Update the test to ensure OutOfMemoryError is thrown as intended
1 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         Update the test to ensure OutOfMemoryError is thrown as intended
4         https://bugs.webkit.org/show_bug.cgi?id=196032
5         <rdar://problem/46842740>
6
7         Rubber stamped by Saam Barati.
8
9         * stress/create-error-out-of-memory-rope-string.js:
10         (assert):
11         (catch):
12
13 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
14
15         JSC::createError needs to check for OOM in errorDescriptionForValue
16         https://bugs.webkit.org/show_bug.cgi?id=196032
17         <rdar://problem/46842740>
18
19         Reviewed by Mark Lam.
20
21         * stress/create-error-out-of-memory-rope-string.js: Added.
22
23 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
24
25         Unreviewed, reduce # of iterations to avoid timing out after r242991
26         https://bugs.webkit.org/show_bug.cgi?id=195791
27
28         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
29
30         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
31
32 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
33
34         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
35         https://bugs.webkit.org/show_bug.cgi?id=195950
36
37         Unreviewed, reducing the amount of memory used on this test to avoid
38         OOM on devices with memory restrictions.
39
40         * microbenchmarks/generate-multiple-llint-entrypoints.js:
41
42 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
43
44         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
45         https://bugs.webkit.org/show_bug.cgi?id=194648
46
47         Reviewed by Keith Miller.
48
49         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
50
51 2019-03-18  Mark Lam  <mark.lam@apple.com>
52
53         Missing a ThrowScope release in JSObject::toString().
54         https://bugs.webkit.org/show_bug.cgi?id=195893
55         <rdar://problem/48970986>
56
57         Reviewed by Michael Saboff.
58
59         * stress/to-string-exception-check-release.js: Added.
60
61 2019-03-18  Mark Lam  <mark.lam@apple.com>
62
63         Structure::flattenDictionary() should clear unused property slots.
64         https://bugs.webkit.org/show_bug.cgi?id=195871
65         <rdar://problem/48959497>
66
67         Reviewed by Michael Saboff.
68
69         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
70
71 2019-03-15  Mark Lam  <mark.lam@apple.com>
72
73         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
74         https://bugs.webkit.org/show_bug.cgi?id=195827
75         <rdar://problem/48845513>
76
77         Reviewed by Filip Pizlo.
78
79         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
80
81 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
82
83         [ARM,MIPS] Skip slow tests
84         https://bugs.webkit.org/show_bug.cgi?id=195799
85
86         Unreviewed, test does not finish on ARM and MIPS within the
87         timeout limit.
88
89         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
90
91 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
92
93         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
94         https://bugs.webkit.org/show_bug.cgi?id=195791
95         <rdar://problem/48806130>
96
97         Reviewed by Mark Lam.
98
99         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
100         (foo):
101
102 2019-03-14  Saam barati  <sbarati@apple.com>
103
104         We can't remove code after ForceOSRExit until after FixupPhase
105         https://bugs.webkit.org/show_bug.cgi?id=186916
106         <rdar://problem/41396612>
107
108         Reviewed by Yusuke Suzuki.
109
110         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
111         (foo):
112         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
113         (foo):
114
115 2019-03-13  Michael Saboff  <msaboff@apple.com>
116
117         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
118         https://bugs.webkit.org/show_bug.cgi?id=195735
119
120         Reviewed by Mark Lam.
121
122         New regression test.
123
124         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
125         (foo):
126         (bar):
127
128 2019-03-14  Saam barati  <sbarati@apple.com>
129
130         Fixup uses KnownInt32 incorrectly in some nodes
131         https://bugs.webkit.org/show_bug.cgi?id=195279
132         <rdar://problem/47915654>
133
134         Reviewed by Yusuke Suzuki.
135
136         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
137         (foo):
138
139 2019-03-14  Keith Miller  <keith_miller@apple.com>
140
141         DFG liveness can't skip tail caller inline frames
142         https://bugs.webkit.org/show_bug.cgi?id=195715
143
144         Reviewed by Saam Barati.
145
146         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
147         (i.foo):
148
149 2019-03-13  Mark Lam  <mark.lam@apple.com>
150
151         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
152         https://bugs.webkit.org/show_bug.cgi?id=195415
153
154         Not reviewed.
155
156         Changed these tests to only run the default configuration.
157         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
158         There's no strong need to run this test on that variant.
159
160         * stress/dfg-to-string-on-int-does-gc.js:
161         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
162
163 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
164
165         String overflow when using StringBuilder in JSC::createError
166         https://bugs.webkit.org/show_bug.cgi?id=194957
167
168         Reviewed by Mark Lam.
169
170         Add test string-overflow-createError-builder.js that overflows
171         StringBuilder in notAFunctionSourceAppender. The second new test
172         string-overflow-createError-fit.js has an error message that doesn't
173         overflow, it still failed since the String's capacity can't be doubled.
174         Run test string-overflow-createError.js only in the default
175         configuration to reduce memory consumption when running the test
176         in all configurations on multiple CPUs in parallel.
177
178         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
179         (catch):
180         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
181         (catch):
182         * stress/string-overflow-createError.js:
183
184 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
185
186         [JSC] OSR entry should respect abstract values in addition to flush formats
187         https://bugs.webkit.org/show_bug.cgi?id=195653
188
189         Reviewed by Mark Lam.
190
191         * stress/osr-entry-locals-none.js: Added.
192
193 2019-03-12  Michael Saboff  <msaboff@apple.com>
194
195         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
196         https://bugs.webkit.org/show_bug.cgi?id=195613
197
198         Reviewed by Mark Lam.
199
200         New regression test.
201
202         * stress/regexp-backref-inbounds.js: Added.
203         (testRegExp):
204
205 2019-03-12  Mark Lam  <mark.lam@apple.com>
206
207         The HasIndexedProperty node does GC.
208         https://bugs.webkit.org/show_bug.cgi?id=195559
209         <rdar://problem/48767923>
210
211         Reviewed by Yusuke Suzuki.
212
213         * stress/HasIndexedProperty-does-gc.js: Added.
214
215 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
216
217         [ESNext][BigInt] Implement "~" unary operation
218         https://bugs.webkit.org/show_bug.cgi?id=182216
219
220         Reviewed by Keith Miller.
221
222         * stress/big-int-bit-not-general.js: Added.
223         * stress/big-int-bitwise-not-jit.js: Added.
224         * stress/big-int-bitwise-not-wrapped-value.js: Added.
225         * stress/bit-op-with-object-returning-int32.js:
226         * stress/bitwise-not-fixup-rules.js: Added.
227         * stress/value-bit-not-ai-rule.js: Added.
228
229 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
230
231         Invalid flags in a RegExp literal should be an early SyntaxError
232         https://bugs.webkit.org/show_bug.cgi?id=195514
233
234         Reviewed by Darin Adler.
235
236         * test262/expectations.yaml:
237         Mark 4 test cases as passing.
238
239         * stress/regexp-syntax-error-invalid-flags.js:
240         * stress/regress-161995.js: Removed.
241         Update existing test, merging in an older test for the same behavior.
242
243 2019-03-08  Mark Lam  <mark.lam@apple.com>
244
245         Stack overflow crash in JSC::JSObject::hasInstance.
246         https://bugs.webkit.org/show_bug.cgi?id=195458
247         <rdar://problem/48710195>
248
249         Reviewed by Yusuke Suzuki.
250
251         * stress/stack-overflow-in-custom-hasInstance.js: Added.
252
253 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
254
255         op_check_tdz does not def its argument
256         https://bugs.webkit.org/show_bug.cgi?id=192880
257         <rdar://problem/46221598>
258
259         Reviewed by Saam Barati.
260
261         * microbenchmarks/let-for-in.js: Added.
262         (foo):
263
264 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
265
266         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
267         https://bugs.webkit.org/show_bug.cgi?id=195429
268
269         Reviewed by Saam Barati.
270
271         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
272         (foo):
273         * stress/string-from-char-code-255.js: Added.
274
275 2019-03-06  Mark Lam  <mark.lam@apple.com>
276
277         Fix incorrect handling of try-finally completion values.
278         https://bugs.webkit.org/show_bug.cgi?id=195131
279         <rdar://problem/46222079>
280
281         Reviewed by Saam Barati and Yusuke Suzuki.
282
283         Added many permutations of new test case to test-finally.js.  test-finally.js has
284         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
285         tests pass there as well.
286
287         * stress/test-finally.js:
288
289 2019-03-06  Saam Barati  <sbarati@apple.com>
290
291         Air::reportUsedRegisters must padInterference
292         https://bugs.webkit.org/show_bug.cgi?id=195303
293         <rdar://problem/48270343>
294
295         Reviewed by Keith Miller.
296
297         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
298
299 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         [JSC] AI should not propagate AbstractValue relying on constant folding phase
302         https://bugs.webkit.org/show_bug.cgi?id=195375
303
304         Reviewed by Saam Barati.
305
306         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
307         (let.array):
308
309 2019-03-05  Saam barati  <sbarati@apple.com>
310
311         op_switch_char broken for rope strings after JSRopeString layout rewrite
312         https://bugs.webkit.org/show_bug.cgi?id=195339
313         <rdar://problem/48592545>
314
315         Reviewed by Yusuke Suzuki.
316
317         * stress/switch-on-char-llint-rope.js: Added.
318
319 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
320
321         [JSC] Store bits for JSRopeString in 3 stores
322         https://bugs.webkit.org/show_bug.cgi?id=195234
323
324         Reviewed by Saam Barati.
325
326         * stress/null-rope-and-collectors.js: Added.
327
328 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
329
330         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
331         https://bugs.webkit.org/show_bug.cgi?id=195207
332
333         Unreviewed. After test runtime was reduced in r242213, test can be
334         run again on ARM/MIPS.
335
336         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
337
338 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
339
340         [JSC] sizeof(JSString) should be 16
341         https://bugs.webkit.org/show_bug.cgi?id=194375
342
343         Reviewed by Saam Barati.
344
345         * microbenchmarks/make-rope.js: Added.
346         (makeRope):
347         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
348         (returnRope.helper): Deleted.
349         (returnRope): Deleted.
350
351 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
352
353         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
354         https://bugs.webkit.org/show_bug.cgi?id=195144
355
356         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
357         Change the number from 1e8 to 1e5.
358
359         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
360         (foo):
361
362 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
363
364         Test times out on ARM/MIPS
365         https://bugs.webkit.org/show_bug.cgi?id=195168
366
367         Unreviewed. Skip test on ARM/MIPS.
368
369         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
370
371 2019-02-27  Mark Lam  <mark.lam@apple.com>
372
373         The parser is failing to record the token location of new in new.target.
374         https://bugs.webkit.org/show_bug.cgi?id=195127
375         <rdar://problem/39645578>
376
377         Reviewed by Yusuke Suzuki.
378
379         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
380
381 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
382
383         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
384         https://bugs.webkit.org/show_bug.cgi?id=195144
385         <rdar://problem/47595961>
386
387         Reviewed by Mark Lam.
388
389         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
390         (bar):
391         (foo):
392         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
393         (bar):
394         (foo):
395
396 2019-02-27  Robin Morisset  <rmorisset@apple.com>
397
398         DFG: Loop-invariant code motion (LICM) should not hoist dead code
399         https://bugs.webkit.org/show_bug.cgi?id=194945
400         <rdar://problem/48311657>
401
402         Reviewed by Mark Lam.
403
404         * stress/licm-dead-code.js: Added.
405
406 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
407
408         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
409         https://bugs.webkit.org/show_bug.cgi?id=194677
410         <rdar://problem/48112492>
411
412         Reviewed by Mark Lam.
413
414         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
415         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
416         it immediately fails due to the large size.
417
418         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
419         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
420         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
421         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
422
423         This patch changes the test to produce 16bit string from String.fromCharCode.
424
425         * stress/regress-178386.js:
426
427 2019-02-26  Mark Lam  <mark.lam@apple.com>
428
429         wasmToJS() should purify incoming NaNs.
430         https://bugs.webkit.org/show_bug.cgi?id=194807
431         <rdar://problem/48189132>
432
433         Reviewed by Saam Barati.
434
435         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
436
437 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
438
439         [JSC] Repeat string created from Array.prototype.join() take too much memory
440         https://bugs.webkit.org/show_bug.cgi?id=193912
441
442         Reviewed by Saam Barati.
443
444         Added a test and a microbenchmark for corner cases of
445         Array.prototype.join() with an uninitialized array.
446
447         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
448         * stress/array-prototype-join-uninitialized.js: Added.
449         (testArray):
450         (testABC):
451         (B):
452         (C):
453
454 2019-02-22  Robin Morisset  <rmorisset@apple.com>
455
456         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
457         https://bugs.webkit.org/show_bug.cgi?id=194953
458         <rdar://problem/47595253>
459
460         Reviewed by Saam Barati.
461
462         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
463
464         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
465
466 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
467
468         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
469         https://bugs.webkit.org/show_bug.cgi?id=172848
470         <rdar://problem/25709212>
471
472         Reviewed by Mark Lam.
473
474         * typeProfiler/inheritance.js:
475         Rewrite the test slightly for clarity. The hoisting was confusing.
476
477         * heapProfiler/class-names.js: Added.
478         (MyES5Class):
479         (MyES6Class):
480         (MyES6Subclass):
481         Test object types and improved class names.
482
483         * heapProfiler/driver/driver.js:
484         (CheapHeapSnapshotNode):
485         (CheapHeapSnapshot):
486         (createCheapHeapSnapshot):
487         (HeapSnapshot):
488         (createHeapSnapshot):
489         Update snapshot parsing from version 1 to version 2.
490
491 2019-02-19  Truitt Savell  <tsavell@apple.com>
492
493         Unreviewed, rolling out r241784.
494
495         Broke all OpenSource builds.
496
497         Reverted changeset:
498
499         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
500         instances view"
501         https://bugs.webkit.org/show_bug.cgi?id=172848
502         https://trac.webkit.org/changeset/241784
503
504 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
505
506         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
507         https://bugs.webkit.org/show_bug.cgi?id=172848
508         <rdar://problem/25709212>
509
510         Reviewed by Mark Lam.
511
512         * typeProfiler/inheritance.js:
513         Rewrite the test slightly for clarity. The hoisting was confusing.
514
515         * heapProfiler/class-names.js: Added.
516         (MyES5Class):
517         (MyES6Class):
518         (MyES6Subclass):
519         Test object types and improved class names.
520
521         * heapProfiler/driver/driver.js:
522         (CheapHeapSnapshotNode):
523         (CheapHeapSnapshot):
524         (createCheapHeapSnapshot):
525         (HeapSnapshot):
526         (createHeapSnapshot):
527         Update snapshot parsing from version 1 to version 2.
528
529 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
530
531         [ARM] Fix crash with sampling profiler
532         https://bugs.webkit.org/show_bug.cgi?id=194772
533
534         Reviewed by Mark Lam.
535
536         Do not skip test since crash with sampling profiler is now fixed.
537
538         * stress/sampling-profiler-richards.js:
539
540 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
541
542         [JSC] Add LazyClassStructure::getInitializedOnMainThread
543         https://bugs.webkit.org/show_bug.cgi?id=194784
544         <rdar://problem/48154820>
545
546         Reviewed by Mark Lam.
547
548         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
549         (getProperties):
550         (getRandomProperty):
551         (i.catch):
552
553 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
554
555         [ARM] Test gardening: Test running out of executable memory
556         https://bugs.webkit.org/show_bug.cgi?id=194771
557
558         Unreviewed. Do not run test without LLInt, test is running out of executable
559         memory on ARM otherwise.
560
561         * stress/tagged-template-object-collect.js:
562
563 2019-02-18  Tomas Popela  <tpopela@redhat.com>
564
565         Unreviewed, skip the test on platforms without sampling profiler
566
567         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
568         (platformSupportsSamplingProfiler.foo):
569         (platformSupportsSamplingProfiler.test):
570         (platformSupportsSamplingProfiler):
571         (foo): Deleted.
572         (test): Deleted.
573
574 2019-02-17  Saam Barati  <sbarati@apple.com>
575
576         Deadlock when adding a Structure property transition and then doing incremental marking
577         https://bugs.webkit.org/show_bug.cgi?id=194767
578
579         Reviewed by Mark Lam.
580
581         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
582
583 2019-02-15  Michael Saboff  <msaboff@apple.com>
584
585         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
586         https://bugs.webkit.org/show_bug.cgi?id=194558
587
588         Reviewed by Saam Barati.
589
590         New regression test.
591
592         * stress/regexp-unicode-within-string.js: Added.
593
594 2019-02-15  Mark Lam  <mark.lam@apple.com>
595
596         SamplingProfiler::stackTracesAsJSON() should escape strings.
597         https://bugs.webkit.org/show_bug.cgi?id=194649
598         <rdar://problem/48072386>
599
600         Reviewed by Saam Barati.
601
602         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
603         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
604         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
605         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
606
607 2019-02-15  Robin Morisset  <rmorisset@apple.com>
608         CodeBlock::jettison should clear related watchpoints
609         https://bugs.webkit.org/show_bug.cgi?id=194544
610
611         Reviewed by Mark Lam.
612
613         * stress/regexp-replace-double-watchpoint.js: Added.
614         (foo):
615
616 2019-02-15  Saam barati  <sbarati@apple.com>
617
618         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
619         https://bugs.webkit.org/show_bug.cgi?id=194036
620
621         Reviewed by Yusuke Suzuki.
622
623         * stress/tail-call-many-arguments.js: Added.
624         (foo):
625         (bar):
626
627 2019-02-14  Saam Barati  <sbarati@apple.com>
628
629         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
630         https://bugs.webkit.org/show_bug.cgi?id=194583
631         <rdar://problem/48028140>
632
633         Reviewed by Yusuke Suzuki.
634
635         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
636
637 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
638
639         [JSC] String.fromCharCode's slow path always generates 16bit string
640         https://bugs.webkit.org/show_bug.cgi?id=194466
641
642         Reviewed by Keith Miller.
643
644         * stress/string-from-char-code-slow-path.js: Added.
645         (shouldBe):
646         (testWithLength):
647
648 2019-02-08  Saam barati  <sbarati@apple.com>
649
650         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
651         https://bugs.webkit.org/show_bug.cgi?id=194334
652         <rdar://problem/47844327>
653
654         Reviewed by Mark Lam.
655
656         * stress/check-in-bounds-should-be-a-child-use.js: Added.
657         (func):
658
659 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
660
661         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
662         https://bugs.webkit.org/show_bug.cgi?id=194369
663         <rdar://problem/47813087>
664
665         Reviewed by Saam Barati.
666
667         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
668         (A):
669
670 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
671
672         [JSC] PrivateName to PublicName hash table is wasteful
673         https://bugs.webkit.org/show_bug.cgi?id=194277
674
675         Reviewed by Michael Saboff.
676
677         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
678
679         * ChakraCore.yaml:
680
681 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
682
683         [ARM] Test running out of executable memory
684         https://bugs.webkit.org/show_bug.cgi?id=194285
685
686         Unreviewed. Do not execute test with LLInt disabled, test runs out of
687         executable memory otherwise.
688
689         * stress/class-subclassing-function.js:
690
691 2019-02-04  Robin Morisset  <rmorisset@apple.com>
692
693         when lowering AssertNotEmpty, create the value before creating the patchpoint
694         https://bugs.webkit.org/show_bug.cgi?id=194231
695
696         Reviewed by Saam Barati.
697
698         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
699         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
700         So even tiny changes to this test can change the path code taken.
701
702         * stress/assert-not-empty.js: Added.
703         (foo):
704
705 2019-02-01  Mark Lam  <mark.lam@apple.com>
706
707         Remove invalid assertion in DFG's compileDoubleRep().
708         https://bugs.webkit.org/show_bug.cgi?id=194130
709         <rdar://problem/47699474>
710
711         Reviewed by Saam Barati.
712
713         * stress/constant-fold-double-rep-into-double-constant.js: Added.
714
715 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
716
717         Import latest Test262 updates.
718
719         Rubber-stamped by Keith Miller.
720
721         * test262.yaml: Deleted.
722         * test262/config.yaml:
723         * test262/expectations.yaml:
724         * test262/latest-changes-summary.txt:
725         * test262/test/:
726         * test262/test262-Revision.txt:
727
728 2019-01-30  Robin Morisset  <rmorisset@apple.com>
729
730         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
731         https://bugs.webkit.org/show_bug.cgi?id=194050
732         <rdar://problem/47595592>
733
734         Reviewed by Yusuke Suzuki.
735
736         * stress/object-keys-osr-exit.js: Added.
737         (foo):
738         (catch):
739
740 2019-01-29  Mark Lam  <mark.lam@apple.com>
741
742         ValueRecovery::recover() should purify NaN values it recovers.
743         https://bugs.webkit.org/show_bug.cgi?id=193978
744         <rdar://problem/47625488>
745
746         Reviewed by Saam Barati.
747
748         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
749
750 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
751
752         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
753         https://bugs.webkit.org/show_bug.cgi?id=193713
754
755         * stress/try-get-by-id-should-spill-registers-dfg.js:
756         (let.f.createBuiltin):
757
758 2019-01-28  Mark Lam  <mark.lam@apple.com>
759
760         ToString node actually does GC.
761         https://bugs.webkit.org/show_bug.cgi?id=193920
762         <rdar://problem/46695900>
763
764         Reviewed by Yusuke Suzuki.
765
766         * stress/dfg-to-string-on-int-does-gc.js: Added.
767         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
768         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
769
770 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
771
772         [JSC] NativeErrorConstructor should not have own IsoSubspace
773         https://bugs.webkit.org/show_bug.cgi?id=193713
774
775         Reviewed by Saam Barati.
776
777         Remove @Error use.
778
779         * stress/try-get-by-id-should-spill-registers-dfg.js:
780         (let.f.createBuiltin):
781
782 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
783
784         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
785         https://bugs.webkit.org/show_bug.cgi?id=190693
786
787         Reviewed by Michael Saboff.
788
789         * stress/regress-190693.js: Added.
790         (truth):
791         (assert):
792         (shouldThrowInvalidConstAssignment):
793         (taz):
794
795 2019-01-24  Saam Barati  <sbarati@apple.com>
796
797         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
798         https://bugs.webkit.org/show_bug.cgi?id=193751
799         <rdar://problem/47280215>
800
801         Reviewed by Michael Saboff.
802
803         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
804         (let.thing):
805         (foo.let.hello):
806         (foo):
807
808 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
809
810         [JSC] Reenable baseline JIT on mips
811         https://bugs.webkit.org/show_bug.cgi?id=192983
812
813         Reviewed by Mark Lam.
814
815         Added a new test for a case that was triggering a RELEASE_ASSERT when
816         testing.
817         Disable some slow tests that were already disabled for arm and x86.
818
819         * stress/json-parse-big-object.js: Added.
820         * stress/new-largeish-contiguous-array-with-size.js:
821         * stress/op_add.js:
822         * stress/op_bitand.js:
823         * stress/op_bitor.js:
824         * stress/op_bitxor.js:
825         * stress/op_lshift-ConstVar.js:
826         * stress/op_lshift-VarConst.js:
827         * stress/op_lshift-VarVar.js:
828         * stress/op_mod-ConstVar.js:
829         * stress/op_mod-VarConst.js:
830         * stress/op_mod-VarVar.js:
831         * stress/op_mul-ConstVar.js:
832         * stress/op_mul-VarConst.js:
833         * stress/op_mul-VarVar.js:
834         * stress/op_rshift-ConstVar.js:
835         * stress/op_rshift-VarConst.js:
836         * stress/op_rshift-VarVar.js:
837         * stress/op_sub-ConstVar.js:
838         * stress/op_sub-VarConst.js:
839         * stress/op_sub-VarVar.js:
840         * stress/op_urshift-ConstVar.js:
841         * stress/op_urshift-VarConst.js:
842         * stress/op_urshift-VarVar.js:
843         * stress/sampling-profiler-richards.js:
844         * stress/spread-forward-call-varargs-stack-overflow.js:
845
846 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
847
848         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
849         https://bugs.webkit.org/show_bug.cgi?id=193711
850         <rdar://problem/47250262>
851
852         Reviewed by Saam Barati.
853
854         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
855         (shouldBe):
856         (foo):
857         (bar):
858         (baz):
859
860 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         Unreviewed, fix initial global lexical binding epoch
863         https://bugs.webkit.org/show_bug.cgi?id=193603
864         <rdar://problem/47380869>
865
866         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
867         (f1.f2.f3.f4):
868         (f1.f2.f3):
869         (f1.f2):
870         (f1):
871
872 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
873
874         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
875         https://bugs.webkit.org/show_bug.cgi?id=193709
876         <rdar://problem/47363838>
877
878         Unreviewed, rollout to watch the tests.
879
880         * stress/object-tostring-changed-proto.js: Removed.
881         * stress/object-tostring-changed.js: Removed.
882         * stress/object-tostring-misc.js: Removed.
883         * stress/object-tostring-other.js: Removed.
884         * stress/object-tostring-untyped.js: Removed.
885
886 2019-01-22  Saam Barati  <sbarati@apple.com>
887
888         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
889
890         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
891         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
892         (testUncheckedLessThanZero):
893         (testUncheckedLessThanOrEqualZero):
894         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
895         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
896
897 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
898
899         [JSC] Invalidate old scope operations using global lexical binding epoch
900         https://bugs.webkit.org/show_bug.cgi?id=193603
901         <rdar://problem/47380869>
902
903         Reviewed by Saam Barati.
904
905         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
906         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
907         (shouldThrow):
908         (bar):
909         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
910         (shouldBe):
911         (get1):
912         (get2):
913         (get1If):
914         (get2If):
915         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
916         (shouldThrow):
917         (foo):
918
919 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         Unreviewed, roll out r240220 due to date-format-xparb regression
922         https://bugs.webkit.org/show_bug.cgi?id=193603
923
924         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
925         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
926         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
927         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
928
929 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
930
931         DoesGC rule is wrong for nodes with BigIntUse
932         https://bugs.webkit.org/show_bug.cgi?id=193652
933
934         Reviewed by Saam Barati.
935
936         * stress/big-int-value-op-update-gc-rules.js: Added.
937         (assert):
938         (doesGCAdd):
939         (doesGCSub):
940         (doesGCDiv):
941         (doesGCMul):
942         (doesGCBitAnd):
943         (doesGCBitOr):
944         (doesGCBitXor):
945
946 2019-01-20  Saam Barati  <sbarati@apple.com>
947
948         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
949         https://bugs.webkit.org/show_bug.cgi?id=193644
950         <rdar://problem/46209745>
951
952         Reviewed by Yusuke Suzuki.
953
954         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
955         (foo):
956         * stress/data-view-set-intrinsic-undefined-result.js: Added.
957         (foo):
958         (bar):
959
960 2019-01-20  Saam Barati  <sbarati@apple.com>
961
962         MovHint must merge NodeBytecodeUsesAsValue for its child
963         https://bugs.webkit.org/show_bug.cgi?id=186916
964         <rdar://problem/41396612>
965
966         Reviewed by Yusuke Suzuki.
967
968         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
969         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
970
971 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
972
973         [JSC] Invalidate old scope operations using global lexical binding epoch
974         https://bugs.webkit.org/show_bug.cgi?id=193603
975         <rdar://problem/47380869>
976
977         Reviewed by Saam Barati.
978
979         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
980         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
981         (shouldThrow):
982         (bar):
983         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
984         (shouldBe):
985         (get1):
986         (get2):
987         (get1If):
988         (get2If):
989         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
990         (shouldThrow):
991         (foo):
992
993 2019-01-17  Saam barati  <sbarati@apple.com>
994
995         StringObjectUse should not be a structure check for the original string object structure
996         https://bugs.webkit.org/show_bug.cgi?id=193483
997         <rdar://problem/47280522>
998
999         Reviewed by Yusuke Suzuki.
1000
1001         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1002         (foo):
1003         (a.valueOf.0):
1004
1005 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1006
1007         [JSC] ToThis omission in DFGByteCodeParser is wrong
1008         https://bugs.webkit.org/show_bug.cgi?id=193513
1009         <rdar://problem/45842236>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/to-this-omission-with-different-strict-modes.js: Added.
1014         (thisA):
1015         (thisAStrictWrapper):
1016
1017 2019-01-15  Mark Lam  <mark.lam@apple.com>
1018
1019         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1020         https://bugs.webkit.org/show_bug.cgi?id=193423
1021         <rdar://problem/46209355>
1022
1023         Reviewed by Saam Barati.
1024
1025         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1026         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1027         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1028         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1029
1030 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1031
1032         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1033         https://bugs.webkit.org/show_bug.cgi?id=193438
1034         <rdar://problem/45581249>
1035
1036         Reviewed by Saam Barati and Keith Miller.
1037
1038         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1039         Then, GetByVal(String) crashed.
1040
1041         * stress/string-get-by-val-lowering.js: Added.
1042         (shouldBe):
1043         (test):
1044         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1045         (Hello):
1046         (foo):
1047
1048 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1049
1050         Unreviewed, skip JIT tests if it's not enabled
1051
1052         * stress/bit-op-with-object-returning-int32.js:
1053
1054 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1055
1056         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1057         https://bugs.webkit.org/show_bug.cgi?id=192966
1058
1059         Reviewed by Yusuke Suzuki.
1060
1061         * stress/bit-op-with-object-returning-int32.js: Added.
1062
1063 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1064
1065         Skip a slow test and a flakey test on arm
1066
1067         Unreviewed gardening.
1068
1069         * typeProfiler/getter-richards.js:
1070         this test always times out, it used to be always skipped on arm and
1071         mips, but got accidentally enabled by r237919 now that we have DFG on
1072         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1073
1074 2019-01-14  Keith Miller  <keith_miller@apple.com>
1075
1076         Skip type-check-hoisting-phase-hoist... with no jit
1077         https://bugs.webkit.org/show_bug.cgi?id=193421
1078
1079         Reviewed by Mark Lam.
1080
1081         It's timing out the 32-bit bots and takes 330 seconds
1082         on my machine when run by itself.
1083
1084         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1085
1086 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1087
1088         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1089         https://bugs.webkit.org/show_bug.cgi?id=193413
1090         <rdar://problem/46092389>
1091
1092         Reviewed by Keith Miller.
1093
1094         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1095         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1096         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1097         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1098
1099         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1100         (compareArray):
1101
1102 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1103
1104         [BigInt] Literal parsing is crashing when used inside a Object Literal
1105         https://bugs.webkit.org/show_bug.cgi?id=193404
1106
1107         Reviewed by Yusuke Suzuki.
1108
1109         * stress/big-int-literal-inside-literal-object.js: Added.
1110
1111 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1112
1113         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1114         https://bugs.webkit.org/show_bug.cgi?id=193372
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/typed-array-array-modes-profile.js: Added.
1119         (foo):
1120
1121 2019-01-14  Mark Lam  <mark.lam@apple.com>
1122
1123         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1124         https://bugs.webkit.org/show_bug.cgi?id=193402
1125         <rdar://problem/46012309>
1126
1127         Reviewed by Keith Miller.
1128
1129         * stress/regexp-compile-oom.js:
1130         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1131           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1132
1133 2019-01-11  Saam barati  <sbarati@apple.com>
1134
1135         DFG combined liveness can be wrong for terminal basic blocks
1136         https://bugs.webkit.org/show_bug.cgi?id=193304
1137         <rdar://problem/45268632>
1138
1139         Reviewed by Yusuke Suzuki.
1140
1141         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1142
1143 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1144
1145         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1146         https://bugs.webkit.org/show_bug.cgi?id=193308
1147         <rdar://problem/45546542>
1148
1149         Reviewed by Saam Barati.
1150
1151         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1152         (shouldThrow):
1153         (shouldBe):
1154         (foo):
1155         (get shouldThrow):
1156         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1157         (shouldThrow):
1158         (shouldBe):
1159         (foo):
1160         (get shouldBe):
1161         (get shouldThrow):
1162         (get return):
1163         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1164         (shouldThrow):
1165         (shouldBe):
1166         (foo):
1167         (get shouldBe):
1168         (get shouldThrow):
1169         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1170         (shouldThrow):
1171         (shouldBe):
1172         (foo):
1173         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1174         (shouldThrow):
1175         (shouldBe):
1176         (foo):
1177         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1178         (shouldThrow):
1179         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1180         (shouldThrow):
1181         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1182         (shouldThrow):
1183         (shouldBe):
1184         (foo):
1185         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1186         (shouldThrow):
1187         (shouldBe):
1188         (foo):
1189         (get shouldBe):
1190         (get shouldThrow):
1191         (get return):
1192         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1193         (shouldThrow):
1194         (shouldBe):
1195         (foo):
1196         (get shouldBe):
1197         (get shouldThrow):
1198         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1199         (shouldThrow):
1200         (shouldBe):
1201         (foo):
1202         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1203         (shouldThrow):
1204         (shouldBe):
1205         (foo):
1206
1207 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1208
1209         Enable DFG on ARM/Linux again
1210         https://bugs.webkit.org/show_bug.cgi?id=192496
1211
1212         Reviewed by Yusuke Suzuki.
1213
1214         Test wasn't really skipped before moving the line with skip
1215         to the top.
1216
1217         * stress/regress-192717.js:
1218
1219 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1220
1221         Unreviewed, rolling out r239825.
1222         https://bugs.webkit.org/show_bug.cgi?id=193330
1223
1224         Broke tests on armv7/linux bots (Requested by guijemont on
1225         #webkit).
1226
1227         Reverted changeset:
1228
1229         "Enable DFG on ARM/Linux again"
1230         https://bugs.webkit.org/show_bug.cgi?id=192496
1231         https://trac.webkit.org/changeset/239825
1232
1233 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1234
1235         Enable DFG on ARM/Linux again
1236         https://bugs.webkit.org/show_bug.cgi?id=192496
1237
1238         Reviewed by Yusuke Suzuki.
1239
1240         Test wasn't really skipped before moving the line with skip
1241         to the top.
1242
1243         * stress/regress-192717.js:
1244
1245 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1246
1247         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1248         https://bugs.webkit.org/show_bug.cgi?id=193127
1249
1250         Reviewed by Saam Barati.
1251
1252         * stress/array-species-create-should-handle-masquerader.js: Added.
1253         (shouldThrow):
1254         * stress/is-undefined-or-null-builtin.js: Added.
1255         (shouldBe):
1256         (isUndefinedOrNull.vm.createBuiltin):
1257
1258 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1259
1260         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1261         https://bugs.webkit.org/show_bug.cgi?id=193221
1262
1263         Reviewed by Mark Lam.
1264
1265         * stress/put-by-id-flags.js: Added.
1266         (f):
1267         (g):
1268         (numberOfDFGCompiles):
1269
1270 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1271
1272         Baseline version of get_by_id may corrupt metadata
1273         https://bugs.webkit.org/show_bug.cgi?id=193085
1274         <rdar://problem/23453006>
1275
1276         Reviewed by Saam Barati.
1277
1278         * stress/get-by-id-change-mode.js: Added.
1279         (forEach):
1280
1281 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1282
1283         [JSC] Optimize Object.prototype.toString
1284         https://bugs.webkit.org/show_bug.cgi?id=193031
1285
1286         Reviewed by Saam Barati.
1287
1288         * stress/object-tostring-changed-proto.js: Added.
1289         (shouldBe):
1290         (test):
1291         * stress/object-tostring-changed.js: Added.
1292         (shouldBe):
1293         (test):
1294         * stress/object-tostring-misc.js: Added.
1295         (shouldBe):
1296         (test):
1297         (i.switch):
1298         * stress/object-tostring-other.js: Added.
1299         (shouldBe):
1300         (test):
1301         * stress/object-tostring-untyped.js: Added.
1302         (shouldBe):
1303         (test):
1304         (i.switch):
1305
1306 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1307
1308         test262-runner misbehaves when test file YAML has a trailing space
1309         https://bugs.webkit.org/show_bug.cgi?id=193053
1310
1311         Reviewed by Yusuke Suzuki.
1312
1313         * test262/expectations.yaml:
1314         Mark two dozen tests as passing (and correct the output of another).
1315
1316 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1317
1318         Unreviewed, JSTests gardening with memoryLimited
1319
1320         * stress/string-overflow-createError.js:
1321
1322 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1323
1324         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1325         https://bugs.webkit.org/show_bug.cgi?id=193050
1326
1327         Reviewed by Yusuke Suzuki.
1328
1329         * test262.yaml:
1330         * test262/expectations.yaml:
1331         Mark 16 tests as passing.
1332
1333 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1334
1335         [BigInt] Support BigInt in JSON.stringify
1336         https://bugs.webkit.org/show_bug.cgi?id=192624
1337
1338         Reviewed by Saam Barati.
1339
1340         * stress/big-int-json-stringify-to-json.js: Added.
1341         (shouldBe):
1342         (shouldThrow):
1343         (BigInt.prototype.toJSON):
1344         (shouldBe.JSON.stringify):
1345         * stress/big-int-json-stringify.js: Added.
1346         (shouldBe):
1347         (shouldThrow):
1348
1349 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1350
1351         [JSC] Implement "well-formed JSON.stringify" proposal
1352         https://bugs.webkit.org/show_bug.cgi?id=191677
1353
1354         Reviewed by Darin Adler.
1355
1356         * stress/json-surrogate-pair.js: Added.
1357         (shouldBe):
1358         * test262/expectations.yaml:
1359
1360 2018-12-20  Keith Miller  <keith_miller@apple.com>
1361
1362         Add support for globalThis
1363         https://bugs.webkit.org/show_bug.cgi?id=165171
1364
1365         Reviewed by Mark Lam.
1366
1367         * test262/config.yaml:
1368
1369 2018-12-19  Keith Miller  <keith_miller@apple.com>
1370
1371         Update test262 configuration to not run tests dependent on ICU version.
1372         https://bugs.webkit.org/show_bug.cgi?id=192920
1373
1374         Reviewed by Saam Barati.
1375
1376         * test262/expectations.yaml:
1377
1378 2018-12-20  Mark Lam  <mark.lam@apple.com>
1379
1380         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1381         https://bugs.webkit.org/show_bug.cgi?id=192939
1382         <rdar://problem/46869516>
1383
1384         Reviewed by Keith Miller.
1385
1386         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1387
1388 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1389
1390         WTF::String and StringImpl overflow MaxLength
1391         https://bugs.webkit.org/show_bug.cgi?id=192853
1392         <rdar://problem/45726906>
1393
1394         Reviewed by Mark Lam.
1395
1396         * stress/string-16bit-repeat-overflow.js: Added.
1397         (catch):
1398
1399 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1400
1401         Unreviewed follow-up to r192914.
1402
1403         * test262/expectations.yaml:
1404         Add the last 20 missing expectations.
1405
1406 2018-12-19  Keith Miller  <keith_miller@apple.com>
1407
1408         Fix test262 expectations
1409         https://bugs.webkit.org/show_bug.cgi?id=192914
1410
1411         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1412
1413         * test262/expectations.yaml:
1414
1415 2018-12-19  Keith Miller  <keith_miller@apple.com>
1416
1417         Update test262 tests.
1418         https://bugs.webkit.org/show_bug.cgi?id=192907
1419
1420         Rubber stamped by Mark Lam.
1421
1422         * test262/*: Omitted because prepare-changelog crashes.
1423
1424 2018-12-19  Mark Lam  <mark.lam@apple.com>
1425
1426         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1427         https://bugs.webkit.org/show_bug.cgi?id=192464
1428         <rdar://problem/46519455>
1429
1430         Reviewed by Saam Barati.
1431
1432         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1433         microbenchmark.
1434
1435         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1436         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1437
1438 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1439
1440         String overflow in JSC::createError results in ASSERT in WTF::makeString
1441         https://bugs.webkit.org/show_bug.cgi?id=192833
1442         <rdar://problem/45706868>
1443
1444         Reviewed by Mark Lam.
1445
1446         * stress/string-overflow-createError.js: Added.
1447
1448 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1449
1450         Error message for `-x ** y` contains a typo.
1451         https://bugs.webkit.org/show_bug.cgi?id=192832
1452
1453         Reviewed by Saam Barati.
1454
1455         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1456         (assert.assert.return.throws):
1457         * stress/pow-expects-update-expression-on-lhs.js:
1458         (throw.new.Error):
1459         Update test expectations which match against the exact error message.
1460
1461 2018-12-18  Mark Lam  <mark.lam@apple.com>
1462
1463         Gardening: test options fix.
1464         https://bugs.webkit.org/show_bug.cgi?id=192822
1465
1466         Unreviewed.
1467
1468         * stress/json-stringify-string-builder-overflow.js:
1469
1470 2018-12-18  Mark Lam  <mark.lam@apple.com>
1471
1472         JSON.stringify() should throw OOM on StringBuilder overflows.
1473         https://bugs.webkit.org/show_bug.cgi?id=192822
1474         <rdar://problem/46670577>
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/json-stringify-string-builder-overflow.js: Added.
1479
1480 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1481
1482         Redeclaration of var over let/const/class should be a syntax error.
1483         https://bugs.webkit.org/show_bug.cgi?id=192298
1484
1485         Reviewed by Keith Miller.
1486
1487         * test262.yaml:
1488         * test262/expectations.yaml:
1489         Mark 46 tests as passing.
1490
1491         * stress/block-scope-redeclarations.js:
1492         Add some new tests.
1493
1494         * stress/for-in-invalidate-context-weird-assignments.js:
1495         * stress/for-in-tests.js:
1496         Replace tests for outdated behavior with tests for SyntaxError.
1497
1498         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1499         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1500         Update expectations.
1501
1502 2018-12-18  Mark Lam  <mark.lam@apple.com>
1503
1504         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1505         https://bugs.webkit.org/show_bug.cgi?id=191374
1506         <rdar://problem/46525447>
1507
1508         Reviewed by Yusuke Suzuki.
1509
1510         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1511
1512         * stress/elidable-new-object-roflcopter-then-exit.js:
1513
1514 2018-12-17  Mark Lam  <mark.lam@apple.com>
1515
1516         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1517         https://bugs.webkit.org/show_bug.cgi?id=192019
1518         <rdar://problem/46525456>
1519
1520         Reviewed by Yusuke Suzuki.
1521
1522         The test runs too slow on 32-bit.
1523
1524         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1525
1526 2018-12-17  Mark Lam  <mark.lam@apple.com>
1527
1528         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1529         https://bugs.webkit.org/show_bug.cgi?id=191373
1530         <rdar://problem/46525458>
1531
1532         Reviewed by Yusuke Suzuki.
1533
1534         The test is already slow running with a JIT on 64-bit.  It will always time out
1535         on 32-bit without a JIT.
1536
1537         * stress/materialize-regexp-cyclic-regexp.js:
1538
1539 2018-12-17  Mark Lam  <mark.lam@apple.com>
1540
1541         Array unshift/shift should not race against the AI in the compiler thread.
1542         https://bugs.webkit.org/show_bug.cgi?id=192795
1543         <rdar://problem/46724263>
1544
1545         Reviewed by Saam Barati.
1546
1547         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1548
1549 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1550
1551         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1552         https://bugs.webkit.org/show_bug.cgi?id=190047
1553
1554         Reviewed by Saam Barati.
1555
1556         * stress/object-keys-cached-zero.js: Added.
1557         (shouldBe):
1558         (test):
1559         * stress/object-keys-changed-attribute.js: Added.
1560         (shouldBe):
1561         (test):
1562         * stress/object-keys-changed-index.js: Added.
1563         (shouldBe):
1564         (test):
1565         * stress/object-keys-changed.js: Added.
1566         (shouldBe):
1567         (test):
1568         * stress/object-keys-indexed-non-cache.js: Added.
1569         (shouldBe):
1570         (test):
1571         * stress/object-keys-overrides-get-property-names.js: Added.
1572         (shouldBe):
1573         (test):
1574         (noInline):
1575
1576 2018-12-17  Mark Lam  <mark.lam@apple.com>
1577
1578         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1579         https://bugs.webkit.org/show_bug.cgi?id=192779
1580         <rdar://problem/46775869>
1581
1582         Reviewed by Saam Barati.
1583
1584         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1585
1586 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1587
1588         Unreviewed test gardening, address a syntax error in a new test.
1589
1590         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1591
1592 2018-12-17  Mark Lam  <mark.lam@apple.com>
1593
1594         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1595         https://bugs.webkit.org/show_bug.cgi?id=192776
1596         <rdar://problem/46772368>
1597
1598         Reviewed by Keith Miller.
1599
1600         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1601
1602 2018-12-17  Mark Lam  <mark.lam@apple.com>
1603
1604         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1605         https://bugs.webkit.org/show_bug.cgi?id=192770
1606         <rdar://problem/46449037>
1607
1608         Reviewed by Keith Miller.
1609
1610         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1611
1612 2018-12-14  Mark Lam  <mark.lam@apple.com>
1613
1614         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1615         https://bugs.webkit.org/show_bug.cgi?id=192717
1616         <rdar://problem/46660677>
1617
1618         Reviewed by Saam Barati.
1619
1620         * stress/regress-192717.js: Added.
1621
1622 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1623
1624         Unreviewed, rolling out r239153, r239154, and r239155.
1625         https://bugs.webkit.org/show_bug.cgi?id=192715
1626
1627         Caused flaky GC-related crashes seen with layout tests
1628         (Requested by ryanhaddad on #webkit).
1629
1630         Reverted changesets:
1631
1632         "[JSC] Optimize Object.keys by caching own keys results in
1633         StructureRareData"
1634         https://bugs.webkit.org/show_bug.cgi?id=190047
1635         https://trac.webkit.org/changeset/239153
1636
1637         "Unreviewed, build fix after r239153"
1638         https://bugs.webkit.org/show_bug.cgi?id=190047
1639         https://trac.webkit.org/changeset/239154
1640
1641         "Unreviewed, build fix after r239153, part 2"
1642         https://bugs.webkit.org/show_bug.cgi?id=190047
1643         https://trac.webkit.org/changeset/239155
1644
1645 2018-12-14  Keith Miller  <keith_miller@apple.com>
1646
1647         Callers of JSString::getIndex should check for OOM exceptions
1648         https://bugs.webkit.org/show_bug.cgi?id=192709
1649
1650         Reviewed by Mark Lam.
1651
1652         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1653
1654 2018-12-13  Mark Lam  <mark.lam@apple.com>
1655
1656         Add a missing exception check.
1657         https://bugs.webkit.org/show_bug.cgi?id=192626
1658         <rdar://problem/46662163>
1659
1660         Reviewed by Keith Miller.
1661
1662         * stress/regress-192626.js: Added.
1663
1664 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1665
1666         [BigInt] Add ValueDiv into DFG
1667         https://bugs.webkit.org/show_bug.cgi?id=186178
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         * stress/big-int-div-jit-osr.js: Added.
1672         * stress/big-int-div-jit-untyped.js: Added.
1673         * stress/value-div-fixup-int32-big-int.js: Added.
1674
1675 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1676
1677         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1678         https://bugs.webkit.org/show_bug.cgi?id=190047
1679
1680         Reviewed by Keith Miller.
1681
1682         * stress/object-keys-cached-zero.js: Added.
1683         (shouldBe):
1684         (test):
1685         * stress/object-keys-changed-attribute.js: Added.
1686         (shouldBe):
1687         (test):
1688         * stress/object-keys-changed-index.js: Added.
1689         (shouldBe):
1690         (test):
1691         * stress/object-keys-changed.js: Added.
1692         (shouldBe):
1693         (test):
1694         * stress/object-keys-indexed-non-cache.js: Added.
1695         (shouldBe):
1696         (test):
1697         * stress/object-keys-overrides-get-property-names.js: Added.
1698         (shouldBe):
1699         (test):
1700         (noInline):
1701
1702 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1703
1704         [DFG][FTL] Add NewSymbol
1705         https://bugs.webkit.org/show_bug.cgi?id=192620
1706
1707         Reviewed by Saam Barati.
1708
1709         * microbenchmarks/symbol-creation.js: Added.
1710         (test):
1711         * stress/symbol-description-identity.js: Added.
1712         (shouldBe):
1713         (test):
1714         * stress/symbol-identity.js: Added.
1715         (shouldBe):
1716         (test):
1717         * stress/symbol-with-description-throw-error.js: Added.
1718         (shouldBe):
1719         (shouldThrow):
1720         (test):
1721         (object.toString):
1722
1723 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1724
1725         [BigInt] Implement DFG/FTL typeof for BigInt
1726         https://bugs.webkit.org/show_bug.cgi?id=192619
1727
1728         Reviewed by Keith Miller.
1729
1730         * stress/big-int-boolean-proven-type.js: Added.
1731         (assert):
1732         (bool):
1733         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1734         (assert):
1735         (typeOf):
1736         (i.switch):
1737         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1738         (assert):
1739         (typeOf):
1740         * stress/big-int-type-of.js:
1741         (typeOf):
1742         (func):
1743
1744 2018-12-10  Mark Lam  <mark.lam@apple.com>
1745
1746         PropertyAttribute needs a CustomValue bit.
1747         https://bugs.webkit.org/show_bug.cgi?id=191993
1748         <rdar://problem/46264467>
1749
1750         Reviewed by Saam Barati.
1751
1752         * stress/regress-191993.js: Added.
1753
1754 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1755
1756         [BigInt] Add ValueMul into DFG
1757         https://bugs.webkit.org/show_bug.cgi?id=186175
1758
1759         Reviewed by Yusuke Suzuki.
1760
1761         * stress/big-int-mul-jit-osr.js: Added.
1762         * stress/big-int-mul-jit-untyped.js: Added.
1763         * stress/value-mul-fixup-int32-big-int.js: Added.
1764
1765 2018-12-06  Keith Miller  <keith_miller@apple.com>
1766
1767         stress/big-wasm-memory tests failing on 32-bit JSC bot
1768         https://bugs.webkit.org/show_bug.cgi?id=192020
1769
1770         Reviewed by Saam Barati.
1771
1772         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1773         the wasm stress tests if the WebAssembly object does not exist.
1774
1775         * stress/big-wasm-memory-grow-no-max.js:
1776         (test.foo):
1777         (test):
1778         (foo): Deleted.
1779         (catch): Deleted.
1780         * stress/big-wasm-memory-grow.js:
1781         (test.foo):
1782         (test):
1783         (foo): Deleted.
1784         (catch): Deleted.
1785         * stress/big-wasm-memory.js:
1786         (test.foo):
1787         (test):
1788         (foo): Deleted.
1789         (catch): Deleted.
1790
1791 2018-12-05  Mark Lam  <mark.lam@apple.com>
1792
1793         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1794         https://bugs.webkit.org/show_bug.cgi?id=192441
1795         <rdar://problem/46480355>
1796
1797         Reviewed by Saam Barati.
1798
1799         * stress/regress-192441.js: Added.
1800
1801 2018-12-04  Mark Lam  <mark.lam@apple.com>
1802
1803         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1804         https://bugs.webkit.org/show_bug.cgi?id=192386
1805         <rdar://problem/46445516>
1806
1807         Reviewed by Saam Barati.
1808
1809         * stress/regress-192386.js: Added.
1810
1811 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1812
1813         [ESNext][BigInt] Support logic operations
1814         https://bugs.webkit.org/show_bug.cgi?id=179903
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         * stress/big-int-branch-usage.js: Added.
1819         * stress/big-int-logical-and.js: Added.
1820         * stress/big-int-logical-not.js: Added.
1821         * stress/big-int-logical-or.js: Added.
1822
1823 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1824
1825         Unreviewed, rolling out r238833.
1826
1827         Breaks macOS and iOS debug builds.
1828
1829         Reverted changeset:
1830
1831         "[ESNext][BigInt] Support logic operations"
1832         https://bugs.webkit.org/show_bug.cgi?id=179903
1833         https://trac.webkit.org/changeset/238833
1834
1835 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1836
1837         [ESNext][BigInt] Support logic operations
1838         https://bugs.webkit.org/show_bug.cgi?id=179903
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         * stress/big-int-branch-usage.js: Added.
1843         * stress/big-int-logical-and.js: Added.
1844         * stress/big-int-logical-not.js: Added.
1845         * stress/big-int-logical-or.js: Added.
1846
1847 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1848
1849         [ESNext][BigInt] Implement support for "<<" and ">>"
1850         https://bugs.webkit.org/show_bug.cgi?id=186233
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         * stress/big-int-left-shift-general.js: Added.
1855         * stress/big-int-left-shift-range-error.js: Added.
1856         * stress/big-int-left-shift-type-error.js: Added.
1857         * stress/big-int-left-shift-wrapped-value.js: Added.
1858         * stress/big-int-right-shift-general.js: Added.
1859         * stress/big-int-right-shift-type-error.js: Added.
1860         * stress/big-int-right-shift-wrapped-value.js: Added.
1861         * stress/left-shift-to-primitive-precedence.js: Added.
1862         * stress/right-shift-to-primitive-precedence.js: Added.
1863
1864 2018-11-30  Dean Jackson  <dino@apple.com>
1865
1866         Add first-class support for .mjs files in jsc binary
1867         https://bugs.webkit.org/show_bug.cgi?id=192190
1868         <rdar://problem/46375715>
1869
1870         Reviewed by Keith Miller.
1871
1872         * stress/simple-module.mjs: Added.
1873         * stress/simple-script.js: Added.
1874
1875 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1876
1877         [BigInt] Implement ValueBitXor into DFG
1878         https://bugs.webkit.org/show_bug.cgi?id=190264
1879
1880         Reviewed by Yusuke Suzuki.
1881
1882         * stress/big-int-bitwise-xor-jit.js: Added.
1883         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1884         * stress/big-int-bitwise-xor-untyped.js: Added.
1885
1886 2018-11-27  Saam barati  <sbarati@apple.com>
1887
1888         r238510 broke scopes of size zero
1889         https://bugs.webkit.org/show_bug.cgi?id=192033
1890         <rdar://problem/46281734>
1891
1892         Reviewed by Keith Miller.
1893
1894         * stress/r238510-bad-loop.js: Added.
1895         (foo):
1896
1897 2018-11-27  Mark Lam  <mark.lam@apple.com>
1898
1899         [Re-landing] NaNs read from Wasm code needs to be purified.
1900         https://bugs.webkit.org/show_bug.cgi?id=191056
1901         <rdar://problem/45660341>
1902
1903         Reviewed by Filip Pizlo.
1904
1905         * wasm/regress/regress-191056.js: Added.
1906
1907 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1908
1909         Unreviewed, rolling out r238509.
1910
1911         Causes JSC tests to fail on iOS.
1912
1913         Reverted changeset:
1914
1915         "NaNs read from Wasm code needs to be purified."
1916         https://bugs.webkit.org/show_bug.cgi?id=191056
1917         https://trac.webkit.org/changeset/238509
1918
1919 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1920
1921         Re-introduce op_bitnot
1922         https://bugs.webkit.org/show_bug.cgi?id=190923
1923
1924         Reviewed by Yusuke Suzuki.
1925
1926         * stress/bit-not-must-generate.js: Added.
1927         * stress/bitwise-not-no-int32.js: Added.
1928
1929 2018-11-26  Saam barati  <sbarati@apple.com>
1930
1931         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1932         https://bugs.webkit.org/show_bug.cgi?id=191956
1933         <rdar://problem/45665806>
1934
1935         Reviewed by Yusuke Suzuki.
1936
1937         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1938         (bar):
1939         (foo):
1940
1941 2018-11-26  Saam barati  <sbarati@apple.com>
1942
1943         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1944         https://bugs.webkit.org/show_bug.cgi?id=191958
1945         <rdar://problem/46221877>
1946
1947         Reviewed by Yusuke Suzuki.
1948
1949         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1950         (x):
1951         (foo):
1952
1953 2018-11-26  Mark Lam  <mark.lam@apple.com>
1954
1955         NaNs read from Wasm code needs to be purified.
1956         https://bugs.webkit.org/show_bug.cgi?id=191056
1957         <rdar://problem/45660341>
1958
1959         Reviewed by Filip Pizlo.
1960
1961         * wasm/regress/regress-191056.js: Added.
1962
1963 2018-11-26  Michael Saboff  <msaboff@apple.com>
1964
1965         32-bit JSC test failure: stress/regexp-compile-oom.js
1966         https://bugs.webkit.org/show_bug.cgi?id=191375
1967
1968         Reviewed by Mark Lam.
1969
1970         Disabled the test for 32 bit platforms.
1971
1972         * stress/regexp-compile-oom.js:
1973
1974 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1975
1976         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1977         https://bugs.webkit.org/show_bug.cgi?id=191716
1978         <rdar://problem/45723878>
1979
1980         Reviewed by Saam Barati.
1981
1982         * stress/regress-187373.js: Added.
1983         (async.fn):
1984
1985 2018-11-21  Saam barati  <sbarati@apple.com>
1986
1987         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1988         https://bugs.webkit.org/show_bug.cgi?id=191897
1989         <rdar://problem/45871998>
1990
1991         Reviewed by Mark Lam.
1992
1993         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1994         (bar):
1995         (foo):
1996
1997 2018-11-21  Saam barati  <sbarati@apple.com>
1998
1999         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2000         https://bugs.webkit.org/show_bug.cgi?id=191895
2001         <rdar://problem/46167406>
2002
2003         Reviewed by Mark Lam.
2004
2005         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2006         (foo):
2007         (bar):
2008
2009 2018-11-21  Mark Lam  <mark.lam@apple.com>
2010
2011         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2012         https://bugs.webkit.org/show_bug.cgi?id=191776
2013         <rdar://problem/46152851>
2014
2015         Reviewed by Saam Barati.
2016
2017         * stress/big-wasm-memory-grow-no-max.js:
2018         * stress/big-wasm-memory-grow.js:
2019         * stress/big-wasm-memory.js:
2020         - updated these to expect an OutOfMemoryError.
2021
2022         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2023         (Binary.prototype.emit_u8):
2024         (Binary.prototype.emit_u32v):
2025         (Binary.prototype.emit_header):
2026         (Binary.prototype.emit_section):
2027         (Binary):
2028         (WasmModuleBuilder):
2029         (WasmModuleBuilder.prototype.addMemory):
2030         (WasmModuleBuilder.prototype.toArray):
2031         (WasmModuleBuilder.prototype.toBuffer):
2032         (WasmModuleBuilder.prototype.instantiate):
2033         (catch):
2034         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2035         (catch):
2036
2037 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2038
2039         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2040         https://bugs.webkit.org/show_bug.cgi?id=190836
2041
2042         Reviewed by Saam Barati and Yusuke Suzuki.
2043
2044         * stress/big-int-out-of-memory-tests.js: Added.
2045
2046 2018-11-20  Mark Lam  <mark.lam@apple.com>
2047
2048         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2049         https://bugs.webkit.org/show_bug.cgi?id=191856
2050         <rdar://problem/46089992>
2051
2052         Reviewed by Yusuke Suzuki.
2053
2054         * stress/regress-191856.js: Added.
2055         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2056
2057 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2058
2059         Enable JIT on ARM/Linux
2060         https://bugs.webkit.org/show_bug.cgi?id=191548
2061
2062         Reviewed by Yusuke Suzuki.
2063
2064         Disable test on system with limited memory. Program was killed by
2065         the OS before the exception was thrown.
2066
2067         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2068
2069 2018-11-20  Saam barati  <sbarati@apple.com>
2070
2071         Merging an IC variant may lead to the IC status containing overlapping structure sets
2072         https://bugs.webkit.org/show_bug.cgi?id=191869
2073         <rdar://problem/45403453>
2074
2075         Reviewed by Mark Lam.
2076
2077         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2078
2079 2018-11-19  Mark Lam  <mark.lam@apple.com>
2080
2081         globalFuncImportModule() should return a promise when it clears exceptions.
2082         https://bugs.webkit.org/show_bug.cgi?id=191792
2083         <rdar://problem/46090763>
2084
2085         Reviewed by Michael Saboff.
2086
2087         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2088
2089 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2090
2091         Skip new memory-hungry tests on memory limited devices
2092
2093         Unreviewed gardening.
2094
2095         * stress/big-wasm-memory-grow-no-max.js:
2096         * stress/big-wasm-memory-grow.js:
2097         * stress/big-wasm-memory.js:
2098
2099 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2100
2101         Unreviewed, rolling in the rest of r237254
2102         https://bugs.webkit.org/show_bug.cgi?id=190340
2103
2104         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2105         * stress/function-cache-with-parameters-end-position.js: Added.
2106         (shouldBe):
2107         (shouldThrow):
2108         (i.anonymous):
2109         * stress/function-constructor-name.js: Added.
2110         (shouldBe):
2111         (GeneratorFunction):
2112         (AsyncFunction.async):
2113         (AsyncGeneratorFunction.async):
2114         (anonymous):
2115         (async.anonymous):
2116         * test262/expectations.yaml:
2117
2118 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2119
2120         All users of ArrayBuffer should agree on the same max size
2121         https://bugs.webkit.org/show_bug.cgi?id=191771
2122
2123         Reviewed by Mark Lam.
2124
2125         * stress/big-wasm-memory-grow-no-max.js: Added.
2126         (foo):
2127         (catch):
2128         * stress/big-wasm-memory-grow.js: Added.
2129         (foo):
2130         (catch):
2131         * stress/big-wasm-memory.js: Added.
2132         (foo):
2133         (catch):
2134
2135 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2136
2137         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2138         run for each JSC config since they're regression tests for runtime bugs.
2139
2140         * stress/json-stringified-overflow-2.js:
2141         * stress/json-stringified-overflow.js:
2142
2143 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2144
2145         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2146         config since they're regression tests for runtime bugs.
2147
2148         * stress/large-unshift-splice.js:
2149         * stress/regress-185888.js:
2150
2151 2018-11-16  Saam Barati  <sbarati@apple.com>
2152
2153         KnownCellUse should also have SpecCellCheck as its type filter
2154         https://bugs.webkit.org/show_bug.cgi?id=191729
2155         <rdar://problem/45872852>
2156
2157         Reviewed by Filip Pizlo.
2158
2159         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2160         (C):
2161
2162 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2163
2164         Fix assertion failure on BytecodeGenerator::recordOpcode
2165         https://bugs.webkit.org/show_bug.cgi?id=191724
2166         <rdar://problem/45724395>
2167
2168         Reviewed by Saam Barati.
2169
2170         * stress/regress-187373-2.js: Added.
2171         (foo):
2172
2173 2018-11-15  Mark Lam  <mark.lam@apple.com>
2174
2175         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2176         https://bugs.webkit.org/show_bug.cgi?id=191730
2177         <rdar://problem/46048517>
2178
2179         Reviewed by Saam Barati.
2180
2181         * stress/regress-187006.js: Removed.
2182           - this test is invalid because its sole purpose is to test for the non-spec
2183             compliant behavior that we just fixed.
2184
2185         * stress/regress-191730.js: Added.
2186
2187 2018-11-15  Mark Lam  <mark.lam@apple.com>
2188
2189         RegExp operations should not take fast path if lastIndex is not numeric.
2190         https://bugs.webkit.org/show_bug.cgi?id=191731
2191         <rdar://problem/46017305>
2192
2193         Reviewed by Saam Barati.
2194
2195         * stress/regress-191731.js: Added.
2196
2197 2018-11-13  Saam Barati  <sbarati@apple.com>
2198
2199         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2200         https://bugs.webkit.org/show_bug.cgi?id=191600
2201
2202         Reviewed by Mark Lam.
2203
2204         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2205         (foo):
2206         (test):
2207         (bar):
2208
2209 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2210
2211         Unreviewed, rolling out r238132.
2212
2213         The test added with this change is timing out on Debug JSC
2214         bots.
2215
2216         Reverted changeset:
2217
2218         "[BigInt] JSBigInt::createWithLength should throw when length
2219         is greater than JSBigInt::maxLength"
2220         https://bugs.webkit.org/show_bug.cgi?id=190836
2221         https://trac.webkit.org/changeset/238132
2222
2223 2018-11-13  Mark Lam  <mark.lam@apple.com>
2224
2225         Add OOM detection to StringPrototype's substituteBackreferences().
2226         https://bugs.webkit.org/show_bug.cgi?id=191563
2227         <rdar://problem/45720428>
2228
2229         Reviewed by Saam Barati.
2230
2231         * stress/regress-191563.js: Added.
2232
2233 2018-11-13  Mark Lam  <mark.lam@apple.com>
2234
2235         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2236         https://bugs.webkit.org/show_bug.cgi?id=191579
2237         <rdar://problem/45942472>
2238
2239         Reviewed by Saam Barati.
2240
2241         * stress/regress-191579.js: Added.
2242
2243 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2244
2245         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2246         https://bugs.webkit.org/show_bug.cgi?id=190836
2247
2248         Reviewed by Saam Barati.
2249
2250         * stress/big-int-out-of-memory-tests.js: Added.
2251
2252 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2253
2254         U+180E is no longer a whitespace character
2255         https://bugs.webkit.org/show_bug.cgi?id=191415
2256
2257         Reviewed by Saam Barati.
2258
2259         * ChakraCore/test/es5/regexSpace.baseline:
2260         * ChakraCore/test/es6/unicode_whitespace.js:
2261         Update tests to latest version.
2262         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2263
2264         * test262.yaml:
2265         * test262/config.yaml:
2266         * test262/expectations.yaml:
2267         Update expectations.
2268
2269 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2270
2271         [BigInt] Add support to BigInt into ValueAdd
2272         https://bugs.webkit.org/show_bug.cgi?id=186177
2273
2274         Reviewed by Keith Miller.
2275
2276         * stress/big-int-negate-jit.js:
2277         * stress/value-add-big-int-and-string.js: Added.
2278         * stress/value-add-big-int-prediction-propagation.js: Added.
2279         * stress/value-add-big-int-untyped.js: Added.
2280
2281 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2282
2283         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2284         https://bugs.webkit.org/show_bug.cgi?id=191184
2285
2286         Reviewed by Saam Barati.
2287
2288         Most tests were failing due to timeouts, since they are too slow to
2289         run on CLoop. The exceptions are:
2290
2291         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2292         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2293         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2294         to change the stack size since CLoop requires it to be page aligned.
2295
2296         * microbenchmarks/array-push-1.js:
2297         * microbenchmarks/array-push-2.js:
2298         * microbenchmarks/elidable-new-object-dag.js:
2299         * microbenchmarks/elidable-new-object-roflcopter.js:
2300         * microbenchmarks/elidable-new-object-tree.js:
2301         * microbenchmarks/getter-richards.js:
2302         * microbenchmarks/sinkable-new-object-dag.js:
2303         * microbenchmarks/string-concat-long-convert.js:
2304         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2305         * slowMicrobenchmarks/array-push-3.js:
2306         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2307         * slowMicrobenchmarks/spread-small-array.js:
2308         * slowMicrobenchmarks/undefined-property-access.js:
2309         * stress/activation-sink-default-value-tdz-error.js:
2310         * stress/activation-sink-default-value.js:
2311         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2312         * stress/activation-sink-osrexit-default-value.js:
2313         * stress/activation-sink-osrexit.js:
2314         * stress/activation-sink.js:
2315         * stress/allow-math-ic-b3-code-duplication.js:
2316         * stress/array-push-multiple-int32.js:
2317         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2318         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2319         * stress/arrowfunction-lexical-this-activation-sink.js:
2320         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2321         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2322         * stress/elide-new-object-dag-then-exit.js:
2323         * stress/materialize-regexp-cyclic.js:
2324         * stress/new-regex-inline.js:
2325         * stress/op_add.js:
2326         * stress/op_bitand.js:
2327         * stress/op_bitor.js:
2328         * stress/op_bitxor.js:
2329         * stress/op_div-ConstVar.js:
2330         * stress/op_div-VarConst.js:
2331         * stress/op_div-VarVar.js:
2332         * stress/op_lshift-ConstVar.js:
2333         * stress/op_lshift-VarConst.js:
2334         * stress/op_lshift-VarVar.js:
2335         * stress/op_mod-ConstVar.js:
2336         * stress/op_mod-VarConst.js:
2337         * stress/op_mod-VarVar.js:
2338         * stress/op_mul-ConstVar.js:
2339         * stress/op_mul-VarConst.js:
2340         * stress/op_mul-VarVar.js:
2341         * stress/op_rshift-ConstVar.js:
2342         * stress/op_rshift-VarConst.js:
2343         * stress/op_rshift-VarVar.js:
2344         * stress/op_sub-ConstVar.js:
2345         * stress/op_sub-VarConst.js:
2346         * stress/op_sub-VarVar.js:
2347         * stress/op_urshift-ConstVar.js:
2348         * stress/op_urshift-VarConst.js:
2349         * stress/op_urshift-VarVar.js:
2350         * stress/proxy-get-set-correct-receiver.js:
2351         * stress/regress-179562.js:
2352         * stress/rest-parameter-many-arguments.js:
2353         * stress/sampling-profiler-richards.js:
2354         * stress/splay-flash-access-1ms.js:
2355         * stress/tailCallForwardArguments.js:
2356         * stress/typed-array-get-by-val-profiling.js:
2357         * typeProfiler/getter-richards.js:
2358
2359 2018-11-06  Michael Saboff  <msaboff@apple.com>
2360
2361         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2362         https://bugs.webkit.org/show_bug.cgi?id=191271
2363
2364         Reviewed by Saam Barati.
2365
2366         Added more test cases and made all test cases run with the same deeply recursive stack
2367         instead of finding that same point for each test case.
2368
2369         * stress/regexp-compile-oom.js:
2370         (prototype.runTest):
2371         (recurseAndTest):
2372         (testList.push.new.TestAndExpectedException):
2373
2374 2018-11-05  Michael Saboff  <msaboff@apple.com>
2375
2376         Unreviewed build fix for linux.
2377
2378         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2379
2380 2018-11-02  Michael Saboff  <msaboff@apple.com>
2381
2382         Rolling in r237753 with unreviewed build fix.
2383
2384         Fixed issues with DECLARE_THROW_SCOPE placement.
2385
2386 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2387
2388         Unreviewed, rolling out r237753.
2389
2390         Introduced JSC test failures
2391
2392         Reverted changeset:
2393
2394         "Running out of stack space not properly handled in
2395         RegExp::compile() and its callers"
2396         https://bugs.webkit.org/show_bug.cgi?id=191206
2397         https://trac.webkit.org/changeset/237753
2398
2399 2018-11-02  Michael Saboff  <msaboff@apple.com>
2400
2401         Running out of stack space not properly handled in RegExp::compile() and its callers
2402         https://bugs.webkit.org/show_bug.cgi?id=191206
2403
2404         Reviewed by Filip Pizlo.
2405
2406         New regression test.
2407
2408         * stress/regexp-compile-oom.js: Added.
2409         (recurseAndTest):
2410
2411 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2412
2413         Skip tests on arm/mips that time out now we're running on CLoop
2414
2415         Unreviewed gardening.
2416
2417         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2418         time out on the bots and need to be disabled. There's more tests
2419         disabled on arm because the timeout is longer on the mips bot (as the
2420         device is slower to start with), so many of the tests don't time out
2421         there.
2422
2423         * microbenchmarks/getter-richards.js: disable on arm and mips.
2424         * stress/op_add.js: disable on arm.
2425         * stress/op_bitand.js: disable on arm.
2426         * stress/op_bitor.js: disable on arm.
2427         * stress/op_bitxor.js: disable on arm.
2428         * stress/op_lshift-ConstVar.js: disable on arm.
2429         * stress/op_lshift-VarConst.js: disable on arm.
2430         * stress/op_lshift-VarVar.js: disable on arm.
2431         * stress/op_mod-ConstVar.js: disable on arm.
2432         * stress/op_mod-VarConst.js: disable on arm.
2433         * stress/op_mod-VarVar.js: disable on arm.
2434         * stress/op_mul-ConstVar.js: disable on arm.
2435         * stress/op_mul-VarConst.js: disable on arm.
2436         * stress/op_mul-VarVar.js: disable on arm.
2437         * stress/op_rshift-ConstVar.js: disable on arm.
2438         * stress/op_rshift-VarConst.js: disable on arm.
2439         * stress/op_rshift-VarVar.js: disable on arm.
2440         * stress/op_sub-ConstVar.js: disable on arm.
2441         * stress/op_sub-VarConst.js: disable on arm.
2442         * stress/op_sub-VarVar.js: disable on arm.
2443         * stress/op_urshift-ConstVar.js: disable on arm.
2444         * stress/op_urshift-VarConst.js: disable on arm.
2445         * stress/op_urshift-VarVar.js: disable on arm.
2446         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2447         * stress/value-to-boolean.js: disable on arm and mips.
2448
2449 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2450
2451         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2452         https://bugs.webkit.org/show_bug.cgi?id=191108
2453         <rdar://problem/45690700>
2454
2455         Reviewed by Saam Barati.
2456
2457         * stress/wide-op_catch.js: Added.
2458         (catch):
2459
2460 2018-10-29  Mark Lam  <mark.lam@apple.com>
2461
2462         Correctly detect string overflow when using the 'Function' constructor.
2463         https://bugs.webkit.org/show_bug.cgi?id=184883
2464         <rdar://problem/36320331>
2465
2466         Reviewed by Saam Barati.
2467
2468         I've verified that this passes on 32-bit as well.
2469
2470         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2471
2472 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2473
2474         Add support for GetStack FlushedDouble
2475         https://bugs.webkit.org/show_bug.cgi?id=191012
2476         <rdar://problem/45265141>
2477
2478         Reviewed by Saam Barati.
2479
2480         * stress/get-stack-double.js: Added.
2481         (bar):
2482         (noInline):
2483
2484 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2485
2486         New bytecode format for JSC
2487         https://bugs.webkit.org/show_bug.cgi?id=187373
2488         <rdar://problem/44186758>
2489
2490         Reviewed by Filip Pizlo.
2491
2492         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2493
2494         * stress/maximum-inline-capacity.js: Added.
2495         (test1):
2496         (test3.Foo):
2497         (test3):
2498
2499 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2500
2501         Unreviewed, rolling out r237479 and r237484.
2502         https://bugs.webkit.org/show_bug.cgi?id=190978
2503
2504         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2505
2506         Reverted changesets:
2507
2508         "New bytecode format for JSC"
2509         https://bugs.webkit.org/show_bug.cgi?id=187373
2510         https://trac.webkit.org/changeset/237479
2511
2512         "Gardening: Build fix after r237479."
2513         https://bugs.webkit.org/show_bug.cgi?id=187373
2514         https://trac.webkit.org/changeset/237484
2515
2516 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2517
2518         New bytecode format for JSC
2519         https://bugs.webkit.org/show_bug.cgi?id=187373
2520         <rdar://problem/44186758>
2521
2522         Reviewed by Filip Pizlo.
2523
2524         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2525
2526         * stress/maximum-inline-capacity.js: Added.
2527         (test1):
2528         (test3.Foo):
2529         (test3):
2530
2531 2018-10-26  Mark Lam  <mark.lam@apple.com>
2532
2533         Fix missing edge cases with JSGlobalObjects having a bad time.
2534         https://bugs.webkit.org/show_bug.cgi?id=189028
2535         <rdar://problem/45204939>
2536
2537         Reviewed by Saam Barati.
2538
2539         * stress/regress-189028.js: Added.
2540
2541 2018-10-22  Mark Lam  <mark.lam@apple.com>
2542
2543         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2544         https://bugs.webkit.org/show_bug.cgi?id=190515
2545         <rdar://problem/45222379>
2546
2547         Rubber-stamped by Saam Barati.
2548
2549         Adding another test.
2550
2551         * stress/regress-190515-2.js: Added.
2552
2553 2018-10-22  Mark Lam  <mark.lam@apple.com>
2554
2555         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2556         https://bugs.webkit.org/show_bug.cgi?id=190515
2557         <rdar://problem/45222379>
2558
2559         Reviewed by Saam Barati.
2560
2561         * stress/regress-190515.js: Added.
2562
2563 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2564
2565         Unreviewed, rolling out r237254.
2566         https://bugs.webkit.org/show_bug.cgi?id=190760
2567
2568         "It regresses JetStream 2 by 5% on some iOS devices"
2569         (Requested by saamyjoon on #webkit).
2570
2571         Reverted changeset:
2572
2573         "[JSC] JSC should have "parseFunction" to optimize Function
2574         constructor"
2575         https://bugs.webkit.org/show_bug.cgi?id=190340
2576         https://trac.webkit.org/changeset/237254
2577
2578 2018-10-19  Saam Barati  <sbarati@apple.com>
2579
2580         vmCall should check if we exit before emitting an OSR exit due to exceptions
2581         https://bugs.webkit.org/show_bug.cgi?id=190740
2582         <rdar://problem/45220139>
2583
2584         Reviewed by Mark Lam.
2585
2586         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2587         (foo):
2588
2589 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2590
2591         [ESNext][BigInt] Implement support for "^"
2592         https://bugs.webkit.org/show_bug.cgi?id=186235
2593
2594         Reviewed by Yusuke Suzuki.
2595
2596         * stress/big-int-bitwise-xor-general.js: Added.
2597         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2598         * stress/big-int-bitwise-xor-type-error.js: Added.
2599         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2600
2601 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2602
2603         [BigInt] Add ValueSub into DFG
2604         https://bugs.webkit.org/show_bug.cgi?id=186176
2605
2606         Reviewed by Yusuke Suzuki.
2607
2608         * stress/big-int-subtraction-jit.js:
2609         * stress/value-sub-big-int-prediction-propagation.js: Added.
2610         * stress/value-sub-big-int-untyped.js: Added.
2611         * stress/value-sub-spec-none-case.js: Added.
2612
2613 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2614
2615         [JSC] JSC should have "parseFunction" to optimize Function constructor
2616         https://bugs.webkit.org/show_bug.cgi?id=190340
2617
2618         Reviewed by Mark Lam.
2619
2620         This patch fixes the line number of syntax errors raised by the Function constructor,
2621         since we now parse the final code only once. And we no longer use block statement
2622         for Function constructor's parsing.
2623
2624         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2625         * stress/function-cache-with-parameters-end-position.js: Added.
2626         (shouldBe):
2627         (shouldThrow):
2628         (i.anonymous):
2629         * stress/function-constructor-name.js: Added.
2630         (shouldBe):
2631         (GeneratorFunction):
2632         (AsyncFunction.async):
2633         (AsyncGeneratorFunction.async):
2634         (anonymous):
2635         (async.anonymous):
2636         * test262/expectations.yaml:
2637
2638 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2639
2640         Unreviewed, rolling out r237242.
2641         https://bugs.webkit.org/show_bug.cgi?id=190701
2642
2643         it breaks "stress/sampling-profiler-basic.js" (Requested by
2644         caiolima on #webkit).
2645
2646         Reverted changeset:
2647
2648         "[BigInt] Add ValueSub into DFG"
2649         https://bugs.webkit.org/show_bug.cgi?id=186176
2650         https://trac.webkit.org/changeset/237242
2651
2652 2018-10-17  Keith Miller  <keith_miller@apple.com>
2653
2654         AI does not clear Phantom allocation nodes.
2655         https://bugs.webkit.org/show_bug.cgi?id=190694
2656
2657         Reviewed by Saam Barati.
2658
2659         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2660         (Day):
2661         (DaysInYear):
2662         (TimeInYear):
2663         (TimeFromYear):
2664         (DayFromYear):
2665         (InLeapYear):
2666         (YearFromTime):
2667         (WeekDay):
2668         (DaylightSavingTA):
2669         (GetSecondSundayInMarch):
2670         (TimeInMonth):
2671
2672 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2673
2674         [BigInt] Add ValueSub into DFG
2675         https://bugs.webkit.org/show_bug.cgi?id=186176
2676
2677         Reviewed by Yusuke Suzuki.
2678
2679         * stress/big-int-subtraction-jit.js:
2680         * stress/value-sub-big-int-prediction-propagation.js: Added.
2681         * stress/value-sub-big-int-untyped.js: Added.
2682
2683 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2684
2685         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2686         https://bugs.webkit.org/show_bug.cgi?id=190611
2687
2688         Reviewed by Saam Barati.
2689
2690         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2691         to improve test runtime. On ARM/MIPS this test even timed out when running all
2692         tests.
2693
2694         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2695         (test):
2696
2697 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2698
2699         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2700
2701         Unreviewed gardening.
2702
2703         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2704
2705 2018-10-15  Saam barati  <sbarati@apple.com>
2706
2707         Emit fjcvtzs on ARM64E on Darwin
2708         https://bugs.webkit.org/show_bug.cgi?id=184023
2709
2710         Reviewed by Yusuke Suzuki and Filip Pizlo.
2711
2712         * stress/double-to-int32-NaN.js: Added.
2713         (assert):
2714         (foo):
2715
2716 2018-10-15  Saam Barati  <sbarati@apple.com>
2717
2718         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2719         https://bugs.webkit.org/show_bug.cgi?id=190262
2720         <rdar://problem/44986241>
2721
2722         Reviewed by Mark Lam.
2723
2724         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2725         (test):
2726         * stress/slice-array-storage-with-holes.js: Added.
2727         (main):
2728
2729 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2730
2731         Unreviewed, rolling out r237054.
2732         https://bugs.webkit.org/show_bug.cgi?id=190593
2733
2734         "this regressed JetStream 2 by 6% on iOS" (Requested by
2735         saamyjoon on #webkit).
2736
2737         Reverted changeset:
2738
2739         "[JSC] JSC should have "parseFunction" to optimize Function
2740         constructor"
2741         https://bugs.webkit.org/show_bug.cgi?id=190340
2742         https://trac.webkit.org/changeset/237054
2743
2744 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2745
2746         [JSC] JSON.stringify can accept call-with-no-arguments
2747         https://bugs.webkit.org/show_bug.cgi?id=190343
2748
2749         Reviewed by Mark Lam.
2750
2751         * stress/json-stringify-no-arguments.js: Added.
2752         (shouldBe):
2753
2754 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2755
2756         [JSC] JSC should have "parseFunction" to optimize Function constructor
2757         https://bugs.webkit.org/show_bug.cgi?id=190340
2758
2759         Reviewed by Mark Lam.
2760
2761         This patch fixes the line number of syntax errors raised by the Function constructor,
2762         since we now parse the final code only once. And we no longer use block statement
2763         for Function constructor's parsing.
2764
2765         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2766         * stress/function-cache-with-parameters-end-position.js: Added.
2767         (shouldBe):
2768         (shouldThrow):
2769         (i.anonymous):
2770         * stress/function-constructor-name.js: Added.
2771         (shouldBe):
2772         (GeneratorFunction):
2773         (AsyncFunction.async):
2774         (AsyncGeneratorFunction.async):
2775         (anonymous):
2776         (async.anonymous):
2777         * test262/expectations.yaml:
2778
2779 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2780
2781         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2782         https://bugs.webkit.org/show_bug.cgi?id=190426
2783
2784         Unreviewed gardening.
2785
2786         * stress/sampling-profiler-richards.js:
2787
2788 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2789
2790         [ESNext][BigInt] Implement support for "|"
2791         https://bugs.webkit.org/show_bug.cgi?id=186229
2792
2793         Reviewed by Yusuke Suzuki.
2794
2795         * stress/big-int-bitwise-and-jit.js:
2796         * stress/big-int-bitwise-or-general.js: Added.
2797         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2798         * stress/big-int-bitwise-or-jit.js: Added.
2799         * stress/big-int-bitwise-or-memory-stress.js: Added.
2800         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2801         * stress/big-int-bitwise-or-type-error.js: Added.
2802         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2803
2804 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2805
2806         Skip test on systems with limited memory
2807         https://bugs.webkit.org/show_bug.cgi?id=190310
2808
2809         Invoking runDefault adds test to runlist, skipping the test in the next
2810         line does not prevent the test from executing. Change order of lines such
2811         that runDefault is only executed if test is not executed.
2812
2813         Reviewed by Mark Lam.
2814
2815         * stress/regress-190187.js:
2816
2817 2018-10-03  Saam barati  <sbarati@apple.com>
2818
2819         lowXYZ in FTLLower should always filter the type of the incoming edge
2820         https://bugs.webkit.org/show_bug.cgi?id=189939
2821         <rdar://problem/44407030>
2822
2823         Reviewed by Michael Saboff.
2824
2825         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2826         (foo):
2827         (test):
2828
2829 2018-10-03  Mark Lam  <mark.lam@apple.com>
2830
2831         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2832         https://bugs.webkit.org/show_bug.cgi?id=190187
2833         <rdar://problem/42512909>
2834
2835         Reviewed by Michael Saboff.
2836
2837         * stress/regress-190187.js: Added.
2838
2839 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2840
2841         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2842         https://bugs.webkit.org/show_bug.cgi?id=190033
2843
2844         Reviewed by Yusuke Suzuki.
2845
2846         * stress/big-int-to-string.js:
2847
2848 2018-10-01  Mark Lam  <mark.lam@apple.com>
2849
2850         Function.toString() should also copy the source code Functions that are class definitions.
2851         https://bugs.webkit.org/show_bug.cgi?id=190186
2852         <rdar://problem/44733360>
2853
2854         Reviewed by Saam Barati.
2855
2856         * stress/regress-190186.js: Added.
2857
2858 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2859
2860         Split NaN-check into separate test
2861         https://bugs.webkit.org/show_bug.cgi?id=190010
2862
2863         Reviewed by Saam Barati.
2864
2865         DataView exposes NaN-representation, which is not necessarily the same on each
2866         architecture. Therefore move the check of the NaN-representation into its own
2867         file such that we can disable this test on MIPS where NaN-representation can be
2868         different on older CPUs.
2869
2870         * stress/dataview-jit-set-nan.js: Added.
2871         (assert):
2872         (test.storeLittleEndian):
2873         (test.storeBigEndian):
2874         (test.store):
2875         (test):
2876         * stress/dataview-jit-set.js:
2877         (test5):
2878
2879 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2880
2881         Unreviewed, rolling out r236647.
2882         https://bugs.webkit.org/show_bug.cgi?id=190124
2883
2884         Breaking test stress/big-int-to-string.js (Requested by
2885         caiolima_ on #webkit).
2886
2887         Reverted changeset:
2888
2889         "[BigInt] BigInt.prototype.toString is broken when radix is
2890         power of 2"
2891         https://bugs.webkit.org/show_bug.cgi?id=190033
2892         https://trac.webkit.org/changeset/236647
2893
2894 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2895
2896         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2897         https://bugs.webkit.org/show_bug.cgi?id=190033
2898
2899         Reviewed by Yusuke Suzuki.
2900
2901         * stress/big-int-to-string.js:
2902
2903 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2904
2905         [ESNext][BigInt] Implement support for "&"
2906         https://bugs.webkit.org/show_bug.cgi?id=186228
2907
2908         Reviewed by Yusuke Suzuki.
2909
2910         * stress/big-int-bitwise-and-general.js: Added.
2911         (assert):
2912         (assert.sameValue):
2913         * stress/big-int-bitwise-and-jit.js: Added.
2914         (let.assert.sameValue):
2915         (bigIntBitAnd):
2916         * stress/big-int-bitwise-and-memory-stress.js: Added.
2917         (assert):
2918         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2919         (assert.sameValue):
2920         (let.o.Symbol.toPrimitive):
2921         (catch):
2922         * stress/big-int-bitwise-and-type-error.js: Added.
2923         (assert):
2924         (assertThrowTypeError):
2925         (let.o.valueOf):
2926         (o.valueOf):
2927         (o.toString):
2928         (o.Symbol.toPrimitive):
2929         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2930         (assert.sameValue):
2931         (testBitAnd):
2932         (let.o.Symbol.toPrimitive):
2933         (o.valueOf):
2934         (o.toString):
2935
2936 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2937
2938         JSC test stress/jsc-read.js doesn't support CRLF
2939         https://bugs.webkit.org/show_bug.cgi?id=190063
2940
2941         Reviewed by Yusuke Suzuki.
2942
2943         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2944
2945         * stress/jsc-read.js:
2946         (test):
2947
2948 2018-09-27  Saam barati  <sbarati@apple.com>
2949
2950         Verify the contents of AssemblerBuffer on arm64e
2951         https://bugs.webkit.org/show_bug.cgi?id=190057
2952         <rdar://problem/38916630>
2953
2954         Reviewed by Mark Lam.
2955
2956         * stress/regress-189132.js:
2957
2958 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2959
2960         Disable test without LLInt on ARMv7
2961         https://bugs.webkit.org/show_bug.cgi?id=190037
2962
2963         Reviewed by Mark Lam.
2964
2965         Test runs out of executable memory on ARMv7, do not run
2966         this test without LLInt enabled.
2967
2968         * stress/regress-169445.js:
2969
2970 2018-09-26  Keith Miller  <keith_miller@apple.com>
2971
2972         We should zero unused property storage when rebalancing array storage.
2973         https://bugs.webkit.org/show_bug.cgi?id=188151
2974
2975         Reviewed by Michael Saboff.
2976
2977         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2978
2979 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2980
2981         [JSC] Optimize Array#lastIndexOf
2982         https://bugs.webkit.org/show_bug.cgi?id=189780
2983
2984         Reviewed by Saam Barati.
2985
2986         * stress/array-lastindexof-array-prototype-trap.js: Added.
2987         (shouldBe):
2988         (AncestorArray.prototype.get 2):
2989         (AncestorArray):
2990         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2991         (shouldBe):
2992         * stress/array-lastindexof-hole-nan.js: Added.
2993         (shouldBe):
2994         (throw.new.Error):
2995         * stress/array-lastindexof-infinity.js: Added.
2996         (shouldBe):
2997         (throw.new.Error):
2998         * stress/array-lastindexof-negative-zero.js: Added.
2999         (shouldBe):
3000         (throw.new.Error):
3001         * stress/array-lastindexof-own-getter.js: Added.
3002         (shouldBe):
3003         (throw.new.Error.get array):
3004         (get array):
3005         * stress/array-lastindexof-prototype-trap.js: Added.
3006         (shouldBe):
3007         (DerivedArray.prototype.get 2):
3008         (DerivedArray):
3009
3010 2018-09-25  Saam Barati  <sbarati@apple.com>
3011
3012         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3013         https://bugs.webkit.org/show_bug.cgi?id=189940
3014         <rdar://problem/43640987>
3015
3016         Reviewed by Mark Lam.
3017
3018         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3019
3020 2018-09-24  Saam Barati  <sbarati@apple.com>
3021
3022         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3023         https://bugs.webkit.org/show_bug.cgi?id=189922
3024         <rdar://problem/44651275>
3025
3026         Reviewed by Mark Lam.
3027
3028         * stress/array-indexof-fast-path-effects.js: Added.
3029         * stress/array-indexof-cached-length.js: Added.
3030
3031 2018-09-24  Saam barati  <sbarati@apple.com>
3032
3033         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3034         https://bugs.webkit.org/show_bug.cgi?id=189682
3035         <rdar://problem/43557315>
3036
3037         Reviewed by Mark Lam.
3038
3039         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3040         (foo):
3041
3042 2018-09-22  Saam barati  <sbarati@apple.com>
3043
3044         The sampling should not use Strong<CodeBlock> in its machineLocation field
3045         https://bugs.webkit.org/show_bug.cgi?id=189319
3046
3047         Reviewed by Filip Pizlo.
3048
3049         * stress/sampling-profiler-richards.js: Added.
3050
3051 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3052
3053         [JSC] Optimize Array#indexOf in C++ runtime
3054         https://bugs.webkit.org/show_bug.cgi?id=189507
3055
3056         Reviewed by Saam Barati.
3057
3058         * stress/array-indexof-array-prototype-trap.js: Added.
3059         (shouldBe):
3060         (AncestorArray.prototype.get 2):
3061         (AncestorArray):
3062         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3063         (shouldBe):
3064         * stress/array-indexof-hole-nan.js: Added.
3065         (shouldBe):
3066         (throw.new.Error):
3067         * stress/array-indexof-infinity.js: Added.
3068         (shouldBe):
3069         (throw.new.Error):
3070         * stress/array-indexof-negative-zero.js: Added.
3071         (shouldBe):
3072         (throw.new.Error):
3073         * stress/array-indexof-own-getter.js: Added.
3074         (shouldBe):
3075         (throw.new.Error.get array):
3076         (get array):
3077         * stress/array-indexof-prototype-trap.js: Added.
3078         (shouldBe):
3079         (DerivedArray.prototype.get 2):
3080         (DerivedArray):
3081
3082 2018-09-19  Saam barati  <sbarati@apple.com>
3083
3084         AI rule for MultiPutByOffset executes its effects in the wrong order
3085         https://bugs.webkit.org/show_bug.cgi?id=189757
3086         <rdar://problem/43535257>
3087
3088         Reviewed by Michael Saboff.
3089
3090         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3091         (foo):
3092         (Foo):
3093         (g):
3094
3095 2018-09-17  Mark Lam  <mark.lam@apple.com>
3096
3097         Ensure that ForInContexts are invalidated if their loop local is over-written.
3098         https://bugs.webkit.org/show_bug.cgi?id=189571
3099         <rdar://problem/44402277>
3100
3101         Reviewed by Saam Barati.
3102
3103         * stress/regress-189571.js: Added.
3104
3105 2018-09-17  Saam barati  <sbarati@apple.com>
3106
3107         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3108         https://bugs.webkit.org/show_bug.cgi?id=189676
3109         <rdar://problem/39682897>
3110
3111         Reviewed by Michael Saboff.
3112
3113         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3114         (A):
3115         (K):
3116         (i.catch):
3117
3118 2018-09-14  Saam barati  <sbarati@apple.com>
3119
3120         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3121         https://bugs.webkit.org/show_bug.cgi?id=189628
3122         <rdar://problem/39481690>
3123
3124         Reviewed by Mark Lam.
3125
3126         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3127         (foo):
3128
3129 2018-09-11  Mark Lam  <mark.lam@apple.com>
3130
3131         Test for array initialization in arrayProtoFuncSplice.
3132         https://bugs.webkit.org/show_bug.cgi?id=170253
3133         <rdar://problem/31328773>
3134
3135         Rubber-stamped by Saam Barati.
3136
3137         * stress/regress-170253.js: Added.
3138
3139 2018-09-11  Mark Lam  <mark.lam@apple.com>
3140
3141         Test for IntlObject initialization.
3142         https://bugs.webkit.org/show_bug.cgi?id=170251
3143         <rdar://problem/31328419>
3144
3145         Rubber-stamped by Saam Barati.
3146
3147         * stress/regress-170251.js: Added.
3148
3149 2018-09-11  Mark Lam  <mark.lam@apple.com>
3150
3151         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3152         https://bugs.webkit.org/show_bug.cgi?id=169889
3153         <rdar://problem/31155607>
3154
3155         Reviewed by Saam Barati.
3156
3157         * stress/regress-169889-array-concat.js: Added.
3158         * stress/regress-169889-array-concat1.js: Added.
3159         * stress/regress-169889-array-slice.js: Added.
3160
3161 2018-09-11  Mark Lam  <mark.lam@apple.com>
3162
3163         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3164         https://bugs.webkit.org/show_bug.cgi?id=169445
3165         <rdar://problem/30957435>
3166
3167         Reviewed by Saam Barati.
3168
3169         * stress/regress-169445.js: Added.
3170         (let.gun.eval.A):
3171         (let.gun.eval.B.C):
3172         (let.gun.eval.B.C.prototype.trigger):
3173         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3174         (let.gun.eval.B):
3175         (let.gun.eval):
3176
3177 == Rolled over to ChangeLog-2018-09-11 ==