ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
[WebKit-https.git] / JSTests / ChangeLog
2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-builder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry should respect abstract values in addition to flush formats
        https://bugs.webkit.org/show_bug.cgi?id=195653

        Reviewed by Mark Lam.

        * stress/osr-entry-locals-none.js: Added.

2019-03-12  Michael Saboff  <msaboff@apple.com>

        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
        https://bugs.webkit.org/show_bug.cgi?id=195613

        Reviewed by Mark Lam.

        New regression test.

        * stress/regexp-backref-inbounds.js: Added.
        (testRegExp):

2019-03-12  Mark Lam  <mark.lam@apple.com>

        The HasIndexedProperty node does GC.
        https://bugs.webkit.org/show_bug.cgi?id=195559
        <rdar://problem/48767923>

        Reviewed by Yusuke Suzuki.

        * stress/HasIndexedProperty-does-gc.js: Added.

2019-03-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "~" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182216

        Reviewed by Keith Miller.

        * stress/big-int-bit-not-general.js: Added.
        * stress/big-int-bitwise-not-jit.js: Added.
        * stress/big-int-bitwise-not-wrapped-value.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/bitwise-not-fixup-rules.js: Added.
        * stress/value-bit-not-ai-rule.js: Added.

2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>

        Invalid flags in a RegExp literal should be an early SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=195514

        Reviewed by Darin Adler.

        * test262/expectations.yaml:
        Mark 4 test cases as passing.

        * stress/regexp-syntax-error-invalid-flags.js:
        * stress/regress-161995.js: Removed.
        Update existing test, merging in an older test for the same behavior.

2019-03-08  Mark Lam  <mark.lam@apple.com>

        Stack overflow crash in JSC::JSObject::hasInstance.
        https://bugs.webkit.org/show_bug.cgi?id=195458
        <rdar://problem/48710195>

        Reviewed by Yusuke Suzuki.

        * stress/stack-overflow-in-custom-hasInstance.js: Added.

2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>

        op_check_tdz does not def its argument
        https://bugs.webkit.org/show_bug.cgi?id=192880
        <rdar://problem/46221598>

        Reviewed by Saam Barati.

        * microbenchmarks/let-for-in.js: Added.
        (foo):

2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=195429

        Reviewed by Saam Barati.

        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
        (foo):
        * stress/string-from-char-code-255.js: Added.

2019-03-06  Mark Lam  <mark.lam@apple.com>

        Fix incorrect handling of try-finally completion values.
        https://bugs.webkit.org/show_bug.cgi?id=195131
        <rdar://problem/46222079>

        Reviewed by Saam Barati and Yusuke Suzuki.

        Added many permutations of new test case to test-finally.js.  test-finally.js has
        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
        tests pass there as well.

        * stress/test-finally.js:

2019-03-06  Saam Barati  <sbarati@apple.com>

        Air::reportUsedRegisters must padInterference
        https://bugs.webkit.org/show_bug.cgi?id=195303
        <rdar://problem/48270343>

        Reviewed by Keith Miller.

        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.

2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI should not propagate AbstractValue relying on constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=195375

        Reviewed by Saam Barati.

        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
        (let.array):

2019-03-05  Saam barati  <sbarati@apple.com>

        op_switch_char broken for rope strings after JSRopeString layout rewrite
        https://bugs.webkit.org/show_bug.cgi?id=195339
        <rdar://problem/48592545>

        Reviewed by Yusuke Suzuki.

        * stress/switch-on-char-llint-rope.js: Added.

2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store bits for JSRopeString in 3 stores
        https://bugs.webkit.org/show_bug.cgi?id=195234

        Reviewed by Saam Barati.

        * stress/null-rope-and-collectors.js: Added.

2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195207

        Unreviewed. After test runtime was reduced in r242213, test can be
        run again on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sizeof(JSString) should be 16
        https://bugs.webkit.org/show_bug.cgi?id=194375

        Reviewed by Saam Barati.

        * microbenchmarks/make-rope.js: Added.
        (makeRope):
        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
        (returnRope.helper): Deleted.
        (returnRope): Deleted.

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
        https://bugs.webkit.org/show_bug.cgi?id=195144

        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
        Change the number from 1e8 to 1e5.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        (foo):

2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        Test times out on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195168

        Unreviewed. Skip test on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-27  Mark Lam  <mark.lam@apple.com>

        The parser is failing to record the token location of new in new.target.
        https://bugs.webkit.org/show_bug.cgi?id=195127
        <rdar://problem/39645578>

        Reviewed by Yusuke Suzuki.

        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.

2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
        https://bugs.webkit.org/show_bug.cgi?id=195144
        <rdar://problem/47595961>

        Reviewed by Mark Lam.

        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
        (bar):
        (foo):
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
        (bar):
        (foo):

2019-02-27  Robin Morisset  <rmorisset@apple.com>

        DFG: Loop-invariant code motion (LICM) should not hoist dead code
        https://bugs.webkit.org/show_bug.cgi?id=194945
        <rdar://problem/48311657>

        Reviewed by Mark Lam.

        * stress/licm-dead-code.js: Added.

2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
        https://bugs.webkit.org/show_bug.cgi?id=194677
        <rdar://problem/48112492>

        Reviewed by Mark Lam.

        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
        it immediately fails due to the large size.

        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
        OOM error anyway because JSON.stringify's builder overflows with such a large string input.

        This patch changes the test to produce 16bit string from String.fromCharCode.

        * stress/regress-178386.js:

2019-02-26  Mark Lam  <mark.lam@apple.com>

        wasmToJS() should purify incoming NaNs.
        https://bugs.webkit.org/show_bug.cgi?id=194807
        <rdar://problem/48189132>

        Reviewed by Saam Barati.

        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.

2019-02-26  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Repeat string created from Array.prototype.join() take too much memory
        https://bugs.webkit.org/show_bug.cgi?id=193912

        Reviewed by Saam Barati.

        Added a test and a microbenchmark for corner cases of
        Array.prototype.join() with an uninitialized array.

        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
        * stress/array-prototype-join-uninitialized.js: Added.
        (testArray):
        (testABC):
        (B):
        (C):

2019-02-22  Robin Morisset  <rmorisset@apple.com>

        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
        https://bugs.webkit.org/show_bug.cgi?id=194953
        <rdar://problem/47595253>

        Reviewed by Saam Barati.

        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

        * stress/has-indexed-property-with-worsening-array-mode.js: Added.

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        Do not skip test since crash with sampling profiler is now fixed.

        * stress/sampling-profiler-richards.js:

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
        (getProperties):
        (getRandomProperty):
        (i.catch):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test gardening: Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194771

        Unreviewed. Do not run test without LLInt, test is running out of executable
        memory on ARM otherwise.

        * stress/tagged-template-object-collect.js:

2019-02-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip the test on platforms without sampling profiler

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler):
        (foo): Deleted.
        (test): Deleted.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        New regression test.

        * stress/regexp-unicode-within-string.js: Added.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.

2019-02-15  Robin Morisset  <rmorisset@apple.com>
        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * stress/regexp-replace-double-watchpoint.js: Added.
        (foo):

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        * stress/tail-call-many-arguments.js: Added.
        (foo):
        (bar):

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        * stress/string-from-char-code-slow-path.js: Added.
        (shouldBe):
        (testWithLength):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * stress/check-in-bounds-should-be-a-child-use.js: Added.
        (func):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
        (A):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.

        * ChakraCore.yaml:

2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194285

        Unreviewed. Do not execute test with LLInt disabled, test runs out of
        executable memory otherwise.

        * stress/class-subclassing-function.js:

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
        So even tiny changes to this test can change the path code taken.

        * stress/assert-not-empty.js: Added.
        (foo):

2019-02-01  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in DFG's compileDoubleRep().
        https://bugs.webkit.org/show_bug.cgi?id=194130
        <rdar://problem/47699474>

        Reviewed by Saam Barati.

        * stress/constant-fold-double-rep-into-double-constant.js: Added.

2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>

        Import latest Test262 updates.

        Rubber-stamped by Keith Miller.

        * test262.yaml: Deleted.
        * test262/config.yaml:
        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Reviewed by Yusuke Suzuki.

        * stress/object-keys-osr-exit.js: Added.
        (foo):
        (catch):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
        (testUncheckedLessThanZero):
        (testUncheckedLessThanOrEqualZero):
        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r240220 due to date-format-xparb regression
        https://bugs.webkit.org/show_bug.cgi?id=193603

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.

2019-01-21  Caio Lima  <ticaiolima@gmail.com>

        DoesGC rule is wrong for nodes with BigIntUse
        https://bugs.webkit.org/show_bug.cgi?id=193652

        Reviewed by Saam Barati.

        * stress/big-int-value-op-update-gc-rules.js: Added.
        (assert):
        (doesGCAdd):
        (doesGCSub):
        (doesGCDiv):
        (doesGCMul):
        (doesGCBitAnd):
        (doesGCBitOr):
        (doesGCBitXor):

2019-01-20  Saam Barati  <sbarati@apple.com>

        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
        https://bugs.webkit.org/show_bug.cgi?id=193644
        <rdar://problem/46209745>

        Reviewed by Yusuke Suzuki.

        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
        (foo):
        * stress/data-view-set-intrinsic-undefined-result.js: Added.
        (foo):
        (bar):

2019-01-20  Saam Barati  <sbarati@apple.com>

        MovHint must merge NodeBytecodeUsesAsValue for its child
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.

2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-17  Saam barati  <sbarati@apple.com>

        StringObjectUse should not be a structure check for the original string object structure
        https://bugs.webkit.org/show_bug.cgi?id=193483
        <rdar://problem/47280522>

        Reviewed by Yusuke Suzuki.

        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
        (foo):
        (a.valueOf.0):

2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] ToThis omission in DFGByteCodeParser is wrong
        https://bugs.webkit.org/show_bug.cgi?id=193513
        <rdar://problem/45842236>

        Reviewed by Saam Barati.

        * stress/to-this-omission-with-different-strict-modes.js: Added.
        (thisA):
        (thisAStrictWrapper):

2019-01-15  Mark Lam  <mark.lam@apple.com>

        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
        https://bugs.webkit.org/show_bug.cgi?id=193423
        <rdar://problem/46209355>
908
909         Reviewed by Saam Barati.
910
911         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
912         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
913         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
914         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
915
916 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
917
918         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
919         https://bugs.webkit.org/show_bug.cgi?id=193438
920         <rdar://problem/45581249>
921
922         Reviewed by Saam Barati and Keith Miller.
923
924         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
925         Then, GetByVal(String) crashed.
926
927         * stress/string-get-by-val-lowering.js: Added.
928         (shouldBe):
929         (test):
930         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
931         (Hello):
932         (foo):
933
934 2019-01-15  Tomas Popela  <tpopela@redhat.com>
935
936         Unreviewed, skip JIT tests if it's not enabled
937
938         * stress/bit-op-with-object-returning-int32.js:
939
940 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
941
942         DFGByteCodeParser rules for bitwise operations should consider type of their operands
943         https://bugs.webkit.org/show_bug.cgi?id=192966
944
945         Reviewed by Yusuke Suzuki.
946
947         * stress/bit-op-with-object-returning-int32.js: Added.
948
949 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
950
951         Skip a slow test and a flakey test on arm
952
953         Unreviewed gardening.
954
955         * typeProfiler/getter-richards.js:
956         This test always times out. It used to be always skipped on arm and
957         mips, but got accidentally enabled by r237919 now that we have DFG on
958         arm. Also skipping on mips as we plan to soon enable DFG for it too.
959
960 2019-01-14  Keith Miller  <keith_miller@apple.com>
961
962         Skip type-check-hoisting-phase-hoist... with no jit
963         https://bugs.webkit.org/show_bug.cgi?id=193421
964
965         Reviewed by Mark Lam.
966
967         It's timing out the 32-bit bots and takes 330 seconds
968         on my machine when run by itself.
969
970         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
971
972 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
973
974         [JSC] AI should check the given constant's array type when folding GetByVal into constant
975         https://bugs.webkit.org/show_bug.cgi?id=193413
976         <rdar://problem/46092389>
977
978         Reviewed by Keith Miller.
979
980         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
981         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
982         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
983         but GetByVal does not have appropriate ArrayModes, JSC crashes.
984
985         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
986         (compareArray):
987
988 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
989
990         [BigInt] Literal parsing is crashing when used inside a Object Literal
991         https://bugs.webkit.org/show_bug.cgi?id=193404
992
993         Reviewed by Yusuke Suzuki.
994
995         * stress/big-int-literal-inside-literal-object.js: Added.
996
997 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
998
999         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1000         https://bugs.webkit.org/show_bug.cgi?id=193372
1001
1002         Reviewed by Saam Barati.
1003
1004         * stress/typed-array-array-modes-profile.js: Added.
1005         (foo):
1006
1007 2019-01-14  Mark Lam  <mark.lam@apple.com>
1008
1009         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1010         https://bugs.webkit.org/show_bug.cgi?id=193402
1011         <rdar://problem/46012309>
1012
1013         Reviewed by Keith Miller.
1014
1015         * stress/regexp-compile-oom.js:
1016         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1017           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1018
1019 2019-01-11  Saam barati  <sbarati@apple.com>
1020
1021         DFG combined liveness can be wrong for terminal basic blocks
1022         https://bugs.webkit.org/show_bug.cgi?id=193304
1023         <rdar://problem/45268632>
1024
1025         Reviewed by Yusuke Suzuki.
1026
1027         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1028
1029 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1030
1031         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1032         https://bugs.webkit.org/show_bug.cgi?id=193308
1033         <rdar://problem/45546542>
1034
1035         Reviewed by Saam Barati.
1036
1037         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1038         (shouldThrow):
1039         (shouldBe):
1040         (foo):
1041         (get shouldThrow):
1042         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1043         (shouldThrow):
1044         (shouldBe):
1045         (foo):
1046         (get shouldBe):
1047         (get shouldThrow):
1048         (get return):
1049         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1050         (shouldThrow):
1051         (shouldBe):
1052         (foo):
1053         (get shouldBe):
1054         (get shouldThrow):
1055         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1056         (shouldThrow):
1057         (shouldBe):
1058         (foo):
1059         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1060         (shouldThrow):
1061         (shouldBe):
1062         (foo):
1063         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1064         (shouldThrow):
1065         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1066         (shouldThrow):
1067         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1068         (shouldThrow):
1069         (shouldBe):
1070         (foo):
1071         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1072         (shouldThrow):
1073         (shouldBe):
1074         (foo):
1075         (get shouldBe):
1076         (get shouldThrow):
1077         (get return):
1078         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1079         (shouldThrow):
1080         (shouldBe):
1081         (foo):
1082         (get shouldBe):
1083         (get shouldThrow):
1084         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1085         (shouldThrow):
1086         (shouldBe):
1087         (foo):
1088         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1089         (shouldThrow):
1090         (shouldBe):
1091         (foo):
1092
1093 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1094
1095         Enable DFG on ARM/Linux again
1096         https://bugs.webkit.org/show_bug.cgi?id=192496
1097
1098         Reviewed by Yusuke Suzuki.
1099
1100         Test wasn't really skipped before moving the line with skip
1101         to the top.
1102
1103         * stress/regress-192717.js:
1104
1105 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1106
1107         Unreviewed, rolling out r239825.
1108         https://bugs.webkit.org/show_bug.cgi?id=193330
1109
1110         Broke tests on armv7/linux bots (Requested by guijemont on
1111         #webkit).
1112
1113         Reverted changeset:
1114
1115         "Enable DFG on ARM/Linux again"
1116         https://bugs.webkit.org/show_bug.cgi?id=192496
1117         https://trac.webkit.org/changeset/239825
1118
1119 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1120
1121         Enable DFG on ARM/Linux again
1122         https://bugs.webkit.org/show_bug.cgi?id=192496
1123
1124         Reviewed by Yusuke Suzuki.
1125
1126         Test wasn't really skipped before moving the line with skip
1127         to the top.
1128
1129         * stress/regress-192717.js:
1130
1131 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1132
1133         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1134         https://bugs.webkit.org/show_bug.cgi?id=193127
1135
1136         Reviewed by Saam Barati.
1137
1138         * stress/array-species-create-should-handle-masquerader.js: Added.
1139         (shouldThrow):
1140         * stress/is-undefined-or-null-builtin.js: Added.
1141         (shouldBe):
1142         (isUndefinedOrNull.vm.createBuiltin):
1143
1144 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1145
1146         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1147         https://bugs.webkit.org/show_bug.cgi?id=193221
1148
1149         Reviewed by Mark Lam.
1150
1151         * stress/put-by-id-flags.js: Added.
1152         (f):
1153         (g):
1154         (numberOfDFGCompiles):
1155
1156 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1157
1158         Baseline version of get_by_id may corrupt metadata
1159         https://bugs.webkit.org/show_bug.cgi?id=193085
1160         <rdar://problem/23453006>
1161
1162         Reviewed by Saam Barati.
1163
1164         * stress/get-by-id-change-mode.js: Added.
1165         (forEach):
1166
1167 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1168
1169         [JSC] Optimize Object.prototype.toString
1170         https://bugs.webkit.org/show_bug.cgi?id=193031
1171
1172         Reviewed by Saam Barati.
1173
1174         * stress/object-tostring-changed-proto.js: Added.
1175         (shouldBe):
1176         (test):
1177         * stress/object-tostring-changed.js: Added.
1178         (shouldBe):
1179         (test):
1180         * stress/object-tostring-misc.js: Added.
1181         (shouldBe):
1182         (test):
1183         (i.switch):
1184         * stress/object-tostring-other.js: Added.
1185         (shouldBe):
1186         (test):
1187         * stress/object-tostring-untyped.js: Added.
1188         (shouldBe):
1189         (test):
1190         (i.switch):
1191
1192 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1193
1194         test262-runner misbehaves when test file YAML has a trailing space
1195         https://bugs.webkit.org/show_bug.cgi?id=193053
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         * test262/expectations.yaml:
1200         Mark two dozen tests as passing (and correct the output of another).
1201
1202 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1203
1204         Unreviewed, JSTests gardening with memoryLimited
1205
1206         * stress/string-overflow-createError.js:
1207
1208 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1209
1210         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1211         https://bugs.webkit.org/show_bug.cgi?id=193050
1212
1213         Reviewed by Yusuke Suzuki.
1214
1215         * test262.yaml:
1216         * test262/expectations.yaml:
1217         Mark 16 tests as passing.
1218
1219 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1220
1221         [BigInt] Support BigInt in JSON.stringify
1222         https://bugs.webkit.org/show_bug.cgi?id=192624
1223
1224         Reviewed by Saam Barati.
1225
1226         * stress/big-int-json-stringify-to-json.js: Added.
1227         (shouldBe):
1228         (shouldThrow):
1229         (BigInt.prototype.toJSON):
1230         (shouldBe.JSON.stringify):
1231         * stress/big-int-json-stringify.js: Added.
1232         (shouldBe):
1233         (shouldThrow):
1234
1235 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1236
1237         [JSC] Implement "well-formed JSON.stringify" proposal
1238         https://bugs.webkit.org/show_bug.cgi?id=191677
1239
1240         Reviewed by Darin Adler.
1241
1242         * stress/json-surrogate-pair.js: Added.
1243         (shouldBe):
1244         * test262/expectations.yaml:
1245
1246 2018-12-20  Keith Miller  <keith_miller@apple.com>
1247
1248         Add support for globalThis
1249         https://bugs.webkit.org/show_bug.cgi?id=165171
1250
1251         Reviewed by Mark Lam.
1252
1253         * test262/config.yaml:
1254
1255 2018-12-19  Keith Miller  <keith_miller@apple.com>
1256
1257         Update test262 configuration to not run tests dependent on ICU version.
1258         https://bugs.webkit.org/show_bug.cgi?id=192920
1259
1260         Reviewed by Saam Barati.
1261
1262         * test262/expectations.yaml:
1263
1264 2018-12-20  Mark Lam  <mark.lam@apple.com>
1265
1266         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1267         https://bugs.webkit.org/show_bug.cgi?id=192939
1268         <rdar://problem/46869516>
1269
1270         Reviewed by Keith Miller.
1271
1272         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1273
1274 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1275
1276         WTF::String and StringImpl overflow MaxLength
1277         https://bugs.webkit.org/show_bug.cgi?id=192853
1278         <rdar://problem/45726906>
1279
1280         Reviewed by Mark Lam.
1281
1282         * stress/string-16bit-repeat-overflow.js: Added.
1283         (catch):
1284
1285 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1286
1287         Unreviewed follow-up to r192914.
1288
1289         * test262/expectations.yaml:
1290         Add the last 20 missing expectations.
1291
1292 2018-12-19  Keith Miller  <keith_miller@apple.com>
1293
1294         Fix test262 expectations
1295         https://bugs.webkit.org/show_bug.cgi?id=192914
1296
1297         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1298
1299         * test262/expectations.yaml:
1300
1301 2018-12-19  Keith Miller  <keith_miller@apple.com>
1302
1303         Update test262 tests.
1304         https://bugs.webkit.org/show_bug.cgi?id=192907
1305
1306         Rubber stamped by Mark Lam.
1307
1308         * test262/*: Omitted because prepare-changelog crashes.
1309
1310 2018-12-19  Mark Lam  <mark.lam@apple.com>
1311
1312         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1313         https://bugs.webkit.org/show_bug.cgi?id=192464
1314         <rdar://problem/46519455>
1315
1316         Reviewed by Saam Barati.
1317
1318         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1319         microbenchmark.
1320
1321         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1322         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1323
1324 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1325
1326         String overflow in JSC::createError results in ASSERT in WTF::makeString
1327         https://bugs.webkit.org/show_bug.cgi?id=192833
1328         <rdar://problem/45706868>
1329
1330         Reviewed by Mark Lam.
1331
1332         * stress/string-overflow-createError.js: Added.
1333
1334 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1335
1336         Error message for `-x ** y` contains a typo.
1337         https://bugs.webkit.org/show_bug.cgi?id=192832
1338
1339         Reviewed by Saam Barati.
1340
1341         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1342         (assert.assert.return.throws):
1343         * stress/pow-expects-update-expression-on-lhs.js:
1344         (throw.new.Error):
1345         Update test expectations which match against the exact error message.
1346
1347 2018-12-18  Mark Lam  <mark.lam@apple.com>
1348
1349         Gardening: test options fix.
1350         https://bugs.webkit.org/show_bug.cgi?id=192822
1351
1352         Unreviewed.
1353
1354         * stress/json-stringify-string-builder-overflow.js:
1355
1356 2018-12-18  Mark Lam  <mark.lam@apple.com>
1357
1358         JSON.stringify() should throw OOM on StringBuilder overflows.
1359         https://bugs.webkit.org/show_bug.cgi?id=192822
1360         <rdar://problem/46670577>
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/json-stringify-string-builder-overflow.js: Added.
1365
1366 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1367
1368         Redeclaration of var over let/const/class should be a syntax error.
1369         https://bugs.webkit.org/show_bug.cgi?id=192298
1370
1371         Reviewed by Keith Miller.
1372
1373         * test262.yaml:
1374         * test262/expectations.yaml:
1375         Mark 46 tests as passing.
1376
1377         * stress/block-scope-redeclarations.js:
1378         Add some new tests.
1379
1380         * stress/for-in-invalidate-context-weird-assignments.js:
1381         * stress/for-in-tests.js:
1382         Replace tests for outdated behavior with tests for SyntaxError.
1383
1384         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1385         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1386         Update expectations.
1387
1388 2018-12-18  Mark Lam  <mark.lam@apple.com>
1389
1390         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1391         https://bugs.webkit.org/show_bug.cgi?id=191374
1392         <rdar://problem/46525447>
1393
1394         Reviewed by Yusuke Suzuki.
1395
1396         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1397
1398         * stress/elidable-new-object-roflcopter-then-exit.js:
1399
1400 2018-12-17  Mark Lam  <mark.lam@apple.com>
1401
1402         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1403         https://bugs.webkit.org/show_bug.cgi?id=192019
1404         <rdar://problem/46525456>
1405
1406         Reviewed by Yusuke Suzuki.
1407
1408         The test runs too slow on 32-bit.
1409
1410         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1411
1412 2018-12-17  Mark Lam  <mark.lam@apple.com>
1413
1414         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1415         https://bugs.webkit.org/show_bug.cgi?id=191373
1416         <rdar://problem/46525458>
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         The test is already slow running with a JIT on 64-bit.  It will always time out
1421         on 32-bit without a JIT.
1422
1423         * stress/materialize-regexp-cyclic-regexp.js:
1424
1425 2018-12-17  Mark Lam  <mark.lam@apple.com>
1426
1427         Array unshift/shift should not race against the AI in the compiler thread.
1428         https://bugs.webkit.org/show_bug.cgi?id=192795
1429         <rdar://problem/46724263>
1430
1431         Reviewed by Saam Barati.
1432
1433         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1434
1435 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1436
1437         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1438         https://bugs.webkit.org/show_bug.cgi?id=190047
1439
1440         Reviewed by Saam Barati.
1441
1442         * stress/object-keys-cached-zero.js: Added.
1443         (shouldBe):
1444         (test):
1445         * stress/object-keys-changed-attribute.js: Added.
1446         (shouldBe):
1447         (test):
1448         * stress/object-keys-changed-index.js: Added.
1449         (shouldBe):
1450         (test):
1451         * stress/object-keys-changed.js: Added.
1452         (shouldBe):
1453         (test):
1454         * stress/object-keys-indexed-non-cache.js: Added.
1455         (shouldBe):
1456         (test):
1457         * stress/object-keys-overrides-get-property-names.js: Added.
1458         (shouldBe):
1459         (test):
1460         (noInline):
1461
1462 2018-12-17  Mark Lam  <mark.lam@apple.com>
1463
1464         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1465         https://bugs.webkit.org/show_bug.cgi?id=192779
1466         <rdar://problem/46775869>
1467
1468         Reviewed by Saam Barati.
1469
1470         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1471
1472 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1473
1474         Unreviewed test gardening, address a syntax error in a new test.
1475
1476         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1477
1478 2018-12-17  Mark Lam  <mark.lam@apple.com>
1479
1480         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1481         https://bugs.webkit.org/show_bug.cgi?id=192776
1482         <rdar://problem/46772368>
1483
1484         Reviewed by Keith Miller.
1485
1486         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1487
1488 2018-12-17  Mark Lam  <mark.lam@apple.com>
1489
1490         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1491         https://bugs.webkit.org/show_bug.cgi?id=192770
1492         <rdar://problem/46449037>
1493
1494         Reviewed by Keith Miller.
1495
1496         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1497
1498 2018-12-14  Mark Lam  <mark.lam@apple.com>
1499
1500         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1501         https://bugs.webkit.org/show_bug.cgi?id=192717
1502         <rdar://problem/46660677>
1503
1504         Reviewed by Saam Barati.
1505
1506         * stress/regress-192717.js: Added.
1507
1508 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1509
1510         Unreviewed, rolling out r239153, r239154, and r239155.
1511         https://bugs.webkit.org/show_bug.cgi?id=192715
1512
1513         Caused flaky GC-related crashes seen with layout tests
1514         (Requested by ryanhaddad on #webkit).
1515
1516         Reverted changesets:
1517
1518         "[JSC] Optimize Object.keys by caching own keys results in
1519         StructureRareData"
1520         https://bugs.webkit.org/show_bug.cgi?id=190047
1521         https://trac.webkit.org/changeset/239153
1522
1523         "Unreviewed, build fix after r239153"
1524         https://bugs.webkit.org/show_bug.cgi?id=190047
1525         https://trac.webkit.org/changeset/239154
1526
1527         "Unreviewed, build fix after r239153, part 2"
1528         https://bugs.webkit.org/show_bug.cgi?id=190047
1529         https://trac.webkit.org/changeset/239155
1530
1531 2018-12-14  Keith Miller  <keith_miller@apple.com>
1532
1533         Callers of JSString::getIndex should check for OOM exceptions
1534         https://bugs.webkit.org/show_bug.cgi?id=192709
1535
1536         Reviewed by Mark Lam.
1537
1538         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1539
1540 2018-12-13  Mark Lam  <mark.lam@apple.com>
1541
1542         Add a missing exception check.
1543         https://bugs.webkit.org/show_bug.cgi?id=192626
1544         <rdar://problem/46662163>
1545
1546         Reviewed by Keith Miller.
1547
1548         * stress/regress-192626.js: Added.
1549
1550 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1551
1552         [BigInt] Add ValueDiv into DFG
1553         https://bugs.webkit.org/show_bug.cgi?id=186178
1554
1555         Reviewed by Yusuke Suzuki.
1556
1557         * stress/big-int-div-jit-osr.js: Added.
1558         * stress/big-int-div-jit-untyped.js: Added.
1559         * stress/value-div-fixup-int32-big-int.js: Added.
1560
1561 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1562
1563         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1564         https://bugs.webkit.org/show_bug.cgi?id=190047
1565
1566         Reviewed by Keith Miller.
1567
1568         * stress/object-keys-cached-zero.js: Added.
1569         (shouldBe):
1570         (test):
1571         * stress/object-keys-changed-attribute.js: Added.
1572         (shouldBe):
1573         (test):
1574         * stress/object-keys-changed-index.js: Added.
1575         (shouldBe):
1576         (test):
1577         * stress/object-keys-changed.js: Added.
1578         (shouldBe):
1579         (test):
1580         * stress/object-keys-indexed-non-cache.js: Added.
1581         (shouldBe):
1582         (test):
1583         * stress/object-keys-overrides-get-property-names.js: Added.
1584         (shouldBe):
1585         (test):
1586         (noInline):
1587
1588 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1589
1590         [DFG][FTL] Add NewSymbol
1591         https://bugs.webkit.org/show_bug.cgi?id=192620
1592
1593         Reviewed by Saam Barati.
1594
1595         * microbenchmarks/symbol-creation.js: Added.
1596         (test):
1597         * stress/symbol-description-identity.js: Added.
1598         (shouldBe):
1599         (test):
1600         * stress/symbol-identity.js: Added.
1601         (shouldBe):
1602         (test):
1603         * stress/symbol-with-description-throw-error.js: Added.
1604         (shouldBe):
1605         (shouldThrow):
1606         (test):
1607         (object.toString):
1608
1609 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1610
1611         [BigInt] Implement DFG/FTL typeof for BigInt
1612         https://bugs.webkit.org/show_bug.cgi?id=192619
1613
1614         Reviewed by Keith Miller.
1615
1616         * stress/big-int-boolean-proven-type.js: Added.
1617         (assert):
1618         (bool):
1619         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1620         (assert):
1621         (typeOf):
1622         (i.switch):
1623         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1624         (assert):
1625         (typeOf):
1626         * stress/big-int-type-of.js:
1627         (typeOf):
1628         (func):
1629
1630 2018-12-10  Mark Lam  <mark.lam@apple.com>
1631
1632         PropertyAttribute needs a CustomValue bit.
1633         https://bugs.webkit.org/show_bug.cgi?id=191993
1634         <rdar://problem/46264467>
1635
1636         Reviewed by Saam Barati.
1637
1638         * stress/regress-191993.js: Added.
1639
1640 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1641
1642         [BigInt] Add ValueMul into DFG
1643         https://bugs.webkit.org/show_bug.cgi?id=186175
1644
1645         Reviewed by Yusuke Suzuki.
1646
1647         * stress/big-int-mul-jit-osr.js: Added.
1648         * stress/big-int-mul-jit-untyped.js: Added.
1649         * stress/value-mul-fixup-int32-big-int.js: Added.
1650
1651 2018-12-06  Keith Miller  <keith_miller@apple.com>
1652
1653         stress/big-wasm-memory tests failing on 32-bit JSC bot
1654         https://bugs.webkit.org/show_bug.cgi?id=192020
1655
1656         Reviewed by Saam Barati.
1657
1658         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1659         the wasm stress tests if the WebAssembly object does not exist.
1660
1661         * stress/big-wasm-memory-grow-no-max.js:
1662         (test.foo):
1663         (test):
1664         (foo): Deleted.
1665         (catch): Deleted.
1666         * stress/big-wasm-memory-grow.js:
1667         (test.foo):
1668         (test):
1669         (foo): Deleted.
1670         (catch): Deleted.
1671         * stress/big-wasm-memory.js:
1672         (test.foo):
1673         (test):
1674         (foo): Deleted.
1675         (catch): Deleted.
1676
1677 2018-12-05  Mark Lam  <mark.lam@apple.com>
1678
1679         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1680         https://bugs.webkit.org/show_bug.cgi?id=192441
1681         <rdar://problem/46480355>
1682
1683         Reviewed by Saam Barati.
1684
1685         * stress/regress-192441.js: Added.
1686
1687 2018-12-04  Mark Lam  <mark.lam@apple.com>
1688
1689         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1690         https://bugs.webkit.org/show_bug.cgi?id=192386
1691         <rdar://problem/46445516>
1692
1693         Reviewed by Saam Barati.
1694
1695         * stress/regress-192386.js: Added.
1696
1697 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1698
1699         [ESNext][BigInt] Support logic operations
1700         https://bugs.webkit.org/show_bug.cgi?id=179903
1701
1702         Reviewed by Yusuke Suzuki.
1703
1704         * stress/big-int-branch-usage.js: Added.
1705         * stress/big-int-logical-and.js: Added.
1706         * stress/big-int-logical-not.js: Added.
1707         * stress/big-int-logical-or.js: Added.
1708
1709 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1710
1711         Unreviewed, rolling out r238833.
1712
1713         Breaks macOS and iOS debug builds.
1714
1715         Reverted changeset:
1716
1717         "[ESNext][BigInt] Support logic operations"
1718         https://bugs.webkit.org/show_bug.cgi?id=179903
1719         https://trac.webkit.org/changeset/238833
1720
1721 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1722
1723         [ESNext][BigInt] Support logic operations
1724         https://bugs.webkit.org/show_bug.cgi?id=179903
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         * stress/big-int-branch-usage.js: Added.
1729         * stress/big-int-logical-and.js: Added.
1730         * stress/big-int-logical-not.js: Added.
1731         * stress/big-int-logical-or.js: Added.
1732
1733 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1734
1735         [ESNext][BigInt] Implement support for "<<" and ">>"
1736         https://bugs.webkit.org/show_bug.cgi?id=186233
1737
1738         Reviewed by Yusuke Suzuki.
1739
1740         * stress/big-int-left-shift-general.js: Added.
1741         * stress/big-int-left-shift-range-error.js: Added.
1742         * stress/big-int-left-shift-type-error.js: Added.
1743         * stress/big-int-left-shift-wrapped-value.js: Added.
1744         * stress/big-int-right-shift-general.js: Added.
1745         * stress/big-int-right-shift-type-error.js: Added.
1746         * stress/big-int-right-shift-wrapped-value.js: Added.
1747         * stress/left-shift-to-primitive-precedence.js: Added.
1748         * stress/right-shift-to-primitive-precedence.js: Added.
1749
1750 2018-11-30  Dean Jackson  <dino@apple.com>
1751
1752         Add first-class support for .mjs files in jsc binary
1753         https://bugs.webkit.org/show_bug.cgi?id=192190
1754         <rdar://problem/46375715>
1755
1756         Reviewed by Keith Miller.
1757
1758         * stress/simple-module.mjs: Added.
1759         * stress/simple-script.js: Added.
1760
1761 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1762
1763         [BigInt] Implement ValueBitXor into DFG
1764         https://bugs.webkit.org/show_bug.cgi?id=190264
1765
1766         Reviewed by Yusuke Suzuki.
1767
1768         * stress/big-int-bitwise-xor-jit.js: Added.
1769         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1770         * stress/big-int-bitwise-xor-untyped.js: Added.
1771
1772 2018-11-27  Saam barati  <sbarati@apple.com>
1773
1774         r238510 broke scopes of size zero
1775         https://bugs.webkit.org/show_bug.cgi?id=192033
1776         <rdar://problem/46281734>
1777
1778         Reviewed by Keith Miller.
1779
1780         * stress/r238510-bad-loop.js: Added.
1781         (foo):
1782
1783 2018-11-27  Mark Lam  <mark.lam@apple.com>
1784
1785         [Re-landing] NaNs read from Wasm code need to be purified.
1786         https://bugs.webkit.org/show_bug.cgi?id=191056
1787         <rdar://problem/45660341>
1788
1789         Reviewed by Filip Pizlo.
1790
1791         * wasm/regress/regress-191056.js: Added.
1792
1793 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1794
1795         Unreviewed, rolling out r238509.
1796
1797         Causes JSC tests to fail on iOS.
1798
1799         Reverted changeset:
1800
1801         "NaNs read from Wasm code need to be purified."
1802         https://bugs.webkit.org/show_bug.cgi?id=191056
1803         https://trac.webkit.org/changeset/238509
1804
1805 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1806
1807         Re-introduce op_bitnot
1808         https://bugs.webkit.org/show_bug.cgi?id=190923
1809
1810         Reviewed by Yusuke Suzuki.
1811
1812         * stress/bit-not-must-generate.js: Added.
1813         * stress/bitwise-not-no-int32.js: Added.
1814
1815 2018-11-26  Saam barati  <sbarati@apple.com>
1816
1817         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1818         https://bugs.webkit.org/show_bug.cgi?id=191956
1819         <rdar://problem/45665806>
1820
1821         Reviewed by Yusuke Suzuki.
1822
1823         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1824         (bar):
1825         (foo):
1826
1827 2018-11-26  Saam barati  <sbarati@apple.com>
1828
1829         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1830         https://bugs.webkit.org/show_bug.cgi?id=191958
1831         <rdar://problem/46221877>
1832
1833         Reviewed by Yusuke Suzuki.
1834
1835         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1836         (x):
1837         (foo):
1838
1839 2018-11-26  Mark Lam  <mark.lam@apple.com>
1840
1841         NaNs read from Wasm code need to be purified.
1842         https://bugs.webkit.org/show_bug.cgi?id=191056
1843         <rdar://problem/45660341>
1844
1845         Reviewed by Filip Pizlo.
1846
1847         * wasm/regress/regress-191056.js: Added.
1848
1849 2018-11-26  Michael Saboff  <msaboff@apple.com>
1850
1851         32-bit JSC test failure: stress/regexp-compile-oom.js
1852         https://bugs.webkit.org/show_bug.cgi?id=191375
1853
1854         Reviewed by Mark Lam.
1855
1856         Disabled the test for 32 bit platforms.
1857
1858         * stress/regexp-compile-oom.js:
1859
1860 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1861
1862         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1863         https://bugs.webkit.org/show_bug.cgi?id=191716
1864         <rdar://problem/45723878>
1865
1866         Reviewed by Saam Barati.
1867
1868         * stress/regress-187373.js: Added.
1869         (async.fn):
1870
1871 2018-11-21  Saam barati  <sbarati@apple.com>
1872
1873         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1874         https://bugs.webkit.org/show_bug.cgi?id=191897
1875         <rdar://problem/45871998>
1876
1877         Reviewed by Mark Lam.
1878
1879         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1880         (bar):
1881         (foo):
1882
1883 2018-11-21  Saam barati  <sbarati@apple.com>
1884
1885         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1886         https://bugs.webkit.org/show_bug.cgi?id=191895
1887         <rdar://problem/46167406>
1888
1889         Reviewed by Mark Lam.
1890
1891         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1892         (foo):
1893         (bar):
1894
1895 2018-11-21  Mark Lam  <mark.lam@apple.com>
1896
1897         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1898         https://bugs.webkit.org/show_bug.cgi?id=191776
1899         <rdar://problem/46152851>
1900
1901         Reviewed by Saam Barati.
1902
1903         * stress/big-wasm-memory-grow-no-max.js:
1904         * stress/big-wasm-memory-grow.js:
1905         * stress/big-wasm-memory.js:
1906         - updated these to expect an OutOfMemoryError.
1907
1908         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1909         (Binary.prototype.emit_u8):
1910         (Binary.prototype.emit_u32v):
1911         (Binary.prototype.emit_header):
1912         (Binary.prototype.emit_section):
1913         (Binary):
1914         (WasmModuleBuilder):
1915         (WasmModuleBuilder.prototype.addMemory):
1916         (WasmModuleBuilder.prototype.toArray):
1917         (WasmModuleBuilder.prototype.toBuffer):
1918         (WasmModuleBuilder.prototype.instantiate):
1919         (catch):
1920         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1921         (catch):
1922
1923 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1924
1925         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1926         https://bugs.webkit.org/show_bug.cgi?id=190836
1927
1928         Reviewed by Saam Barati and Yusuke Suzuki.
1929
1930         * stress/big-int-out-of-memory-tests.js: Added.
1931
1932 2018-11-20  Mark Lam  <mark.lam@apple.com>
1933
1934         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1935         https://bugs.webkit.org/show_bug.cgi?id=191856
1936         <rdar://problem/46089992>
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         * stress/regress-191856.js: Added.
1941         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1942
1943 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1944
1945         Enable JIT on ARM/Linux
1946         https://bugs.webkit.org/show_bug.cgi?id=191548
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         Disable test on system with limited memory. Program was killed by
1951         the OS before the exception was thrown.
1952
1953         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1954
1955 2018-11-20  Saam barati  <sbarati@apple.com>
1956
1957         Merging an IC variant may lead to the IC status containing overlapping structure sets
1958         https://bugs.webkit.org/show_bug.cgi?id=191869
1959         <rdar://problem/45403453>
1960
1961         Reviewed by Mark Lam.
1962
1963         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1964
1965 2018-11-19  Mark Lam  <mark.lam@apple.com>
1966
1967         globalFuncImportModule() should return a promise when it clears exceptions.
1968         https://bugs.webkit.org/show_bug.cgi?id=191792
1969         <rdar://problem/46090763>
1970
1971         Reviewed by Michael Saboff.
1972
1973         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1974
1975 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1976
1977         Skip new memory-hungry tests on memory limited devices
1978
1979         Unreviewed gardening.
1980
1981         * stress/big-wasm-memory-grow-no-max.js:
1982         * stress/big-wasm-memory-grow.js:
1983         * stress/big-wasm-memory.js:
1984
1985 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1986
1987         Unreviewed, rolling in the rest of r237254
1988         https://bugs.webkit.org/show_bug.cgi?id=190340
1989
1990         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1991         * stress/function-cache-with-parameters-end-position.js: Added.
1992         (shouldBe):
1993         (shouldThrow):
1994         (i.anonymous):
1995         * stress/function-constructor-name.js: Added.
1996         (shouldBe):
1997         (GeneratorFunction):
1998         (AsyncFunction.async):
1999         (AsyncGeneratorFunction.async):
2000         (anonymous):
2001         (async.anonymous):
2002         * test262/expectations.yaml:
2003
2004 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2005
2006         All users of ArrayBuffer should agree on the same max size
2007         https://bugs.webkit.org/show_bug.cgi?id=191771
2008
2009         Reviewed by Mark Lam.
2010
2011         * stress/big-wasm-memory-grow-no-max.js: Added.
2012         (foo):
2013         (catch):
2014         * stress/big-wasm-memory-grow.js: Added.
2015         (foo):
2016         (catch):
2017         * stress/big-wasm-memory.js: Added.
2018         (foo):
2019         (catch):
2020
2021 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2022
2023         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2024         run for each JSC config since they're regression tests for runtime bugs.
2025
2026         * stress/json-stringified-overflow-2.js:
2027         * stress/json-stringified-overflow.js:
2028
2029 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2030
2031         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2032         config since they're regression tests for runtime bugs.
2033
2034         * stress/large-unshift-splice.js:
2035         * stress/regress-185888.js:
2036
2037 2018-11-16  Saam Barati  <sbarati@apple.com>
2038
2039         KnownCellUse should also have SpecCellCheck as its type filter
2040         https://bugs.webkit.org/show_bug.cgi?id=191729
2041         <rdar://problem/45872852>
2042
2043         Reviewed by Filip Pizlo.
2044
2045         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2046         (C):
2047
2048 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2049
2050         Fix assertion failure on BytecodeGenerator::recordOpcode
2051         https://bugs.webkit.org/show_bug.cgi?id=191724
2052         <rdar://problem/45724395>
2053
2054         Reviewed by Saam Barati.
2055
2056         * stress/regress-187373-2.js: Added.
2057         (foo):
2058
2059 2018-11-15  Mark Lam  <mark.lam@apple.com>
2060
2061         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2062         https://bugs.webkit.org/show_bug.cgi?id=191730
2063         <rdar://problem/46048517>
2064
2065         Reviewed by Saam Barati.
2066
2067         * stress/regress-187006.js: Removed.
2068           - this test is invalid because its sole purpose is to test for the non-spec
2069             compliant behavior that we just fixed.
2070
2071         * stress/regress-191730.js: Added.
2072
2073 2018-11-15  Mark Lam  <mark.lam@apple.com>
2074
2075         RegExp operations should not take fast path if lastIndex is not numeric.
2076         https://bugs.webkit.org/show_bug.cgi?id=191731
2077         <rdar://problem/46017305>
2078
2079         Reviewed by Saam Barati.
2080
2081         * stress/regress-191731.js: Added.
2082
2083 2018-11-13  Saam Barati  <sbarati@apple.com>
2084
2085         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2086         https://bugs.webkit.org/show_bug.cgi?id=191600
2087
2088         Reviewed by Mark Lam.
2089
2090         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2091         (foo):
2092         (test):
2093         (bar):
2094
2095 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2096
2097         Unreviewed, rolling out r238132.
2098
2099         The test added with this change is timing out on Debug JSC
2100         bots.
2101
2102         Reverted changeset:
2103
2104         "[BigInt] JSBigInt::createWithLength should throw when length
2105         is greater than JSBigInt::maxLength"
2106         https://bugs.webkit.org/show_bug.cgi?id=190836
2107         https://trac.webkit.org/changeset/238132
2108
2109 2018-11-13  Mark Lam  <mark.lam@apple.com>
2110
2111         Add OOM detection to StringPrototype's substituteBackreferences().
2112         https://bugs.webkit.org/show_bug.cgi?id=191563
2113         <rdar://problem/45720428>
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/regress-191563.js: Added.
2118
2119 2018-11-13  Mark Lam  <mark.lam@apple.com>
2120
2121         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2122         https://bugs.webkit.org/show_bug.cgi?id=191579
2123         <rdar://problem/45942472>
2124
2125         Reviewed by Saam Barati.
2126
2127         * stress/regress-191579.js: Added.
2128
2129 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2130
2131         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2132         https://bugs.webkit.org/show_bug.cgi?id=190836
2133
2134         Reviewed by Saam Barati.
2135
2136         * stress/big-int-out-of-memory-tests.js: Added.
2137
2138 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2139
2140         U+180E is no longer a whitespace character
2141         https://bugs.webkit.org/show_bug.cgi?id=191415
2142
2143         Reviewed by Saam Barati.
2144
2145         * ChakraCore/test/es5/regexSpace.baseline:
2146         * ChakraCore/test/es6/unicode_whitespace.js:
2147         Update tests to latest version.
2148         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2149
2150         * test262.yaml:
2151         * test262/config.yaml:
2152         * test262/expectations.yaml:
2153         Update expectations.
2154
2155 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2156
2157         [BigInt] Add support to BigInt into ValueAdd
2158         https://bugs.webkit.org/show_bug.cgi?id=186177
2159
2160         Reviewed by Keith Miller.
2161
2162         * stress/big-int-negate-jit.js:
2163         * stress/value-add-big-int-and-string.js: Added.
2164         * stress/value-add-big-int-prediction-propagation.js: Added.
2165         * stress/value-add-big-int-untyped.js: Added.
2166
2167 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2168
2169         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2170         https://bugs.webkit.org/show_bug.cgi?id=191184
2171
2172         Reviewed by Saam Barati.
2173
2174         Most tests were failing due to timeouts, since they are too slow to
2175         run on CLoop. The exceptions are:
2176
2177         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2178         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2179         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2180         to change the stack size since CLoop requires it to be page aligned.
2181
2182         * microbenchmarks/array-push-1.js:
2183         * microbenchmarks/array-push-2.js:
2184         * microbenchmarks/elidable-new-object-dag.js:
2185         * microbenchmarks/elidable-new-object-roflcopter.js:
2186         * microbenchmarks/elidable-new-object-tree.js:
2187         * microbenchmarks/getter-richards.js:
2188         * microbenchmarks/sinkable-new-object-dag.js:
2189         * microbenchmarks/string-concat-long-convert.js:
2190         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2191         * slowMicrobenchmarks/array-push-3.js:
2192         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2193         * slowMicrobenchmarks/spread-small-array.js:
2194         * slowMicrobenchmarks/undefined-property-access.js:
2195         * stress/activation-sink-default-value-tdz-error.js:
2196         * stress/activation-sink-default-value.js:
2197         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2198         * stress/activation-sink-osrexit-default-value.js:
2199         * stress/activation-sink-osrexit.js:
2200         * stress/activation-sink.js:
2201         * stress/allow-math-ic-b3-code-duplication.js:
2202         * stress/array-push-multiple-int32.js:
2203         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2204         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2205         * stress/arrowfunction-lexical-this-activation-sink.js:
2206         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2207         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2208         * stress/elide-new-object-dag-then-exit.js:
2209         * stress/materialize-regexp-cyclic.js:
2210         * stress/new-regex-inline.js:
2211         * stress/op_add.js:
2212         * stress/op_bitand.js:
2213         * stress/op_bitor.js:
2214         * stress/op_bitxor.js:
2215         * stress/op_div-ConstVar.js:
2216         * stress/op_div-VarConst.js:
2217         * stress/op_div-VarVar.js:
2218         * stress/op_lshift-ConstVar.js:
2219         * stress/op_lshift-VarConst.js:
2220         * stress/op_lshift-VarVar.js:
2221         * stress/op_mod-ConstVar.js:
2222         * stress/op_mod-VarConst.js:
2223         * stress/op_mod-VarVar.js:
2224         * stress/op_mul-ConstVar.js:
2225         * stress/op_mul-VarConst.js:
2226         * stress/op_mul-VarVar.js:
2227         * stress/op_rshift-ConstVar.js:
2228         * stress/op_rshift-VarConst.js:
2229         * stress/op_rshift-VarVar.js:
2230         * stress/op_sub-ConstVar.js:
2231         * stress/op_sub-VarConst.js:
2232         * stress/op_sub-VarVar.js:
2233         * stress/op_urshift-ConstVar.js:
2234         * stress/op_urshift-VarConst.js:
2235         * stress/op_urshift-VarVar.js:
2236         * stress/proxy-get-set-correct-receiver.js:
2237         * stress/regress-179562.js:
2238         * stress/rest-parameter-many-arguments.js:
2239         * stress/sampling-profiler-richards.js:
2240         * stress/splay-flash-access-1ms.js:
2241         * stress/tailCallForwardArguments.js:
2242         * stress/typed-array-get-by-val-profiling.js:
2243         * typeProfiler/getter-richards.js:
2244
2245 2018-11-06  Michael Saboff  <msaboff@apple.com>
2246
2247         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2248         https://bugs.webkit.org/show_bug.cgi?id=191271
2249
2250         Reviewed by Saam Barati.
2251
2252         Added more test cases and made all test cases run with the same deeply recursive stack
2253         instead of finding that same point for each test case.
2254
2255         * stress/regexp-compile-oom.js:
2256         (prototype.runTest):
2257         (recurseAndTest):
2258         (testList.push.new.TestAndExpectedException):
2259
2260 2018-11-05  Michael Saboff  <msaboff@apple.com>
2261
2262         Unreviewed build fix for linux.
2263
2264         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2265
2266 2018-11-02  Michael Saboff  <msaboff@apple.com>
2267
2268         Rolling in r237753 with unreviewed build fix.
2269
2270         Fixed issues with DECLARE_THROW_SCOPE placement.
2271
2272 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2273
2274         Unreviewed, rolling out r237753.
2275
2276         Introduced JSC test failures
2277
2278         Reverted changeset:
2279
2280         "Running out of stack space not properly handled in
2281         RegExp::compile() and its callers"
2282         https://bugs.webkit.org/show_bug.cgi?id=191206
2283         https://trac.webkit.org/changeset/237753
2284
2285 2018-11-02  Michael Saboff  <msaboff@apple.com>
2286
2287         Running out of stack space not properly handled in RegExp::compile() and its callers
2288         https://bugs.webkit.org/show_bug.cgi?id=191206
2289
2290         Reviewed by Filip Pizlo.
2291
2292         New regression test.
2293
2294         * stress/regexp-compile-oom.js: Added.
2295         (recurseAndTest):
2296
2297 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2298
2299         Skip tests on arm/mips that time out now we're running on CLoop
2300
2301         Unreviewed gardening.
2302
2303         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2304         time out on the bots and need to be disabled. There's more tests
2305         disabled on arm because the timeout is longer on the mips bot (as the
2306         device is slower to start with), so many of the tests don't time out
2307         there.
2308
2309         * microbenchmarks/getter-richards.js: disable on arm and mips.
2310         * stress/op_add.js: disable on arm.
2311         * stress/op_bitand.js: disable on arm.
2312         * stress/op_bitor.js: disable on arm.
2313         * stress/op_bitxor.js: disable on arm.
2314         * stress/op_lshift-ConstVar.js: disable on arm.
2315         * stress/op_lshift-VarConst.js: disable on arm.
2316         * stress/op_lshift-VarVar.js: disable on arm.
2317         * stress/op_mod-ConstVar.js: disable on arm.
2318         * stress/op_mod-VarConst.js: disable on arm.
2319         * stress/op_mod-VarVar.js: disable on arm.
2320         * stress/op_mul-ConstVar.js: disable on arm.
2321         * stress/op_mul-VarConst.js: disable on arm.
2322         * stress/op_mul-VarVar.js: disable on arm.
2323         * stress/op_rshift-ConstVar.js: disable on arm.
2324         * stress/op_rshift-VarConst.js: disable on arm.
2325         * stress/op_rshift-VarVar.js: disable on arm.
2326         * stress/op_sub-ConstVar.js: disable on arm.
2327         * stress/op_sub-VarConst.js: disable on arm.
2328         * stress/op_sub-VarVar.js: disable on arm.
2329         * stress/op_urshift-ConstVar.js: disable on arm.
2330         * stress/op_urshift-VarConst.js: disable on arm.
2331         * stress/op_urshift-VarVar.js: disable on arm.
2332         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2333         * stress/value-to-boolean.js: disable on arm and mips.
2334
2335 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2336
2337         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2338         https://bugs.webkit.org/show_bug.cgi?id=191108
2339         <rdar://problem/45690700>
2340
2341         Reviewed by Saam Barati.
2342
2343         * stress/wide-op_catch.js: Added.
2344         (catch):
2345
2346 2018-10-29  Mark Lam  <mark.lam@apple.com>
2347
2348         Correctly detect string overflow when using the 'Function' constructor.
2349         https://bugs.webkit.org/show_bug.cgi?id=184883
2350         <rdar://problem/36320331>
2351
2352         Reviewed by Saam Barati.
2353
2354         I've verified that this passes on 32-bit as well.
2355
2356         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2357
2358 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2359
2360         Add support for GetStack FlushedDouble
2361         https://bugs.webkit.org/show_bug.cgi?id=191012
2362         <rdar://problem/45265141>
2363
2364         Reviewed by Saam Barati.
2365
2366         * stress/get-stack-double.js: Added.
2367         (bar):
2368         (noInline):
2369
2370 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2371
2372         New bytecode format for JSC
2373         https://bugs.webkit.org/show_bug.cgi?id=187373
2374         <rdar://problem/44186758>
2375
2376         Reviewed by Filip Pizlo.
2377
2378         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2379
2380         * stress/maximum-inline-capacity.js: Added.
2381         (test1):
2382         (test3.Foo):
2383         (test3):
2384
2385 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2386
2387         Unreviewed, rolling out r237479 and r237484.
2388         https://bugs.webkit.org/show_bug.cgi?id=190978
2389
2390         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2391
2392         Reverted changesets:
2393
2394         "New bytecode format for JSC"
2395         https://bugs.webkit.org/show_bug.cgi?id=187373
2396         https://trac.webkit.org/changeset/237479
2397
2398         "Gardening: Build fix after r237479."
2399         https://bugs.webkit.org/show_bug.cgi?id=187373
2400         https://trac.webkit.org/changeset/237484
2401
2402 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2403
2404         New bytecode format for JSC
2405         https://bugs.webkit.org/show_bug.cgi?id=187373
2406         <rdar://problem/44186758>
2407
2408         Reviewed by Filip Pizlo.
2409
2410         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2411
2412         * stress/maximum-inline-capacity.js: Added.
2413         (test1):
2414         (test3.Foo):
2415         (test3):
2416
2417 2018-10-26  Mark Lam  <mark.lam@apple.com>
2418
2419         Fix missing edge cases with JSGlobalObjects having a bad time.
2420         https://bugs.webkit.org/show_bug.cgi?id=189028
2421         <rdar://problem/45204939>
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/regress-189028.js: Added.
2426
2427 2018-10-22  Mark Lam  <mark.lam@apple.com>
2428
2429         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2430         https://bugs.webkit.org/show_bug.cgi?id=190515
2431         <rdar://problem/45222379>
2432
2433         Rubber-stamped by Saam Barati.
2434
2435         Adding another test.
2436
2437         * stress/regress-190515-2.js: Added.
2438
2439 2018-10-22  Mark Lam  <mark.lam@apple.com>
2440
2441         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2442         https://bugs.webkit.org/show_bug.cgi?id=190515
2443         <rdar://problem/45222379>
2444
2445         Reviewed by Saam Barati.
2446
2447         * stress/regress-190515.js: Added.
2448
2449 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2450
2451         Unreviewed, rolling out r237254.
2452         https://bugs.webkit.org/show_bug.cgi?id=190760
2453
2454         "It regresses JetStream 2 by 5% on some iOS devices"
2455         (Requested by saamyjoon on #webkit).
2456
2457         Reverted changeset:
2458
2459         "[JSC] JSC should have "parseFunction" to optimize Function
2460         constructor"
2461         https://bugs.webkit.org/show_bug.cgi?id=190340
2462         https://trac.webkit.org/changeset/237254
2463
2464 2018-10-19  Saam Barati  <sbarati@apple.com>
2465
2466         vmCall should check if we exit before emitting an OSR exit due to exceptions
2467         https://bugs.webkit.org/show_bug.cgi?id=190740
2468         <rdar://problem/45220139>
2469
2470         Reviewed by Mark Lam.
2471
2472         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2473         (foo):
2474
2475 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2476
2477         [ESNext][BigInt] Implement support for "^"
2478         https://bugs.webkit.org/show_bug.cgi?id=186235
2479
2480         Reviewed by Yusuke Suzuki.
2481
2482         * stress/big-int-bitwise-xor-general.js: Added.
2483         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2484         * stress/big-int-bitwise-xor-type-error.js: Added.
2485         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2486
2487 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2488
2489         [BigInt] Add ValueSub into DFG
2490         https://bugs.webkit.org/show_bug.cgi?id=186176
2491
2492         Reviewed by Yusuke Suzuki.
2493
2494         * stress/big-int-subtraction-jit.js:
2495         * stress/value-sub-big-int-prediction-propagation.js: Added.
2496         * stress/value-sub-big-int-untyped.js: Added.
2497         * stress/value-sub-spec-none-case.js: Added.
2498
2499 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2500
2501         [JSC] JSC should have "parseFunction" to optimize Function constructor
2502         https://bugs.webkit.org/show_bug.cgi?id=190340
2503
2504         Reviewed by Mark Lam.
2505
2506         This patch fixes the line number of syntax errors raised by the Function constructor,
2507         since we now parse the final code only once. And we no longer use block statement
2508         for Function constructor's parsing.
2509
2510         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2511         * stress/function-cache-with-parameters-end-position.js: Added.
2512         (shouldBe):
2513         (shouldThrow):
2514         (i.anonymous):
2515         * stress/function-constructor-name.js: Added.
2516         (shouldBe):
2517         (GeneratorFunction):
2518         (AsyncFunction.async):
2519         (AsyncGeneratorFunction.async):
2520         (anonymous):
2521         (async.anonymous):
2522         * test262/expectations.yaml:
2523
2524 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2525
2526         Unreviewed, rolling out r237242.
2527         https://bugs.webkit.org/show_bug.cgi?id=190701
2528
2529         it breaks "stress/sampling-profiler-basic.js" (Requested by
2530         caiolima on #webkit).
2531
2532         Reverted changeset:
2533
2534         "[BigInt] Add ValueSub into DFG"
2535         https://bugs.webkit.org/show_bug.cgi?id=186176
2536         https://trac.webkit.org/changeset/237242
2537
2538 2018-10-17  Keith Miller  <keith_miller@apple.com>
2539
2540         AI does not clear Phantom allocation nodes.
2541         https://bugs.webkit.org/show_bug.cgi?id=190694
2542
2543         Reviewed by Saam Barati.
2544
2545         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2546         (Day):
2547         (DaysInYear):
2548         (TimeInYear):
2549         (TimeFromYear):
2550         (DayFromYear):
2551         (InLeapYear):
2552         (YearFromTime):
2553         (WeekDay):
2554         (DaylightSavingTA):
2555         (GetSecondSundayInMarch):
2556         (TimeInMonth):
2557
2558 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2559
2560         [BigInt] Add ValueSub into DFG
2561         https://bugs.webkit.org/show_bug.cgi?id=186176
2562
2563         Reviewed by Yusuke Suzuki.
2564
2565         * stress/big-int-subtraction-jit.js:
2566         * stress/value-sub-big-int-prediction-propagation.js: Added.
2567         * stress/value-sub-big-int-untyped.js: Added.
2568
2569 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2570
2571         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2572         https://bugs.webkit.org/show_bug.cgi?id=190611
2573
2574         Reviewed by Saam Barati.
2575
2576         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2577         to improve test runtime. On ARM/MIPS this test even timed out when running all
2578         tests.
2579
2580         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2581         (test):
2582
2583 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2584
2585         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2586
2587         Unreviewed gardening.
2588
2589         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2590
2591 2018-10-15  Saam barati  <sbarati@apple.com>
2592
2593         Emit fjcvtzs on ARM64E on Darwin
2594         https://bugs.webkit.org/show_bug.cgi?id=184023
2595
2596         Reviewed by Yusuke Suzuki and Filip Pizlo.
2597
2598         * stress/double-to-int32-NaN.js: Added.
2599         (assert):
2600         (foo):
2601
2602 2018-10-15  Saam Barati  <sbarati@apple.com>
2603
2604         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2605         https://bugs.webkit.org/show_bug.cgi?id=190262
2606         <rdar://problem/44986241>
2607
2608         Reviewed by Mark Lam.
2609
2610         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2611         (test):
2612         * stress/slice-array-storage-with-holes.js: Added.
2613         (main):
2614
2615 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2616
2617         Unreviewed, rolling out r237054.
2618         https://bugs.webkit.org/show_bug.cgi?id=190593
2619
2620         "this regressed JetStream 2 by 6% on iOS" (Requested by
2621         saamyjoon on #webkit).
2622
2623         Reverted changeset:
2624
2625         "[JSC] JSC should have "parseFunction" to optimize Function
2626         constructor"
2627         https://bugs.webkit.org/show_bug.cgi?id=190340
2628         https://trac.webkit.org/changeset/237054
2629
2630 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2631
2632         [JSC] JSON.stringify can accept call-with-no-arguments
2633         https://bugs.webkit.org/show_bug.cgi?id=190343
2634
2635         Reviewed by Mark Lam.
2636
2637         * stress/json-stringify-no-arguments.js: Added.
2638         (shouldBe):
2639
2640 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2641
2642         [JSC] JSC should have "parseFunction" to optimize Function constructor
2643         https://bugs.webkit.org/show_bug.cgi?id=190340
2644
2645         Reviewed by Mark Lam.
2646
2647         This patch fixes the line number of syntax errors raised by the Function constructor,
2648         since we now parse the final code only once. And we no longer use a block statement
2649         for the Function constructor's parsing.
2650
2651         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2652         * stress/function-cache-with-parameters-end-position.js: Added.
2653         (shouldBe):
2654         (shouldThrow):
2655         (i.anonymous):
2656         * stress/function-constructor-name.js: Added.
2657         (shouldBe):
2658         (GeneratorFunction):
2659         (AsyncFunction.async):
2660         (AsyncGeneratorFunction.async):
2661         (anonymous):
2662         (async.anonymous):
2663         * test262/expectations.yaml:
2664
2665 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2666
2667         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2668         https://bugs.webkit.org/show_bug.cgi?id=190426
2669
2670         Unreviewed gardening.
2671
2672         * stress/sampling-profiler-richards.js:
2673
2674 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2675
2676         [ESNext][BigInt] Implement support for "|"
2677         https://bugs.webkit.org/show_bug.cgi?id=186229
2678
2679         Reviewed by Yusuke Suzuki.
2680
2681         * stress/big-int-bitwise-and-jit.js:
2682         * stress/big-int-bitwise-or-general.js: Added.
2683         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2684         * stress/big-int-bitwise-or-jit.js: Added.
2685         * stress/big-int-bitwise-or-memory-stress.js: Added.
2686         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2687         * stress/big-int-bitwise-or-type-error.js: Added.
2688         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2689
2690 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2691
2692         Skip test on systems with limited memory
2693         https://bugs.webkit.org/show_bug.cgi?id=190310
2694
2695         Invoking runDefault adds the test to the runlist; skipping the test in the next
2696         line does not prevent the test from executing. Change the order of the lines such
2697         that runDefault is only executed if test is not executed.
2698
2699         Reviewed by Mark Lam.
2700
2701         * stress/regress-190187.js:
2702
2703 2018-10-03  Saam barati  <sbarati@apple.com>
2704
2705         lowXYZ in FTLLower should always filter the type of the incoming edge
2706         https://bugs.webkit.org/show_bug.cgi?id=189939
2707         <rdar://problem/44407030>
2708
2709         Reviewed by Michael Saboff.
2710
2711         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2712         (foo):
2713         (test):
2714
2715 2018-10-03  Mark Lam  <mark.lam@apple.com>
2716
2717         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2718         https://bugs.webkit.org/show_bug.cgi?id=190187
2719         <rdar://problem/42512909>
2720
2721         Reviewed by Michael Saboff.
2722
2723         * stress/regress-190187.js: Added.
2724
2725 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2726
2727         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2728         https://bugs.webkit.org/show_bug.cgi?id=190033
2729
2730         Reviewed by Yusuke Suzuki.
2731
2732         * stress/big-int-to-string.js:
2733
2734 2018-10-01  Mark Lam  <mark.lam@apple.com>
2735
2736         Function.toString() should also copy the source code Functions that are class definitions.
2737         https://bugs.webkit.org/show_bug.cgi?id=190186
2738         <rdar://problem/44733360>
2739
2740         Reviewed by Saam Barati.
2741
2742         * stress/regress-190186.js: Added.
2743
2744 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2745
2746         Split NaN-check into separate test
2747         https://bugs.webkit.org/show_bug.cgi?id=190010
2748
2749         Reviewed by Saam Barati.
2750
2751         DataView exposes NaN-representation, which is not necessarily the same on each
2752         architecture. Therefore move the check of the NaN-representation into its own
2753         file such that we can disable this test on MIPS where NaN-representation can be
2754         different on older CPUs.
2755
2756         * stress/dataview-jit-set-nan.js: Added.
2757         (assert):
2758         (test.storeLittleEndian):
2759         (test.storeBigEndian):
2760         (test.store):
2761         (test):
2762         * stress/dataview-jit-set.js:
2763         (test5):
2764
2765 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2766
2767         Unreviewed, rolling out r236647.
2768         https://bugs.webkit.org/show_bug.cgi?id=190124
2769
2770         Breaking test stress/big-int-to-string.js (Requested by
2771         caiolima_ on #webkit).
2772
2773         Reverted changeset:
2774
2775         "[BigInt] BigInt.prototype.toString is broken when radix is
2776         power of 2"
2777         https://bugs.webkit.org/show_bug.cgi?id=190033
2778         https://trac.webkit.org/changeset/236647
2779
2780 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2781
2782         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2783         https://bugs.webkit.org/show_bug.cgi?id=190033
2784
2785         Reviewed by Yusuke Suzuki.
2786
2787         * stress/big-int-to-string.js:
2788
2789 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2790
2791         [ESNext][BigInt] Implement support for "&"
2792         https://bugs.webkit.org/show_bug.cgi?id=186228
2793
2794         Reviewed by Yusuke Suzuki.
2795
2796         * stress/big-int-bitwise-and-general.js: Added.
2797         (assert):
2798         (assert.sameValue):
2799         * stress/big-int-bitwise-and-jit.js: Added.
2800         (let.assert.sameValue):
2801         (bigIntBitAnd):
2802         * stress/big-int-bitwise-and-memory-stress.js: Added.
2803         (assert):
2804         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2805         (assert.sameValue):
2806         (let.o.Symbol.toPrimitive):
2807         (catch):
2808         * stress/big-int-bitwise-and-type-error.js: Added.
2809         (assert):
2810         (assertThrowTypeError):
2811         (let.o.valueOf):
2812         (o.valueOf):
2813         (o.toString):
2814         (o.Symbol.toPrimitive):
2815         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2816         (assert.sameValue):
2817         (testBitAnd):
2818         (let.o.Symbol.toPrimitive):
2819         (o.valueOf):
2820         (o.toString):
2821
2822 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2823
2824         JSC test stress/jsc-read.js doesn't support CRLF
2825         https://bugs.webkit.org/show_bug.cgi?id=190063
2826
2827         Reviewed by Yusuke Suzuki.
2828
2829         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2830
2831         * stress/jsc-read.js:
2832         (test):
2833
2834 2018-09-27  Saam barati  <sbarati@apple.com>
2835
2836         Verify the contents of AssemblerBuffer on arm64e
2837         https://bugs.webkit.org/show_bug.cgi?id=190057
2838         <rdar://problem/38916630>
2839
2840         Reviewed by Mark Lam.
2841
2842         * stress/regress-189132.js:
2843
2844 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2845
2846         Disable test without LLInt on ARMv7
2847         https://bugs.webkit.org/show_bug.cgi?id=190037
2848
2849         Reviewed by Mark Lam.
2850
2851         Test runs out of executable memory on ARMv7; do not run
2852         this test without LLInt enabled.
2853
2854         * stress/regress-169445.js:
2855
2856 2018-09-26  Keith Miller  <keith_miller@apple.com>
2857
2858         We should zero unused property storage when rebalancing array storage.
2859         https://bugs.webkit.org/show_bug.cgi?id=188151
2860
2861         Reviewed by Michael Saboff.
2862
2863         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2864
2865 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2866
2867         [JSC] Optimize Array#lastIndexOf
2868         https://bugs.webkit.org/show_bug.cgi?id=189780
2869
2870         Reviewed by Saam Barati.
2871
2872         * stress/array-lastindexof-array-prototype-trap.js: Added.
2873         (shouldBe):
2874         (AncestorArray.prototype.get 2):
2875         (AncestorArray):
2876         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2877         (shouldBe):
2878         * stress/array-lastindexof-hole-nan.js: Added.
2879         (shouldBe):
2880         (throw.new.Error):
2881         * stress/array-lastindexof-infinity.js: Added.
2882         (shouldBe):
2883         (throw.new.Error):
2884         * stress/array-lastindexof-negative-zero.js: Added.
2885         (shouldBe):
2886         (throw.new.Error):
2887         * stress/array-lastindexof-own-getter.js: Added.
2888         (shouldBe):
2889         (throw.new.Error.get array):
2890         (get array):
2891         * stress/array-lastindexof-prototype-trap.js: Added.
2892         (shouldBe):
2893         (DerivedArray.prototype.get 2):
2894         (DerivedArray):
2895
2896 2018-09-25  Saam Barati  <sbarati@apple.com>
2897
2898         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2899         https://bugs.webkit.org/show_bug.cgi?id=189940
2900         <rdar://problem/43640987>
2901
2902         Reviewed by Mark Lam.
2903
2904         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2905
2906 2018-09-24  Saam Barati  <sbarati@apple.com>
2907
2908         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2909         https://bugs.webkit.org/show_bug.cgi?id=189922
2910         <rdar://problem/44651275>
2911
2912         Reviewed by Mark Lam.
2913
2914         * stress/array-indexof-fast-path-effects.js: Added.
2915         * stress/array-indexof-cached-length.js: Added.
2916
2917 2018-09-24  Saam barati  <sbarati@apple.com>
2918
2919         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2920         https://bugs.webkit.org/show_bug.cgi?id=189682
2921         <rdar://problem/43557315>
2922
2923         Reviewed by Mark Lam.
2924
2925         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2926         (foo):
2927
2928 2018-09-22  Saam barati  <sbarati@apple.com>
2929
2930         The sampling should not use Strong<CodeBlock> in its machineLocation field
2931         https://bugs.webkit.org/show_bug.cgi?id=189319
2932
2933         Reviewed by Filip Pizlo.
2934
2935         * stress/sampling-profiler-richards.js: Added.
2936
2937 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2938
2939         [JSC] Optimize Array#indexOf in C++ runtime
2940         https://bugs.webkit.org/show_bug.cgi?id=189507
2941
2942         Reviewed by Saam Barati.
2943
2944         * stress/array-indexof-array-prototype-trap.js: Added.
2945         (shouldBe):
2946         (AncestorArray.prototype.get 2):
2947         (AncestorArray):
2948         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2949         (shouldBe):
2950         * stress/array-indexof-hole-nan.js: Added.
2951         (shouldBe):
2952         (throw.new.Error):
2953         * stress/array-indexof-infinity.js: Added.
2954         (shouldBe):
2955         (throw.new.Error):
2956         * stress/array-indexof-negative-zero.js: Added.
2957         (shouldBe):
2958         (throw.new.Error):
2959         * stress/array-indexof-own-getter.js: Added.
2960         (shouldBe):
2961         (throw.new.Error.get array):
2962         (get array):
2963         * stress/array-indexof-prototype-trap.js: Added.
2964         (shouldBe):
2965         (DerivedArray.prototype.get 2):
2966         (DerivedArray):
2967
2968 2018-09-19  Saam barati  <sbarati@apple.com>
2969
2970         AI rule for MultiPutByOffset executes its effects in the wrong order
2971         https://bugs.webkit.org/show_bug.cgi?id=189757
2972         <rdar://problem/43535257>
2973
2974         Reviewed by Michael Saboff.
2975
2976         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2977         (foo):
2978         (Foo):
2979         (g):
2980
2981 2018-09-17  Mark Lam  <mark.lam@apple.com>
2982
2983         Ensure that ForInContexts are invalidated if their loop local is over-written.
2984         https://bugs.webkit.org/show_bug.cgi?id=189571
2985         <rdar://problem/44402277>
2986
2987         Reviewed by Saam Barati.
2988
2989         * stress/regress-189571.js: Added.
2990
2991 2018-09-17  Saam barati  <sbarati@apple.com>
2992
2993         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2994         https://bugs.webkit.org/show_bug.cgi?id=189676
2995         <rdar://problem/39682897>
2996
2997         Reviewed by Michael Saboff.
2998
2999         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3000         (A):
3001         (K):
3002         (i.catch):
3003
3004 2018-09-14  Saam barati  <sbarati@apple.com>
3005
3006         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3007         https://bugs.webkit.org/show_bug.cgi?id=189628
3008         <rdar://problem/39481690>
3009
3010         Reviewed by Mark Lam.
3011
3012         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3013         (foo):
3014
3015 2018-09-11  Mark Lam  <mark.lam@apple.com>
3016
3017         Test for array initialization in arrayProtoFuncSplice.
3018         https://bugs.webkit.org/show_bug.cgi?id=170253
3019         <rdar://problem/31328773>
3020
3021         Rubber-stamped by Saam Barati.
3022
3023         * stress/regress-170253.js: Added.
3024
3025 2018-09-11  Mark Lam  <mark.lam@apple.com>
3026
3027         Test for IntlObject initialization.
3028         https://bugs.webkit.org/show_bug.cgi?id=170251
3029         <rdar://problem/31328419>
3030
3031         Rubber-stamped by Saam Barati.
3032
3033         * stress/regress-170251.js: Added.
3034
3035 2018-09-11  Mark Lam  <mark.lam@apple.com>
3036
3037         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3038         https://bugs.webkit.org/show_bug.cgi?id=169889
3039         <rdar://problem/31155607>
3040
3041         Reviewed by Saam Barati.
3042
3043         * stress/regress-169889-array-concat.js: Added.
3044         * stress/regress-169889-array-concat1.js: Added.
3045         * stress/regress-169889-array-slice.js: Added.
3046
3047 2018-09-11  Mark Lam  <mark.lam@apple.com>
3048
3049         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3050         https://bugs.webkit.org/show_bug.cgi?id=169445
3051         <rdar://problem/30957435>
3052
3053         Reviewed by Saam Barati.
3054
3055         * stress/regress-169445.js: Added.
3056         (let.gun.eval.A):
3057         (let.gun.eval.B.C):
3058         (let.gun.eval.B.C.prototype.trigger):
3059         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3060         (let.gun.eval.B):
3061         (let.gun.eval):
3062
3063 == Rolled over to ChangeLog-2018-09-11 ==