Placate exception check validation in operationArrayIndexOfString().
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-21  Mark Lam  <mark.lam@apple.com>
2
3         Placate exception check validation in operationArrayIndexOfString().
4         https://bugs.webkit.org/show_bug.cgi?id=196067
5         <rdar://problem/49056572>
6
7         Reviewed by Michael Saboff.
8
9         * stress/string-equal-exception-check.js: Added.
10
11 2019-03-21  Mark Lam  <mark.lam@apple.com>
12
13         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
14         https://bugs.webkit.org/show_bug.cgi?id=196055
15         <rdar://problem/49067448>
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
20
21 2019-03-20  Saam Barati  <sbarati@apple.com>
22
23         typeOfDoubleSum is wrong for when NaN can be produced
24         https://bugs.webkit.org/show_bug.cgi?id=196030
25
26         Reviewed by Filip Pizlo.
27
28         * stress/double-add-sub-mul-can-produce-nan.js: Added.
29         (assert):
30         (noInline.sub):
31         (noInline):
32         (assert.mul):
33         (assert.add):
34
35 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
36
37         Update the test to ensure OutOfMemoryError is thrown as intended
38         https://bugs.webkit.org/show_bug.cgi?id=196032
39         <rdar://problem/46842740>
40
41         Rubber stamped by Saam Barati.
42
43         * stress/create-error-out-of-memory-rope-string.js:
44         (assert):
45         (catch):
46
47 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
48
49         JSC::createError needs to check for OOM in errorDescriptionForValue
50         https://bugs.webkit.org/show_bug.cgi?id=196032
51         <rdar://problem/46842740>
52
53         Reviewed by Mark Lam.
54
55         * stress/create-error-out-of-memory-rope-string.js: Added.
56
57 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
58
59         Unreviewed, reduce # of iterations to avoid timing out after r242991
60         https://bugs.webkit.org/show_bug.cgi?id=195791
61
62         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
63
64         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
65
66 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
67
68         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
69         https://bugs.webkit.org/show_bug.cgi?id=195950
70
71         Unreviewed, reducing the amount of memory used on this test to avoid
72         OOM on devices with memory restrictions.
73
74         * microbenchmarks/generate-multiple-llint-entrypoints.js:
75
76 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
77
78         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
79         https://bugs.webkit.org/show_bug.cgi?id=194648
80
81         Reviewed by Keith Miller.
82
83         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
84
85 2019-03-18  Mark Lam  <mark.lam@apple.com>
86
87         Missing a ThrowScope release in JSObject::toString().
88         https://bugs.webkit.org/show_bug.cgi?id=195893
89         <rdar://problem/48970986>
90
91         Reviewed by Michael Saboff.
92
93         * stress/to-string-exception-check-release.js: Added.
94
95 2019-03-18  Mark Lam  <mark.lam@apple.com>
96
97         Structure::flattenDictionary() should clear unused property slots.
98         https://bugs.webkit.org/show_bug.cgi?id=195871
99         <rdar://problem/48959497>
100
101         Reviewed by Michael Saboff.
102
103         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
104
105 2019-03-15  Mark Lam  <mark.lam@apple.com>
106
107         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
108         https://bugs.webkit.org/show_bug.cgi?id=195827
109         <rdar://problem/48845513>
110
111         Reviewed by Filip Pizlo.
112
113         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
114
115 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
116
117         [ARM,MIPS] Skip slow tests
118         https://bugs.webkit.org/show_bug.cgi?id=195799
119
120         Unreviewed, test does not finish on ARM and MIPS within the
121         timeout limit.
122
123         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
124
125 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
126
127         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
128         https://bugs.webkit.org/show_bug.cgi?id=195791
129         <rdar://problem/48806130>
130
131         Reviewed by Mark Lam.
132
133         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
134         (foo):
135
136 2019-03-14  Saam barati  <sbarati@apple.com>
137
138         We can't remove code after ForceOSRExit until after FixupPhase
139         https://bugs.webkit.org/show_bug.cgi?id=186916
140         <rdar://problem/41396612>
141
142         Reviewed by Yusuke Suzuki.
143
144         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
145         (foo):
146         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
147         (foo):
148
149 2019-03-13  Michael Saboff  <msaboff@apple.com>
150
151         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
152         https://bugs.webkit.org/show_bug.cgi?id=195735
153
154         Reviewed by Mark Lam.
155
156         New regression test.
157
158         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
159         (foo):
160         (bar):
161
162 2019-03-14  Saam barati  <sbarati@apple.com>
163
164         Fixup uses KnownInt32 incorrectly in some nodes
165         https://bugs.webkit.org/show_bug.cgi?id=195279
166         <rdar://problem/47915654>
167
168         Reviewed by Yusuke Suzuki.
169
170         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
171         (foo):
172
173 2019-03-14  Keith Miller  <keith_miller@apple.com>
174
175         DFG liveness can't skip tail caller inline frames
176         https://bugs.webkit.org/show_bug.cgi?id=195715
177
178         Reviewed by Saam Barati.
179
180         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
181         (i.foo):
182
183 2019-03-13  Mark Lam  <mark.lam@apple.com>
184
185         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
186         https://bugs.webkit.org/show_bug.cgi?id=195415
187
188         Not reviewed.
189
190         Changed these tests to only run the default configuration.
191         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
192         There's no strong need to run this test on that variant.
193
194         * stress/dfg-to-string-on-int-does-gc.js:
195         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
196
197 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
198
199         String overflow when using StringBuilder in JSC::createError
200         https://bugs.webkit.org/show_bug.cgi?id=194957
201
202         Reviewed by Mark Lam.
203
204         Add test string-overflow-createError-bulder.js that overflows
205         StringBuilder in notAFunctionSourceAppender. The second new test
206         string-overflow-createError-fit.js has an error message that doesn't
207         overflow, it still failed since the String's capacity can't be doubled.
208         Run test string-overflow-createError.js only in the default
209         configuration to reduce memory consumption when running the test
210         in all configurations on multiple CPUs in parallel.
211
212         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
213         (catch):
214         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
215         (catch):
216         * stress/string-overflow-createError.js:
217
218 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
219
220         [JSC] OSR entry should respect abstract values in addition to flush formats
221         https://bugs.webkit.org/show_bug.cgi?id=195653
222
223         Reviewed by Mark Lam.
224
225         * stress/osr-entry-locals-none.js: Added.
226
227 2019-03-12  Michael Saboff  <msaboff@apple.com>
228
229         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
230         https://bugs.webkit.org/show_bug.cgi?id=195613
231
232         Reviewed by Mark Lam.
233
234         New regression test.
235
236         * stress/regexp-backref-inbounds.js: Added.
237         (testRegExp):
238
239 2019-03-12  Mark Lam  <mark.lam@apple.com>
240
241         The HasIndexedProperty node does GC.
242         https://bugs.webkit.org/show_bug.cgi?id=195559
243         <rdar://problem/48767923>
244
245         Reviewed by Yusuke Suzuki.
246
247         * stress/HasIndexedProperty-does-gc.js: Added.
248
249 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
250
251         [ESNext][BigInt] Implement "~" unary operation
252         https://bugs.webkit.org/show_bug.cgi?id=182216
253
254         Reviewed by Keith Miller.
255
256         * stress/big-int-bit-not-general.js: Added.
257         * stress/big-int-bitwise-not-jit.js: Added.
258         * stress/big-int-bitwise-not-wrapped-value.js: Added.
259         * stress/bit-op-with-object-returning-int32.js:
260         * stress/bitwise-not-fixup-rules.js: Added.
261         * stress/value-bit-not-ai-rule.js: Added.
262
263 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
264
265         Invalid flags in a RegExp literal should be an early SyntaxError
266         https://bugs.webkit.org/show_bug.cgi?id=195514
267
268         Reviewed by Darin Adler.
269
270         * test262/expectations.yaml:
271         Mark 4 test cases as passing.
272
273         * stress/regexp-syntax-error-invalid-flags.js:
274         * stress/regress-161995.js: Removed.
275         Update existing test, merging in an older test for the same behavior.
276
277 2019-03-08  Mark Lam  <mark.lam@apple.com>
278
279         Stack overflow crash in JSC::JSObject::hasInstance.
280         https://bugs.webkit.org/show_bug.cgi?id=195458
281         <rdar://problem/48710195>
282
283         Reviewed by Yusuke Suzuki.
284
285         * stress/stack-overflow-in-custom-hasInstance.js: Added.
286
287 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
288
289         op_check_tdz does not def its argument
290         https://bugs.webkit.org/show_bug.cgi?id=192880
291         <rdar://problem/46221598>
292
293         Reviewed by Saam Barati.
294
295         * microbenchmarks/let-for-in.js: Added.
296         (foo):
297
298 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
299
300         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
301         https://bugs.webkit.org/show_bug.cgi?id=195429
302
303         Reviewed by Saam Barati.
304
305         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
306         (foo):
307         * stress/string-from-char-code-255.js: Added.
308
309 2019-03-06  Mark Lam  <mark.lam@apple.com>
310
311         Fix incorrect handling of try-finally completion values.
312         https://bugs.webkit.org/show_bug.cgi?id=195131
313         <rdar://problem/46222079>
314
315         Reviewed by Saam Barati and Yusuke Suzuki.
316
317         Added many permutations of new test case to test-finally.js.  test-finally.js has
318         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
319         tests passes there as well.
320
321         * stress/test-finally.js:
322
323 2019-03-06  Saam Barati  <sbarati@apple.com>
324
325         Air::reportUsedRegisters must padInterference
326         https://bugs.webkit.org/show_bug.cgi?id=195303
327         <rdar://problem/48270343>
328
329         Reviewed by Keith Miller.
330
331         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
332
333 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         [JSC] AI should not propagate AbstractValue relying on constant folding phase
336         https://bugs.webkit.org/show_bug.cgi?id=195375
337
338         Reviewed by Saam Barati.
339
340         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
341         (let.array):
342
343 2019-03-05  Saam barati  <sbarati@apple.com>
344
345         op_switch_char broken for rope strings after JSRopeString layout rewrite
346         https://bugs.webkit.org/show_bug.cgi?id=195339
347         <rdar://problem/48592545>
348
349         Reviewed by Yusuke Suzuki.
350
351         * stress/switch-on-char-llint-rope.js: Added.
352
353 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
354
355         [JSC] Store bits for JSRopeString in 3 stores
356         https://bugs.webkit.org/show_bug.cgi?id=195234
357
358         Reviewed by Saam Barati.
359
360         * stress/null-rope-and-collectors.js: Added.
361
362 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
363
364         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
365         https://bugs.webkit.org/show_bug.cgi?id=195207
366
367         Unreviewed. After test runtime was reduced in r242213, test can be
368         run again on ARM/MIPS.
369
370         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
371
372 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
373
374         [JSC] sizeof(JSString) should be 16
375         https://bugs.webkit.org/show_bug.cgi?id=194375
376
377         Reviewed by Saam Barati.
378
379         * microbenchmarks/make-rope.js: Added.
380         (makeRope):
381         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
382         (returnRope.helper): Deleted.
383         (returnRope): Deleted.
384
385 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
386
387         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
388         https://bugs.webkit.org/show_bug.cgi?id=195144
389
390         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
391         Change the number from 1e8 to 1e5.
392
393         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
394         (foo):
395
396 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
397
398         Test times out on ARM/MIPS
399         https://bugs.webkit.org/show_bug.cgi?id=195168
400
401         Unreviewed. Skip test on ARM/MIPS.
402
403         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
404
405 2019-02-27  Mark Lam  <mark.lam@apple.com>
406
407         The parser is failing to record the token location of new in new.target.
408         https://bugs.webkit.org/show_bug.cgi?id=195127
409         <rdar://problem/39645578>
410
411         Reviewed by Yusuke Suzuki.
412
413         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
414
415 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
416
417         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
418         https://bugs.webkit.org/show_bug.cgi?id=195144
419         <rdar://problem/47595961>
420
421         Reviewed by Mark Lam.
422
423         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
424         (bar):
425         (foo):
426         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
427         (bar):
428         (foo):
429
430 2019-02-27  Robin Morisset  <rmorisset@apple.com>
431
432         DFG: Loop-invariant code motion (LICM) should not hoist dead code
433         https://bugs.webkit.org/show_bug.cgi?id=194945
434         <rdar://problem/48311657>
435
436         Reviewed by Mark Lam.
437
438         * stress/licm-dead-code.js: Added.
439
440 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
441
442         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
443         https://bugs.webkit.org/show_bug.cgi?id=194677
444         <rdar://problem/48112492>
445
446         Reviewed by Mark Lam.
447
448         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
449         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
450         it immediately fails due the large size.
451
452         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
453         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
454         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
455         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
456
457         This patch changes the test to produce 16bit string from String.fromCharCode.
458
459         * stress/regress-178386.js:
460
461 2019-02-26  Mark Lam  <mark.lam@apple.com>
462
463         wasmToJS() should purify incoming NaNs.
464         https://bugs.webkit.org/show_bug.cgi?id=194807
465         <rdar://problem/48189132>
466
467         Reviewed by Saam Barati.
468
469         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
470
471 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
472
473         [JSC] Repeat string created from Array.prototype.join() take too much memory
474         https://bugs.webkit.org/show_bug.cgi?id=193912
475
476         Reviewed by Saam Barati.
477
478         Added a test and a microbenchmark for corner cases of
479         Array.prototype.join() with an uninitialized array.
480
481         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
482         * stress/array-prototype-join-uninitialized.js: Added.
483         (testArray):
484         (testABC):
485         (B):
486         (C):
487
488 2019-02-22  Robin Morisset  <rmorisset@apple.com>
489
490         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
491         https://bugs.webkit.org/show_bug.cgi?id=194953
492         <rdar://problem/47595253>
493
494         Reviewed by Saam Barati.
495
496         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
497
498         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
499
500 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
501
502         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
503         https://bugs.webkit.org/show_bug.cgi?id=172848
504         <rdar://problem/25709212>
505
506         Reviewed by Mark Lam.
507
508         * typeProfiler/inheritance.js:
509         Rewrite the test slightly for clarity. The hoisting was confusing.
510
511         * heapProfiler/class-names.js: Added.
512         (MyES5Class):
513         (MyES6Class):
514         (MyES6Subclass):
515         Test object types and improved class names.
516
517         * heapProfiler/driver/driver.js:
518         (CheapHeapSnapshotNode):
519         (CheapHeapSnapshot):
520         (createCheapHeapSnapshot):
521         (HeapSnapshot):
522         (createHeapSnapshot):
523         Update snapshot parsing from version 1 to version 2.
524
525 2019-02-19  Truitt Savell  <tsavell@apple.com>
526
527         Unreviewed, rolling out r241784.
528
529         Broke all OpenSource builds.
530
531         Reverted changeset:
532
533         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
534         instances view"
535         https://bugs.webkit.org/show_bug.cgi?id=172848
536         https://trac.webkit.org/changeset/241784
537
538 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
539
540         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
541         https://bugs.webkit.org/show_bug.cgi?id=172848
542         <rdar://problem/25709212>
543
544         Reviewed by Mark Lam.
545
546         * typeProfiler/inheritance.js:
547         Rewrite the test slightly for clarity. The hoisting was confusing.
548
549         * heapProfiler/class-names.js: Added.
550         (MyES5Class):
551         (MyES6Class):
552         (MyES6Subclass):
553         Test object types and improved class names.
554
555         * heapProfiler/driver/driver.js:
556         (CheapHeapSnapshotNode):
557         (CheapHeapSnapshot):
558         (createCheapHeapSnapshot):
559         (HeapSnapshot):
560         (createHeapSnapshot):
561         Update snapshot parsing from version 1 to version 2.
562
563 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
564
565         [ARM] Fix crash with sampling profiler
566         https://bugs.webkit.org/show_bug.cgi?id=194772
567
568         Reviewed by Mark Lam.
569
570         Do not skip test since crash with sampling profiler is now fixed.
571
572         * stress/sampling-profiler-richards.js:
573
574 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
575
576         [JSC] Add LazyClassStructure::getInitializedOnMainThread
577         https://bugs.webkit.org/show_bug.cgi?id=194784
578         <rdar://problem/48154820>
579
580         Reviewed by Mark Lam.
581
582         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
583         (getProperties):
584         (getRandomProperty):
585         (i.catch):
586
587 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
588
589         [ARM] Test gardening: Test running out of executable memory
590         https://bugs.webkit.org/show_bug.cgi?id=194771
591
592         Unreviewed. Do not run test without LLInt, test is running out of executable
593         memory on ARM otherwise.
594
595         * stress/tagged-template-object-collect.js:
596
597 2019-02-18  Tomas Popela  <tpopela@redhat.com>
598
599         Unreviewed, skip the test on platforms without sampling profiler
600
601         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
602         (platformSupportsSamplingProfiler.foo):
603         (platformSupportsSamplingProfiler.test):
604         (platformSupportsSamplingProfiler):
605         (foo): Deleted.
606         (test): Deleted.
607
608 2019-02-17  Saam Barati  <sbarati@apple.com>
609
610         Deadlock when adding a Structure property transition and then doing incremental marking
611         https://bugs.webkit.org/show_bug.cgi?id=194767
612
613         Reviewed by Mark Lam.
614
615         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
616
617 2019-02-15  Michael Saboff  <msaboff@apple.com>
618
619         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
620         https://bugs.webkit.org/show_bug.cgi?id=194558
621
622         Reviewed by Saam Barati.
623
624         New regression test.
625
626         * stress/regexp-unicode-within-string.js: Added.
627
628 2019-02-15  Mark Lam  <mark.lam@apple.com>
629
630         SamplingProfiler::stackTracesAsJSON() should escape strings.
631         https://bugs.webkit.org/show_bug.cgi?id=194649
632         <rdar://problem/48072386>
633
634         Reviewed by Saam Barati.
635
636         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
637         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
638         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
639         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
640
641 2019-02-15  Robin Morisset  <rmorisset@apple.com>
642         CodeBlock::jettison should clear related watchpoints
643         https://bugs.webkit.org/show_bug.cgi?id=194544
644
645         Reviewed by Mark Lam.
646
647         * stress/regexp-replace-double-watchpoint.js: Added.
648         (foo):
649
650 2019-02-15  Saam barati  <sbarati@apple.com>
651
652         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
653         https://bugs.webkit.org/show_bug.cgi?id=194036
654
655         Reviewed by Yusuke Suzuki.
656
657         * stress/tail-call-many-arguments.js: Added.
658         (foo):
659         (bar):
660
661 2019-02-14  Saam Barati  <sbarati@apple.com>
662
663         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
664         https://bugs.webkit.org/show_bug.cgi?id=194583
665         <rdar://problem/48028140>
666
667         Reviewed by Yusuke Suzuki.
668
669         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
670
671 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
672
673         [JSC] String.fromCharCode's slow path always generates 16bit string
674         https://bugs.webkit.org/show_bug.cgi?id=194466
675
676         Reviewed by Keith Miller.
677
678         * stress/string-from-char-code-slow-path.js: Added.
679         (shouldBe):
680         (testWithLength):
681
682 2019-02-08  Saam barati  <sbarati@apple.com>
683
684         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
685         https://bugs.webkit.org/show_bug.cgi?id=194334
686         <rdar://problem/47844327>
687
688         Reviewed by Mark Lam.
689
690         * stress/check-in-bounds-should-be-a-child-use.js: Added.
691         (func):
692
693 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
694
695         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
696         https://bugs.webkit.org/show_bug.cgi?id=194369
697         <rdar://problem/47813087>
698
699         Reviewed by Saam Barati.
700
701         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
702         (A):
703
704 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
705
706         [JSC] PrivateName to PublicName hash table is wasteful
707         https://bugs.webkit.org/show_bug.cgi?id=194277
708
709         Reviewed by Michael Saboff.
710
711         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
712
713         * ChakraCore.yaml:
714
715 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
716
717         [ARM] Test running out of executable memory
718         https://bugs.webkit.org/show_bug.cgi?id=194285
719
720         Unreviewed. Do no execute test with LLInt disabled, test runs out of
721         executable memory otherwise.
722
723         * stress/class-subclassing-function.js:
724
725 2019-02-04  Robin Morisset  <rmorisset@apple.com>
726
727         when lowering AssertNotEmpty, create the value before creating the patchpoint
728         https://bugs.webkit.org/show_bug.cgi?id=194231
729
730         Reviewed by Saam Barati.
731
732         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
733         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
734         So even tiny changes to this test can change the path code taken.
735
736         * stress/assert-not-empty.js: Added.
737         (foo):
738
739 2019-02-01  Mark Lam  <mark.lam@apple.com>
740
741         Remove invalid assertion in DFG's compileDoubleRep().
742         https://bugs.webkit.org/show_bug.cgi?id=194130
743         <rdar://problem/47699474>
744
745         Reviewed by Saam Barati.
746
747         * stress/constant-fold-double-rep-into-double-constant.js: Added.
748
749 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
750
751         Import latest Test262 updates.
752
753         Rubber-stamped by Keith Miller.
754
755         * test262.yaml: Deleted.
756         * test262/config.yaml:
757         * test262/expectations.yaml:
758         * test262/latest-changes-summary.txt:
759         * test262/test/:
760         * test262/test262-Revision.txt:
761
762 2019-01-30  Robin Morisset  <rmorisset@apple.com>
763
764         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
765         https://bugs.webkit.org/show_bug.cgi?id=194050
766         <rdar://problem/47595592>
767
768         Reviewed by Yusuke Suzuki.
769
770         * stress/object-keys-osr-exit.js: Added.
771         (foo):
772         (catch):
773
774 2019-01-29  Mark Lam  <mark.lam@apple.com>
775
776         ValueRecovery::recover() should purify NaN values it recovers.
777         https://bugs.webkit.org/show_bug.cgi?id=193978
778         <rdar://problem/47625488>
779
780         Reviewed by Saam Barati.
781
782         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
783
784 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
785
786         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
787         https://bugs.webkit.org/show_bug.cgi?id=193713
788
789         * stress/try-get-by-id-should-spill-registers-dfg.js:
790         (let.f.createBuiltin):
791
792 2019-01-28  Mark Lam  <mark.lam@apple.com>
793
794         ToString node actually does GC.
795         https://bugs.webkit.org/show_bug.cgi?id=193920
796         <rdar://problem/46695900>
797
798         Reviewed by Yusuke Suzuki.
799
800         * stress/dfg-to-string-on-int-does-gc.js: Added.
801         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
802         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
803
804 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
805
806         [JSC] NativeErrorConstructor should not have own IsoSubspace
807         https://bugs.webkit.org/show_bug.cgi?id=193713
808
809         Reviewed by Saam Barati.
810
811         Remove @Error use.
812
813         * stress/try-get-by-id-should-spill-registers-dfg.js:
814         (let.f.createBuiltin):
815
816 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
817
818         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
819         https://bugs.webkit.org/show_bug.cgi?id=190693
820
821         Reviewed by Michael Saboff.
822
823         * stress/regress-190693.js: Added.
824         (truth):
825         (assert):
826         (shouldThrowInvalidConstAssignment):
827         (taz):
828
829 2019-01-24  Saam Barati  <sbarati@apple.com>
830
831         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
832         https://bugs.webkit.org/show_bug.cgi?id=193751
833         <rdar://problem/47280215>
834
835         Reviewed by Michael Saboff.
836
837         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
838         (let.thing):
839         (foo.let.hello):
840         (foo):
841
842 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
843
844         [JSC] Reenable baseline JIT on mips
845         https://bugs.webkit.org/show_bug.cgi?id=192983
846
847         Reviewed by Mark Lam.
848
849         Added a new test for a case that was triggering a RELEASE_ASSERT when
850         testing.
851         Disable some slow tests that were already disabled for arm and x86.
852
853         * stress/json-parse-big-object.js: Added.
854         * stress/new-largeish-contiguous-array-with-size.js:
855         * stress/op_add.js:
856         * stress/op_bitand.js:
857         * stress/op_bitor.js:
858         * stress/op_bitxor.js:
859         * stress/op_lshift-ConstVar.js:
860         * stress/op_lshift-VarConst.js:
861         * stress/op_lshift-VarVar.js:
862         * stress/op_mod-ConstVar.js:
863         * stress/op_mod-VarConst.js:
864         * stress/op_mod-VarVar.js:
865         * stress/op_mul-ConstVar.js:
866         * stress/op_mul-VarConst.js:
867         * stress/op_mul-VarVar.js:
868         * stress/op_rshift-ConstVar.js:
869         * stress/op_rshift-VarConst.js:
870         * stress/op_rshift-VarVar.js:
871         * stress/op_sub-ConstVar.js:
872         * stress/op_sub-VarConst.js:
873         * stress/op_sub-VarVar.js:
874         * stress/op_urshift-ConstVar.js:
875         * stress/op_urshift-VarConst.js:
876         * stress/op_urshift-VarVar.js:
877         * stress/sampling-profiler-richards.js:
878         * stress/spread-forward-call-varargs-stack-overflow.js:
879
880 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
881
882         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
883         https://bugs.webkit.org/show_bug.cgi?id=193711
884         <rdar://problem/47250262>
885
886         Reviewed by Saam Barati.
887
888         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
889         (shouldBe):
890         (foo):
891         (bar):
892         (baz):
893
894 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
895
896         Unreviewed, fix initial global lexical binding epoch
897         https://bugs.webkit.org/show_bug.cgi?id=193603
898         <rdar://problem/47380869>
899
900         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
901         (f1.f2.f3.f4):
902         (f1.f2.f3):
903         (f1.f2):
904         (f1):
905
906 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
907
908         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
909         https://bugs.webkit.org/show_bug.cgi?id=193709
910         <rdar://problem/47363838>
911
912         Unreviewed, rollout to watch the tests.
913
914         * stress/object-tostring-changed-proto.js: Removed.
915         * stress/object-tostring-changed.js: Removed.
916         * stress/object-tostring-misc.js: Removed.
917         * stress/object-tostring-other.js: Removed.
918         * stress/object-tostring-untyped.js: Removed.
919
920 2019-01-22  Saam Barati  <sbarati@apple.com>
921
922         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
923
924         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
925         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
926         (testUncheckedLessThanZero):
927         (testUncheckedLessThanOrEqualZero):
928         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
929         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
930
931 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
932
933         [JSC] Invalidate old scope operations using global lexical binding epoch
934         https://bugs.webkit.org/show_bug.cgi?id=193603
935         <rdar://problem/47380869>
936
937         Reviewed by Saam Barati.
938
939         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
940         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
941         (shouldThrow):
942         (bar):
943         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
944         (shouldBe):
945         (get1):
946         (get2):
947         (get1If):
948         (get2If):
949         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
950         (shouldThrow):
951         (foo):
952
953 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         Unreviewed, roll out r240220 due to date-format-xparb regression
956         https://bugs.webkit.org/show_bug.cgi?id=193603
957
958         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
959         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
960         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
961         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
962
963 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
964
965         DoesGC rule is wrong for nodes with BigIntUse
966         https://bugs.webkit.org/show_bug.cgi?id=193652
967
968         Reviewed by Saam Barati.
969
970         * stress/big-int-value-op-update-gc-rules.js: Added.
971         (assert):
972         (doesGCAdd):
973         (doesGCSub):
974         (doesGCDiv):
975         (doesGCMul):
976         (doesGCBitAnd):
977         (doesGCBitOr):
978         (doesGCBitXor):
979
980 2019-01-20  Saam Barati  <sbarati@apple.com>
981
982         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
983         https://bugs.webkit.org/show_bug.cgi?id=193644
984         <rdar://problem/46209745>
985
986         Reviewed by Yusuke Suzuki.
987
988         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
989         (foo):
990         * stress/data-view-set-intrinsic-undefined-result.js: Added.
991         (foo):
992         (bar):
993
994 2019-01-20  Saam Barati  <sbarati@apple.com>
995
996         MovHint must merge NodeBytecodeUsesAsValue for its child
997         https://bugs.webkit.org/show_bug.cgi?id=186916
998         <rdar://problem/41396612>
999
1000         Reviewed by Yusuke Suzuki.
1001
1002         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1003         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1004
1005 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1006
1007         [JSC] Invalidate old scope operations using global lexical binding epoch
1008         https://bugs.webkit.org/show_bug.cgi?id=193603
1009         <rdar://problem/47380869>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1014         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1015         (shouldThrow):
1016         (bar):
1017         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1018         (shouldBe):
1019         (get1):
1020         (get2):
1021         (get1If):
1022         (get2If):
1023         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1024         (shouldThrow):
1025         (foo):
1026
1027 2019-01-17  Saam barati  <sbarati@apple.com>
1028
1029         StringObjectUse should not be a structure check for the original string object structure
1030         https://bugs.webkit.org/show_bug.cgi?id=193483
1031         <rdar://problem/47280522>
1032
1033         Reviewed by Yusuke Suzuki.
1034
1035         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1036         (foo):
1037         (a.valueOf.0):
1038
1039 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1040
1041         [JSC] ToThis omission in DFGByteCodeParser is wrong
1042         https://bugs.webkit.org/show_bug.cgi?id=193513
1043         <rdar://problem/45842236>
1044
1045         Reviewed by Saam Barati.
1046
1047         * stress/to-this-omission-with-different-strict-modes.js: Added.
1048         (thisA):
1049         (thisAStrictWrapper):
1050
1051 2019-01-15  Mark Lam  <mark.lam@apple.com>
1052
1053         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1054         https://bugs.webkit.org/show_bug.cgi?id=193423
1055         <rdar://problem/46209355>
1056
1057         Reviewed by Saam Barati.
1058
1059         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1060         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1061         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1062         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1063
1064 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1065
1066         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1067         https://bugs.webkit.org/show_bug.cgi?id=193438
1068         <rdar://problem/45581249>
1069
1070         Reviewed by Saam Barati and Keith Miller.
1071
1072         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1073         Then, GetByVal(String) crashed.
1074
1075         * stress/string-get-by-val-lowering.js: Added.
1076         (shouldBe):
1077         (test):
1078         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1079         (Hello):
1080         (foo):
1081
1082 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1083
1084         Unreviewed, skip JIT tests if it's not enabled
1085
1086         * stress/bit-op-with-object-returning-int32.js:
1087
1088 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1089
1090         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1091         https://bugs.webkit.org/show_bug.cgi?id=192966
1092
1093         Reviewed by Yusuke Suzuki.
1094
1095         * stress/bit-op-with-object-returning-int32.js: Added.
1096
1097 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1098
1099         Skip a slow test and a flakey test on arm
1100
1101         Unreviewed gardening.
1102
1103         * typeProfiler/getter-richards.js:
1104         this test always times out, it used to be always skipped on arm and
1105         mips, but got accidentally enabled by r237919 now that we have DFG on
1106         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1107
1108 2019-01-14  Keith Miller  <keith_miller@apple.com>
1109
1110         Skip type-check-hoisting-phase-hoist... with no jit
1111         https://bugs.webkit.org/show_bug.cgi?id=193421
1112
1113         Reviewed by Mark Lam.
1114
1115         It's timing out the 32-bit bots and takes 330 seconds
1116         on my machine when run by itself.
1117
1118         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1119
1120 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1121
1122         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1123         https://bugs.webkit.org/show_bug.cgi?id=193413
1124         <rdar://problem/46092389>
1125
1126         Reviewed by Keith Miller.
1127
1128         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1129         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1130         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1131         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1132
1133         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1134         (compareArray):
1135
1136 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1137
1138         [BigInt] Literal parsing is crashing when used inside a Object Literal
1139         https://bugs.webkit.org/show_bug.cgi?id=193404
1140
1141         Reviewed by Yusuke Suzuki.
1142
1143         * stress/big-int-literal-inside-literal-object.js: Added.
1144
1145 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1146
1147         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1148         https://bugs.webkit.org/show_bug.cgi?id=193372
1149
1150         Reviewed by Saam Barati.
1151
1152         * stress/typed-array-array-modes-profile.js: Added.
1153         (foo):
1154
1155 2019-01-14  Mark Lam  <mark.lam@apple.com>
1156
1157         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1158         https://bugs.webkit.org/show_bug.cgi?id=193402
1159         <rdar://problem/46012309>
1160
1161         Reviewed by Keith Miller.
1162
1163         * stress/regexp-compile-oom.js:
1164         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1165           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1166
1167 2019-01-11  Saam barati  <sbarati@apple.com>
1168
1169         DFG combined liveness can be wrong for terminal basic blocks
1170         https://bugs.webkit.org/show_bug.cgi?id=193304
1171         <rdar://problem/45268632>
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1176
1177 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1178
1179         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1180         https://bugs.webkit.org/show_bug.cgi?id=193308
1181         <rdar://problem/45546542>
1182
1183         Reviewed by Saam Barati.
1184
1185         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1186         (shouldThrow):
1187         (shouldBe):
1188         (foo):
1189         (get shouldThrow):
1190         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1191         (shouldThrow):
1192         (shouldBe):
1193         (foo):
1194         (get shouldBe):
1195         (get shouldThrow):
1196         (get return):
1197         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1198         (shouldThrow):
1199         (shouldBe):
1200         (foo):
1201         (get shouldBe):
1202         (get shouldThrow):
1203         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1204         (shouldThrow):
1205         (shouldBe):
1206         (foo):
1207         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1208         (shouldThrow):
1209         (shouldBe):
1210         (foo):
1211         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1212         (shouldThrow):
1213         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1214         (shouldThrow):
1215         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1216         (shouldThrow):
1217         (shouldBe):
1218         (foo):
1219         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1220         (shouldThrow):
1221         (shouldBe):
1222         (foo):
1223         (get shouldBe):
1224         (get shouldThrow):
1225         (get return):
1226         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1227         (shouldThrow):
1228         (shouldBe):
1229         (foo):
1230         (get shouldBe):
1231         (get shouldThrow):
1232         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1233         (shouldThrow):
1234         (shouldBe):
1235         (foo):
1236         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1237         (shouldThrow):
1238         (shouldBe):
1239         (foo):
1240
1241 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1242
1243         Enable DFG on ARM/Linux again
1244         https://bugs.webkit.org/show_bug.cgi?id=192496
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         Test wasn't really skipped before moving the line with skip
1249         to the top.
1250
1251         * stress/regress-192717.js:
1252
1253 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1254
1255         Unreviewed, rolling out r239825.
1256         https://bugs.webkit.org/show_bug.cgi?id=193330
1257
1258         Broke tests on armv7/linux bots (Requested by guijemont on
1259         #webkit).
1260
1261         Reverted changeset:
1262
1263         "Enable DFG on ARM/Linux again"
1264         https://bugs.webkit.org/show_bug.cgi?id=192496
1265         https://trac.webkit.org/changeset/239825
1266
1267 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1268
1269         Enable DFG on ARM/Linux again
1270         https://bugs.webkit.org/show_bug.cgi?id=192496
1271
1272         Reviewed by Yusuke Suzuki.
1273
1274         Test wasn't really skipped before moving the line with skip
1275         to the top.
1276
1277         * stress/regress-192717.js:
1278
1279 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1280
1281         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1282         https://bugs.webkit.org/show_bug.cgi?id=193127
1283
1284         Reviewed by Saam Barati.
1285
1286         * stress/array-species-create-should-handle-masquerader.js: Added.
1287         (shouldThrow):
1288         * stress/is-undefined-or-null-builtin.js: Added.
1289         (shouldBe):
1290         (isUndefinedOrNull.vm.createBuiltin):
1291
1292 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1293
1294         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1295         https://bugs.webkit.org/show_bug.cgi?id=193221
1296
1297         Reviewed by Mark Lam.
1298
1299         * stress/put-by-id-flags.js: Added.
1300         (f):
1301         (g):
1302         (numberOfDFGCompiles):
1303
1304 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1305
1306         Baseline version of get_by_id may corrupt metadata
1307         https://bugs.webkit.org/show_bug.cgi?id=193085
1308         <rdar://problem/23453006>
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/get-by-id-change-mode.js: Added.
1313         (forEach):
1314
1315 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1316
1317         [JSC] Optimize Object.prototype.toString
1318         https://bugs.webkit.org/show_bug.cgi?id=193031
1319
1320         Reviewed by Saam Barati.
1321
1322         * stress/object-tostring-changed-proto.js: Added.
1323         (shouldBe):
1324         (test):
1325         * stress/object-tostring-changed.js: Added.
1326         (shouldBe):
1327         (test):
1328         * stress/object-tostring-misc.js: Added.
1329         (shouldBe):
1330         (test):
1331         (i.switch):
1332         * stress/object-tostring-other.js: Added.
1333         (shouldBe):
1334         (test):
1335         * stress/object-tostring-untyped.js: Added.
1336         (shouldBe):
1337         (test):
1338         (i.switch):
1339
1340 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1341
1342         test262-runner misbehaves when test file YAML has a trailing space
1343         https://bugs.webkit.org/show_bug.cgi?id=193053
1344
1345         Reviewed by Yusuke Suzuki.
1346
1347         * test262/expectations.yaml:
1348         Mark two dozen tests as passing (and correct the output of another).
1349
1350 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1351
1352         Unreviewed, JSTests gardening with memoryLimited
1353
1354         * stress/string-overflow-createError.js:
1355
1356 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1357
1358         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1359         https://bugs.webkit.org/show_bug.cgi?id=193050
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         * test262.yaml:
1364         * test262/expectations.yaml:
1365         Mark 16 tests as passing.
1366
1367 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1368
1369         [BigInt] Support BigInt in JSON.stringify
1370         https://bugs.webkit.org/show_bug.cgi?id=192624
1371
1372         Reviewed by Saam Barati.
1373
1374         * stress/big-int-json-stringify-to-json.js: Added.
1375         (shouldBe):
1376         (shouldThrow):
1377         (BigInt.prototype.toJSON):
1378         (shouldBe.JSON.stringify):
1379         * stress/big-int-json-stringify.js: Added.
1380         (shouldBe):
1381         (shouldThrow):
1382
1383 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1384
1385         [JSC] Implement "well-formed JSON.stringify" proposal
1386         https://bugs.webkit.org/show_bug.cgi?id=191677
1387
1388         Reviewed by Darin Adler.
1389
1390         * stress/json-surrogate-pair.js: Added.
1391         (shouldBe):
1392         * test262/expectations.yaml:
1393
1394 2018-12-20  Keith Miller  <keith_miller@apple.com>
1395
1396         Add support for globalThis
1397         https://bugs.webkit.org/show_bug.cgi?id=165171
1398
1399         Reviewed by Mark Lam.
1400
1401         * test262/config.yaml:
1402
1403 2018-12-19  Keith Miller  <keith_miller@apple.com>
1404
1405         Update test262 configuration to not run tests dependent on ICU version.
1406         https://bugs.webkit.org/show_bug.cgi?id=192920
1407
1408         Reviewed by Saam Barati.
1409
1410         * test262/expectations.yaml:
1411
1412 2018-12-20  Mark Lam  <mark.lam@apple.com>
1413
1414         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1415         https://bugs.webkit.org/show_bug.cgi?id=192939
1416         <rdar://problem/46869516>
1417
1418         Reviewed by Keith Miller.
1419
1420         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1421
1422 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1423
1424         WTF::String and StringImpl overflow MaxLength
1425         https://bugs.webkit.org/show_bug.cgi?id=192853
1426         <rdar://problem/45726906>
1427
1428         Reviewed by Mark Lam.
1429
1430         * stress/string-16bit-repeat-overflow.js: Added.
1431         (catch):
1432
1433 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1434
1435         Unreviewed follow-up to r192914.
1436
1437         * test262/expectations.yaml:
1438         Add the last 20 missing expectations.
1439
1440 2018-12-19  Keith Miller  <keith_miller@apple.com>
1441
1442         Fix test262 expectations
1443         https://bugs.webkit.org/show_bug.cgi?id=192914
1444
1445         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1446
1447         * test262/expectations.yaml:
1448
1449 2018-12-19  Keith Miller  <keith_miller@apple.com>
1450
1451         Update test262 tests.
1452         https://bugs.webkit.org/show_bug.cgi?id=192907
1453
1454         Rubber stamped by Mark Lam.
1455
1456         * test262/*: Omitted because prepare-changelog crashes.
1457
1458 2018-12-19  Mark Lam  <mark.lam@apple.com>
1459
1460         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1461         https://bugs.webkit.org/show_bug.cgi?id=192464
1462         <rdar://problem/46519455>
1463
1464         Reviewed by Saam Barati.
1465
1466         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1467         microbenchmark.
1468
1469         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1470         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1471
1472 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1473
1474         String overflow in JSC::createError results in ASSERT in WTF::makeString
1475         https://bugs.webkit.org/show_bug.cgi?id=192833
1476         <rdar://problem/45706868>
1477
1478         Reviewed by Mark Lam.
1479
1480         * stress/string-overflow-createError.js: Added.
1481
1482 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1483
1484         Error message for `-x ** y` contains a typo.
1485         https://bugs.webkit.org/show_bug.cgi?id=192832
1486
1487         Reviewed by Saam Barati.
1488
1489         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1490         (assert.assert.return.throws):
1491         * stress/pow-expects-update-expression-on-lhs.js:
1492         (throw.new.Error):
1493         Update test expectations which match against the exact error message.
1494
1495 2018-12-18  Mark Lam  <mark.lam@apple.com>
1496
1497         Gardening: test options fix.
1498         https://bugs.webkit.org/show_bug.cgi?id=192822
1499
1500         Unreviewed.
1501
1502         * stress/json-stringify-string-builder-overflow.js:
1503
1504 2018-12-18  Mark Lam  <mark.lam@apple.com>
1505
1506         JSON.stringify() should throw OOM on StringBuilder overflows.
1507         https://bugs.webkit.org/show_bug.cgi?id=192822
1508         <rdar://problem/46670577>
1509
1510         Reviewed by Saam Barati.
1511
1512         * stress/json-stringify-string-builder-overflow.js: Added.
1513
1514 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1515
1516         Redeclaration of var over let/const/class should be a syntax error.
1517         https://bugs.webkit.org/show_bug.cgi?id=192298
1518
1519         Reviewed by Keith Miller.
1520
1521         * test262.yaml:
1522         * test262/expectations.yaml:
1523         Mark 46 tests as passing.
1524
1525         * stress/block-scope-redeclarations.js:
1526         Add some new tests.
1527
1528         * stress/for-in-invalidate-context-weird-assignments.js:
1529         * stress/for-in-tests.js:
1530         Replace tests for outdated behavior with tests for SyntaxError.
1531
1532         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1533         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1534         Update expectations.
1535
1536 2018-12-18  Mark Lam  <mark.lam@apple.com>
1537
1538         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1539         https://bugs.webkit.org/show_bug.cgi?id=191374
1540         <rdar://problem/46525447>
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1545
1546         * stress/elidable-new-object-roflcopter-then-exit.js:
1547
1548 2018-12-17  Mark Lam  <mark.lam@apple.com>
1549
1550         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1551         https://bugs.webkit.org/show_bug.cgi?id=192019
1552         <rdar://problem/46525456>
1553
1554         Reviewed by Yusuke Suzuki.
1555
1556         The test runs too slow on 32-bit.
1557
1558         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1559
1560 2018-12-17  Mark Lam  <mark.lam@apple.com>
1561
1562         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1563         https://bugs.webkit.org/show_bug.cgi?id=191373
1564         <rdar://problem/46525458>
1565
1566         Reviewed by Yusuke Suzuki.
1567
1568         The test is already slow running with a JIT on 64-bit.  It will always timeout
1569         on 32-bit without a JIT.
1570
1571         * stress/materialize-regexp-cyclic-regexp.js:
1572
1573 2018-12-17  Mark Lam  <mark.lam@apple.com>
1574
1575         Array unshift/shift should not race against the AI in the compiler thread.
1576         https://bugs.webkit.org/show_bug.cgi?id=192795
1577         <rdar://problem/46724263>
1578
1579         Reviewed by Saam Barati.
1580
1581         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1582
1583 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1584
1585         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1586         https://bugs.webkit.org/show_bug.cgi?id=190047
1587
1588         Reviewed by Saam Barati.
1589
1590         * stress/object-keys-cached-zero.js: Added.
1591         (shouldBe):
1592         (test):
1593         * stress/object-keys-changed-attribute.js: Added.
1594         (shouldBe):
1595         (test):
1596         * stress/object-keys-changed-index.js: Added.
1597         (shouldBe):
1598         (test):
1599         * stress/object-keys-changed.js: Added.
1600         (shouldBe):
1601         (test):
1602         * stress/object-keys-indexed-non-cache.js: Added.
1603         (shouldBe):
1604         (test):
1605         * stress/object-keys-overrides-get-property-names.js: Added.
1606         (shouldBe):
1607         (test):
1608         (noInline):
1609
1610 2018-12-17  Mark Lam  <mark.lam@apple.com>
1611
1612         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1613         https://bugs.webkit.org/show_bug.cgi?id=192779
1614         <rdar://problem/46775869>
1615
1616         Reviewed by Saam Barati.
1617
1618         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1619
1620 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1621
1622         Unreviewed test gardening, address a syntax error in a new test.
1623
1624         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1625
1626 2018-12-17  Mark Lam  <mark.lam@apple.com>
1627
1628         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1629         https://bugs.webkit.org/show_bug.cgi?id=192776
1630         <rdar://problem/46772368>
1631
1632         Reviewed by Keith Miller.
1633
1634         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1635
1636 2018-12-17  Mark Lam  <mark.lam@apple.com>
1637
1638         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1639         https://bugs.webkit.org/show_bug.cgi?id=192770
1640         <rdar://problem/46449037>
1641
1642         Reviewed by Keith Miller.
1643
1644         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1645
1646 2018-12-14  Mark Lam  <mark.lam@apple.com>
1647
1648         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1649         https://bugs.webkit.org/show_bug.cgi?id=192717
1650         <rdar://problem/46660677>
1651
1652         Reviewed by Saam Barati.
1653
1654         * stress/regress-192717.js: Added.
1655
1656 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1657
1658         Unreviewed, rolling out r239153, r239154, and r239155.
1659         https://bugs.webkit.org/show_bug.cgi?id=192715
1660
1661         Caused flaky GC-related crashes seen with layout tests
1662         (Requested by ryanhaddad on #webkit).
1663
1664         Reverted changesets:
1665
1666         "[JSC] Optimize Object.keys by caching own keys results in
1667         StructureRareData"
1668         https://bugs.webkit.org/show_bug.cgi?id=190047
1669         https://trac.webkit.org/changeset/239153
1670
1671         "Unreviewed, build fix after r239153"
1672         https://bugs.webkit.org/show_bug.cgi?id=190047
1673         https://trac.webkit.org/changeset/239154
1674
1675         "Unreviewed, build fix after r239153, part 2"
1676         https://bugs.webkit.org/show_bug.cgi?id=190047
1677         https://trac.webkit.org/changeset/239155
1678
1679 2018-12-14  Keith Miller  <keith_miller@apple.com>
1680
1681         Callers of JSString::getIndex should check for OOM exceptions
1682         https://bugs.webkit.org/show_bug.cgi?id=192709
1683
1684         Reviewed by Mark Lam.
1685
1686         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1687
1688 2018-12-13  Mark Lam  <mark.lam@apple.com>
1689
1690         Add a missing exception check.
1691         https://bugs.webkit.org/show_bug.cgi?id=192626
1692         <rdar://problem/46662163>
1693
1694         Reviewed by Keith Miller.
1695
1696         * stress/regress-192626.js: Added.
1697
1698 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1699
1700         [BigInt] Add ValueDiv into DFG
1701         https://bugs.webkit.org/show_bug.cgi?id=186178
1702
1703         Reviewed by Yusuke Suzuki.
1704
1705         * stress/big-int-div-jit-osr.js: Added.
1706         * stress/big-int-div-jit-untyped.js: Added.
1707         * stress/value-div-fixup-int32-big-int.js: Added.
1708
1709 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1710
1711         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1712         https://bugs.webkit.org/show_bug.cgi?id=190047
1713
1714         Reviewed by Keith Miller.
1715
1716         * stress/object-keys-cached-zero.js: Added.
1717         (shouldBe):
1718         (test):
1719         * stress/object-keys-changed-attribute.js: Added.
1720         (shouldBe):
1721         (test):
1722         * stress/object-keys-changed-index.js: Added.
1723         (shouldBe):
1724         (test):
1725         * stress/object-keys-changed.js: Added.
1726         (shouldBe):
1727         (test):
1728         * stress/object-keys-indexed-non-cache.js: Added.
1729         (shouldBe):
1730         (test):
1731         * stress/object-keys-overrides-get-property-names.js: Added.
1732         (shouldBe):
1733         (test):
1734         (noInline):
1735
1736 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1737
1738         [DFG][FTL] Add NewSymbol
1739         https://bugs.webkit.org/show_bug.cgi?id=192620
1740
1741         Reviewed by Saam Barati.
1742
1743         * microbenchmarks/symbol-creation.js: Added.
1744         (test):
1745         * stress/symbol-description-identity.js: Added.
1746         (shouldBe):
1747         (test):
1748         * stress/symbol-identity.js: Added.
1749         (shouldBe):
1750         (test):
1751         * stress/symbol-with-description-throw-error.js: Added.
1752         (shouldBe):
1753         (shouldThrow):
1754         (test):
1755         (object.toString):
1756
1757 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1758
1759         [BigInt] Implement DFG/FTL typeof for BigInt
1760         https://bugs.webkit.org/show_bug.cgi?id=192619
1761
1762         Reviewed by Keith Miller.
1763
1764         * stress/big-int-boolean-proven-type.js: Added.
1765         (assert):
1766         (bool):
1767         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1768         (assert):
1769         (typeOf):
1770         (i.switch):
1771         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1772         (assert):
1773         (typeOf):
1774         * stress/big-int-type-of.js:
1775         (typeOf):
1776         (func):
1777
1778 2018-12-10  Mark Lam  <mark.lam@apple.com>
1779
1780         PropertyAttribute needs a CustomValue bit.
1781         https://bugs.webkit.org/show_bug.cgi?id=191993
1782         <rdar://problem/46264467>
1783
1784         Reviewed by Saam Barati.
1785
1786         * stress/regress-191993.js: Added.
1787
1788 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1789
1790         [BigInt] Add ValueMul into DFG
1791         https://bugs.webkit.org/show_bug.cgi?id=186175
1792
1793         Reviewed by Yusuke Suzuki.
1794
1795         * stress/big-int-mul-jit-osr.js: Added.
1796         * stress/big-int-mul-jit-untyped.js: Added.
1797         * stress/value-mul-fixup-int32-big-int.js: Added.
1798
1799 2018-12-06  Keith Miller  <keith_miller@apple.com>
1800
1801         stress/big-wasm-memory tests failing on 32-bit JSC bot
1802         https://bugs.webkit.org/show_bug.cgi?id=192020
1803
1804         Reviewed by Saam Barati.
1805
1806         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1807         the wasm stress tests if the WebAssembly object does not exist.
1808
1809         * stress/big-wasm-memory-grow-no-max.js:
1810         (test.foo):
1811         (test):
1812         (foo): Deleted.
1813         (catch): Deleted.
1814         * stress/big-wasm-memory-grow.js:
1815         (test.foo):
1816         (test):
1817         (foo): Deleted.
1818         (catch): Deleted.
1819         * stress/big-wasm-memory.js:
1820         (test.foo):
1821         (test):
1822         (foo): Deleted.
1823         (catch): Deleted.
1824
1825 2018-12-05  Mark Lam  <mark.lam@apple.com>
1826
1827         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1828         https://bugs.webkit.org/show_bug.cgi?id=192441
1829         <rdar://problem/46480355>
1830
1831         Reviewed by Saam Barati.
1832
1833         * stress/regress-192441.js: Added.
1834
1835 2018-12-04  Mark Lam  <mark.lam@apple.com>
1836
1837         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1838         https://bugs.webkit.org/show_bug.cgi?id=192386
1839         <rdar://problem/46445516>
1840
1841         Reviewed by Saam Barati.
1842
1843         * stress/regress-192386.js: Added.
1844
1845 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1846
1847         [ESNext][BigInt] Support logic operations
1848         https://bugs.webkit.org/show_bug.cgi?id=179903
1849
1850         Reviewed by Yusuke Suzuki.
1851
1852         * stress/big-int-branch-usage.js: Added.
1853         * stress/big-int-logical-and.js: Added.
1854         * stress/big-int-logical-not.js: Added.
1855         * stress/big-int-logical-or.js: Added.
1856
1857 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1858
1859         Unreviewed, rolling out r238833.
1860
1861         Breaks macOS and iOS debug builds.
1862
1863         Reverted changeset:
1864
1865         "[ESNext][BigInt] Support logic operations"
1866         https://bugs.webkit.org/show_bug.cgi?id=179903
1867         https://trac.webkit.org/changeset/238833
1868
1869 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1870
1871         [ESNext][BigInt] Support logic operations
1872         https://bugs.webkit.org/show_bug.cgi?id=179903
1873
1874         Reviewed by Yusuke Suzuki.
1875
1876         * stress/big-int-branch-usage.js: Added.
1877         * stress/big-int-logical-and.js: Added.
1878         * stress/big-int-logical-not.js: Added.
1879         * stress/big-int-logical-or.js: Added.
1880
1881 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1882
1883         [ESNext][BigInt] Implement support for "<<" and ">>"
1884         https://bugs.webkit.org/show_bug.cgi?id=186233
1885
1886         Reviewed by Yusuke Suzuki.
1887
1888         * stress/big-int-left-shift-general.js: Added.
1889         * stress/big-int-left-shift-range-error.js: Added.
1890         * stress/big-int-left-shift-type-error.js: Added.
1891         * stress/big-int-left-shift-wrapped-value.js: Added.
1892         * stress/big-int-right-shift-general.js: Added.
1893         * stress/big-int-right-shift-type-error.js: Added.
1894         * stress/big-int-right-shift-wrapped-value.js: Added.
1895         * stress/left-shift-to-primitive-precedence.js: Added.
1896         * stress/right-shift-to-primitive-precedence.js: Added.
1897
1898 2018-11-30  Dean Jackson  <dino@apple.com>
1899
1900         Add first-class support for .mjs files in jsc binary
1901         https://bugs.webkit.org/show_bug.cgi?id=192190
1902         <rdar://problem/46375715>
1903
1904         Reviewed by Keith Miller.
1905
1906         * stress/simple-module.mjs: Added.
1907         * stress/simple-script.js: Added.
1908
1909 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1910
1911         [BigInt] Implement ValueBitXor into DFG
1912         https://bugs.webkit.org/show_bug.cgi?id=190264
1913
1914         Reviewed by Yusuke Suzuki.
1915
1916         * stress/big-int-bitwise-xor-jit.js: Added.
1917         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1918         * stress/big-int-bitwise-xor-untyped.js: Added.
1919
1920 2018-11-27  Saam barati  <sbarati@apple.com>
1921
1922         r238510 broke scopes of size zero
1923         https://bugs.webkit.org/show_bug.cgi?id=192033
1924         <rdar://problem/46281734>
1925
1926         Reviewed by Keith Miller.
1927
1928         * stress/r238510-bad-loop.js: Added.
1929         (foo):
1930
1931 2018-11-27  Mark Lam  <mark.lam@apple.com>
1932
1933         [Re-landing] NaNs read from Wasm code needs to be be purified.
1934         https://bugs.webkit.org/show_bug.cgi?id=191056
1935         <rdar://problem/45660341>
1936
1937         Reviewed by Filip Pizlo.
1938
1939         * wasm/regress/regress-191056.js: Added.
1940
1941 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1942
1943         Unreviewed, rolling out r238509.
1944
1945         Causes JSC tests to fail on iOS.
1946
1947         Reverted changeset:
1948
1949         "NaNs read from Wasm code needs to be be purified."
1950         https://bugs.webkit.org/show_bug.cgi?id=191056
1951         https://trac.webkit.org/changeset/238509
1952
1953 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1954
1955         Re-introduce op_bitnot
1956         https://bugs.webkit.org/show_bug.cgi?id=190923
1957
1958         Reviewed by Yusuke Suzuki.
1959
1960         * stress/bit-not-must-generate.js: Added.
1961         * stress/bitwise-not-no-int32.js: Added.
1962
1963 2018-11-26  Saam barati  <sbarati@apple.com>
1964
1965         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1966         https://bugs.webkit.org/show_bug.cgi?id=191956
1967         <rdar://problem/45665806>
1968
1969         Reviewed by Yusuke Suzuki.
1970
1971         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1972         (bar):
1973         (foo):
1974
1975 2018-11-26  Saam barati  <sbarati@apple.com>
1976
1977         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1978         https://bugs.webkit.org/show_bug.cgi?id=191958
1979         <rdar://problem/46221877>
1980
1981         Reviewed by Yusuke Suzuki.
1982
1983         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1984         (x):
1985         (foo):
1986
1987 2018-11-26  Mark Lam  <mark.lam@apple.com>
1988
1989         NaNs read from Wasm code needs to be be purified.
1990         https://bugs.webkit.org/show_bug.cgi?id=191056
1991         <rdar://problem/45660341>
1992
1993         Reviewed by Filip Pizlo.
1994
1995         * wasm/regress/regress-191056.js: Added.
1996
1997 2018-11-26  Michael Saboff  <msaboff@apple.com>
1998
1999         32-bit JSC test failure: stress/regexp-compile-oom.js
2000         https://bugs.webkit.org/show_bug.cgi?id=191375
2001
2002         Reviewed by Mark Lam.
2003
2004         Disabled the test for 32 bit platforms.
2005
2006         * stress/regexp-compile-oom.js:
2007
2008 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2009
2010         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2011         https://bugs.webkit.org/show_bug.cgi?id=191716
2012         <rdar://problem/45723878>
2013
2014         Reviewed by Saam Barati.
2015
2016         * stress/regress-187373.js: Added.
2017         (async.fn):
2018
2019 2018-11-21  Saam barati  <sbarati@apple.com>
2020
2021         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2022         https://bugs.webkit.org/show_bug.cgi?id=191897
2023         <rdar://problem/45871998>
2024
2025         Reviewed by Mark Lam.
2026
2027         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2028         (bar):
2029         (foo):
2030
2031 2018-11-21  Saam barati  <sbarati@apple.com>
2032
2033         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2034         https://bugs.webkit.org/show_bug.cgi?id=191895
2035         <rdar://problem/46167406>
2036
2037         Reviewed by Mark Lam.
2038
2039         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2040         (foo):
2041         (bar):
2042
2043 2018-11-21  Mark Lam  <mark.lam@apple.com>
2044
2045         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2046         https://bugs.webkit.org/show_bug.cgi?id=191776
2047         <rdar://problem/46152851>
2048
2049         Reviewed by Saam Barati.
2050
2051         * stress/big-wasm-memory-grow-no-max.js:
2052         * stress/big-wasm-memory-grow.js:
2053         * stress/big-wasm-memory.js:
2054         - updated these to expect an OutOfMemoryError.
2055
2056         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2057         (Binary.prototype.emit_u8):
2058         (Binary.prototype.emit_u32v):
2059         (Binary.prototype.emit_header):
2060         (Binary.prototype.emit_section):
2061         (Binary):
2062         (WasmModuleBuilder):
2063         (WasmModuleBuilder.prototype.addMemory):
2064         (WasmModuleBuilder.prototype.toArray):
2065         (WasmModuleBuilder.prototype.toBuffer):
2066         (WasmModuleBuilder.prototype.instantiate):
2067         (catch):
2068         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2069         (catch):
2070
2071 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2072
2073         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2074         https://bugs.webkit.org/show_bug.cgi?id=190836
2075
2076         Reviewed by Saam Barati and Yusuke Suzuki.
2077
2078         * stress/big-int-out-of-memory-tests.js: Added.
2079
2080 2018-11-20  Mark Lam  <mark.lam@apple.com>
2081
2082         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2083         https://bugs.webkit.org/show_bug.cgi?id=191856
2084         <rdar://problem/46089992>
2085
2086         Reviewed by Yusuke Suzuki.
2087
2088         * stress/regress-191856.js: Added.
2089         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2090
2091 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2092
2093         Enable JIT on ARM/Linux
2094         https://bugs.webkit.org/show_bug.cgi?id=191548
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         Disable test on system with limited memory. Program was killed by
2099         the OS before the exception was thrown.
2100
2101         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2102
2103 2018-11-20  Saam barati  <sbarati@apple.com>
2104
2105         Merging an IC variant may lead to the IC status containing overlapping structure sets
2106         https://bugs.webkit.org/show_bug.cgi?id=191869
2107         <rdar://problem/45403453>
2108
2109         Reviewed by Mark Lam.
2110
2111         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2112
2113 2018-11-19  Mark Lam  <mark.lam@apple.com>
2114
2115         globalFuncImportModule() should return a promise when it clears exceptions.
2116         https://bugs.webkit.org/show_bug.cgi?id=191792
2117         <rdar://problem/46090763>
2118
2119         Reviewed by Michael Saboff.
2120
2121         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2122
2123 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2124
2125         Skip new memory-hungry tests on memory limited devices
2126
2127         Unreviewed gardening.
2128
2129         * stress/big-wasm-memory-grow-no-max.js:
2130         * stress/big-wasm-memory-grow.js:
2131         * stress/big-wasm-memory.js:
2132
2133 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2134
2135         Unreviewed, rolling in the rest of r237254
2136         https://bugs.webkit.org/show_bug.cgi?id=190340
2137
2138         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2139         * stress/function-cache-with-parameters-end-position.js: Added.
2140         (shouldBe):
2141         (shouldThrow):
2142         (i.anonymous):
2143         * stress/function-constructor-name.js: Added.
2144         (shouldBe):
2145         (GeneratorFunction):
2146         (AsyncFunction.async):
2147         (AsyncGeneratorFunction.async):
2148         (anonymous):
2149         (async.anonymous):
2150         * test262/expectations.yaml:
2151
2152 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2153
2154         All users of ArrayBuffer should agree on the same max size
2155         https://bugs.webkit.org/show_bug.cgi?id=191771
2156
2157         Reviewed by Mark Lam.
2158
2159         * stress/big-wasm-memory-grow-no-max.js: Added.
2160         (foo):
2161         (catch):
2162         * stress/big-wasm-memory-grow.js: Added.
2163         (foo):
2164         (catch):
2165         * stress/big-wasm-memory.js: Added.
2166         (foo):
2167         (catch):
2168
2169 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2170
2171         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2172         run for each JSC config since they're regression tests for runtime bugs.
2173
2174         * stress/json-stringified-overflow-2.js:
2175         * stress/json-stringified-overflow.js:
2176
2177 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2178
2179         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2180         config since they're regression tests for runtime bugs.
2181
2182         * stress/large-unshift-splice.js:
2183         * stress/regress-185888.js:
2184
2185 2018-11-16  Saam Barati  <sbarati@apple.com>
2186
2187         KnownCellUse should also have SpecCellCheck as its type filter
2188         https://bugs.webkit.org/show_bug.cgi?id=191729
2189         <rdar://problem/45872852>
2190
2191         Reviewed by Filip Pizlo.
2192
2193         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2194         (C):
2195
2196 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2197
2198         Fix assertion failure on BytecodeGenerator::recordOpcode
2199         https://bugs.webkit.org/show_bug.cgi?id=191724
2200         <rdar://problem/45724395>
2201
2202         Reviewed by Saam Barati.
2203
2204         * stress/regress-187373-2.js: Added.
2205         (foo):
2206
2207 2018-11-15  Mark Lam  <mark.lam@apple.com>
2208
2209         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2210         https://bugs.webkit.org/show_bug.cgi?id=191730
2211         <rdar://problem/46048517>
2212
2213         Reviewed by Saam Barati.
2214
2215         * stress/regress-187006.js: Removed.
2216           - this test is invalid because its sole purpose is to test for the non-spec
2217             compliant behavior that we just fixed.
2218
2219         * stress/regress-191730.js: Added.
2220
2221 2018-11-15  Mark Lam  <mark.lam@apple.com>
2222
2223         RegExp operations should not take fast patch if lastIndex is not numeric.
2224         https://bugs.webkit.org/show_bug.cgi?id=191731
2225         <rdar://problem/46017305>
2226
2227         Reviewed by Saam Barati.
2228
2229         * stress/regress-191731.js: Added.
2230
2231 2018-11-13  Saam Barati  <sbarati@apple.com>
2232
2233         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2234         https://bugs.webkit.org/show_bug.cgi?id=191600
2235
2236         Reviewed by Mark Lam.
2237
2238         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2239         (foo):
2240         (test):
2241         (bar):
2242
2243 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2244
2245         Unreviewed, rolling out r238132.
2246
2247         The test added with this change is timing out on Debug JSC
2248         bots.
2249
2250         Reverted changeset:
2251
2252         "[BigInt] JSBigInt::createWithLength should throw when length
2253         is greater than JSBigInt::maxLength"
2254         https://bugs.webkit.org/show_bug.cgi?id=190836
2255         https://trac.webkit.org/changeset/238132
2256
2257 2018-11-13  Mark Lam  <mark.lam@apple.com>
2258
2259         Add OOM detection to StringPrototype's substituteBackreferences().
2260         https://bugs.webkit.org/show_bug.cgi?id=191563
2261         <rdar://problem/45720428>
2262
2263         Reviewed by Saam Barati.
2264
2265         * stress/regress-191563.js: Added.
2266
2267 2018-11-13  Mark Lam  <mark.lam@apple.com>
2268
2269         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2270         https://bugs.webkit.org/show_bug.cgi?id=191579
2271         <rdar://problem/45942472>
2272
2273         Reviewed by Saam Barati.
2274
2275         * stress/regress-191579.js: Added.
2276
2277 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2278
2279         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2280         https://bugs.webkit.org/show_bug.cgi?id=190836
2281
2282         Reviewed by Saam Barati.
2283
2284         * stress/big-int-out-of-memory-tests.js: Added.
2285
2286 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2287
2288         U+180E is no longer a whitespace character
2289         https://bugs.webkit.org/show_bug.cgi?id=191415
2290
2291         Reviewed by Saam Barati.
2292
2293         * ChakraCore/test/es5/regexSpace.baseline:
2294         * ChakraCore/test/es6/unicode_whitespace.js:
2295         Update tests to latest version.
2296         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2297
2298         * test262.yaml:
2299         * test262/config.yaml:
2300         * test262/expectations.yaml:
2301         Update expectations.
2302
2303 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2304
2305         [BigInt] Add support to BigInt into ValueAdd
2306         https://bugs.webkit.org/show_bug.cgi?id=186177
2307
2308         Reviewed by Keith Miller.
2309
2310         * stress/big-int-negate-jit.js:
2311         * stress/value-add-big-int-and-string.js: Added.
2312         * stress/value-add-big-int-prediction-propagation.js: Added.
2313         * stress/value-add-big-int-untyped.js: Added.
2314
2315 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2316
2317         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2318         https://bugs.webkit.org/show_bug.cgi?id=191184
2319
2320         Reviewed by Saam Barati.
2321
2322         Most tests were failing due to timeouts, since they are too slow to
2323         run on CLoop. The exceptions are:
2324
2325         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2326         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2327         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2328         to change the stack size since CLoop requires it to be page aligned.
2329
2330         * microbenchmarks/array-push-1.js:
2331         * microbenchmarks/array-push-2.js:
2332         * microbenchmarks/elidable-new-object-dag.js:
2333         * microbenchmarks/elidable-new-object-roflcopter.js:
2334         * microbenchmarks/elidable-new-object-tree.js:
2335         * microbenchmarks/getter-richards.js:
2336         * microbenchmarks/sinkable-new-object-dag.js:
2337         * microbenchmarks/string-concat-long-convert.js:
2338         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2339         * slowMicrobenchmarks/array-push-3.js:
2340         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2341         * slowMicrobenchmarks/spread-small-array.js:
2342         * slowMicrobenchmarks/undefined-property-access.js:
2343         * stress/activation-sink-default-value-tdz-error.js:
2344         * stress/activation-sink-default-value.js:
2345         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2346         * stress/activation-sink-osrexit-default-value.js:
2347         * stress/activation-sink-osrexit.js:
2348         * stress/activation-sink.js:
2349         * stress/allow-math-ic-b3-code-duplication.js:
2350         * stress/array-push-multiple-int32.js:
2351         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2352         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2353         * stress/arrowfunction-lexical-this-activation-sink.js:
2354         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2355         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2356         * stress/elide-new-object-dag-then-exit.js:
2357         * stress/materialize-regexp-cyclic.js:
2358         * stress/new-regex-inline.js:
2359         * stress/op_add.js:
2360         * stress/op_bitand.js:
2361         * stress/op_bitor.js:
2362         * stress/op_bitxor.js:
2363         * stress/op_div-ConstVar.js:
2364         * stress/op_div-VarConst.js:
2365         * stress/op_div-VarVar.js:
2366         * stress/op_lshift-ConstVar.js:
2367         * stress/op_lshift-VarConst.js:
2368         * stress/op_lshift-VarVar.js:
2369         * stress/op_mod-ConstVar.js:
2370         * stress/op_mod-VarConst.js:
2371         * stress/op_mod-VarVar.js:
2372         * stress/op_mul-ConstVar.js:
2373         * stress/op_mul-VarConst.js:
2374         * stress/op_mul-VarVar.js:
2375         * stress/op_rshift-ConstVar.js:
2376         * stress/op_rshift-VarConst.js:
2377         * stress/op_rshift-VarVar.js:
2378         * stress/op_sub-ConstVar.js:
2379         * stress/op_sub-VarConst.js:
2380         * stress/op_sub-VarVar.js:
2381         * stress/op_urshift-ConstVar.js:
2382         * stress/op_urshift-VarConst.js:
2383         * stress/op_urshift-VarVar.js:
2384         * stress/proxy-get-set-correct-receiver.js:
2385         * stress/regress-179562.js:
2386         * stress/rest-parameter-many-arguments.js:
2387         * stress/sampling-profiler-richards.js:
2388         * stress/splay-flash-access-1ms.js:
2389         * stress/tailCallForwardArguments.js:
2390         * stress/typed-array-get-by-val-profiling.js:
2391         * typeProfiler/getter-richards.js:
2392
2393 2018-11-06  Michael Saboff  <msaboff@apple.com>
2394
2395         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2396         https://bugs.webkit.org/show_bug.cgi?id=191271
2397
2398         Reviewed by Saam Barati.
2399
2400         Added more test cases and made all test cases run with the same deeply recursive stack
2401         instead of finding that same point for each test case.
2402
2403         * stress/regexp-compile-oom.js:
2404         (prototype.runTest):
2405         (recurseAndTest):
2406         (testList.push.new.TestAndExpectedException):
2407
2408 2018-11-05  Michael Saboff  <msaboff@apple.com>
2409
2410         Unreviewed build fix for linux.
2411
2412         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2413
2414 2018-11-02  Michael Saboff  <msaboff@apple.com>
2415
2416         Rolling in r237753 with unreviewed build fix.
2417
2418         Fixed issues with DECLARE_THROW_SCOPE placement.
2419
2420 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2421
2422         Unreviewed, rolling out r237753.
2423
2424         Introduced JSC test failures
2425
2426         Reverted changeset:
2427
2428         "Running out of stack space not properly handled in
2429         RegExp::compile() and its callers"
2430         https://bugs.webkit.org/show_bug.cgi?id=191206
2431         https://trac.webkit.org/changeset/237753
2432
2433 2018-11-02  Michael Saboff  <msaboff@apple.com>
2434
2435         Running out of stack space not properly handled in RegExp::compile() and its callers
2436         https://bugs.webkit.org/show_bug.cgi?id=191206
2437
2438         Reviewed by Filip Pizlo.
2439
2440         New regression test.
2441
2442         * stress/regexp-compile-oom.js: Added.
2443         (recurseAndTest):
2444
2445 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2446
2447         Skip tests on arm/mips that time out now we're running on CLoop
2448
2449         Unreviewed gardening.
2450
2451         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2452         time out on the bots and need to be disabled. There's more tests
2453         disabled on arm because the timeout is longer on the mips bot (as the
2454         device is slower to start with), so many of the tests don't time out
2455         there.
2456
2457         * microbenchmarks/getter-richards.js: disable on arm and mips.
2458         * stress/op_add.js: disable on arm.
2459         * stress/op_bitand.js: disable on arm.
2460         * stress/op_bitor.js: disable on arm.
2461         * stress/op_bitxor.js: disable on arm.
2462         * stress/op_lshift-ConstVar.js: disable on arm.
2463         * stress/op_lshift-VarConst.js: disable on arm.
2464         * stress/op_lshift-VarVar.js: disable on arm.
2465         * stress/op_mod-ConstVar.js: disable on arm.
2466         * stress/op_mod-VarConst.js: disable on arm.
2467         * stress/op_mod-VarVar.js: disable on arm.
2468         * stress/op_mul-ConstVar.js: disable on arm.
2469         * stress/op_mul-VarConst.js: disable on arm.
2470         * stress/op_mul-VarVar.js: disable on arm.
2471         * stress/op_rshift-ConstVar.js: disable on arm.
2472         * stress/op_rshift-VarConst.js: disable on arm.
2473         * stress/op_rshift-VarVar.js: disable on arm.
2474         * stress/op_sub-ConstVar.js: disable on arm.
2475         * stress/op_sub-VarConst.js: disable on arm.
2476         * stress/op_sub-VarVar.js: disable on arm.
2477         * stress/op_urshift-ConstVar.js: disable on arm.
2478         * stress/op_urshift-VarConst.js: disable on arm.
2479         * stress/op_urshift-VarVar.js: disable on arm.
2480         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2481         * stress/value-to-boolean.js: disable on arm and mips.
2482
2483 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2484
2485         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2486         https://bugs.webkit.org/show_bug.cgi?id=191108
2487         <rdar://problem/45690700>
2488
2489         Reviewed by Saam Barati.
2490
2491         * stress/wide-op_catch.js: Added.
2492         (catch):
2493
2494 2018-10-29  Mark Lam  <mark.lam@apple.com>
2495
2496         Correctly detect string overflow when using the 'Function' constructor.
2497         https://bugs.webkit.org/show_bug.cgi?id=184883
2498         <rdar://problem/36320331>
2499
2500         Reviewed by Saam Barati.
2501
2502         I've verified that this passes on 32-bit as well.
2503
2504         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2505
2506 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2507
2508         Add support for GetStack FlushedDouble
2509         https://bugs.webkit.org/show_bug.cgi?id=191012
2510         <rdar://problem/45265141>
2511
2512         Reviewed by Saam Barati.
2513
2514         * stress/get-stack-double.js: Added.
2515         (bar):
2516         (noInline):
2517
2518 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2519
2520         New bytecode format for JSC
2521         https://bugs.webkit.org/show_bug.cgi?id=187373
2522         <rdar://problem/44186758>
2523
2524         Reviewed by Filip Pizlo.
2525
2526         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2527
2528         * stress/maximum-inline-capacity.js: Added.
2529         (test1):
2530         (test3.Foo):
2531         (test3):
2532
2533 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2534
2535         Unreviewed, rolling out r237479 and r237484.
2536         https://bugs.webkit.org/show_bug.cgi?id=190978
2537
2538         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2539
2540         Reverted changesets:
2541
2542         "New bytecode format for JSC"
2543         https://bugs.webkit.org/show_bug.cgi?id=187373
2544         https://trac.webkit.org/changeset/237479
2545
2546         "Gardening: Build fix after r237479."
2547         https://bugs.webkit.org/show_bug.cgi?id=187373
2548         https://trac.webkit.org/changeset/237484
2549
2550 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2551
2552         New bytecode format for JSC
2553         https://bugs.webkit.org/show_bug.cgi?id=187373
2554         <rdar://problem/44186758>
2555
2556         Reviewed by Filip Pizlo.
2557
2558         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2559
2560         * stress/maximum-inline-capacity.js: Added.
2561         (test1):
2562         (test3.Foo):
2563         (test3):
2564
2565 2018-10-26  Mark Lam  <mark.lam@apple.com>
2566
2567         Fix missing edge cases with JSGlobalObjects having a bad time.
2568         https://bugs.webkit.org/show_bug.cgi?id=189028
2569         <rdar://problem/45204939>
2570
2571         Reviewed by Saam Barati.
2572
2573         * stress/regress-189028.js: Added.
2574
2575 2018-10-22  Mark Lam  <mark.lam@apple.com>
2576
2577         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2578         https://bugs.webkit.org/show_bug.cgi?id=190515
2579         <rdar://problem/45222379>
2580
2581         Rubber-stamped by Saam Barati.
2582
2583         Adding another test.
2584
2585         * stress/regress-190515-2.js: Added.
2586
2587 2018-10-22  Mark Lam  <mark.lam@apple.com>
2588
2589         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2590         https://bugs.webkit.org/show_bug.cgi?id=190515
2591         <rdar://problem/45222379>
2592
2593         Reviewed by Saam Barati.
2594
2595         * stress/regress-190515.js: Added.
2596
2597 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2598
2599         Unreviewed, rolling out r237254.
2600         https://bugs.webkit.org/show_bug.cgi?id=190760
2601
2602         "It regresses JetStream 2 by 5% on some iOS devices"
2603         (Requested by saamyjoon on #webkit).
2604
2605         Reverted changeset:
2606
2607         "[JSC] JSC should have "parseFunction" to optimize Function
2608         constructor"
2609         https://bugs.webkit.org/show_bug.cgi?id=190340
2610         https://trac.webkit.org/changeset/237254
2611
2612 2018-10-19  Saam Barati  <sbarati@apple.com>
2613
2614         vmCall should check if we exit before emitting an OSR exit due to exceptions
2615         https://bugs.webkit.org/show_bug.cgi?id=190740
2616         <rdar://problem/45220139>
2617
2618         Reviewed by Mark Lam.
2619
2620         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2621         (foo):
2622
2623 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2624
2625         [ESNext][BigInt] Implement support for "^"
2626         https://bugs.webkit.org/show_bug.cgi?id=186235
2627
2628         Reviewed by Yusuke Suzuki.
2629
2630         * stress/big-int-bitwise-xor-general.js: Added.
2631         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2632         * stress/big-int-bitwise-xor-type-error.js: Added.
2633         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2634
2635 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2636
2637         [BigInt] Add ValueSub into DFG
2638         https://bugs.webkit.org/show_bug.cgi?id=186176
2639
2640         Reviewed by Yusuke Suzuki.
2641
2642         * stress/big-int-subtraction-jit.js:
2643         * stress/value-sub-big-int-prediction-propagation.js: Added.
2644         * stress/value-sub-big-int-untyped.js: Added.
2645         * stress/value-sub-spec-none-case.js: Added.
2646
2647 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2648
2649         [JSC] JSC should have "parseFunction" to optimize Function constructor
2650         https://bugs.webkit.org/show_bug.cgi?id=190340
2651
2652         Reviewed by Mark Lam.
2653
2654         This patch fixes the line number of syntax errors raised by the Function constructor,
2655         since we now parse the final code only once. And we no longer use block statement
2656         for Function constructor's parsing.
2657
2658         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2659         * stress/function-cache-with-parameters-end-position.js: Added.
2660         (shouldBe):
2661         (shouldThrow):
2662         (i.anonymous):
2663         * stress/function-constructor-name.js: Added.
2664         (shouldBe):
2665         (GeneratorFunction):
2666         (AsyncFunction.async):
2667         (AsyncGeneratorFunction.async):
2668         (anonymous):
2669         (async.anonymous):
2670         * test262/expectations.yaml:
2671
2672 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2673
2674         Unreviewed, rolling out r237242.
2675         https://bugs.webkit.org/show_bug.cgi?id=190701
2676
2677         it breaks "stress/sampling-profiler-basic.js" (Requested by
2678         caiolima on #webkit).
2679
2680         Reverted changeset:
2681
2682         "[BigInt] Add ValueSub into DFG"
2683         https://bugs.webkit.org/show_bug.cgi?id=186176
2684         https://trac.webkit.org/changeset/237242
2685
2686 2018-10-17  Keith Miller  <keith_miller@apple.com>
2687
2688         AI does not clear Phantom allocation nodes.
2689         https://bugs.webkit.org/show_bug.cgi?id=190694
2690
2691         Reviewed by Saam Barati.
2692
2693         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2694         (Day):
2695         (DaysInYear):
2696         (TimeInYear):
2697         (TimeFromYear):
2698         (DayFromYear):
2699         (InLeapYear):
2700         (YearFromTime):
2701         (WeekDay):
2702         (DaylightSavingTA):
2703         (GetSecondSundayInMarch):
2704         (TimeInMonth):
2705
2706 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2707
2708         [BigInt] Add ValueSub into DFG
2709         https://bugs.webkit.org/show_bug.cgi?id=186176
2710
2711         Reviewed by Yusuke Suzuki.
2712
2713         * stress/big-int-subtraction-jit.js:
2714         * stress/value-sub-big-int-prediction-propagation.js: Added.
2715         * stress/value-sub-big-int-untyped.js: Added.
2716
2717 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2718
2719         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2720         https://bugs.webkit.org/show_bug.cgi?id=190611
2721
2722         Reviewed by Saam Barati.
2723
2724         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2725         to improve test runtime. On ARM/MIPS this test even timed out when running all
2726         tests.
2727
2728         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2729         (test):
2730
2731 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2732
2733         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2734
2735         Unreviewed gardening.
2736
2737         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2738
2739 2018-10-15  Saam barati  <sbarati@apple.com>
2740
2741         Emit fjcvtzs on ARM64E on Darwin
2742         https://bugs.webkit.org/show_bug.cgi?id=184023
2743
2744         Reviewed by Yusuke Suzuki and Filip Pizlo.
2745
2746         * stress/double-to-int32-NaN.js: Added.
2747         (assert):
2748         (foo):
2749
2750 2018-10-15  Saam Barati  <sbarati@apple.com>
2751
2752         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2753         https://bugs.webkit.org/show_bug.cgi?id=190262
2754         <rdar://problem/44986241>
2755
2756         Reviewed by Mark Lam.
2757
2758         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2759         (test):
2760         * stress/slice-array-storage-with-holes.js: Added.
2761         (main):
2762
2763 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2764
2765         Unreviewed, rolling out r237054.
2766         https://bugs.webkit.org/show_bug.cgi?id=190593
2767
2768         "this regressed JetStream 2 by 6% on iOS" (Requested by
2769         saamyjoon on #webkit).
2770
2771         Reverted changeset:
2772
2773         "[JSC] JSC should have "parseFunction" to optimize Function
2774         constructor"
2775         https://bugs.webkit.org/show_bug.cgi?id=190340
2776         https://trac.webkit.org/changeset/237054
2777
2778 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2779
2780         [JSC] JSON.stringify can accept call-with-no-arguments
2781         https://bugs.webkit.org/show_bug.cgi?id=190343
2782
2783         Reviewed by Mark Lam.
2784
2785         * stress/json-stringify-no-arguments.js: Added.
2786         (shouldBe):
2787
2788 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2789
2790         [JSC] JSC should have "parseFunction" to optimize Function constructor
2791         https://bugs.webkit.org/show_bug.cgi?id=190340
2792
2793         Reviewed by Mark Lam.
2794
2795         This patch fixes the line number of syntax errors raised by the Function constructor,
2796         since we now parse the final code only once. And we no longer use block statement
2797         for Function constructor's parsing.
2798
2799         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2800         * stress/function-cache-with-parameters-end-position.js: Added.
2801         (shouldBe):
2802         (shouldThrow):
2803         (i.anonymous):
2804         * stress/function-constructor-name.js: Added.
2805         (shouldBe):
2806         (GeneratorFunction):
2807         (AsyncFunction.async):
2808         (AsyncGeneratorFunction.async):
2809         (anonymous):
2810         (async.anonymous):
2811         * test262/expectations.yaml:
2812
2813 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2814
2815         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2816         https://bugs.webkit.org/show_bug.cgi?id=190426
2817
2818         Unreviewed gardening.
2819
2820         * stress/sampling-profiler-richards.js:
2821
2822 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2823
2824         [ESNext][BigInt] Implement support for "|"
2825         https://bugs.webkit.org/show_bug.cgi?id=186229
2826
2827         Reviewed by Yusuke Suzuki.
2828
2829         * stress/big-int-bitwise-and-jit.js:
2830         * stress/big-int-bitwise-or-general.js: Added.
2831         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2832         * stress/big-int-bitwise-or-jit.js: Added.
2833         * stress/big-int-bitwise-or-memory-stress.js: Added.
2834         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2835         * stress/big-int-bitwise-or-type-error.js: Added.
2836         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2837
2838 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2839
2840         Skip test on systems with limited memory
2841         https://bugs.webkit.org/show_bug.cgi?id=190310
2842
2843         Invoking runDefault adds test to runlist, skipping the test in the next
2844         line does not prevent the test from executing. Change order of lines such
2845         that runDefault is only executed if test is not executed.
2846
2847         Reviewed by Mark Lam.
2848
2849         * stress/regress-190187.js:
2850
2851 2018-10-03  Saam barati  <sbarati@apple.com>
2852
2853         lowXYZ in FTLLower should always filter the type of the incoming edge
2854         https://bugs.webkit.org/show_bug.cgi?id=189939
2855         <rdar://problem/44407030>
2856
2857         Reviewed by Michael Saboff.
2858
2859         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2860         (foo):
2861         (test):
2862
2863 2018-10-03  Mark Lam  <mark.lam@apple.com>
2864
2865         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2866         https://bugs.webkit.org/show_bug.cgi?id=190187
2867         <rdar://problem/42512909>
2868
2869         Reviewed by Michael Saboff.
2870
2871         * stress/regress-190187.js: Added.
2872
2873 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2874
2875         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2876         https://bugs.webkit.org/show_bug.cgi?id=190033
2877
2878         Reviewed by Yusuke Suzuki.
2879
2880         * stress/big-int-to-string.js:
2881
2882 2018-10-01  Mark Lam  <mark.lam@apple.com>
2883
2884         Function.toString() should also copy the source code Functions that are class definitions.
2885         https://bugs.webkit.org/show_bug.cgi?id=190186
2886         <rdar://problem/44733360>
2887
2888         Reviewed by Saam Barati.
2889
2890         * stress/regress-190186.js: Added.
2891
2892 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2893
2894         Split NaN-check into separate test
2895         https://bugs.webkit.org/show_bug.cgi?id=190010
2896
2897         Reviewed by Saam Barati.
2898
2899         DataView exposes NaN-representation, which is not necessarily the same on each
2900         architecture. Therefore move the check of the NaN-representation into its own
2901         file such that we can disable this test on MIPS where NaN-representation can be
2902         different on older CPUs.
2903
2904         * stress/dataview-jit-set-nan.js: Added.
2905         (assert):
2906         (test.storeLittleEndian):
2907         (test.storeBigEndian):
2908         (test.store):
2909         (test):
2910         * stress/dataview-jit-set.js:
2911         (test5):
2912
2913 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2914
2915         Unreviewed, rolling out r236647.
2916         https://bugs.webkit.org/show_bug.cgi?id=190124
2917
2918         Breaking test stress/big-int-to-string.js (Requested by
2919         caiolima_ on #webkit).
2920
2921         Reverted changeset:
2922
2923         "[BigInt] BigInt.proptotype.toString is broken when radix is
2924         power of 2"
2925         https://bugs.webkit.org/show_bug.cgi?id=190033
2926         https://trac.webkit.org/changeset/236647
2927
2928 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2929
2930         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2931         https://bugs.webkit.org/show_bug.cgi?id=190033
2932
2933         Reviewed by Yusuke Suzuki.
2934
2935         * stress/big-int-to-string.js:
2936
2937 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2938
2939         [ESNext][BigInt] Implement support for "&"
2940         https://bugs.webkit.org/show_bug.cgi?id=186228
2941
2942         Reviewed by Yusuke Suzuki.
2943
2944         * stress/big-int-bitwise-and-general.js: Added.
2945         (assert):
2946         (assert.sameValue):
2947         * stress/big-int-bitwise-and-jit.js: Added.
2948         (let.assert.sameValue):
2949         (bigIntBitAnd):
2950         * stress/big-int-bitwise-and-memory-stress.js: Added.
2951         (assert):
2952         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2953         (assert.sameValue):
2954         (let.o.Symbol.toPrimitive):
2955         (catch):
2956         * stress/big-int-bitwise-and-type-error.js: Added.
2957         (assert):
2958         (assertThrowTypeError):
2959         (let.o.valueOf):
2960         (o.valueOf):
2961         (o.toString):
2962         (o.Symbol.toPrimitive):
2963         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2964         (assert.sameValue):
2965         (testBitAnd):
2966         (let.o.Symbol.toPrimitive):
2967         (o.valueOf):
2968         (o.toString):
2969
2970 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2971
2972         JSC test stress/jsc-read.js doesn't support CRLF
2973         https://bugs.webkit.org/show_bug.cgi?id=190063
2974
2975         Reviewed by Yusuke Suzuki.
2976
2977         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2978
2979         * stress/jsc-read.js:
2980         (test):
2981
2982 2018-09-27  Saam barati  <sbarati@apple.com>
2983
2984         Verify the contents of AssemblerBuffer on arm64e
2985         https://bugs.webkit.org/show_bug.cgi?id=190057
2986         <rdar://problem/38916630>
2987
2988         Reviewed by Mark Lam.
2989
2990         * stress/regress-189132.js:
2991
2992 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2993
2994         Disable test without LLInt on ARMv7
2995         https://bugs.webkit.org/show_bug.cgi?id=190037
2996
2997         Reviewed by Mark Lam.
2998
2999         Test runs out of executable memory on ARMv7, do not run
3000         this test without LLInt enabled.
3001
3002         * stress/regress-169445.js:
3003
3004 2018-09-26  Keith Miller  <keith_miller@apple.com>
3005
3006         We should zero unused property storage when rebalancing array storage.
3007         https://bugs.webkit.org/show_bug.cgi?id=188151
3008
3009         Reviewed by Michael Saboff.
3010
3011         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3012
3013 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3014
3015         [JSC] Optimize Array#lastIndexOf
3016         https://bugs.webkit.org/show_bug.cgi?id=189780
3017
3018         Reviewed by Saam Barati.
3019
3020         * stress/array-lastindexof-array-prototype-trap.js: Added.
3021         (shouldBe):
3022         (AncestorArray.prototype.get 2):
3023         (AncestorArray):
3024         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3025         (shouldBe):
3026         * stress/array-lastindexof-hole-nan.js: Added.
3027         (shouldBe):
3028         (throw.new.Error):
3029         * stress/array-lastindexof-infinity.js: Added.
3030         (shouldBe):
3031         (throw.new.Error):
3032         * stress/array-lastindexof-negative-zero.js: Added.
3033         (shouldBe):
3034         (throw.new.Error):
3035         * stress/array-lastindexof-own-getter.js: Added.
3036         (shouldBe):
3037         (throw.new.Error.get array):
3038         (get array):
3039         * stress/array-lastindexof-prototype-trap.js: Added.
3040         (shouldBe):
3041         (DerivedArray.prototype.get 2):
3042         (DerivedArray):
3043
3044 2018-09-25  Saam Barati  <sbarati@apple.com>
3045
3046         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3047         https://bugs.webkit.org/show_bug.cgi?id=189940
3048         <rdar://problem/43640987>
3049
3050         Reviewed by Mark Lam.
3051
3052         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3053
3054 2018-09-24  Saam Barati  <sbarati@apple.com>
3055
3056         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3057         https://bugs.webkit.org/show_bug.cgi?id=189922
3058         <rdar://problem/44651275>
3059
3060         Reviewed by Mark Lam.
3061
3062         * stress/array-indexof-fast-path-effects.js: Added.
3063         * stress/array-indexof-cached-length.js: Added.
3064
3065 2018-09-24  Saam barati  <sbarati@apple.com>
3066
3067         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3068         https://bugs.webkit.org/show_bug.cgi?id=189682
3069         <rdar://problem/43557315>
3070
3071         Reviewed by Mark Lam.
3072
3073         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3074         (foo):
3075
3076 2018-09-22  Saam barati  <sbarati@apple.com>
3077
3078         The sampling should not use Strong<CodeBlock> in its machineLocation field
3079         https://bugs.webkit.org/show_bug.cgi?id=189319
3080
3081         Reviewed by Filip Pizlo.
3082
3083         * stress/sampling-profiler-richards.js: Added.
3084
3085 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3086
3087         [JSC] Optimize Array#indexOf in C++ runtime
3088         https://bugs.webkit.org/show_bug.cgi?id=189507
3089
3090         Reviewed by Saam Barati.
3091
3092         * stress/array-indexof-array-prototype-trap.js: Added.
3093         (shouldBe):
3094         (AncestorArray.prototype.get 2):
3095         (AncestorArray):
3096         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3097         (shouldBe):
3098         * stress/array-indexof-hole-nan.js: Added.
3099         (shouldBe):
3100         (throw.new.Error):
3101         * stress/array-indexof-infinity.js: Added.
3102         (shouldBe):
3103         (throw.new.Error):
3104         * stress/array-indexof-negative-zero.js: Added.
3105         (shouldBe):
3106         (throw.new.Error):
3107         * stress/array-indexof-own-getter.js: Added.
3108         (shouldBe):
3109         (throw.new.Error.get array):
3110         (get array):
3111         * stress/array-indexof-prototype-trap.js: Added.
3112         (shouldBe):
3113         (DerivedArray.prototype.get 2):
3114         (DerivedArray):
3115
3116 2018-09-19  Saam barati  <sbarati@apple.com>
3117
3118         AI rule for MultiPutByOffset executes its effects in the wrong order
3119         https://bugs.webkit.org/show_bug.cgi?id=189757
3120         <rdar://problem/43535257>
3121
3122         Reviewed by Michael Saboff.
3123
3124         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3125         (foo):
3126         (Foo):
3127         (g):
3128
3129 2018-09-17  Mark Lam  <mark.lam@apple.com>
3130
3131         Ensure that ForInContexts are invalidated if their loop local is over-written.
3132         https://bugs.webkit.org/show_bug.cgi?id=189571
3133         <rdar://problem/44402277>
3134
3135         Reviewed by Saam Barati.
3136
3137         * stress/regress-189571.js: Added.
3138
3139 2018-09-17  Saam barati  <sbarati@apple.com>
3140
3141         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3142         https://bugs.webkit.org/show_bug.cgi?id=189676
3143         <rdar://problem/39682897>
3144
3145         Reviewed by Michael Saboff.
3146
3147         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3148         (A):
3149         (K):
3150         (i.catch):
3151
3152 2018-09-14  Saam barati  <sbarati@apple.com>
3153
3154         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3155         https://bugs.webkit.org/show_bug.cgi?id=189628
3156         <rdar://problem/39481690>
3157
3158         Reviewed by Mark Lam.
3159
3160         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3161         (foo):
3162
3163 2018-09-11  Mark Lam  <mark.lam@apple.com>
3164
3165         Test for array initialization in arrayProtoFuncSplice.
3166         https://bugs.webkit.org/show_bug.cgi?id=170253
3167         <rdar://problem/31328773>
3168
3169         Rubber-stamped by Saam Barati.
3170
3171         * stress/regress-170253.js: Added.
3172
3173 2018-09-11  Mark Lam  <mark.lam@apple.com>
3174
3175         Test for IntlObject initialization.
3176         https://bugs.webkit.org/show_bug.cgi?id=170251
3177         <rdar://problem/31328419>
3178
3179         Rubber-stamped by Saam Barati.
3180
3181         * stress/regress-170251.js: Added.
3182
3183 2018-09-11  Mark Lam  <mark.lam@apple.com>
3184
3185         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3186         https://bugs.webkit.org/show_bug.cgi?id=169889
3187         <rdar://problem/31155607>
3188
3189         Reviewed by Saam Barati.
3190
3191         * stress/regress-169889-array-concat.js: Added.
3192         * stress/regress-169889-array-concat1.js: Added.
3193         * stress/regress-169889-array-slice.js: Added.
3194
3195 2018-09-11  Mark Lam  <mark.lam@apple.com>
3196
3197         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3198         https://bugs.webkit.org/show_bug.cgi?id=169445
3199         <rdar://problem/30957435>
3200
3201         Reviewed by Saam Barati.
3202
3203         * stress/regress-169445.js: Added.
3204         (let.gun.eval.A):
3205         (let.gun.eval.B.C):
3206         (let.gun.eval.B.C.prototype.trigger):
3207         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3208         (let.gun.eval.B):
3209         (let.gun.eval):
3210
3211 == Rolled over to ChangeLog-2018-09-11 ==