Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-22  Mark Lam  <mark.lam@apple.com>
2
3         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
4         https://bugs.webkit.org/show_bug.cgi?id=196154
5         <rdar://problem/49145307>
6
7         Reviewed by Filip Pizlo.
8
9         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
10         There's no need to run this test on more than 1 test configuration.
11
12         * stress/typed-array-lastIndexOf-exception-check.js: Added.
13         * stress/web-assembly-link-error-exception-check.js:
14
15 2019-03-22  Mark Lam  <mark.lam@apple.com>
16
17         Placate exception check validation in constructJSWebAssemblyLinkError().
18         https://bugs.webkit.org/show_bug.cgi?id=196152
19         <rdar://problem/49145257>
20
21         Reviewed by Michael Saboff.
22
23         * stress/web-assembly-link-error-exception-check.js: Added.
24
25 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
26
27         Skip tests running out of memory on ARM/MIPS
28         https://bugs.webkit.org/show_bug.cgi?id=196131
29
30         Unreviewed. Skip test if memory is limited.
31
32         * microbenchmarks/put-by-val-direct-large-index.js:
33
34 2019-03-21  Mark Lam  <mark.lam@apple.com>
35
36         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
37         https://bugs.webkit.org/show_bug.cgi?id=196116
38         <rdar://problem/48976951>
39
40         Reviewed by Filip Pizlo.
41
42         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
43
44 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
45
46         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
47         https://bugs.webkit.org/show_bug.cgi?id=196078
48         <rdar://problem/35925380>
49
50         Reviewed by Mark Lam.
51
52         Add a new benchmark that allocates several objects and invokes put_by_val_direct
53         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
54
55         * microbenchmarks/put-by-val-direct-large-index.js: Added.
56
57 2019-03-21  Mark Lam  <mark.lam@apple.com>
58
59         Placate exception check validation in operationArrayIndexOfString().
60         https://bugs.webkit.org/show_bug.cgi?id=196067
61         <rdar://problem/49056572>
62
63         Reviewed by Michael Saboff.
64
65         * stress/string-equal-exception-check.js: Added.
66
67 2019-03-21  Mark Lam  <mark.lam@apple.com>
68
69         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
70         https://bugs.webkit.org/show_bug.cgi?id=196055
71         <rdar://problem/49067448>
72
73         Reviewed by Yusuke Suzuki.
74
75         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
76
77 2019-03-20  Saam Barati  <sbarati@apple.com>
78
79         typeOfDoubleSum is wrong for when NaN can be produced
80         https://bugs.webkit.org/show_bug.cgi?id=196030
81
82         Reviewed by Filip Pizlo.
83
84         * stress/double-add-sub-mul-can-produce-nan.js: Added.
85         (assert):
86         (noInline.sub):
87         (noInline):
88         (assert.mul):
89         (assert.add):
90
91 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
92
93         Update the test to ensure OutOfMemoryError is thrown as intended
94         https://bugs.webkit.org/show_bug.cgi?id=196032
95         <rdar://problem/46842740>
96
97         Rubber stamped by Saam Barati.
98
99         * stress/create-error-out-of-memory-rope-string.js:
100         (assert):
101         (catch):
102
103 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
104
105         JSC::createError needs to check for OOM in errorDescriptionForValue
106         https://bugs.webkit.org/show_bug.cgi?id=196032
107         <rdar://problem/46842740>
108
109         Reviewed by Mark Lam.
110
111         * stress/create-error-out-of-memory-rope-string.js: Added.
112
113 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
114
115         Unreviewed, reduce # of iterations to avoid timing out after r242991
116         https://bugs.webkit.org/show_bug.cgi?id=195791
117
118         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
119
120         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
121
122 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
123
124         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
125         https://bugs.webkit.org/show_bug.cgi?id=195950
126
127         Unreviewed, reducing the amount of memory used on this test to avoid
128         OOM on devices with memory restrictions.
129
130         * microbenchmarks/generate-multiple-llint-entrypoints.js:
131
132 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
133
134         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
135         https://bugs.webkit.org/show_bug.cgi?id=194648
136
137         Reviewed by Keith Miller.
138
139         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
140
141 2019-03-18  Mark Lam  <mark.lam@apple.com>
142
143         Missing a ThrowScope release in JSObject::toString().
144         https://bugs.webkit.org/show_bug.cgi?id=195893
145         <rdar://problem/48970986>
146
147         Reviewed by Michael Saboff.
148
149         * stress/to-string-exception-check-release.js: Added.
150
151 2019-03-18  Mark Lam  <mark.lam@apple.com>
152
153         Structure::flattenDictionary() should clear unused property slots.
154         https://bugs.webkit.org/show_bug.cgi?id=195871
155         <rdar://problem/48959497>
156
157         Reviewed by Michael Saboff.
158
159         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
160
161 2019-03-15  Mark Lam  <mark.lam@apple.com>
162
163         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
164         https://bugs.webkit.org/show_bug.cgi?id=195827
165         <rdar://problem/48845513>
166
167         Reviewed by Filip Pizlo.
168
169         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
170
171 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
172
173         [ARM,MIPS] Skip slow tests
174         https://bugs.webkit.org/show_bug.cgi?id=195799
175
176         Unreviewed, test does not finish on ARM and MIPS within the
177         timeout limit.
178
179         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
180
181 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
182
183         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
184         https://bugs.webkit.org/show_bug.cgi?id=195791
185         <rdar://problem/48806130>
186
187         Reviewed by Mark Lam.
188
189         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
190         (foo):
191
192 2019-03-14  Saam barati  <sbarati@apple.com>
193
194         We can't remove code after ForceOSRExit until after FixupPhase
195         https://bugs.webkit.org/show_bug.cgi?id=186916
196         <rdar://problem/41396612>
197
198         Reviewed by Yusuke Suzuki.
199
200         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
201         (foo):
202         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
203         (foo):
204
205 2019-03-13  Michael Saboff  <msaboff@apple.com>
206
207         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
208         https://bugs.webkit.org/show_bug.cgi?id=195735
209
210         Reviewed by Mark Lam.
211
212         New regression test.
213
214         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
215         (foo):
216         (bar):
217
218 2019-03-14  Saam barati  <sbarati@apple.com>
219
220         Fixup uses KnownInt32 incorrectly in some nodes
221         https://bugs.webkit.org/show_bug.cgi?id=195279
222         <rdar://problem/47915654>
223
224         Reviewed by Yusuke Suzuki.
225
226         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
227         (foo):
228
229 2019-03-14  Keith Miller  <keith_miller@apple.com>
230
231         DFG liveness can't skip tail caller inline frames
232         https://bugs.webkit.org/show_bug.cgi?id=195715
233
234         Reviewed by Saam Barati.
235
236         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
237         (i.foo):
238
239 2019-03-13  Mark Lam  <mark.lam@apple.com>
240
241         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
242         https://bugs.webkit.org/show_bug.cgi?id=195415
243
244         Not reviewed.
245
246         Changed these tests to only run the default configuration.
247         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
248         There's no strong need to run this test on that variant.
249
250         * stress/dfg-to-string-on-int-does-gc.js:
251         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
252
253 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
254
255         String overflow when using StringBuilder in JSC::createError
256         https://bugs.webkit.org/show_bug.cgi?id=194957
257
258         Reviewed by Mark Lam.
259
260         Add test string-overflow-createError-bulder.js that overflows
261         StringBuilder in notAFunctionSourceAppender. The second new test
262         string-overflow-createError-fit.js has an error message that doesn't
263         overflow, it still failed since the String's capacity can't be doubled.
264         Run test string-overflow-createError.js only in the default
265         configuration to reduce memory consumption when running the test
266         in all configurations on multiple CPUs in parallel.
267
268         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
269         (catch):
270         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
271         (catch):
272         * stress/string-overflow-createError.js:
273
274 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
275
276         [JSC] OSR entry should respect abstract values in addition to flush formats
277         https://bugs.webkit.org/show_bug.cgi?id=195653
278
279         Reviewed by Mark Lam.
280
281         * stress/osr-entry-locals-none.js: Added.
282
283 2019-03-12  Michael Saboff  <msaboff@apple.com>
284
285         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
286         https://bugs.webkit.org/show_bug.cgi?id=195613
287
288         Reviewed by Mark Lam.
289
290         New regression test.
291
292         * stress/regexp-backref-inbounds.js: Added.
293         (testRegExp):
294
295 2019-03-12  Mark Lam  <mark.lam@apple.com>
296
297         The HasIndexedProperty node does GC.
298         https://bugs.webkit.org/show_bug.cgi?id=195559
299         <rdar://problem/48767923>
300
301         Reviewed by Yusuke Suzuki.
302
303         * stress/HasIndexedProperty-does-gc.js: Added.
304
305 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
306
307         [ESNext][BigInt] Implement "~" unary operation
308         https://bugs.webkit.org/show_bug.cgi?id=182216
309
310         Reviewed by Keith Miller.
311
312         * stress/big-int-bit-not-general.js: Added.
313         * stress/big-int-bitwise-not-jit.js: Added.
314         * stress/big-int-bitwise-not-wrapped-value.js: Added.
315         * stress/bit-op-with-object-returning-int32.js:
316         * stress/bitwise-not-fixup-rules.js: Added.
317         * stress/value-bit-not-ai-rule.js: Added.
318
319 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
320
321         Invalid flags in a RegExp literal should be an early SyntaxError
322         https://bugs.webkit.org/show_bug.cgi?id=195514
323
324         Reviewed by Darin Adler.
325
326         * test262/expectations.yaml:
327         Mark 4 test cases as passing.
328
329         * stress/regexp-syntax-error-invalid-flags.js:
330         * stress/regress-161995.js: Removed.
331         Update existing test, merging in an older test for the same behavior.
332
333 2019-03-08  Mark Lam  <mark.lam@apple.com>
334
335         Stack overflow crash in JSC::JSObject::hasInstance.
336         https://bugs.webkit.org/show_bug.cgi?id=195458
337         <rdar://problem/48710195>
338
339         Reviewed by Yusuke Suzuki.
340
341         * stress/stack-overflow-in-custom-hasInstance.js: Added.
342
343 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
344
345         op_check_tdz does not def its argument
346         https://bugs.webkit.org/show_bug.cgi?id=192880
347         <rdar://problem/46221598>
348
349         Reviewed by Saam Barati.
350
351         * microbenchmarks/let-for-in.js: Added.
352         (foo):
353
354 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
355
356         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
357         https://bugs.webkit.org/show_bug.cgi?id=195429
358
359         Reviewed by Saam Barati.
360
361         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
362         (foo):
363         * stress/string-from-char-code-255.js: Added.
364
365 2019-03-06  Mark Lam  <mark.lam@apple.com>
366
367         Fix incorrect handling of try-finally completion values.
368         https://bugs.webkit.org/show_bug.cgi?id=195131
369         <rdar://problem/46222079>
370
371         Reviewed by Saam Barati and Yusuke Suzuki.
372
373         Added many permutations of new test case to test-finally.js.  test-finally.js has
374         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
375         tests passes there as well.
376
377         * stress/test-finally.js:
378
379 2019-03-06  Saam Barati  <sbarati@apple.com>
380
381         Air::reportUsedRegisters must padInterference
382         https://bugs.webkit.org/show_bug.cgi?id=195303
383         <rdar://problem/48270343>
384
385         Reviewed by Keith Miller.
386
387         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
388
389 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
390
391         [JSC] AI should not propagate AbstractValue relying on constant folding phase
392         https://bugs.webkit.org/show_bug.cgi?id=195375
393
394         Reviewed by Saam Barati.
395
396         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
397         (let.array):
398
399 2019-03-05  Saam barati  <sbarati@apple.com>
400
401         op_switch_char broken for rope strings after JSRopeString layout rewrite
402         https://bugs.webkit.org/show_bug.cgi?id=195339
403         <rdar://problem/48592545>
404
405         Reviewed by Yusuke Suzuki.
406
407         * stress/switch-on-char-llint-rope.js: Added.
408
409 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
410
411         [JSC] Store bits for JSRopeString in 3 stores
412         https://bugs.webkit.org/show_bug.cgi?id=195234
413
414         Reviewed by Saam Barati.
415
416         * stress/null-rope-and-collectors.js: Added.
417
418 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
419
420         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
421         https://bugs.webkit.org/show_bug.cgi?id=195207
422
423         Unreviewed. After test runtime was reduced in r242213, test can be
424         run again on ARM/MIPS.
425
426         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
427
428 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
429
430         [JSC] sizeof(JSString) should be 16
431         https://bugs.webkit.org/show_bug.cgi?id=194375
432
433         Reviewed by Saam Barati.
434
435         * microbenchmarks/make-rope.js: Added.
436         (makeRope):
437         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
438         (returnRope.helper): Deleted.
439         (returnRope): Deleted.
440
441 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
442
443         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
444         https://bugs.webkit.org/show_bug.cgi?id=195144
445
446         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
447         Change the number from 1e8 to 1e5.
448
449         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
450         (foo):
451
452 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
453
454         Test times out on ARM/MIPS
455         https://bugs.webkit.org/show_bug.cgi?id=195168
456
457         Unreviewed. Skip test on ARM/MIPS.
458
459         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
460
461 2019-02-27  Mark Lam  <mark.lam@apple.com>
462
463         The parser is failing to record the token location of new in new.target.
464         https://bugs.webkit.org/show_bug.cgi?id=195127
465         <rdar://problem/39645578>
466
467         Reviewed by Yusuke Suzuki.
468
469         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
470
471 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
472
473         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
474         https://bugs.webkit.org/show_bug.cgi?id=195144
475         <rdar://problem/47595961>
476
477         Reviewed by Mark Lam.
478
479         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
480         (bar):
481         (foo):
482         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
483         (bar):
484         (foo):
485
486 2019-02-27  Robin Morisset  <rmorisset@apple.com>
487
488         DFG: Loop-invariant code motion (LICM) should not hoist dead code
489         https://bugs.webkit.org/show_bug.cgi?id=194945
490         <rdar://problem/48311657>
491
492         Reviewed by Mark Lam.
493
494         * stress/licm-dead-code.js: Added.
495
496 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
497
498         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
499         https://bugs.webkit.org/show_bug.cgi?id=194677
500         <rdar://problem/48112492>
501
502         Reviewed by Mark Lam.
503
504         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
505         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
506         it immediately fails due the large size.
507
508         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
509         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
510         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
511         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
512
513         This patch changes the test to produce 16bit string from String.fromCharCode.
514
515         * stress/regress-178386.js:
516
517 2019-02-26  Mark Lam  <mark.lam@apple.com>
518
519         wasmToJS() should purify incoming NaNs.
520         https://bugs.webkit.org/show_bug.cgi?id=194807
521         <rdar://problem/48189132>
522
523         Reviewed by Saam Barati.
524
525         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
526
527 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
528
529         [JSC] Repeat string created from Array.prototype.join() take too much memory
530         https://bugs.webkit.org/show_bug.cgi?id=193912
531
532         Reviewed by Saam Barati.
533
534         Added a test and a microbenchmark for corner cases of
535         Array.prototype.join() with an uninitialized array.
536
537         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
538         * stress/array-prototype-join-uninitialized.js: Added.
539         (testArray):
540         (testABC):
541         (B):
542         (C):
543
544 2019-02-22  Robin Morisset  <rmorisset@apple.com>
545
546         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
547         https://bugs.webkit.org/show_bug.cgi?id=194953
548         <rdar://problem/47595253>
549
550         Reviewed by Saam Barati.
551
552         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
553
554         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
555
556 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
557
558         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
559         https://bugs.webkit.org/show_bug.cgi?id=172848
560         <rdar://problem/25709212>
561
562         Reviewed by Mark Lam.
563
564         * typeProfiler/inheritance.js:
565         Rewrite the test slightly for clarity. The hoisting was confusing.
566
567         * heapProfiler/class-names.js: Added.
568         (MyES5Class):
569         (MyES6Class):
570         (MyES6Subclass):
571         Test object types and improved class names.
572
573         * heapProfiler/driver/driver.js:
574         (CheapHeapSnapshotNode):
575         (CheapHeapSnapshot):
576         (createCheapHeapSnapshot):
577         (HeapSnapshot):
578         (createHeapSnapshot):
579         Update snapshot parsing from version 1 to version 2.
580
581 2019-02-19  Truitt Savell  <tsavell@apple.com>
582
583         Unreviewed, rolling out r241784.
584
585         Broke all OpenSource builds.
586
587         Reverted changeset:
588
589         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
590         instances view"
591         https://bugs.webkit.org/show_bug.cgi?id=172848
592         https://trac.webkit.org/changeset/241784
593
594 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
595
596         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
597         https://bugs.webkit.org/show_bug.cgi?id=172848
598         <rdar://problem/25709212>
599
600         Reviewed by Mark Lam.
601
602         * typeProfiler/inheritance.js:
603         Rewrite the test slightly for clarity. The hoisting was confusing.
604
605         * heapProfiler/class-names.js: Added.
606         (MyES5Class):
607         (MyES6Class):
608         (MyES6Subclass):
609         Test object types and improved class names.
610
611         * heapProfiler/driver/driver.js:
612         (CheapHeapSnapshotNode):
613         (CheapHeapSnapshot):
614         (createCheapHeapSnapshot):
615         (HeapSnapshot):
616         (createHeapSnapshot):
617         Update snapshot parsing from version 1 to version 2.
618
619 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
620
621         [ARM] Fix crash with sampling profiler
622         https://bugs.webkit.org/show_bug.cgi?id=194772
623
624         Reviewed by Mark Lam.
625
626         Do not skip test since crash with sampling profiler is now fixed.
627
628         * stress/sampling-profiler-richards.js:
629
630 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
631
632         [JSC] Add LazyClassStructure::getInitializedOnMainThread
633         https://bugs.webkit.org/show_bug.cgi?id=194784
634         <rdar://problem/48154820>
635
636         Reviewed by Mark Lam.
637
638         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
639         (getProperties):
640         (getRandomProperty):
641         (i.catch):
642
643 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
644
645         [ARM] Test gardening: Test running out of executable memory
646         https://bugs.webkit.org/show_bug.cgi?id=194771
647
648         Unreviewed. Do not run test without LLInt, test is running out of executable
649         memory on ARM otherwise.
650
651         * stress/tagged-template-object-collect.js:
652
653 2019-02-18  Tomas Popela  <tpopela@redhat.com>
654
655         Unreviewed, skip the test on platforms without sampling profiler
656
657         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
658         (platformSupportsSamplingProfiler.foo):
659         (platformSupportsSamplingProfiler.test):
660         (platformSupportsSamplingProfiler):
661         (foo): Deleted.
662         (test): Deleted.
663
664 2019-02-17  Saam Barati  <sbarati@apple.com>
665
666         Deadlock when adding a Structure property transition and then doing incremental marking
667         https://bugs.webkit.org/show_bug.cgi?id=194767
668
669         Reviewed by Mark Lam.
670
671         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
672
673 2019-02-15  Michael Saboff  <msaboff@apple.com>
674
675         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
676         https://bugs.webkit.org/show_bug.cgi?id=194558
677
678         Reviewed by Saam Barati.
679
680         New regression test.
681
682         * stress/regexp-unicode-within-string.js: Added.
683
684 2019-02-15  Mark Lam  <mark.lam@apple.com>
685
686         SamplingProfiler::stackTracesAsJSON() should escape strings.
687         https://bugs.webkit.org/show_bug.cgi?id=194649
688         <rdar://problem/48072386>
689
690         Reviewed by Saam Barati.
691
692         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
693         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
694         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
695         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
696
697 2019-02-15  Robin Morisset  <rmorisset@apple.com>
698         CodeBlock::jettison should clear related watchpoints
699         https://bugs.webkit.org/show_bug.cgi?id=194544
700
701         Reviewed by Mark Lam.
702
703         * stress/regexp-replace-double-watchpoint.js: Added.
704         (foo):
705
706 2019-02-15  Saam barati  <sbarati@apple.com>
707
708         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
709         https://bugs.webkit.org/show_bug.cgi?id=194036
710
711         Reviewed by Yusuke Suzuki.
712
713         * stress/tail-call-many-arguments.js: Added.
714         (foo):
715         (bar):
716
717 2019-02-14  Saam Barati  <sbarati@apple.com>
718
719         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
720         https://bugs.webkit.org/show_bug.cgi?id=194583
721         <rdar://problem/48028140>
722
723         Reviewed by Yusuke Suzuki.
724
725         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
726
727 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
728
729         [JSC] String.fromCharCode's slow path always generates 16bit string
730         https://bugs.webkit.org/show_bug.cgi?id=194466
731
732         Reviewed by Keith Miller.
733
734         * stress/string-from-char-code-slow-path.js: Added.
735         (shouldBe):
736         (testWithLength):
737
738 2019-02-08  Saam barati  <sbarati@apple.com>
739
740         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
741         https://bugs.webkit.org/show_bug.cgi?id=194334
742         <rdar://problem/47844327>
743
744         Reviewed by Mark Lam.
745
746         * stress/check-in-bounds-should-be-a-child-use.js: Added.
747         (func):
748
749 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
750
751         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
752         https://bugs.webkit.org/show_bug.cgi?id=194369
753         <rdar://problem/47813087>
754
755         Reviewed by Saam Barati.
756
757         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
758         (A):
759
760 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
761
762         [JSC] PrivateName to PublicName hash table is wasteful
763         https://bugs.webkit.org/show_bug.cgi?id=194277
764
765         Reviewed by Michael Saboff.
766
767         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
768
769         * ChakraCore.yaml:
770
771 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
772
773         [ARM] Test running out of executable memory
774         https://bugs.webkit.org/show_bug.cgi?id=194285
775
776         Unreviewed. Do no execute test with LLInt disabled, test runs out of
777         executable memory otherwise.
778
779         * stress/class-subclassing-function.js:
780
781 2019-02-04  Robin Morisset  <rmorisset@apple.com>
782
783         when lowering AssertNotEmpty, create the value before creating the patchpoint
784         https://bugs.webkit.org/show_bug.cgi?id=194231
785
786         Reviewed by Saam Barati.
787
788         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
789         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
790         So even tiny changes to this test can change the path code taken.
791
792         * stress/assert-not-empty.js: Added.
793         (foo):
794
795 2019-02-01  Mark Lam  <mark.lam@apple.com>
796
797         Remove invalid assertion in DFG's compileDoubleRep().
798         https://bugs.webkit.org/show_bug.cgi?id=194130
799         <rdar://problem/47699474>
800
801         Reviewed by Saam Barati.
802
803         * stress/constant-fold-double-rep-into-double-constant.js: Added.
804
805 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
806
807         Import latest Test262 updates.
808
809         Rubber-stamped by Keith Miller.
810
811         * test262.yaml: Deleted.
812         * test262/config.yaml:
813         * test262/expectations.yaml:
814         * test262/latest-changes-summary.txt:
815         * test262/test/:
816         * test262/test262-Revision.txt:
817
818 2019-01-30  Robin Morisset  <rmorisset@apple.com>
819
820         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
821         https://bugs.webkit.org/show_bug.cgi?id=194050
822         <rdar://problem/47595592>
823
824         Reviewed by Yusuke Suzuki.
825
826         * stress/object-keys-osr-exit.js: Added.
827         (foo):
828         (catch):
829
830 2019-01-29  Mark Lam  <mark.lam@apple.com>
831
832         ValueRecovery::recover() should purify NaN values it recovers.
833         https://bugs.webkit.org/show_bug.cgi?id=193978
834         <rdar://problem/47625488>
835
836         Reviewed by Saam Barati.
837
838         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
839
840 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
841
842         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
843         https://bugs.webkit.org/show_bug.cgi?id=193713
844
845         * stress/try-get-by-id-should-spill-registers-dfg.js:
846         (let.f.createBuiltin):
847
848 2019-01-28  Mark Lam  <mark.lam@apple.com>
849
850         ToString node actually does GC.
851         https://bugs.webkit.org/show_bug.cgi?id=193920
852         <rdar://problem/46695900>
853
854         Reviewed by Yusuke Suzuki.
855
856         * stress/dfg-to-string-on-int-does-gc.js: Added.
857         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
858         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
859
860 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [JSC] NativeErrorConstructor should not have own IsoSubspace
863         https://bugs.webkit.org/show_bug.cgi?id=193713
864
865         Reviewed by Saam Barati.
866
867         Remove @Error use.
868
869         * stress/try-get-by-id-should-spill-registers-dfg.js:
870         (let.f.createBuiltin):
871
872 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
873
874         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
875         https://bugs.webkit.org/show_bug.cgi?id=190693
876
877         Reviewed by Michael Saboff.
878
879         * stress/regress-190693.js: Added.
880         (truth):
881         (assert):
882         (shouldThrowInvalidConstAssignment):
883         (taz):
884
885 2019-01-24  Saam Barati  <sbarati@apple.com>
886
887         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
888         https://bugs.webkit.org/show_bug.cgi?id=193751
889         <rdar://problem/47280215>
890
891         Reviewed by Michael Saboff.
892
893         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
894         (let.thing):
895         (foo.let.hello):
896         (foo):
897
898 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
899
900         [JSC] Reenable baseline JIT on mips
901         https://bugs.webkit.org/show_bug.cgi?id=192983
902
903         Reviewed by Mark Lam.
904
905         Added a new test for a case that was triggering a RELEASE_ASSERT when
906         testing.
907         Disable some slow tests that were already disabled for arm and x86.
908
909         * stress/json-parse-big-object.js: Added.
910         * stress/new-largeish-contiguous-array-with-size.js:
911         * stress/op_add.js:
912         * stress/op_bitand.js:
913         * stress/op_bitor.js:
914         * stress/op_bitxor.js:
915         * stress/op_lshift-ConstVar.js:
916         * stress/op_lshift-VarConst.js:
917         * stress/op_lshift-VarVar.js:
918         * stress/op_mod-ConstVar.js:
919         * stress/op_mod-VarConst.js:
920         * stress/op_mod-VarVar.js:
921         * stress/op_mul-ConstVar.js:
922         * stress/op_mul-VarConst.js:
923         * stress/op_mul-VarVar.js:
924         * stress/op_rshift-ConstVar.js:
925         * stress/op_rshift-VarConst.js:
926         * stress/op_rshift-VarVar.js:
927         * stress/op_sub-ConstVar.js:
928         * stress/op_sub-VarConst.js:
929         * stress/op_sub-VarVar.js:
930         * stress/op_urshift-ConstVar.js:
931         * stress/op_urshift-VarConst.js:
932         * stress/op_urshift-VarVar.js:
933         * stress/sampling-profiler-richards.js:
934         * stress/spread-forward-call-varargs-stack-overflow.js:
935
936 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
937
938         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
939         https://bugs.webkit.org/show_bug.cgi?id=193711
940         <rdar://problem/47250262>
941
942         Reviewed by Saam Barati.
943
944         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
945         (shouldBe):
946         (foo):
947         (bar):
948         (baz):
949
950 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
951
952         Unreviewed, fix initial global lexical binding epoch
953         https://bugs.webkit.org/show_bug.cgi?id=193603
954         <rdar://problem/47380869>
955
956         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
957         (f1.f2.f3.f4):
958         (f1.f2.f3):
959         (f1.f2):
960         (f1):
961
962 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
963
964         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
965         https://bugs.webkit.org/show_bug.cgi?id=193709
966         <rdar://problem/47363838>
967
968         Unreviewed, rollout to watch the tests.
969
970         * stress/object-tostring-changed-proto.js: Removed.
971         * stress/object-tostring-changed.js: Removed.
972         * stress/object-tostring-misc.js: Removed.
973         * stress/object-tostring-other.js: Removed.
974         * stress/object-tostring-untyped.js: Removed.
975
976 2019-01-22  Saam Barati  <sbarati@apple.com>
977
978         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
979
980         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
981         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
982         (testUncheckedLessThanZero):
983         (testUncheckedLessThanOrEqualZero):
984         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
985         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
986
987 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
988
989         [JSC] Invalidate old scope operations using global lexical binding epoch
990         https://bugs.webkit.org/show_bug.cgi?id=193603
991         <rdar://problem/47380869>
992
993         Reviewed by Saam Barati.
994
995         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
996         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
997         (shouldThrow):
998         (bar):
999         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1000         (shouldBe):
1001         (get1):
1002         (get2):
1003         (get1If):
1004         (get2If):
1005         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1006         (shouldThrow):
1007         (foo):
1008
1009 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1010
1011         Unreviewed, roll out r240220 due to date-format-xparb regression
1012         https://bugs.webkit.org/show_bug.cgi?id=193603
1013
1014         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1015         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1016         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1017         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1018
1019 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1020
1021         DoesGC rule is wrong for nodes with BigIntUse
1022         https://bugs.webkit.org/show_bug.cgi?id=193652
1023
1024         Reviewed by Saam Barati.
1025
1026         * stress/big-int-value-op-update-gc-rules.js: Added.
1027         (assert):
1028         (doesGCAdd):
1029         (doesGCSub):
1030         (doesGCDiv):
1031         (doesGCMul):
1032         (doesGCBitAnd):
1033         (doesGCBitOr):
1034         (doesGCBitXor):
1035
1036 2019-01-20  Saam Barati  <sbarati@apple.com>
1037
1038         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1039         https://bugs.webkit.org/show_bug.cgi?id=193644
1040         <rdar://problem/46209745>
1041
1042         Reviewed by Yusuke Suzuki.
1043
1044         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1045         (foo):
1046         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1047         (foo):
1048         (bar):
1049
1050 2019-01-20  Saam Barati  <sbarati@apple.com>
1051
1052         MovHint must merge NodeBytecodeUsesAsValue for its child
1053         https://bugs.webkit.org/show_bug.cgi?id=186916
1054         <rdar://problem/41396612>
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1059         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1060
1061 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1062
1063         [JSC] Invalidate old scope operations using global lexical binding epoch
1064         https://bugs.webkit.org/show_bug.cgi?id=193603
1065         <rdar://problem/47380869>
1066
1067         Reviewed by Saam Barati.
1068
1069         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1070         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1071         (shouldThrow):
1072         (bar):
1073         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1074         (shouldBe):
1075         (get1):
1076         (get2):
1077         (get1If):
1078         (get2If):
1079         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1080         (shouldThrow):
1081         (foo):
1082
1083 2019-01-17  Saam barati  <sbarati@apple.com>
1084
1085         StringObjectUse should not be a structure check for the original string object structure
1086         https://bugs.webkit.org/show_bug.cgi?id=193483
1087         <rdar://problem/47280522>
1088
1089         Reviewed by Yusuke Suzuki.
1090
1091         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1092         (foo):
1093         (a.valueOf.0):
1094
1095 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1096
1097         [JSC] ToThis omission in DFGByteCodeParser is wrong
1098         https://bugs.webkit.org/show_bug.cgi?id=193513
1099         <rdar://problem/45842236>
1100
1101         Reviewed by Saam Barati.
1102
1103         * stress/to-this-omission-with-different-strict-modes.js: Added.
1104         (thisA):
1105         (thisAStrictWrapper):
1106
1107 2019-01-15  Mark Lam  <mark.lam@apple.com>
1108
1109         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1110         https://bugs.webkit.org/show_bug.cgi?id=193423
1111         <rdar://problem/46209355>
1112
1113         Reviewed by Saam Barati.
1114
1115         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1116         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1117         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1118         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1119
1120 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1121
1122         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1123         https://bugs.webkit.org/show_bug.cgi?id=193438
1124         <rdar://problem/45581249>
1125
1126         Reviewed by Saam Barati and Keith Miller.
1127
1128         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1129         Then, GetByVal(String) crashed.
1130
1131         * stress/string-get-by-val-lowering.js: Added.
1132         (shouldBe):
1133         (test):
1134         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1135         (Hello):
1136         (foo):
1137
1138 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1139
1140         Unreviewed, skip JIT tests if it's not enabled
1141
1142         * stress/bit-op-with-object-returning-int32.js:
1143
1144 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1145
1146         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1147         https://bugs.webkit.org/show_bug.cgi?id=192966
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         * stress/bit-op-with-object-returning-int32.js: Added.
1152
1153 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1154
1155         Skip a slow test and a flakey test on arm
1156
1157         Unreviewed gardening.
1158
1159         * typeProfiler/getter-richards.js:
1160         this test always times out, it used to be always skipped on arm and
1161         mips, but got accidentally enabled by r237919 now that we have DFG on
1162         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1163
1164 2019-01-14  Keith Miller  <keith_miller@apple.com>
1165
1166         Skip type-check-hoisting-phase-hoist... with no jit
1167         https://bugs.webkit.org/show_bug.cgi?id=193421
1168
1169         Reviewed by Mark Lam.
1170
1171         It's timing out the 32-bit bots and takes 330 seconds
1172         on my machine when run by itself.
1173
1174         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1175
1176 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1177
1178         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1179         https://bugs.webkit.org/show_bug.cgi?id=193413
1180         <rdar://problem/46092389>
1181
1182         Reviewed by Keith Miller.
1183
1184         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1185         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1186         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1187         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1188
1189         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1190         (compareArray):
1191
1192 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1193
1194         [BigInt] Literal parsing is crashing when used inside a Object Literal
1195         https://bugs.webkit.org/show_bug.cgi?id=193404
1196
1197         Reviewed by Yusuke Suzuki.
1198
1199         * stress/big-int-literal-inside-literal-object.js: Added.
1200
1201 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1202
1203         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1204         https://bugs.webkit.org/show_bug.cgi?id=193372
1205
1206         Reviewed by Saam Barati.
1207
1208         * stress/typed-array-array-modes-profile.js: Added.
1209         (foo):
1210
1211 2019-01-14  Mark Lam  <mark.lam@apple.com>
1212
1213         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1214         https://bugs.webkit.org/show_bug.cgi?id=193402
1215         <rdar://problem/46012309>
1216
1217         Reviewed by Keith Miller.
1218
1219         * stress/regexp-compile-oom.js:
1220         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1221           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1222
1223 2019-01-11  Saam barati  <sbarati@apple.com>
1224
1225         DFG combined liveness can be wrong for terminal basic blocks
1226         https://bugs.webkit.org/show_bug.cgi?id=193304
1227         <rdar://problem/45268632>
1228
1229         Reviewed by Yusuke Suzuki.
1230
1231         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1232
1233 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1234
1235         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1236         https://bugs.webkit.org/show_bug.cgi?id=193308
1237         <rdar://problem/45546542>
1238
1239         Reviewed by Saam Barati.
1240
1241         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1242         (shouldThrow):
1243         (shouldBe):
1244         (foo):
1245         (get shouldThrow):
1246         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1247         (shouldThrow):
1248         (shouldBe):
1249         (foo):
1250         (get shouldBe):
1251         (get shouldThrow):
1252         (get return):
1253         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1254         (shouldThrow):
1255         (shouldBe):
1256         (foo):
1257         (get shouldBe):
1258         (get shouldThrow):
1259         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1260         (shouldThrow):
1261         (shouldBe):
1262         (foo):
1263         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1264         (shouldThrow):
1265         (shouldBe):
1266         (foo):
1267         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1268         (shouldThrow):
1269         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1270         (shouldThrow):
1271         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1272         (shouldThrow):
1273         (shouldBe):
1274         (foo):
1275         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1276         (shouldThrow):
1277         (shouldBe):
1278         (foo):
1279         (get shouldBe):
1280         (get shouldThrow):
1281         (get return):
1282         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1283         (shouldThrow):
1284         (shouldBe):
1285         (foo):
1286         (get shouldBe):
1287         (get shouldThrow):
1288         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1289         (shouldThrow):
1290         (shouldBe):
1291         (foo):
1292         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1293         (shouldThrow):
1294         (shouldBe):
1295         (foo):
1296
1297 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1298
1299         Enable DFG on ARM/Linux again
1300         https://bugs.webkit.org/show_bug.cgi?id=192496
1301
1302         Reviewed by Yusuke Suzuki.
1303
1304         Test wasn't really skipped before moving the line with skip
1305         to the top.
1306
1307         * stress/regress-192717.js:
1308
1309 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1310
1311         Unreviewed, rolling out r239825.
1312         https://bugs.webkit.org/show_bug.cgi?id=193330
1313
1314         Broke tests on armv7/linux bots (Requested by guijemont on
1315         #webkit).
1316
1317         Reverted changeset:
1318
1319         "Enable DFG on ARM/Linux again"
1320         https://bugs.webkit.org/show_bug.cgi?id=192496
1321         https://trac.webkit.org/changeset/239825
1322
1323 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1324
1325         Enable DFG on ARM/Linux again
1326         https://bugs.webkit.org/show_bug.cgi?id=192496
1327
1328         Reviewed by Yusuke Suzuki.
1329
1330         Test wasn't really skipped before moving the line with skip
1331         to the top.
1332
1333         * stress/regress-192717.js:
1334
1335 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1336
1337         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1338         https://bugs.webkit.org/show_bug.cgi?id=193127
1339
1340         Reviewed by Saam Barati.
1341
1342         * stress/array-species-create-should-handle-masquerader.js: Added.
1343         (shouldThrow):
1344         * stress/is-undefined-or-null-builtin.js: Added.
1345         (shouldBe):
1346         (isUndefinedOrNull.vm.createBuiltin):
1347
1348 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1349
1350         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1351         https://bugs.webkit.org/show_bug.cgi?id=193221
1352
1353         Reviewed by Mark Lam.
1354
1355         * stress/put-by-id-flags.js: Added.
1356         (f):
1357         (g):
1358         (numberOfDFGCompiles):
1359
1360 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1361
1362         Baseline version of get_by_id may corrupt metadata
1363         https://bugs.webkit.org/show_bug.cgi?id=193085
1364         <rdar://problem/23453006>
1365
1366         Reviewed by Saam Barati.
1367
1368         * stress/get-by-id-change-mode.js: Added.
1369         (forEach):
1370
1371 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1372
1373         [JSC] Optimize Object.prototype.toString
1374         https://bugs.webkit.org/show_bug.cgi?id=193031
1375
1376         Reviewed by Saam Barati.
1377
1378         * stress/object-tostring-changed-proto.js: Added.
1379         (shouldBe):
1380         (test):
1381         * stress/object-tostring-changed.js: Added.
1382         (shouldBe):
1383         (test):
1384         * stress/object-tostring-misc.js: Added.
1385         (shouldBe):
1386         (test):
1387         (i.switch):
1388         * stress/object-tostring-other.js: Added.
1389         (shouldBe):
1390         (test):
1391         * stress/object-tostring-untyped.js: Added.
1392         (shouldBe):
1393         (test):
1394         (i.switch):
1395
1396 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1397
1398         test262-runner misbehaves when test file YAML has a trailing space
1399         https://bugs.webkit.org/show_bug.cgi?id=193053
1400
1401         Reviewed by Yusuke Suzuki.
1402
1403         * test262/expectations.yaml:
1404         Mark two dozen tests as passing (and correct the output of another).
1405
1406 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1407
1408         Unreviewed, JSTests gardening with memoryLimited
1409
1410         * stress/string-overflow-createError.js:
1411
1412 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1413
1414         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1415         https://bugs.webkit.org/show_bug.cgi?id=193050
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         * test262.yaml:
1420         * test262/expectations.yaml:
1421         Mark 16 tests as passing.
1422
1423 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1424
1425         [BigInt] Support BigInt in JSON.stringify
1426         https://bugs.webkit.org/show_bug.cgi?id=192624
1427
1428         Reviewed by Saam Barati.
1429
1430         * stress/big-int-json-stringify-to-json.js: Added.
1431         (shouldBe):
1432         (shouldThrow):
1433         (BigInt.prototype.toJSON):
1434         (shouldBe.JSON.stringify):
1435         * stress/big-int-json-stringify.js: Added.
1436         (shouldBe):
1437         (shouldThrow):
1438
1439 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1440
1441         [JSC] Implement "well-formed JSON.stringify" proposal
1442         https://bugs.webkit.org/show_bug.cgi?id=191677
1443
1444         Reviewed by Darin Adler.
1445
1446         * stress/json-surrogate-pair.js: Added.
1447         (shouldBe):
1448         * test262/expectations.yaml:
1449
1450 2018-12-20  Keith Miller  <keith_miller@apple.com>
1451
1452         Add support for globalThis
1453         https://bugs.webkit.org/show_bug.cgi?id=165171
1454
1455         Reviewed by Mark Lam.
1456
1457         * test262/config.yaml:
1458
1459 2018-12-19  Keith Miller  <keith_miller@apple.com>
1460
1461         Update test262 configuration to not run tests dependent on ICU version.
1462         https://bugs.webkit.org/show_bug.cgi?id=192920
1463
1464         Reviewed by Saam Barati.
1465
1466         * test262/expectations.yaml:
1467
1468 2018-12-20  Mark Lam  <mark.lam@apple.com>
1469
1470         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1471         https://bugs.webkit.org/show_bug.cgi?id=192939
1472         <rdar://problem/46869516>
1473
1474         Reviewed by Keith Miller.
1475
1476         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1477
1478 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1479
1480         WTF::String and StringImpl overflow MaxLength
1481         https://bugs.webkit.org/show_bug.cgi?id=192853
1482         <rdar://problem/45726906>
1483
1484         Reviewed by Mark Lam.
1485
1486         * stress/string-16bit-repeat-overflow.js: Added.
1487         (catch):
1488
1489 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1490
1491         Unreviewed follow-up to r192914.
1492
1493         * test262/expectations.yaml:
1494         Add the last 20 missing expectations.
1495
1496 2018-12-19  Keith Miller  <keith_miller@apple.com>
1497
1498         Fix test262 expectations
1499         https://bugs.webkit.org/show_bug.cgi?id=192914
1500
1501         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1502
1503         * test262/expectations.yaml:
1504
1505 2018-12-19  Keith Miller  <keith_miller@apple.com>
1506
1507         Update test262 tests.
1508         https://bugs.webkit.org/show_bug.cgi?id=192907
1509
1510         Rubber stamped by Mark Lam.
1511
1512         * test262/*: Omitted because prepare-changelog crashes.
1513
1514 2018-12-19  Mark Lam  <mark.lam@apple.com>
1515
1516         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1517         https://bugs.webkit.org/show_bug.cgi?id=192464
1518         <rdar://problem/46519455>
1519
1520         Reviewed by Saam Barati.
1521
1522         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1523         microbenchmark.
1524
1525         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1526         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1527
1528 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1529
1530         String overflow in JSC::createError results in ASSERT in WTF::makeString
1531         https://bugs.webkit.org/show_bug.cgi?id=192833
1532         <rdar://problem/45706868>
1533
1534         Reviewed by Mark Lam.
1535
1536         * stress/string-overflow-createError.js: Added.
1537
1538 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1539
1540         Error message for `-x ** y` contains a typo.
1541         https://bugs.webkit.org/show_bug.cgi?id=192832
1542
1543         Reviewed by Saam Barati.
1544
1545         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1546         (assert.assert.return.throws):
1547         * stress/pow-expects-update-expression-on-lhs.js:
1548         (throw.new.Error):
1549         Update test expectations which match against the exact error message.
1550
1551 2018-12-18  Mark Lam  <mark.lam@apple.com>
1552
1553         Gardening: test options fix.
1554         https://bugs.webkit.org/show_bug.cgi?id=192822
1555
1556         Unreviewed.
1557
1558         * stress/json-stringify-string-builder-overflow.js:
1559
1560 2018-12-18  Mark Lam  <mark.lam@apple.com>
1561
1562         JSON.stringify() should throw OOM on StringBuilder overflows.
1563         https://bugs.webkit.org/show_bug.cgi?id=192822
1564         <rdar://problem/46670577>
1565
1566         Reviewed by Saam Barati.
1567
1568         * stress/json-stringify-string-builder-overflow.js: Added.
1569
1570 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1571
1572         Redeclaration of var over let/const/class should be a syntax error.
1573         https://bugs.webkit.org/show_bug.cgi?id=192298
1574
1575         Reviewed by Keith Miller.
1576
1577         * test262.yaml:
1578         * test262/expectations.yaml:
1579         Mark 46 tests as passing.
1580
1581         * stress/block-scope-redeclarations.js:
1582         Add some new tests.
1583
1584         * stress/for-in-invalidate-context-weird-assignments.js:
1585         * stress/for-in-tests.js:
1586         Replace tests for outdated behavior with tests for SyntaxError.
1587
1588         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1589         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1590         Update expectations.
1591
1592 2018-12-18  Mark Lam  <mark.lam@apple.com>
1593
1594         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1595         https://bugs.webkit.org/show_bug.cgi?id=191374
1596         <rdar://problem/46525447>
1597
1598         Reviewed by Yusuke Suzuki.
1599
1600         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1601
1602         * stress/elidable-new-object-roflcopter-then-exit.js:
1603
1604 2018-12-17  Mark Lam  <mark.lam@apple.com>
1605
1606         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1607         https://bugs.webkit.org/show_bug.cgi?id=192019
1608         <rdar://problem/46525456>
1609
1610         Reviewed by Yusuke Suzuki.
1611
1612         The test runs too slow on 32-bit.
1613
1614         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1615
1616 2018-12-17  Mark Lam  <mark.lam@apple.com>
1617
1618         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1619         https://bugs.webkit.org/show_bug.cgi?id=191373
1620         <rdar://problem/46525458>
1621
1622         Reviewed by Yusuke Suzuki.
1623
1624         The test is already slow running with a JIT on 64-bit.  It will always timeout
1625         on 32-bit without a JIT.
1626
1627         * stress/materialize-regexp-cyclic-regexp.js:
1628
1629 2018-12-17  Mark Lam  <mark.lam@apple.com>
1630
1631         Array unshift/shift should not race against the AI in the compiler thread.
1632         https://bugs.webkit.org/show_bug.cgi?id=192795
1633         <rdar://problem/46724263>
1634
1635         Reviewed by Saam Barati.
1636
1637         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1638
1639 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1640
1641         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1642         https://bugs.webkit.org/show_bug.cgi?id=190047
1643
1644         Reviewed by Saam Barati.
1645
1646         * stress/object-keys-cached-zero.js: Added.
1647         (shouldBe):
1648         (test):
1649         * stress/object-keys-changed-attribute.js: Added.
1650         (shouldBe):
1651         (test):
1652         * stress/object-keys-changed-index.js: Added.
1653         (shouldBe):
1654         (test):
1655         * stress/object-keys-changed.js: Added.
1656         (shouldBe):
1657         (test):
1658         * stress/object-keys-indexed-non-cache.js: Added.
1659         (shouldBe):
1660         (test):
1661         * stress/object-keys-overrides-get-property-names.js: Added.
1662         (shouldBe):
1663         (test):
1664         (noInline):
1665
1666 2018-12-17  Mark Lam  <mark.lam@apple.com>
1667
1668         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1669         https://bugs.webkit.org/show_bug.cgi?id=192779
1670         <rdar://problem/46775869>
1671
1672         Reviewed by Saam Barati.
1673
1674         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1675
1676 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1677
1678         Unreviewed test gardening, address a syntax error in a new test.
1679
1680         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1681
1682 2018-12-17  Mark Lam  <mark.lam@apple.com>
1683
1684         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1685         https://bugs.webkit.org/show_bug.cgi?id=192776
1686         <rdar://problem/46772368>
1687
1688         Reviewed by Keith Miller.
1689
1690         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1691
1692 2018-12-17  Mark Lam  <mark.lam@apple.com>
1693
1694         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1695         https://bugs.webkit.org/show_bug.cgi?id=192770
1696         <rdar://problem/46449037>
1697
1698         Reviewed by Keith Miller.
1699
1700         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1701
1702 2018-12-14  Mark Lam  <mark.lam@apple.com>
1703
1704         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1705         https://bugs.webkit.org/show_bug.cgi?id=192717
1706         <rdar://problem/46660677>
1707
1708         Reviewed by Saam Barati.
1709
1710         * stress/regress-192717.js: Added.
1711
1712 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1713
1714         Unreviewed, rolling out r239153, r239154, and r239155.
1715         https://bugs.webkit.org/show_bug.cgi?id=192715
1716
1717         Caused flaky GC-related crashes seen with layout tests
1718         (Requested by ryanhaddad on #webkit).
1719
1720         Reverted changesets:
1721
1722         "[JSC] Optimize Object.keys by caching own keys results in
1723         StructureRareData"
1724         https://bugs.webkit.org/show_bug.cgi?id=190047
1725         https://trac.webkit.org/changeset/239153
1726
1727         "Unreviewed, build fix after r239153"
1728         https://bugs.webkit.org/show_bug.cgi?id=190047
1729         https://trac.webkit.org/changeset/239154
1730
1731         "Unreviewed, build fix after r239153, part 2"
1732         https://bugs.webkit.org/show_bug.cgi?id=190047
1733         https://trac.webkit.org/changeset/239155
1734
1735 2018-12-14  Keith Miller  <keith_miller@apple.com>
1736
1737         Callers of JSString::getIndex should check for OOM exceptions
1738         https://bugs.webkit.org/show_bug.cgi?id=192709
1739
1740         Reviewed by Mark Lam.
1741
1742         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1743
1744 2018-12-13  Mark Lam  <mark.lam@apple.com>
1745
1746         Add a missing exception check.
1747         https://bugs.webkit.org/show_bug.cgi?id=192626
1748         <rdar://problem/46662163>
1749
1750         Reviewed by Keith Miller.
1751
1752         * stress/regress-192626.js: Added.
1753
1754 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1755
1756         [BigInt] Add ValueDiv into DFG
1757         https://bugs.webkit.org/show_bug.cgi?id=186178
1758
1759         Reviewed by Yusuke Suzuki.
1760
1761         * stress/big-int-div-jit-osr.js: Added.
1762         * stress/big-int-div-jit-untyped.js: Added.
1763         * stress/value-div-fixup-int32-big-int.js: Added.
1764
1765 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1766
1767         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1768         https://bugs.webkit.org/show_bug.cgi?id=190047
1769
1770         Reviewed by Keith Miller.
1771
1772         * stress/object-keys-cached-zero.js: Added.
1773         (shouldBe):
1774         (test):
1775         * stress/object-keys-changed-attribute.js: Added.
1776         (shouldBe):
1777         (test):
1778         * stress/object-keys-changed-index.js: Added.
1779         (shouldBe):
1780         (test):
1781         * stress/object-keys-changed.js: Added.
1782         (shouldBe):
1783         (test):
1784         * stress/object-keys-indexed-non-cache.js: Added.
1785         (shouldBe):
1786         (test):
1787         * stress/object-keys-overrides-get-property-names.js: Added.
1788         (shouldBe):
1789         (test):
1790         (noInline):
1791
1792 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1793
1794         [DFG][FTL] Add NewSymbol
1795         https://bugs.webkit.org/show_bug.cgi?id=192620
1796
1797         Reviewed by Saam Barati.
1798
1799         * microbenchmarks/symbol-creation.js: Added.
1800         (test):
1801         * stress/symbol-description-identity.js: Added.
1802         (shouldBe):
1803         (test):
1804         * stress/symbol-identity.js: Added.
1805         (shouldBe):
1806         (test):
1807         * stress/symbol-with-description-throw-error.js: Added.
1808         (shouldBe):
1809         (shouldThrow):
1810         (test):
1811         (object.toString):
1812
1813 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1814
1815         [BigInt] Implement DFG/FTL typeof for BigInt
1816         https://bugs.webkit.org/show_bug.cgi?id=192619
1817
1818         Reviewed by Keith Miller.
1819
1820         * stress/big-int-boolean-proven-type.js: Added.
1821         (assert):
1822         (bool):
1823         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1824         (assert):
1825         (typeOf):
1826         (i.switch):
1827         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1828         (assert):
1829         (typeOf):
1830         * stress/big-int-type-of.js:
1831         (typeOf):
1832         (func):
1833
1834 2018-12-10  Mark Lam  <mark.lam@apple.com>
1835
1836         PropertyAttribute needs a CustomValue bit.
1837         https://bugs.webkit.org/show_bug.cgi?id=191993
1838         <rdar://problem/46264467>
1839
1840         Reviewed by Saam Barati.
1841
1842         * stress/regress-191993.js: Added.
1843
1844 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1845
1846         [BigInt] Add ValueMul into DFG
1847         https://bugs.webkit.org/show_bug.cgi?id=186175
1848
1849         Reviewed by Yusuke Suzuki.
1850
1851         * stress/big-int-mul-jit-osr.js: Added.
1852         * stress/big-int-mul-jit-untyped.js: Added.
1853         * stress/value-mul-fixup-int32-big-int.js: Added.
1854
1855 2018-12-06  Keith Miller  <keith_miller@apple.com>
1856
1857         stress/big-wasm-memory tests failing on 32-bit JSC bot
1858         https://bugs.webkit.org/show_bug.cgi?id=192020
1859
1860         Reviewed by Saam Barati.
1861
1862         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1863         the wasm stress tests if the WebAssembly object does not exist.
1864
1865         * stress/big-wasm-memory-grow-no-max.js:
1866         (test.foo):
1867         (test):
1868         (foo): Deleted.
1869         (catch): Deleted.
1870         * stress/big-wasm-memory-grow.js:
1871         (test.foo):
1872         (test):
1873         (foo): Deleted.
1874         (catch): Deleted.
1875         * stress/big-wasm-memory.js:
1876         (test.foo):
1877         (test):
1878         (foo): Deleted.
1879         (catch): Deleted.
1880
1881 2018-12-05  Mark Lam  <mark.lam@apple.com>
1882
1883         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1884         https://bugs.webkit.org/show_bug.cgi?id=192441
1885         <rdar://problem/46480355>
1886
1887         Reviewed by Saam Barati.
1888
1889         * stress/regress-192441.js: Added.
1890
1891 2018-12-04  Mark Lam  <mark.lam@apple.com>
1892
1893         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1894         https://bugs.webkit.org/show_bug.cgi?id=192386
1895         <rdar://problem/46445516>
1896
1897         Reviewed by Saam Barati.
1898
1899         * stress/regress-192386.js: Added.
1900
1901 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1902
1903         [ESNext][BigInt] Support logic operations
1904         https://bugs.webkit.org/show_bug.cgi?id=179903
1905
1906         Reviewed by Yusuke Suzuki.
1907
1908         * stress/big-int-branch-usage.js: Added.
1909         * stress/big-int-logical-and.js: Added.
1910         * stress/big-int-logical-not.js: Added.
1911         * stress/big-int-logical-or.js: Added.
1912
1913 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1914
1915         Unreviewed, rolling out r238833.
1916
1917         Breaks macOS and iOS debug builds.
1918
1919         Reverted changeset:
1920
1921         "[ESNext][BigInt] Support logic operations"
1922         https://bugs.webkit.org/show_bug.cgi?id=179903
1923         https://trac.webkit.org/changeset/238833
1924
1925 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1926
1927         [ESNext][BigInt] Support logic operations
1928         https://bugs.webkit.org/show_bug.cgi?id=179903
1929
1930         Reviewed by Yusuke Suzuki.
1931
1932         * stress/big-int-branch-usage.js: Added.
1933         * stress/big-int-logical-and.js: Added.
1934         * stress/big-int-logical-not.js: Added.
1935         * stress/big-int-logical-or.js: Added.
1936
1937 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1938
1939         [ESNext][BigInt] Implement support for "<<" and ">>"
1940         https://bugs.webkit.org/show_bug.cgi?id=186233
1941
1942         Reviewed by Yusuke Suzuki.
1943
1944         * stress/big-int-left-shift-general.js: Added.
1945         * stress/big-int-left-shift-range-error.js: Added.
1946         * stress/big-int-left-shift-type-error.js: Added.
1947         * stress/big-int-left-shift-wrapped-value.js: Added.
1948         * stress/big-int-right-shift-general.js: Added.
1949         * stress/big-int-right-shift-type-error.js: Added.
1950         * stress/big-int-right-shift-wrapped-value.js: Added.
1951         * stress/left-shift-to-primitive-precedence.js: Added.
1952         * stress/right-shift-to-primitive-precedence.js: Added.
1953
1954 2018-11-30  Dean Jackson  <dino@apple.com>
1955
1956         Add first-class support for .mjs files in jsc binary
1957         https://bugs.webkit.org/show_bug.cgi?id=192190
1958         <rdar://problem/46375715>
1959
1960         Reviewed by Keith Miller.
1961
1962         * stress/simple-module.mjs: Added.
1963         * stress/simple-script.js: Added.
1964
1965 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1966
1967         [BigInt] Implement ValueBitXor into DFG
1968         https://bugs.webkit.org/show_bug.cgi?id=190264
1969
1970         Reviewed by Yusuke Suzuki.
1971
1972         * stress/big-int-bitwise-xor-jit.js: Added.
1973         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1974         * stress/big-int-bitwise-xor-untyped.js: Added.
1975
1976 2018-11-27  Saam barati  <sbarati@apple.com>
1977
1978         r238510 broke scopes of size zero
1979         https://bugs.webkit.org/show_bug.cgi?id=192033
1980         <rdar://problem/46281734>
1981
1982         Reviewed by Keith Miller.
1983
1984         * stress/r238510-bad-loop.js: Added.
1985         (foo):
1986
1987 2018-11-27  Mark Lam  <mark.lam@apple.com>
1988
1989         [Re-landing] NaNs read from Wasm code needs to be be purified.
1990         https://bugs.webkit.org/show_bug.cgi?id=191056
1991         <rdar://problem/45660341>
1992
1993         Reviewed by Filip Pizlo.
1994
1995         * wasm/regress/regress-191056.js: Added.
1996
1997 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1998
1999         Unreviewed, rolling out r238509.
2000
2001         Causes JSC tests to fail on iOS.
2002
2003         Reverted changeset:
2004
2005         "NaNs read from Wasm code needs to be be purified."
2006         https://bugs.webkit.org/show_bug.cgi?id=191056
2007         https://trac.webkit.org/changeset/238509
2008
2009 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2010
2011         Re-introduce op_bitnot
2012         https://bugs.webkit.org/show_bug.cgi?id=190923
2013
2014         Reviewed by Yusuke Suzuki.
2015
2016         * stress/bit-not-must-generate.js: Added.
2017         * stress/bitwise-not-no-int32.js: Added.
2018
2019 2018-11-26  Saam barati  <sbarati@apple.com>
2020
2021         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2022         https://bugs.webkit.org/show_bug.cgi?id=191956
2023         <rdar://problem/45665806>
2024
2025         Reviewed by Yusuke Suzuki.
2026
2027         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2028         (bar):
2029         (foo):
2030
2031 2018-11-26  Saam barati  <sbarati@apple.com>
2032
2033         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2034         https://bugs.webkit.org/show_bug.cgi?id=191958
2035         <rdar://problem/46221877>
2036
2037         Reviewed by Yusuke Suzuki.
2038
2039         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2040         (x):
2041         (foo):
2042
2043 2018-11-26  Mark Lam  <mark.lam@apple.com>
2044
2045         NaNs read from Wasm code needs to be be purified.
2046         https://bugs.webkit.org/show_bug.cgi?id=191056
2047         <rdar://problem/45660341>
2048
2049         Reviewed by Filip Pizlo.
2050
2051         * wasm/regress/regress-191056.js: Added.
2052
2053 2018-11-26  Michael Saboff  <msaboff@apple.com>
2054
2055         32-bit JSC test failure: stress/regexp-compile-oom.js
2056         https://bugs.webkit.org/show_bug.cgi?id=191375
2057
2058         Reviewed by Mark Lam.
2059
2060         Disabled the test for 32 bit platforms.
2061
2062         * stress/regexp-compile-oom.js:
2063
2064 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2065
2066         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2067         https://bugs.webkit.org/show_bug.cgi?id=191716
2068         <rdar://problem/45723878>
2069
2070         Reviewed by Saam Barati.
2071
2072         * stress/regress-187373.js: Added.
2073         (async.fn):
2074
2075 2018-11-21  Saam barati  <sbarati@apple.com>
2076
2077         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2078         https://bugs.webkit.org/show_bug.cgi?id=191897
2079         <rdar://problem/45871998>
2080
2081         Reviewed by Mark Lam.
2082
2083         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2084         (bar):
2085         (foo):
2086
2087 2018-11-21  Saam barati  <sbarati@apple.com>
2088
2089         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2090         https://bugs.webkit.org/show_bug.cgi?id=191895
2091         <rdar://problem/46167406>
2092
2093         Reviewed by Mark Lam.
2094
2095         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2096         (foo):
2097         (bar):
2098
2099 2018-11-21  Mark Lam  <mark.lam@apple.com>
2100
2101         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2102         https://bugs.webkit.org/show_bug.cgi?id=191776
2103         <rdar://problem/46152851>
2104
2105         Reviewed by Saam Barati.
2106
2107         * stress/big-wasm-memory-grow-no-max.js:
2108         * stress/big-wasm-memory-grow.js:
2109         * stress/big-wasm-memory.js:
2110         - updated these to expect an OutOfMemoryError.
2111
2112         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2113         (Binary.prototype.emit_u8):
2114         (Binary.prototype.emit_u32v):
2115         (Binary.prototype.emit_header):
2116         (Binary.prototype.emit_section):
2117         (Binary):
2118         (WasmModuleBuilder):
2119         (WasmModuleBuilder.prototype.addMemory):
2120         (WasmModuleBuilder.prototype.toArray):
2121         (WasmModuleBuilder.prototype.toBuffer):
2122         (WasmModuleBuilder.prototype.instantiate):
2123         (catch):
2124         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2125         (catch):
2126
2127 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2128
2129         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2130         https://bugs.webkit.org/show_bug.cgi?id=190836
2131
2132         Reviewed by Saam Barati and Yusuke Suzuki.
2133
2134         * stress/big-int-out-of-memory-tests.js: Added.
2135
2136 2018-11-20  Mark Lam  <mark.lam@apple.com>
2137
2138         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2139         https://bugs.webkit.org/show_bug.cgi?id=191856
2140         <rdar://problem/46089992>
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         * stress/regress-191856.js: Added.
2145         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2146
2147 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2148
2149         Enable JIT on ARM/Linux
2150         https://bugs.webkit.org/show_bug.cgi?id=191548
2151
2152         Reviewed by Yusuke Suzuki.
2153
2154         Disable test on system with limited memory. Program was killed by
2155         the OS before the exception was thrown.
2156
2157         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2158
2159 2018-11-20  Saam barati  <sbarati@apple.com>
2160
2161         Merging an IC variant may lead to the IC status containing overlapping structure sets
2162         https://bugs.webkit.org/show_bug.cgi?id=191869
2163         <rdar://problem/45403453>
2164
2165         Reviewed by Mark Lam.
2166
2167         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2168
2169 2018-11-19  Mark Lam  <mark.lam@apple.com>
2170
2171         globalFuncImportModule() should return a promise when it clears exceptions.
2172         https://bugs.webkit.org/show_bug.cgi?id=191792
2173         <rdar://problem/46090763>
2174
2175         Reviewed by Michael Saboff.
2176
2177         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2178
2179 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2180
2181         Skip new memory-hungry tests on memory limited devices
2182
2183         Unreviewed gardening.
2184
2185         * stress/big-wasm-memory-grow-no-max.js:
2186         * stress/big-wasm-memory-grow.js:
2187         * stress/big-wasm-memory.js:
2188
2189 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2190
2191         Unreviewed, rolling in the rest of r237254
2192         https://bugs.webkit.org/show_bug.cgi?id=190340
2193
2194         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2195         * stress/function-cache-with-parameters-end-position.js: Added.
2196         (shouldBe):
2197         (shouldThrow):
2198         (i.anonymous):
2199         * stress/function-constructor-name.js: Added.
2200         (shouldBe):
2201         (GeneratorFunction):
2202         (AsyncFunction.async):
2203         (AsyncGeneratorFunction.async):
2204         (anonymous):
2205         (async.anonymous):
2206         * test262/expectations.yaml:
2207
2208 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2209
2210         All users of ArrayBuffer should agree on the same max size
2211         https://bugs.webkit.org/show_bug.cgi?id=191771
2212
2213         Reviewed by Mark Lam.
2214
2215         * stress/big-wasm-memory-grow-no-max.js: Added.
2216         (foo):
2217         (catch):
2218         * stress/big-wasm-memory-grow.js: Added.
2219         (foo):
2220         (catch):
2221         * stress/big-wasm-memory.js: Added.
2222         (foo):
2223         (catch):
2224
2225 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2226
2227         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2228         run for each JSC config since they're regression tests for runtime bugs.
2229
2230         * stress/json-stringified-overflow-2.js:
2231         * stress/json-stringified-overflow.js:
2232
2233 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2234
2235         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2236         config since they're regression tests for runtime bugs.
2237
2238         * stress/large-unshift-splice.js:
2239         * stress/regress-185888.js:
2240
2241 2018-11-16  Saam Barati  <sbarati@apple.com>
2242
2243         KnownCellUse should also have SpecCellCheck as its type filter
2244         https://bugs.webkit.org/show_bug.cgi?id=191729
2245         <rdar://problem/45872852>
2246
2247         Reviewed by Filip Pizlo.
2248
2249         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2250         (C):
2251
2252 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2253
2254         Fix assertion failure on BytecodeGenerator::recordOpcode
2255         https://bugs.webkit.org/show_bug.cgi?id=191724
2256         <rdar://problem/45724395>
2257
2258         Reviewed by Saam Barati.
2259
2260         * stress/regress-187373-2.js: Added.
2261         (foo):
2262
2263 2018-11-15  Mark Lam  <mark.lam@apple.com>
2264
2265         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2266         https://bugs.webkit.org/show_bug.cgi?id=191730
2267         <rdar://problem/46048517>
2268
2269         Reviewed by Saam Barati.
2270
2271         * stress/regress-187006.js: Removed.
2272           - this test is invalid because its sole purpose is to test for the non-spec
2273             compliant behavior that we just fixed.
2274
2275         * stress/regress-191730.js: Added.
2276
2277 2018-11-15  Mark Lam  <mark.lam@apple.com>
2278
2279         RegExp operations should not take fast patch if lastIndex is not numeric.
2280         https://bugs.webkit.org/show_bug.cgi?id=191731
2281         <rdar://problem/46017305>
2282
2283         Reviewed by Saam Barati.
2284
2285         * stress/regress-191731.js: Added.
2286
2287 2018-11-13  Saam Barati  <sbarati@apple.com>
2288
2289         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2290         https://bugs.webkit.org/show_bug.cgi?id=191600
2291
2292         Reviewed by Mark Lam.
2293
2294         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2295         (foo):
2296         (test):
2297         (bar):
2298
2299 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2300
2301         Unreviewed, rolling out r238132.
2302
2303         The test added with this change is timing out on Debug JSC
2304         bots.
2305
2306         Reverted changeset:
2307
2308         "[BigInt] JSBigInt::createWithLength should throw when length
2309         is greater than JSBigInt::maxLength"
2310         https://bugs.webkit.org/show_bug.cgi?id=190836
2311         https://trac.webkit.org/changeset/238132
2312
2313 2018-11-13  Mark Lam  <mark.lam@apple.com>
2314
2315         Add OOM detection to StringPrototype's substituteBackreferences().
2316         https://bugs.webkit.org/show_bug.cgi?id=191563
2317         <rdar://problem/45720428>
2318
2319         Reviewed by Saam Barati.
2320
2321         * stress/regress-191563.js: Added.
2322
2323 2018-11-13  Mark Lam  <mark.lam@apple.com>
2324
2325         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2326         https://bugs.webkit.org/show_bug.cgi?id=191579
2327         <rdar://problem/45942472>
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/regress-191579.js: Added.
2332
2333 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2334
2335         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2336         https://bugs.webkit.org/show_bug.cgi?id=190836
2337
2338         Reviewed by Saam Barati.
2339
2340         * stress/big-int-out-of-memory-tests.js: Added.
2341
2342 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2343
2344         U+180E is no longer a whitespace character
2345         https://bugs.webkit.org/show_bug.cgi?id=191415
2346
2347         Reviewed by Saam Barati.
2348
2349         * ChakraCore/test/es5/regexSpace.baseline:
2350         * ChakraCore/test/es6/unicode_whitespace.js:
2351         Update tests to latest version.
2352         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2353
2354         * test262.yaml:
2355         * test262/config.yaml:
2356         * test262/expectations.yaml:
2357         Update expectations.
2358
2359 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2360
2361         [BigInt] Add support to BigInt into ValueAdd
2362         https://bugs.webkit.org/show_bug.cgi?id=186177
2363
2364         Reviewed by Keith Miller.
2365
2366         * stress/big-int-negate-jit.js:
2367         * stress/value-add-big-int-and-string.js: Added.
2368         * stress/value-add-big-int-prediction-propagation.js: Added.
2369         * stress/value-add-big-int-untyped.js: Added.
2370
2371 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2372
2373         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2374         https://bugs.webkit.org/show_bug.cgi?id=191184
2375
2376         Reviewed by Saam Barati.
2377
2378         Most tests were failing due to timeouts, since they are too slow to
2379         run on CLoop. The exceptions are:
2380
2381         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2382         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2383         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2384         to change the stack size since CLoop requires it to be page aligned.
2385
2386         * microbenchmarks/array-push-1.js:
2387         * microbenchmarks/array-push-2.js:
2388         * microbenchmarks/elidable-new-object-dag.js:
2389         * microbenchmarks/elidable-new-object-roflcopter.js:
2390         * microbenchmarks/elidable-new-object-tree.js:
2391         * microbenchmarks/getter-richards.js:
2392         * microbenchmarks/sinkable-new-object-dag.js:
2393         * microbenchmarks/string-concat-long-convert.js:
2394         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2395         * slowMicrobenchmarks/array-push-3.js:
2396         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2397         * slowMicrobenchmarks/spread-small-array.js:
2398         * slowMicrobenchmarks/undefined-property-access.js:
2399         * stress/activation-sink-default-value-tdz-error.js:
2400         * stress/activation-sink-default-value.js:
2401         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2402         * stress/activation-sink-osrexit-default-value.js:
2403         * stress/activation-sink-osrexit.js:
2404         * stress/activation-sink.js:
2405         * stress/allow-math-ic-b3-code-duplication.js:
2406         * stress/array-push-multiple-int32.js:
2407         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2408         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2409         * stress/arrowfunction-lexical-this-activation-sink.js:
2410         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2411         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2412         * stress/elide-new-object-dag-then-exit.js:
2413         * stress/materialize-regexp-cyclic.js:
2414         * stress/new-regex-inline.js:
2415         * stress/op_add.js:
2416         * stress/op_bitand.js:
2417         * stress/op_bitor.js:
2418         * stress/op_bitxor.js:
2419         * stress/op_div-ConstVar.js:
2420         * stress/op_div-VarConst.js:
2421         * stress/op_div-VarVar.js:
2422         * stress/op_lshift-ConstVar.js:
2423         * stress/op_lshift-VarConst.js:
2424         * stress/op_lshift-VarVar.js:
2425         * stress/op_mod-ConstVar.js:
2426         * stress/op_mod-VarConst.js:
2427         * stress/op_mod-VarVar.js:
2428         * stress/op_mul-ConstVar.js:
2429         * stress/op_mul-VarConst.js:
2430         * stress/op_mul-VarVar.js:
2431         * stress/op_rshift-ConstVar.js:
2432         * stress/op_rshift-VarConst.js:
2433         * stress/op_rshift-VarVar.js:
2434         * stress/op_sub-ConstVar.js:
2435         * stress/op_sub-VarConst.js:
2436         * stress/op_sub-VarVar.js:
2437         * stress/op_urshift-ConstVar.js:
2438         * stress/op_urshift-VarConst.js:
2439         * stress/op_urshift-VarVar.js:
2440         * stress/proxy-get-set-correct-receiver.js:
2441         * stress/regress-179562.js:
2442         * stress/rest-parameter-many-arguments.js:
2443         * stress/sampling-profiler-richards.js:
2444         * stress/splay-flash-access-1ms.js:
2445         * stress/tailCallForwardArguments.js:
2446         * stress/typed-array-get-by-val-profiling.js:
2447         * typeProfiler/getter-richards.js:
2448
2449 2018-11-06  Michael Saboff  <msaboff@apple.com>
2450
2451         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2452         https://bugs.webkit.org/show_bug.cgi?id=191271
2453
2454         Reviewed by Saam Barati.
2455
2456         Added more test cases and made all test cases run with the same deeply recursive stack
2457         instead of finding that same point for each test case.
2458
2459         * stress/regexp-compile-oom.js:
2460         (prototype.runTest):
2461         (recurseAndTest):
2462         (testList.push.new.TestAndExpectedException):
2463
2464 2018-11-05  Michael Saboff  <msaboff@apple.com>
2465
2466         Unreviewed build fix for linux.
2467
2468         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2469
2470 2018-11-02  Michael Saboff  <msaboff@apple.com>
2471
2472         Rolling in r237753 with unreviewed build fix.
2473
2474         Fixed issues with DECLARE_THROW_SCOPE placement.
2475
2476 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2477
2478         Unreviewed, rolling out r237753.
2479
2480         Introduced JSC test failures
2481
2482         Reverted changeset:
2483
2484         "Running out of stack space not properly handled in
2485         RegExp::compile() and its callers"
2486         https://bugs.webkit.org/show_bug.cgi?id=191206
2487         https://trac.webkit.org/changeset/237753
2488
2489 2018-11-02  Michael Saboff  <msaboff@apple.com>
2490
2491         Running out of stack space not properly handled in RegExp::compile() and its callers
2492         https://bugs.webkit.org/show_bug.cgi?id=191206
2493
2494         Reviewed by Filip Pizlo.
2495
2496         New regression test.
2497
2498         * stress/regexp-compile-oom.js: Added.
2499         (recurseAndTest):
2500
2501 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2502
2503         Skip tests on arm/mips that time out now we're running on CLoop
2504
2505         Unreviewed gardening.
2506
2507         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2508         time out on the bots and need to be disabled. There's more tests
2509         disabled on arm because the timeout is longer on the mips bot (as the
2510         device is slower to start with), so many of the tests don't time out
2511         there.
2512
2513         * microbenchmarks/getter-richards.js: disable on arm and mips.
2514         * stress/op_add.js: disable on arm.
2515         * stress/op_bitand.js: disable on arm.
2516         * stress/op_bitor.js: disable on arm.
2517         * stress/op_bitxor.js: disable on arm.
2518         * stress/op_lshift-ConstVar.js: disable on arm.
2519         * stress/op_lshift-VarConst.js: disable on arm.
2520         * stress/op_lshift-VarVar.js: disable on arm.
2521         * stress/op_mod-ConstVar.js: disable on arm.
2522         * stress/op_mod-VarConst.js: disable on arm.
2523         * stress/op_mod-VarVar.js: disable on arm.
2524         * stress/op_mul-ConstVar.js: disable on arm.
2525         * stress/op_mul-VarConst.js: disable on arm.
2526         * stress/op_mul-VarVar.js: disable on arm.
2527         * stress/op_rshift-ConstVar.js: disable on arm.
2528         * stress/op_rshift-VarConst.js: disable on arm.
2529         * stress/op_rshift-VarVar.js: disable on arm.
2530         * stress/op_sub-ConstVar.js: disable on arm.
2531         * stress/op_sub-VarConst.js: disable on arm.
2532         * stress/op_sub-VarVar.js: disable on arm.
2533         * stress/op_urshift-ConstVar.js: disable on arm.
2534         * stress/op_urshift-VarConst.js: disable on arm.
2535         * stress/op_urshift-VarVar.js: disable on arm.
2536         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2537         * stress/value-to-boolean.js: disable on arm and mips.
2538
2539 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2540
2541         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2542         https://bugs.webkit.org/show_bug.cgi?id=191108
2543         <rdar://problem/45690700>
2544
2545         Reviewed by Saam Barati.
2546
2547         * stress/wide-op_catch.js: Added.
2548         (catch):
2549
2550 2018-10-29  Mark Lam  <mark.lam@apple.com>
2551
2552         Correctly detect string overflow when using the 'Function' constructor.
2553         https://bugs.webkit.org/show_bug.cgi?id=184883
2554         <rdar://problem/36320331>
2555
2556         Reviewed by Saam Barati.
2557
2558         I've verified that this passes on 32-bit as well.
2559
2560         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2561
2562 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2563
2564         Add support for GetStack FlushedDouble
2565         https://bugs.webkit.org/show_bug.cgi?id=191012
2566         <rdar://problem/45265141>
2567
2568         Reviewed by Saam Barati.
2569
2570         * stress/get-stack-double.js: Added.
2571         (bar):
2572         (noInline):
2573
2574 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2575
2576         New bytecode format for JSC
2577         https://bugs.webkit.org/show_bug.cgi?id=187373
2578         <rdar://problem/44186758>
2579
2580         Reviewed by Filip Pizlo.
2581
2582         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2583
2584         * stress/maximum-inline-capacity.js: Added.
2585         (test1):
2586         (test3.Foo):
2587         (test3):
2588
2589 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2590
2591         Unreviewed, rolling out r237479 and r237484.
2592         https://bugs.webkit.org/show_bug.cgi?id=190978
2593
2594         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2595
2596         Reverted changesets:
2597
2598         "New bytecode format for JSC"
2599         https://bugs.webkit.org/show_bug.cgi?id=187373
2600         https://trac.webkit.org/changeset/237479
2601
2602         "Gardening: Build fix after r237479."
2603         https://bugs.webkit.org/show_bug.cgi?id=187373
2604         https://trac.webkit.org/changeset/237484
2605
2606 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2607
2608         New bytecode format for JSC
2609         https://bugs.webkit.org/show_bug.cgi?id=187373
2610         <rdar://problem/44186758>
2611
2612         Reviewed by Filip Pizlo.
2613
2614         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2615
2616         * stress/maximum-inline-capacity.js: Added.
2617         (test1):
2618         (test3.Foo):
2619         (test3):
2620
2621 2018-10-26  Mark Lam  <mark.lam@apple.com>
2622
2623         Fix missing edge cases with JSGlobalObjects having a bad time.
2624         https://bugs.webkit.org/show_bug.cgi?id=189028
2625         <rdar://problem/45204939>
2626
2627         Reviewed by Saam Barati.
2628
2629         * stress/regress-189028.js: Added.
2630
2631 2018-10-22  Mark Lam  <mark.lam@apple.com>
2632
2633         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2634         https://bugs.webkit.org/show_bug.cgi?id=190515
2635         <rdar://problem/45222379>
2636
2637         Rubber-stamped by Saam Barati.
2638
2639         Adding another test.
2640
2641         * stress/regress-190515-2.js: Added.
2642
2643 2018-10-22  Mark Lam  <mark.lam@apple.com>
2644
2645         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2646         https://bugs.webkit.org/show_bug.cgi?id=190515
2647         <rdar://problem/45222379>
2648
2649         Reviewed by Saam Barati.
2650
2651         * stress/regress-190515.js: Added.
2652
2653 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2654
2655         Unreviewed, rolling out r237254.
2656         https://bugs.webkit.org/show_bug.cgi?id=190760
2657
2658         "It regresses JetStream 2 by 5% on some iOS devices"
2659         (Requested by saamyjoon on #webkit).
2660
2661         Reverted changeset:
2662
2663         "[JSC] JSC should have "parseFunction" to optimize Function
2664         constructor"
2665         https://bugs.webkit.org/show_bug.cgi?id=190340
2666         https://trac.webkit.org/changeset/237254
2667
2668 2018-10-19  Saam Barati  <sbarati@apple.com>
2669
2670         vmCall should check if we exit before emitting an OSR exit due to exceptions
2671         https://bugs.webkit.org/show_bug.cgi?id=190740
2672         <rdar://problem/45220139>
2673
2674         Reviewed by Mark Lam.
2675
2676         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2677         (foo):
2678
2679 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2680
2681         [ESNext][BigInt] Implement support for "^"
2682         https://bugs.webkit.org/show_bug.cgi?id=186235
2683
2684         Reviewed by Yusuke Suzuki.
2685
2686         * stress/big-int-bitwise-xor-general.js: Added.
2687         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2688         * stress/big-int-bitwise-xor-type-error.js: Added.
2689         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2690
2691 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2692
2693         [BigInt] Add ValueSub into DFG
2694         https://bugs.webkit.org/show_bug.cgi?id=186176
2695
2696         Reviewed by Yusuke Suzuki.
2697
2698         * stress/big-int-subtraction-jit.js:
2699         * stress/value-sub-big-int-prediction-propagation.js: Added.
2700         * stress/value-sub-big-int-untyped.js: Added.
2701         * stress/value-sub-spec-none-case.js: Added.
2702
2703 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2704
2705         [JSC] JSC should have "parseFunction" to optimize Function constructor
2706         https://bugs.webkit.org/show_bug.cgi?id=190340
2707
2708         Reviewed by Mark Lam.
2709
2710         This patch fixes the line number of syntax errors raised by the Function constructor,
2711         since we now parse the final code only once. And we no longer use block statement
2712         for Function constructor's parsing.
2713
2714         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2715         * stress/function-cache-with-parameters-end-position.js: Added.
2716         (shouldBe):
2717         (shouldThrow):
2718         (i.anonymous):
2719         * stress/function-constructor-name.js: Added.
2720         (shouldBe):
2721         (GeneratorFunction):
2722         (AsyncFunction.async):
2723         (AsyncGeneratorFunction.async):
2724         (anonymous):
2725         (async.anonymous):
2726         * test262/expectations.yaml:
2727
2728 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2729
2730         Unreviewed, rolling out r237242.
2731         https://bugs.webkit.org/show_bug.cgi?id=190701
2732
2733         it breaks "stress/sampling-profiler-basic.js" (Requested by
2734         caiolima on #webkit).
2735
2736         Reverted changeset:
2737
2738         "[BigInt] Add ValueSub into DFG"
2739         https://bugs.webkit.org/show_bug.cgi?id=186176
2740         https://trac.webkit.org/changeset/237242
2741
2742 2018-10-17  Keith Miller  <keith_miller@apple.com>
2743
2744         AI does not clear Phantom allocation nodes.
2745         https://bugs.webkit.org/show_bug.cgi?id=190694
2746
2747         Reviewed by Saam Barati.
2748
2749         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2750         (Day):
2751         (DaysInYear):
2752         (TimeInYear):
2753         (TimeFromYear):
2754         (DayFromYear):
2755         (InLeapYear):
2756         (YearFromTime):
2757         (WeekDay):
2758         (DaylightSavingTA):
2759         (GetSecondSundayInMarch):
2760         (TimeInMonth):
2761
2762 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2763
2764         [BigInt] Add ValueSub into DFG
2765         https://bugs.webkit.org/show_bug.cgi?id=186176
2766
2767         Reviewed by Yusuke Suzuki.
2768
2769         * stress/big-int-subtraction-jit.js:
2770         * stress/value-sub-big-int-prediction-propagation.js: Added.
2771         * stress/value-sub-big-int-untyped.js: Added.
2772
2773 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2774
2775         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2776         https://bugs.webkit.org/show_bug.cgi?id=190611
2777
2778         Reviewed by Saam Barati.
2779
2780         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2781         to improve test runtime. On ARM/MIPS this test even timed out when running all
2782         tests.
2783
2784         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2785         (test):
2786
2787 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2788
2789         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2790
2791         Unreviewed gardening.
2792
2793         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2794
2795 2018-10-15  Saam barati  <sbarati@apple.com>
2796
2797         Emit fjcvtzs on ARM64E on Darwin
2798         https://bugs.webkit.org/show_bug.cgi?id=184023
2799
2800         Reviewed by Yusuke Suzuki and Filip Pizlo.
2801
2802         * stress/double-to-int32-NaN.js: Added.
2803         (assert):
2804         (foo):
2805
2806 2018-10-15  Saam Barati  <sbarati@apple.com>
2807
2808         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2809         https://bugs.webkit.org/show_bug.cgi?id=190262
2810         <rdar://problem/44986241>
2811
2812         Reviewed by Mark Lam.
2813
2814         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2815         (test):
2816         * stress/slice-array-storage-with-holes.js: Added.
2817         (main):
2818
2819 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2820
2821         Unreviewed, rolling out r237054.
2822         https://bugs.webkit.org/show_bug.cgi?id=190593
2823
2824         "this regressed JetStream 2 by 6% on iOS" (Requested by
2825         saamyjoon on #webkit).
2826
2827         Reverted changeset:
2828
2829         "[JSC] JSC should have "parseFunction" to optimize Function
2830         constructor"
2831         https://bugs.webkit.org/show_bug.cgi?id=190340
2832         https://trac.webkit.org/changeset/237054
2833
2834 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2835
2836         [JSC] JSON.stringify can accept call-with-no-arguments
2837         https://bugs.webkit.org/show_bug.cgi?id=190343
2838
2839         Reviewed by Mark Lam.
2840
2841         * stress/json-stringify-no-arguments.js: Added.
2842         (shouldBe):
2843
2844 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2845
2846         [JSC] JSC should have "parseFunction" to optimize Function constructor
2847         https://bugs.webkit.org/show_bug.cgi?id=190340
2848
2849         Reviewed by Mark Lam.
2850
2851         This patch fixes the line number of syntax errors raised by the Function constructor,
2852         since we now parse the final code only once. And we no longer use block statement
2853         for Function constructor's parsing.
2854
2855         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2856         * stress/function-cache-with-parameters-end-position.js: Added.
2857         (shouldBe):
2858         (shouldThrow):
2859         (i.anonymous):
2860         * stress/function-constructor-name.js: Added.
2861         (shouldBe):
2862         (GeneratorFunction):
2863         (AsyncFunction.async):
2864         (AsyncGeneratorFunction.async):
2865         (anonymous):
2866         (async.anonymous):
2867         * test262/expectations.yaml:
2868
2869 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2870
2871         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2872         https://bugs.webkit.org/show_bug.cgi?id=190426
2873
2874         Unreviewed gardening.
2875
2876         * stress/sampling-profiler-richards.js:
2877
2878 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2879
2880         [ESNext][BigInt] Implement support for "|"
2881         https://bugs.webkit.org/show_bug.cgi?id=186229
2882
2883         Reviewed by Yusuke Suzuki.
2884
2885         * stress/big-int-bitwise-and-jit.js:
2886         * stress/big-int-bitwise-or-general.js: Added.
2887         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2888         * stress/big-int-bitwise-or-jit.js: Added.
2889         * stress/big-int-bitwise-or-memory-stress.js: Added.
2890         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2891         * stress/big-int-bitwise-or-type-error.js: Added.
2892         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2893
2894 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2895
2896         Skip test on systems with limited memory
2897         https://bugs.webkit.org/show_bug.cgi?id=190310
2898
2899         Invoking runDefault adds test to runlist, skipping the test in the next
2900         line does not prevent the test from executing. Change order of lines such
2901         that runDefault is only executed if test is not executed.
2902
2903         Reviewed by Mark Lam.
2904
2905         * stress/regress-190187.js:
2906
2907 2018-10-03  Saam barati  <sbarati@apple.com>
2908
2909         lowXYZ in FTLLower should always filter the type of the incoming edge
2910         https://bugs.webkit.org/show_bug.cgi?id=189939
2911         <rdar://problem/44407030>
2912
2913         Reviewed by Michael Saboff.
2914
2915         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2916         (foo):
2917         (test):
2918
2919 2018-10-03  Mark Lam  <mark.lam@apple.com>
2920
2921         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2922         https://bugs.webkit.org/show_bug.cgi?id=190187
2923         <rdar://problem/42512909>
2924
2925         Reviewed by Michael Saboff.
2926
2927         * stress/regress-190187.js: Added.
2928
2929 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2930
2931         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2932         https://bugs.webkit.org/show_bug.cgi?id=190033
2933
2934         Reviewed by Yusuke Suzuki.
2935
2936         * stress/big-int-to-string.js:
2937
2938 2018-10-01  Mark Lam  <mark.lam@apple.com>
2939
2940         Function.toString() should also copy the source code Functions that are class definitions.
2941         https://bugs.webkit.org/show_bug.cgi?id=190186
2942         <rdar://problem/44733360>
2943
2944         Reviewed by Saam Barati.
2945
2946         * stress/regress-190186.js: Added.
2947
2948 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2949
2950         Split NaN-check into separate test
2951         https://bugs.webkit.org/show_bug.cgi?id=190010
2952
2953         Reviewed by Saam Barati.
2954
2955         DataView exposes NaN-representation, which is not necessarily the same on each
2956         architecture. Therefore move the check of the NaN-representation into its own
2957         file such that we can disable this test on MIPS where NaN-representation can be
2958         different on older CPUs.
2959
2960         * stress/dataview-jit-set-nan.js: Added.
2961         (assert):
2962         (test.storeLittleEndian):
2963         (test.storeBigEndian):
2964         (test.store):
2965         (test):
2966         * stress/dataview-jit-set.js:
2967         (test5):
2968
2969 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2970
2971         Unreviewed, rolling out r236647.
2972         https://bugs.webkit.org/show_bug.cgi?id=190124
2973
2974         Breaking test stress/big-int-to-string.js (Requested by
2975         caiolima_ on #webkit).
2976
2977         Reverted changeset:
2978
2979         "[BigInt] BigInt.proptotype.toString is broken when radix is
2980         power of 2"
2981         https://bugs.webkit.org/show_bug.cgi?id=190033
2982         https://trac.webkit.org/changeset/236647
2983
2984 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2985
2986         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2987         https://bugs.webkit.org/show_bug.cgi?id=190033
2988
2989         Reviewed by Yusuke Suzuki.
2990
2991         * stress/big-int-to-string.js:
2992
2993 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2994
2995         [ESNext][BigInt] Implement support for "&"
2996         https://bugs.webkit.org/show_bug.cgi?id=186228
2997
2998         Reviewed by Yusuke Suzuki.
2999
3000         * stress/big-int-bitwise-and-general.js: Added.
3001         (assert):
3002         (assert.sameValue):
3003         * stress/big-int-bitwise-and-jit.js: Added.
3004         (let.assert.sameValue):
3005         (bigIntBitAnd):
3006         * stress/big-int-bitwise-and-memory-stress.js: Added.
3007         (assert):
3008         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3009         (assert.sameValue):
3010         (let.o.Symbol.toPrimitive):
3011         (catch):
3012         * stress/big-int-bitwise-and-type-error.js: Added.
3013         (assert):
3014         (assertThrowTypeError):
3015         (let.o.valueOf):
3016         (o.valueOf):
3017         (o.toString):
3018         (o.Symbol.toPrimitive):
3019         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3020         (assert.sameValue):
3021         (testBitAnd):
3022         (let.o.Symbol.toPrimitive):
3023         (o.valueOf):
3024         (o.toString):
3025
3026 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3027
3028         JSC test stress/jsc-read.js doesn't support CRLF
3029         https://bugs.webkit.org/show_bug.cgi?id=190063
3030
3031         Reviewed by Yusuke Suzuki.
3032
3033         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3034
3035         * stress/jsc-read.js:
3036         (test):
3037
3038 2018-09-27  Saam barati  <sbarati@apple.com>
3039
3040         Verify the contents of AssemblerBuffer on arm64e
3041         https://bugs.webkit.org/show_bug.cgi?id=190057
3042         <rdar://problem/38916630>
3043
3044         Reviewed by Mark Lam.
3045
3046         * stress/regress-189132.js:
3047
3048 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3049
3050         Disable test without LLInt on ARMv7
3051         https://bugs.webkit.org/show_bug.cgi?id=190037
3052
3053         Reviewed by Mark Lam.
3054
3055         Test runs out of executable memory on ARMv7, do not run
3056         this test without LLInt enabled.
3057
3058         * stress/regress-169445.js:
3059
3060 2018-09-26  Keith Miller  <keith_miller@apple.com>
3061
3062         We should zero unused property storage when rebalancing array storage.
3063         https://bugs.webkit.org/show_bug.cgi?id=188151
3064
3065         Reviewed by Michael Saboff.
3066
3067         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3068
3069 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3070
3071         [JSC] Optimize Array#lastIndexOf
3072         https://bugs.webkit.org/show_bug.cgi?id=189780
3073
3074         Reviewed by Saam Barati.
3075
3076         * stress/array-lastindexof-array-prototype-trap.js: Added.
3077         (shouldBe):
3078         (AncestorArray.prototype.get 2):
3079         (AncestorArray):
3080         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3081         (shouldBe):
3082         * stress/array-lastindexof-hole-nan.js: Added.
3083         (shouldBe):
3084         (throw.new.Error):
3085         * stress/array-lastindexof-infinity.js: Added.
3086         (shouldBe):
3087         (throw.new.Error):
3088         * stress/array-lastindexof-negative-zero.js: Added.
3089         (shouldBe):
3090         (throw.new.Error):
3091         * stress/array-lastindexof-own-getter.js: Added.
3092         (shouldBe):
3093         (throw.new.Error.get array):
3094         (get array):
3095         * stress/array-lastindexof-prototype-trap.js: Added.
3096         (shouldBe):
3097         (DerivedArray.prototype.get 2):
3098         (DerivedArray):
3099
3100 2018-09-25  Saam Barati  <sbarati@apple.com>
3101
3102         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3103         https://bugs.webkit.org/show_bug.cgi?id=189940
3104         <rdar://problem/43640987>
3105
3106         Reviewed by Mark Lam.
3107
3108         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3109
3110 2018-09-24  Saam Barati  <sbarati@apple.com>
3111
3112         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3113         https://bugs.webkit.org/show_bug.cgi?id=189922
3114         <rdar://problem/44651275>
3115
3116         Reviewed by Mark Lam.
3117
3118         * stress/array-indexof-fast-path-effects.js: Added.
3119         * stress/array-indexof-cached-length.js: Added.
3120
3121 2018-09-24  Saam barati  <sbarati@apple.com>
3122
3123         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3124         https://bugs.webkit.org/show_bug.cgi?id=189682
3125         <rdar://problem/43557315>
3126
3127         Reviewed by Mark Lam.
3128
3129         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3130         (foo):
3131
3132 2018-09-22  Saam barati  <sbarati@apple.com>
3133
3134         The sampling should not use Strong<CodeBlock> in its machineLocation field
3135         https://bugs.webkit.org/show_bug.cgi?id=189319
3136
3137         Reviewed by Filip Pizlo.
3138
3139         * stress/sampling-profiler-richards.js: Added.
3140
3141 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3142
3143         [JSC] Optimize Array#indexOf in C++ runtime
3144         https://bugs.webkit.org/show_bug.cgi?id=189507
3145
3146         Reviewed by Saam Barati.
3147
3148         * stress/array-indexof-array-prototype-trap.js: Added.
3149         (shouldBe):
3150         (AncestorArray.prototype.get 2):
3151         (AncestorArray):
3152         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3153         (shouldBe):
3154         * stress/array-indexof-hole-nan.js: Added.
3155         (shouldBe):
3156         (throw.new.Error):
3157         * stress/array-indexof-infinity.js: Added.
3158         (shouldBe):
3159         (throw.new.Error):
3160         * stress/array-indexof-negative-zero.js: Added.
3161         (shouldBe):
3162         (throw.new.Error):
3163         * stress/array-indexof-own-getter.js: Added.
3164         (shouldBe):
3165         (throw.new.Error.get array):
3166         (get array):
3167         * stress/array-indexof-prototype-trap.js: Added.
3168         (shouldBe):
3169         (DerivedArray.prototype.get 2):
3170         (DerivedArray):
3171
3172 2018-09-19  Saam barati  <sbarati@apple.com>
3173
3174         AI rule for MultiPutByOffset executes its effects in the wrong order
3175         https://bugs.webkit.org/show_bug.cgi?id=189757
3176         <rdar://problem/43535257>
3177
3178         Reviewed by Michael Saboff.
3179
3180         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3181         (foo):
3182         (Foo):
3183         (g):
3184
3185 2018-09-17  Mark Lam  <mark.lam@apple.com>
3186
3187         Ensure that ForInContexts are invalidated if their loop local is over-written.
3188         https://bugs.webkit.org/show_bug.cgi?id=189571
3189         <rdar://problem/44402277>
3190
3191         Reviewed by Saam Barati.
3192
3193         * stress/regress-189571.js: Added.
3194
3195 2018-09-17  Saam barati  <sbarati@apple.com>
3196
3197         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3198         https://bugs.webkit.org/show_bug.cgi?id=189676
3199         <rdar://problem/39682897>
3200
3201         Reviewed by Michael Saboff.
3202
3203         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3204         (A):
3205         (K):
3206         (i.catch):
3207
3208 2018-09-14  Saam barati  <sbarati@apple.com>
3209
3210         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3211         https://bugs.webkit.org/show_bug.cgi?id=189628
3212         <rdar://problem/39481690>
3213
3214         Reviewed by Mark Lam.
3215
3216         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3217         (foo):
3218
3219 2018-09-11  Mark Lam  <mark.lam@apple.com>
3220
3221         Test for array initialization in arrayProtoFuncSplice.
3222         https://bugs.webkit.org/show_bug.cgi?id=170253
3223         <rdar://problem/31328773>
3224
3225         Rubber-stamped by Saam Barati.
3226
3227         * stress/regress-170253.js: Added.
3228
3229 2018-09-11  Mark Lam  <mark.lam@apple.com>
3230
3231         Test for IntlObject initialization.
3232         https://bugs.webkit.org/show_bug.cgi?id=170251
3233         <rdar://problem/31328419>
3234
3235         Rubber-stamped by Saam Barati.
3236
3237         * stress/regress-170251.js: Added.
3238
3239 2018-09-11  Mark Lam  <mark.lam@apple.com>
3240
3241         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3242         https://bugs.webkit.org/show_bug.cgi?id=169889
3243         <rdar://problem/31155607>
3244
3245         Reviewed by Saam Barati.
3246
3247         * stress/regress-169889-array-concat.js: Added.
3248         * stress/regress-169889-array-concat1.js: Added.
3249         * stress/regress-169889-array-slice.js: Added.
3250
3251 2018-09-11  Mark Lam  <mark.lam@apple.com>
3252
3253         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3254         https://bugs.webkit.org/show_bug.cgi?id=169445
3255         <rdar://problem/30957435>
3256
3257         Reviewed by Saam Barati.
3258
3259         * stress/regress-169445.js: Added.
3260         (let.gun.eval.A):
3261         (let.gun.eval.B.C):
3262         (let.gun.eval.B.C.prototype.trigger):
3263         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3264         (let.gun.eval.B):
3265         (let.gun.eval):
3266
3267 == Rolled over to ChangeLog-2018-09-11 ==