[JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
4         https://bugs.webkit.org/show_bug.cgi?id=196683
5
6         Reviewed by Saam Barati.
7
8         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
9         (foo):
10
11 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
14         https://bugs.webkit.org/show_bug.cgi?id=196582
15
16         Reviewed by Saam Barati.
17
18         * stress/add-overflow-check-with-three-same-registers.js: Added.
19         (foo):
20         (Number.prototype.valueOf):
21         (runWithNumber):
22
23 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
24
25         Unreviewed, rolling out r243665.
26
27         Caused iOS JSC tests to exit with an exception.
28
29         Reverted changeset:
30
31         "Assertion failed in JSC::createError"
32         https://bugs.webkit.org/show_bug.cgi?id=196305
33         https://trac.webkit.org/changeset/243665
34
35 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
36
37         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
38         https://bugs.webkit.org/show_bug.cgi?id=196486
39
40         Reviewed by Saam Barati.
41
42         * stress/arrow-function-and-use-strict-directive.js: Added.
43         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
44         (checkSyntax):
45         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
46
47 2019-04-05  Caitlin Potter  <caitp@igalia.com>
48
49         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
50         https://bugs.webkit.org/show_bug.cgi?id=176810
51
52         Reviewed by Saam Barati.
53
54         Add tests for the DontEnum filtering, and variations of other tests
55         take the DontEnum-filtering path.
56
57         * stress/proxy-own-keys.js:
58         (i.catch):
59         (set assert):
60         (set add):
61         (let.set new):
62         (get let):
63
64 2019-04-05  Caitlin Potter  <caitp@igalia.com>
65
66         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
67         https://bugs.webkit.org/show_bug.cgi?id=185211
68
69         Reviewed by Saam Barati.
70
71         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
72
73         This changes several assertions to expect a TypeError to be thrown (in some cases,
74         changing the expected message).
75
76         * es6/Proxy_ownKeys_duplicates.js:
77         (handler):
78         (shouldThrow):
79         (test):
80         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
81         (shouldThrow):
82         * stress/proxy-own-keys.js:
83         (i.catch):
84         (assert):
85
86 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
87
88         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
89         https://bugs.webkit.org/show_bug.cgi?id=196631
90
91         Reviewed by Saam Barati.
92
93         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
94         (assert):
95         (test):
96         (foo):
97
98 2019-04-04  Saam Barati  <sbarati@apple.com>
99
100         Unreviewed. Make the test from r243906 catch the thrown exceptions.
101
102         * stress/inferred-types-regex-matches-array.js:
103
104 2019-04-04  Saam Barati  <sbarati@apple.com>
105
106         createRegExpMatchesArray does not respect inferred types
107         https://bugs.webkit.org/show_bug.cgi?id=193287
108
109         Reviewed by Yusuke Suzuki.
110
111         This checks in the test case for 193287. This issue was discovered by
112         Samuel Groß of Google Project Zero.
113
114         * stress/inferred-types-regex-matches-array.js: Added.
115
116 2019-04-04  Saam Barati  <sbarati@apple.com>
117
118         Teach Call ICs how to call Wasm
119         https://bugs.webkit.org/show_bug.cgi?id=196387
120
121         Reviewed by Filip Pizlo.
122
123         * wasm/function-tests/stack-trace.js:
124
125 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
126
127         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
128         https://bugs.webkit.org/show_bug.cgi?id=194944
129
130         Reviewed by Keith Miller.
131
132         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
133
134 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
135
136         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
137         https://bugs.webkit.org/show_bug.cgi?id=196409
138
139         Reviewed by Saam Barati.
140
141         * stress/bytecode-cache-cached-string-impl.js: Added.
142         (f):
143         (g):
144         * stress/bytecode-cache-run-string.js: Added.
145
146 2019-04-03  Robin Morisset  <rmorisset@apple.com>
147
148         B3 should use associativity to optimize expression trees
149         https://bugs.webkit.org/show_bug.cgi?id=194081
150
151         Reviewed by Filip Pizlo.
152
153         Added three microbenchmarks:
154         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
155         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
156           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
157         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
158
159         * microbenchmarks/add-tree.js: Added.
160         * microbenchmarks/bit-or-tree.js: Added.
161         * microbenchmarks/bit-xor-tree.js: Added.
162
163 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
164
165         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
166         https://bugs.webkit.org/show_bug.cgi?id=196574
167
168         Reviewed by Saam Barati.
169
170         * stress/string-index-of-exception-check.js: Added.
171         (blurType):
172         (1.forEach):
173
174 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
175
176         Assertion failed in JSC::createError
177         https://bugs.webkit.org/show_bug.cgi?id=196305
178         <rdar://problem/49387382>
179
180         Reviewed by Saam Barati.
181
182         * stress/create-error-out-of-memory-rope-string-2.js: Added.
183         (assert):
184         (catch):
185
186 2019-03-28  Saam Barati  <sbarati@apple.com>
187
188         BackwardsGraph needs to consider back edges as the backward's root successor
189         https://bugs.webkit.org/show_bug.cgi?id=195991
190
191         Reviewed by Filip Pizlo.
192
193         * stress/map-b3-licm-infinite-loop.js: Added.
194
195 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
196
197         CodeBlock::jettison() should disallow repatching its own calls
198         https://bugs.webkit.org/show_bug.cgi?id=196359
199         <rdar://problem/48973663>
200
201         Reviewed by Saam Barati.
202
203         * stress/call-link-info-osrexit-repatch.js: Added.
204         (foo):
205
206 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
207
208         [JSC] imports-oom.js intermittently fails
209         https://bugs.webkit.org/show_bug.cgi?id=196373
210
211         Reviewed by Saam Barati.
212
213         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
214         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
215         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
216         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
217         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
218
219         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
220         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
221
222         * wasm/lowExecutableMemory/imports-oom.js:
223
224 2019-03-27  Saam Barati  <sbarati@apple.com>
225
226         validateOSREntryValue with Int52 should box the value being checked into double format
227         https://bugs.webkit.org/show_bug.cgi?id=196313
228         <rdar://problem/49306703>
229
230         Reviewed by Yusuke Suzuki.
231
232         * stress/validate-int-52-ai-state.js: Added.
233
234 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
235
236         [JSC] Owner of watchpoints should validate at GC finalizing phase
237         https://bugs.webkit.org/show_bug.cgi?id=195827
238
239         Reviewed by Filip Pizlo.
240
241         * stress/gc-should-reap-dead-watchpoints.js: Added.
242         (foo):
243         (A.prototype.y):
244         (A):
245
246 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
247
248         Skip WebAssembly test on 32-bit systems
249         https://bugs.webkit.org/show_bug.cgi?id=196206
250
251         Reviewed by Saam Barati.
252
253         Invoking runDefault executes test immediately even though
254         that test should be skipped due to missing WASM support.
255         Therefore remove runDefault.
256
257         * wasm/regress/web-assembly-link-error-exception-check.js:
258
259 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
260
261         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
262         https://bugs.webkit.org/show_bug.cgi?id=196217
263
264         Reviewed by Saam Barati.
265
266         Re-enable all NaN tests for f32.min, f64.min and f64.max.
267
268         * wasm/spec-tests/f32.wast.js:
269         * wasm/spec-tests/f64.wast.js:
270         * wasm/wasm.json:
271
272 2019-03-25  Keith Miller  <keith_miller@apple.com>
273
274         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
275         https://bugs.webkit.org/show_bug.cgi?id=196176
276
277         Reviewed by Saam Barati.
278
279         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
280         (main.v10):
281         (main):
282
283 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
284
285         WebAssembly: f32.max with NaN generates incorrect result
286         https://bugs.webkit.org/show_bug.cgi?id=175691
287         <rdar://problem/33952228>
288
289         Reviewed by Saam Barati.
290
291         Enable all f32.max NaN tests
292
293         * wasm/spec-tests/f32.wast.js:
294         * wasm/wasm.json:
295
296 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
297
298         [JSC] Move test into directory for WASM tests
299         https://bugs.webkit.org/show_bug.cgi?id=196187
300
301         Reviewed by Mark Lam.
302
303         Move Test into wasm-directory. Otherwise this test
304         is also executed on systems without WASM support.
305
306         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
307
308 2019-03-23  Mark Lam  <mark.lam@apple.com>
309
310         Rolling out r243032 and r243071 because the fix is incorrect.
311         https://bugs.webkit.org/show_bug.cgi?id=195892
312         <rdar://problem/48981239>
313
314         Not reviewed.
315
316         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
317
318 2019-03-22  Mark Lam  <mark.lam@apple.com>
319
320         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
321         https://bugs.webkit.org/show_bug.cgi?id=196154
322         <rdar://problem/49145307>
323
324         Reviewed by Filip Pizlo.
325
326         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
327         There's no need to run this test on more than 1 test configuration.
328
329         * stress/typed-array-lastIndexOf-exception-check.js: Added.
330         * stress/web-assembly-link-error-exception-check.js:
331
332 2019-03-22  Mark Lam  <mark.lam@apple.com>
333
334         Placate exception check validation in constructJSWebAssemblyLinkError().
335         https://bugs.webkit.org/show_bug.cgi?id=196152
336         <rdar://problem/49145257>
337
338         Reviewed by Michael Saboff.
339
340         * stress/web-assembly-link-error-exception-check.js: Added.
341
342 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
343
344         Skip tests running out of memory on ARM/MIPS
345         https://bugs.webkit.org/show_bug.cgi?id=196131
346
347         Unreviewed. Skip test if memory is limited.
348
349         * microbenchmarks/put-by-val-direct-large-index.js:
350
351 2019-03-21  Mark Lam  <mark.lam@apple.com>
352
353         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
354         https://bugs.webkit.org/show_bug.cgi?id=196116
355         <rdar://problem/48976951>
356
357         Reviewed by Filip Pizlo.
358
359         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
360
361 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
362
363         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
364         https://bugs.webkit.org/show_bug.cgi?id=196078
365         <rdar://problem/35925380>
366
367         Reviewed by Mark Lam.
368
369         Add a new benchmark that allocates several objects and invokes put_by_val_direct
370         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
371
372         * microbenchmarks/put-by-val-direct-large-index.js: Added.
373
374 2019-03-21  Mark Lam  <mark.lam@apple.com>
375
376         Placate exception check validation in operationArrayIndexOfString().
377         https://bugs.webkit.org/show_bug.cgi?id=196067
378         <rdar://problem/49056572>
379
380         Reviewed by Michael Saboff.
381
382         * stress/string-equal-exception-check.js: Added.
383
384 2019-03-21  Mark Lam  <mark.lam@apple.com>
385
386         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
387         https://bugs.webkit.org/show_bug.cgi?id=196055
388         <rdar://problem/49067448>
389
390         Reviewed by Yusuke Suzuki.
391
392         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
393
394 2019-03-20  Saam Barati  <sbarati@apple.com>
395
396         typeOfDoubleSum is wrong for when NaN can be produced
397         https://bugs.webkit.org/show_bug.cgi?id=196030
398
399         Reviewed by Filip Pizlo.
400
401         * stress/double-add-sub-mul-can-produce-nan.js: Added.
402         (assert):
403         (noInline.sub):
404         (noInline):
405         (assert.mul):
406         (assert.add):
407
408 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
409
410         Update the test to ensure OutOfMemoryError is thrown as intended
411         https://bugs.webkit.org/show_bug.cgi?id=196032
412         <rdar://problem/46842740>
413
414         Rubber stamped by Saam Barati.
415
416         * stress/create-error-out-of-memory-rope-string.js:
417         (assert):
418         (catch):
419
420 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
421
422         JSC::createError needs to check for OOM in errorDescriptionForValue
423         https://bugs.webkit.org/show_bug.cgi?id=196032
424         <rdar://problem/46842740>
425
426         Reviewed by Mark Lam.
427
428         * stress/create-error-out-of-memory-rope-string.js: Added.
429
430 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
431
432         Unreviewed, reduce # of iterations to avoid timing out after r242991
433         https://bugs.webkit.org/show_bug.cgi?id=195791
434
435         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
436
437         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
438
439 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
440
441         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
442         https://bugs.webkit.org/show_bug.cgi?id=195950
443
444         Unreviewed, reducing the amount of memory used on this test to avoid
445         OOM on devices with memory restrictions.
446
447         * microbenchmarks/generate-multiple-llint-entrypoints.js:
448
449 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
450
451         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
452         https://bugs.webkit.org/show_bug.cgi?id=194648
453
454         Reviewed by Keith Miller.
455
456         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
457
458 2019-03-18  Mark Lam  <mark.lam@apple.com>
459
460         Missing a ThrowScope release in JSObject::toString().
461         https://bugs.webkit.org/show_bug.cgi?id=195893
462         <rdar://problem/48970986>
463
464         Reviewed by Michael Saboff.
465
466         * stress/to-string-exception-check-release.js: Added.
467
468 2019-03-18  Mark Lam  <mark.lam@apple.com>
469
470         Structure::flattenDictionary() should clear unused property slots.
471         https://bugs.webkit.org/show_bug.cgi?id=195871
472         <rdar://problem/48959497>
473
474         Reviewed by Michael Saboff.
475
476         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
477
478 2019-03-15  Mark Lam  <mark.lam@apple.com>
479
480         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
481         https://bugs.webkit.org/show_bug.cgi?id=195827
482         <rdar://problem/48845513>
483
484         Reviewed by Filip Pizlo.
485
486         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
487
488 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
489
490         [ARM,MIPS] Skip slow tests
491         https://bugs.webkit.org/show_bug.cgi?id=195799
492
493         Unreviewed, test does not finish on ARM and MIPS within the
494         timeout limit.
495
496         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
497
498 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
499
500         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
501         https://bugs.webkit.org/show_bug.cgi?id=195791
502         <rdar://problem/48806130>
503
504         Reviewed by Mark Lam.
505
506         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
507         (foo):
508
509 2019-03-14  Saam Barati  <sbarati@apple.com>
510
511         We can't remove code after ForceOSRExit until after FixupPhase
512         https://bugs.webkit.org/show_bug.cgi?id=186916
513         <rdar://problem/41396612>
514
515         Reviewed by Yusuke Suzuki.
516
517         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
518         (foo):
519         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
520         (foo):
521
522 2019-03-13  Michael Saboff  <msaboff@apple.com>
523
524         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
525         https://bugs.webkit.org/show_bug.cgi?id=195735
526
527         Reviewed by Mark Lam.
528
529         New regression test.
530
531         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
532         (foo):
533         (bar):
534
535 2019-03-14  Saam Barati  <sbarati@apple.com>
536
537         Fixup uses KnownInt32 incorrectly in some nodes
538         https://bugs.webkit.org/show_bug.cgi?id=195279
539         <rdar://problem/47915654>
540
541         Reviewed by Yusuke Suzuki.
542
543         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
544         (foo):
545
546 2019-03-14  Keith Miller  <keith_miller@apple.com>
547
548         DFG liveness can't skip tail caller inline frames
549         https://bugs.webkit.org/show_bug.cgi?id=195715
550
551         Reviewed by Saam Barati.
552
553         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
554         (i.foo):
555
556 2019-03-13  Mark Lam  <mark.lam@apple.com>
557
558         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
559         https://bugs.webkit.org/show_bug.cgi?id=195415
560
561         Not reviewed.
562
563         Changed these tests to only run the default configuration.
564         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
565         There's no strong need to run this test on that variant.
566
567         * stress/dfg-to-string-on-int-does-gc.js:
568         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
569
570 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
571
572         String overflow when using StringBuilder in JSC::createError
573         https://bugs.webkit.org/show_bug.cgi?id=194957
574
575         Reviewed by Mark Lam.
576
577         Add test string-overflow-createError-builder.js that overflows
578         StringBuilder in notAFunctionSourceAppender. The second new test
579         string-overflow-createError-fit.js has an error message that doesn't
580         overflow, it still failed since the String's capacity can't be doubled.
581         Run test string-overflow-createError.js only in the default
582         configuration to reduce memory consumption when running the test
583         in all configurations on multiple CPUs in parallel.
584
585         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
586         (catch):
587         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
588         (catch):
589         * stress/string-overflow-createError.js:
590
591 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
592
593         [JSC] OSR entry should respect abstract values in addition to flush formats
594         https://bugs.webkit.org/show_bug.cgi?id=195653
595
596         Reviewed by Mark Lam.
597
598         * stress/osr-entry-locals-none.js: Added.
599
600 2019-03-12  Michael Saboff  <msaboff@apple.com>
601
602         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
603         https://bugs.webkit.org/show_bug.cgi?id=195613
604
605         Reviewed by Mark Lam.
606
607         New regression test.
608
609         * stress/regexp-backref-inbounds.js: Added.
610         (testRegExp):
611
612 2019-03-12  Mark Lam  <mark.lam@apple.com>
613
614         The HasIndexedProperty node does GC.
615         https://bugs.webkit.org/show_bug.cgi?id=195559
616         <rdar://problem/48767923>
617
618         Reviewed by Yusuke Suzuki.
619
620         * stress/HasIndexedProperty-does-gc.js: Added.
621
622 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
623
624         [ESNext][BigInt] Implement "~" unary operation
625         https://bugs.webkit.org/show_bug.cgi?id=182216
626
627         Reviewed by Keith Miller.
628
629         * stress/big-int-bit-not-general.js: Added.
630         * stress/big-int-bitwise-not-jit.js: Added.
631         * stress/big-int-bitwise-not-wrapped-value.js: Added.
632         * stress/bit-op-with-object-returning-int32.js:
633         * stress/bitwise-not-fixup-rules.js: Added.
634         * stress/value-bit-not-ai-rule.js: Added.
635
636 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
637
638         Invalid flags in a RegExp literal should be an early SyntaxError
639         https://bugs.webkit.org/show_bug.cgi?id=195514
640
641         Reviewed by Darin Adler.
642
643         * test262/expectations.yaml:
644         Mark 4 test cases as passing.
645
646         * stress/regexp-syntax-error-invalid-flags.js:
647         * stress/regress-161995.js: Removed.
648         Update existing test, merging in an older test for the same behavior.
649
650 2019-03-08  Mark Lam  <mark.lam@apple.com>
651
652         Stack overflow crash in JSC::JSObject::hasInstance.
653         https://bugs.webkit.org/show_bug.cgi?id=195458
654         <rdar://problem/48710195>
655
656         Reviewed by Yusuke Suzuki.
657
658         * stress/stack-overflow-in-custom-hasInstance.js: Added.
659
660 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
661
662         op_check_tdz does not def its argument
663         https://bugs.webkit.org/show_bug.cgi?id=192880
664         <rdar://problem/46221598>
665
666         Reviewed by Saam Barati.
667
668         * microbenchmarks/let-for-in.js: Added.
669         (foo):
670
671 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
672
673         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
674         https://bugs.webkit.org/show_bug.cgi?id=195429
675
676         Reviewed by Saam Barati.
677
678         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
679         (foo):
680         * stress/string-from-char-code-255.js: Added.
681
682 2019-03-06  Mark Lam  <mark.lam@apple.com>
683
684         Fix incorrect handling of try-finally completion values.
685         https://bugs.webkit.org/show_bug.cgi?id=195131
686         <rdar://problem/46222079>
687
688         Reviewed by Saam Barati and Yusuke Suzuki.
689
690         Added many permutations of new test case to test-finally.js.  test-finally.js has
691         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
692         tests pass there as well.
693
694         * stress/test-finally.js:
695
696 2019-03-06  Saam Barati  <sbarati@apple.com>
697
698         Air::reportUsedRegisters must padInterference
699         https://bugs.webkit.org/show_bug.cgi?id=195303
700         <rdar://problem/48270343>
701
702         Reviewed by Keith Miller.
703
704         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
705
706 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
707
708         [JSC] AI should not propagate AbstractValue relying on constant folding phase
709         https://bugs.webkit.org/show_bug.cgi?id=195375
710
711         Reviewed by Saam Barati.
712
713         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
714         (let.array):
715
716 2019-03-05  Saam Barati  <sbarati@apple.com>
717
718         op_switch_char broken for rope strings after JSRopeString layout rewrite
719         https://bugs.webkit.org/show_bug.cgi?id=195339
720         <rdar://problem/48592545>
721
722         Reviewed by Yusuke Suzuki.
723
724         * stress/switch-on-char-llint-rope.js: Added.
725
726 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
727
728         [JSC] Store bits for JSRopeString in 3 stores
729         https://bugs.webkit.org/show_bug.cgi?id=195234
730
731         Reviewed by Saam Barati.
732
733         * stress/null-rope-and-collectors.js: Added.
734
735 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
736
737         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
738         https://bugs.webkit.org/show_bug.cgi?id=195207
739
740         Unreviewed. After test runtime was reduced in r242213, test can be
741         run again on ARM/MIPS.
742
743         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
744
745 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
746
747         [JSC] sizeof(JSString) should be 16
748         https://bugs.webkit.org/show_bug.cgi?id=194375
749
750         Reviewed by Saam Barati.
751
752         * microbenchmarks/make-rope.js: Added.
753         (makeRope):
754         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
755         (returnRope.helper): Deleted.
756         (returnRope): Deleted.
757
758 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
759
760         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
761         https://bugs.webkit.org/show_bug.cgi?id=195144
762
763         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
764         Change the number from 1e8 to 1e5.
765
766         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
767         (foo):
768
769 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
770
771         Test times out on ARM/MIPS
772         https://bugs.webkit.org/show_bug.cgi?id=195168
773
774         Unreviewed. Skip test on ARM/MIPS.
775
776         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
777
778 2019-02-27  Mark Lam  <mark.lam@apple.com>
779
780         The parser is failing to record the token location of new in new.target.
781         https://bugs.webkit.org/show_bug.cgi?id=195127
782         <rdar://problem/39645578>
783
784         Reviewed by Yusuke Suzuki.
785
786         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
787
788 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
789
790         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
791         https://bugs.webkit.org/show_bug.cgi?id=195144
792         <rdar://problem/47595961>
793
794         Reviewed by Mark Lam.
795
796         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
797         (bar):
798         (foo):
799         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
800         (bar):
801         (foo):
802
803 2019-02-27  Robin Morisset  <rmorisset@apple.com>
804
805         DFG: Loop-invariant code motion (LICM) should not hoist dead code
806         https://bugs.webkit.org/show_bug.cgi?id=194945
807         <rdar://problem/48311657>
808
809         Reviewed by Mark Lam.
810
811         * stress/licm-dead-code.js: Added.
812
813 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
814
815         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
816         https://bugs.webkit.org/show_bug.cgi?id=194677
817         <rdar://problem/48112492>
818
819         Reviewed by Mark Lam.
820
821         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
822         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
823         it immediately fails due to the large size.
824
825         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
826         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
827         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
828         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
829
830         This patch changes the test to produce 16bit string from String.fromCharCode.
831
832         * stress/regress-178386.js:
833
834 2019-02-26  Mark Lam  <mark.lam@apple.com>
835
836         wasmToJS() should purify incoming NaNs.
837         https://bugs.webkit.org/show_bug.cgi?id=194807
838         <rdar://problem/48189132>
839
840         Reviewed by Saam Barati.
841
842         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
843
844 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
845
846         [JSC] Repeat string created from Array.prototype.join() take too much memory
847         https://bugs.webkit.org/show_bug.cgi?id=193912
848
849         Reviewed by Saam Barati.
850
851         Added a test and a microbenchmark for corner cases of
852         Array.prototype.join() with an uninitialized array.
853
854         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
855         * stress/array-prototype-join-uninitialized.js: Added.
856         (testArray):
857         (testABC):
858         (B):
859         (C):
860
861 2019-02-22  Robin Morisset  <rmorisset@apple.com>
862
863         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
864         https://bugs.webkit.org/show_bug.cgi?id=194953
865         <rdar://problem/47595253>
866
867         Reviewed by Saam Barati.
868
869         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
870
871         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
872
873 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
874
875         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
876         https://bugs.webkit.org/show_bug.cgi?id=172848
877         <rdar://problem/25709212>
878
879         Reviewed by Mark Lam.
880
881         * typeProfiler/inheritance.js:
882         Rewrite the test slightly for clarity. The hoisting was confusing.
883
884         * heapProfiler/class-names.js: Added.
885         (MyES5Class):
886         (MyES6Class):
887         (MyES6Subclass):
888         Test object types and improved class names.
889
890         * heapProfiler/driver/driver.js:
891         (CheapHeapSnapshotNode):
892         (CheapHeapSnapshot):
893         (createCheapHeapSnapshot):
894         (HeapSnapshot):
895         (createHeapSnapshot):
896         Update snapshot parsing from version 1 to version 2.
897
898 2019-02-19  Truitt Savell  <tsavell@apple.com>
899
900         Unreviewed, rolling out r241784.
901
902         Broke all OpenSource builds.
903
904         Reverted changeset:
905
906         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
907         instances view"
908         https://bugs.webkit.org/show_bug.cgi?id=172848
909         https://trac.webkit.org/changeset/241784
910
911 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
912
913         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
914         https://bugs.webkit.org/show_bug.cgi?id=172848
915         <rdar://problem/25709212>
916
917         Reviewed by Mark Lam.
918
919         * typeProfiler/inheritance.js:
920         Rewrite the test slightly for clarity. The hoisting was confusing.
921
922         * heapProfiler/class-names.js: Added.
923         (MyES5Class):
924         (MyES6Class):
925         (MyES6Subclass):
926         Test object types and improved class names.
927
928         * heapProfiler/driver/driver.js:
929         (CheapHeapSnapshotNode):
930         (CheapHeapSnapshot):
931         (createCheapHeapSnapshot):
932         (HeapSnapshot):
933         (createHeapSnapshot):
934         Update snapshot parsing from version 1 to version 2.
935
936 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
937
938         [ARM] Fix crash with sampling profiler
939         https://bugs.webkit.org/show_bug.cgi?id=194772
940
941         Reviewed by Mark Lam.
942
943         Do not skip test since crash with sampling profiler is now fixed.
944
945         * stress/sampling-profiler-richards.js:
946
947 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
948
949         [JSC] Add LazyClassStructure::getInitializedOnMainThread
950         https://bugs.webkit.org/show_bug.cgi?id=194784
951         <rdar://problem/48154820>
952
953         Reviewed by Mark Lam.
954
955         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
956         (getProperties):
957         (getRandomProperty):
958         (i.catch):
959
960 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
961
962         [ARM] Test gardening: Test running out of executable memory
963         https://bugs.webkit.org/show_bug.cgi?id=194771
964
965         Unreviewed. Do not run test without LLInt, test is running out of executable
966         memory on ARM otherwise.
967
968         * stress/tagged-template-object-collect.js:
969
970 2019-02-18  Tomas Popela  <tpopela@redhat.com>
971
972         Unreviewed, skip the test on platforms without sampling profiler
973
974         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
975         (platformSupportsSamplingProfiler.foo):
976         (platformSupportsSamplingProfiler.test):
977         (platformSupportsSamplingProfiler):
978         (foo): Deleted.
979         (test): Deleted.
980
981 2019-02-17  Saam Barati  <sbarati@apple.com>
982
983         Deadlock when adding a Structure property transition and then doing incremental marking
984         https://bugs.webkit.org/show_bug.cgi?id=194767
985
986         Reviewed by Mark Lam.
987
988         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
989
990 2019-02-15  Michael Saboff  <msaboff@apple.com>
991
992         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
993         https://bugs.webkit.org/show_bug.cgi?id=194558
994
995         Reviewed by Saam Barati.
996
997         New regression test.
998
999         * stress/regexp-unicode-within-string.js: Added.
1000
1001 2019-02-15  Mark Lam  <mark.lam@apple.com>
1002
1003         SamplingProfiler::stackTracesAsJSON() should escape strings.
1004         https://bugs.webkit.org/show_bug.cgi?id=194649
1005         <rdar://problem/48072386>
1006
1007         Reviewed by Saam Barati.
1008
1009         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1010         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1011         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1012         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1013
1014 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1015         CodeBlock::jettison should clear related watchpoints
1016         https://bugs.webkit.org/show_bug.cgi?id=194544
1017
1018         Reviewed by Mark Lam.
1019
1020         * stress/regexp-replace-double-watchpoint.js: Added.
1021         (foo):
1022
1023 2019-02-15  Saam barati  <sbarati@apple.com>
1024
1025         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1026         https://bugs.webkit.org/show_bug.cgi?id=194036
1027
1028         Reviewed by Yusuke Suzuki.
1029
1030         * stress/tail-call-many-arguments.js: Added.
1031         (foo):
1032         (bar):
1033
1034 2019-02-14  Saam Barati  <sbarati@apple.com>
1035
1036         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1037         https://bugs.webkit.org/show_bug.cgi?id=194583
1038         <rdar://problem/48028140>
1039
1040         Reviewed by Yusuke Suzuki.
1041
1042         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1043
1044 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         [JSC] String.fromCharCode's slow path always generates 16bit string
1047         https://bugs.webkit.org/show_bug.cgi?id=194466
1048
1049         Reviewed by Keith Miller.
1050
1051         * stress/string-from-char-code-slow-path.js: Added.
1052         (shouldBe):
1053         (testWithLength):
1054
1055 2019-02-08  Saam barati  <sbarati@apple.com>
1056
1057         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1058         https://bugs.webkit.org/show_bug.cgi?id=194334
1059         <rdar://problem/47844327>
1060
1061         Reviewed by Mark Lam.
1062
1063         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1064         (func):
1065
1066 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1067
1068         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1069         https://bugs.webkit.org/show_bug.cgi?id=194369
1070         <rdar://problem/47813087>
1071
1072         Reviewed by Saam Barati.
1073
1074         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1075         (A):
1076
1077 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1078
1079         [JSC] PrivateName to PublicName hash table is wasteful
1080         https://bugs.webkit.org/show_bug.cgi?id=194277
1081
1082         Reviewed by Michael Saboff.
1083
1084         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1085
1086         * ChakraCore.yaml:
1087
1088 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1089
1090         [ARM] Test running out of executable memory
1091         https://bugs.webkit.org/show_bug.cgi?id=194285
1092
1093         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1094         executable memory otherwise.
1095
1096         * stress/class-subclassing-function.js:
1097
1098 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1099
1100         when lowering AssertNotEmpty, create the value before creating the patchpoint
1101         https://bugs.webkit.org/show_bug.cgi?id=194231
1102
1103         Reviewed by Saam Barati.
1104
1105         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1106         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1107         So even tiny changes to this test can change the code path taken.
1108
1109         * stress/assert-not-empty.js: Added.
1110         (foo):
1111
1112 2019-02-01  Mark Lam  <mark.lam@apple.com>
1113
1114         Remove invalid assertion in DFG's compileDoubleRep().
1115         https://bugs.webkit.org/show_bug.cgi?id=194130
1116         <rdar://problem/47699474>
1117
1118         Reviewed by Saam Barati.
1119
1120         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1121
1122 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1123
1124         Import latest Test262 updates.
1125
1126         Rubber-stamped by Keith Miller.
1127
1128         * test262.yaml: Deleted.
1129         * test262/config.yaml:
1130         * test262/expectations.yaml:
1131         * test262/latest-changes-summary.txt:
1132         * test262/test/:
1133         * test262/test262-Revision.txt:
1134
1135 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1136
1137         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1138         https://bugs.webkit.org/show_bug.cgi?id=194050
1139         <rdar://problem/47595592>
1140
1141         Reviewed by Yusuke Suzuki.
1142
1143         * stress/object-keys-osr-exit.js: Added.
1144         (foo):
1145         (catch):
1146
1147 2019-01-29  Mark Lam  <mark.lam@apple.com>
1148
1149         ValueRecovery::recover() should purify NaN values it recovers.
1150         https://bugs.webkit.org/show_bug.cgi?id=193978
1151         <rdar://problem/47625488>
1152
1153         Reviewed by Saam Barati.
1154
1155         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1156
1157 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1158
1159         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1160         https://bugs.webkit.org/show_bug.cgi?id=193713
1161
1162         * stress/try-get-by-id-should-spill-registers-dfg.js:
1163         (let.f.createBuiltin):
1164
1165 2019-01-28  Mark Lam  <mark.lam@apple.com>
1166
1167         ToString node actually does GC.
1168         https://bugs.webkit.org/show_bug.cgi?id=193920
1169         <rdar://problem/46695900>
1170
1171         Reviewed by Yusuke Suzuki.
1172
1173         * stress/dfg-to-string-on-int-does-gc.js: Added.
1174         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1175         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1176
1177 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1178
1179         [JSC] NativeErrorConstructor should not have own IsoSubspace
1180         https://bugs.webkit.org/show_bug.cgi?id=193713
1181
1182         Reviewed by Saam Barati.
1183
1184         Remove @Error use.
1185
1186         * stress/try-get-by-id-should-spill-registers-dfg.js:
1187         (let.f.createBuiltin):
1188
1189 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1190
1191         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1192         https://bugs.webkit.org/show_bug.cgi?id=190693
1193
1194         Reviewed by Michael Saboff.
1195
1196         * stress/regress-190693.js: Added.
1197         (truth):
1198         (assert):
1199         (shouldThrowInvalidConstAssignment):
1200         (taz):
1201
1202 2019-01-24  Saam Barati  <sbarati@apple.com>
1203
1204         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1205         https://bugs.webkit.org/show_bug.cgi?id=193751
1206         <rdar://problem/47280215>
1207
1208         Reviewed by Michael Saboff.
1209
1210         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1211         (let.thing):
1212         (foo.let.hello):
1213         (foo):
1214
1215 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1216
1217         [JSC] Reenable baseline JIT on mips
1218         https://bugs.webkit.org/show_bug.cgi?id=192983
1219
1220         Reviewed by Mark Lam.
1221
1222         Added a new test for a case that was triggering a RELEASE_ASSERT when
1223         testing.
1224         Disable some slow tests that were already disabled for arm and x86.
1225
1226         * stress/json-parse-big-object.js: Added.
1227         * stress/new-largeish-contiguous-array-with-size.js:
1228         * stress/op_add.js:
1229         * stress/op_bitand.js:
1230         * stress/op_bitor.js:
1231         * stress/op_bitxor.js:
1232         * stress/op_lshift-ConstVar.js:
1233         * stress/op_lshift-VarConst.js:
1234         * stress/op_lshift-VarVar.js:
1235         * stress/op_mod-ConstVar.js:
1236         * stress/op_mod-VarConst.js:
1237         * stress/op_mod-VarVar.js:
1238         * stress/op_mul-ConstVar.js:
1239         * stress/op_mul-VarConst.js:
1240         * stress/op_mul-VarVar.js:
1241         * stress/op_rshift-ConstVar.js:
1242         * stress/op_rshift-VarConst.js:
1243         * stress/op_rshift-VarVar.js:
1244         * stress/op_sub-ConstVar.js:
1245         * stress/op_sub-VarConst.js:
1246         * stress/op_sub-VarVar.js:
1247         * stress/op_urshift-ConstVar.js:
1248         * stress/op_urshift-VarConst.js:
1249         * stress/op_urshift-VarVar.js:
1250         * stress/sampling-profiler-richards.js:
1251         * stress/spread-forward-call-varargs-stack-overflow.js:
1252
1253 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1254
1255         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1256         https://bugs.webkit.org/show_bug.cgi?id=193711
1257         <rdar://problem/47250262>
1258
1259         Reviewed by Saam Barati.
1260
1261         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1262         (shouldBe):
1263         (foo):
1264         (bar):
1265         (baz):
1266
1267 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1268
1269         Unreviewed, fix initial global lexical binding epoch
1270         https://bugs.webkit.org/show_bug.cgi?id=193603
1271         <rdar://problem/47380869>
1272
1273         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1274         (f1.f2.f3.f4):
1275         (f1.f2.f3):
1276         (f1.f2):
1277         (f1):
1278
1279 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1280
1281         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1282         https://bugs.webkit.org/show_bug.cgi?id=193709
1283         <rdar://problem/47363838>
1284
1285         Unreviewed, rollout to watch the tests.
1286
1287         * stress/object-tostring-changed-proto.js: Removed.
1288         * stress/object-tostring-changed.js: Removed.
1289         * stress/object-tostring-misc.js: Removed.
1290         * stress/object-tostring-other.js: Removed.
1291         * stress/object-tostring-untyped.js: Removed.
1292
1293 2019-01-22  Saam Barati  <sbarati@apple.com>
1294
1295         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1296
1297         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1298         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1299         (testUncheckedLessThanZero):
1300         (testUncheckedLessThanOrEqualZero):
1301         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1302         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1303
1304 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1305
1306         [JSC] Invalidate old scope operations using global lexical binding epoch
1307         https://bugs.webkit.org/show_bug.cgi?id=193603
1308         <rdar://problem/47380869>
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1313         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1314         (shouldThrow):
1315         (bar):
1316         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1317         (shouldBe):
1318         (get1):
1319         (get2):
1320         (get1If):
1321         (get2If):
1322         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1323         (shouldThrow):
1324         (foo):
1325
1326 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1327
1328         Unreviewed, roll out r240220 due to date-format-xparb regression
1329         https://bugs.webkit.org/show_bug.cgi?id=193603
1330
1331         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1332         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1333         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1334         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1335
1336 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1337
1338         DoesGC rule is wrong for nodes with BigIntUse
1339         https://bugs.webkit.org/show_bug.cgi?id=193652
1340
1341         Reviewed by Saam Barati.
1342
1343         * stress/big-int-value-op-update-gc-rules.js: Added.
1344         (assert):
1345         (doesGCAdd):
1346         (doesGCSub):
1347         (doesGCDiv):
1348         (doesGCMul):
1349         (doesGCBitAnd):
1350         (doesGCBitOr):
1351         (doesGCBitXor):
1352
1353 2019-01-20  Saam Barati  <sbarati@apple.com>
1354
1355         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1356         https://bugs.webkit.org/show_bug.cgi?id=193644
1357         <rdar://problem/46209745>
1358
1359         Reviewed by Yusuke Suzuki.
1360
1361         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1362         (foo):
1363         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1364         (foo):
1365         (bar):
1366
1367 2019-01-20  Saam Barati  <sbarati@apple.com>
1368
1369         MovHint must merge NodeBytecodeUsesAsValue for its child
1370         https://bugs.webkit.org/show_bug.cgi?id=186916
1371         <rdar://problem/41396612>
1372
1373         Reviewed by Yusuke Suzuki.
1374
1375         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1376         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1377
1378 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         [JSC] Invalidate old scope operations using global lexical binding epoch
1381         https://bugs.webkit.org/show_bug.cgi?id=193603
1382         <rdar://problem/47380869>
1383
1384         Reviewed by Saam Barati.
1385
1386         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1387         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1388         (shouldThrow):
1389         (bar):
1390         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1391         (shouldBe):
1392         (get1):
1393         (get2):
1394         (get1If):
1395         (get2If):
1396         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1397         (shouldThrow):
1398         (foo):
1399
1400 2019-01-17  Saam barati  <sbarati@apple.com>
1401
1402         StringObjectUse should not be a structure check for the original string object structure
1403         https://bugs.webkit.org/show_bug.cgi?id=193483
1404         <rdar://problem/47280522>
1405
1406         Reviewed by Yusuke Suzuki.
1407
1408         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1409         (foo):
1410         (a.valueOf.0):
1411
1412 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1413
1414         [JSC] ToThis omission in DFGByteCodeParser is wrong
1415         https://bugs.webkit.org/show_bug.cgi?id=193513
1416         <rdar://problem/45842236>
1417
1418         Reviewed by Saam Barati.
1419
1420         * stress/to-this-omission-with-different-strict-modes.js: Added.
1421         (thisA):
1422         (thisAStrictWrapper):
1423
1424 2019-01-15  Mark Lam  <mark.lam@apple.com>
1425
1426         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1427         https://bugs.webkit.org/show_bug.cgi?id=193423
1428         <rdar://problem/46209355>
1429
1430         Reviewed by Saam Barati.
1431
1432         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1433         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1434         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1435         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1436
1437 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1438
1439         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1440         https://bugs.webkit.org/show_bug.cgi?id=193438
1441         <rdar://problem/45581249>
1442
1443         Reviewed by Saam Barati and Keith Miller.
1444
1445         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1446         Then, GetByVal(String) crashed.
1447
1448         * stress/string-get-by-val-lowering.js: Added.
1449         (shouldBe):
1450         (test):
1451         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1452         (Hello):
1453         (foo):
1454
1455 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1456
1457         Unreviewed, skip JIT tests if it's not enabled
1458
1459         * stress/bit-op-with-object-returning-int32.js:
1460
1461 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1462
1463         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1464         https://bugs.webkit.org/show_bug.cgi?id=192966
1465
1466         Reviewed by Yusuke Suzuki.
1467
1468         * stress/bit-op-with-object-returning-int32.js: Added.
1469
1470 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1471
1472         Skip a slow test and a flakey test on arm
1473
1474         Unreviewed gardening.
1475
1476         * typeProfiler/getter-richards.js:
1477         this test always times out, it used to be always skipped on arm and
1478         mips, but got accidentally enabled by r237919 now that we have DFG on
1479         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1480
1481 2019-01-14  Keith Miller  <keith_miller@apple.com>
1482
1483         Skip type-check-hoisting-phase-hoist... with no jit
1484         https://bugs.webkit.org/show_bug.cgi?id=193421
1485
1486         Reviewed by Mark Lam.
1487
1488         It's timing out the 32-bit bots and takes 330 seconds
1489         on my machine when run by itself.
1490
1491         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1492
1493 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1494
1495         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1496         https://bugs.webkit.org/show_bug.cgi?id=193413
1497         <rdar://problem/46092389>
1498
1499         Reviewed by Keith Miller.
1500
1501         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1502         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1503         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1504         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1505
1506         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1507         (compareArray):
1508
1509 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1510
1511         [BigInt] Literal parsing is crashing when used inside a Object Literal
1512         https://bugs.webkit.org/show_bug.cgi?id=193404
1513
1514         Reviewed by Yusuke Suzuki.
1515
1516         * stress/big-int-literal-inside-literal-object.js: Added.
1517
1518 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1519
1520         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1521         https://bugs.webkit.org/show_bug.cgi?id=193372
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/typed-array-array-modes-profile.js: Added.
1526         (foo):
1527
1528 2019-01-14  Mark Lam  <mark.lam@apple.com>
1529
1530         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1531         https://bugs.webkit.org/show_bug.cgi?id=193402
1532         <rdar://problem/46012309>
1533
1534         Reviewed by Keith Miller.
1535
1536         * stress/regexp-compile-oom.js:
1537         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1538           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1539
1540 2019-01-11  Saam barati  <sbarati@apple.com>
1541
1542         DFG combined liveness can be wrong for terminal basic blocks
1543         https://bugs.webkit.org/show_bug.cgi?id=193304
1544         <rdar://problem/45268632>
1545
1546         Reviewed by Yusuke Suzuki.
1547
1548         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1549
1550 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1551
1552         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1553         https://bugs.webkit.org/show_bug.cgi?id=193308
1554         <rdar://problem/45546542>
1555
1556         Reviewed by Saam Barati.
1557
1558         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1559         (shouldThrow):
1560         (shouldBe):
1561         (foo):
1562         (get shouldThrow):
1563         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1564         (shouldThrow):
1565         (shouldBe):
1566         (foo):
1567         (get shouldBe):
1568         (get shouldThrow):
1569         (get return):
1570         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1571         (shouldThrow):
1572         (shouldBe):
1573         (foo):
1574         (get shouldBe):
1575         (get shouldThrow):
1576         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1577         (shouldThrow):
1578         (shouldBe):
1579         (foo):
1580         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1581         (shouldThrow):
1582         (shouldBe):
1583         (foo):
1584         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1585         (shouldThrow):
1586         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1587         (shouldThrow):
1588         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1589         (shouldThrow):
1590         (shouldBe):
1591         (foo):
1592         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1593         (shouldThrow):
1594         (shouldBe):
1595         (foo):
1596         (get shouldBe):
1597         (get shouldThrow):
1598         (get return):
1599         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1600         (shouldThrow):
1601         (shouldBe):
1602         (foo):
1603         (get shouldBe):
1604         (get shouldThrow):
1605         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1606         (shouldThrow):
1607         (shouldBe):
1608         (foo):
1609         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1610         (shouldThrow):
1611         (shouldBe):
1612         (foo):
1613
1614 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1615
1616         Enable DFG on ARM/Linux again
1617         https://bugs.webkit.org/show_bug.cgi?id=192496
1618
1619         Reviewed by Yusuke Suzuki.
1620
1621         Test wasn't really skipped before moving the line with skip
1622         to the top.
1623
1624         * stress/regress-192717.js:
1625
1626 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1627
1628         Unreviewed, rolling out r239825.
1629         https://bugs.webkit.org/show_bug.cgi?id=193330
1630
1631         Broke tests on armv7/linux bots (Requested by guijemont on
1632         #webkit).
1633
1634         Reverted changeset:
1635
1636         "Enable DFG on ARM/Linux again"
1637         https://bugs.webkit.org/show_bug.cgi?id=192496
1638         https://trac.webkit.org/changeset/239825
1639
1640 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1641
1642         Enable DFG on ARM/Linux again
1643         https://bugs.webkit.org/show_bug.cgi?id=192496
1644
1645         Reviewed by Yusuke Suzuki.
1646
1647         Test wasn't really skipped before moving the line with skip
1648         to the top.
1649
1650         * stress/regress-192717.js:
1651
1652 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1653
1654         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1655         https://bugs.webkit.org/show_bug.cgi?id=193127
1656
1657         Reviewed by Saam Barati.
1658
1659         * stress/array-species-create-should-handle-masquerader.js: Added.
1660         (shouldThrow):
1661         * stress/is-undefined-or-null-builtin.js: Added.
1662         (shouldBe):
1663         (isUndefinedOrNull.vm.createBuiltin):
1664
1665 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1666
1667         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1668         https://bugs.webkit.org/show_bug.cgi?id=193221
1669
1670         Reviewed by Mark Lam.
1671
1672         * stress/put-by-id-flags.js: Added.
1673         (f):
1674         (g):
1675         (numberOfDFGCompiles):
1676
1677 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1678
1679         Baseline version of get_by_id may corrupt metadata
1680         https://bugs.webkit.org/show_bug.cgi?id=193085
1681         <rdar://problem/23453006>
1682
1683         Reviewed by Saam Barati.
1684
1685         * stress/get-by-id-change-mode.js: Added.
1686         (forEach):
1687
1688 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1689
1690         [JSC] Optimize Object.prototype.toString
1691         https://bugs.webkit.org/show_bug.cgi?id=193031
1692
1693         Reviewed by Saam Barati.
1694
1695         * stress/object-tostring-changed-proto.js: Added.
1696         (shouldBe):
1697         (test):
1698         * stress/object-tostring-changed.js: Added.
1699         (shouldBe):
1700         (test):
1701         * stress/object-tostring-misc.js: Added.
1702         (shouldBe):
1703         (test):
1704         (i.switch):
1705         * stress/object-tostring-other.js: Added.
1706         (shouldBe):
1707         (test):
1708         * stress/object-tostring-untyped.js: Added.
1709         (shouldBe):
1710         (test):
1711         (i.switch):
1712
1713 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1714
1715         test262-runner misbehaves when test file YAML has a trailing space
1716         https://bugs.webkit.org/show_bug.cgi?id=193053
1717
1718         Reviewed by Yusuke Suzuki.
1719
1720         * test262/expectations.yaml:
1721         Mark two dozen tests as passing (and correct the output of another).
1722
1723 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1724
1725         Unreviewed, JSTests gardening with memoryLimited
1726
1727         * stress/string-overflow-createError.js:
1728
1729 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1730
1731         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1732         https://bugs.webkit.org/show_bug.cgi?id=193050
1733
1734         Reviewed by Yusuke Suzuki.
1735
1736         * test262.yaml:
1737         * test262/expectations.yaml:
1738         Mark 16 tests as passing.
1739
1740 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1741
1742         [BigInt] Support BigInt in JSON.stringify
1743         https://bugs.webkit.org/show_bug.cgi?id=192624
1744
1745         Reviewed by Saam Barati.
1746
1747         * stress/big-int-json-stringify-to-json.js: Added.
1748         (shouldBe):
1749         (shouldThrow):
1750         (BigInt.prototype.toJSON):
1751         (shouldBe.JSON.stringify):
1752         * stress/big-int-json-stringify.js: Added.
1753         (shouldBe):
1754         (shouldThrow):
1755
1756 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1757
1758         [JSC] Implement "well-formed JSON.stringify" proposal
1759         https://bugs.webkit.org/show_bug.cgi?id=191677
1760
1761         Reviewed by Darin Adler.
1762
1763         * stress/json-surrogate-pair.js: Added.
1764         (shouldBe):
1765         * test262/expectations.yaml:
1766
1767 2018-12-20  Keith Miller  <keith_miller@apple.com>
1768
1769         Add support for globalThis
1770         https://bugs.webkit.org/show_bug.cgi?id=165171
1771
1772         Reviewed by Mark Lam.
1773
1774         * test262/config.yaml:
1775
1776 2018-12-19  Keith Miller  <keith_miller@apple.com>
1777
1778         Update test262 configuration to not run tests dependent on ICU version.
1779         https://bugs.webkit.org/show_bug.cgi?id=192920
1780
1781         Reviewed by Saam Barati.
1782
1783         * test262/expectations.yaml:
1784
1785 2018-12-20  Mark Lam  <mark.lam@apple.com>
1786
1787         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1788         https://bugs.webkit.org/show_bug.cgi?id=192939
1789         <rdar://problem/46869516>
1790
1791         Reviewed by Keith Miller.
1792
1793         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1794
1795 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1796
1797         WTF::String and StringImpl overflow MaxLength
1798         https://bugs.webkit.org/show_bug.cgi?id=192853
1799         <rdar://problem/45726906>
1800
1801         Reviewed by Mark Lam.
1802
1803         * stress/string-16bit-repeat-overflow.js: Added.
1804         (catch):
1805
1806 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1807
1808         Unreviewed follow-up to r192914.
1809
1810         * test262/expectations.yaml:
1811         Add the last 20 missing expectations.
1812
1813 2018-12-19  Keith Miller  <keith_miller@apple.com>
1814
1815         Fix test262 expectations
1816         https://bugs.webkit.org/show_bug.cgi?id=192914
1817
1818         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1819
1820         * test262/expectations.yaml:
1821
1822 2018-12-19  Keith Miller  <keith_miller@apple.com>
1823
1824         Update test262 tests.
1825         https://bugs.webkit.org/show_bug.cgi?id=192907
1826
1827         Rubber stamped by Mark Lam.
1828
1829         * test262/*: Omitted because prepare-changelog crashes.
1830
1831 2018-12-19  Mark Lam  <mark.lam@apple.com>
1832
1833         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1834         https://bugs.webkit.org/show_bug.cgi?id=192464
1835         <rdar://problem/46519455>
1836
1837         Reviewed by Saam Barati.
1838
1839         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1840         microbenchmark.
1841
1842         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1843         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1844
1845 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1846
1847         String overflow in JSC::createError results in ASSERT in WTF::makeString
1848         https://bugs.webkit.org/show_bug.cgi?id=192833
1849         <rdar://problem/45706868>
1850
1851         Reviewed by Mark Lam.
1852
1853         * stress/string-overflow-createError.js: Added.
1854
1855 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1856
1857         Error message for `-x ** y` contains a typo.
1858         https://bugs.webkit.org/show_bug.cgi?id=192832
1859
1860         Reviewed by Saam Barati.
1861
1862         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1863         (assert.assert.return.throws):
1864         * stress/pow-expects-update-expression-on-lhs.js:
1865         (throw.new.Error):
1866         Update test expectations which match against the exact error message.
1867
1868 2018-12-18  Mark Lam  <mark.lam@apple.com>
1869
1870         Gardening: test options fix.
1871         https://bugs.webkit.org/show_bug.cgi?id=192822
1872
1873         Unreviewed.
1874
1875         * stress/json-stringify-string-builder-overflow.js:
1876
1877 2018-12-18  Mark Lam  <mark.lam@apple.com>
1878
1879         JSON.stringify() should throw OOM on StringBuilder overflows.
1880         https://bugs.webkit.org/show_bug.cgi?id=192822
1881         <rdar://problem/46670577>
1882
1883         Reviewed by Saam Barati.
1884
1885         * stress/json-stringify-string-builder-overflow.js: Added.
1886
1887 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1888
1889         Redeclaration of var over let/const/class should be a syntax error.
1890         https://bugs.webkit.org/show_bug.cgi?id=192298
1891
1892         Reviewed by Keith Miller.
1893
1894         * test262.yaml:
1895         * test262/expectations.yaml:
1896         Mark 46 tests as passing.
1897
1898         * stress/block-scope-redeclarations.js:
1899         Add some new tests.
1900
1901         * stress/for-in-invalidate-context-weird-assignments.js:
1902         * stress/for-in-tests.js:
1903         Replace tests for outdated behavior with tests for SyntaxError.
1904
1905         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1906         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1907         Update expectations.
1908
1909 2018-12-18  Mark Lam  <mark.lam@apple.com>
1910
1911         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1912         https://bugs.webkit.org/show_bug.cgi?id=191374
1913         <rdar://problem/46525447>
1914
1915         Reviewed by Yusuke Suzuki.
1916
1917         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1918
1919         * stress/elidable-new-object-roflcopter-then-exit.js:
1920
1921 2018-12-17  Mark Lam  <mark.lam@apple.com>
1922
1923         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1924         https://bugs.webkit.org/show_bug.cgi?id=192019
1925         <rdar://problem/46525456>
1926
1927         Reviewed by Yusuke Suzuki.
1928
1929         The test runs too slow on 32-bit.
1930
1931         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1932
1933 2018-12-17  Mark Lam  <mark.lam@apple.com>
1934
1935         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1936         https://bugs.webkit.org/show_bug.cgi?id=191373
1937         <rdar://problem/46525458>
1938
1939         Reviewed by Yusuke Suzuki.
1940
1941         The test is already slow running with a JIT on 64-bit.  It will always time out
1942         on 32-bit without a JIT.
1943
1944         * stress/materialize-regexp-cyclic-regexp.js:
1945
1946 2018-12-17  Mark Lam  <mark.lam@apple.com>
1947
1948         Array unshift/shift should not race against the AI in the compiler thread.
1949         https://bugs.webkit.org/show_bug.cgi?id=192795
1950         <rdar://problem/46724263>
1951
1952         Reviewed by Saam Barati.
1953
1954         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1955
1956 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1957
1958         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1959         https://bugs.webkit.org/show_bug.cgi?id=190047
1960
1961         Reviewed by Saam Barati.
1962
1963         * stress/object-keys-cached-zero.js: Added.
1964         (shouldBe):
1965         (test):
1966         * stress/object-keys-changed-attribute.js: Added.
1967         (shouldBe):
1968         (test):
1969         * stress/object-keys-changed-index.js: Added.
1970         (shouldBe):
1971         (test):
1972         * stress/object-keys-changed.js: Added.
1973         (shouldBe):
1974         (test):
1975         * stress/object-keys-indexed-non-cache.js: Added.
1976         (shouldBe):
1977         (test):
1978         * stress/object-keys-overrides-get-property-names.js: Added.
1979         (shouldBe):
1980         (test):
1981         (noInline):
1982
1983 2018-12-17  Mark Lam  <mark.lam@apple.com>
1984
1985         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1986         https://bugs.webkit.org/show_bug.cgi?id=192779
1987         <rdar://problem/46775869>
1988
1989         Reviewed by Saam Barati.
1990
1991         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1992
1993 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1994
1995         Unreviewed test gardening, address a syntax error in a new test.
1996
1997         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1998
1999 2018-12-17  Mark Lam  <mark.lam@apple.com>
2000
2001         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2002         https://bugs.webkit.org/show_bug.cgi?id=192776
2003         <rdar://problem/46772368>
2004
2005         Reviewed by Keith Miller.
2006
2007         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2008
2009 2018-12-17  Mark Lam  <mark.lam@apple.com>
2010
2011         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2012         https://bugs.webkit.org/show_bug.cgi?id=192770
2013         <rdar://problem/46449037>
2014
2015         Reviewed by Keith Miller.
2016
2017         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2018
2019 2018-12-14  Mark Lam  <mark.lam@apple.com>
2020
2021         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2022         https://bugs.webkit.org/show_bug.cgi?id=192717
2023         <rdar://problem/46660677>
2024
2025         Reviewed by Saam Barati.
2026
2027         * stress/regress-192717.js: Added.
2028
2029 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2030
2031         Unreviewed, rolling out r239153, r239154, and r239155.
2032         https://bugs.webkit.org/show_bug.cgi?id=192715
2033
2034         Caused flaky GC-related crashes seen with layout tests
2035         (Requested by ryanhaddad on #webkit).
2036
2037         Reverted changesets:
2038
2039         "[JSC] Optimize Object.keys by caching own keys results in
2040         StructureRareData"
2041         https://bugs.webkit.org/show_bug.cgi?id=190047
2042         https://trac.webkit.org/changeset/239153
2043
2044         "Unreviewed, build fix after r239153"
2045         https://bugs.webkit.org/show_bug.cgi?id=190047
2046         https://trac.webkit.org/changeset/239154
2047
2048         "Unreviewed, build fix after r239153, part 2"
2049         https://bugs.webkit.org/show_bug.cgi?id=190047
2050         https://trac.webkit.org/changeset/239155
2051
2052 2018-12-14  Keith Miller  <keith_miller@apple.com>
2053
2054         Callers of JSString::getIndex should check for OOM exceptions
2055         https://bugs.webkit.org/show_bug.cgi?id=192709
2056
2057         Reviewed by Mark Lam.
2058
2059         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2060
2061 2018-12-13  Mark Lam  <mark.lam@apple.com>
2062
2063         Add a missing exception check.
2064         https://bugs.webkit.org/show_bug.cgi?id=192626
2065         <rdar://problem/46662163>
2066
2067         Reviewed by Keith Miller.
2068
2069         * stress/regress-192626.js: Added.
2070
2071 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2072
2073         [BigInt] Add ValueDiv into DFG
2074         https://bugs.webkit.org/show_bug.cgi?id=186178
2075
2076         Reviewed by Yusuke Suzuki.
2077
2078         * stress/big-int-div-jit-osr.js: Added.
2079         * stress/big-int-div-jit-untyped.js: Added.
2080         * stress/value-div-fixup-int32-big-int.js: Added.
2081
2082 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2083
2084         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2085         https://bugs.webkit.org/show_bug.cgi?id=190047
2086
2087         Reviewed by Keith Miller.
2088
2089         * stress/object-keys-cached-zero.js: Added.
2090         (shouldBe):
2091         (test):
2092         * stress/object-keys-changed-attribute.js: Added.
2093         (shouldBe):
2094         (test):
2095         * stress/object-keys-changed-index.js: Added.
2096         (shouldBe):
2097         (test):
2098         * stress/object-keys-changed.js: Added.
2099         (shouldBe):
2100         (test):
2101         * stress/object-keys-indexed-non-cache.js: Added.
2102         (shouldBe):
2103         (test):
2104         * stress/object-keys-overrides-get-property-names.js: Added.
2105         (shouldBe):
2106         (test):
2107         (noInline):
2108
2109 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2110
2111         [DFG][FTL] Add NewSymbol
2112         https://bugs.webkit.org/show_bug.cgi?id=192620
2113
2114         Reviewed by Saam Barati.
2115
2116         * microbenchmarks/symbol-creation.js: Added.
2117         (test):
2118         * stress/symbol-description-identity.js: Added.
2119         (shouldBe):
2120         (test):
2121         * stress/symbol-identity.js: Added.
2122         (shouldBe):
2123         (test):
2124         * stress/symbol-with-description-throw-error.js: Added.
2125         (shouldBe):
2126         (shouldThrow):
2127         (test):
2128         (object.toString):
2129
2130 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2131
2132         [BigInt] Implement DFG/FTL typeof for BigInt
2133         https://bugs.webkit.org/show_bug.cgi?id=192619
2134
2135         Reviewed by Keith Miller.
2136
2137         * stress/big-int-boolean-proven-type.js: Added.
2138         (assert):
2139         (bool):
2140         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2141         (assert):
2142         (typeOf):
2143         (i.switch):
2144         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2145         (assert):
2146         (typeOf):
2147         * stress/big-int-type-of.js:
2148         (typeOf):
2149         (func):
2150
2151 2018-12-10  Mark Lam  <mark.lam@apple.com>
2152
2153         PropertyAttribute needs a CustomValue bit.
2154         https://bugs.webkit.org/show_bug.cgi?id=191993
2155         <rdar://problem/46264467>
2156
2157         Reviewed by Saam Barati.
2158
2159         * stress/regress-191993.js: Added.
2160
2161 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2162
2163         [BigInt] Add ValueMul into DFG
2164         https://bugs.webkit.org/show_bug.cgi?id=186175
2165
2166         Reviewed by Yusuke Suzuki.
2167
2168         * stress/big-int-mul-jit-osr.js: Added.
2169         * stress/big-int-mul-jit-untyped.js: Added.
2170         * stress/value-mul-fixup-int32-big-int.js: Added.
2171
2172 2018-12-06  Keith Miller  <keith_miller@apple.com>
2173
2174         stress/big-wasm-memory tests failing on 32-bit JSC bot
2175         https://bugs.webkit.org/show_bug.cgi?id=192020
2176
2177         Reviewed by Saam Barati.
2178
2179         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2180         the wasm stress tests if the WebAssembly object does not exist.
2181
2182         * stress/big-wasm-memory-grow-no-max.js:
2183         (test.foo):
2184         (test):
2185         (foo): Deleted.
2186         (catch): Deleted.
2187         * stress/big-wasm-memory-grow.js:
2188         (test.foo):
2189         (test):
2190         (foo): Deleted.
2191         (catch): Deleted.
2192         * stress/big-wasm-memory.js:
2193         (test.foo):
2194         (test):
2195         (foo): Deleted.
2196         (catch): Deleted.
2197
2198 2018-12-05  Mark Lam  <mark.lam@apple.com>
2199
2200         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2201         https://bugs.webkit.org/show_bug.cgi?id=192441
2202         <rdar://problem/46480355>
2203
2204         Reviewed by Saam Barati.
2205
2206         * stress/regress-192441.js: Added.
2207
2208 2018-12-04  Mark Lam  <mark.lam@apple.com>
2209
2210         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2211         https://bugs.webkit.org/show_bug.cgi?id=192386
2212         <rdar://problem/46445516>
2213
2214         Reviewed by Saam Barati.
2215
2216         * stress/regress-192386.js: Added.
2217
2218 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2219
2220         [ESNext][BigInt] Support logic operations
2221         https://bugs.webkit.org/show_bug.cgi?id=179903
2222
2223         Reviewed by Yusuke Suzuki.
2224
2225         * stress/big-int-branch-usage.js: Added.
2226         * stress/big-int-logical-and.js: Added.
2227         * stress/big-int-logical-not.js: Added.
2228         * stress/big-int-logical-or.js: Added.
2229
2230 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2231
2232         Unreviewed, rolling out r238833.
2233
2234         Breaks macOS and iOS debug builds.
2235
2236         Reverted changeset:
2237
2238         "[ESNext][BigInt] Support logic operations"
2239         https://bugs.webkit.org/show_bug.cgi?id=179903
2240         https://trac.webkit.org/changeset/238833
2241
2242 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2243
2244         [ESNext][BigInt] Support logic operations
2245         https://bugs.webkit.org/show_bug.cgi?id=179903
2246
2247         Reviewed by Yusuke Suzuki.
2248
2249         * stress/big-int-branch-usage.js: Added.
2250         * stress/big-int-logical-and.js: Added.
2251         * stress/big-int-logical-not.js: Added.
2252         * stress/big-int-logical-or.js: Added.
2253
2254 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2255
2256         [ESNext][BigInt] Implement support for "<<" and ">>"
2257         https://bugs.webkit.org/show_bug.cgi?id=186233
2258
2259         Reviewed by Yusuke Suzuki.
2260
2261         * stress/big-int-left-shift-general.js: Added.
2262         * stress/big-int-left-shift-range-error.js: Added.
2263         * stress/big-int-left-shift-type-error.js: Added.
2264         * stress/big-int-left-shift-wrapped-value.js: Added.
2265         * stress/big-int-right-shift-general.js: Added.
2266         * stress/big-int-right-shift-type-error.js: Added.
2267         * stress/big-int-right-shift-wrapped-value.js: Added.
2268         * stress/left-shift-to-primitive-precedence.js: Added.
2269         * stress/right-shift-to-primitive-precedence.js: Added.
2270
2271 2018-11-30  Dean Jackson  <dino@apple.com>
2272
2273         Add first-class support for .mjs files in jsc binary
2274         https://bugs.webkit.org/show_bug.cgi?id=192190
2275         <rdar://problem/46375715>
2276
2277         Reviewed by Keith Miller.
2278
2279         * stress/simple-module.mjs: Added.
2280         * stress/simple-script.js: Added.
2281
2282 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2283
2284         [BigInt] Implement ValueBitXor into DFG
2285         https://bugs.webkit.org/show_bug.cgi?id=190264
2286
2287         Reviewed by Yusuke Suzuki.
2288
2289         * stress/big-int-bitwise-xor-jit.js: Added.
2290         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2291         * stress/big-int-bitwise-xor-untyped.js: Added.
2292
2293 2018-11-27  Saam barati  <sbarati@apple.com>
2294
2295         r238510 broke scopes of size zero
2296         https://bugs.webkit.org/show_bug.cgi?id=192033
2297         <rdar://problem/46281734>
2298
2299         Reviewed by Keith Miller.
2300
2301         * stress/r238510-bad-loop.js: Added.
2302         (foo):
2303
2304 2018-11-27  Mark Lam  <mark.lam@apple.com>
2305
2306         [Re-landing] NaNs read from Wasm code needs to be purified.
2307         https://bugs.webkit.org/show_bug.cgi?id=191056
2308         <rdar://problem/45660341>
2309
2310         Reviewed by Filip Pizlo.
2311
2312         * wasm/regress/regress-191056.js: Added.
2313
2314 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2315
2316         Unreviewed, rolling out r238509.
2317
2318         Causes JSC tests to fail on iOS.
2319
2320         Reverted changeset:
2321
2322         "NaNs read from Wasm code needs to be purified."
2323         https://bugs.webkit.org/show_bug.cgi?id=191056
2324         https://trac.webkit.org/changeset/238509
2325
2326 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2327
2328         Re-introduce op_bitnot
2329         https://bugs.webkit.org/show_bug.cgi?id=190923
2330
2331         Reviewed by Yusuke Suzuki.
2332
2333         * stress/bit-not-must-generate.js: Added.
2334         * stress/bitwise-not-no-int32.js: Added.
2335
2336 2018-11-26  Saam barati  <sbarati@apple.com>
2337
2338         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2339         https://bugs.webkit.org/show_bug.cgi?id=191956
2340         <rdar://problem/45665806>
2341
2342         Reviewed by Yusuke Suzuki.
2343
2344         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2345         (bar):
2346         (foo):
2347
2348 2018-11-26  Saam barati  <sbarati@apple.com>
2349
2350         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2351         https://bugs.webkit.org/show_bug.cgi?id=191958
2352         <rdar://problem/46221877>
2353
2354         Reviewed by Yusuke Suzuki.
2355
2356         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2357         (x):
2358         (foo):
2359
2360 2018-11-26  Mark Lam  <mark.lam@apple.com>
2361
2362         NaNs read from Wasm code needs to be purified.
2363         https://bugs.webkit.org/show_bug.cgi?id=191056
2364         <rdar://problem/45660341>
2365
2366         Reviewed by Filip Pizlo.
2367
2368         * wasm/regress/regress-191056.js: Added.
2369
2370 2018-11-26  Michael Saboff  <msaboff@apple.com>
2371
2372         32-bit JSC test failure: stress/regexp-compile-oom.js
2373         https://bugs.webkit.org/show_bug.cgi?id=191375
2374
2375         Reviewed by Mark Lam.
2376
2377         Disabled the test for 32 bit platforms.
2378
2379         * stress/regexp-compile-oom.js:
2380
2381 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2382
2383         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2384         https://bugs.webkit.org/show_bug.cgi?id=191716
2385         <rdar://problem/45723878>
2386
2387         Reviewed by Saam Barati.
2388
2389         * stress/regress-187373.js: Added.
2390         (async.fn):
2391
2392 2018-11-21  Saam barati  <sbarati@apple.com>
2393
2394         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2395         https://bugs.webkit.org/show_bug.cgi?id=191897
2396         <rdar://problem/45871998>
2397
2398         Reviewed by Mark Lam.
2399
2400         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2401         (bar):
2402         (foo):
2403
2404 2018-11-21  Saam barati  <sbarati@apple.com>
2405
2406         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2407         https://bugs.webkit.org/show_bug.cgi?id=191895
2408         <rdar://problem/46167406>
2409
2410         Reviewed by Mark Lam.
2411
2412         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2413         (foo):
2414         (bar):
2415
2416 2018-11-21  Mark Lam  <mark.lam@apple.com>
2417
2418         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2419         https://bugs.webkit.org/show_bug.cgi?id=191776
2420         <rdar://problem/46152851>
2421
2422         Reviewed by Saam Barati.
2423
2424         * stress/big-wasm-memory-grow-no-max.js:
2425         * stress/big-wasm-memory-grow.js:
2426         * stress/big-wasm-memory.js:
2427         - updated these to expect an OutOfMemoryError.
2428
2429         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2430         (Binary.prototype.emit_u8):
2431         (Binary.prototype.emit_u32v):
2432         (Binary.prototype.emit_header):
2433         (Binary.prototype.emit_section):
2434         (Binary):
2435         (WasmModuleBuilder):
2436         (WasmModuleBuilder.prototype.addMemory):
2437         (WasmModuleBuilder.prototype.toArray):
2438         (WasmModuleBuilder.prototype.toBuffer):
2439         (WasmModuleBuilder.prototype.instantiate):
2440         (catch):
2441         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2442         (catch):
2443
2444 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2445
2446         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2447         https://bugs.webkit.org/show_bug.cgi?id=190836
2448
2449         Reviewed by Saam Barati and Yusuke Suzuki.
2450
2451         * stress/big-int-out-of-memory-tests.js: Added.
2452
2453 2018-11-20  Mark Lam  <mark.lam@apple.com>
2454
2455         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2456         https://bugs.webkit.org/show_bug.cgi?id=191856
2457         <rdar://problem/46089992>
2458
2459         Reviewed by Yusuke Suzuki.
2460
2461         * stress/regress-191856.js: Added.
2462         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2463
2464 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2465
2466         Enable JIT on ARM/Linux
2467         https://bugs.webkit.org/show_bug.cgi?id=191548
2468
2469         Reviewed by Yusuke Suzuki.
2470
2471         Disable test on system with limited memory. Program was killed by
2472         the OS before the exception was thrown.
2473
2474         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2475
2476 2018-11-20  Saam barati  <sbarati@apple.com>
2477
2478         Merging an IC variant may lead to the IC status containing overlapping structure sets
2479         https://bugs.webkit.org/show_bug.cgi?id=191869
2480         <rdar://problem/45403453>
2481
2482         Reviewed by Mark Lam.
2483
2484         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2485
2486 2018-11-19  Mark Lam  <mark.lam@apple.com>
2487
2488         globalFuncImportModule() should return a promise when it clears exceptions.
2489         https://bugs.webkit.org/show_bug.cgi?id=191792
2490         <rdar://problem/46090763>
2491
2492         Reviewed by Michael Saboff.
2493
2494         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2495
2496 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2497
2498         Skip new memory-hungry tests on memory limited devices
2499
2500         Unreviewed gardening.
2501
2502         * stress/big-wasm-memory-grow-no-max.js:
2503         * stress/big-wasm-memory-grow.js:
2504         * stress/big-wasm-memory.js:
2505
2506 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2507
2508         Unreviewed, rolling in the rest of r237254
2509         https://bugs.webkit.org/show_bug.cgi?id=190340
2510
2511         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2512         * stress/function-cache-with-parameters-end-position.js: Added.
2513         (shouldBe):
2514         (shouldThrow):
2515         (i.anonymous):
2516         * stress/function-constructor-name.js: Added.
2517         (shouldBe):
2518         (GeneratorFunction):
2519         (AsyncFunction.async):
2520         (AsyncGeneratorFunction.async):
2521         (anonymous):
2522         (async.anonymous):
2523         * test262/expectations.yaml:
2524
2525 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2526
2527         All users of ArrayBuffer should agree on the same max size
2528         https://bugs.webkit.org/show_bug.cgi?id=191771
2529
2530         Reviewed by Mark Lam.
2531
2532         * stress/big-wasm-memory-grow-no-max.js: Added.
2533         (foo):
2534         (catch):
2535         * stress/big-wasm-memory-grow.js: Added.
2536         (foo):
2537         (catch):
2538         * stress/big-wasm-memory.js: Added.
2539         (foo):
2540         (catch):
2541
2542 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2543
2544         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2545         run for each JSC config since they're regression tests for runtime bugs.
2546
2547         * stress/json-stringified-overflow-2.js:
2548         * stress/json-stringified-overflow.js:
2549
2550 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2551
2552         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2553         config since they're regression tests for runtime bugs.
2554
2555         * stress/large-unshift-splice.js:
2556         * stress/regress-185888.js:
2557
2558 2018-11-16  Saam Barati  <sbarati@apple.com>
2559
2560         KnownCellUse should also have SpecCellCheck as its type filter
2561         https://bugs.webkit.org/show_bug.cgi?id=191729
2562         <rdar://problem/45872852>
2563
2564         Reviewed by Filip Pizlo.
2565
2566         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2567         (C):
2568
2569 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2570
2571         Fix assertion failure on BytecodeGenerator::recordOpcode
2572         https://bugs.webkit.org/show_bug.cgi?id=191724
2573         <rdar://problem/45724395>
2574
2575         Reviewed by Saam Barati.
2576
2577         * stress/regress-187373-2.js: Added.
2578         (foo):
2579
2580 2018-11-15  Mark Lam  <mark.lam@apple.com>
2581
2582         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2583         https://bugs.webkit.org/show_bug.cgi?id=191730
2584         <rdar://problem/46048517>
2585
2586         Reviewed by Saam Barati.
2587
2588         * stress/regress-187006.js: Removed.
2589           - this test is invalid because its sole purpose is to test for the non-spec
2590             compliant behavior that we just fixed.
2591
2592         * stress/regress-191730.js: Added.
2593
2594 2018-11-15  Mark Lam  <mark.lam@apple.com>
2595
2596         RegExp operations should not take fast path if lastIndex is not numeric.
2597         https://bugs.webkit.org/show_bug.cgi?id=191731
2598         <rdar://problem/46017305>
2599
2600         Reviewed by Saam Barati.
2601
2602         * stress/regress-191731.js: Added.
2603
2604 2018-11-13  Saam Barati  <sbarati@apple.com>
2605
2606         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2607         https://bugs.webkit.org/show_bug.cgi?id=191600
2608
2609         Reviewed by Mark Lam.
2610
2611         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2612         (foo):
2613         (test):
2614         (bar):
2615
2616 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2617
2618         Unreviewed, rolling out r238132.
2619
2620         The test added with this change is timing out on Debug JSC
2621         bots.
2622
2623         Reverted changeset:
2624
2625         "[BigInt] JSBigInt::createWithLength should throw when length
2626         is greater than JSBigInt::maxLength"
2627         https://bugs.webkit.org/show_bug.cgi?id=190836
2628         https://trac.webkit.org/changeset/238132
2629
2630 2018-11-13  Mark Lam  <mark.lam@apple.com>
2631
2632         Add OOM detection to StringPrototype's substituteBackreferences().
2633         https://bugs.webkit.org/show_bug.cgi?id=191563
2634         <rdar://problem/45720428>
2635
2636         Reviewed by Saam Barati.
2637
2638         * stress/regress-191563.js: Added.
2639
2640 2018-11-13  Mark Lam  <mark.lam@apple.com>
2641
2642         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2643         https://bugs.webkit.org/show_bug.cgi?id=191579
2644         <rdar://problem/45942472>
2645
2646         Reviewed by Saam Barati.
2647
2648         * stress/regress-191579.js: Added.
2649
2650 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2651
2652         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2653         https://bugs.webkit.org/show_bug.cgi?id=190836
2654
2655         Reviewed by Saam Barati.
2656
2657         * stress/big-int-out-of-memory-tests.js: Added.
2658
2659 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2660
2661         U+180E is no longer a whitespace character
2662         https://bugs.webkit.org/show_bug.cgi?id=191415
2663
2664         Reviewed by Saam Barati.
2665
2666         * ChakraCore/test/es5/regexSpace.baseline:
2667         * ChakraCore/test/es6/unicode_whitespace.js:
2668         Update tests to latest version.
2669         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2670
2671         * test262.yaml:
2672         * test262/config.yaml:
2673         * test262/expectations.yaml:
2674         Update expectations.
2675
2676 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2677
2678         [BigInt] Add support to BigInt into ValueAdd
2679         https://bugs.webkit.org/show_bug.cgi?id=186177
2680
2681         Reviewed by Keith Miller.
2682
2683         * stress/big-int-negate-jit.js:
2684         * stress/value-add-big-int-and-string.js: Added.
2685         * stress/value-add-big-int-prediction-propagation.js: Added.
2686         * stress/value-add-big-int-untyped.js: Added.
2687
2688 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2689
2690         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2691         https://bugs.webkit.org/show_bug.cgi?id=191184
2692
2693         Reviewed by Saam Barati.
2694
2695         Most tests were failing due to timeouts, since they are too slow to
2696         run on CLoop. The exceptions are:
2697
2698         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2699         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2700         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2701         to change the stack size since CLoop requires it to be page aligned.
2702
2703         * microbenchmarks/array-push-1.js:
2704         * microbenchmarks/array-push-2.js:
2705         * microbenchmarks/elidable-new-object-dag.js:
2706         * microbenchmarks/elidable-new-object-roflcopter.js:
2707         * microbenchmarks/elidable-new-object-tree.js:
2708         * microbenchmarks/getter-richards.js:
2709         * microbenchmarks/sinkable-new-object-dag.js:
2710         * microbenchmarks/string-concat-long-convert.js:
2711         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2712         * slowMicrobenchmarks/array-push-3.js:
2713         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2714         * slowMicrobenchmarks/spread-small-array.js:
2715         * slowMicrobenchmarks/undefined-property-access.js:
2716         * stress/activation-sink-default-value-tdz-error.js:
2717         * stress/activation-sink-default-value.js:
2718         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2719         * stress/activation-sink-osrexit-default-value.js:
2720         * stress/activation-sink-osrexit.js:
2721         * stress/activation-sink.js:
2722         * stress/allow-math-ic-b3-code-duplication.js:
2723         * stress/array-push-multiple-int32.js:
2724         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2725         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2726         * stress/arrowfunction-lexical-this-activation-sink.js:
2727         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2728         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2729         * stress/elide-new-object-dag-then-exit.js:
2730         * stress/materialize-regexp-cyclic.js:
2731         * stress/new-regex-inline.js:
2732         * stress/op_add.js:
2733         * stress/op_bitand.js:
2734         * stress/op_bitor.js:
2735         * stress/op_bitxor.js:
2736         * stress/op_div-ConstVar.js:
2737         * stress/op_div-VarConst.js:
2738         * stress/op_div-VarVar.js:
2739         * stress/op_lshift-ConstVar.js:
2740         * stress/op_lshift-VarConst.js:
2741         * stress/op_lshift-VarVar.js:
2742         * stress/op_mod-ConstVar.js:
2743         * stress/op_mod-VarConst.js:
2744         * stress/op_mod-VarVar.js:
2745         * stress/op_mul-ConstVar.js:
2746         * stress/op_mul-VarConst.js:
2747         * stress/op_mul-VarVar.js:
2748         * stress/op_rshift-ConstVar.js:
2749         * stress/op_rshift-VarConst.js:
2750         * stress/op_rshift-VarVar.js:
2751         * stress/op_sub-ConstVar.js:
2752         * stress/op_sub-VarConst.js:
2753         * stress/op_sub-VarVar.js:
2754         * stress/op_urshift-ConstVar.js:
2755         * stress/op_urshift-VarConst.js:
2756         * stress/op_urshift-VarVar.js:
2757         * stress/proxy-get-set-correct-receiver.js:
2758         * stress/regress-179562.js:
2759         * stress/rest-parameter-many-arguments.js:
2760         * stress/sampling-profiler-richards.js:
2761         * stress/splay-flash-access-1ms.js:
2762         * stress/tailCallForwardArguments.js:
2763         * stress/typed-array-get-by-val-profiling.js:
2764         * typeProfiler/getter-richards.js:
2765
2766 2018-11-06  Michael Saboff  <msaboff@apple.com>
2767
2768         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2769         https://bugs.webkit.org/show_bug.cgi?id=191271
2770
2771         Reviewed by Saam Barati.
2772
2773         Added more test cases and made all test cases run with the same deeply recursive stack
2774         instead of finding that same point for each test case.
2775
2776         * stress/regexp-compile-oom.js:
2777         (prototype.runTest):
2778         (recurseAndTest):
2779         (testList.push.new.TestAndExpectedException):
2780
2781 2018-11-05  Michael Saboff  <msaboff@apple.com>
2782
2783         Unreviewed build fix for linux.
2784
2785         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2786
2787 2018-11-02  Michael Saboff  <msaboff@apple.com>
2788
2789         Rolling in r237753 with unreviewed build fix.
2790
2791         Fixed issues with DECLARE_THROW_SCOPE placement.
2792
2793 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2794
2795         Unreviewed, rolling out r237753.
2796
2797         Introduced JSC test failures
2798
2799         Reverted changeset:
2800
2801         "Running out of stack space not properly handled in
2802         RegExp::compile() and its callers"
2803         https://bugs.webkit.org/show_bug.cgi?id=191206
2804         https://trac.webkit.org/changeset/237753
2805
2806 2018-11-02  Michael Saboff  <msaboff@apple.com>
2807
2808         Running out of stack space not properly handled in RegExp::compile() and its callers
2809         https://bugs.webkit.org/show_bug.cgi?id=191206
2810
2811         Reviewed by Filip Pizlo.
2812
2813         New regression test.
2814
2815         * stress/regexp-compile-oom.js: Added.
2816         (recurseAndTest):
2817
2818 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2819
2820         Skip tests on arm/mips that time out now we're running on CLoop
2821
2822         Unreviewed gardening.
2823
2824         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2825         time out on the bots and need to be disabled. There's more tests
2826         disabled on arm because the timeout is longer on the mips bot (as the
2827         device is slower to start with), so many of the tests don't time out
2828         there.
2829
2830         * microbenchmarks/getter-richards.js: disable on arm and mips.
2831         * stress/op_add.js: disable on arm.
2832         * stress/op_bitand.js: disable on arm.
2833         * stress/op_bitor.js: disable on arm.
2834         * stress/op_bitxor.js: disable on arm.
2835         * stress/op_lshift-ConstVar.js: disable on arm.
2836         * stress/op_lshift-VarConst.js: disable on arm.
2837         * stress/op_lshift-VarVar.js: disable on arm.
2838         * stress/op_mod-ConstVar.js: disable on arm.
2839         * stress/op_mod-VarConst.js: disable on arm.
2840         * stress/op_mod-VarVar.js: disable on arm.
2841         * stress/op_mul-ConstVar.js: disable on arm.
2842         * stress/op_mul-VarConst.js: disable on arm.
2843         * stress/op_mul-VarVar.js: disable on arm.
2844         * stress/op_rshift-ConstVar.js: disable on arm.
2845         * stress/op_rshift-VarConst.js: disable on arm.
2846         * stress/op_rshift-VarVar.js: disable on arm.
2847         * stress/op_sub-ConstVar.js: disable on arm.
2848         * stress/op_sub-VarConst.js: disable on arm.
2849         * stress/op_sub-VarVar.js: disable on arm.
2850         * stress/op_urshift-ConstVar.js: disable on arm.
2851         * stress/op_urshift-VarConst.js: disable on arm.
2852         * stress/op_urshift-VarVar.js: disable on arm.
2853         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2854         * stress/value-to-boolean.js: disable on arm and mips.
2855
2856 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2857
2858         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2859         https://bugs.webkit.org/show_bug.cgi?id=191108
2860         <rdar://problem/45690700>
2861
2862         Reviewed by Saam Barati.
2863
2864         * stress/wide-op_catch.js: Added.
2865         (catch):
2866
2867 2018-10-29  Mark Lam  <mark.lam@apple.com>
2868
2869         Correctly detect string overflow when using the 'Function' constructor.
2870         https://bugs.webkit.org/show_bug.cgi?id=184883
2871         <rdar://problem/36320331>
2872
2873         Reviewed by Saam Barati.
2874
2875         I've verified that this passes on 32-bit as well.
2876
2877         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2878
2879 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2880
2881         Add support for GetStack FlushedDouble
2882         https://bugs.webkit.org/show_bug.cgi?id=191012
2883         <rdar://problem/45265141>
2884
2885         Reviewed by Saam Barati.
2886
2887         * stress/get-stack-double.js: Added.
2888         (bar):
2889         (noInline):
2890
2891 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2892
2893         New bytecode format for JSC
2894         https://bugs.webkit.org/show_bug.cgi?id=187373
2895         <rdar://problem/44186758>
2896
2897         Reviewed by Filip Pizlo.
2898
2899         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2900
2901         * stress/maximum-inline-capacity.js: Added.
2902         (test1):
2903         (test3.Foo):
2904         (test3):
2905
2906 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2907
2908         Unreviewed, rolling out r237479 and r237484.
2909         https://bugs.webkit.org/show_bug.cgi?id=190978
2910
2911         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2912
2913         Reverted changesets:
2914
2915         "New bytecode format for JSC"
2916         https://bugs.webkit.org/show_bug.cgi?id=187373
2917         https://trac.webkit.org/changeset/237479
2918
2919         "Gardening: Build fix after r237479."
2920         https://bugs.webkit.org/show_bug.cgi?id=187373
2921         https://trac.webkit.org/changeset/237484
2922
2923 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2924
2925         New bytecode format for JSC
2926         https://bugs.webkit.org/show_bug.cgi?id=187373
2927         <rdar://problem/44186758>
2928
2929         Reviewed by Filip Pizlo.
2930
2931         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2932
2933         * stress/maximum-inline-capacity.js: Added.
2934         (test1):
2935         (test3.Foo):
2936         (test3):
2937
2938 2018-10-26  Mark Lam  <mark.lam@apple.com>
2939
2940         Fix missing edge cases with JSGlobalObjects having a bad time.
2941         https://bugs.webkit.org/show_bug.cgi?id=189028
2942         <rdar://problem/45204939>
2943
2944         Reviewed by Saam Barati.
2945
2946         * stress/regress-189028.js: Added.
2947
2948 2018-10-22  Mark Lam  <mark.lam@apple.com>
2949
2950         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2951         https://bugs.webkit.org/show_bug.cgi?id=190515
2952         <rdar://problem/45222379>
2953
2954         Rubber-stamped by Saam Barati.
2955
2956         Adding another test.
2957
2958         * stress/regress-190515-2.js: Added.
2959
2960 2018-10-22  Mark Lam  <mark.lam@apple.com>
2961
2962         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2963         https://bugs.webkit.org/show_bug.cgi?id=190515
2964         <rdar://problem/45222379>
2965
2966         Reviewed by Saam Barati.
2967
2968         * stress/regress-190515.js: Added.
2969
2970 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2971
2972         Unreviewed, rolling out r237254.
2973         https://bugs.webkit.org/show_bug.cgi?id=190760
2974
2975         "It regresses JetStream 2 by 5% on some iOS devices"
2976         (Requested by saamyjoon on #webkit).
2977
2978         Reverted changeset:
2979
2980         "[JSC] JSC should have "parseFunction" to optimize Function
2981         constructor"
2982         https://bugs.webkit.org/show_bug.cgi?id=190340
2983         https://trac.webkit.org/changeset/237254
2984
2985 2018-10-19  Saam Barati  <sbarati@apple.com>
2986
2987         vmCall should check if we exit before emitting an OSR exit due to exceptions
2988         https://bugs.webkit.org/show_bug.cgi?id=190740
2989         <rdar://problem/45220139>
2990
2991         Reviewed by Mark Lam.
2992
2993         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2994         (foo):
2995
2996 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2997
2998         [ESNext][BigInt] Implement support for "^"
2999         https://bugs.webkit.org/show_bug.cgi?id=186235
3000
3001         Reviewed by Yusuke Suzuki.
3002
3003         * stress/big-int-bitwise-xor-general.js: Added.
3004         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3005         * stress/big-int-bitwise-xor-type-error.js: Added.
3006         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3007
3008 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3009
3010         [BigInt] Add ValueSub into DFG
3011         https://bugs.webkit.org/show_bug.cgi?id=186176
3012
3013         Reviewed by Yusuke Suzuki.
3014
3015         * stress/big-int-subtraction-jit.js:
3016         * stress/value-sub-big-int-prediction-propagation.js: Added.
3017         * stress/value-sub-big-int-untyped.js: Added.
3018         * stress/value-sub-spec-none-case.js: Added.
3019
3020 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3021
3022         [JSC] JSC should have "parseFunction" to optimize Function constructor
3023         https://bugs.webkit.org/show_bug.cgi?id=190340
3024
3025         Reviewed by Mark Lam.
3026
3027         This patch fixes the line number of syntax errors raised by the Function constructor,
3028         since we now parse the final code only once. And we no longer use block statement
3029         for Function constructor's parsing.
3030
3031         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3032         * stress/function-cache-with-parameters-end-position.js: Added.
3033         (shouldBe):
3034         (shouldThrow):
3035         (i.anonymous):
3036         * stress/function-constructor-name.js: Added.
3037         (shouldBe):
3038         (GeneratorFunction):
3039         (AsyncFunction.async):
3040         (AsyncGeneratorFunction.async):
3041         (anonymous):
3042         (async.anonymous):
3043         * test262/expectations.yaml:
3044
3045 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3046
3047         Unreviewed, rolling out r237242.
3048         https://bugs.webkit.org/show_bug.cgi?id=190701
3049
3050         it breaks "stress/sampling-profiler-basic.js" (Requested by
3051         caiolima on #webkit).
3052
3053         Reverted changeset:
3054
3055         "[BigInt] Add ValueSub into DFG"
3056         https://bugs.webkit.org/show_bug.cgi?id=186176
3057         https://trac.webkit.org/changeset/237242
3058
3059 2018-10-17  Keith Miller  <keith_miller@apple.com>
3060
3061         AI does not clear Phantom allocation nodes.
3062         https://bugs.webkit.org/show_bug.cgi?id=190694
3063
3064         Reviewed by Saam Barati.
3065
3066         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3067         (Day):
3068         (DaysInYear):
3069         (TimeInYear):
3070         (TimeFromYear):
3071         (DayFromYear):
3072         (InLeapYear):
3073         (YearFromTime):
3074         (WeekDay):
3075         (DaylightSavingTA):
3076         (GetSecondSundayInMarch):
3077         (TimeInMonth):
3078
3079 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3080
3081         [BigInt] Add ValueSub into DFG
3082         https://bugs.webkit.org/show_bug.cgi?id=186176
3083
3084         Reviewed by Yusuke Suzuki.
3085
3086         * stress/big-int-subtraction-jit.js:
3087         * stress/value-sub-big-int-prediction-propagation.js: Added.
3088         * stress/value-sub-big-int-untyped.js: Added.
3089
3090 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3091
3092         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3093         https://bugs.webkit.org/show_bug.cgi?id=190611
3094
3095         Reviewed by Saam Barati.
3096
3097         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3098         to improve test runtime. On ARM/MIPS this test even timed out when running all
3099         tests.
3100
3101         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3102         (test):
3103
3104 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3105
3106         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3107
3108         Unreviewed gardening.
3109
3110         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3111
3112 2018-10-15  Saam barati  <sbarati@apple.com>
3113
3114         Emit fjcvtzs on ARM64E on Darwin
3115         https://bugs.webkit.org/show_bug.cgi?id=184023
3116
3117         Reviewed by Yusuke Suzuki and Filip Pizlo.
3118
3119         * stress/double-to-int32-NaN.js: Added.
3120         (assert):
3121         (foo):
3122
3123 2018-10-15  Saam Barati  <sbarati@apple.com>
3124
3125         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3126         https://bugs.webkit.org/show_bug.cgi?id=190262
3127         <rdar://problem/44986241>
3128
3129         Reviewed by Mark Lam.
3130
3131         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3132         (test):
3133         * stress/slice-array-storage-with-holes.js: Added.
3134         (main):
3135
3136 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3137
3138         Unreviewed, rolling out r237054.
3139         https://bugs.webkit.org/show_bug.cgi?id=190593
3140
3141         "this regressed JetStream 2 by 6% on iOS" (Requested by
3142         saamyjoon on #webkit).
3143
3144         Reverted changeset:
3145
3146         "[JSC] JSC should have "parseFunction" to optimize Function
3147         constructor"
3148         https://bugs.webkit.org/show_bug.cgi?id=190340
3149         https://trac.webkit.org/changeset/237054
3150
3151 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3152
3153         [JSC] JSON.stringify can accept call-with-no-arguments
3154         https://bugs.webkit.org/show_bug.cgi?id=190343
3155
3156         Reviewed by Mark Lam.
3157
3158         * stress/json-stringify-no-arguments.js: Added.
3159         (shouldBe):
3160
3161 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3162
3163         [JSC] JSC should have "parseFunction" to optimize Function constructor
3164         https://bugs.webkit.org/show_bug.cgi?id=190340
3165
3166         Reviewed by Mark Lam.
3167
3168         This patch fixes the line number of syntax errors raised by the Function constructor,
3169         since we now parse the final code only once. And we no longer use block statement
3170         for Function constructor's parsing.
3171
3172         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3173         * stress/function-cache-with-parameters-end-position.js: Added.
3174         (shouldBe):
3175         (shouldThrow):
3176         (i.anonymous):
3177         * stress/function-constructor-name.js: Added.
3178         (shouldBe):
3179         (GeneratorFunction):
3180         (AsyncFunction.async):
3181         (AsyncGeneratorFunction.async):
3182         (anonymous):
3183         (async.anonymous):
3184         * test262/expectations.yaml:
3185
3186 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3187
3188         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3189         https://bugs.webkit.org/show_bug.cgi?id=190426
3190
3191         Unreviewed gardening.
3192
3193         * stress/sampling-profiler-richards.js:
3194
3195 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3196
3197         [ESNext][BigInt] Implement support for "|"
3198         https://bugs.webkit.org/show_bug.cgi?id=186229
3199
3200         Reviewed by Yusuke Suzuki.
3201
3202         * stress/big-int-bitwise-and-jit.js:
3203         * stress/big-int-bitwise-or-general.js: Added.
3204         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3205         * stress/big-int-bitwise-or-jit.js: Added.
3206         * stress/big-int-bitwise-or-memory-stress.js: Added.
3207         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3208         * stress/big-int-bitwise-or-type-error.js: Added.
3209         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3210
3211 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3212
3213         Skip test on systems with limited memory
3214         https://bugs.webkit.org/show_bug.cgi?id=190310
3215
3216         Invoking runDefault adds test to runlist, skipping the test in the next
3217         line does not prevent the test from executing. Change order of lines such
3218         that runDefault is only executed if test is not executed.
3219
3220         Reviewed by Mark Lam.
3221
3222         * stress/regress-190187.js:
3223
3224 2018-10-03  Saam barati  <sbarati@apple.com>
3225
3226         lowXYZ in FTLLower should always filter the type of the incoming edge
3227         https://bugs.webkit.org/show_bug.cgi?id=189939
3228         <rdar://problem/44407030>
3229
3230         Reviewed by Michael Saboff.
3231
3232         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3233         (foo):
3234         (test):
3235
3236 2018-10-03  Mark Lam  <mark.lam@apple.com>
3237
3238         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3239         https://bugs.webkit.org/show_bug.cgi?id=190187
3240         <rdar://problem/42512909>
3241
3242         Reviewed by Michael Saboff.
3243
3244         * stress/regress-190187.js: Added.
3245
3246 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3247
3248         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3249         https://bugs.webkit.org/show_bug.cgi?id=190033
3250
3251         Reviewed by Yusuke Suzuki.
3252
3253         * stress/big-int-to-string.js:
3254
3255 2018-10-01  Mark Lam  <mark.lam@apple.com>
3256
3257         Function.toString() should also copy the source code of Functions that are class definitions.
3258         https://bugs.webkit.org/show_bug.cgi?id=190186
3259         <rdar://problem/44733360>
3260
3261         Reviewed by Saam Barati.
3262
3263         * stress/regress-190186.js: Added.
3264
3265 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3266
3267         Split NaN-check into separate test
3268         https://bugs.webkit.org/show_bug.cgi?id=190010
3269
3270         Reviewed by Saam Barati.
3271
3272         DataView exposes NaN-representation, which is not necessarily the same on each
3273         architecture. Therefore move the check of the NaN-representation into its own
3274         file such that we can disable this test on MIPS where NaN-representation can be
3275         different on older CPUs.
3276
3277         * stress/dataview-jit-set-nan.js: Added.
3278         (assert):
3279         (test.storeLittleEndian):
3280         (test.storeBigEndian):
3281         (test.store):
3282         (test):
3283         * stress/dataview-jit-set.js:
3284         (test5):
3285
3286 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3287
3288         Unreviewed, rolling out r236647.
3289         https://bugs.webkit.org/show_bug.cgi?id=190124
3290
3291         Breaking test stress/big-int-to-string.js (Requested by
3292         caiolima_ on #webkit).
3293
3294         Reverted changeset:
3295
3296         "[BigInt] BigInt.prototype.toString is broken when radix is
3297         power of 2"
3298         https://bugs.webkit.org/show_bug.cgi?id=190033
3299         https://trac.webkit.org/changeset/236647
3300
3301 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3302
3303         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3304         https://bugs.webkit.org/show_bug.cgi?id=190033
3305
3306         Reviewed by Yusuke Suzuki.
3307
3308         * stress/big-int-to-string.js:
3309
3310 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3311
3312         [ESNext][BigInt] Implement support for "&"
3313         https://bugs.webkit.org/show_bug.cgi?id=186228
3314
3315         Reviewed by Yusuke Suzuki.
3316
3317         * stress/big-int-bitwise-and-general.js: Added.
3318         (assert):
3319         (assert.sameValue):
3320         * stress/big-int-bitwise-and-jit.js: Added.
3321         (let.assert.sameValue):
3322         (bigIntBitAnd):
3323         * stress/big-int-bitwise-and-memory-stress.js: Added.
3324         (assert):
3325         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3326         (assert.sameValue):
3327         (let.o.Symbol.toPrimitive):
3328         (catch):
3329         * stress/big-int-bitwise-and-type-error.js: Added.
3330         (assert):
3331         (assertThrowTypeError):
3332         (let.o.valueOf):
3333         (o.valueOf):
3334         (o.toString):
3335         (o.Symbol.toPrimitive):
3336         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3337         (assert.sameValue):
3338         (testBitAnd):
3339         (let.o.Symbol.toPrimitive):
        (o.valueOf):
        (o.toString):

2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>

        JSC test stress/jsc-read.js doesn't support CRLF
        https://bugs.webkit.org/show_bug.cgi?id=190063

        Reviewed by Yusuke Suzuki.

        In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.

        * stress/jsc-read.js:
        (test):

2018-09-27  Saam barati  <sbarati@apple.com>

        Verify the contents of AssemblerBuffer on arm64e
        https://bugs.webkit.org/show_bug.cgi?id=190057
        <rdar://problem/38916630>

        Reviewed by Mark Lam.

        * stress/regress-189132.js:

2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable test without LLInt on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=190037

        Reviewed by Mark Lam.

        Test runs out of executable memory on ARMv7, do not run
        this test without LLInt enabled.

        * stress/regress-169445.js:

2018-09-26  Keith Miller  <keith_miller@apple.com>

        We should zero unused property storage when rebalancing array storage.
        https://bugs.webkit.org/show_bug.cgi?id=188151

        Reviewed by Michael Saboff.

        * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.

2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#lastIndexOf
        https://bugs.webkit.org/show_bug.cgi?id=189780

        Reviewed by Saam Barati.

        * stress/array-lastindexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-lastindexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-lastindexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-25  Saam Barati  <sbarati@apple.com>

        Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=189940
        <rdar://problem/43640987>

        Reviewed by Mark Lam.

        * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.

2018-09-24  Saam Barati  <sbarati@apple.com>

        Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
        https://bugs.webkit.org/show_bug.cgi?id=189922
        <rdar://problem/44651275>

        Reviewed by Mark Lam.

        * stress/array-indexof-fast-path-effects.js: Added.
        * stress/array-indexof-cached-length.js: Added.

2018-09-24  Saam barati  <sbarati@apple.com>

        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682
        <rdar://problem/43557315>

        Reviewed by Mark Lam.

        * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
        (foo):

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        * stress/sampling-profiler-richards.js: Added.

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==
3583
3584 == Rolled over to ChangeLog-2018-09-11 ==