[JSC] Invalidate old scope operations using global lexical binding epoch
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Invalidate old scope operations using global lexical binding epoch
4         https://bugs.webkit.org/show_bug.cgi?id=193603
5         <rdar://problem/47380869>
6
7         Reviewed by Saam Barati.
8
9         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
10         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
11         (shouldThrow):
12         (bar):
13         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
14         (shouldBe):
15         (get1):
16         (get2):
17         (get1If):
18         (get2If):
19         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
20         (shouldThrow):
21         (foo):
22
23 2019-01-17  Saam barati  <sbarati@apple.com>
24
25         StringObjectUse should not be a structure check for the original string object structure
26         https://bugs.webkit.org/show_bug.cgi?id=193483
27         <rdar://problem/47280522>
28
29         Reviewed by Yusuke Suzuki.
30
31         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
32         (foo):
33         (a.valueOf.0):
34
35 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
36
37         [JSC] ToThis omission in DFGByteCodeParser is wrong
38         https://bugs.webkit.org/show_bug.cgi?id=193513
39         <rdar://problem/45842236>
40
41         Reviewed by Saam Barati.
42
43         * stress/to-this-omission-with-different-strict-modes.js: Added.
44         (thisA):
45         (thisAStrictWrapper):
46
47 2019-01-15  Mark Lam  <mark.lam@apple.com>
48
49         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
50         https://bugs.webkit.org/show_bug.cgi?id=193423
51         <rdar://problem/46209355>
52
53         Reviewed by Saam Barati.
54
55         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
56         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
57         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
58         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
59
60 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
61
62         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
63         https://bugs.webkit.org/show_bug.cgi?id=193438
64         <rdar://problem/45581249>
65
66         Reviewed by Saam Barati and Keith Miller.
67
68         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
69         Then, GetByVal(String) crashed.
70
71         * stress/string-get-by-val-lowering.js: Added.
72         (shouldBe):
73         (test):
74         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
75         (Hello):
76         (foo):
77
78 2019-01-15  Tomas Popela  <tpopela@redhat.com>
79
80         Unreviewed, skip JIT tests if it's not enabled
81
82         * stress/bit-op-with-object-returning-int32.js:
83
84 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
85
86         DFGByteCodeParser rules for bitwise operations should consider type of their operands
87         https://bugs.webkit.org/show_bug.cgi?id=192966
88
89         Reviewed by Yusuke Suzuki.
90
91         * stress/bit-op-with-object-returning-int32.js: Added.
92
93 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
94
95         Skip a slow test and a flakey test on arm
96
97         Unreviewed gardening.
98
99         * typeProfiler/getter-richards.js:
100         this test always times out, it used to be always skipped on arm and
101         mips, but got accidentally enabled by r237919 now that we have DFG on
102         arm. Also skipping on mips as we plan to soon enable DFG for it too.
103
104 2019-01-14  Keith Miller  <keith_miller@apple.com>
105
106         Skip type-check-hoisting-phase-hoist... with no jit
107         https://bugs.webkit.org/show_bug.cgi?id=193421
108
109         Reviewed by Mark Lam.
110
111         It's timing out the 32-bit bots and takes 330 seconds
112         on my machine when run by itself.
113
114         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
115
116 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
117
118         [JSC] AI should check the given constant's array type when folding GetByVal into constant
119         https://bugs.webkit.org/show_bug.cgi?id=193413
120         <rdar://problem/46092389>
121
122         Reviewed by Keith Miller.
123
124         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
125         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
126         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
127         but GetByVal does not have appropriate ArrayModes, JSC crashes.
128
129         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
130         (compareArray):
131
132 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
133
134         [BigInt] Literal parsing is crashing when used inside a Object Literal
135         https://bugs.webkit.org/show_bug.cgi?id=193404
136
137         Reviewed by Yusuke Suzuki.
138
139         * stress/big-int-literal-inside-literal-object.js: Added.
140
141 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
142
143         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
144         https://bugs.webkit.org/show_bug.cgi?id=193372
145
146         Reviewed by Saam Barati.
147
148         * stress/typed-array-array-modes-profile.js: Added.
149         (foo):
150
151 2019-01-14  Mark Lam  <mark.lam@apple.com>
152
153         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
154         https://bugs.webkit.org/show_bug.cgi?id=193402
155         <rdar://problem/46012309>
156
157         Reviewed by Keith Miller.
158
159         * stress/regexp-compile-oom.js:
160         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
161           is enabled.  As a result, it will fail on cloop builds though there is no bug.
162
163 2019-01-11  Saam barati  <sbarati@apple.com>
164
165         DFG combined liveness can be wrong for terminal basic blocks
166         https://bugs.webkit.org/show_bug.cgi?id=193304
167         <rdar://problem/45268632>
168
169         Reviewed by Yusuke Suzuki.
170
171         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
172
173 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
174
175         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
176         https://bugs.webkit.org/show_bug.cgi?id=193308
177         <rdar://problem/45546542>
178
179         Reviewed by Saam Barati.
180
181         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
182         (shouldThrow):
183         (shouldBe):
184         (foo):
185         (get shouldThrow):
186         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
187         (shouldThrow):
188         (shouldBe):
189         (foo):
190         (get shouldBe):
191         (get shouldThrow):
192         (get return):
193         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
194         (shouldThrow):
195         (shouldBe):
196         (foo):
197         (get shouldBe):
198         (get shouldThrow):
199         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
200         (shouldThrow):
201         (shouldBe):
202         (foo):
203         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
204         (shouldThrow):
205         (shouldBe):
206         (foo):
207         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
208         (shouldThrow):
209         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
210         (shouldThrow):
211         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
212         (shouldThrow):
213         (shouldBe):
214         (foo):
215         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
216         (shouldThrow):
217         (shouldBe):
218         (foo):
219         (get shouldBe):
220         (get shouldThrow):
221         (get return):
222         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
223         (shouldThrow):
224         (shouldBe):
225         (foo):
226         (get shouldBe):
227         (get shouldThrow):
228         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
229         (shouldThrow):
230         (shouldBe):
231         (foo):
232         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
233         (shouldThrow):
234         (shouldBe):
235         (foo):
236
237 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
238
239         Enable DFG on ARM/Linux again
240         https://bugs.webkit.org/show_bug.cgi?id=192496
241
242         Reviewed by Yusuke Suzuki.
243
244         Test wasn't really skipped before moving the line with skip
245         to the top.
246
247         * stress/regress-192717.js:
248
249 2019-01-10  Commit Queue  <commit-queue@webkit.org>
250
251         Unreviewed, rolling out r239825.
252         https://bugs.webkit.org/show_bug.cgi?id=193330
253
254         Broke tests on armv7/linux bots (Requested by guijemont on
255         #webkit).
256
257         Reverted changeset:
258
259         "Enable DFG on ARM/Linux again"
260         https://bugs.webkit.org/show_bug.cgi?id=192496
261         https://trac.webkit.org/changeset/239825
262
263 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
264
265         Enable DFG on ARM/Linux again
266         https://bugs.webkit.org/show_bug.cgi?id=192496
267
268         Reviewed by Yusuke Suzuki.
269
270         Test wasn't really skipped before moving the line with skip
271         to the top.
272
273         * stress/regress-192717.js:
274
275 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
276
277         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
278         https://bugs.webkit.org/show_bug.cgi?id=193127
279
280         Reviewed by Saam Barati.
281
282         * stress/array-species-create-should-handle-masquerader.js: Added.
283         (shouldThrow):
284         * stress/is-undefined-or-null-builtin.js: Added.
285         (shouldBe):
286         (isUndefinedOrNull.vm.createBuiltin):
287
288 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
289
290         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
291         https://bugs.webkit.org/show_bug.cgi?id=193221
292
293         Reviewed by Mark Lam.
294
295         * stress/put-by-id-flags.js: Added.
296         (f):
297         (g):
298         (numberOfDFGCompiles):
299
300 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
301
302         Baseline version of get_by_id may corrupt metadata
303         https://bugs.webkit.org/show_bug.cgi?id=193085
304         <rdar://problem/23453006>
305
306         Reviewed by Saam Barati.
307
308         * stress/get-by-id-change-mode.js: Added.
309         (forEach):
310
311 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
312
313         [JSC] Optimize Object.prototype.toString
314         https://bugs.webkit.org/show_bug.cgi?id=193031
315
316         Reviewed by Saam Barati.
317
318         * stress/object-tostring-changed-proto.js: Added.
319         (shouldBe):
320         (test):
321         * stress/object-tostring-changed.js: Added.
322         (shouldBe):
323         (test):
324         * stress/object-tostring-misc.js: Added.
325         (shouldBe):
326         (test):
327         (i.switch):
328         * stress/object-tostring-other.js: Added.
329         (shouldBe):
330         (test):
331         * stress/object-tostring-untyped.js: Added.
332         (shouldBe):
333         (test):
334         (i.switch):
335
336 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
337
338         test262-runner misbehaves when test file YAML has a trailing space
339         https://bugs.webkit.org/show_bug.cgi?id=193053
340
341         Reviewed by Yusuke Suzuki.
342
343         * test262/expectations.yaml:
344         Mark two dozen tests as passing (and correct the output of another).
345
346 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
347
348         Unreviewed, JSTests gardening with memoryLimited
349
350         * stress/string-overflow-createError.js:
351
352 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
353
354         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
355         https://bugs.webkit.org/show_bug.cgi?id=193050
356
357         Reviewed by Yusuke Suzuki.
358
359         * test262.yaml:
360         * test262/expectations.yaml:
361         Mark 16 tests as passing.
362
363 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
364
365         [BigInt] Support BigInt in JSON.stringify
366         https://bugs.webkit.org/show_bug.cgi?id=192624
367
368         Reviewed by Saam Barati.
369
370         * stress/big-int-json-stringify-to-json.js: Added.
371         (shouldBe):
372         (shouldThrow):
373         (BigInt.prototype.toJSON):
374         (shouldBe.JSON.stringify):
375         * stress/big-int-json-stringify.js: Added.
376         (shouldBe):
377         (shouldThrow):
378
379 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
380
381         [JSC] Implement "well-formed JSON.stringify" proposal
382         https://bugs.webkit.org/show_bug.cgi?id=191677
383
384         Reviewed by Darin Adler.
385
386         * stress/json-surrogate-pair.js: Added.
387         (shouldBe):
388         * test262/expectations.yaml:
389
390 2018-12-20  Keith Miller  <keith_miller@apple.com>
391
392         Add support for globalThis
393         https://bugs.webkit.org/show_bug.cgi?id=165171
394
395         Reviewed by Mark Lam.
396
397         * test262/config.yaml:
398
399 2018-12-19  Keith Miller  <keith_miller@apple.com>
400
401         Update test262 configuration to not run tests dependent on ICU version.
402         https://bugs.webkit.org/show_bug.cgi?id=192920
403
404         Reviewed by Saam Barati.
405
406         * test262/expectations.yaml:
407
408 2018-12-20  Mark Lam  <mark.lam@apple.com>
409
410         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
411         https://bugs.webkit.org/show_bug.cgi?id=192939
412         <rdar://problem/46869516>
413
414         Reviewed by Keith Miller.
415
416         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
417
418 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
419
420         WTF::String and StringImpl overflow MaxLength
421         https://bugs.webkit.org/show_bug.cgi?id=192853
422         <rdar://problem/45726906>
423
424         Reviewed by Mark Lam.
425
426         * stress/string-16bit-repeat-overflow.js: Added.
427         (catch):
428
429 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
430
431         Unreviewed follow-up to r192914.
432
433         * test262/expectations.yaml:
434         Add the last 20 missing expectations.
435
436 2018-12-19  Keith Miller  <keith_miller@apple.com>
437
438         Fix test262 expectations
439         https://bugs.webkit.org/show_bug.cgi?id=192914
440
441         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
442
443         * test262/expectations.yaml:
444
445 2018-12-19  Keith Miller  <keith_miller@apple.com>
446
447         Update test262 tests.
448         https://bugs.webkit.org/show_bug.cgi?id=192907
449
450         Rubber stamped by Mark Lam.
451
452         * test262/*: Omitted because prepare-changelog crashes.
453
454 2018-12-19  Mark Lam  <mark.lam@apple.com>
455
456         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
457         https://bugs.webkit.org/show_bug.cgi?id=192464
458         <rdar://problem/46519455>
459
460         Reviewed by Saam Barati.
461
462         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
463         microbenchmark.
464
465         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
466         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
467
468 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
469
470         String overflow in JSC::createError results in ASSERT in WTF::makeString
471         https://bugs.webkit.org/show_bug.cgi?id=192833
472         <rdar://problem/45706868>
473
474         Reviewed by Mark Lam.
475
476         * stress/string-overflow-createError.js: Added.
477
478 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
479
480         Error message for `-x ** y` contains a typo.
481         https://bugs.webkit.org/show_bug.cgi?id=192832
482
483         Reviewed by Saam Barati.
484
485         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
486         (assert.assert.return.throws):
487         * stress/pow-expects-update-expression-on-lhs.js:
488         (throw.new.Error):
489         Update test expectations which match against the exact error message.
490
491 2018-12-18  Mark Lam  <mark.lam@apple.com>
492
493         Gardening: test options fix.
494         https://bugs.webkit.org/show_bug.cgi?id=192822
495
496         Unreviewed.
497
498         * stress/json-stringify-string-builder-overflow.js:
499
500 2018-12-18  Mark Lam  <mark.lam@apple.com>
501
502         JSON.stringify() should throw OOM on StringBuilder overflows.
503         https://bugs.webkit.org/show_bug.cgi?id=192822
504         <rdar://problem/46670577>
505
506         Reviewed by Saam Barati.
507
508         * stress/json-stringify-string-builder-overflow.js: Added.
509
510 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
511
512         Redeclaration of var over let/const/class should be a syntax error.
513         https://bugs.webkit.org/show_bug.cgi?id=192298
514
515         Reviewed by Keith Miller.
516
517         * test262.yaml:
518         * test262/expectations.yaml:
519         Mark 46 tests as passing.
520
521         * stress/block-scope-redeclarations.js:
522         Add some new tests.
523
524         * stress/for-in-invalidate-context-weird-assignments.js:
525         * stress/for-in-tests.js:
526         Replace tests for outdated behavior with tests for SyntaxError.
527
528         * ChakraCore/test/LetConst/defer3.baseline-jsc:
529         * ChakraCore/test/LetConst/letvar.baseline-jsc:
530         Update expectations.
531
532 2018-12-18  Mark Lam  <mark.lam@apple.com>
533
534         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
535         https://bugs.webkit.org/show_bug.cgi?id=191374
536         <rdar://problem/46525447>
537
538         Reviewed by Yusuke Suzuki.
539
540         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
541
542         * stress/elidable-new-object-roflcopter-then-exit.js:
543
544 2018-12-17  Mark Lam  <mark.lam@apple.com>
545
546         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
547         https://bugs.webkit.org/show_bug.cgi?id=192019
548         <rdar://problem/46525456>
549
550         Reviewed by Yusuke Suzuki.
551
552         The test runs too slow on 32-bit.
553
554         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
555
556 2018-12-17  Mark Lam  <mark.lam@apple.com>
557
558         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
559         https://bugs.webkit.org/show_bug.cgi?id=191373
560         <rdar://problem/46525458>
561
562         Reviewed by Yusuke Suzuki.
563
564         The test is already slow running with a JIT on 64-bit.  It will always timeout
565         on 32-bit without a JIT.
566
567         * stress/materialize-regexp-cyclic-regexp.js:
568
569 2018-12-17  Mark Lam  <mark.lam@apple.com>
570
571         Array unshift/shift should not race against the AI in the compiler thread.
572         https://bugs.webkit.org/show_bug.cgi?id=192795
573         <rdar://problem/46724263>
574
575         Reviewed by Saam Barati.
576
577         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
578
579 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
580
581         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
582         https://bugs.webkit.org/show_bug.cgi?id=190047
583
584         Reviewed by Saam Barati.
585
586         * stress/object-keys-cached-zero.js: Added.
587         (shouldBe):
588         (test):
589         * stress/object-keys-changed-attribute.js: Added.
590         (shouldBe):
591         (test):
592         * stress/object-keys-changed-index.js: Added.
593         (shouldBe):
594         (test):
595         * stress/object-keys-changed.js: Added.
596         (shouldBe):
597         (test):
598         * stress/object-keys-indexed-non-cache.js: Added.
599         (shouldBe):
600         (test):
601         * stress/object-keys-overrides-get-property-names.js: Added.
602         (shouldBe):
603         (test):
604         (noInline):
605
606 2018-12-17  Mark Lam  <mark.lam@apple.com>
607
608         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
609         https://bugs.webkit.org/show_bug.cgi?id=192779
610         <rdar://problem/46775869>
611
612         Reviewed by Saam Barati.
613
614         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
615
616 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
617
618         Unreviewed test gardening, address a syntax error in a new test.
619
620         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
621
622 2018-12-17  Mark Lam  <mark.lam@apple.com>
623
624         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
625         https://bugs.webkit.org/show_bug.cgi?id=192776
626         <rdar://problem/46772368>
627
628         Reviewed by Keith Miller.
629
630         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
631
632 2018-12-17  Mark Lam  <mark.lam@apple.com>
633
634         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
635         https://bugs.webkit.org/show_bug.cgi?id=192770
636         <rdar://problem/46449037>
637
638         Reviewed by Keith Miller.
639
640         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
641
642 2018-12-14  Mark Lam  <mark.lam@apple.com>
643
644         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
645         https://bugs.webkit.org/show_bug.cgi?id=192717
646         <rdar://problem/46660677>
647
648         Reviewed by Saam Barati.
649
650         * stress/regress-192717.js: Added.
651
652 2018-12-14  Commit Queue  <commit-queue@webkit.org>
653
654         Unreviewed, rolling out r239153, r239154, and r239155.
655         https://bugs.webkit.org/show_bug.cgi?id=192715
656
657         Caused flaky GC-related crashes seen with layout tests
658         (Requested by ryanhaddad on #webkit).
659
660         Reverted changesets:
661
662         "[JSC] Optimize Object.keys by caching own keys results in
663         StructureRareData"
664         https://bugs.webkit.org/show_bug.cgi?id=190047
665         https://trac.webkit.org/changeset/239153
666
667         "Unreviewed, build fix after r239153"
668         https://bugs.webkit.org/show_bug.cgi?id=190047
669         https://trac.webkit.org/changeset/239154
670
671         "Unreviewed, build fix after r239153, part 2"
672         https://bugs.webkit.org/show_bug.cgi?id=190047
673         https://trac.webkit.org/changeset/239155
674
675 2018-12-14  Keith Miller  <keith_miller@apple.com>
676
677         Callers of JSString::getIndex should check for OOM exceptions
678         https://bugs.webkit.org/show_bug.cgi?id=192709
679
680         Reviewed by Mark Lam.
681
682         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
683
684 2018-12-13  Mark Lam  <mark.lam@apple.com>
685
686         Add a missing exception check.
687         https://bugs.webkit.org/show_bug.cgi?id=192626
688         <rdar://problem/46662163>
689
690         Reviewed by Keith Miller.
691
692         * stress/regress-192626.js: Added.
693
694 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
695
696         [BigInt] Add ValueDiv into DFG
697         https://bugs.webkit.org/show_bug.cgi?id=186178
698
699         Reviewed by Yusuke Suzuki.
700
701         * stress/big-int-div-jit-osr.js: Added.
702         * stress/big-int-div-jit-untyped.js: Added.
703         * stress/value-div-fixup-int32-big-int.js: Added.
704
705 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
706
707         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
708         https://bugs.webkit.org/show_bug.cgi?id=190047
709
710         Reviewed by Keith Miller.
711
712         * stress/object-keys-cached-zero.js: Added.
713         (shouldBe):
714         (test):
715         * stress/object-keys-changed-attribute.js: Added.
716         (shouldBe):
717         (test):
718         * stress/object-keys-changed-index.js: Added.
719         (shouldBe):
720         (test):
721         * stress/object-keys-changed.js: Added.
722         (shouldBe):
723         (test):
724         * stress/object-keys-indexed-non-cache.js: Added.
725         (shouldBe):
726         (test):
727         * stress/object-keys-overrides-get-property-names.js: Added.
728         (shouldBe):
729         (test):
730         (noInline):
731
732 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
733
734         [DFG][FTL] Add NewSymbol
735         https://bugs.webkit.org/show_bug.cgi?id=192620
736
737         Reviewed by Saam Barati.
738
739         * microbenchmarks/symbol-creation.js: Added.
740         (test):
741         * stress/symbol-description-identity.js: Added.
742         (shouldBe):
743         (test):
744         * stress/symbol-identity.js: Added.
745         (shouldBe):
746         (test):
747         * stress/symbol-with-description-throw-error.js: Added.
748         (shouldBe):
749         (shouldThrow):
750         (test):
751         (object.toString):
752
753 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
754
755         [BigInt] Implement DFG/FTL typeof for BigInt
756         https://bugs.webkit.org/show_bug.cgi?id=192619
757
758         Reviewed by Keith Miller.
759
760         * stress/big-int-boolean-proven-type.js: Added.
761         (assert):
762         (bool):
763         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
764         (assert):
765         (typeOf):
766         (i.switch):
767         * stress/big-int-type-of-proven-type-non-constant.js: Added.
768         (assert):
769         (typeOf):
770         * stress/big-int-type-of.js:
771         (typeOf):
772         (func):
773
774 2018-12-10  Mark Lam  <mark.lam@apple.com>
775
776         PropertyAttribute needs a CustomValue bit.
777         https://bugs.webkit.org/show_bug.cgi?id=191993
778         <rdar://problem/46264467>
779
780         Reviewed by Saam Barati.
781
782         * stress/regress-191993.js: Added.
783
784 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
785
786         [BigInt] Add ValueMul into DFG
787         https://bugs.webkit.org/show_bug.cgi?id=186175
788
789         Reviewed by Yusuke Suzuki.
790
791         * stress/big-int-mul-jit-osr.js: Added.
792         * stress/big-int-mul-jit-untyped.js: Added.
793         * stress/value-mul-fixup-int32-big-int.js: Added.
794
795 2018-12-06  Keith Miller  <keith_miller@apple.com>
796
797         stress/big-wasm-memory tests failing on 32-bit JSC bot
798         https://bugs.webkit.org/show_bug.cgi?id=192020
799
800         Reviewed by Saam Barati.
801
802         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
803         the wasm stress tests if the WebAssembly object does not exist.
804
805         * stress/big-wasm-memory-grow-no-max.js:
806         (test.foo):
807         (test):
808         (foo): Deleted.
809         (catch): Deleted.
810         * stress/big-wasm-memory-grow.js:
811         (test.foo):
812         (test):
813         (foo): Deleted.
814         (catch): Deleted.
815         * stress/big-wasm-memory.js:
816         (test.foo):
817         (test):
818         (foo): Deleted.
819         (catch): Deleted.
820
821 2018-12-05  Mark Lam  <mark.lam@apple.com>
822
823         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
824         https://bugs.webkit.org/show_bug.cgi?id=192441
825         <rdar://problem/46480355>
826
827         Reviewed by Saam Barati.
828
829         * stress/regress-192441.js: Added.
830
831 2018-12-04  Mark Lam  <mark.lam@apple.com>
832
833         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
834         https://bugs.webkit.org/show_bug.cgi?id=192386
835         <rdar://problem/46445516>
836
837         Reviewed by Saam Barati.
838
839         * stress/regress-192386.js: Added.
840
841 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
842
843         [ESNext][BigInt] Support logic operations
844         https://bugs.webkit.org/show_bug.cgi?id=179903
845
846         Reviewed by Yusuke Suzuki.
847
848         * stress/big-int-branch-usage.js: Added.
849         * stress/big-int-logical-and.js: Added.
850         * stress/big-int-logical-not.js: Added.
851         * stress/big-int-logical-or.js: Added.
852
853 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
854
855         Unreviewed, rolling out r238833.
856
857         Breaks macOS and iOS debug builds.
858
859         Reverted changeset:
860
861         "[ESNext][BigInt] Support logic operations"
862         https://bugs.webkit.org/show_bug.cgi?id=179903
863         https://trac.webkit.org/changeset/238833
864
865 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
866
867         [ESNext][BigInt] Support logic operations
868         https://bugs.webkit.org/show_bug.cgi?id=179903
869
870         Reviewed by Yusuke Suzuki.
871
872         * stress/big-int-branch-usage.js: Added.
873         * stress/big-int-logical-and.js: Added.
874         * stress/big-int-logical-not.js: Added.
875         * stress/big-int-logical-or.js: Added.
876
877 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
878
879         [ESNext][BigInt] Implement support for "<<" and ">>"
880         https://bugs.webkit.org/show_bug.cgi?id=186233
881
882         Reviewed by Yusuke Suzuki.
883
884         * stress/big-int-left-shift-general.js: Added.
885         * stress/big-int-left-shift-range-error.js: Added.
886         * stress/big-int-left-shift-type-error.js: Added.
887         * stress/big-int-left-shift-wrapped-value.js: Added.
888         * stress/big-int-right-shift-general.js: Added.
889         * stress/big-int-right-shift-type-error.js: Added.
890         * stress/big-int-right-shift-wrapped-value.js: Added.
891         * stress/left-shift-to-primitive-precedence.js: Added.
892         * stress/right-shift-to-primitive-precedence.js: Added.
893
894 2018-11-30  Dean Jackson  <dino@apple.com>
895
896         Add first-class support for .mjs files in jsc binary
897         https://bugs.webkit.org/show_bug.cgi?id=192190
898         <rdar://problem/46375715>
899
900         Reviewed by Keith Miller.
901
902         * stress/simple-module.mjs: Added.
903         * stress/simple-script.js: Added.
904
905 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
906
907         [BigInt] Implement ValueBitXor into DFG
908         https://bugs.webkit.org/show_bug.cgi?id=190264
909
910         Reviewed by Yusuke Suzuki.
911
912         * stress/big-int-bitwise-xor-jit.js: Added.
913         * stress/big-int-bitwise-xor-memory-stress.js: Added.
914         * stress/big-int-bitwise-xor-untyped.js: Added.
915
916 2018-11-27  Saam barati  <sbarati@apple.com>
917
918         r238510 broke scopes of size zero
919         https://bugs.webkit.org/show_bug.cgi?id=192033
920         <rdar://problem/46281734>
921
922         Reviewed by Keith Miller.
923
924         * stress/r238510-bad-loop.js: Added.
925         (foo):
926
927 2018-11-27  Mark Lam  <mark.lam@apple.com>
928
929         [Re-landing] NaNs read from Wasm code needs to be be purified.
930         https://bugs.webkit.org/show_bug.cgi?id=191056
931         <rdar://problem/45660341>
932
933         Reviewed by Filip Pizlo.
934
935         * wasm/regress/regress-191056.js: Added.
936
937 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
938
939         Unreviewed, rolling out r238509.
940
941         Causes JSC tests to fail on iOS.
942
943         Reverted changeset:
944
945         "NaNs read from Wasm code needs to be be purified."
946         https://bugs.webkit.org/show_bug.cgi?id=191056
947         https://trac.webkit.org/changeset/238509
948
949 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
950
951         Re-introduce op_bitnot
952         https://bugs.webkit.org/show_bug.cgi?id=190923
953
954         Reviewed by Yusuke Suzuki.
955
956         * stress/bit-not-must-generate.js: Added.
957         * stress/bitwise-not-no-int32.js: Added.
958
959 2018-11-26  Saam barati  <sbarati@apple.com>
960
961         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
962         https://bugs.webkit.org/show_bug.cgi?id=191956
963         <rdar://problem/45665806>
964
965         Reviewed by Yusuke Suzuki.
966
967         * stress/end-basic-block-set-local-should-filter-type.js: Added.
968         (bar):
969         (foo):
970
971 2018-11-26  Saam barati  <sbarati@apple.com>
972
973         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
974         https://bugs.webkit.org/show_bug.cgi?id=191958
975         <rdar://problem/46221877>
976
977         Reviewed by Yusuke Suzuki.
978
979         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
980         (x):
981         (foo):
982
983 2018-11-26  Mark Lam  <mark.lam@apple.com>
984
985         NaNs read from Wasm code needs to be be purified.
986         https://bugs.webkit.org/show_bug.cgi?id=191056
987         <rdar://problem/45660341>
988
989         Reviewed by Filip Pizlo.
990
991         * wasm/regress/regress-191056.js: Added.
992
993 2018-11-26  Michael Saboff  <msaboff@apple.com>
994
995         32-bit JSC test failure: stress/regexp-compile-oom.js
996         https://bugs.webkit.org/show_bug.cgi?id=191375
997
998         Reviewed by Mark Lam.
999
1000         Disabled the test for 32 bit platforms.
1001
1002         * stress/regexp-compile-oom.js:
1003
1004 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1005
1006         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1007         https://bugs.webkit.org/show_bug.cgi?id=191716
1008         <rdar://problem/45723878>
1009
1010         Reviewed by Saam Barati.
1011
1012         * stress/regress-187373.js: Added.
1013         (async.fn):
1014
1015 2018-11-21  Saam barati  <sbarati@apple.com>
1016
1017         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1018         https://bugs.webkit.org/show_bug.cgi?id=191897
1019         <rdar://problem/45871998>
1020
1021         Reviewed by Mark Lam.
1022
1023         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1024         (bar):
1025         (foo):
1026
1027 2018-11-21  Saam barati  <sbarati@apple.com>
1028
1029         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1030         https://bugs.webkit.org/show_bug.cgi?id=191895
1031         <rdar://problem/46167406>
1032
1033         Reviewed by Mark Lam.
1034
1035         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1036         (foo):
1037         (bar):
1038
1039 2018-11-21  Mark Lam  <mark.lam@apple.com>
1040
1041         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1042         https://bugs.webkit.org/show_bug.cgi?id=191776
1043         <rdar://problem/46152851>
1044
1045         Reviewed by Saam Barati.
1046
1047         * stress/big-wasm-memory-grow-no-max.js:
1048         * stress/big-wasm-memory-grow.js:
1049         * stress/big-wasm-memory.js:
1050         - updated these to expect an OutOfMemoryError.
1051
1052         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1053         (Binary.prototype.emit_u8):
1054         (Binary.prototype.emit_u32v):
1055         (Binary.prototype.emit_header):
1056         (Binary.prototype.emit_section):
1057         (Binary):
1058         (WasmModuleBuilder):
1059         (WasmModuleBuilder.prototype.addMemory):
1060         (WasmModuleBuilder.prototype.toArray):
1061         (WasmModuleBuilder.prototype.toBuffer):
1062         (WasmModuleBuilder.prototype.instantiate):
1063         (catch):
1064         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1065         (catch):
1066
1067 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1068
1069         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1070         https://bugs.webkit.org/show_bug.cgi?id=190836
1071
1072         Reviewed by Saam Barati and Yusuke Suzuki.
1073
1074         * stress/big-int-out-of-memory-tests.js: Added.
1075
1076 2018-11-20  Mark Lam  <mark.lam@apple.com>
1077
1078         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1079         https://bugs.webkit.org/show_bug.cgi?id=191856
1080         <rdar://problem/46089992>
1081
1082         Reviewed by Yusuke Suzuki.
1083
1084         * stress/regress-191856.js: Added.
1085         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1086
1087 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1088
1089         Enable JIT on ARM/Linux
1090         https://bugs.webkit.org/show_bug.cgi?id=191548
1091
1092         Reviewed by Yusuke Suzuki.
1093
1094         Disable test on system with limited memory. Program was killed by
1095         the OS before the exception was thrown.
1096
1097         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1098
1099 2018-11-20  Saam barati  <sbarati@apple.com>
1100
1101         Merging an IC variant may lead to the IC status containing overlapping structure sets
1102         https://bugs.webkit.org/show_bug.cgi?id=191869
1103         <rdar://problem/45403453>
1104
1105         Reviewed by Mark Lam.
1106
1107         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1108
1109 2018-11-19  Mark Lam  <mark.lam@apple.com>
1110
1111         globalFuncImportModule() should return a promise when it clears exceptions.
1112         https://bugs.webkit.org/show_bug.cgi?id=191792
1113         <rdar://problem/46090763>
1114
1115         Reviewed by Michael Saboff.
1116
1117         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1118
1119 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1120
1121         Skip new memory-hungry tests on memory limited devices
1122
1123         Unreviewed gardening.
1124
1125         * stress/big-wasm-memory-grow-no-max.js:
1126         * stress/big-wasm-memory-grow.js:
1127         * stress/big-wasm-memory.js:
1128
1129 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1130
1131         Unreviewed, rolling in the rest of r237254
1132         https://bugs.webkit.org/show_bug.cgi?id=190340
1133
1134         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1135         * stress/function-cache-with-parameters-end-position.js: Added.
1136         (shouldBe):
1137         (shouldThrow):
1138         (i.anonymous):
1139         * stress/function-constructor-name.js: Added.
1140         (shouldBe):
1141         (GeneratorFunction):
1142         (AsyncFunction.async):
1143         (AsyncGeneratorFunction.async):
1144         (anonymous):
1145         (async.anonymous):
1146         * test262/expectations.yaml:
1147
1148 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1149
1150         All users of ArrayBuffer should agree on the same max size
1151         https://bugs.webkit.org/show_bug.cgi?id=191771
1152
1153         Reviewed by Mark Lam.
1154
1155         * stress/big-wasm-memory-grow-no-max.js: Added.
1156         (foo):
1157         (catch):
1158         * stress/big-wasm-memory-grow.js: Added.
1159         (foo):
1160         (catch):
1161         * stress/big-wasm-memory.js: Added.
1162         (foo):
1163         (catch):
1164
1165 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1166
1167         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1168         run for each JSC config since they're regression tests for runtime bugs.
1169
1170         * stress/json-stringified-overflow-2.js:
1171         * stress/json-stringified-overflow.js:
1172
1173 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1174
1175         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1176         config since they're regression tests for runtime bugs.
1177
1178         * stress/large-unshift-splice.js:
1179         * stress/regress-185888.js:
1180
1181 2018-11-16  Saam Barati  <sbarati@apple.com>
1182
1183         KnownCellUse should also have SpecCellCheck as its type filter
1184         https://bugs.webkit.org/show_bug.cgi?id=191729
1185         <rdar://problem/45872852>
1186
1187         Reviewed by Filip Pizlo.
1188
1189         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1190         (C):
1191
1192 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1193
1194         Fix assertion failure on BytecodeGenerator::recordOpcode
1195         https://bugs.webkit.org/show_bug.cgi?id=191724
1196         <rdar://problem/45724395>
1197
1198         Reviewed by Saam Barati.
1199
1200         * stress/regress-187373-2.js: Added.
1201         (foo):
1202
1203 2018-11-15  Mark Lam  <mark.lam@apple.com>
1204
1205         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1206         https://bugs.webkit.org/show_bug.cgi?id=191730
1207         <rdar://problem/46048517>
1208
1209         Reviewed by Saam Barati.
1210
1211         * stress/regress-187006.js: Removed.
1212           - this test is invalid because its sole purpose is to test for the non-spec
1213             compliant behavior that we just fixed.
1214
1215         * stress/regress-191730.js: Added.
1216
1217 2018-11-15  Mark Lam  <mark.lam@apple.com>
1218
1219         RegExp operations should not take fast patch if lastIndex is not numeric.
1220         https://bugs.webkit.org/show_bug.cgi?id=191731
1221         <rdar://problem/46017305>
1222
1223         Reviewed by Saam Barati.
1224
1225         * stress/regress-191731.js: Added.
1226
1227 2018-11-13  Saam Barati  <sbarati@apple.com>
1228
1229         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1230         https://bugs.webkit.org/show_bug.cgi?id=191600
1231
1232         Reviewed by Mark Lam.
1233
1234         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1235         (foo):
1236         (test):
1237         (bar):
1238
1239 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1240
1241         Unreviewed, rolling out r238132.
1242
1243         The test added with this change is timing out on Debug JSC
1244         bots.
1245
1246         Reverted changeset:
1247
1248         "[BigInt] JSBigInt::createWithLength should throw when length
1249         is greater than JSBigInt::maxLength"
1250         https://bugs.webkit.org/show_bug.cgi?id=190836
1251         https://trac.webkit.org/changeset/238132
1252
1253 2018-11-13  Mark Lam  <mark.lam@apple.com>
1254
1255         Add OOM detection to StringPrototype's substituteBackreferences().
1256         https://bugs.webkit.org/show_bug.cgi?id=191563
1257         <rdar://problem/45720428>
1258
1259         Reviewed by Saam Barati.
1260
1261         * stress/regress-191563.js: Added.
1262
1263 2018-11-13  Mark Lam  <mark.lam@apple.com>
1264
1265         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1266         https://bugs.webkit.org/show_bug.cgi?id=191579
1267         <rdar://problem/45942472>
1268
1269         Reviewed by Saam Barati.
1270
1271         * stress/regress-191579.js: Added.
1272
1273 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1274
1275         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1276         https://bugs.webkit.org/show_bug.cgi?id=190836
1277
1278         Reviewed by Saam Barati.
1279
1280         * stress/big-int-out-of-memory-tests.js: Added.
1281
1282 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1283
1284         U+180E is no longer a whitespace character
1285         https://bugs.webkit.org/show_bug.cgi?id=191415
1286
1287         Reviewed by Saam Barati.
1288
1289         * ChakraCore/test/es5/regexSpace.baseline:
1290         * ChakraCore/test/es6/unicode_whitespace.js:
1291         Update tests to latest version.
1292         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1293
1294         * test262.yaml:
1295         * test262/config.yaml:
1296         * test262/expectations.yaml:
1297         Update expectations.
1298
1299 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1300
1301         [BigInt] Add support to BigInt into ValueAdd
1302         https://bugs.webkit.org/show_bug.cgi?id=186177
1303
1304         Reviewed by Keith Miller.
1305
1306         * stress/big-int-negate-jit.js:
1307         * stress/value-add-big-int-and-string.js: Added.
1308         * stress/value-add-big-int-prediction-propagation.js: Added.
1309         * stress/value-add-big-int-untyped.js: Added.
1310
1311 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1312
1313         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1314         https://bugs.webkit.org/show_bug.cgi?id=191184
1315
1316         Reviewed by Saam Barati.
1317
1318         Most tests were failing due to timeouts, since they are too slow to
1319         run on CLoop. The exceptions are:
1320
1321         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1322         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1323         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1324         to change the stack size since CLoop requires it to be page aligned.
1325
1326         * microbenchmarks/array-push-1.js:
1327         * microbenchmarks/array-push-2.js:
1328         * microbenchmarks/elidable-new-object-dag.js:
1329         * microbenchmarks/elidable-new-object-roflcopter.js:
1330         * microbenchmarks/elidable-new-object-tree.js:
1331         * microbenchmarks/getter-richards.js:
1332         * microbenchmarks/sinkable-new-object-dag.js:
1333         * microbenchmarks/string-concat-long-convert.js:
1334         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1335         * slowMicrobenchmarks/array-push-3.js:
1336         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1337         * slowMicrobenchmarks/spread-small-array.js:
1338         * slowMicrobenchmarks/undefined-property-access.js:
1339         * stress/activation-sink-default-value-tdz-error.js:
1340         * stress/activation-sink-default-value.js:
1341         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1342         * stress/activation-sink-osrexit-default-value.js:
1343         * stress/activation-sink-osrexit.js:
1344         * stress/activation-sink.js:
1345         * stress/allow-math-ic-b3-code-duplication.js:
1346         * stress/array-push-multiple-int32.js:
1347         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1348         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1349         * stress/arrowfunction-lexical-this-activation-sink.js:
1350         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1351         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1352         * stress/elide-new-object-dag-then-exit.js:
1353         * stress/materialize-regexp-cyclic.js:
1354         * stress/new-regex-inline.js:
1355         * stress/op_add.js:
1356         * stress/op_bitand.js:
1357         * stress/op_bitor.js:
1358         * stress/op_bitxor.js:
1359         * stress/op_div-ConstVar.js:
1360         * stress/op_div-VarConst.js:
1361         * stress/op_div-VarVar.js:
1362         * stress/op_lshift-ConstVar.js:
1363         * stress/op_lshift-VarConst.js:
1364         * stress/op_lshift-VarVar.js:
1365         * stress/op_mod-ConstVar.js:
1366         * stress/op_mod-VarConst.js:
1367         * stress/op_mod-VarVar.js:
1368         * stress/op_mul-ConstVar.js:
1369         * stress/op_mul-VarConst.js:
1370         * stress/op_mul-VarVar.js:
1371         * stress/op_rshift-ConstVar.js:
1372         * stress/op_rshift-VarConst.js:
1373         * stress/op_rshift-VarVar.js:
1374         * stress/op_sub-ConstVar.js:
1375         * stress/op_sub-VarConst.js:
1376         * stress/op_sub-VarVar.js:
1377         * stress/op_urshift-ConstVar.js:
1378         * stress/op_urshift-VarConst.js:
1379         * stress/op_urshift-VarVar.js:
1380         * stress/proxy-get-set-correct-receiver.js:
1381         * stress/regress-179562.js:
1382         * stress/rest-parameter-many-arguments.js:
1383         * stress/sampling-profiler-richards.js:
1384         * stress/splay-flash-access-1ms.js:
1385         * stress/tailCallForwardArguments.js:
1386         * stress/typed-array-get-by-val-profiling.js:
1387         * typeProfiler/getter-richards.js:
1388
1389 2018-11-06  Michael Saboff  <msaboff@apple.com>
1390
1391         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1392         https://bugs.webkit.org/show_bug.cgi?id=191271
1393
1394         Reviewed by Saam Barati.
1395
1396         Added more test cases and made all test cases run with the same deeply recursive stack
1397         instead of finding that same point for each test case.
1398
1399         * stress/regexp-compile-oom.js:
1400         (prototype.runTest):
1401         (recurseAndTest):
1402         (testList.push.new.TestAndExpectedException):
1403
1404 2018-11-05  Michael Saboff  <msaboff@apple.com>
1405
1406         Unreviewed build fix for linux.
1407
1408         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1409
1410 2018-11-02  Michael Saboff  <msaboff@apple.com>
1411
1412         Rolling in r237753 with unreviewed build fix.
1413
1414         Fixed issues with DECLARE_THROW_SCOPE placement.
1415
1416 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1417
1418         Unreviewed, rolling out r237753.
1419
1420         Introduced JSC test failures
1421
1422         Reverted changeset:
1423
1424         "Running out of stack space not properly handled in
1425         RegExp::compile() and its callers"
1426         https://bugs.webkit.org/show_bug.cgi?id=191206
1427         https://trac.webkit.org/changeset/237753
1428
1429 2018-11-02  Michael Saboff  <msaboff@apple.com>
1430
1431         Running out of stack space not properly handled in RegExp::compile() and its callers
1432         https://bugs.webkit.org/show_bug.cgi?id=191206
1433
1434         Reviewed by Filip Pizlo.
1435
1436         New regression test.
1437
1438         * stress/regexp-compile-oom.js: Added.
1439         (recurseAndTest):
1440
1441 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1442
1443         Skip tests on arm/mips that time out now we're running on CLoop
1444
1445         Unreviewed gardening.
1446
1447         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1448         time out on the bots and need to be disabled. There's more tests
1449         disabled on arm because the timeout is longer on the mips bot (as the
1450         device is slower to start with), so many of the tests don't time out
1451         there.
1452
1453         * microbenchmarks/getter-richards.js: disable on arm and mips.
1454         * stress/op_add.js: disable on arm.
1455         * stress/op_bitand.js: disable on arm.
1456         * stress/op_bitor.js: disable on arm.
1457         * stress/op_bitxor.js: disable on arm.
1458         * stress/op_lshift-ConstVar.js: disable on arm.
1459         * stress/op_lshift-VarConst.js: disable on arm.
1460         * stress/op_lshift-VarVar.js: disable on arm.
1461         * stress/op_mod-ConstVar.js: disable on arm.
1462         * stress/op_mod-VarConst.js: disable on arm.
1463         * stress/op_mod-VarVar.js: disable on arm.
1464         * stress/op_mul-ConstVar.js: disable on arm.
1465         * stress/op_mul-VarConst.js: disable on arm.
1466         * stress/op_mul-VarVar.js: disable on arm.
1467         * stress/op_rshift-ConstVar.js: disable on arm.
1468         * stress/op_rshift-VarConst.js: disable on arm.
1469         * stress/op_rshift-VarVar.js: disable on arm.
1470         * stress/op_sub-ConstVar.js: disable on arm.
1471         * stress/op_sub-VarConst.js: disable on arm.
1472         * stress/op_sub-VarVar.js: disable on arm.
1473         * stress/op_urshift-ConstVar.js: disable on arm.
1474         * stress/op_urshift-VarConst.js: disable on arm.
1475         * stress/op_urshift-VarVar.js: disable on arm.
1476         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1477         * stress/value-to-boolean.js: disable on arm and mips.
1478
1479 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1480
1481         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1482         https://bugs.webkit.org/show_bug.cgi?id=191108
1483         <rdar://problem/45690700>
1484
1485         Reviewed by Saam Barati.
1486
1487         * stress/wide-op_catch.js: Added.
1488         (catch):
1489
1490 2018-10-29  Mark Lam  <mark.lam@apple.com>
1491
1492         Correctly detect string overflow when using the 'Function' constructor.
1493         https://bugs.webkit.org/show_bug.cgi?id=184883
1494         <rdar://problem/36320331>
1495
1496         Reviewed by Saam Barati.
1497
1498         I've verified that this passes on 32-bit as well.
1499
1500         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1501
1502 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1503
1504         Add support for GetStack FlushedDouble
1505         https://bugs.webkit.org/show_bug.cgi?id=191012
1506         <rdar://problem/45265141>
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/get-stack-double.js: Added.
1511         (bar):
1512         (noInline):
1513
1514 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1515
1516         New bytecode format for JSC
1517         https://bugs.webkit.org/show_bug.cgi?id=187373
1518         <rdar://problem/44186758>
1519
1520         Reviewed by Filip Pizlo.
1521
1522         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1523
1524         * stress/maximum-inline-capacity.js: Added.
1525         (test1):
1526         (test3.Foo):
1527         (test3):
1528
1529 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1530
1531         Unreviewed, rolling out r237479 and r237484.
1532         https://bugs.webkit.org/show_bug.cgi?id=190978
1533
1534         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1535
1536         Reverted changesets:
1537
1538         "New bytecode format for JSC"
1539         https://bugs.webkit.org/show_bug.cgi?id=187373
1540         https://trac.webkit.org/changeset/237479
1541
1542         "Gardening: Build fix after r237479."
1543         https://bugs.webkit.org/show_bug.cgi?id=187373
1544         https://trac.webkit.org/changeset/237484
1545
1546 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1547
1548         New bytecode format for JSC
1549         https://bugs.webkit.org/show_bug.cgi?id=187373
1550         <rdar://problem/44186758>
1551
1552         Reviewed by Filip Pizlo.
1553
1554         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1555
1556         * stress/maximum-inline-capacity.js: Added.
1557         (test1):
1558         (test3.Foo):
1559         (test3):
1560
1561 2018-10-26  Mark Lam  <mark.lam@apple.com>
1562
1563         Fix missing edge cases with JSGlobalObjects having a bad time.
1564         https://bugs.webkit.org/show_bug.cgi?id=189028
1565         <rdar://problem/45204939>
1566
1567         Reviewed by Saam Barati.
1568
1569         * stress/regress-189028.js: Added.
1570
1571 2018-10-22  Mark Lam  <mark.lam@apple.com>
1572
1573         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1574         https://bugs.webkit.org/show_bug.cgi?id=190515
1575         <rdar://problem/45222379>
1576
1577         Rubber-stamped by Saam Barati.
1578
1579         Adding another test.
1580
1581         * stress/regress-190515-2.js: Added.
1582
1583 2018-10-22  Mark Lam  <mark.lam@apple.com>
1584
1585         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1586         https://bugs.webkit.org/show_bug.cgi?id=190515
1587         <rdar://problem/45222379>
1588
1589         Reviewed by Saam Barati.
1590
1591         * stress/regress-190515.js: Added.
1592
1593 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1594
1595         Unreviewed, rolling out r237254.
1596         https://bugs.webkit.org/show_bug.cgi?id=190760
1597
1598         "It regresses JetStream 2 by 5% on some iOS devices"
1599         (Requested by saamyjoon on #webkit).
1600
1601         Reverted changeset:
1602
1603         "[JSC] JSC should have "parseFunction" to optimize Function
1604         constructor"
1605         https://bugs.webkit.org/show_bug.cgi?id=190340
1606         https://trac.webkit.org/changeset/237254
1607
1608 2018-10-19  Saam Barati  <sbarati@apple.com>
1609
1610         vmCall should check if we exit before emitting an OSR exit due to exceptions
1611         https://bugs.webkit.org/show_bug.cgi?id=190740
1612         <rdar://problem/45220139>
1613
1614         Reviewed by Mark Lam.
1615
1616         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1617         (foo):
1618
1619 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1620
1621         [ESNext][BigInt] Implement support for "^"
1622         https://bugs.webkit.org/show_bug.cgi?id=186235
1623
1624         Reviewed by Yusuke Suzuki.
1625
1626         * stress/big-int-bitwise-xor-general.js: Added.
1627         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1628         * stress/big-int-bitwise-xor-type-error.js: Added.
1629         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1630
1631 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1632
1633         [BigInt] Add ValueSub into DFG
1634         https://bugs.webkit.org/show_bug.cgi?id=186176
1635
1636         Reviewed by Yusuke Suzuki.
1637
1638         * stress/big-int-subtraction-jit.js:
1639         * stress/value-sub-big-int-prediction-propagation.js: Added.
1640         * stress/value-sub-big-int-untyped.js: Added.
1641         * stress/value-sub-spec-none-case.js: Added.
1642
1643 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] JSC should have "parseFunction" to optimize Function constructor
1646         https://bugs.webkit.org/show_bug.cgi?id=190340
1647
1648         Reviewed by Mark Lam.
1649
1650         This patch fixes the line number of syntax errors raised by the Function constructor,
1651         since we now parse the final code only once. And we no longer use block statement
1652         for Function constructor's parsing.
1653
1654         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1655         * stress/function-cache-with-parameters-end-position.js: Added.
1656         (shouldBe):
1657         (shouldThrow):
1658         (i.anonymous):
1659         * stress/function-constructor-name.js: Added.
1660         (shouldBe):
1661         (GeneratorFunction):
1662         (AsyncFunction.async):
1663         (AsyncGeneratorFunction.async):
1664         (anonymous):
1665         (async.anonymous):
1666         * test262/expectations.yaml:
1667
1668 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1669
1670         Unreviewed, rolling out r237242.
1671         https://bugs.webkit.org/show_bug.cgi?id=190701
1672
1673         it breaks "stress/sampling-profiler-basic.js" (Requested by
1674         caiolima on #webkit).
1675
1676         Reverted changeset:
1677
1678         "[BigInt] Add ValueSub into DFG"
1679         https://bugs.webkit.org/show_bug.cgi?id=186176
1680         https://trac.webkit.org/changeset/237242
1681
1682 2018-10-17  Keith Miller  <keith_miller@apple.com>
1683
1684         AI does not clear Phantom allocation nodes.
1685         https://bugs.webkit.org/show_bug.cgi?id=190694
1686
1687         Reviewed by Saam Barati.
1688
1689         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1690         (Day):
1691         (DaysInYear):
1692         (TimeInYear):
1693         (TimeFromYear):
1694         (DayFromYear):
1695         (InLeapYear):
1696         (YearFromTime):
1697         (WeekDay):
1698         (DaylightSavingTA):
1699         (GetSecondSundayInMarch):
1700         (TimeInMonth):
1701
1702 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1703
1704         [BigInt] Add ValueSub into DFG
1705         https://bugs.webkit.org/show_bug.cgi?id=186176
1706
1707         Reviewed by Yusuke Suzuki.
1708
1709         * stress/big-int-subtraction-jit.js:
1710         * stress/value-sub-big-int-prediction-propagation.js: Added.
1711         * stress/value-sub-big-int-untyped.js: Added.
1712
1713 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1714
1715         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1716         https://bugs.webkit.org/show_bug.cgi?id=190611
1717
1718         Reviewed by Saam Barati.
1719
1720         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1721         to improve test runtime. On ARM/MIPS this test even timed out when running all
1722         tests.
1723
1724         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1725         (test):
1726
1727 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1728
1729         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1730
1731         Unreviewed gardening.
1732
1733         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1734
1735 2018-10-15  Saam barati  <sbarati@apple.com>
1736
1737         Emit fjcvtzs on ARM64E on Darwin
1738         https://bugs.webkit.org/show_bug.cgi?id=184023
1739
1740         Reviewed by Yusuke Suzuki and Filip Pizlo.
1741
1742         * stress/double-to-int32-NaN.js: Added.
1743         (assert):
1744         (foo):
1745
1746 2018-10-15  Saam Barati  <sbarati@apple.com>
1747
1748         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1749         https://bugs.webkit.org/show_bug.cgi?id=190262
1750         <rdar://problem/44986241>
1751
1752         Reviewed by Mark Lam.
1753
1754         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1755         (test):
1756         * stress/slice-array-storage-with-holes.js: Added.
1757         (main):
1758
1759 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1760
1761         Unreviewed, rolling out r237054.
1762         https://bugs.webkit.org/show_bug.cgi?id=190593
1763
1764         "this regressed JetStream 2 by 6% on iOS" (Requested by
1765         saamyjoon on #webkit).
1766
1767         Reverted changeset:
1768
1769         "[JSC] JSC should have "parseFunction" to optimize Function
1770         constructor"
1771         https://bugs.webkit.org/show_bug.cgi?id=190340
1772         https://trac.webkit.org/changeset/237054
1773
1774 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1775
1776         [JSC] JSON.stringify can accept call-with-no-arguments
1777         https://bugs.webkit.org/show_bug.cgi?id=190343
1778
1779         Reviewed by Mark Lam.
1780
1781         * stress/json-stringify-no-arguments.js: Added.
1782         (shouldBe):
1783
1784 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1785
1786         [JSC] JSC should have "parseFunction" to optimize Function constructor
1787         https://bugs.webkit.org/show_bug.cgi?id=190340
1788
1789         Reviewed by Mark Lam.
1790
1791         This patch fixes the line number of syntax errors raised by the Function constructor,
1792         since we now parse the final code only once. And we no longer use block statement
1793         for Function constructor's parsing.
1794
1795         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1796         * stress/function-cache-with-parameters-end-position.js: Added.
1797         (shouldBe):
1798         (shouldThrow):
1799         (i.anonymous):
1800         * stress/function-constructor-name.js: Added.
1801         (shouldBe):
1802         (GeneratorFunction):
1803         (AsyncFunction.async):
1804         (AsyncGeneratorFunction.async):
1805         (anonymous):
1806         (async.anonymous):
1807         * test262/expectations.yaml:
1808
1809 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1810
1811         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1812         https://bugs.webkit.org/show_bug.cgi?id=190426
1813
1814         Unreviewed gardening.
1815
1816         * stress/sampling-profiler-richards.js:
1817
1818 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1819
1820         [ESNext][BigInt] Implement support for "|"
1821         https://bugs.webkit.org/show_bug.cgi?id=186229
1822
1823         Reviewed by Yusuke Suzuki.
1824
1825         * stress/big-int-bitwise-and-jit.js:
1826         * stress/big-int-bitwise-or-general.js: Added.
1827         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1828         * stress/big-int-bitwise-or-jit.js: Added.
1829         * stress/big-int-bitwise-or-memory-stress.js: Added.
1830         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1831         * stress/big-int-bitwise-or-type-error.js: Added.
1832         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1833
1834 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1835
1836         Skip test on systems with limited memory
1837         https://bugs.webkit.org/show_bug.cgi?id=190310
1838
1839         Invoking runDefault adds test to runlist, skipping the test in the next
1840         line does not prevent the test from executing. Change order of lines such
1841         that runDefault is only executed if test is not executed.
1842
1843         Reviewed by Mark Lam.
1844
1845         * stress/regress-190187.js:
1846
1847 2018-10-03  Saam barati  <sbarati@apple.com>
1848
1849         lowXYZ in FTLLower should always filter the type of the incoming edge
1850         https://bugs.webkit.org/show_bug.cgi?id=189939
1851         <rdar://problem/44407030>
1852
1853         Reviewed by Michael Saboff.
1854
1855         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1856         (foo):
1857         (test):
1858
1859 2018-10-03  Mark Lam  <mark.lam@apple.com>
1860
1861         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1862         https://bugs.webkit.org/show_bug.cgi?id=190187
1863         <rdar://problem/42512909>
1864
1865         Reviewed by Michael Saboff.
1866
1867         * stress/regress-190187.js: Added.
1868
1869 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1870
1871         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1872         https://bugs.webkit.org/show_bug.cgi?id=190033
1873
1874         Reviewed by Yusuke Suzuki.
1875
1876         * stress/big-int-to-string.js:
1877
1878 2018-10-01  Mark Lam  <mark.lam@apple.com>
1879
1880         Function.toString() should also copy the source code Functions that are class definitions.
1881         https://bugs.webkit.org/show_bug.cgi?id=190186
1882         <rdar://problem/44733360>
1883
1884         Reviewed by Saam Barati.
1885
1886         * stress/regress-190186.js: Added.
1887
1888 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1889
1890         Split NaN-check into separate test
1891         https://bugs.webkit.org/show_bug.cgi?id=190010
1892
1893         Reviewed by Saam Barati.
1894
1895         DataView exposes NaN-representation, which is not necessarily the same on each
1896         architecture. Therefore move the check of the NaN-representation into its own
1897         file such that we can disable this test on MIPS where NaN-representation can be
1898         different on older CPUs.
1899
1900         * stress/dataview-jit-set-nan.js: Added.
1901         (assert):
1902         (test.storeLittleEndian):
1903         (test.storeBigEndian):
1904         (test.store):
1905         (test):
1906         * stress/dataview-jit-set.js:
1907         (test5):
1908
1909 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1910
1911         Unreviewed, rolling out r236647.
1912         https://bugs.webkit.org/show_bug.cgi?id=190124
1913
1914         Breaking test stress/big-int-to-string.js (Requested by
1915         caiolima_ on #webkit).
1916
1917         Reverted changeset:
1918
1919         "[BigInt] BigInt.proptotype.toString is broken when radix is
1920         power of 2"
1921         https://bugs.webkit.org/show_bug.cgi?id=190033
1922         https://trac.webkit.org/changeset/236647
1923
1924 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1925
1926         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1927         https://bugs.webkit.org/show_bug.cgi?id=190033
1928
1929         Reviewed by Yusuke Suzuki.
1930
1931         * stress/big-int-to-string.js:
1932
1933 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1934
1935         [ESNext][BigInt] Implement support for "&"
1936         https://bugs.webkit.org/show_bug.cgi?id=186228
1937
1938         Reviewed by Yusuke Suzuki.
1939
1940         * stress/big-int-bitwise-and-general.js: Added.
1941         (assert):
1942         (assert.sameValue):
1943         * stress/big-int-bitwise-and-jit.js: Added.
1944         (let.assert.sameValue):
1945         (bigIntBitAnd):
1946         * stress/big-int-bitwise-and-memory-stress.js: Added.
1947         (assert):
1948         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1949         (assert.sameValue):
1950         (let.o.Symbol.toPrimitive):
1951         (catch):
1952         * stress/big-int-bitwise-and-type-error.js: Added.
1953         (assert):
1954         (assertThrowTypeError):
1955         (let.o.valueOf):
1956         (o.valueOf):
1957         (o.toString):
1958         (o.Symbol.toPrimitive):
1959         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1960         (assert.sameValue):
1961         (testBitAnd):
1962         (let.o.Symbol.toPrimitive):
1963         (o.valueOf):
1964         (o.toString):
1965
1966 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1967
1968         JSC test stress/jsc-read.js doesn't support CRLF
1969         https://bugs.webkit.org/show_bug.cgi?id=190063
1970
1971         Reviewed by Yusuke Suzuki.
1972
1973         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1974
1975         * stress/jsc-read.js:
1976         (test):
1977
1978 2018-09-27  Saam barati  <sbarati@apple.com>
1979
1980         Verify the contents of AssemblerBuffer on arm64e
1981         https://bugs.webkit.org/show_bug.cgi?id=190057
1982         <rdar://problem/38916630>
1983
1984         Reviewed by Mark Lam.
1985
1986         * stress/regress-189132.js:
1987
1988 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1989
1990         Disable test without LLInt on ARMv7
1991         https://bugs.webkit.org/show_bug.cgi?id=190037
1992
1993         Reviewed by Mark Lam.
1994
1995         Test runs out of executable memory on ARMv7, do not run
1996         this test without LLInt enabled.
1997
1998         * stress/regress-169445.js:
1999
2000 2018-09-26  Keith Miller  <keith_miller@apple.com>
2001
2002         We should zero unused property storage when rebalancing array storage.
2003         https://bugs.webkit.org/show_bug.cgi?id=188151
2004
2005         Reviewed by Michael Saboff.
2006
2007         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2008
2009 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2010
2011         [JSC] Optimize Array#lastIndexOf
2012         https://bugs.webkit.org/show_bug.cgi?id=189780
2013
2014         Reviewed by Saam Barati.
2015
2016         * stress/array-lastindexof-array-prototype-trap.js: Added.
2017         (shouldBe):
2018         (AncestorArray.prototype.get 2):
2019         (AncestorArray):
2020         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2021         (shouldBe):
2022         * stress/array-lastindexof-hole-nan.js: Added.
2023         (shouldBe):
2024         (throw.new.Error):
2025         * stress/array-lastindexof-infinity.js: Added.
2026         (shouldBe):
2027         (throw.new.Error):
2028         * stress/array-lastindexof-negative-zero.js: Added.
2029         (shouldBe):
2030         (throw.new.Error):
2031         * stress/array-lastindexof-own-getter.js: Added.
2032         (shouldBe):
2033         (throw.new.Error.get array):
2034         (get array):
2035         * stress/array-lastindexof-prototype-trap.js: Added.
2036         (shouldBe):
2037         (DerivedArray.prototype.get 2):
2038         (DerivedArray):
2039
2040 2018-09-25  Saam Barati  <sbarati@apple.com>
2041
2042         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2043         https://bugs.webkit.org/show_bug.cgi?id=189940
2044         <rdar://problem/43640987>
2045
2046         Reviewed by Mark Lam.
2047
2048         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2049
2050 2018-09-24  Saam Barati  <sbarati@apple.com>
2051
2052         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2053         https://bugs.webkit.org/show_bug.cgi?id=189922
2054         <rdar://problem/44651275>
2055
2056         Reviewed by Mark Lam.
2057
2058         * stress/array-indexof-fast-path-effects.js: Added.
2059         * stress/array-indexof-cached-length.js: Added.
2060
2061 2018-09-24  Saam barati  <sbarati@apple.com>
2062
2063         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2064         https://bugs.webkit.org/show_bug.cgi?id=189682
2065         <rdar://problem/43557315>
2066
2067         Reviewed by Mark Lam.
2068
2069         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2070         (foo):
2071
2072 2018-09-22  Saam barati  <sbarati@apple.com>
2073
2074         The sampling should not use Strong<CodeBlock> in its machineLocation field
2075         https://bugs.webkit.org/show_bug.cgi?id=189319
2076
2077         Reviewed by Filip Pizlo.
2078
2079         * stress/sampling-profiler-richards.js: Added.
2080
2081 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2082
2083         [JSC] Optimize Array#indexOf in C++ runtime
2084         https://bugs.webkit.org/show_bug.cgi?id=189507
2085
2086         Reviewed by Saam Barati.
2087
2088         * stress/array-indexof-array-prototype-trap.js: Added.
2089         (shouldBe):
2090         (AncestorArray.prototype.get 2):
2091         (AncestorArray):
2092         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2093         (shouldBe):
2094         * stress/array-indexof-hole-nan.js: Added.
2095         (shouldBe):
2096         (throw.new.Error):
2097         * stress/array-indexof-infinity.js: Added.
2098         (shouldBe):
2099         (throw.new.Error):
2100         * stress/array-indexof-negative-zero.js: Added.
2101         (shouldBe):
2102         (throw.new.Error):
2103         * stress/array-indexof-own-getter.js: Added.
2104         (shouldBe):
2105         (throw.new.Error.get array):
2106         (get array):
2107         * stress/array-indexof-prototype-trap.js: Added.
2108         (shouldBe):
2109         (DerivedArray.prototype.get 2):
2110         (DerivedArray):
2111
2112 2018-09-19  Saam barati  <sbarati@apple.com>
2113
2114         AI rule for MultiPutByOffset executes its effects in the wrong order
2115         https://bugs.webkit.org/show_bug.cgi?id=189757
2116         <rdar://problem/43535257>
2117
2118         Reviewed by Michael Saboff.
2119
2120         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2121         (foo):
2122         (Foo):
2123         (g):
2124
2125 2018-09-17  Mark Lam  <mark.lam@apple.com>
2126
2127         Ensure that ForInContexts are invalidated if their loop local is over-written.
2128         https://bugs.webkit.org/show_bug.cgi?id=189571
2129         <rdar://problem/44402277>
2130
2131         Reviewed by Saam Barati.
2132
2133         * stress/regress-189571.js: Added.
2134
2135 2018-09-17  Saam barati  <sbarati@apple.com>
2136
2137         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2138         https://bugs.webkit.org/show_bug.cgi?id=189676
2139         <rdar://problem/39682897>
2140
2141         Reviewed by Michael Saboff.
2142
2143         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2144         (A):
2145         (K):
2146         (i.catch):
2147
2148 2018-09-14  Saam barati  <sbarati@apple.com>
2149
2150         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2151         https://bugs.webkit.org/show_bug.cgi?id=189628
2152         <rdar://problem/39481690>
2153
2154         Reviewed by Mark Lam.
2155
2156         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2157         (foo):
2158
2159 2018-09-11  Mark Lam  <mark.lam@apple.com>
2160
2161         Test for array initialization in arrayProtoFuncSplice.
2162         https://bugs.webkit.org/show_bug.cgi?id=170253
2163         <rdar://problem/31328773>
2164
2165         Rubber-stamped by Saam Barati.
2166
2167         * stress/regress-170253.js: Added.
2168
2169 2018-09-11  Mark Lam  <mark.lam@apple.com>
2170
2171         Test for IntlObject initialization.
2172         https://bugs.webkit.org/show_bug.cgi?id=170251
2173         <rdar://problem/31328419>
2174
2175         Rubber-stamped by Saam Barati.
2176
2177         * stress/regress-170251.js: Added.
2178
2179 2018-09-11  Mark Lam  <mark.lam@apple.com>
2180
2181         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2182         https://bugs.webkit.org/show_bug.cgi?id=169889
2183         <rdar://problem/31155607>
2184
2185         Reviewed by Saam Barati.
2186
2187         * stress/regress-169889-array-concat.js: Added.
2188         * stress/regress-169889-array-concat1.js: Added.
2189         * stress/regress-169889-array-slice.js: Added.
2190
2191 2018-09-11  Mark Lam  <mark.lam@apple.com>
2192
2193         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2194         https://bugs.webkit.org/show_bug.cgi?id=169445
2195         <rdar://problem/30957435>
2196
2197         Reviewed by Saam Barati.
2198
2199         * stress/regress-169445.js: Added.
2200         (let.gun.eval.A):
2201         (let.gun.eval.B.C):
2202         (let.gun.eval.B.C.prototype.trigger):
2203         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2204         (let.gun.eval.B):
2205         (let.gun.eval):
2206
2207 == Rolled over to ChangeLog-2018-09-11 ==