[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
4         https://bugs.webkit.org/show_bug.cgi?id=195429
5
6         Reviewed by Saam Barati.
7
8         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
9         (foo):
10         * stress/string-from-char-code-255.js: Added.
11
12 2019-03-06  Mark Lam  <mark.lam@apple.com>
13
14         Fix incorrect handling of try-finally completion values.
15         https://bugs.webkit.org/show_bug.cgi?id=195131
16         <rdar://problem/46222079>
17
18         Reviewed by Saam Barati and Yusuke Suzuki.
19
20         Added many permutations of new test case to test-finally.js.  test-finally.js has
21         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
22         tests passes there as well.
23
24         * stress/test-finally.js:
25
26 2019-03-06  Saam Barati  <sbarati@apple.com>
27
28         Air::reportUsedRegisters must padInterference
29         https://bugs.webkit.org/show_bug.cgi?id=195303
30         <rdar://problem/48270343>
31
32         Reviewed by Keith Miller.
33
34         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
35
36 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
37
38         [JSC] AI should not propagate AbstractValue relying on constant folding phase
39         https://bugs.webkit.org/show_bug.cgi?id=195375
40
41         Reviewed by Saam Barati.
42
43         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
44         (let.array):
45
46 2019-03-05  Saam barati  <sbarati@apple.com>
47
48         op_switch_char broken for rope strings after JSRopeString layout rewrite
49         https://bugs.webkit.org/show_bug.cgi?id=195339
50         <rdar://problem/48592545>
51
52         Reviewed by Yusuke Suzuki.
53
54         * stress/switch-on-char-llint-rope.js: Added.
55
56 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
57
58         [JSC] Store bits for JSRopeString in 3 stores
59         https://bugs.webkit.org/show_bug.cgi?id=195234
60
61         Reviewed by Saam Barati.
62
63         * stress/null-rope-and-collectors.js: Added.
64
65 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
66
67         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
68         https://bugs.webkit.org/show_bug.cgi?id=195207
69
70         Unreviewed. After test runtime was reduced in r242213, test can be
71         run again on ARM/MIPS.
72
73         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
74
75 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
76
77         [JSC] sizeof(JSString) should be 16
78         https://bugs.webkit.org/show_bug.cgi?id=194375
79
80         Reviewed by Saam Barati.
81
82         * microbenchmarks/make-rope.js: Added.
83         (makeRope):
84         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
85         (returnRope.helper): Deleted.
86         (returnRope): Deleted.
87
88 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
89
90         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
91         https://bugs.webkit.org/show_bug.cgi?id=195144
92
93         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
94         Change the number from 1e8 to 1e5.
95
96         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
97         (foo):
98
99 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
100
101         Test times out on ARM/MIPS
102         https://bugs.webkit.org/show_bug.cgi?id=195168
103
104         Unreviewed. Skip test on ARM/MIPS.
105
106         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
107
108 2019-02-27  Mark Lam  <mark.lam@apple.com>
109
110         The parser is failing to record the token location of new in new.target.
111         https://bugs.webkit.org/show_bug.cgi?id=195127
112         <rdar://problem/39645578>
113
114         Reviewed by Yusuke Suzuki.
115
116         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
117
118 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
119
120         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
121         https://bugs.webkit.org/show_bug.cgi?id=195144
122         <rdar://problem/47595961>
123
124         Reviewed by Mark Lam.
125
126         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
127         (bar):
128         (foo):
129         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
130         (bar):
131         (foo):
132
133 2019-02-27  Robin Morisset  <rmorisset@apple.com>
134
135         DFG: Loop-invariant code motion (LICM) should not hoist dead code
136         https://bugs.webkit.org/show_bug.cgi?id=194945
137         <rdar://problem/48311657>
138
139         Reviewed by Mark Lam.
140
141         * stress/licm-dead-code.js: Added.
142
143 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
144
145         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
146         https://bugs.webkit.org/show_bug.cgi?id=194677
147         <rdar://problem/48112492>
148
149         Reviewed by Mark Lam.
150
151         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
152         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
153         it immediately fails due the large size.
154
155         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
156         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
157         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
158         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
159
160         This patch changes the test to produce 16bit string from String.fromCharCode.
161
162         * stress/regress-178386.js:
163
164 2019-02-26  Mark Lam  <mark.lam@apple.com>
165
166         wasmToJS() should purify incoming NaNs.
167         https://bugs.webkit.org/show_bug.cgi?id=194807
168         <rdar://problem/48189132>
169
170         Reviewed by Saam Barati.
171
172         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
173
174 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
175
176         [JSC] Repeat string created from Array.prototype.join() take too much memory
177         https://bugs.webkit.org/show_bug.cgi?id=193912
178
179         Reviewed by Saam Barati.
180
181         Added a test and a microbenchmark for corner cases of
182         Array.prototype.join() with an uninitialized array.
183
184         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
185         * stress/array-prototype-join-uninitialized.js: Added.
186         (testArray):
187         (testABC):
188         (B):
189         (C):
190
191 2019-02-22  Robin Morisset  <rmorisset@apple.com>
192
193         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
194         https://bugs.webkit.org/show_bug.cgi?id=194953
195         <rdar://problem/47595253>
196
197         Reviewed by Saam Barati.
198
199         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
200
201         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
202
203 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
204
205         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
206         https://bugs.webkit.org/show_bug.cgi?id=172848
207         <rdar://problem/25709212>
208
209         Reviewed by Mark Lam.
210
211         * typeProfiler/inheritance.js:
212         Rewrite the test slightly for clarity. The hoisting was confusing.
213
214         * heapProfiler/class-names.js: Added.
215         (MyES5Class):
216         (MyES6Class):
217         (MyES6Subclass):
218         Test object types and improved class names.
219
220         * heapProfiler/driver/driver.js:
221         (CheapHeapSnapshotNode):
222         (CheapHeapSnapshot):
223         (createCheapHeapSnapshot):
224         (HeapSnapshot):
225         (createHeapSnapshot):
226         Update snapshot parsing from version 1 to version 2.
227
228 2019-02-19  Truitt Savell  <tsavell@apple.com>
229
230         Unreviewed, rolling out r241784.
231
232         Broke all OpenSource builds.
233
234         Reverted changeset:
235
236         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
237         instances view"
238         https://bugs.webkit.org/show_bug.cgi?id=172848
239         https://trac.webkit.org/changeset/241784
240
241 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
242
243         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
244         https://bugs.webkit.org/show_bug.cgi?id=172848
245         <rdar://problem/25709212>
246
247         Reviewed by Mark Lam.
248
249         * typeProfiler/inheritance.js:
250         Rewrite the test slightly for clarity. The hoisting was confusing.
251
252         * heapProfiler/class-names.js: Added.
253         (MyES5Class):
254         (MyES6Class):
255         (MyES6Subclass):
256         Test object types and improved class names.
257
258         * heapProfiler/driver/driver.js:
259         (CheapHeapSnapshotNode):
260         (CheapHeapSnapshot):
261         (createCheapHeapSnapshot):
262         (HeapSnapshot):
263         (createHeapSnapshot):
264         Update snapshot parsing from version 1 to version 2.
265
266 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
267
268         [ARM] Fix crash with sampling profiler
269         https://bugs.webkit.org/show_bug.cgi?id=194772
270
271         Reviewed by Mark Lam.
272
273         Do not skip test since crash with sampling profiler is now fixed.
274
275         * stress/sampling-profiler-richards.js:
276
277 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
278
279         [JSC] Add LazyClassStructure::getInitializedOnMainThread
280         https://bugs.webkit.org/show_bug.cgi?id=194784
281         <rdar://problem/48154820>
282
283         Reviewed by Mark Lam.
284
285         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
286         (getProperties):
287         (getRandomProperty):
288         (i.catch):
289
290 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
291
292         [ARM] Test gardening: Test running out of executable memory
293         https://bugs.webkit.org/show_bug.cgi?id=194771
294
295         Unreviewed. Do not run test without LLInt, test is running out of executable
296         memory on ARM otherwise.
297
298         * stress/tagged-template-object-collect.js:
299
300 2019-02-18  Tomas Popela  <tpopela@redhat.com>
301
302         Unreviewed, skip the test on platforms without sampling profiler
303
304         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
305         (platformSupportsSamplingProfiler.foo):
306         (platformSupportsSamplingProfiler.test):
307         (platformSupportsSamplingProfiler):
308         (foo): Deleted.
309         (test): Deleted.
310
311 2019-02-17  Saam Barati  <sbarati@apple.com>
312
313         Deadlock when adding a Structure property transition and then doing incremental marking
314         https://bugs.webkit.org/show_bug.cgi?id=194767
315
316         Reviewed by Mark Lam.
317
318         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
319
320 2019-02-15  Michael Saboff  <msaboff@apple.com>
321
322         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
323         https://bugs.webkit.org/show_bug.cgi?id=194558
324
325         Reviewed by Saam Barati.
326
327         New regression test.
328
329         * stress/regexp-unicode-within-string.js: Added.
330
331 2019-02-15  Mark Lam  <mark.lam@apple.com>
332
333         SamplingProfiler::stackTracesAsJSON() should escape strings.
334         https://bugs.webkit.org/show_bug.cgi?id=194649
335         <rdar://problem/48072386>
336
337         Reviewed by Saam Barati.
338
339         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
340         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
341         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
342         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
343
344 2019-02-15  Robin Morisset  <rmorisset@apple.com>
345         CodeBlock::jettison should clear related watchpoints
346         https://bugs.webkit.org/show_bug.cgi?id=194544
347
348         Reviewed by Mark Lam.
349
350         * stress/regexp-replace-double-watchpoint.js: Added.
351         (foo):
352
353 2019-02-15  Saam barati  <sbarati@apple.com>
354
355         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
356         https://bugs.webkit.org/show_bug.cgi?id=194036
357
358         Reviewed by Yusuke Suzuki.
359
360         * stress/tail-call-many-arguments.js: Added.
361         (foo):
362         (bar):
363
364 2019-02-14  Saam Barati  <sbarati@apple.com>
365
366         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
367         https://bugs.webkit.org/show_bug.cgi?id=194583
368         <rdar://problem/48028140>
369
370         Reviewed by Yusuke Suzuki.
371
372         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
373
374 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
375
376         [JSC] String.fromCharCode's slow path always generates 16bit string
377         https://bugs.webkit.org/show_bug.cgi?id=194466
378
379         Reviewed by Keith Miller.
380
381         * stress/string-from-char-code-slow-path.js: Added.
382         (shouldBe):
383         (testWithLength):
384
385 2019-02-08  Saam barati  <sbarati@apple.com>
386
387         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
388         https://bugs.webkit.org/show_bug.cgi?id=194334
389         <rdar://problem/47844327>
390
391         Reviewed by Mark Lam.
392
393         * stress/check-in-bounds-should-be-a-child-use.js: Added.
394         (func):
395
396 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
397
398         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
399         https://bugs.webkit.org/show_bug.cgi?id=194369
400         <rdar://problem/47813087>
401
402         Reviewed by Saam Barati.
403
404         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
405         (A):
406
407 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
408
409         [JSC] PrivateName to PublicName hash table is wasteful
410         https://bugs.webkit.org/show_bug.cgi?id=194277
411
412         Reviewed by Michael Saboff.
413
414         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
415
416         * ChakraCore.yaml:
417
418 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
419
420         [ARM] Test running out of executable memory
421         https://bugs.webkit.org/show_bug.cgi?id=194285
422
423         Unreviewed. Do no execute test with LLInt disabled, test runs out of
424         executable memory otherwise.
425
426         * stress/class-subclassing-function.js:
427
428 2019-02-04  Robin Morisset  <rmorisset@apple.com>
429
430         when lowering AssertNotEmpty, create the value before creating the patchpoint
431         https://bugs.webkit.org/show_bug.cgi?id=194231
432
433         Reviewed by Saam Barati.
434
435         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
436         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
437         So even tiny changes to this test can change the path code taken.
438
439         * stress/assert-not-empty.js: Added.
440         (foo):
441
442 2019-02-01  Mark Lam  <mark.lam@apple.com>
443
444         Remove invalid assertion in DFG's compileDoubleRep().
445         https://bugs.webkit.org/show_bug.cgi?id=194130
446         <rdar://problem/47699474>
447
448         Reviewed by Saam Barati.
449
450         * stress/constant-fold-double-rep-into-double-constant.js: Added.
451
452 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
453
454         Import latest Test262 updates.
455
456         Rubber-stamped by Keith Miller.
457
458         * test262.yaml: Deleted.
459         * test262/config.yaml:
460         * test262/expectations.yaml:
461         * test262/latest-changes-summary.txt:
462         * test262/test/:
463         * test262/test262-Revision.txt:
464
465 2019-01-30  Robin Morisset  <rmorisset@apple.com>
466
467         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
468         https://bugs.webkit.org/show_bug.cgi?id=194050
469         <rdar://problem/47595592>
470
471         Reviewed by Yusuke Suzuki.
472
473         * stress/object-keys-osr-exit.js: Added.
474         (foo):
475         (catch):
476
477 2019-01-29  Mark Lam  <mark.lam@apple.com>
478
479         ValueRecovery::recover() should purify NaN values it recovers.
480         https://bugs.webkit.org/show_bug.cgi?id=193978
481         <rdar://problem/47625488>
482
483         Reviewed by Saam Barati.
484
485         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
486
487 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
488
489         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
490         https://bugs.webkit.org/show_bug.cgi?id=193713
491
492         * stress/try-get-by-id-should-spill-registers-dfg.js:
493         (let.f.createBuiltin):
494
495 2019-01-28  Mark Lam  <mark.lam@apple.com>
496
497         ToString node actually does GC.
498         https://bugs.webkit.org/show_bug.cgi?id=193920
499         <rdar://problem/46695900>
500
501         Reviewed by Yusuke Suzuki.
502
503         * stress/dfg-to-string-on-int-does-gc.js: Added.
504         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
505         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
506
507 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
508
509         [JSC] NativeErrorConstructor should not have own IsoSubspace
510         https://bugs.webkit.org/show_bug.cgi?id=193713
511
512         Reviewed by Saam Barati.
513
514         Remove @Error use.
515
516         * stress/try-get-by-id-should-spill-registers-dfg.js:
517         (let.f.createBuiltin):
518
519 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
520
521         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
522         https://bugs.webkit.org/show_bug.cgi?id=190693
523
524         Reviewed by Michael Saboff.
525
526         * stress/regress-190693.js: Added.
527         (truth):
528         (assert):
529         (shouldThrowInvalidConstAssignment):
530         (taz):
531
532 2019-01-24  Saam Barati  <sbarati@apple.com>
533
534         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
535         https://bugs.webkit.org/show_bug.cgi?id=193751
536         <rdar://problem/47280215>
537
538         Reviewed by Michael Saboff.
539
540         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
541         (let.thing):
542         (foo.let.hello):
543         (foo):
544
545 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
546
547         [JSC] Reenable baseline JIT on mips
548         https://bugs.webkit.org/show_bug.cgi?id=192983
549
550         Reviewed by Mark Lam.
551
552         Added a new test for a case that was triggering a RELEASE_ASSERT when
553         testing.
554         Disable some slow tests that were already disabled for arm and x86.
555
556         * stress/json-parse-big-object.js: Added.
557         * stress/new-largeish-contiguous-array-with-size.js:
558         * stress/op_add.js:
559         * stress/op_bitand.js:
560         * stress/op_bitor.js:
561         * stress/op_bitxor.js:
562         * stress/op_lshift-ConstVar.js:
563         * stress/op_lshift-VarConst.js:
564         * stress/op_lshift-VarVar.js:
565         * stress/op_mod-ConstVar.js:
566         * stress/op_mod-VarConst.js:
567         * stress/op_mod-VarVar.js:
568         * stress/op_mul-ConstVar.js:
569         * stress/op_mul-VarConst.js:
570         * stress/op_mul-VarVar.js:
571         * stress/op_rshift-ConstVar.js:
572         * stress/op_rshift-VarConst.js:
573         * stress/op_rshift-VarVar.js:
574         * stress/op_sub-ConstVar.js:
575         * stress/op_sub-VarConst.js:
576         * stress/op_sub-VarVar.js:
577         * stress/op_urshift-ConstVar.js:
578         * stress/op_urshift-VarConst.js:
579         * stress/op_urshift-VarVar.js:
580         * stress/sampling-profiler-richards.js:
581         * stress/spread-forward-call-varargs-stack-overflow.js:
582
583 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
584
585         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
586         https://bugs.webkit.org/show_bug.cgi?id=193711
587         <rdar://problem/47250262>
588
589         Reviewed by Saam Barati.
590
591         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
592         (shouldBe):
593         (foo):
594         (bar):
595         (baz):
596
597 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
598
599         Unreviewed, fix initial global lexical binding epoch
600         https://bugs.webkit.org/show_bug.cgi?id=193603
601         <rdar://problem/47380869>
602
603         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
604         (f1.f2.f3.f4):
605         (f1.f2.f3):
606         (f1.f2):
607         (f1):
608
609 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
610
611         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
612         https://bugs.webkit.org/show_bug.cgi?id=193709
613         <rdar://problem/47363838>
614
615         Unreviewed, rollout to watch the tests.
616
617         * stress/object-tostring-changed-proto.js: Removed.
618         * stress/object-tostring-changed.js: Removed.
619         * stress/object-tostring-misc.js: Removed.
620         * stress/object-tostring-other.js: Removed.
621         * stress/object-tostring-untyped.js: Removed.
622
623 2019-01-22  Saam Barati  <sbarati@apple.com>
624
625         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
626
627         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
628         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
629         (testUncheckedLessThanZero):
630         (testUncheckedLessThanOrEqualZero):
631         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
632         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
633
634 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
635
636         [JSC] Invalidate old scope operations using global lexical binding epoch
637         https://bugs.webkit.org/show_bug.cgi?id=193603
638         <rdar://problem/47380869>
639
640         Reviewed by Saam Barati.
641
642         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
643         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
644         (shouldThrow):
645         (bar):
646         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
647         (shouldBe):
648         (get1):
649         (get2):
650         (get1If):
651         (get2If):
652         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
653         (shouldThrow):
654         (foo):
655
656 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
657
658         Unreviewed, roll out r240220 due to date-format-xparb regression
659         https://bugs.webkit.org/show_bug.cgi?id=193603
660
661         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
662         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
663         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
664         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
665
666 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
667
668         DoesGC rule is wrong for nodes with BigIntUse
669         https://bugs.webkit.org/show_bug.cgi?id=193652
670
671         Reviewed by Saam Barati.
672
673         * stress/big-int-value-op-update-gc-rules.js: Added.
674         (assert):
675         (doesGCAdd):
676         (doesGCSub):
677         (doesGCDiv):
678         (doesGCMul):
679         (doesGCBitAnd):
680         (doesGCBitOr):
681         (doesGCBitXor):
682
683 2019-01-20  Saam Barati  <sbarati@apple.com>
684
685         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
686         https://bugs.webkit.org/show_bug.cgi?id=193644
687         <rdar://problem/46209745>
688
689         Reviewed by Yusuke Suzuki.
690
691         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
692         (foo):
693         * stress/data-view-set-intrinsic-undefined-result.js: Added.
694         (foo):
695         (bar):
696
697 2019-01-20  Saam Barati  <sbarati@apple.com>
698
699         MovHint must merge NodeBytecodeUsesAsValue for its child
700         https://bugs.webkit.org/show_bug.cgi?id=186916
701         <rdar://problem/41396612>
702
703         Reviewed by Yusuke Suzuki.
704
705         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
706         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
707
708 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
709
710         [JSC] Invalidate old scope operations using global lexical binding epoch
711         https://bugs.webkit.org/show_bug.cgi?id=193603
712         <rdar://problem/47380869>
713
714         Reviewed by Saam Barati.
715
716         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
717         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
718         (shouldThrow):
719         (bar):
720         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
721         (shouldBe):
722         (get1):
723         (get2):
724         (get1If):
725         (get2If):
726         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
727         (shouldThrow):
728         (foo):
729
730 2019-01-17  Saam barati  <sbarati@apple.com>
731
732         StringObjectUse should not be a structure check for the original string object structure
733         https://bugs.webkit.org/show_bug.cgi?id=193483
734         <rdar://problem/47280522>
735
736         Reviewed by Yusuke Suzuki.
737
738         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
739         (foo):
740         (a.valueOf.0):
741
742 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
743
744         [JSC] ToThis omission in DFGByteCodeParser is wrong
745         https://bugs.webkit.org/show_bug.cgi?id=193513
746         <rdar://problem/45842236>
747
748         Reviewed by Saam Barati.
749
750         * stress/to-this-omission-with-different-strict-modes.js: Added.
751         (thisA):
752         (thisAStrictWrapper):
753
754 2019-01-15  Mark Lam  <mark.lam@apple.com>
755
756         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
757         https://bugs.webkit.org/show_bug.cgi?id=193423
758         <rdar://problem/46209355>
759
760         Reviewed by Saam Barati.
761
762         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
763         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
764         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
765         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
766
767 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
768
769         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
770         https://bugs.webkit.org/show_bug.cgi?id=193438
771         <rdar://problem/45581249>
772
773         Reviewed by Saam Barati and Keith Miller.
774
775         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
776         Then, GetByVal(String) crashed.
777
778         * stress/string-get-by-val-lowering.js: Added.
779         (shouldBe):
780         (test):
781         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
782         (Hello):
783         (foo):
784
785 2019-01-15  Tomas Popela  <tpopela@redhat.com>
786
787         Unreviewed, skip JIT tests if it's not enabled
788
789         * stress/bit-op-with-object-returning-int32.js:
790
791 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
792
793         DFGByteCodeParser rules for bitwise operations should consider type of their operands
794         https://bugs.webkit.org/show_bug.cgi?id=192966
795
796         Reviewed by Yusuke Suzuki.
797
798         * stress/bit-op-with-object-returning-int32.js: Added.
799
800 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
801
802         Skip a slow test and a flakey test on arm
803
804         Unreviewed gardening.
805
806         * typeProfiler/getter-richards.js:
807         this test always times out, it used to be always skipped on arm and
808         mips, but got accidentally enabled by r237919 now that we have DFG on
809         arm. Also skipping on mips as we plan to soon enable DFG for it too.
810
811 2019-01-14  Keith Miller  <keith_miller@apple.com>
812
813         Skip type-check-hoisting-phase-hoist... with no jit
814         https://bugs.webkit.org/show_bug.cgi?id=193421
815
816         Reviewed by Mark Lam.
817
818         It's timing out the 32-bit bots and takes 330 seconds
819         on my machine when run by itself.
820
821         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
822
823 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
824
825         [JSC] AI should check the given constant's array type when folding GetByVal into constant
826         https://bugs.webkit.org/show_bug.cgi?id=193413
827         <rdar://problem/46092389>
828
829         Reviewed by Keith Miller.
830
831         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
832         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
833         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
834         but GetByVal does not have appropriate ArrayModes, JSC crashes.
835
836         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
837         (compareArray):
838
839 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
840
841         [BigInt] Literal parsing is crashing when used inside a Object Literal
842         https://bugs.webkit.org/show_bug.cgi?id=193404
843
844         Reviewed by Yusuke Suzuki.
845
846         * stress/big-int-literal-inside-literal-object.js: Added.
847
848 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
849
850         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
851         https://bugs.webkit.org/show_bug.cgi?id=193372
852
853         Reviewed by Saam Barati.
854
855         * stress/typed-array-array-modes-profile.js: Added.
856         (foo):
857
858 2019-01-14  Mark Lam  <mark.lam@apple.com>
859
860         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
861         https://bugs.webkit.org/show_bug.cgi?id=193402
862         <rdar://problem/46012309>
863
864         Reviewed by Keith Miller.
865
866         * stress/regexp-compile-oom.js:
867         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
868           is enabled.  As a result, it will fail on cloop builds though there is no bug.
869
870 2019-01-11  Saam barati  <sbarati@apple.com>
871
872         DFG combined liveness can be wrong for terminal basic blocks
873         https://bugs.webkit.org/show_bug.cgi?id=193304
874         <rdar://problem/45268632>
875
876         Reviewed by Yusuke Suzuki.
877
878         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
879
880 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
881
882         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
883         https://bugs.webkit.org/show_bug.cgi?id=193308
884         <rdar://problem/45546542>
885
886         Reviewed by Saam Barati.
887
888         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
889         (shouldThrow):
890         (shouldBe):
891         (foo):
892         (get shouldThrow):
893         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
894         (shouldThrow):
895         (shouldBe):
896         (foo):
897         (get shouldBe):
898         (get shouldThrow):
899         (get return):
900         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
901         (shouldThrow):
902         (shouldBe):
903         (foo):
904         (get shouldBe):
905         (get shouldThrow):
906         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
907         (shouldThrow):
908         (shouldBe):
909         (foo):
910         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
911         (shouldThrow):
912         (shouldBe):
913         (foo):
914         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
915         (shouldThrow):
916         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
917         (shouldThrow):
918         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
919         (shouldThrow):
920         (shouldBe):
921         (foo):
922         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
923         (shouldThrow):
924         (shouldBe):
925         (foo):
926         (get shouldBe):
927         (get shouldThrow):
928         (get return):
929         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
930         (shouldThrow):
931         (shouldBe):
932         (foo):
933         (get shouldBe):
934         (get shouldThrow):
935         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
936         (shouldThrow):
937         (shouldBe):
938         (foo):
939         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
940         (shouldThrow):
941         (shouldBe):
942         (foo):
943
944 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
945
946         Enable DFG on ARM/Linux again
947         https://bugs.webkit.org/show_bug.cgi?id=192496
948
949         Reviewed by Yusuke Suzuki.
950
951         Test wasn't really skipped before moving the line with skip
952         to the top.
953
954         * stress/regress-192717.js:
955
956 2019-01-10  Commit Queue  <commit-queue@webkit.org>
957
958         Unreviewed, rolling out r239825.
959         https://bugs.webkit.org/show_bug.cgi?id=193330
960
961         Broke tests on armv7/linux bots (Requested by guijemont on
962         #webkit).
963
964         Reverted changeset:
965
966         "Enable DFG on ARM/Linux again"
967         https://bugs.webkit.org/show_bug.cgi?id=192496
968         https://trac.webkit.org/changeset/239825
969
970 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
971
972         Enable DFG on ARM/Linux again
973         https://bugs.webkit.org/show_bug.cgi?id=192496
974
975         Reviewed by Yusuke Suzuki.
976
977         Test wasn't really skipped before moving the line with skip
978         to the top.
979
980         * stress/regress-192717.js:
981
982 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
983
984         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
985         https://bugs.webkit.org/show_bug.cgi?id=193127
986
987         Reviewed by Saam Barati.
988
989         * stress/array-species-create-should-handle-masquerader.js: Added.
990         (shouldThrow):
991         * stress/is-undefined-or-null-builtin.js: Added.
992         (shouldBe):
993         (isUndefinedOrNull.vm.createBuiltin):
994
995 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
996
997         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
998         https://bugs.webkit.org/show_bug.cgi?id=193221
999
1000         Reviewed by Mark Lam.
1001
1002         * stress/put-by-id-flags.js: Added.
1003         (f):
1004         (g):
1005         (numberOfDFGCompiles):
1006
1007 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1008
1009         Baseline version of get_by_id may corrupt metadata
1010         https://bugs.webkit.org/show_bug.cgi?id=193085
1011         <rdar://problem/23453006>
1012
1013         Reviewed by Saam Barati.
1014
1015         * stress/get-by-id-change-mode.js: Added.
1016         (forEach):
1017
1018 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1019
1020         [JSC] Optimize Object.prototype.toString
1021         https://bugs.webkit.org/show_bug.cgi?id=193031
1022
1023         Reviewed by Saam Barati.
1024
1025         * stress/object-tostring-changed-proto.js: Added.
1026         (shouldBe):
1027         (test):
1028         * stress/object-tostring-changed.js: Added.
1029         (shouldBe):
1030         (test):
1031         * stress/object-tostring-misc.js: Added.
1032         (shouldBe):
1033         (test):
1034         (i.switch):
1035         * stress/object-tostring-other.js: Added.
1036         (shouldBe):
1037         (test):
1038         * stress/object-tostring-untyped.js: Added.
1039         (shouldBe):
1040         (test):
1041         (i.switch):
1042
1043 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1044
1045         test262-runner misbehaves when test file YAML has a trailing space
1046         https://bugs.webkit.org/show_bug.cgi?id=193053
1047
1048         Reviewed by Yusuke Suzuki.
1049
1050         * test262/expectations.yaml:
1051         Mark two dozen tests as passing (and correct the output of another).
1052
1053 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1054
1055         Unreviewed, JSTests gardening with memoryLimited
1056
1057         * stress/string-overflow-createError.js:
1058
1059 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1060
1061         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1062         https://bugs.webkit.org/show_bug.cgi?id=193050
1063
1064         Reviewed by Yusuke Suzuki.
1065
1066         * test262.yaml:
1067         * test262/expectations.yaml:
1068         Mark 16 tests as passing.
1069
1070 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1071
1072         [BigInt] Support BigInt in JSON.stringify
1073         https://bugs.webkit.org/show_bug.cgi?id=192624
1074
1075         Reviewed by Saam Barati.
1076
1077         * stress/big-int-json-stringify-to-json.js: Added.
1078         (shouldBe):
1079         (shouldThrow):
1080         (BigInt.prototype.toJSON):
1081         (shouldBe.JSON.stringify):
1082         * stress/big-int-json-stringify.js: Added.
1083         (shouldBe):
1084         (shouldThrow):
1085
1086 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1087
1088         [JSC] Implement "well-formed JSON.stringify" proposal
1089         https://bugs.webkit.org/show_bug.cgi?id=191677
1090
1091         Reviewed by Darin Adler.
1092
1093         * stress/json-surrogate-pair.js: Added.
1094         (shouldBe):
1095         * test262/expectations.yaml:
1096
1097 2018-12-20  Keith Miller  <keith_miller@apple.com>
1098
1099         Add support for globalThis
1100         https://bugs.webkit.org/show_bug.cgi?id=165171
1101
1102         Reviewed by Mark Lam.
1103
1104         * test262/config.yaml:
1105
1106 2018-12-19  Keith Miller  <keith_miller@apple.com>
1107
1108         Update test262 configuration to not run tests dependent on ICU version.
1109         https://bugs.webkit.org/show_bug.cgi?id=192920
1110
1111         Reviewed by Saam Barati.
1112
1113         * test262/expectations.yaml:
1114
1115 2018-12-20  Mark Lam  <mark.lam@apple.com>
1116
1117         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1118         https://bugs.webkit.org/show_bug.cgi?id=192939
1119         <rdar://problem/46869516>
1120
1121         Reviewed by Keith Miller.
1122
1123         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1124
1125 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1126
1127         WTF::String and StringImpl overflow MaxLength
1128         https://bugs.webkit.org/show_bug.cgi?id=192853
1129         <rdar://problem/45726906>
1130
1131         Reviewed by Mark Lam.
1132
1133         * stress/string-16bit-repeat-overflow.js: Added.
1134         (catch):
1135
1136 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1137
1138         Unreviewed follow-up to r192914.
1139
1140         * test262/expectations.yaml:
1141         Add the last 20 missing expectations.
1142
1143 2018-12-19  Keith Miller  <keith_miller@apple.com>
1144
1145         Fix test262 expectations
1146         https://bugs.webkit.org/show_bug.cgi?id=192914
1147
1148         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1149
1150         * test262/expectations.yaml:
1151
1152 2018-12-19  Keith Miller  <keith_miller@apple.com>
1153
1154         Update test262 tests.
1155         https://bugs.webkit.org/show_bug.cgi?id=192907
1156
1157         Rubber stamped by Mark Lam.
1158
1159         * test262/*: Omitted because prepare-changelog crashes.
1160
1161 2018-12-19  Mark Lam  <mark.lam@apple.com>
1162
1163         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1164         https://bugs.webkit.org/show_bug.cgi?id=192464
1165         <rdar://problem/46519455>
1166
1167         Reviewed by Saam Barati.
1168
1169         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1170         microbenchmark.
1171
1172         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1173         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1174
1175 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1176
1177         String overflow in JSC::createError results in ASSERT in WTF::makeString
1178         https://bugs.webkit.org/show_bug.cgi?id=192833
1179         <rdar://problem/45706868>
1180
1181         Reviewed by Mark Lam.
1182
1183         * stress/string-overflow-createError.js: Added.
1184
1185 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1186
1187         Error message for `-x ** y` contains a typo.
1188         https://bugs.webkit.org/show_bug.cgi?id=192832
1189
1190         Reviewed by Saam Barati.
1191
1192         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1193         (assert.assert.return.throws):
1194         * stress/pow-expects-update-expression-on-lhs.js:
1195         (throw.new.Error):
1196         Update test expectations which match against the exact error message.
1197
1198 2018-12-18  Mark Lam  <mark.lam@apple.com>
1199
1200         Gardening: test options fix.
1201         https://bugs.webkit.org/show_bug.cgi?id=192822
1202
1203         Unreviewed.
1204
1205         * stress/json-stringify-string-builder-overflow.js:
1206
1207 2018-12-18  Mark Lam  <mark.lam@apple.com>
1208
1209         JSON.stringify() should throw OOM on StringBuilder overflows.
1210         https://bugs.webkit.org/show_bug.cgi?id=192822
1211         <rdar://problem/46670577>
1212
1213         Reviewed by Saam Barati.
1214
1215         * stress/json-stringify-string-builder-overflow.js: Added.
1216
1217 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1218
1219         Redeclaration of var over let/const/class should be a syntax error.
1220         https://bugs.webkit.org/show_bug.cgi?id=192298
1221
1222         Reviewed by Keith Miller.
1223
1224         * test262.yaml:
1225         * test262/expectations.yaml:
1226         Mark 46 tests as passing.
1227
1228         * stress/block-scope-redeclarations.js:
1229         Add some new tests.
1230
1231         * stress/for-in-invalidate-context-weird-assignments.js:
1232         * stress/for-in-tests.js:
1233         Replace tests for outdated behavior with tests for SyntaxError.
1234
1235         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1236         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1237         Update expectations.
1238
1239 2018-12-18  Mark Lam  <mark.lam@apple.com>
1240
1241         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1242         https://bugs.webkit.org/show_bug.cgi?id=191374
1243         <rdar://problem/46525447>
1244
1245         Reviewed by Yusuke Suzuki.
1246
1247         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1248
1249         * stress/elidable-new-object-roflcopter-then-exit.js:
1250
1251 2018-12-17  Mark Lam  <mark.lam@apple.com>
1252
1253         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1254         https://bugs.webkit.org/show_bug.cgi?id=192019
1255         <rdar://problem/46525456>
1256
1257         Reviewed by Yusuke Suzuki.
1258
1259         The test runs too slow on 32-bit.
1260
1261         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1262
1263 2018-12-17  Mark Lam  <mark.lam@apple.com>
1264
1265         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1266         https://bugs.webkit.org/show_bug.cgi?id=191373
1267         <rdar://problem/46525458>
1268
1269         Reviewed by Yusuke Suzuki.
1270
1271         The test is already slow running with a JIT on 64-bit.  It will always timeout
1272         on 32-bit without a JIT.
1273
1274         * stress/materialize-regexp-cyclic-regexp.js:
1275
1276 2018-12-17  Mark Lam  <mark.lam@apple.com>
1277
1278         Array unshift/shift should not race against the AI in the compiler thread.
1279         https://bugs.webkit.org/show_bug.cgi?id=192795
1280         <rdar://problem/46724263>
1281
1282         Reviewed by Saam Barati.
1283
1284         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1285
1286 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1287
1288         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1289         https://bugs.webkit.org/show_bug.cgi?id=190047
1290
1291         Reviewed by Saam Barati.
1292
1293         * stress/object-keys-cached-zero.js: Added.
1294         (shouldBe):
1295         (test):
1296         * stress/object-keys-changed-attribute.js: Added.
1297         (shouldBe):
1298         (test):
1299         * stress/object-keys-changed-index.js: Added.
1300         (shouldBe):
1301         (test):
1302         * stress/object-keys-changed.js: Added.
1303         (shouldBe):
1304         (test):
1305         * stress/object-keys-indexed-non-cache.js: Added.
1306         (shouldBe):
1307         (test):
1308         * stress/object-keys-overrides-get-property-names.js: Added.
1309         (shouldBe):
1310         (test):
1311         (noInline):
1312
1313 2018-12-17  Mark Lam  <mark.lam@apple.com>
1314
1315         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1316         https://bugs.webkit.org/show_bug.cgi?id=192779
1317         <rdar://problem/46775869>
1318
1319         Reviewed by Saam Barati.
1320
1321         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1322
1323 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1324
1325         Unreviewed test gardening, address a syntax error in a new test.
1326
1327         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1328
1329 2018-12-17  Mark Lam  <mark.lam@apple.com>
1330
1331         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1332         https://bugs.webkit.org/show_bug.cgi?id=192776
1333         <rdar://problem/46772368>
1334
1335         Reviewed by Keith Miller.
1336
1337         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1338
1339 2018-12-17  Mark Lam  <mark.lam@apple.com>
1340
1341         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1342         https://bugs.webkit.org/show_bug.cgi?id=192770
1343         <rdar://problem/46449037>
1344
1345         Reviewed by Keith Miller.
1346
1347         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1348
1349 2018-12-14  Mark Lam  <mark.lam@apple.com>
1350
1351         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1352         https://bugs.webkit.org/show_bug.cgi?id=192717
1353         <rdar://problem/46660677>
1354
1355         Reviewed by Saam Barati.
1356
1357         * stress/regress-192717.js: Added.
1358
1359 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1360
1361         Unreviewed, rolling out r239153, r239154, and r239155.
1362         https://bugs.webkit.org/show_bug.cgi?id=192715
1363
1364         Caused flaky GC-related crashes seen with layout tests
1365         (Requested by ryanhaddad on #webkit).
1366
1367         Reverted changesets:
1368
1369         "[JSC] Optimize Object.keys by caching own keys results in
1370         StructureRareData"
1371         https://bugs.webkit.org/show_bug.cgi?id=190047
1372         https://trac.webkit.org/changeset/239153
1373
1374         "Unreviewed, build fix after r239153"
1375         https://bugs.webkit.org/show_bug.cgi?id=190047
1376         https://trac.webkit.org/changeset/239154
1377
1378         "Unreviewed, build fix after r239153, part 2"
1379         https://bugs.webkit.org/show_bug.cgi?id=190047
1380         https://trac.webkit.org/changeset/239155
1381
1382 2018-12-14  Keith Miller  <keith_miller@apple.com>
1383
1384         Callers of JSString::getIndex should check for OOM exceptions
1385         https://bugs.webkit.org/show_bug.cgi?id=192709
1386
1387         Reviewed by Mark Lam.
1388
1389         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1390
1391 2018-12-13  Mark Lam  <mark.lam@apple.com>
1392
1393         Add a missing exception check.
1394         https://bugs.webkit.org/show_bug.cgi?id=192626
1395         <rdar://problem/46662163>
1396
1397         Reviewed by Keith Miller.
1398
1399         * stress/regress-192626.js: Added.
1400
1401 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1402
1403         [BigInt] Add ValueDiv into DFG
1404         https://bugs.webkit.org/show_bug.cgi?id=186178
1405
1406         Reviewed by Yusuke Suzuki.
1407
1408         * stress/big-int-div-jit-osr.js: Added.
1409         * stress/big-int-div-jit-untyped.js: Added.
1410         * stress/value-div-fixup-int32-big-int.js: Added.
1411
1412 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1413
1414         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1415         https://bugs.webkit.org/show_bug.cgi?id=190047
1416
1417         Reviewed by Keith Miller.
1418
1419         * stress/object-keys-cached-zero.js: Added.
1420         (shouldBe):
1421         (test):
1422         * stress/object-keys-changed-attribute.js: Added.
1423         (shouldBe):
1424         (test):
1425         * stress/object-keys-changed-index.js: Added.
1426         (shouldBe):
1427         (test):
1428         * stress/object-keys-changed.js: Added.
1429         (shouldBe):
1430         (test):
1431         * stress/object-keys-indexed-non-cache.js: Added.
1432         (shouldBe):
1433         (test):
1434         * stress/object-keys-overrides-get-property-names.js: Added.
1435         (shouldBe):
1436         (test):
1437         (noInline):
1438
1439 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1440
1441         [DFG][FTL] Add NewSymbol
1442         https://bugs.webkit.org/show_bug.cgi?id=192620
1443
1444         Reviewed by Saam Barati.
1445
1446         * microbenchmarks/symbol-creation.js: Added.
1447         (test):
1448         * stress/symbol-description-identity.js: Added.
1449         (shouldBe):
1450         (test):
1451         * stress/symbol-identity.js: Added.
1452         (shouldBe):
1453         (test):
1454         * stress/symbol-with-description-throw-error.js: Added.
1455         (shouldBe):
1456         (shouldThrow):
1457         (test):
1458         (object.toString):
1459
1460 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1461
1462         [BigInt] Implement DFG/FTL typeof for BigInt
1463         https://bugs.webkit.org/show_bug.cgi?id=192619
1464
1465         Reviewed by Keith Miller.
1466
1467         * stress/big-int-boolean-proven-type.js: Added.
1468         (assert):
1469         (bool):
1470         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1471         (assert):
1472         (typeOf):
1473         (i.switch):
1474         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1475         (assert):
1476         (typeOf):
1477         * stress/big-int-type-of.js:
1478         (typeOf):
1479         (func):
1480
1481 2018-12-10  Mark Lam  <mark.lam@apple.com>
1482
1483         PropertyAttribute needs a CustomValue bit.
1484         https://bugs.webkit.org/show_bug.cgi?id=191993
1485         <rdar://problem/46264467>
1486
1487         Reviewed by Saam Barati.
1488
1489         * stress/regress-191993.js: Added.
1490
1491 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1492
1493         [BigInt] Add ValueMul into DFG
1494         https://bugs.webkit.org/show_bug.cgi?id=186175
1495
1496         Reviewed by Yusuke Suzuki.
1497
1498         * stress/big-int-mul-jit-osr.js: Added.
1499         * stress/big-int-mul-jit-untyped.js: Added.
1500         * stress/value-mul-fixup-int32-big-int.js: Added.
1501
1502 2018-12-06  Keith Miller  <keith_miller@apple.com>
1503
1504         stress/big-wasm-memory tests failing on 32-bit JSC bot
1505         https://bugs.webkit.org/show_bug.cgi?id=192020
1506
1507         Reviewed by Saam Barati.
1508
1509         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1510         the wasm stress tests if the WebAssembly object does not exist.
1511
1512         * stress/big-wasm-memory-grow-no-max.js:
1513         (test.foo):
1514         (test):
1515         (foo): Deleted.
1516         (catch): Deleted.
1517         * stress/big-wasm-memory-grow.js:
1518         (test.foo):
1519         (test):
1520         (foo): Deleted.
1521         (catch): Deleted.
1522         * stress/big-wasm-memory.js:
1523         (test.foo):
1524         (test):
1525         (foo): Deleted.
1526         (catch): Deleted.
1527
1528 2018-12-05  Mark Lam  <mark.lam@apple.com>
1529
1530         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1531         https://bugs.webkit.org/show_bug.cgi?id=192441
1532         <rdar://problem/46480355>
1533
1534         Reviewed by Saam Barati.
1535
1536         * stress/regress-192441.js: Added.
1537
1538 2018-12-04  Mark Lam  <mark.lam@apple.com>
1539
1540         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1541         https://bugs.webkit.org/show_bug.cgi?id=192386
1542         <rdar://problem/46445516>
1543
1544         Reviewed by Saam Barati.
1545
1546         * stress/regress-192386.js: Added.
1547
1548 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1549
1550         [ESNext][BigInt] Support logic operations
1551         https://bugs.webkit.org/show_bug.cgi?id=179903
1552
1553         Reviewed by Yusuke Suzuki.
1554
1555         * stress/big-int-branch-usage.js: Added.
1556         * stress/big-int-logical-and.js: Added.
1557         * stress/big-int-logical-not.js: Added.
1558         * stress/big-int-logical-or.js: Added.
1559
1560 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1561
1562         Unreviewed, rolling out r238833.
1563
1564         Breaks macOS and iOS debug builds.
1565
1566         Reverted changeset:
1567
1568         "[ESNext][BigInt] Support logic operations"
1569         https://bugs.webkit.org/show_bug.cgi?id=179903
1570         https://trac.webkit.org/changeset/238833
1571
1572 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1573
1574         [ESNext][BigInt] Support logic operations
1575         https://bugs.webkit.org/show_bug.cgi?id=179903
1576
1577         Reviewed by Yusuke Suzuki.
1578
1579         * stress/big-int-branch-usage.js: Added.
1580         * stress/big-int-logical-and.js: Added.
1581         * stress/big-int-logical-not.js: Added.
1582         * stress/big-int-logical-or.js: Added.
1583
1584 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1585
1586         [ESNext][BigInt] Implement support for "<<" and ">>"
1587         https://bugs.webkit.org/show_bug.cgi?id=186233
1588
1589         Reviewed by Yusuke Suzuki.
1590
1591         * stress/big-int-left-shift-general.js: Added.
1592         * stress/big-int-left-shift-range-error.js: Added.
1593         * stress/big-int-left-shift-type-error.js: Added.
1594         * stress/big-int-left-shift-wrapped-value.js: Added.
1595         * stress/big-int-right-shift-general.js: Added.
1596         * stress/big-int-right-shift-type-error.js: Added.
1597         * stress/big-int-right-shift-wrapped-value.js: Added.
1598         * stress/left-shift-to-primitive-precedence.js: Added.
1599         * stress/right-shift-to-primitive-precedence.js: Added.
1600
1601 2018-11-30  Dean Jackson  <dino@apple.com>
1602
1603         Add first-class support for .mjs files in jsc binary
1604         https://bugs.webkit.org/show_bug.cgi?id=192190
1605         <rdar://problem/46375715>
1606
1607         Reviewed by Keith Miller.
1608
1609         * stress/simple-module.mjs: Added.
1610         * stress/simple-script.js: Added.
1611
1612 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1613
1614         [BigInt] Implement ValueBitXor into DFG
1615         https://bugs.webkit.org/show_bug.cgi?id=190264
1616
1617         Reviewed by Yusuke Suzuki.
1618
1619         * stress/big-int-bitwise-xor-jit.js: Added.
1620         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1621         * stress/big-int-bitwise-xor-untyped.js: Added.
1622
1623 2018-11-27  Saam barati  <sbarati@apple.com>
1624
1625         r238510 broke scopes of size zero
1626         https://bugs.webkit.org/show_bug.cgi?id=192033
1627         <rdar://problem/46281734>
1628
1629         Reviewed by Keith Miller.
1630
1631         * stress/r238510-bad-loop.js: Added.
1632         (foo):
1633
1634 2018-11-27  Mark Lam  <mark.lam@apple.com>
1635
1636         [Re-landing] NaNs read from Wasm code needs to be be purified.
1637         https://bugs.webkit.org/show_bug.cgi?id=191056
1638         <rdar://problem/45660341>
1639
1640         Reviewed by Filip Pizlo.
1641
1642         * wasm/regress/regress-191056.js: Added.
1643
1644 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1645
1646         Unreviewed, rolling out r238509.
1647
1648         Causes JSC tests to fail on iOS.
1649
1650         Reverted changeset:
1651
1652         "NaNs read from Wasm code needs to be be purified."
1653         https://bugs.webkit.org/show_bug.cgi?id=191056
1654         https://trac.webkit.org/changeset/238509
1655
1656 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1657
1658         Re-introduce op_bitnot
1659         https://bugs.webkit.org/show_bug.cgi?id=190923
1660
1661         Reviewed by Yusuke Suzuki.
1662
1663         * stress/bit-not-must-generate.js: Added.
1664         * stress/bitwise-not-no-int32.js: Added.
1665
1666 2018-11-26  Saam barati  <sbarati@apple.com>
1667
1668         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1669         https://bugs.webkit.org/show_bug.cgi?id=191956
1670         <rdar://problem/45665806>
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1675         (bar):
1676         (foo):
1677
1678 2018-11-26  Saam barati  <sbarati@apple.com>
1679
1680         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1681         https://bugs.webkit.org/show_bug.cgi?id=191958
1682         <rdar://problem/46221877>
1683
1684         Reviewed by Yusuke Suzuki.
1685
1686         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1687         (x):
1688         (foo):
1689
1690 2018-11-26  Mark Lam  <mark.lam@apple.com>
1691
1692         NaNs read from Wasm code needs to be be purified.
1693         https://bugs.webkit.org/show_bug.cgi?id=191056
1694         <rdar://problem/45660341>
1695
1696         Reviewed by Filip Pizlo.
1697
1698         * wasm/regress/regress-191056.js: Added.
1699
1700 2018-11-26  Michael Saboff  <msaboff@apple.com>
1701
1702         32-bit JSC test failure: stress/regexp-compile-oom.js
1703         https://bugs.webkit.org/show_bug.cgi?id=191375
1704
1705         Reviewed by Mark Lam.
1706
1707         Disabled the test for 32 bit platforms.
1708
1709         * stress/regexp-compile-oom.js:
1710
1711 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1712
1713         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1714         https://bugs.webkit.org/show_bug.cgi?id=191716
1715         <rdar://problem/45723878>
1716
1717         Reviewed by Saam Barati.
1718
1719         * stress/regress-187373.js: Added.
1720         (async.fn):
1721
1722 2018-11-21  Saam barati  <sbarati@apple.com>
1723
1724         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1725         https://bugs.webkit.org/show_bug.cgi?id=191897
1726         <rdar://problem/45871998>
1727
1728         Reviewed by Mark Lam.
1729
1730         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1731         (bar):
1732         (foo):
1733
1734 2018-11-21  Saam barati  <sbarati@apple.com>
1735
1736         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1737         https://bugs.webkit.org/show_bug.cgi?id=191895
1738         <rdar://problem/46167406>
1739
1740         Reviewed by Mark Lam.
1741
1742         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1743         (foo):
1744         (bar):
1745
1746 2018-11-21  Mark Lam  <mark.lam@apple.com>
1747
1748         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1749         https://bugs.webkit.org/show_bug.cgi?id=191776
1750         <rdar://problem/46152851>
1751
1752         Reviewed by Saam Barati.
1753
1754         * stress/big-wasm-memory-grow-no-max.js:
1755         * stress/big-wasm-memory-grow.js:
1756         * stress/big-wasm-memory.js:
1757         - updated these to expect an OutOfMemoryError.
1758
1759         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1760         (Binary.prototype.emit_u8):
1761         (Binary.prototype.emit_u32v):
1762         (Binary.prototype.emit_header):
1763         (Binary.prototype.emit_section):
1764         (Binary):
1765         (WasmModuleBuilder):
1766         (WasmModuleBuilder.prototype.addMemory):
1767         (WasmModuleBuilder.prototype.toArray):
1768         (WasmModuleBuilder.prototype.toBuffer):
1769         (WasmModuleBuilder.prototype.instantiate):
1770         (catch):
1771         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1772         (catch):
1773
1774 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1775
1776         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1777         https://bugs.webkit.org/show_bug.cgi?id=190836
1778
1779         Reviewed by Saam Barati and Yusuke Suzuki.
1780
1781         * stress/big-int-out-of-memory-tests.js: Added.
1782
1783 2018-11-20  Mark Lam  <mark.lam@apple.com>
1784
1785         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1786         https://bugs.webkit.org/show_bug.cgi?id=191856
1787         <rdar://problem/46089992>
1788
1789         Reviewed by Yusuke Suzuki.
1790
1791         * stress/regress-191856.js: Added.
1792         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1793
1794 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1795
1796         Enable JIT on ARM/Linux
1797         https://bugs.webkit.org/show_bug.cgi?id=191548
1798
1799         Reviewed by Yusuke Suzuki.
1800
1801         Disable test on system with limited memory. Program was killed by
1802         the OS before the exception was thrown.
1803
1804         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1805
1806 2018-11-20  Saam barati  <sbarati@apple.com>
1807
1808         Merging an IC variant may lead to the IC status containing overlapping structure sets
1809         https://bugs.webkit.org/show_bug.cgi?id=191869
1810         <rdar://problem/45403453>
1811
1812         Reviewed by Mark Lam.
1813
1814         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1815
1816 2018-11-19  Mark Lam  <mark.lam@apple.com>
1817
1818         globalFuncImportModule() should return a promise when it clears exceptions.
1819         https://bugs.webkit.org/show_bug.cgi?id=191792
1820         <rdar://problem/46090763>
1821
1822         Reviewed by Michael Saboff.
1823
1824         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1825
1826 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1827
1828         Skip new memory-hungry tests on memory limited devices
1829
1830         Unreviewed gardening.
1831
1832         * stress/big-wasm-memory-grow-no-max.js:
1833         * stress/big-wasm-memory-grow.js:
1834         * stress/big-wasm-memory.js:
1835
1836 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1837
1838         Unreviewed, rolling in the rest of r237254
1839         https://bugs.webkit.org/show_bug.cgi?id=190340
1840
1841         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1842         * stress/function-cache-with-parameters-end-position.js: Added.
1843         (shouldBe):
1844         (shouldThrow):
1845         (i.anonymous):
1846         * stress/function-constructor-name.js: Added.
1847         (shouldBe):
1848         (GeneratorFunction):
1849         (AsyncFunction.async):
1850         (AsyncGeneratorFunction.async):
1851         (anonymous):
1852         (async.anonymous):
1853         * test262/expectations.yaml:
1854
1855 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1856
1857         All users of ArrayBuffer should agree on the same max size
1858         https://bugs.webkit.org/show_bug.cgi?id=191771
1859
1860         Reviewed by Mark Lam.
1861
1862         * stress/big-wasm-memory-grow-no-max.js: Added.
1863         (foo):
1864         (catch):
1865         * stress/big-wasm-memory-grow.js: Added.
1866         (foo):
1867         (catch):
1868         * stress/big-wasm-memory.js: Added.
1869         (foo):
1870         (catch):
1871
1872 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1873
1874         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1875         run for each JSC config since they're regression tests for runtime bugs.
1876
1877         * stress/json-stringified-overflow-2.js:
1878         * stress/json-stringified-overflow.js:
1879
1880 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1881
1882         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1883         config since they're regression tests for runtime bugs.
1884
1885         * stress/large-unshift-splice.js:
1886         * stress/regress-185888.js:
1887
1888 2018-11-16  Saam Barati  <sbarati@apple.com>
1889
1890         KnownCellUse should also have SpecCellCheck as its type filter
1891         https://bugs.webkit.org/show_bug.cgi?id=191729
1892         <rdar://problem/45872852>
1893
1894         Reviewed by Filip Pizlo.
1895
1896         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1897         (C):
1898
1899 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1900
1901         Fix assertion failure on BytecodeGenerator::recordOpcode
1902         https://bugs.webkit.org/show_bug.cgi?id=191724
1903         <rdar://problem/45724395>
1904
1905         Reviewed by Saam Barati.
1906
1907         * stress/regress-187373-2.js: Added.
1908         (foo):
1909
1910 2018-11-15  Mark Lam  <mark.lam@apple.com>
1911
1912         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1913         https://bugs.webkit.org/show_bug.cgi?id=191730
1914         <rdar://problem/46048517>
1915
1916         Reviewed by Saam Barati.
1917
1918         * stress/regress-187006.js: Removed.
1919           - this test is invalid because its sole purpose is to test for the non-spec
1920             compliant behavior that we just fixed.
1921
1922         * stress/regress-191730.js: Added.
1923
1924 2018-11-15  Mark Lam  <mark.lam@apple.com>
1925
1926         RegExp operations should not take fast patch if lastIndex is not numeric.
1927         https://bugs.webkit.org/show_bug.cgi?id=191731
1928         <rdar://problem/46017305>
1929
1930         Reviewed by Saam Barati.
1931
1932         * stress/regress-191731.js: Added.
1933
1934 2018-11-13  Saam Barati  <sbarati@apple.com>
1935
1936         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1937         https://bugs.webkit.org/show_bug.cgi?id=191600
1938
1939         Reviewed by Mark Lam.
1940
1941         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1942         (foo):
1943         (test):
1944         (bar):
1945
1946 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1947
1948         Unreviewed, rolling out r238132.
1949
1950         The test added with this change is timing out on Debug JSC
1951         bots.
1952
1953         Reverted changeset:
1954
1955         "[BigInt] JSBigInt::createWithLength should throw when length
1956         is greater than JSBigInt::maxLength"
1957         https://bugs.webkit.org/show_bug.cgi?id=190836
1958         https://trac.webkit.org/changeset/238132
1959
1960 2018-11-13  Mark Lam  <mark.lam@apple.com>
1961
1962         Add OOM detection to StringPrototype's substituteBackreferences().
1963         https://bugs.webkit.org/show_bug.cgi?id=191563
1964         <rdar://problem/45720428>
1965
1966         Reviewed by Saam Barati.
1967
1968         * stress/regress-191563.js: Added.
1969
1970 2018-11-13  Mark Lam  <mark.lam@apple.com>
1971
1972         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1973         https://bugs.webkit.org/show_bug.cgi?id=191579
1974         <rdar://problem/45942472>
1975
1976         Reviewed by Saam Barati.
1977
1978         * stress/regress-191579.js: Added.
1979
1980 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1981
1982         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1983         https://bugs.webkit.org/show_bug.cgi?id=190836
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/big-int-out-of-memory-tests.js: Added.
1988
1989 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1990
1991         U+180E is no longer a whitespace character
1992         https://bugs.webkit.org/show_bug.cgi?id=191415
1993
1994         Reviewed by Saam Barati.
1995
1996         * ChakraCore/test/es5/regexSpace.baseline:
1997         * ChakraCore/test/es6/unicode_whitespace.js:
1998         Update tests to latest version.
1999         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2000
2001         * test262.yaml:
2002         * test262/config.yaml:
2003         * test262/expectations.yaml:
2004         Update expectations.
2005
2006 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2007
2008         [BigInt] Add support to BigInt into ValueAdd
2009         https://bugs.webkit.org/show_bug.cgi?id=186177
2010
2011         Reviewed by Keith Miller.
2012
2013         * stress/big-int-negate-jit.js:
2014         * stress/value-add-big-int-and-string.js: Added.
2015         * stress/value-add-big-int-prediction-propagation.js: Added.
2016         * stress/value-add-big-int-untyped.js: Added.
2017
2018 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2019
2020         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2021         https://bugs.webkit.org/show_bug.cgi?id=191184
2022
2023         Reviewed by Saam Barati.
2024
2025         Most tests were failing due to timeouts, since they are too slow to
2026         run on CLoop. The exceptions are:
2027
2028         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2029         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2030         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2031         to change the stack size since CLoop requires it to be page aligned.
2032
2033         * microbenchmarks/array-push-1.js:
2034         * microbenchmarks/array-push-2.js:
2035         * microbenchmarks/elidable-new-object-dag.js:
2036         * microbenchmarks/elidable-new-object-roflcopter.js:
2037         * microbenchmarks/elidable-new-object-tree.js:
2038         * microbenchmarks/getter-richards.js:
2039         * microbenchmarks/sinkable-new-object-dag.js:
2040         * microbenchmarks/string-concat-long-convert.js:
2041         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2042         * slowMicrobenchmarks/array-push-3.js:
2043         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2044         * slowMicrobenchmarks/spread-small-array.js:
2045         * slowMicrobenchmarks/undefined-property-access.js:
2046         * stress/activation-sink-default-value-tdz-error.js:
2047         * stress/activation-sink-default-value.js:
2048         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2049         * stress/activation-sink-osrexit-default-value.js:
2050         * stress/activation-sink-osrexit.js:
2051         * stress/activation-sink.js:
2052         * stress/allow-math-ic-b3-code-duplication.js:
2053         * stress/array-push-multiple-int32.js:
2054         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2055         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2056         * stress/arrowfunction-lexical-this-activation-sink.js:
2057         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2058         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2059         * stress/elide-new-object-dag-then-exit.js:
2060         * stress/materialize-regexp-cyclic.js:
2061         * stress/new-regex-inline.js:
2062         * stress/op_add.js:
2063         * stress/op_bitand.js:
2064         * stress/op_bitor.js:
2065         * stress/op_bitxor.js:
2066         * stress/op_div-ConstVar.js:
2067         * stress/op_div-VarConst.js:
2068         * stress/op_div-VarVar.js:
2069         * stress/op_lshift-ConstVar.js:
2070         * stress/op_lshift-VarConst.js:
2071         * stress/op_lshift-VarVar.js:
2072         * stress/op_mod-ConstVar.js:
2073         * stress/op_mod-VarConst.js:
2074         * stress/op_mod-VarVar.js:
2075         * stress/op_mul-ConstVar.js:
2076         * stress/op_mul-VarConst.js:
2077         * stress/op_mul-VarVar.js:
2078         * stress/op_rshift-ConstVar.js:
2079         * stress/op_rshift-VarConst.js:
2080         * stress/op_rshift-VarVar.js:
2081         * stress/op_sub-ConstVar.js:
2082         * stress/op_sub-VarConst.js:
2083         * stress/op_sub-VarVar.js:
2084         * stress/op_urshift-ConstVar.js:
2085         * stress/op_urshift-VarConst.js:
2086         * stress/op_urshift-VarVar.js:
2087         * stress/proxy-get-set-correct-receiver.js:
2088         * stress/regress-179562.js:
2089         * stress/rest-parameter-many-arguments.js:
2090         * stress/sampling-profiler-richards.js:
2091         * stress/splay-flash-access-1ms.js:
2092         * stress/tailCallForwardArguments.js:
2093         * stress/typed-array-get-by-val-profiling.js:
2094         * typeProfiler/getter-richards.js:
2095
2096 2018-11-06  Michael Saboff  <msaboff@apple.com>
2097
2098         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2099         https://bugs.webkit.org/show_bug.cgi?id=191271
2100
2101         Reviewed by Saam Barati.
2102
2103         Added more test cases and made all test cases run with the same deeply recursive stack
2104         instead of finding that same point for each test case.
2105
2106         * stress/regexp-compile-oom.js:
2107         (prototype.runTest):
2108         (recurseAndTest):
2109         (testList.push.new.TestAndExpectedException):
2110
2111 2018-11-05  Michael Saboff  <msaboff@apple.com>
2112
2113         Unreviewed build fix for linux.
2114
2115         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2116
2117 2018-11-02  Michael Saboff  <msaboff@apple.com>
2118
2119         Rolling in r237753 with unreviewed build fix.
2120
2121         Fixed issues with DECLARE_THROW_SCOPE placement.
2122
2123 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2124
2125         Unreviewed, rolling out r237753.
2126
2127         Introduced JSC test failures
2128
2129         Reverted changeset:
2130
2131         "Running out of stack space not properly handled in
2132         RegExp::compile() and its callers"
2133         https://bugs.webkit.org/show_bug.cgi?id=191206
2134         https://trac.webkit.org/changeset/237753
2135
2136 2018-11-02  Michael Saboff  <msaboff@apple.com>
2137
2138         Running out of stack space not properly handled in RegExp::compile() and its callers
2139         https://bugs.webkit.org/show_bug.cgi?id=191206
2140
2141         Reviewed by Filip Pizlo.
2142
2143         New regression test.
2144
2145         * stress/regexp-compile-oom.js: Added.
2146         (recurseAndTest):
2147
2148 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2149
2150         Skip tests on arm/mips that time out now we're running on CLoop
2151
2152         Unreviewed gardening.
2153
2154         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2155         time out on the bots and need to be disabled. There's more tests
2156         disabled on arm because the timeout is longer on the mips bot (as the
2157         device is slower to start with), so many of the tests don't time out
2158         there.
2159
2160         * microbenchmarks/getter-richards.js: disable on arm and mips.
2161         * stress/op_add.js: disable on arm.
2162         * stress/op_bitand.js: disable on arm.
2163         * stress/op_bitor.js: disable on arm.
2164         * stress/op_bitxor.js: disable on arm.
2165         * stress/op_lshift-ConstVar.js: disable on arm.
2166         * stress/op_lshift-VarConst.js: disable on arm.
2167         * stress/op_lshift-VarVar.js: disable on arm.
2168         * stress/op_mod-ConstVar.js: disable on arm.
2169         * stress/op_mod-VarConst.js: disable on arm.
2170         * stress/op_mod-VarVar.js: disable on arm.
2171         * stress/op_mul-ConstVar.js: disable on arm.
2172         * stress/op_mul-VarConst.js: disable on arm.
2173         * stress/op_mul-VarVar.js: disable on arm.
2174         * stress/op_rshift-ConstVar.js: disable on arm.
2175         * stress/op_rshift-VarConst.js: disable on arm.
2176         * stress/op_rshift-VarVar.js: disable on arm.
2177         * stress/op_sub-ConstVar.js: disable on arm.
2178         * stress/op_sub-VarConst.js: disable on arm.
2179         * stress/op_sub-VarVar.js: disable on arm.
2180         * stress/op_urshift-ConstVar.js: disable on arm.
2181         * stress/op_urshift-VarConst.js: disable on arm.
2182         * stress/op_urshift-VarVar.js: disable on arm.
2183         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2184         * stress/value-to-boolean.js: disable on arm and mips.
2185
2186 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2187
2188         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2189         https://bugs.webkit.org/show_bug.cgi?id=191108
2190         <rdar://problem/45690700>
2191
2192         Reviewed by Saam Barati.
2193
2194         * stress/wide-op_catch.js: Added.
2195         (catch):
2196
2197 2018-10-29  Mark Lam  <mark.lam@apple.com>
2198
2199         Correctly detect string overflow when using the 'Function' constructor.
2200         https://bugs.webkit.org/show_bug.cgi?id=184883
2201         <rdar://problem/36320331>
2202
2203         Reviewed by Saam Barati.
2204
2205         I've verified that this passes on 32-bit as well.
2206
2207         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2208
2209 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2210
2211         Add support for GetStack FlushedDouble
2212         https://bugs.webkit.org/show_bug.cgi?id=191012
2213         <rdar://problem/45265141>
2214
2215         Reviewed by Saam Barati.
2216
2217         * stress/get-stack-double.js: Added.
2218         (bar):
2219         (noInline):
2220
2221 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2222
2223         New bytecode format for JSC
2224         https://bugs.webkit.org/show_bug.cgi?id=187373
2225         <rdar://problem/44186758>
2226
2227         Reviewed by Filip Pizlo.
2228
2229         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2230
2231         * stress/maximum-inline-capacity.js: Added.
2232         (test1):
2233         (test3.Foo):
2234         (test3):
2235
2236 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2237
2238         Unreviewed, rolling out r237479 and r237484.
2239         https://bugs.webkit.org/show_bug.cgi?id=190978
2240
2241         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2242
2243         Reverted changesets:
2244
2245         "New bytecode format for JSC"
2246         https://bugs.webkit.org/show_bug.cgi?id=187373
2247         https://trac.webkit.org/changeset/237479
2248
2249         "Gardening: Build fix after r237479."
2250         https://bugs.webkit.org/show_bug.cgi?id=187373
2251         https://trac.webkit.org/changeset/237484
2252
2253 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2254
2255         New bytecode format for JSC
2256         https://bugs.webkit.org/show_bug.cgi?id=187373
2257         <rdar://problem/44186758>
2258
2259         Reviewed by Filip Pizlo.
2260
2261         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2262
2263         * stress/maximum-inline-capacity.js: Added.
2264         (test1):
2265         (test3.Foo):
2266         (test3):
2267
2268 2018-10-26  Mark Lam  <mark.lam@apple.com>
2269
2270         Fix missing edge cases with JSGlobalObjects having a bad time.
2271         https://bugs.webkit.org/show_bug.cgi?id=189028
2272         <rdar://problem/45204939>
2273
2274         Reviewed by Saam Barati.
2275
2276         * stress/regress-189028.js: Added.
2277
2278 2018-10-22  Mark Lam  <mark.lam@apple.com>
2279
2280         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2281         https://bugs.webkit.org/show_bug.cgi?id=190515
2282         <rdar://problem/45222379>
2283
2284         Rubber-stamped by Saam Barati.
2285
2286         Adding another test.
2287
2288         * stress/regress-190515-2.js: Added.
2289
2290 2018-10-22  Mark Lam  <mark.lam@apple.com>
2291
2292         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2293         https://bugs.webkit.org/show_bug.cgi?id=190515
2294         <rdar://problem/45222379>
2295
2296         Reviewed by Saam Barati.
2297
2298         * stress/regress-190515.js: Added.
2299
2300 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2301
2302         Unreviewed, rolling out r237254.
2303         https://bugs.webkit.org/show_bug.cgi?id=190760
2304
2305         "It regresses JetStream 2 by 5% on some iOS devices"
2306         (Requested by saamyjoon on #webkit).
2307
2308         Reverted changeset:
2309
2310         "[JSC] JSC should have "parseFunction" to optimize Function
2311         constructor"
2312         https://bugs.webkit.org/show_bug.cgi?id=190340
2313         https://trac.webkit.org/changeset/237254
2314
2315 2018-10-19  Saam Barati  <sbarati@apple.com>
2316
2317         vmCall should check if we exit before emitting an OSR exit due to exceptions
2318         https://bugs.webkit.org/show_bug.cgi?id=190740
2319         <rdar://problem/45220139>
2320
2321         Reviewed by Mark Lam.
2322
2323         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2324         (foo):
2325
2326 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2327
2328         [ESNext][BigInt] Implement support for "^"
2329         https://bugs.webkit.org/show_bug.cgi?id=186235
2330
2331         Reviewed by Yusuke Suzuki.
2332
2333         * stress/big-int-bitwise-xor-general.js: Added.
2334         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2335         * stress/big-int-bitwise-xor-type-error.js: Added.
2336         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2337
2338 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2339
2340         [BigInt] Add ValueSub into DFG
2341         https://bugs.webkit.org/show_bug.cgi?id=186176
2342
2343         Reviewed by Yusuke Suzuki.
2344
2345         * stress/big-int-subtraction-jit.js:
2346         * stress/value-sub-big-int-prediction-propagation.js: Added.
2347         * stress/value-sub-big-int-untyped.js: Added.
2348         * stress/value-sub-spec-none-case.js: Added.
2349
2350 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2351
2352         [JSC] JSC should have "parseFunction" to optimize Function constructor
2353         https://bugs.webkit.org/show_bug.cgi?id=190340
2354
2355         Reviewed by Mark Lam.
2356
2357         This patch fixes the line number of syntax errors raised by the Function constructor,
2358         since we now parse the final code only once. And we no longer use block statement
2359         for Function constructor's parsing.
2360
2361         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2362         * stress/function-cache-with-parameters-end-position.js: Added.
2363         (shouldBe):
2364         (shouldThrow):
2365         (i.anonymous):
2366         * stress/function-constructor-name.js: Added.
2367         (shouldBe):
2368         (GeneratorFunction):
2369         (AsyncFunction.async):
2370         (AsyncGeneratorFunction.async):
2371         (anonymous):
2372         (async.anonymous):
2373         * test262/expectations.yaml:
2374
2375 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2376
2377         Unreviewed, rolling out r237242.
2378         https://bugs.webkit.org/show_bug.cgi?id=190701
2379
2380         it breaks "stress/sampling-profiler-basic.js" (Requested by
2381         caiolima on #webkit).
2382
2383         Reverted changeset:
2384
2385         "[BigInt] Add ValueSub into DFG"
2386         https://bugs.webkit.org/show_bug.cgi?id=186176
2387         https://trac.webkit.org/changeset/237242
2388
2389 2018-10-17  Keith Miller  <keith_miller@apple.com>
2390
2391         AI does not clear Phantom allocation nodes.
2392         https://bugs.webkit.org/show_bug.cgi?id=190694
2393
2394         Reviewed by Saam Barati.
2395
2396         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2397         (Day):
2398         (DaysInYear):
2399         (TimeInYear):
2400         (TimeFromYear):
2401         (DayFromYear):
2402         (InLeapYear):
2403         (YearFromTime):
2404         (WeekDay):
2405         (DaylightSavingTA):
2406         (GetSecondSundayInMarch):
2407         (TimeInMonth):
2408
2409 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2410
2411         [BigInt] Add ValueSub into DFG
2412         https://bugs.webkit.org/show_bug.cgi?id=186176
2413
2414         Reviewed by Yusuke Suzuki.
2415
2416         * stress/big-int-subtraction-jit.js:
2417         * stress/value-sub-big-int-prediction-propagation.js: Added.
2418         * stress/value-sub-big-int-untyped.js: Added.
2419
2420 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2421
2422         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2423         https://bugs.webkit.org/show_bug.cgi?id=190611
2424
2425         Reviewed by Saam Barati.
2426
2427         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2428         to improve test runtime. On ARM/MIPS this test even timed out when running all
2429         tests.
2430
2431         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2432         (test):
2433
2434 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2435
2436         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2437
2438         Unreviewed gardening.
2439
2440         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2441
2442 2018-10-15  Saam barati  <sbarati@apple.com>
2443
2444         Emit fjcvtzs on ARM64E on Darwin
2445         https://bugs.webkit.org/show_bug.cgi?id=184023
2446
2447         Reviewed by Yusuke Suzuki and Filip Pizlo.
2448
2449         * stress/double-to-int32-NaN.js: Added.
2450         (assert):
2451         (foo):
2452
2453 2018-10-15  Saam Barati  <sbarati@apple.com>
2454
2455         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2456         https://bugs.webkit.org/show_bug.cgi?id=190262
2457         <rdar://problem/44986241>
2458
2459         Reviewed by Mark Lam.
2460
2461         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2462         (test):
2463         * stress/slice-array-storage-with-holes.js: Added.
2464         (main):
2465
2466 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2467
2468         Unreviewed, rolling out r237054.
2469         https://bugs.webkit.org/show_bug.cgi?id=190593
2470
2471         "this regressed JetStream 2 by 6% on iOS" (Requested by
2472         saamyjoon on #webkit).
2473
2474         Reverted changeset:
2475
2476         "[JSC] JSC should have "parseFunction" to optimize Function
2477         constructor"
2478         https://bugs.webkit.org/show_bug.cgi?id=190340
2479         https://trac.webkit.org/changeset/237054
2480
2481 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2482
2483         [JSC] JSON.stringify can accept call-with-no-arguments
2484         https://bugs.webkit.org/show_bug.cgi?id=190343
2485
2486         Reviewed by Mark Lam.
2487
2488         * stress/json-stringify-no-arguments.js: Added.
2489         (shouldBe):
2490
2491 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2492
2493         [JSC] JSC should have "parseFunction" to optimize Function constructor
2494         https://bugs.webkit.org/show_bug.cgi?id=190340
2495
2496         Reviewed by Mark Lam.
2497
2498         This patch fixes the line number of syntax errors raised by the Function constructor,
2499         since we now parse the final code only once. And we no longer use block statement
2500         for Function constructor's parsing.
2501
2502         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2503         * stress/function-cache-with-parameters-end-position.js: Added.
2504         (shouldBe):
2505         (shouldThrow):
2506         (i.anonymous):
2507         * stress/function-constructor-name.js: Added.
2508         (shouldBe):
2509         (GeneratorFunction):
2510         (AsyncFunction.async):
2511         (AsyncGeneratorFunction.async):
2512         (anonymous):
2513         (async.anonymous):
2514         * test262/expectations.yaml:
2515
2516 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2517
2518         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2519         https://bugs.webkit.org/show_bug.cgi?id=190426
2520
2521         Unreviewed gardening.
2522
2523         * stress/sampling-profiler-richards.js:
2524
2525 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2526
2527         [ESNext][BigInt] Implement support for "|"
2528         https://bugs.webkit.org/show_bug.cgi?id=186229
2529
2530         Reviewed by Yusuke Suzuki.
2531
2532         * stress/big-int-bitwise-and-jit.js:
2533         * stress/big-int-bitwise-or-general.js: Added.
2534         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2535         * stress/big-int-bitwise-or-jit.js: Added.
2536         * stress/big-int-bitwise-or-memory-stress.js: Added.
2537         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2538         * stress/big-int-bitwise-or-type-error.js: Added.
2539         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2540
2541 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2542
2543         Skip test on systems with limited memory
2544         https://bugs.webkit.org/show_bug.cgi?id=190310
2545
2546         Invoking runDefault adds test to runlist, skipping the test in the next
2547         line does not prevent the test from executing. Change order of lines such
2548         that runDefault is only executed if test is not executed.
2549
2550         Reviewed by Mark Lam.
2551
2552         * stress/regress-190187.js:
2553
2554 2018-10-03  Saam barati  <sbarati@apple.com>
2555
2556         lowXYZ in FTLLower should always filter the type of the incoming edge
2557         https://bugs.webkit.org/show_bug.cgi?id=189939
2558         <rdar://problem/44407030>
2559
2560         Reviewed by Michael Saboff.
2561
2562         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2563         (foo):
2564         (test):
2565
2566 2018-10-03  Mark Lam  <mark.lam@apple.com>
2567
2568         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2569         https://bugs.webkit.org/show_bug.cgi?id=190187
2570         <rdar://problem/42512909>
2571
2572         Reviewed by Michael Saboff.
2573
2574         * stress/regress-190187.js: Added.
2575
2576 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2577
2578         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2579         https://bugs.webkit.org/show_bug.cgi?id=190033
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         * stress/big-int-to-string.js:
2584
2585 2018-10-01  Mark Lam  <mark.lam@apple.com>
2586
2587         Function.toString() should also copy the source code Functions that are class definitions.
2588         https://bugs.webkit.org/show_bug.cgi?id=190186
2589         <rdar://problem/44733360>
2590
2591         Reviewed by Saam Barati.
2592
2593         * stress/regress-190186.js: Added.
2594
2595 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2596
2597         Split NaN-check into separate test
2598         https://bugs.webkit.org/show_bug.cgi?id=190010
2599
2600         Reviewed by Saam Barati.
2601
2602         DataView exposes NaN-representation, which is not necessarily the same on each
2603         architecture. Therefore move the check of the NaN-representation into its own
2604         file such that we can disable this test on MIPS where NaN-representation can be
2605         different on older CPUs.
2606
2607         * stress/dataview-jit-set-nan.js: Added.
2608         (assert):
2609         (test.storeLittleEndian):
2610         (test.storeBigEndian):
2611         (test.store):
2612         (test):
2613         * stress/dataview-jit-set.js:
2614         (test5):
2615
2616 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2617
2618         Unreviewed, rolling out r236647.
2619         https://bugs.webkit.org/show_bug.cgi?id=190124
2620
2621         Breaking test stress/big-int-to-string.js (Requested by
2622         caiolima_ on #webkit).
2623
2624         Reverted changeset:
2625
2626         "[BigInt] BigInt.proptotype.toString is broken when radix is
2627         power of 2"
2628         https://bugs.webkit.org/show_bug.cgi?id=190033
2629         https://trac.webkit.org/changeset/236647
2630
2631 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2632
2633         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2634         https://bugs.webkit.org/show_bug.cgi?id=190033
2635
2636         Reviewed by Yusuke Suzuki.
2637
2638         * stress/big-int-to-string.js:
2639
2640 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2641
2642         [ESNext][BigInt] Implement support for "&"
2643         https://bugs.webkit.org/show_bug.cgi?id=186228
2644
2645         Reviewed by Yusuke Suzuki.
2646
2647         * stress/big-int-bitwise-and-general.js: Added.
2648         (assert):
2649         (assert.sameValue):
2650         * stress/big-int-bitwise-and-jit.js: Added.
2651         (let.assert.sameValue):
2652         (bigIntBitAnd):
2653         * stress/big-int-bitwise-and-memory-stress.js: Added.
2654         (assert):
2655         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2656         (assert.sameValue):
2657         (let.o.Symbol.toPrimitive):
2658         (catch):
2659         * stress/big-int-bitwise-and-type-error.js: Added.
2660         (assert):
2661         (assertThrowTypeError):
2662         (let.o.valueOf):
2663         (o.valueOf):
2664         (o.toString):
2665         (o.Symbol.toPrimitive):
2666         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2667         (assert.sameValue):
2668         (testBitAnd):
2669         (let.o.Symbol.toPrimitive):
2670         (o.valueOf):
2671         (o.toString):
2672
2673 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2674
2675         JSC test stress/jsc-read.js doesn't support CRLF
2676         https://bugs.webkit.org/show_bug.cgi?id=190063
2677
2678         Reviewed by Yusuke Suzuki.
2679
2680         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2681
2682         * stress/jsc-read.js:
2683         (test):
2684
2685 2018-09-27  Saam barati  <sbarati@apple.com>
2686
2687         Verify the contents of AssemblerBuffer on arm64e
2688         https://bugs.webkit.org/show_bug.cgi?id=190057
2689         <rdar://problem/38916630>
2690
2691         Reviewed by Mark Lam.
2692
2693         * stress/regress-189132.js:
2694
2695 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2696
2697         Disable test without LLInt on ARMv7
2698         https://bugs.webkit.org/show_bug.cgi?id=190037
2699
2700         Reviewed by Mark Lam.
2701
2702         Test runs out of executable memory on ARMv7, do not run
2703         this test without LLInt enabled.
2704
2705         * stress/regress-169445.js:
2706
2707 2018-09-26  Keith Miller  <keith_miller@apple.com>
2708
2709         We should zero unused property storage when rebalancing array storage.
2710         https://bugs.webkit.org/show_bug.cgi?id=188151
2711
2712         Reviewed by Michael Saboff.
2713
2714         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2715
2716 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2717
2718         [JSC] Optimize Array#lastIndexOf
2719         https://bugs.webkit.org/show_bug.cgi?id=189780
2720
2721         Reviewed by Saam Barati.
2722
2723         * stress/array-lastindexof-array-prototype-trap.js: Added.
2724         (shouldBe):
2725         (AncestorArray.prototype.get 2):
2726         (AncestorArray):
2727         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2728         (shouldBe):
2729         * stress/array-lastindexof-hole-nan.js: Added.
2730         (shouldBe):
2731         (throw.new.Error):
2732         * stress/array-lastindexof-infinity.js: Added.
2733         (shouldBe):
2734         (throw.new.Error):
2735         * stress/array-lastindexof-negative-zero.js: Added.
2736         (shouldBe):
2737         (throw.new.Error):
2738         * stress/array-lastindexof-own-getter.js: Added.
2739         (shouldBe):
2740         (throw.new.Error.get array):
2741         (get array):
2742         * stress/array-lastindexof-prototype-trap.js: Added.
2743         (shouldBe):
2744         (DerivedArray.prototype.get 2):
2745         (DerivedArray):
2746
2747 2018-09-25  Saam Barati  <sbarati@apple.com>
2748
2749         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2750         https://bugs.webkit.org/show_bug.cgi?id=189940
2751         <rdar://problem/43640987>
2752
2753         Reviewed by Mark Lam.
2754
2755         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2756
2757 2018-09-24  Saam Barati  <sbarati@apple.com>
2758
2759         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2760         https://bugs.webkit.org/show_bug.cgi?id=189922
2761         <rdar://problem/44651275>
2762
2763         Reviewed by Mark Lam.
2764
2765         * stress/array-indexof-fast-path-effects.js: Added.
2766         * stress/array-indexof-cached-length.js: Added.
2767
2768 2018-09-24  Saam barati  <sbarati@apple.com>
2769
2770         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2771         https://bugs.webkit.org/show_bug.cgi?id=189682
2772         <rdar://problem/43557315>
2773
2774         Reviewed by Mark Lam.
2775
2776         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2777         (foo):
2778
2779 2018-09-22  Saam barati  <sbarati@apple.com>
2780
2781         The sampling should not use Strong<CodeBlock> in its machineLocation field
2782         https://bugs.webkit.org/show_bug.cgi?id=189319
2783
2784         Reviewed by Filip Pizlo.
2785
2786         * stress/sampling-profiler-richards.js: Added.
2787
2788 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2789
2790         [JSC] Optimize Array#indexOf in C++ runtime
2791         https://bugs.webkit.org/show_bug.cgi?id=189507
2792
2793         Reviewed by Saam Barati.
2794
2795         * stress/array-indexof-array-prototype-trap.js: Added.
2796         (shouldBe):
2797         (AncestorArray.prototype.get 2):
2798         (AncestorArray):
2799         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2800         (shouldBe):
2801         * stress/array-indexof-hole-nan.js: Added.
2802         (shouldBe):
2803         (throw.new.Error):
2804         * stress/array-indexof-infinity.js: Added.
2805         (shouldBe):
2806         (throw.new.Error):
2807         * stress/array-indexof-negative-zero.js: Added.
2808         (shouldBe):
2809         (throw.new.Error):
2810         * stress/array-indexof-own-getter.js: Added.
2811         (shouldBe):
2812         (throw.new.Error.get array):
2813         (get array):
2814         * stress/array-indexof-prototype-trap.js: Added.
2815         (shouldBe):
2816         (DerivedArray.prototype.get 2):
2817         (DerivedArray):
2818
2819 2018-09-19  Saam barati  <sbarati@apple.com>
2820
2821         AI rule for MultiPutByOffset executes its effects in the wrong order
2822         https://bugs.webkit.org/show_bug.cgi?id=189757
2823         <rdar://problem/43535257>
2824
2825         Reviewed by Michael Saboff.
2826
2827         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2828         (foo):
2829         (Foo):
2830         (g):
2831
2832 2018-09-17  Mark Lam  <mark.lam@apple.com>
2833
2834         Ensure that ForInContexts are invalidated if their loop local is over-written.
2835         https://bugs.webkit.org/show_bug.cgi?id=189571
2836         <rdar://problem/44402277>
2837
2838         Reviewed by Saam Barati.
2839
2840         * stress/regress-189571.js: Added.
2841
2842 2018-09-17  Saam barati  <sbarati@apple.com>
2843
2844         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2845         https://bugs.webkit.org/show_bug.cgi?id=189676
2846         <rdar://problem/39682897>
2847
2848         Reviewed by Michael Saboff.
2849
2850         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2851         (A):
2852         (K):
2853         (i.catch):
2854
2855 2018-09-14  Saam barati  <sbarati@apple.com>
2856
2857         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2858         https://bugs.webkit.org/show_bug.cgi?id=189628
2859         <rdar://problem/39481690>
2860
2861         Reviewed by Mark Lam.
2862
2863         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2864         (foo):
2865
2866 2018-09-11  Mark Lam  <mark.lam@apple.com>
2867
2868         Test for array initialization in arrayProtoFuncSplice.
2869         https://bugs.webkit.org/show_bug.cgi?id=170253
2870         <rdar://problem/31328773>
2871
2872         Rubber-stamped by Saam Barati.
2873
2874         * stress/regress-170253.js: Added.
2875
2876 2018-09-11  Mark Lam  <mark.lam@apple.com>
2877
2878         Test for IntlObject initialization.
2879         https://bugs.webkit.org/show_bug.cgi?id=170251
2880         <rdar://problem/31328419>
2881
2882         Rubber-stamped by Saam Barati.
2883
2884         * stress/regress-170251.js: Added.
2885
2886 2018-09-11  Mark Lam  <mark.lam@apple.com>
2887
2888         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2889         https://bugs.webkit.org/show_bug.cgi?id=169889
2890         <rdar://problem/31155607>
2891
2892         Reviewed by Saam Barati.
2893
2894         * stress/regress-169889-array-concat.js: Added.
2895         * stress/regress-169889-array-concat1.js: Added.
2896         * stress/regress-169889-array-slice.js: Added.
2897
2898 2018-09-11  Mark Lam  <mark.lam@apple.com>
2899
2900         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2901         https://bugs.webkit.org/show_bug.cgi?id=169445
2902         <rdar://problem/30957435>
2903
2904         Reviewed by Saam Barati.
2905
2906         * stress/regress-169445.js: Added.
2907         (let.gun.eval.A):
2908         (let.gun.eval.B.C):
2909         (let.gun.eval.B.C.prototype.trigger):
2910         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2911         (let.gun.eval.B):
2912         (let.gun.eval):
2913
2914 == Rolled over to ChangeLog-2018-09-11 ==