Baseline version of get_by_id may corrupt metadata
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2
3         Baseline version of get_by_id may corrupt metadata
4         https://bugs.webkit.org/show_bug.cgi?id=193085
5         <rdar://problem/23453006>
6
7         Reviewed by Saam Barati.
8
9         * stress/get-by-id-change-mode.js: Added.
10         (forEach):
11
12 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
13
14         [JSC] Optimize Object.prototype.toString
15         https://bugs.webkit.org/show_bug.cgi?id=193031
16
17         Reviewed by Saam Barati.
18
19         * stress/object-tostring-changed-proto.js: Added.
20         (shouldBe):
21         (test):
22         * stress/object-tostring-changed.js: Added.
23         (shouldBe):
24         (test):
25         * stress/object-tostring-misc.js: Added.
26         (shouldBe):
27         (test):
28         (i.switch):
29         * stress/object-tostring-other.js: Added.
30         (shouldBe):
31         (test):
32         * stress/object-tostring-untyped.js: Added.
33         (shouldBe):
34         (test):
35         (i.switch):
36
37 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
38
39         test262-runner misbehaves when test file YAML has a trailing space
40         https://bugs.webkit.org/show_bug.cgi?id=193053
41
42         Reviewed by Yusuke Suzuki.
43
44         * test262/expectations.yaml:
45         Mark two dozen tests as passing (and correct the output of another).
46
47 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
48
49         Unreviewed, JSTests gardening with memoryLimited
50
51         * stress/string-overflow-createError.js:
52
53 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
54
55         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
56         https://bugs.webkit.org/show_bug.cgi?id=193050
57
58         Reviewed by Yusuke Suzuki.
59
60         * test262.yaml:
61         * test262/expectations.yaml:
62         Mark 16 tests as passing.
63
64 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
65
66         [BigInt] Support BigInt in JSON.stringify
67         https://bugs.webkit.org/show_bug.cgi?id=192624
68
69         Reviewed by Saam Barati.
70
71         * stress/big-int-json-stringify-to-json.js: Added.
72         (shouldBe):
73         (shouldThrow):
74         (BigInt.prototype.toJSON):
75         (shouldBe.JSON.stringify):
76         * stress/big-int-json-stringify.js: Added.
77         (shouldBe):
78         (shouldThrow):
79
80 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
81
82         [JSC] Implement "well-formed JSON.stringify" proposal
83         https://bugs.webkit.org/show_bug.cgi?id=191677
84
85         Reviewed by Darin Adler.
86
87         * stress/json-surrogate-pair.js: Added.
88         (shouldBe):
89         * test262/expectations.yaml:
90
91 2018-12-20  Keith Miller  <keith_miller@apple.com>
92
93         Add support for globalThis
94         https://bugs.webkit.org/show_bug.cgi?id=165171
95
96         Reviewed by Mark Lam.
97
98         * test262/config.yaml:
99
100 2018-12-19  Keith Miller  <keith_miller@apple.com>
101
102         Update test262 configuration to not run tests dependent on ICU version.
103         https://bugs.webkit.org/show_bug.cgi?id=192920
104
105         Reviewed by Saam Barati.
106
107         * test262/expectations.yaml:
108
109 2018-12-20  Mark Lam  <mark.lam@apple.com>
110
111         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
112         https://bugs.webkit.org/show_bug.cgi?id=192939
113         <rdar://problem/46869516>
114
115         Reviewed by Keith Miller.
116
117         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
118
119 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
120
121         WTF::String and StringImpl overflow MaxLength
122         https://bugs.webkit.org/show_bug.cgi?id=192853
123         <rdar://problem/45726906>
124
125         Reviewed by Mark Lam.
126
127         * stress/string-16bit-repeat-overflow.js: Added.
128         (catch):
129
130 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
131
132         Unreviewed follow-up to r192914.
133
134         * test262/expectations.yaml:
135         Add the last 20 missing expectations.
136
137 2018-12-19  Keith Miller  <keith_miller@apple.com>
138
139         Fix test262 expectations
140         https://bugs.webkit.org/show_bug.cgi?id=192914
141
142         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
143
144         * test262/expectations.yaml:
145
146 2018-12-19  Keith Miller  <keith_miller@apple.com>
147
148         Update test262 tests.
149         https://bugs.webkit.org/show_bug.cgi?id=192907
150
151         Rubber stamped by Mark Lam.
152
153         * test262/*: Omitted because prepare-changelog crashes.
154
155 2018-12-19  Mark Lam  <mark.lam@apple.com>
156
157         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
158         https://bugs.webkit.org/show_bug.cgi?id=192464
159         <rdar://problem/46519455>
160
161         Reviewed by Saam Barati.
162
163         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
164         microbenchmark.
165
166         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
167         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
168
169 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
170
171         String overflow in JSC::createError results in ASSERT in WTF::makeString
172         https://bugs.webkit.org/show_bug.cgi?id=192833
173         <rdar://problem/45706868>
174
175         Reviewed by Mark Lam.
176
177         * stress/string-overflow-createError.js: Added.
178
179 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
180
181         Error message for `-x ** y` contains a typo.
182         https://bugs.webkit.org/show_bug.cgi?id=192832
183
184         Reviewed by Saam Barati.
185
186         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
187         (assert.assert.return.throws):
188         * stress/pow-expects-update-expression-on-lhs.js:
189         (throw.new.Error):
190         Update test expectations which match against the exact error message.
191
192 2018-12-18  Mark Lam  <mark.lam@apple.com>
193
194         Gardening: test options fix.
195         https://bugs.webkit.org/show_bug.cgi?id=192822
196
197         Unreviewed.
198
199         * stress/json-stringify-string-builder-overflow.js:
200
201 2018-12-18  Mark Lam  <mark.lam@apple.com>
202
203         JSON.stringify() should throw OOM on StringBuilder overflows.
204         https://bugs.webkit.org/show_bug.cgi?id=192822
205         <rdar://problem/46670577>
206
207         Reviewed by Saam Barati.
208
209         * stress/json-stringify-string-builder-overflow.js: Added.
210
211 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
212
213         Redeclaration of var over let/const/class should be a syntax error.
214         https://bugs.webkit.org/show_bug.cgi?id=192298
215
216         Reviewed by Keith Miller.
217
218         * test262.yaml:
219         * test262/expectations.yaml:
220         Mark 46 tests as passing.
221
222         * stress/block-scope-redeclarations.js:
223         Add some new tests.
224
225         * stress/for-in-invalidate-context-weird-assignments.js:
226         * stress/for-in-tests.js:
227         Replace tests for outdated behavior with tests for SyntaxError.
228
229         * ChakraCore/test/LetConst/defer3.baseline-jsc:
230         * ChakraCore/test/LetConst/letvar.baseline-jsc:
231         Update expectations.
232
233 2018-12-18  Mark Lam  <mark.lam@apple.com>
234
235         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
236         https://bugs.webkit.org/show_bug.cgi?id=191374
237         <rdar://problem/46525447>
238
239         Reviewed by Yusuke Suzuki.
240
241         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
242
243         * stress/elidable-new-object-roflcopter-then-exit.js:
244
245 2018-12-17  Mark Lam  <mark.lam@apple.com>
246
247         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
248         https://bugs.webkit.org/show_bug.cgi?id=192019
249         <rdar://problem/46525456>
250
251         Reviewed by Yusuke Suzuki.
252
253         The test runs too slow on 32-bit.
254
255         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
256
257 2018-12-17  Mark Lam  <mark.lam@apple.com>
258
259         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
260         https://bugs.webkit.org/show_bug.cgi?id=191373
261         <rdar://problem/46525458>
262
263         Reviewed by Yusuke Suzuki.
264
265         The test is already slow running with a JIT on 64-bit.  It will always timeout
266         on 32-bit without a JIT.
267
268         * stress/materialize-regexp-cyclic-regexp.js:
269
270 2018-12-17  Mark Lam  <mark.lam@apple.com>
271
272         Array unshift/shift should not race against the AI in the compiler thread.
273         https://bugs.webkit.org/show_bug.cgi?id=192795
274         <rdar://problem/46724263>
275
276         Reviewed by Saam Barati.
277
278         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
279
280 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
281
282         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
283         https://bugs.webkit.org/show_bug.cgi?id=190047
284
285         Reviewed by Saam Barati.
286
287         * stress/object-keys-cached-zero.js: Added.
288         (shouldBe):
289         (test):
290         * stress/object-keys-changed-attribute.js: Added.
291         (shouldBe):
292         (test):
293         * stress/object-keys-changed-index.js: Added.
294         (shouldBe):
295         (test):
296         * stress/object-keys-changed.js: Added.
297         (shouldBe):
298         (test):
299         * stress/object-keys-indexed-non-cache.js: Added.
300         (shouldBe):
301         (test):
302         * stress/object-keys-overrides-get-property-names.js: Added.
303         (shouldBe):
304         (test):
305         (noInline):
306
307 2018-12-17  Mark Lam  <mark.lam@apple.com>
308
309         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
310         https://bugs.webkit.org/show_bug.cgi?id=192779
311         <rdar://problem/46775869>
312
313         Reviewed by Saam Barati.
314
315         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
316
317 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
318
319         Unreviewed test gardening, address a syntax error in a new test.
320
321         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
322
323 2018-12-17  Mark Lam  <mark.lam@apple.com>
324
325         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
326         https://bugs.webkit.org/show_bug.cgi?id=192776
327         <rdar://problem/46772368>
328
329         Reviewed by Keith Miller.
330
331         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
332
333 2018-12-17  Mark Lam  <mark.lam@apple.com>
334
335         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
336         https://bugs.webkit.org/show_bug.cgi?id=192770
337         <rdar://problem/46449037>
338
339         Reviewed by Keith Miller.
340
341         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
342
343 2018-12-14  Mark Lam  <mark.lam@apple.com>
344
345         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
346         https://bugs.webkit.org/show_bug.cgi?id=192717
347         <rdar://problem/46660677>
348
349         Reviewed by Saam Barati.
350
351         * stress/regress-192717.js: Added.
352
353 2018-12-14  Commit Queue  <commit-queue@webkit.org>
354
355         Unreviewed, rolling out r239153, r239154, and r239155.
356         https://bugs.webkit.org/show_bug.cgi?id=192715
357
358         Caused flaky GC-related crashes seen with layout tests
359         (Requested by ryanhaddad on #webkit).
360
361         Reverted changesets:
362
363         "[JSC] Optimize Object.keys by caching own keys results in
364         StructureRareData"
365         https://bugs.webkit.org/show_bug.cgi?id=190047
366         https://trac.webkit.org/changeset/239153
367
368         "Unreviewed, build fix after r239153"
369         https://bugs.webkit.org/show_bug.cgi?id=190047
370         https://trac.webkit.org/changeset/239154
371
372         "Unreviewed, build fix after r239153, part 2"
373         https://bugs.webkit.org/show_bug.cgi?id=190047
374         https://trac.webkit.org/changeset/239155
375
376 2018-12-14  Keith Miller  <keith_miller@apple.com>
377
378         Callers of JSString::getIndex should check for OOM exceptions
379         https://bugs.webkit.org/show_bug.cgi?id=192709
380
381         Reviewed by Mark Lam.
382
383         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
384
385 2018-12-13  Mark Lam  <mark.lam@apple.com>
386
387         Add a missing exception check.
388         https://bugs.webkit.org/show_bug.cgi?id=192626
389         <rdar://problem/46662163>
390
391         Reviewed by Keith Miller.
392
393         * stress/regress-192626.js: Added.
394
395 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
396
397         [BigInt] Add ValueDiv into DFG
398         https://bugs.webkit.org/show_bug.cgi?id=186178
399
400         Reviewed by Yusuke Suzuki.
401
402         * stress/big-int-div-jit-osr.js: Added.
403         * stress/big-int-div-jit-untyped.js: Added.
404         * stress/value-div-fixup-int32-big-int.js: Added.
405
406 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
407
408         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
409         https://bugs.webkit.org/show_bug.cgi?id=190047
410
411         Reviewed by Keith Miller.
412
413         * stress/object-keys-cached-zero.js: Added.
414         (shouldBe):
415         (test):
416         * stress/object-keys-changed-attribute.js: Added.
417         (shouldBe):
418         (test):
419         * stress/object-keys-changed-index.js: Added.
420         (shouldBe):
421         (test):
422         * stress/object-keys-changed.js: Added.
423         (shouldBe):
424         (test):
425         * stress/object-keys-indexed-non-cache.js: Added.
426         (shouldBe):
427         (test):
428         * stress/object-keys-overrides-get-property-names.js: Added.
429         (shouldBe):
430         (test):
431         (noInline):
432
433 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
434
435         [DFG][FTL] Add NewSymbol
436         https://bugs.webkit.org/show_bug.cgi?id=192620
437
438         Reviewed by Saam Barati.
439
440         * microbenchmarks/symbol-creation.js: Added.
441         (test):
442         * stress/symbol-description-identity.js: Added.
443         (shouldBe):
444         (test):
445         * stress/symbol-identity.js: Added.
446         (shouldBe):
447         (test):
448         * stress/symbol-with-description-throw-error.js: Added.
449         (shouldBe):
450         (shouldThrow):
451         (test):
452         (object.toString):
453
454 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
455
456         [BigInt] Implement DFG/FTL typeof for BigInt
457         https://bugs.webkit.org/show_bug.cgi?id=192619
458
459         Reviewed by Keith Miller.
460
461         * stress/big-int-boolean-proven-type.js: Added.
462         (assert):
463         (bool):
464         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
465         (assert):
466         (typeOf):
467         (i.switch):
468         * stress/big-int-type-of-proven-type-non-constant.js: Added.
469         (assert):
470         (typeOf):
471         * stress/big-int-type-of.js:
472         (typeOf):
473         (func):
474
475 2018-12-10  Mark Lam  <mark.lam@apple.com>
476
477         PropertyAttribute needs a CustomValue bit.
478         https://bugs.webkit.org/show_bug.cgi?id=191993
479         <rdar://problem/46264467>
480
481         Reviewed by Saam Barati.
482
483         * stress/regress-191993.js: Added.
484
485 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
486
487         [BigInt] Add ValueMul into DFG
488         https://bugs.webkit.org/show_bug.cgi?id=186175
489
490         Reviewed by Yusuke Suzuki.
491
492         * stress/big-int-mul-jit-osr.js: Added.
493         * stress/big-int-mul-jit-untyped.js: Added.
494         * stress/value-mul-fixup-int32-big-int.js: Added.
495
496 2018-12-06  Keith Miller  <keith_miller@apple.com>
497
498         stress/big-wasm-memory tests failing on 32-bit JSC bot
499         https://bugs.webkit.org/show_bug.cgi?id=192020
500
501         Reviewed by Saam Barati.
502
503         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
504         the wasm stress tests if the WebAssembly object does not exist.
505
506         * stress/big-wasm-memory-grow-no-max.js:
507         (test.foo):
508         (test):
509         (foo): Deleted.
510         (catch): Deleted.
511         * stress/big-wasm-memory-grow.js:
512         (test.foo):
513         (test):
514         (foo): Deleted.
515         (catch): Deleted.
516         * stress/big-wasm-memory.js:
517         (test.foo):
518         (test):
519         (foo): Deleted.
520         (catch): Deleted.
521
522 2018-12-05  Mark Lam  <mark.lam@apple.com>
523
524         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
525         https://bugs.webkit.org/show_bug.cgi?id=192441
526         <rdar://problem/46480355>
527
528         Reviewed by Saam Barati.
529
530         * stress/regress-192441.js: Added.
531
532 2018-12-04  Mark Lam  <mark.lam@apple.com>
533
534         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
535         https://bugs.webkit.org/show_bug.cgi?id=192386
536         <rdar://problem/46445516>
537
538         Reviewed by Saam Barati.
539
540         * stress/regress-192386.js: Added.
541
542 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
543
544         [ESNext][BigInt] Support logic operations
545         https://bugs.webkit.org/show_bug.cgi?id=179903
546
547         Reviewed by Yusuke Suzuki.
548
549         * stress/big-int-branch-usage.js: Added.
550         * stress/big-int-logical-and.js: Added.
551         * stress/big-int-logical-not.js: Added.
552         * stress/big-int-logical-or.js: Added.
553
554 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
555
556         Unreviewed, rolling out r238833.
557
558         Breaks macOS and iOS debug builds.
559
560         Reverted changeset:
561
562         "[ESNext][BigInt] Support logic operations"
563         https://bugs.webkit.org/show_bug.cgi?id=179903
564         https://trac.webkit.org/changeset/238833
565
566 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
567
568         [ESNext][BigInt] Support logic operations
569         https://bugs.webkit.org/show_bug.cgi?id=179903
570
571         Reviewed by Yusuke Suzuki.
572
573         * stress/big-int-branch-usage.js: Added.
574         * stress/big-int-logical-and.js: Added.
575         * stress/big-int-logical-not.js: Added.
576         * stress/big-int-logical-or.js: Added.
577
578 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
579
580         [ESNext][BigInt] Implement support for "<<" and ">>"
581         https://bugs.webkit.org/show_bug.cgi?id=186233
582
583         Reviewed by Yusuke Suzuki.
584
585         * stress/big-int-left-shift-general.js: Added.
586         * stress/big-int-left-shift-range-error.js: Added.
587         * stress/big-int-left-shift-type-error.js: Added.
588         * stress/big-int-left-shift-wrapped-value.js: Added.
589         * stress/big-int-right-shift-general.js: Added.
590         * stress/big-int-right-shift-type-error.js: Added.
591         * stress/big-int-right-shift-wrapped-value.js: Added.
592         * stress/left-shift-to-primitive-precedence.js: Added.
593         * stress/right-shift-to-primitive-precedence.js: Added.
594
595 2018-11-30  Dean Jackson  <dino@apple.com>
596
597         Add first-class support for .mjs files in jsc binary
598         https://bugs.webkit.org/show_bug.cgi?id=192190
599         <rdar://problem/46375715>
600
601         Reviewed by Keith Miller.
602
603         * stress/simple-module.mjs: Added.
604         * stress/simple-script.js: Added.
605
606 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
607
608         [BigInt] Implement ValueBitXor into DFG
609         https://bugs.webkit.org/show_bug.cgi?id=190264
610
611         Reviewed by Yusuke Suzuki.
612
613         * stress/big-int-bitwise-xor-jit.js: Added.
614         * stress/big-int-bitwise-xor-memory-stress.js: Added.
615         * stress/big-int-bitwise-xor-untyped.js: Added.
616
617 2018-11-27  Saam barati  <sbarati@apple.com>
618
619         r238510 broke scopes of size zero
620         https://bugs.webkit.org/show_bug.cgi?id=192033
621         <rdar://problem/46281734>
622
623         Reviewed by Keith Miller.
624
625         * stress/r238510-bad-loop.js: Added.
626         (foo):
627
628 2018-11-27  Mark Lam  <mark.lam@apple.com>
629
630         [Re-landing] NaNs read from Wasm code needs to be be purified.
631         https://bugs.webkit.org/show_bug.cgi?id=191056
632         <rdar://problem/45660341>
633
634         Reviewed by Filip Pizlo.
635
636         * wasm/regress/regress-191056.js: Added.
637
638 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
639
640         Unreviewed, rolling out r238509.
641
642         Causes JSC tests to fail on iOS.
643
644         Reverted changeset:
645
646         "NaNs read from Wasm code needs to be be purified."
647         https://bugs.webkit.org/show_bug.cgi?id=191056
648         https://trac.webkit.org/changeset/238509
649
650 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
651
652         Re-introduce op_bitnot
653         https://bugs.webkit.org/show_bug.cgi?id=190923
654
655         Reviewed by Yusuke Suzuki.
656
657         * stress/bit-not-must-generate.js: Added.
658         * stress/bitwise-not-no-int32.js: Added.
659
660 2018-11-26  Saam barati  <sbarati@apple.com>
661
662         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
663         https://bugs.webkit.org/show_bug.cgi?id=191956
664         <rdar://problem/45665806>
665
666         Reviewed by Yusuke Suzuki.
667
668         * stress/end-basic-block-set-local-should-filter-type.js: Added.
669         (bar):
670         (foo):
671
672 2018-11-26  Saam barati  <sbarati@apple.com>
673
674         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
675         https://bugs.webkit.org/show_bug.cgi?id=191958
676         <rdar://problem/46221877>
677
678         Reviewed by Yusuke Suzuki.
679
680         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
681         (x):
682         (foo):
683
684 2018-11-26  Mark Lam  <mark.lam@apple.com>
685
686         NaNs read from Wasm code needs to be be purified.
687         https://bugs.webkit.org/show_bug.cgi?id=191056
688         <rdar://problem/45660341>
689
690         Reviewed by Filip Pizlo.
691
692         * wasm/regress/regress-191056.js: Added.
693
694 2018-11-26  Michael Saboff  <msaboff@apple.com>
695
696         32-bit JSC test failure: stress/regexp-compile-oom.js
697         https://bugs.webkit.org/show_bug.cgi?id=191375
698
699         Reviewed by Mark Lam.
700
701         Disabled the test for 32 bit platforms.
702
703         * stress/regexp-compile-oom.js:
704
705 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
706
707         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
708         https://bugs.webkit.org/show_bug.cgi?id=191716
709         <rdar://problem/45723878>
710
711         Reviewed by Saam Barati.
712
713         * stress/regress-187373.js: Added.
714         (async.fn):
715
716 2018-11-21  Saam barati  <sbarati@apple.com>
717
718         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
719         https://bugs.webkit.org/show_bug.cgi?id=191897
720         <rdar://problem/45871998>
721
722         Reviewed by Mark Lam.
723
724         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
725         (bar):
726         (foo):
727
728 2018-11-21  Saam barati  <sbarati@apple.com>
729
730         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
731         https://bugs.webkit.org/show_bug.cgi?id=191895
732         <rdar://problem/46167406>
733
734         Reviewed by Mark Lam.
735
736         * stress/known-cell-use-needs-type-check-assertion.js: Added.
737         (foo):
738         (bar):
739
740 2018-11-21  Mark Lam  <mark.lam@apple.com>
741
742         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
743         https://bugs.webkit.org/show_bug.cgi?id=191776
744         <rdar://problem/46152851>
745
746         Reviewed by Saam Barati.
747
748         * stress/big-wasm-memory-grow-no-max.js:
749         * stress/big-wasm-memory-grow.js:
750         * stress/big-wasm-memory.js:
751         - updated these to expect an OutOfMemoryError.
752
753         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
754         (Binary.prototype.emit_u8):
755         (Binary.prototype.emit_u32v):
756         (Binary.prototype.emit_header):
757         (Binary.prototype.emit_section):
758         (Binary):
759         (WasmModuleBuilder):
760         (WasmModuleBuilder.prototype.addMemory):
761         (WasmModuleBuilder.prototype.toArray):
762         (WasmModuleBuilder.prototype.toBuffer):
763         (WasmModuleBuilder.prototype.instantiate):
764         (catch):
765         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
766         (catch):
767
768 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
769
770         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
771         https://bugs.webkit.org/show_bug.cgi?id=190836
772
773         Reviewed by Saam Barati and Yusuke Suzuki.
774
775         * stress/big-int-out-of-memory-tests.js: Added.
776
777 2018-11-20  Mark Lam  <mark.lam@apple.com>
778
779         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
780         https://bugs.webkit.org/show_bug.cgi?id=191856
781         <rdar://problem/46089992>
782
783         Reviewed by Yusuke Suzuki.
784
785         * stress/regress-191856.js: Added.
786         - this test is skipped for now until we have a fix for webkit.org/b/191855.
787
788 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
789
790         Enable JIT on ARM/Linux
791         https://bugs.webkit.org/show_bug.cgi?id=191548
792
793         Reviewed by Yusuke Suzuki.
794
795         Disable test on system with limited memory. Program was killed by
796         the OS before the exception was thrown.
797
798         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
799
800 2018-11-20  Saam barati  <sbarati@apple.com>
801
802         Merging an IC variant may lead to the IC status containing overlapping structure sets
803         https://bugs.webkit.org/show_bug.cgi?id=191869
804         <rdar://problem/45403453>
805
806         Reviewed by Mark Lam.
807
808         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
809
810 2018-11-19  Mark Lam  <mark.lam@apple.com>
811
812         globalFuncImportModule() should return a promise when it clears exceptions.
813         https://bugs.webkit.org/show_bug.cgi?id=191792
814         <rdar://problem/46090763>
815
816         Reviewed by Michael Saboff.
817
818         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
819
820 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
821
822         Skip new memory-hungry tests on memory limited devices
823
824         Unreviewed gardening.
825
826         * stress/big-wasm-memory-grow-no-max.js:
827         * stress/big-wasm-memory-grow.js:
828         * stress/big-wasm-memory.js:
829
830 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
831
832         Unreviewed, rolling in the rest of r237254
833         https://bugs.webkit.org/show_bug.cgi?id=190340
834
835         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
836         * stress/function-cache-with-parameters-end-position.js: Added.
837         (shouldBe):
838         (shouldThrow):
839         (i.anonymous):
840         * stress/function-constructor-name.js: Added.
841         (shouldBe):
842         (GeneratorFunction):
843         (AsyncFunction.async):
844         (AsyncGeneratorFunction.async):
845         (anonymous):
846         (async.anonymous):
847         * test262/expectations.yaml:
848
849 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
850
851         All users of ArrayBuffer should agree on the same max size
852         https://bugs.webkit.org/show_bug.cgi?id=191771
853
854         Reviewed by Mark Lam.
855
856         * stress/big-wasm-memory-grow-no-max.js: Added.
857         (foo):
858         (catch):
859         * stress/big-wasm-memory-grow.js: Added.
860         (foo):
861         (catch):
862         * stress/big-wasm-memory.js: Added.
863         (foo):
864         (catch):
865
866 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
867
868         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
869         run for each JSC config since they're regression tests for runtime bugs.
870
871         * stress/json-stringified-overflow-2.js:
872         * stress/json-stringified-overflow.js:
873
874 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
875
876         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
877         config since they're regression tests for runtime bugs.
878
879         * stress/large-unshift-splice.js:
880         * stress/regress-185888.js:
881
882 2018-11-16  Saam Barati  <sbarati@apple.com>
883
884         KnownCellUse should also have SpecCellCheck as its type filter
885         https://bugs.webkit.org/show_bug.cgi?id=191729
886         <rdar://problem/45872852>
887
888         Reviewed by Filip Pizlo.
889
890         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
891         (C):
892
893 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
894
895         Fix assertion failure on BytecodeGenerator::recordOpcode
896         https://bugs.webkit.org/show_bug.cgi?id=191724
897         <rdar://problem/45724395>
898
899         Reviewed by Saam Barati.
900
901         * stress/regress-187373-2.js: Added.
902         (foo):
903
904 2018-11-15  Mark Lam  <mark.lam@apple.com>
905
906         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
907         https://bugs.webkit.org/show_bug.cgi?id=191730
908         <rdar://problem/46048517>
909
910         Reviewed by Saam Barati.
911
912         * stress/regress-187006.js: Removed.
913           - this test is invalid because its sole purpose is to test for the non-spec
914             compliant behavior that we just fixed.
915
916         * stress/regress-191730.js: Added.
917
918 2018-11-15  Mark Lam  <mark.lam@apple.com>
919
920         RegExp operations should not take fast patch if lastIndex is not numeric.
921         https://bugs.webkit.org/show_bug.cgi?id=191731
922         <rdar://problem/46017305>
923
924         Reviewed by Saam Barati.
925
926         * stress/regress-191731.js: Added.
927
928 2018-11-13  Saam Barati  <sbarati@apple.com>
929
930         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
931         https://bugs.webkit.org/show_bug.cgi?id=191600
932
933         Reviewed by Mark Lam.
934
935         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
936         (foo):
937         (test):
938         (bar):
939
940 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
941
942         Unreviewed, rolling out r238132.
943
944         The test added with this change is timing out on Debug JSC
945         bots.
946
947         Reverted changeset:
948
949         "[BigInt] JSBigInt::createWithLength should throw when length
950         is greater than JSBigInt::maxLength"
951         https://bugs.webkit.org/show_bug.cgi?id=190836
952         https://trac.webkit.org/changeset/238132
953
954 2018-11-13  Mark Lam  <mark.lam@apple.com>
955
956         Add OOM detection to StringPrototype's substituteBackreferences().
957         https://bugs.webkit.org/show_bug.cgi?id=191563
958         <rdar://problem/45720428>
959
960         Reviewed by Saam Barati.
961
962         * stress/regress-191563.js: Added.
963
964 2018-11-13  Mark Lam  <mark.lam@apple.com>
965
966         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
967         https://bugs.webkit.org/show_bug.cgi?id=191579
968         <rdar://problem/45942472>
969
970         Reviewed by Saam Barati.
971
972         * stress/regress-191579.js: Added.
973
974 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
975
976         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
977         https://bugs.webkit.org/show_bug.cgi?id=190836
978
979         Reviewed by Saam Barati.
980
981         * stress/big-int-out-of-memory-tests.js: Added.
982
983 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
984
985         U+180E is no longer a whitespace character
986         https://bugs.webkit.org/show_bug.cgi?id=191415
987
988         Reviewed by Saam Barati.
989
990         * ChakraCore/test/es5/regexSpace.baseline:
991         * ChakraCore/test/es6/unicode_whitespace.js:
992         Update tests to latest version.
993         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
994
995         * test262.yaml:
996         * test262/config.yaml:
997         * test262/expectations.yaml:
998         Update expectations.
999
1000 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1001
1002         [BigInt] Add support to BigInt into ValueAdd
1003         https://bugs.webkit.org/show_bug.cgi?id=186177
1004
1005         Reviewed by Keith Miller.
1006
1007         * stress/big-int-negate-jit.js:
1008         * stress/value-add-big-int-and-string.js: Added.
1009         * stress/value-add-big-int-prediction-propagation.js: Added.
1010         * stress/value-add-big-int-untyped.js: Added.
1011
1012 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1013
1014         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1015         https://bugs.webkit.org/show_bug.cgi?id=191184
1016
1017         Reviewed by Saam Barati.
1018
1019         Most tests were failing due to timeouts, since they are too slow to
1020         run on CLoop. The exceptions are:
1021
1022         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1023         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1024         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1025         to change the stack size since CLoop requires it to be page aligned.
1026
1027         * microbenchmarks/array-push-1.js:
1028         * microbenchmarks/array-push-2.js:
1029         * microbenchmarks/elidable-new-object-dag.js:
1030         * microbenchmarks/elidable-new-object-roflcopter.js:
1031         * microbenchmarks/elidable-new-object-tree.js:
1032         * microbenchmarks/getter-richards.js:
1033         * microbenchmarks/sinkable-new-object-dag.js:
1034         * microbenchmarks/string-concat-long-convert.js:
1035         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1036         * slowMicrobenchmarks/array-push-3.js:
1037         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1038         * slowMicrobenchmarks/spread-small-array.js:
1039         * slowMicrobenchmarks/undefined-property-access.js:
1040         * stress/activation-sink-default-value-tdz-error.js:
1041         * stress/activation-sink-default-value.js:
1042         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1043         * stress/activation-sink-osrexit-default-value.js:
1044         * stress/activation-sink-osrexit.js:
1045         * stress/activation-sink.js:
1046         * stress/allow-math-ic-b3-code-duplication.js:
1047         * stress/array-push-multiple-int32.js:
1048         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1049         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1050         * stress/arrowfunction-lexical-this-activation-sink.js:
1051         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1052         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1053         * stress/elide-new-object-dag-then-exit.js:
1054         * stress/materialize-regexp-cyclic.js:
1055         * stress/new-regex-inline.js:
1056         * stress/op_add.js:
1057         * stress/op_bitand.js:
1058         * stress/op_bitor.js:
1059         * stress/op_bitxor.js:
1060         * stress/op_div-ConstVar.js:
1061         * stress/op_div-VarConst.js:
1062         * stress/op_div-VarVar.js:
1063         * stress/op_lshift-ConstVar.js:
1064         * stress/op_lshift-VarConst.js:
1065         * stress/op_lshift-VarVar.js:
1066         * stress/op_mod-ConstVar.js:
1067         * stress/op_mod-VarConst.js:
1068         * stress/op_mod-VarVar.js:
1069         * stress/op_mul-ConstVar.js:
1070         * stress/op_mul-VarConst.js:
1071         * stress/op_mul-VarVar.js:
1072         * stress/op_rshift-ConstVar.js:
1073         * stress/op_rshift-VarConst.js:
1074         * stress/op_rshift-VarVar.js:
1075         * stress/op_sub-ConstVar.js:
1076         * stress/op_sub-VarConst.js:
1077         * stress/op_sub-VarVar.js:
1078         * stress/op_urshift-ConstVar.js:
1079         * stress/op_urshift-VarConst.js:
1080         * stress/op_urshift-VarVar.js:
1081         * stress/proxy-get-set-correct-receiver.js:
1082         * stress/regress-179562.js:
1083         * stress/rest-parameter-many-arguments.js:
1084         * stress/sampling-profiler-richards.js:
1085         * stress/splay-flash-access-1ms.js:
1086         * stress/tailCallForwardArguments.js:
1087         * stress/typed-array-get-by-val-profiling.js:
1088         * typeProfiler/getter-richards.js:
1089
1090 2018-11-06  Michael Saboff  <msaboff@apple.com>
1091
1092         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1093         https://bugs.webkit.org/show_bug.cgi?id=191271
1094
1095         Reviewed by Saam Barati.
1096
1097         Added more test cases and made all test cases run with the same deeply recursive stack
1098         instead of finding that same point for each test case.
1099
1100         * stress/regexp-compile-oom.js:
1101         (prototype.runTest):
1102         (recurseAndTest):
1103         (testList.push.new.TestAndExpectedException):
1104
1105 2018-11-05  Michael Saboff  <msaboff@apple.com>
1106
1107         Unreviewed build fix for linux.
1108
1109         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1110
1111 2018-11-02  Michael Saboff  <msaboff@apple.com>
1112
1113         Rolling in r237753 with unreviewed build fix.
1114
1115         Fixed issues with DECLARE_THROW_SCOPE placement.
1116
1117 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1118
1119         Unreviewed, rolling out r237753.
1120
1121         Introduced JSC test failures
1122
1123         Reverted changeset:
1124
1125         "Running out of stack space not properly handled in
1126         RegExp::compile() and its callers"
1127         https://bugs.webkit.org/show_bug.cgi?id=191206
1128         https://trac.webkit.org/changeset/237753
1129
1130 2018-11-02  Michael Saboff  <msaboff@apple.com>
1131
1132         Running out of stack space not properly handled in RegExp::compile() and its callers
1133         https://bugs.webkit.org/show_bug.cgi?id=191206
1134
1135         Reviewed by Filip Pizlo.
1136
1137         New regression test.
1138
1139         * stress/regexp-compile-oom.js: Added.
1140         (recurseAndTest):
1141
1142 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1143
1144         Skip tests on arm/mips that time out now we're running on CLoop
1145
1146         Unreviewed gardening.
1147
1148         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1149         time out on the bots and need to be disabled. There's more tests
1150         disabled on arm because the timeout is longer on the mips bot (as the
1151         device is slower to start with), so many of the tests don't time out
1152         there.
1153
1154         * microbenchmarks/getter-richards.js: disable on arm and mips.
1155         * stress/op_add.js: disable on arm.
1156         * stress/op_bitand.js: disable on arm.
1157         * stress/op_bitor.js: disable on arm.
1158         * stress/op_bitxor.js: disable on arm.
1159         * stress/op_lshift-ConstVar.js: disable on arm.
1160         * stress/op_lshift-VarConst.js: disable on arm.
1161         * stress/op_lshift-VarVar.js: disable on arm.
1162         * stress/op_mod-ConstVar.js: disable on arm.
1163         * stress/op_mod-VarConst.js: disable on arm.
1164         * stress/op_mod-VarVar.js: disable on arm.
1165         * stress/op_mul-ConstVar.js: disable on arm.
1166         * stress/op_mul-VarConst.js: disable on arm.
1167         * stress/op_mul-VarVar.js: disable on arm.
1168         * stress/op_rshift-ConstVar.js: disable on arm.
1169         * stress/op_rshift-VarConst.js: disable on arm.
1170         * stress/op_rshift-VarVar.js: disable on arm.
1171         * stress/op_sub-ConstVar.js: disable on arm.
1172         * stress/op_sub-VarConst.js: disable on arm.
1173         * stress/op_sub-VarVar.js: disable on arm.
1174         * stress/op_urshift-ConstVar.js: disable on arm.
1175         * stress/op_urshift-VarConst.js: disable on arm.
1176         * stress/op_urshift-VarVar.js: disable on arm.
1177         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1178         * stress/value-to-boolean.js: disable on arm and mips.
1179
1180 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1181
1182         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1183         https://bugs.webkit.org/show_bug.cgi?id=191108
1184         <rdar://problem/45690700>
1185
1186         Reviewed by Saam Barati.
1187
1188         * stress/wide-op_catch.js: Added.
1189         (catch):
1190
1191 2018-10-29  Mark Lam  <mark.lam@apple.com>
1192
1193         Correctly detect string overflow when using the 'Function' constructor.
1194         https://bugs.webkit.org/show_bug.cgi?id=184883
1195         <rdar://problem/36320331>
1196
1197         Reviewed by Saam Barati.
1198
1199         I've verified that this passes on 32-bit as well.
1200
1201         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1202
1203 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1204
1205         Add support for GetStack FlushedDouble
1206         https://bugs.webkit.org/show_bug.cgi?id=191012
1207         <rdar://problem/45265141>
1208
1209         Reviewed by Saam Barati.
1210
1211         * stress/get-stack-double.js: Added.
1212         (bar):
1213         (noInline):
1214
1215 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1216
1217         New bytecode format for JSC
1218         https://bugs.webkit.org/show_bug.cgi?id=187373
1219         <rdar://problem/44186758>
1220
1221         Reviewed by Filip Pizlo.
1222
1223         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1224
1225         * stress/maximum-inline-capacity.js: Added.
1226         (test1):
1227         (test3.Foo):
1228         (test3):
1229
1230 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1231
1232         Unreviewed, rolling out r237479 and r237484.
1233         https://bugs.webkit.org/show_bug.cgi?id=190978
1234
1235         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1236
1237         Reverted changesets:
1238
1239         "New bytecode format for JSC"
1240         https://bugs.webkit.org/show_bug.cgi?id=187373
1241         https://trac.webkit.org/changeset/237479
1242
1243         "Gardening: Build fix after r237479."
1244         https://bugs.webkit.org/show_bug.cgi?id=187373
1245         https://trac.webkit.org/changeset/237484
1246
1247 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1248
1249         New bytecode format for JSC
1250         https://bugs.webkit.org/show_bug.cgi?id=187373
1251         <rdar://problem/44186758>
1252
1253         Reviewed by Filip Pizlo.
1254
1255         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1256
1257         * stress/maximum-inline-capacity.js: Added.
1258         (test1):
1259         (test3.Foo):
1260         (test3):
1261
1262 2018-10-26  Mark Lam  <mark.lam@apple.com>
1263
1264         Fix missing edge cases with JSGlobalObjects having a bad time.
1265         https://bugs.webkit.org/show_bug.cgi?id=189028
1266         <rdar://problem/45204939>
1267
1268         Reviewed by Saam Barati.
1269
1270         * stress/regress-189028.js: Added.
1271
1272 2018-10-22  Mark Lam  <mark.lam@apple.com>
1273
1274         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1275         https://bugs.webkit.org/show_bug.cgi?id=190515
1276         <rdar://problem/45222379>
1277
1278         Rubber-stamped by Saam Barati.
1279
1280         Adding another test.
1281
1282         * stress/regress-190515-2.js: Added.
1283
1284 2018-10-22  Mark Lam  <mark.lam@apple.com>
1285
1286         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1287         https://bugs.webkit.org/show_bug.cgi?id=190515
1288         <rdar://problem/45222379>
1289
1290         Reviewed by Saam Barati.
1291
1292         * stress/regress-190515.js: Added.
1293
1294 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1295
1296         Unreviewed, rolling out r237254.
1297         https://bugs.webkit.org/show_bug.cgi?id=190760
1298
1299         "It regresses JetStream 2 by 5% on some iOS devices"
1300         (Requested by saamyjoon on #webkit).
1301
1302         Reverted changeset:
1303
1304         "[JSC] JSC should have "parseFunction" to optimize Function
1305         constructor"
1306         https://bugs.webkit.org/show_bug.cgi?id=190340
1307         https://trac.webkit.org/changeset/237254
1308
1309 2018-10-19  Saam Barati  <sbarati@apple.com>
1310
1311         vmCall should check if we exit before emitting an OSR exit due to exceptions
1312         https://bugs.webkit.org/show_bug.cgi?id=190740
1313         <rdar://problem/45220139>
1314
1315         Reviewed by Mark Lam.
1316
1317         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1318         (foo):
1319
1320 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1321
1322         [ESNext][BigInt] Implement support for "^"
1323         https://bugs.webkit.org/show_bug.cgi?id=186235
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         * stress/big-int-bitwise-xor-general.js: Added.
1328         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1329         * stress/big-int-bitwise-xor-type-error.js: Added.
1330         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1331
1332 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1333
1334         [BigInt] Add ValueSub into DFG
1335         https://bugs.webkit.org/show_bug.cgi?id=186176
1336
1337         Reviewed by Yusuke Suzuki.
1338
1339         * stress/big-int-subtraction-jit.js:
1340         * stress/value-sub-big-int-prediction-propagation.js: Added.
1341         * stress/value-sub-big-int-untyped.js: Added.
1342         * stress/value-sub-spec-none-case.js: Added.
1343
1344 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1345
1346         [JSC] JSC should have "parseFunction" to optimize Function constructor
1347         https://bugs.webkit.org/show_bug.cgi?id=190340
1348
1349         Reviewed by Mark Lam.
1350
1351         This patch fixes the line number of syntax errors raised by the Function constructor,
1352         since we now parse the final code only once. And we no longer use block statement
1353         for Function constructor's parsing.
1354
1355         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1356         * stress/function-cache-with-parameters-end-position.js: Added.
1357         (shouldBe):
1358         (shouldThrow):
1359         (i.anonymous):
1360         * stress/function-constructor-name.js: Added.
1361         (shouldBe):
1362         (GeneratorFunction):
1363         (AsyncFunction.async):
1364         (AsyncGeneratorFunction.async):
1365         (anonymous):
1366         (async.anonymous):
1367         * test262/expectations.yaml:
1368
1369 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1370
1371         Unreviewed, rolling out r237242.
1372         https://bugs.webkit.org/show_bug.cgi?id=190701
1373
1374         it breaks "stress/sampling-profiler-basic.js" (Requested by
1375         caiolima on #webkit).
1376
1377         Reverted changeset:
1378
1379         "[BigInt] Add ValueSub into DFG"
1380         https://bugs.webkit.org/show_bug.cgi?id=186176
1381         https://trac.webkit.org/changeset/237242
1382
1383 2018-10-17  Keith Miller  <keith_miller@apple.com>
1384
1385         AI does not clear Phantom allocation nodes.
1386         https://bugs.webkit.org/show_bug.cgi?id=190694
1387
1388         Reviewed by Saam Barati.
1389
1390         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1391         (Day):
1392         (DaysInYear):
1393         (TimeInYear):
1394         (TimeFromYear):
1395         (DayFromYear):
1396         (InLeapYear):
1397         (YearFromTime):
1398         (WeekDay):
1399         (DaylightSavingTA):
1400         (GetSecondSundayInMarch):
1401         (TimeInMonth):
1402
1403 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1404
1405         [BigInt] Add ValueSub into DFG
1406         https://bugs.webkit.org/show_bug.cgi?id=186176
1407
1408         Reviewed by Yusuke Suzuki.
1409
1410         * stress/big-int-subtraction-jit.js:
1411         * stress/value-sub-big-int-prediction-propagation.js: Added.
1412         * stress/value-sub-big-int-untyped.js: Added.
1413
1414 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1415
1416         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1417         https://bugs.webkit.org/show_bug.cgi?id=190611
1418
1419         Reviewed by Saam Barati.
1420
1421         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1422         to improve test runtime. On ARM/MIPS this test even timed out when running all
1423         tests.
1424
1425         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1426         (test):
1427
1428 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1429
1430         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1431
1432         Unreviewed gardening.
1433
1434         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1435
1436 2018-10-15  Saam barati  <sbarati@apple.com>
1437
1438         Emit fjcvtzs on ARM64E on Darwin
1439         https://bugs.webkit.org/show_bug.cgi?id=184023
1440
1441         Reviewed by Yusuke Suzuki and Filip Pizlo.
1442
1443         * stress/double-to-int32-NaN.js: Added.
1444         (assert):
1445         (foo):
1446
1447 2018-10-15  Saam Barati  <sbarati@apple.com>
1448
1449         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1450         https://bugs.webkit.org/show_bug.cgi?id=190262
1451         <rdar://problem/44986241>
1452
1453         Reviewed by Mark Lam.
1454
1455         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1456         (test):
1457         * stress/slice-array-storage-with-holes.js: Added.
1458         (main):
1459
1460 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1461
1462         Unreviewed, rolling out r237054.
1463         https://bugs.webkit.org/show_bug.cgi?id=190593
1464
1465         "this regressed JetStream 2 by 6% on iOS" (Requested by
1466         saamyjoon on #webkit).
1467
1468         Reverted changeset:
1469
1470         "[JSC] JSC should have "parseFunction" to optimize Function
1471         constructor"
1472         https://bugs.webkit.org/show_bug.cgi?id=190340
1473         https://trac.webkit.org/changeset/237054
1474
1475 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1476
1477         [JSC] JSON.stringify can accept call-with-no-arguments
1478         https://bugs.webkit.org/show_bug.cgi?id=190343
1479
1480         Reviewed by Mark Lam.
1481
1482         * stress/json-stringify-no-arguments.js: Added.
1483         (shouldBe):
1484
1485 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1486
1487         [JSC] JSC should have "parseFunction" to optimize Function constructor
1488         https://bugs.webkit.org/show_bug.cgi?id=190340
1489
1490         Reviewed by Mark Lam.
1491
1492         This patch fixes the line number of syntax errors raised by the Function constructor,
1493         since we now parse the final code only once. And we no longer use block statement
1494         for Function constructor's parsing.
1495
1496         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1497         * stress/function-cache-with-parameters-end-position.js: Added.
1498         (shouldBe):
1499         (shouldThrow):
1500         (i.anonymous):
1501         * stress/function-constructor-name.js: Added.
1502         (shouldBe):
1503         (GeneratorFunction):
1504         (AsyncFunction.async):
1505         (AsyncGeneratorFunction.async):
1506         (anonymous):
1507         (async.anonymous):
1508         * test262/expectations.yaml:
1509
1510 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1511
1512         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1513         https://bugs.webkit.org/show_bug.cgi?id=190426
1514
1515         Unreviewed gardening.
1516
1517         * stress/sampling-profiler-richards.js:
1518
1519 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1520
1521         [ESNext][BigInt] Implement support for "|"
1522         https://bugs.webkit.org/show_bug.cgi?id=186229
1523
1524         Reviewed by Yusuke Suzuki.
1525
1526         * stress/big-int-bitwise-and-jit.js:
1527         * stress/big-int-bitwise-or-general.js: Added.
1528         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1529         * stress/big-int-bitwise-or-jit.js: Added.
1530         * stress/big-int-bitwise-or-memory-stress.js: Added.
1531         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1532         * stress/big-int-bitwise-or-type-error.js: Added.
1533         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1534
1535 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1536
1537         Skip test on systems with limited memory
1538         https://bugs.webkit.org/show_bug.cgi?id=190310
1539
1540         Invoking runDefault adds test to runlist, skipping the test in the next
1541         line does not prevent the test from executing. Change order of lines such
1542         that runDefault is only executed if test is not executed.
1543
1544         Reviewed by Mark Lam.
1545
1546         * stress/regress-190187.js:
1547
1548 2018-10-03  Saam barati  <sbarati@apple.com>
1549
1550         lowXYZ in FTLLower should always filter the type of the incoming edge
1551         https://bugs.webkit.org/show_bug.cgi?id=189939
1552         <rdar://problem/44407030>
1553
1554         Reviewed by Michael Saboff.
1555
1556         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1557         (foo):
1558         (test):
1559
1560 2018-10-03  Mark Lam  <mark.lam@apple.com>
1561
1562         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1563         https://bugs.webkit.org/show_bug.cgi?id=190187
1564         <rdar://problem/42512909>
1565
1566         Reviewed by Michael Saboff.
1567
1568         * stress/regress-190187.js: Added.
1569
1570 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1571
1572         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1573         https://bugs.webkit.org/show_bug.cgi?id=190033
1574
1575         Reviewed by Yusuke Suzuki.
1576
1577         * stress/big-int-to-string.js:
1578
1579 2018-10-01  Mark Lam  <mark.lam@apple.com>
1580
1581         Function.toString() should also copy the source code Functions that are class definitions.
1582         https://bugs.webkit.org/show_bug.cgi?id=190186
1583         <rdar://problem/44733360>
1584
1585         Reviewed by Saam Barati.
1586
1587         * stress/regress-190186.js: Added.
1588
1589 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1590
1591         Split NaN-check into separate test
1592         https://bugs.webkit.org/show_bug.cgi?id=190010
1593
1594         Reviewed by Saam Barati.
1595
1596         DataView exposes NaN-representation, which is not necessarily the same on each
1597         architecture. Therefore move the check of the NaN-representation into its own
1598         file such that we can disable this test on MIPS where NaN-representation can be
1599         different on older CPUs.
1600
1601         * stress/dataview-jit-set-nan.js: Added.
1602         (assert):
1603         (test.storeLittleEndian):
1604         (test.storeBigEndian):
1605         (test.store):
1606         (test):
1607         * stress/dataview-jit-set.js:
1608         (test5):
1609
1610 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1611
1612         Unreviewed, rolling out r236647.
1613         https://bugs.webkit.org/show_bug.cgi?id=190124
1614
1615         Breaking test stress/big-int-to-string.js (Requested by
1616         caiolima_ on #webkit).
1617
1618         Reverted changeset:
1619
1620         "[BigInt] BigInt.proptotype.toString is broken when radix is
1621         power of 2"
1622         https://bugs.webkit.org/show_bug.cgi?id=190033
1623         https://trac.webkit.org/changeset/236647
1624
1625 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1626
1627         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1628         https://bugs.webkit.org/show_bug.cgi?id=190033
1629
1630         Reviewed by Yusuke Suzuki.
1631
1632         * stress/big-int-to-string.js:
1633
1634 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1635
1636         [ESNext][BigInt] Implement support for "&"
1637         https://bugs.webkit.org/show_bug.cgi?id=186228
1638
1639         Reviewed by Yusuke Suzuki.
1640
1641         * stress/big-int-bitwise-and-general.js: Added.
1642         (assert):
1643         (assert.sameValue):
1644         * stress/big-int-bitwise-and-jit.js: Added.
1645         (let.assert.sameValue):
1646         (bigIntBitAnd):
1647         * stress/big-int-bitwise-and-memory-stress.js: Added.
1648         (assert):
1649         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1650         (assert.sameValue):
1651         (let.o.Symbol.toPrimitive):
1652         (catch):
1653         * stress/big-int-bitwise-and-type-error.js: Added.
1654         (assert):
1655         (assertThrowTypeError):
1656         (let.o.valueOf):
1657         (o.valueOf):
1658         (o.toString):
1659         (o.Symbol.toPrimitive):
1660         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1661         (assert.sameValue):
1662         (testBitAnd):
1663         (let.o.Symbol.toPrimitive):
1664         (o.valueOf):
1665         (o.toString):
1666
1667 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1668
1669         JSC test stress/jsc-read.js doesn't support CRLF
1670         https://bugs.webkit.org/show_bug.cgi?id=190063
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1675
1676         * stress/jsc-read.js:
1677         (test):
1678
1679 2018-09-27  Saam barati  <sbarati@apple.com>
1680
1681         Verify the contents of AssemblerBuffer on arm64e
1682         https://bugs.webkit.org/show_bug.cgi?id=190057
1683         <rdar://problem/38916630>
1684
1685         Reviewed by Mark Lam.
1686
1687         * stress/regress-189132.js:
1688
1689 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1690
1691         Disable test without LLInt on ARMv7
1692         https://bugs.webkit.org/show_bug.cgi?id=190037
1693
1694         Reviewed by Mark Lam.
1695
1696         Test runs out of executable memory on ARMv7, do not run
1697         this test without LLInt enabled.
1698
1699         * stress/regress-169445.js:
1700
1701 2018-09-26  Keith Miller  <keith_miller@apple.com>
1702
1703         We should zero unused property storage when rebalancing array storage.
1704         https://bugs.webkit.org/show_bug.cgi?id=188151
1705
1706         Reviewed by Michael Saboff.
1707
1708         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1709
1710 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1711
1712         [JSC] Optimize Array#lastIndexOf
1713         https://bugs.webkit.org/show_bug.cgi?id=189780
1714
1715         Reviewed by Saam Barati.
1716
1717         * stress/array-lastindexof-array-prototype-trap.js: Added.
1718         (shouldBe):
1719         (AncestorArray.prototype.get 2):
1720         (AncestorArray):
1721         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1722         (shouldBe):
1723         * stress/array-lastindexof-hole-nan.js: Added.
1724         (shouldBe):
1725         (throw.new.Error):
1726         * stress/array-lastindexof-infinity.js: Added.
1727         (shouldBe):
1728         (throw.new.Error):
1729         * stress/array-lastindexof-negative-zero.js: Added.
1730         (shouldBe):
1731         (throw.new.Error):
1732         * stress/array-lastindexof-own-getter.js: Added.
1733         (shouldBe):
1734         (throw.new.Error.get array):
1735         (get array):
1736         * stress/array-lastindexof-prototype-trap.js: Added.
1737         (shouldBe):
1738         (DerivedArray.prototype.get 2):
1739         (DerivedArray):
1740
1741 2018-09-25  Saam Barati  <sbarati@apple.com>
1742
1743         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1744         https://bugs.webkit.org/show_bug.cgi?id=189940
1745         <rdar://problem/43640987>
1746
1747         Reviewed by Mark Lam.
1748
1749         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1750
1751 2018-09-24  Saam Barati  <sbarati@apple.com>
1752
1753         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1754         https://bugs.webkit.org/show_bug.cgi?id=189922
1755         <rdar://problem/44651275>
1756
1757         Reviewed by Mark Lam.
1758
1759         * stress/array-indexof-fast-path-effects.js: Added.
1760         * stress/array-indexof-cached-length.js: Added.
1761
1762 2018-09-24  Saam barati  <sbarati@apple.com>
1763
1764         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1765         https://bugs.webkit.org/show_bug.cgi?id=189682
1766         <rdar://problem/43557315>
1767
1768         Reviewed by Mark Lam.
1769
1770         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1771         (foo):
1772
1773 2018-09-22  Saam barati  <sbarati@apple.com>
1774
1775         The sampling should not use Strong<CodeBlock> in its machineLocation field
1776         https://bugs.webkit.org/show_bug.cgi?id=189319
1777
1778         Reviewed by Filip Pizlo.
1779
1780         * stress/sampling-profiler-richards.js: Added.
1781
1782 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1783
1784         [JSC] Optimize Array#indexOf in C++ runtime
1785         https://bugs.webkit.org/show_bug.cgi?id=189507
1786
1787         Reviewed by Saam Barati.
1788
1789         * stress/array-indexof-array-prototype-trap.js: Added.
1790         (shouldBe):
1791         (AncestorArray.prototype.get 2):
1792         (AncestorArray):
1793         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1794         (shouldBe):
1795         * stress/array-indexof-hole-nan.js: Added.
1796         (shouldBe):
1797         (throw.new.Error):
1798         * stress/array-indexof-infinity.js: Added.
1799         (shouldBe):
1800         (throw.new.Error):
1801         * stress/array-indexof-negative-zero.js: Added.
1802         (shouldBe):
1803         (throw.new.Error):
1804         * stress/array-indexof-own-getter.js: Added.
1805         (shouldBe):
1806         (throw.new.Error.get array):
1807         (get array):
1808         * stress/array-indexof-prototype-trap.js: Added.
1809         (shouldBe):
1810         (DerivedArray.prototype.get 2):
1811         (DerivedArray):
1812
1813 2018-09-19  Saam barati  <sbarati@apple.com>
1814
1815         AI rule for MultiPutByOffset executes its effects in the wrong order
1816         https://bugs.webkit.org/show_bug.cgi?id=189757
1817         <rdar://problem/43535257>
1818
1819         Reviewed by Michael Saboff.
1820
1821         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1822         (foo):
1823         (Foo):
1824         (g):
1825
1826 2018-09-17  Mark Lam  <mark.lam@apple.com>
1827
1828         Ensure that ForInContexts are invalidated if their loop local is over-written.
1829         https://bugs.webkit.org/show_bug.cgi?id=189571
1830         <rdar://problem/44402277>
1831
1832         Reviewed by Saam Barati.
1833
1834         * stress/regress-189571.js: Added.
1835
1836 2018-09-17  Saam barati  <sbarati@apple.com>
1837
1838         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1839         https://bugs.webkit.org/show_bug.cgi?id=189676
1840         <rdar://problem/39682897>
1841
1842         Reviewed by Michael Saboff.
1843
1844         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1845         (A):
1846         (K):
1847         (i.catch):
1848
1849 2018-09-14  Saam barati  <sbarati@apple.com>
1850
1851         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1852         https://bugs.webkit.org/show_bug.cgi?id=189628
1853         <rdar://problem/39481690>
1854
1855         Reviewed by Mark Lam.
1856
1857         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1858         (foo):
1859
1860 2018-09-11  Mark Lam  <mark.lam@apple.com>
1861
1862         Test for array initialization in arrayProtoFuncSplice.
1863         https://bugs.webkit.org/show_bug.cgi?id=170253
1864         <rdar://problem/31328773>
1865
1866         Rubber-stamped by Saam Barati.
1867
1868         * stress/regress-170253.js: Added.
1869
1870 2018-09-11  Mark Lam  <mark.lam@apple.com>
1871
1872         Test for IntlObject initialization.
1873         https://bugs.webkit.org/show_bug.cgi?id=170251
1874         <rdar://problem/31328419>
1875
1876         Rubber-stamped by Saam Barati.
1877
1878         * stress/regress-170251.js: Added.
1879
1880 2018-09-11  Mark Lam  <mark.lam@apple.com>
1881
1882         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1883         https://bugs.webkit.org/show_bug.cgi?id=169889
1884         <rdar://problem/31155607>
1885
1886         Reviewed by Saam Barati.
1887
1888         * stress/regress-169889-array-concat.js: Added.
1889         * stress/regress-169889-array-concat1.js: Added.
1890         * stress/regress-169889-array-slice.js: Added.
1891
1892 2018-09-11  Mark Lam  <mark.lam@apple.com>
1893
1894         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1895         https://bugs.webkit.org/show_bug.cgi?id=169445
1896         <rdar://problem/30957435>
1897
1898         Reviewed by Saam Barati.
1899
1900         * stress/regress-169445.js: Added.
1901         (let.gun.eval.A):
1902         (let.gun.eval.B.C):
1903         (let.gun.eval.B.C.prototype.trigger):
1904         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1905         (let.gun.eval.B):
1906         (let.gun.eval):
1907
1908 == Rolled over to ChangeLog-2018-09-11 ==