add-big-int-prediction-propagation.js: Added.
2209         * stress/value-add-big-int-untyped.js: Added.
2210
2211 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2212
2213         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2214         https://bugs.webkit.org/show_bug.cgi?id=191184
2215
2216         Reviewed by Saam Barati.
2217
2218         Most tests were failing due to timeouts, since they are too slow to
2219         run on CLoop. The exceptions are:
2220
2221         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2222         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2223         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2224         to change the stack size since CLoop requires it to be page aligned.
2225
2226         * microbenchmarks/array-push-1.js:
2227         * microbenchmarks/array-push-2.js:
2228         * microbenchmarks/elidable-new-object-dag.js:
2229         * microbenchmarks/elidable-new-object-roflcopter.js:
2230         * microbenchmarks/elidable-new-object-tree.js:
2231         * microbenchmarks/getter-richards.js:
2232         * microbenchmarks/sinkable-new-object-dag.js:
2233         * microbenchmarks/string-concat-long-convert.js:
2234         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2235         * slowMicrobenchmarks/array-push-3.js:
2236         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2237         * slowMicrobenchmarks/spread-small-array.js:
2238         * slowMicrobenchmarks/undefined-property-access.js:
2239         * stress/activation-sink-default-value-tdz-error.js:
2240         * stress/activation-sink-default-value.js:
2241         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2242         * stress/activation-sink-osrexit-default-value.js:
2243         * stress/activation-sink-osrexit.js:
2244         * stress/activation-sink.js:
2245         * stress/allow-math-ic-b3-code-duplication.js:
2246         * stress/array-push-multiple-int32.js:
2247         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2248         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2249         * stress/arrowfunction-lexical-this-activation-sink.js:
2250         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2251         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2252         * stress/elide-new-object-dag-then-exit.js:
2253         * stress/materialize-regexp-cyclic.js:
2254         * stress/new-regex-inline.js:
2255         * stress/op_add.js:
2256         * stress/op_bitand.js:
2257         * stress/op_bitor.js:
2258         * stress/op_bitxor.js:
2259         * stress/op_div-ConstVar.js:
2260         * stress/op_div-VarConst.js:
2261         * stress/op_div-VarVar.js:
2262         * stress/op_lshift-ConstVar.js:
2263         * stress/op_lshift-VarConst.js:
2264         * stress/op_lshift-VarVar.js:
2265         * stress/op_mod-ConstVar.js:
2266         * stress/op_mod-VarConst.js:
2267         * stress/op_mod-VarVar.js:
2268         * stress/op_mul-ConstVar.js:
2269         * stress/op_mul-VarConst.js:
2270         * stress/op_mul-VarVar.js:
2271         * stress/op_rshift-ConstVar.js:
2272         * stress/op_rshift-VarConst.js:
2273         * stress/op_rshift-VarVar.js:
2274         * stress/op_sub-ConstVar.js:
2275         * stress/op_sub-VarConst.js:
2276         * stress/op_sub-VarVar.js:
2277         * stress/op_urshift-ConstVar.js:
2278         * stress/op_urshift-VarConst.js:
2279         * stress/op_urshift-VarVar.js:
2280         * stress/proxy-get-set-correct-receiver.js:
2281         * stress/regress-179562.js:
2282         * stress/rest-parameter-many-arguments.js:
2283         * stress/sampling-profiler-richards.js:
2284         * stress/splay-flash-access-1ms.js:
2285         * stress/tailCallForwardArguments.js:
2286         * stress/typed-array-get-by-val-profiling.js:
2287         * typeProfiler/getter-richards.js:
2288
2289 2018-11-06  Michael Saboff  <msaboff@apple.com>
2290
2291         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2292         https://bugs.webkit.org/show_bug.cgi?id=191271
2293
2294         Reviewed by Saam Barati.
2295
2296         Added more test cases and made all test cases run with the same deeply recursive stack
2297         instead of finding that same point for each test case.
2298
2299         * stress/regexp-compile-oom.js:
2300         (prototype.runTest):
2301         (recurseAndTest):
2302         (testList.push.new.TestAndExpectedException):
2303
2304 2018-11-05  Michael Saboff  <msaboff@apple.com>
2305
2306         Unreviewed build fix for linux.
2307
2308         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2309
2310 2018-11-02  Michael Saboff  <msaboff@apple.com>
2311
2312         Rolling in r237753 with unreviewed build fix.
2313
2314         Fixed issues with DECLARE_THROW_SCOPE placement.
2315
2316 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2317
2318         Unreviewed, rolling out r237753.
2319
2320         Introduced JSC test failures
2321
2322         Reverted changeset:
2323
2324         "Running out of stack space not properly handled in
2325         RegExp::compile() and its callers"
2326         https://bugs.webkit.org/show_bug.cgi?id=191206
2327         https://trac.webkit.org/changeset/237753
2328
2329 2018-11-02  Michael Saboff  <msaboff@apple.com>
2330
2331         Running out of stack space not properly handled in RegExp::compile() and its callers
2332         https://bugs.webkit.org/show_bug.cgi?id=191206
2333
2334         Reviewed by Filip Pizlo.
2335
2336         New regression test.
2337
2338         * stress/regexp-compile-oom.js: Added.
2339         (recurseAndTest):
2340
2341 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2342
2343         Skip tests on arm/mips that time out now we're running on CLoop
2344
2345         Unreviewed gardening.
2346
2347         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2348         time out on the bots and need to be disabled. There are more tests
2349         disabled on arm because the timeout is longer on the mips bot (as the
2350         device is slower to start with), so many of the tests don't time out
2351         there.
2352
2353         * microbenchmarks/getter-richards.js: disable on arm and mips.
2354         * stress/op_add.js: disable on arm.
2355         * stress/op_bitand.js: disable on arm.
2356         * stress/op_bitor.js: disable on arm.
2357         * stress/op_bitxor.js: disable on arm.
2358         * stress/op_lshift-ConstVar.js: disable on arm.
2359         * stress/op_lshift-VarConst.js: disable on arm.
2360         * stress/op_lshift-VarVar.js: disable on arm.
2361         * stress/op_mod-ConstVar.js: disable on arm.
2362         * stress/op_mod-VarConst.js: disable on arm.
2363         * stress/op_mod-VarVar.js: disable on arm.
2364         * stress/op_mul-ConstVar.js: disable on arm.
2365         * stress/op_mul-VarConst.js: disable on arm.
2366         * stress/op_mul-VarVar.js: disable on arm.
2367         * stress/op_rshift-ConstVar.js: disable on arm.
2368         * stress/op_rshift-VarConst.js: disable on arm.
2369         * stress/op_rshift-VarVar.js: disable on arm.
2370         * stress/op_sub-ConstVar.js: disable on arm.
2371         * stress/op_sub-VarConst.js: disable on arm.
2372         * stress/op_sub-VarVar.js: disable on arm.
2373         * stress/op_urshift-ConstVar.js: disable on arm.
2374         * stress/op_urshift-VarConst.js: disable on arm.
2375         * stress/op_urshift-VarVar.js: disable on arm.
2376         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2377         * stress/value-to-boolean.js: disable on arm and mips.
2378
2379 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2380
2381         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2382         https://bugs.webkit.org/show_bug.cgi?id=191108
2383         <rdar://problem/45690700>
2384
2385         Reviewed by Saam Barati.
2386
2387         * stress/wide-op_catch.js: Added.
2388         (catch):
2389
2390 2018-10-29  Mark Lam  <mark.lam@apple.com>
2391
2392         Correctly detect string overflow when using the 'Function' constructor.
2393         https://bugs.webkit.org/show_bug.cgi?id=184883
2394         <rdar://problem/36320331>
2395
2396         Reviewed by Saam Barati.
2397
2398         I've verified that this passes on 32-bit as well.
2399
2400         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2401
2402 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2403
2404         Add support for GetStack FlushedDouble
2405         https://bugs.webkit.org/show_bug.cgi?id=191012
2406         <rdar://problem/45265141>
2407
2408         Reviewed by Saam Barati.
2409
2410         * stress/get-stack-double.js: Added.
2411         (bar):
2412         (noInline):
2413
2414 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2415
2416         New bytecode format for JSC
2417         https://bugs.webkit.org/show_bug.cgi?id=187373
2418         <rdar://problem/44186758>
2419
2420         Reviewed by Filip Pizlo.
2421
2422         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2423
2424         * stress/maximum-inline-capacity.js: Added.
2425         (test1):
2426         (test3.Foo):
2427         (test3):
2428
2429 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2430
2431         Unreviewed, rolling out r237479 and r237484.
2432         https://bugs.webkit.org/show_bug.cgi?id=190978
2433
2434         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2435
2436         Reverted changesets:
2437
2438         "New bytecode format for JSC"
2439         https://bugs.webkit.org/show_bug.cgi?id=187373
2440         https://trac.webkit.org/changeset/237479
2441
2442         "Gardening: Build fix after r237479."
2443         https://bugs.webkit.org/show_bug.cgi?id=187373
2444         https://trac.webkit.org/changeset/237484
2445
2446 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2447
2448         New bytecode format for JSC
2449         https://bugs.webkit.org/show_bug.cgi?id=187373
2450         <rdar://problem/44186758>
2451
2452         Reviewed by Filip Pizlo.
2453
2454         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2455
2456         * stress/maximum-inline-capacity.js: Added.
2457         (test1):
2458         (test3.Foo):
2459         (test3):
2460
2461 2018-10-26  Mark Lam  <mark.lam@apple.com>
2462
2463         Fix missing edge cases with JSGlobalObjects having a bad time.
2464         https://bugs.webkit.org/show_bug.cgi?id=189028
2465         <rdar://problem/45204939>
2466
2467         Reviewed by Saam Barati.
2468
2469         * stress/regress-189028.js: Added.
2470
2471 2018-10-22  Mark Lam  <mark.lam@apple.com>
2472
2473         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2474         https://bugs.webkit.org/show_bug.cgi?id=190515
2475         <rdar://problem/45222379>
2476
2477         Rubber-stamped by Saam Barati.
2478
2479         Adding another test.
2480
2481         * stress/regress-190515-2.js: Added.
2482
2483 2018-10-22  Mark Lam  <mark.lam@apple.com>
2484
2485         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2486         https://bugs.webkit.org/show_bug.cgi?id=190515
2487         <rdar://problem/45222379>
2488
2489         Reviewed by Saam Barati.
2490
2491         * stress/regress-190515.js: Added.
2492
2493 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2494
2495         Unreviewed, rolling out r237254.
2496         https://bugs.webkit.org/show_bug.cgi?id=190760
2497
2498         "It regresses JetStream 2 by 5% on some iOS devices"
2499         (Requested by saamyjoon on #webkit).
2500
2501         Reverted changeset:
2502
2503         "[JSC] JSC should have "parseFunction" to optimize Function
2504         constructor"
2505         https://bugs.webkit.org/show_bug.cgi?id=190340
2506         https://trac.webkit.org/changeset/237254
2507
2508 2018-10-19  Saam Barati  <sbarati@apple.com>
2509
2510         vmCall should check if we exit before emitting an OSR exit due to exceptions
2511         https://bugs.webkit.org/show_bug.cgi?id=190740
2512         <rdar://problem/45220139>
2513
2514         Reviewed by Mark Lam.
2515
2516         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2517         (foo):
2518
2519 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2520
2521         [ESNext][BigInt] Implement support for "^"
2522         https://bugs.webkit.org/show_bug.cgi?id=186235
2523
2524         Reviewed by Yusuke Suzuki.
2525
2526         * stress/big-int-bitwise-xor-general.js: Added.
2527         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2528         * stress/big-int-bitwise-xor-type-error.js: Added.
2529         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2530
2531 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2532
2533         [BigInt] Add ValueSub into DFG
2534         https://bugs.webkit.org/show_bug.cgi?id=186176
2535
2536         Reviewed by Yusuke Suzuki.
2537
2538         * stress/big-int-subtraction-jit.js:
2539         * stress/value-sub-big-int-prediction-propagation.js: Added.
2540         * stress/value-sub-big-int-untyped.js: Added.
2541         * stress/value-sub-spec-none-case.js: Added.
2542
2543 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2544
2545         [JSC] JSC should have "parseFunction" to optimize Function constructor
2546         https://bugs.webkit.org/show_bug.cgi?id=190340
2547
2548         Reviewed by Mark Lam.
2549
2550         This patch fixes the line number of syntax errors raised by the Function constructor,
2551         since we now parse the final code only once. And we no longer use block statement
2552         for Function constructor's parsing.
2553
2554         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2555         * stress/function-cache-with-parameters-end-position.js: Added.
2556         (shouldBe):
2557         (shouldThrow):
2558         (i.anonymous):
2559         * stress/function-constructor-name.js: Added.
2560         (shouldBe):
2561         (GeneratorFunction):
2562         (AsyncFunction.async):
2563         (AsyncGeneratorFunction.async):
2564         (anonymous):
2565         (async.anonymous):
2566         * test262/expectations.yaml:
2567
2568 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2569
2570         Unreviewed, rolling out r237242.
2571         https://bugs.webkit.org/show_bug.cgi?id=190701
2572
2573         it breaks "stress/sampling-profiler-basic.js" (Requested by
2574         caiolima on #webkit).
2575
2576         Reverted changeset:
2577
2578         "[BigInt] Add ValueSub into DFG"
2579         https://bugs.webkit.org/show_bug.cgi?id=186176
2580         https://trac.webkit.org/changeset/237242
2581
2582 2018-10-17  Keith Miller  <keith_miller@apple.com>
2583
2584         AI does not clear Phantom allocation nodes.
2585         https://bugs.webkit.org/show_bug.cgi?id=190694
2586
2587         Reviewed by Saam Barati.
2588
2589         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2590         (Day):
2591         (DaysInYear):
2592         (TimeInYear):
2593         (TimeFromYear):
2594         (DayFromYear):
2595         (InLeapYear):
2596         (YearFromTime):
2597         (WeekDay):
2598         (DaylightSavingTA):
2599         (GetSecondSundayInMarch):
2600         (TimeInMonth):
2601
2602 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2603
2604         [BigInt] Add ValueSub into DFG
2605         https://bugs.webkit.org/show_bug.cgi?id=186176
2606
2607         Reviewed by Yusuke Suzuki.
2608
2609         * stress/big-int-subtraction-jit.js:
2610         * stress/value-sub-big-int-prediction-propagation.js: Added.
2611         * stress/value-sub-big-int-untyped.js: Added.
2612
2613 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2614
2615         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2616         https://bugs.webkit.org/show_bug.cgi?id=190611
2617
2618         Reviewed by Saam Barati.
2619
2620         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2621         to improve test runtime. On ARM/MIPS this test even timed out when running all
2622         tests.
2623
2624         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2625         (test):
2626
2627 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2628
2629         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2630
2631         Unreviewed gardening.
2632
2633         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2634
2635 2018-10-15  Saam barati  <sbarati@apple.com>
2636
2637         Emit fjcvtzs on ARM64E on Darwin
2638         https://bugs.webkit.org/show_bug.cgi?id=184023
2639
2640         Reviewed by Yusuke Suzuki and Filip Pizlo.
2641
2642         * stress/double-to-int32-NaN.js: Added.
2643         (assert):
2644         (foo):
2645
2646 2018-10-15  Saam Barati  <sbarati@apple.com>
2647
2648         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2649         https://bugs.webkit.org/show_bug.cgi?id=190262
2650         <rdar://problem/44986241>
2651
2652         Reviewed by Mark Lam.
2653
2654         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2655         (test):
2656         * stress/slice-array-storage-with-holes.js: Added.
2657         (main):
2658
2659 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2660
2661         Unreviewed, rolling out r237054.
2662         https://bugs.webkit.org/show_bug.cgi?id=190593
2663
2664         "this regressed JetStream 2 by 6% on iOS" (Requested by
2665         saamyjoon on #webkit).
2666
2667         Reverted changeset:
2668
2669         "[JSC] JSC should have "parseFunction" to optimize Function
2670         constructor"
2671         https://bugs.webkit.org/show_bug.cgi?id=190340
2672         https://trac.webkit.org/changeset/237054
2673
2674 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2675
2676         [JSC] JSON.stringify can accept call-with-no-arguments
2677         https://bugs.webkit.org/show_bug.cgi?id=190343
2678
2679         Reviewed by Mark Lam.
2680
2681         * stress/json-stringify-no-arguments.js: Added.
2682         (shouldBe):
2683
2684 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2685
2686         [JSC] JSC should have "parseFunction" to optimize Function constructor
2687         https://bugs.webkit.org/show_bug.cgi?id=190340
2688
2689         Reviewed by Mark Lam.
2690
2691         This patch fixes the line number of syntax errors raised by the Function constructor,
2692         since we now parse the final code only once. And we no longer use block statement
2693         for Function constructor's parsing.
2694
2695         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2696         * stress/function-cache-with-parameters-end-position.js: Added.
2697         (shouldBe):
2698         (shouldThrow):
2699         (i.anonymous):
2700         * stress/function-constructor-name.js: Added.
2701         (shouldBe):
2702         (GeneratorFunction):
2703         (AsyncFunction.async):
2704         (AsyncGeneratorFunction.async):
2705         (anonymous):
2706         (async.anonymous):
2707         * test262/expectations.yaml:
2708
2709 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2710
2711         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2712         https://bugs.webkit.org/show_bug.cgi?id=190426
2713
2714         Unreviewed gardening.
2715
2716         * stress/sampling-profiler-richards.js:
2717
2718 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2719
2720         [ESNext][BigInt] Implement support for "|"
2721         https://bugs.webkit.org/show_bug.cgi?id=186229
2722
2723         Reviewed by Yusuke Suzuki.
2724
2725         * stress/big-int-bitwise-and-jit.js:
2726         * stress/big-int-bitwise-or-general.js: Added.
2727         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2728         * stress/big-int-bitwise-or-jit.js: Added.
2729         * stress/big-int-bitwise-or-memory-stress.js: Added.
2730         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2731         * stress/big-int-bitwise-or-type-error.js: Added.
2732         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2733
2734 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2735
2736         Skip test on systems with limited memory
2737         https://bugs.webkit.org/show_bug.cgi?id=190310
2738
2739         Invoking runDefault adds test to runlist; skipping the test in the next
2740         line does not prevent the test from executing. Change order of lines such
2741         that runDefault is only executed if test is not executed.
2742
2743         Reviewed by Mark Lam.
2744
2745         * stress/regress-190187.js:
2746
2747 2018-10-03  Saam barati  <sbarati@apple.com>
2748
2749         lowXYZ in FTLLower should always filter the type of the incoming edge
2750         https://bugs.webkit.org/show_bug.cgi?id=189939
2751         <rdar://problem/44407030>
2752
2753         Reviewed by Michael Saboff.
2754
2755         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2756         (foo):
2757         (test):
2758
2759 2018-10-03  Mark Lam  <mark.lam@apple.com>
2760
2761         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2762         https://bugs.webkit.org/show_bug.cgi?id=190187
2763         <rdar://problem/42512909>
2764
2765         Reviewed by Michael Saboff.
2766
2767         * stress/regress-190187.js: Added.
2768
2769 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2770
2771         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2772         https://bugs.webkit.org/show_bug.cgi?id=190033
2773
2774         Reviewed by Yusuke Suzuki.
2775
2776         * stress/big-int-to-string.js:
2777
2778 2018-10-01  Mark Lam  <mark.lam@apple.com>
2779
2780         Function.toString() should also copy the source code of Functions that are class definitions.
2781         https://bugs.webkit.org/show_bug.cgi?id=190186
2782         <rdar://problem/44733360>
2783
2784         Reviewed by Saam Barati.
2785
2786         * stress/regress-190186.js: Added.
2787
2788 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2789
2790         Split NaN-check into separate test
2791         https://bugs.webkit.org/show_bug.cgi?id=190010
2792
2793         Reviewed by Saam Barati.
2794
2795         DataView exposes NaN-representation, which is not necessarily the same on each
2796         architecture. Therefore move the check of the NaN-representation into its own
2797         file such that we can disable this test on MIPS where NaN-representation can be
2798         different on older CPUs.
2799
2800         * stress/dataview-jit-set-nan.js: Added.
2801         (assert):
2802         (test.storeLittleEndian):
2803         (test.storeBigEndian):
2804         (test.store):
2805         (test):
2806         * stress/dataview-jit-set.js:
2807         (test5):
2808
2809 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2810
2811         Unreviewed, rolling out r236647.
2812         https://bugs.webkit.org/show_bug.cgi?id=190124
2813
2814         Breaking test stress/big-int-to-string.js (Requested by
2815         caiolima_ on #webkit).
2816
2817         Reverted changeset:
2818
2819         "[BigInt] BigInt.prototype.toString is broken when radix is
2820         power of 2"
2821         https://bugs.webkit.org/show_bug.cgi?id=190033
2822         https://trac.webkit.org/changeset/236647
2823
2824 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2825
2826         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2827         https://bugs.webkit.org/show_bug.cgi?id=190033
2828
2829         Reviewed by Yusuke Suzuki.
2830
2831         * stress/big-int-to-string.js:
2832
2833 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2834
2835         [ESNext][BigInt] Implement support for "&"
2836         https://bugs.webkit.org/show_bug.cgi?id=186228
2837
2838         Reviewed by Yusuke Suzuki.
2839
2840         * stress/big-int-bitwise-and-general.js: Added.
2841         (assert):
2842         (assert.sameValue):
2843         * stress/big-int-bitwise-and-jit.js: Added.
2844         (let.assert.sameValue):
2845         (bigIntBitAnd):
2846         * stress/big-int-bitwise-and-memory-stress.js: Added.
2847         (assert):
2848         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2849         (assert.sameValue):
2850         (let.o.Symbol.toPrimitive):
2851         (catch):
2852         * stress/big-int-bitwise-and-type-error.js: Added.
2853         (assert):
2854         (assertThrowTypeError):
2855         (let.o.valueOf):
2856         (o.valueOf):
2857         (o.toString):
2858         (o.Symbol.toPrimitive):
2859         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2860         (assert.sameValue):
2861         (testBitAnd):
2862         (let.o.Symbol.toPrimitive):
2863         (o.valueOf):
2864         (o.toString):
2865
2866 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2867
2868         JSC test stress/jsc-read.js doesn't support CRLF
2869         https://bugs.webkit.org/show_bug.cgi?id=190063
2870
2871         Reviewed by Yusuke Suzuki.
2872
2873         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2874
2875         * stress/jsc-read.js:
2876         (test):
2877
2878 2018-09-27  Saam barati  <sbarati@apple.com>
2879
2880         Verify the contents of AssemblerBuffer on arm64e
2881         https://bugs.webkit.org/show_bug.cgi?id=190057
2882         <rdar://problem/38916630>
2883
2884         Reviewed by Mark Lam.
2885
2886         * stress/regress-189132.js:
2887
2888 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2889
2890         Disable test without LLInt on ARMv7
2891         https://bugs.webkit.org/show_bug.cgi?id=190037
2892
2893         Reviewed by Mark Lam.
2894
2895         Test runs out of executable memory on ARMv7; do not run
2896         this test without LLInt enabled.
2897
2898         * stress/regress-169445.js:
2899
2900 2018-09-26  Keith Miller  <keith_miller@apple.com>
2901
2902         We should zero unused property storage when rebalancing array storage.
2903         https://bugs.webkit.org/show_bug.cgi?id=188151
2904
2905         Reviewed by Michael Saboff.
2906
2907         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2908
2909 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2910
2911         [JSC] Optimize Array#lastIndexOf
2912         https://bugs.webkit.org/show_bug.cgi?id=189780
2913
2914         Reviewed by Saam Barati.
2915
2916         * stress/array-lastindexof-array-prototype-trap.js: Added.
2917         (shouldBe):
2918         (AncestorArray.prototype.get 2):
2919         (AncestorArray):
2920         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2921         (shouldBe):
2922         * stress/array-lastindexof-hole-nan.js: Added.
2923         (shouldBe):
2924         (throw.new.Error):
2925         * stress/array-lastindexof-infinity.js: Added.
2926         (shouldBe):
2927         (throw.new.Error):
2928         * stress/array-lastindexof-negative-zero.js: Added.
2929         (shouldBe):
2930         (throw.new.Error):
2931         * stress/array-lastindexof-own-getter.js: Added.
2932         (shouldBe):
2933         (throw.new.Error.get array):
2934         (get array):
2935         * stress/array-lastindexof-prototype-trap.js: Added.
2936         (shouldBe):
2937         (DerivedArray.prototype.get 2):
2938         (DerivedArray):
2939
2940 2018-09-25  Saam Barati  <sbarati@apple.com>
2941
2942         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2943         https://bugs.webkit.org/show_bug.cgi?id=189940
2944         <rdar://problem/43640987>
2945
2946         Reviewed by Mark Lam.
2947
2948         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2949
2950 2018-09-24  Saam Barati  <sbarati@apple.com>
2951
2952         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2953         https://bugs.webkit.org/show_bug.cgi?id=189922
2954         <rdar://problem/44651275>
2955
2956         Reviewed by Mark Lam.
2957
2958         * stress/array-indexof-fast-path-effects.js: Added.
2959         * stress/array-indexof-cached-length.js: Added.
2960
2961 2018-09-24  Saam barati  <sbarati@apple.com>
2962
2963         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2964         https://bugs.webkit.org/show_bug.cgi?id=189682
2965         <rdar://problem/43557315>
2966
2967         Reviewed by Mark Lam.
2968
2969         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2970         (foo):
2971
2972 2018-09-22  Saam barati  <sbarati@apple.com>
2973
2974         The sampling should not use Strong<CodeBlock> in its machineLocation field
2975         https://bugs.webkit.org/show_bug.cgi?id=189319
2976
2977         Reviewed by Filip Pizlo.
2978
2979         * stress/sampling-profiler-richards.js: Added.
2980
2981 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2982
2983         [JSC] Optimize Array#indexOf in C++ runtime
2984         https://bugs.webkit.org/show_bug.cgi?id=189507
2985
2986         Reviewed by Saam Barati.
2987
2988         * stress/array-indexof-array-prototype-trap.js: Added.
2989         (shouldBe):
2990         (AncestorArray.prototype.get 2):
2991         (AncestorArray):
2992         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2993         (shouldBe):
2994         * stress/array-indexof-hole-nan.js: Added.
2995         (shouldBe):
2996         (throw.new.Error):
2997         * stress/array-indexof-infinity.js: Added.
2998         (shouldBe):
2999         (throw.new.Error):
3000         * stress/array-indexof-negative-zero.js: Added.
3001         (shouldBe):
3002         (throw.new.Error):
3003         * stress/array-indexof-own-getter.js: Added.
3004         (shouldBe):
3005         (throw.new.Error.get array):
3006         (get array):
3007         * stress/array-indexof-prototype-trap.js: Added.
3008         (shouldBe):
3009         (DerivedArray.prototype.get 2):
3010         (DerivedArray):
3011
3012 2018-09-19  Saam barati  <sbarati@apple.com>
3013
3014         AI rule for MultiPutByOffset executes its effects in the wrong order
3015         https://bugs.webkit.org/show_bug.cgi?id=189757
3016         <rdar://problem/43535257>
3017
3018         Reviewed by Michael Saboff.
3019
3020         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3021         (foo):
3022         (Foo):
3023         (g):
3024
3025 2018-09-17  Mark Lam  <mark.lam@apple.com>
3026
3027         Ensure that ForInContexts are invalidated if their loop local is over-written.
3028         https://bugs.webkit.org/show_bug.cgi?id=189571
3029         <rdar://problem/44402277>
3030
3031         Reviewed by Saam Barati.
3032
3033         * stress/regress-189571.js: Added.
3034
3035 2018-09-17  Saam barati  <sbarati@apple.com>
3036
3037         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3038         https://bugs.webkit.org/show_bug.cgi?id=189676
3039         <rdar://problem/39682897>
3040
3041         Reviewed by Michael Saboff.
3042
3043         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3044         (A):
3045         (K):
3046         (i.catch):
3047
3048 2018-09-14  Saam barati  <sbarati@apple.com>
3049
3050         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3051         https://bugs.webkit.org/show_bug.cgi?id=189628
3052         <rdar://problem/39481690>
3053
3054         Reviewed by Mark Lam.
3055
3056         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3057         (foo):
3058
3059 2018-09-11  Mark Lam  <mark.lam@apple.com>
3060
3061         Test for array initialization in arrayProtoFuncSplice.
3062         https://bugs.webkit.org/show_bug.cgi?id=170253
3063         <rdar://problem/31328773>
3064
3065         Rubber-stamped by Saam Barati.
3066
3067         * stress/regress-170253.js: Added.
3068
3069 2018-09-11  Mark Lam  <mark.lam@apple.com>
3070
3071         Test for IntlObject initialization.
3072         https://bugs.webkit.org/show_bug.cgi?id=170251
3073         <rdar://problem/31328419>
3074
3075         Rubber-stamped by Saam Barati.
3076
3077         * stress/regress-170251.js: Added.
3078
3079 2018-09-11  Mark Lam  <mark.lam@apple.com>
3080
3081         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3082         https://bugs.webkit.org/show_bug.cgi?id=169889
3083         <rdar://problem/31155607>
3084
3085         Reviewed by Saam Barati.
3086
3087         * stress/regress-169889-array-concat.js: Added.
3088         * stress/regress-169889-array-concat1.js: Added.
3089         * stress/regress-169889-array-slice.js: Added.
3090
3091 2018-09-11  Mark Lam  <mark.lam@apple.com>
3092
3093         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3094         https://bugs.webkit.org/show_bug.cgi?id=169445
3095         <rdar://problem/30957435>
3096
3097         Reviewed by Saam Barati.
3098
3099         * stress/regress-169445.js: Added.
3100         (let.gun.eval.A):
3101         (let.gun.eval.B.C):
3102         (let.gun.eval.B.C.prototype.trigger):
3103         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3104         (let.gun.eval.B):
3105         (let.gun.eval):
3106
3107 == Rolled over to ChangeLog-2018-09-11 ==