[JSC] Optimize Object.keys by caching own keys results in StructureRareData
[WebKit-https.git] / JSTests / ChangeLog
1 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
4         https://bugs.webkit.org/show_bug.cgi?id=190047
5
6         Reviewed by Saam Barati.
7
8         * stress/object-keys-cached-zero.js: Added.
9         (shouldBe):
10         (test):
11         * stress/object-keys-changed-attribute.js: Added.
12         (shouldBe):
13         (test):
14         * stress/object-keys-changed-index.js: Added.
15         (shouldBe):
16         (test):
17         * stress/object-keys-changed.js: Added.
18         (shouldBe):
19         (test):
20         * stress/object-keys-indexed-non-cache.js: Added.
21         (shouldBe):
22         (test):
23         * stress/object-keys-overrides-get-property-names.js: Added.
24         (shouldBe):
25         (test):
26         (noInline):
27
28 2018-12-17  Mark Lam  <mark.lam@apple.com>
29
30         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
31         https://bugs.webkit.org/show_bug.cgi?id=192779
32         <rdar://problem/46775869>
33
34         Reviewed by Saam Barati.
35
36         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
37
38 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
39
40         Unreviewed test gardening, address a syntax error in a new test.
41
42         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
43
44 2018-12-17  Mark Lam  <mark.lam@apple.com>
45
46         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
47         https://bugs.webkit.org/show_bug.cgi?id=192776
48         <rdar://problem/46772368>
49
50         Reviewed by Keith Miller.
51
52         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
53
54 2018-12-17  Mark Lam  <mark.lam@apple.com>
55
56         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
57         https://bugs.webkit.org/show_bug.cgi?id=192770
58         <rdar://problem/46449037>
59
60         Reviewed by Keith Miller.
61
62         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
63
64 2018-12-14  Mark Lam  <mark.lam@apple.com>
65
66         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
67         https://bugs.webkit.org/show_bug.cgi?id=192717
68         <rdar://problem/46660677>
69
70         Reviewed by Saam Barati.
71
72         * stress/regress-192717.js: Added.
73
74 2018-12-14  Commit Queue  <commit-queue@webkit.org>
75
76         Unreviewed, rolling out r239153, r239154, and r239155.
77         https://bugs.webkit.org/show_bug.cgi?id=192715
78
79         Caused flaky GC-related crashes seen with layout tests
80         (Requested by ryanhaddad on #webkit).
81
82         Reverted changesets:
83
84         "[JSC] Optimize Object.keys by caching own keys results in
85         StructureRareData"
86         https://bugs.webkit.org/show_bug.cgi?id=190047
87         https://trac.webkit.org/changeset/239153
88
89         "Unreviewed, build fix after r239153"
90         https://bugs.webkit.org/show_bug.cgi?id=190047
91         https://trac.webkit.org/changeset/239154
92
93         "Unreviewed, build fix after r239153, part 2"
94         https://bugs.webkit.org/show_bug.cgi?id=190047
95         https://trac.webkit.org/changeset/239155
96
97 2018-12-14  Keith Miller  <keith_miller@apple.com>
98
99         Callers of JSString::getIndex should check for OOM exceptions
100         https://bugs.webkit.org/show_bug.cgi?id=192709
101
102         Reviewed by Mark Lam.
103
104         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
105
106 2018-12-13  Mark Lam  <mark.lam@apple.com>
107
108         Add a missing exception check.
109         https://bugs.webkit.org/show_bug.cgi?id=192626
110         <rdar://problem/46662163>
111
112         Reviewed by Keith Miller.
113
114         * stress/regress-192626.js: Added.
115
116 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
117
118         [BigInt] Add ValueDiv into DFG
119         https://bugs.webkit.org/show_bug.cgi?id=186178
120
121         Reviewed by Yusuke Suzuki.
122
123         * stress/big-int-div-jit-osr.js: Added.
124         * stress/big-int-div-jit-untyped.js: Added.
125         * stress/value-div-fixup-int32-big-int.js: Added.
126
127 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
128
129         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
130         https://bugs.webkit.org/show_bug.cgi?id=190047
131
132         Reviewed by Keith Miller.
133
134         * stress/object-keys-cached-zero.js: Added.
135         (shouldBe):
136         (test):
137         * stress/object-keys-changed-attribute.js: Added.
138         (shouldBe):
139         (test):
140         * stress/object-keys-changed-index.js: Added.
141         (shouldBe):
142         (test):
143         * stress/object-keys-changed.js: Added.
144         (shouldBe):
145         (test):
146         * stress/object-keys-indexed-non-cache.js: Added.
147         (shouldBe):
148         (test):
149         * stress/object-keys-overrides-get-property-names.js: Added.
150         (shouldBe):
151         (test):
152         (noInline):
153
154 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
155
156         [DFG][FTL] Add NewSymbol
157         https://bugs.webkit.org/show_bug.cgi?id=192620
158
159         Reviewed by Saam Barati.
160
161         * microbenchmarks/symbol-creation.js: Added.
162         (test):
163         * stress/symbol-description-identity.js: Added.
164         (shouldBe):
165         (test):
166         * stress/symbol-identity.js: Added.
167         (shouldBe):
168         (test):
169         * stress/symbol-with-description-throw-error.js: Added.
170         (shouldBe):
171         (shouldThrow):
172         (test):
173         (object.toString):
174
175 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
176
177         [BigInt] Implement DFG/FTL typeof for BigInt
178         https://bugs.webkit.org/show_bug.cgi?id=192619
179
180         Reviewed by Keith Miller.
181
182         * stress/big-int-boolean-proven-type.js: Added.
183         (assert):
184         (bool):
185         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
186         (assert):
187         (typeOf):
188         (i.switch):
189         * stress/big-int-type-of-proven-type-non-constant.js: Added.
190         (assert):
191         (typeOf):
192         * stress/big-int-type-of.js:
193         (typeOf):
194         (func):
195
196 2018-12-10  Mark Lam  <mark.lam@apple.com>
197
198         PropertyAttribute needs a CustomValue bit.
199         https://bugs.webkit.org/show_bug.cgi?id=191993
200         <rdar://problem/46264467>
201
202         Reviewed by Saam Barati.
203
204         * stress/regress-191993.js: Added.
205
206 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
207
208         [BigInt] Add ValueMul into DFG
209         https://bugs.webkit.org/show_bug.cgi?id=186175
210
211         Reviewed by Yusuke Suzuki.
212
213         * stress/big-int-mul-jit-osr.js: Added.
214         * stress/big-int-mul-jit-untyped.js: Added.
215         * stress/value-mul-fixup-int32-big-int.js: Added.
216
217 2018-12-06  Keith Miller  <keith_miller@apple.com>
218
219         stress/big-wasm-memory tests failing on 32-bit JSC bot
220         https://bugs.webkit.org/show_bug.cgi?id=192020
221
222         Reviewed by Saam Barati.
223
224         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
225         the wasm stress tests if the WebAssembly object does not exist.
226
227         * stress/big-wasm-memory-grow-no-max.js:
228         (test.foo):
229         (test):
230         (foo): Deleted.
231         (catch): Deleted.
232         * stress/big-wasm-memory-grow.js:
233         (test.foo):
234         (test):
235         (foo): Deleted.
236         (catch): Deleted.
237         * stress/big-wasm-memory.js:
238         (test.foo):
239         (test):
240         (foo): Deleted.
241         (catch): Deleted.
242
243 2018-12-05  Mark Lam  <mark.lam@apple.com>
244
245         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
246         https://bugs.webkit.org/show_bug.cgi?id=192441
247         <rdar://problem/46480355>
248
249         Reviewed by Saam Barati.
250
251         * stress/regress-192441.js: Added.
252
253 2018-12-04  Mark Lam  <mark.lam@apple.com>
254
255         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
256         https://bugs.webkit.org/show_bug.cgi?id=192386
257         <rdar://problem/46445516>
258
259         Reviewed by Saam Barati.
260
261         * stress/regress-192386.js: Added.
262
263 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
264
265         [ESNext][BigInt] Support logic operations
266         https://bugs.webkit.org/show_bug.cgi?id=179903
267
268         Reviewed by Yusuke Suzuki.
269
270         * stress/big-int-branch-usage.js: Added.
271         * stress/big-int-logical-and.js: Added.
272         * stress/big-int-logical-not.js: Added.
273         * stress/big-int-logical-or.js: Added.
274
275 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
276
277         Unreviewed, rolling out r238833.
278
279         Breaks macOS and iOS debug builds.
280
281         Reverted changeset:
282
283         "[ESNext][BigInt] Support logic operations"
284         https://bugs.webkit.org/show_bug.cgi?id=179903
285         https://trac.webkit.org/changeset/238833
286
287 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
288
289         [ESNext][BigInt] Support logic operations
290         https://bugs.webkit.org/show_bug.cgi?id=179903
291
292         Reviewed by Yusuke Suzuki.
293
294         * stress/big-int-branch-usage.js: Added.
295         * stress/big-int-logical-and.js: Added.
296         * stress/big-int-logical-not.js: Added.
297         * stress/big-int-logical-or.js: Added.
298
299 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
300
301         [ESNext][BigInt] Implement support for "<<" and ">>"
302         https://bugs.webkit.org/show_bug.cgi?id=186233
303
304         Reviewed by Yusuke Suzuki.
305
306         * stress/big-int-left-shift-general.js: Added.
307         * stress/big-int-left-shift-range-error.js: Added.
308         * stress/big-int-left-shift-type-error.js: Added.
309         * stress/big-int-left-shift-wrapped-value.js: Added.
310         * stress/big-int-right-shift-general.js: Added.
311         * stress/big-int-right-shift-type-error.js: Added.
312         * stress/big-int-right-shift-wrapped-value.js: Added.
313         * stress/left-shift-to-primitive-precedence.js: Added.
314         * stress/right-shift-to-primitive-precedence.js: Added.
315
316 2018-11-30  Dean Jackson  <dino@apple.com>
317
318         Add first-class support for .mjs files in jsc binary
319         https://bugs.webkit.org/show_bug.cgi?id=192190
320         <rdar://problem/46375715>
321
322         Reviewed by Keith Miller.
323
324         * stress/simple-module.mjs: Added.
325         * stress/simple-script.js: Added.
326
327 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
328
329         [BigInt] Implement ValueBitXor into DFG
330         https://bugs.webkit.org/show_bug.cgi?id=190264
331
332         Reviewed by Yusuke Suzuki.
333
334         * stress/big-int-bitwise-xor-jit.js: Added.
335         * stress/big-int-bitwise-xor-memory-stress.js: Added.
336         * stress/big-int-bitwise-xor-untyped.js: Added.
337
338 2018-11-27  Saam barati  <sbarati@apple.com>
339
340         r238510 broke scopes of size zero
341         https://bugs.webkit.org/show_bug.cgi?id=192033
342         <rdar://problem/46281734>
343
344         Reviewed by Keith Miller.
345
346         * stress/r238510-bad-loop.js: Added.
347         (foo):
348
349 2018-11-27  Mark Lam  <mark.lam@apple.com>
350
351         [Re-landing] NaNs read from Wasm code needs to be be purified.
352         https://bugs.webkit.org/show_bug.cgi?id=191056
353         <rdar://problem/45660341>
354
355         Reviewed by Filip Pizlo.
356
357         * wasm/regress/regress-191056.js: Added.
358
359 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
360
361         Unreviewed, rolling out r238509.
362
363         Causes JSC tests to fail on iOS.
364
365         Reverted changeset:
366
367         "NaNs read from Wasm code needs to be be purified."
368         https://bugs.webkit.org/show_bug.cgi?id=191056
369         https://trac.webkit.org/changeset/238509
370
371 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
372
373         Re-introduce op_bitnot
374         https://bugs.webkit.org/show_bug.cgi?id=190923
375
376         Reviewed by Yusuke Suzuki.
377
378         * stress/bit-not-must-generate.js: Added.
379         * stress/bitwise-not-no-int32.js: Added.
380
381 2018-11-26  Saam barati  <sbarati@apple.com>
382
383         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
384         https://bugs.webkit.org/show_bug.cgi?id=191956
385         <rdar://problem/45665806>
386
387         Reviewed by Yusuke Suzuki.
388
389         * stress/end-basic-block-set-local-should-filter-type.js: Added.
390         (bar):
391         (foo):
392
393 2018-11-26  Saam barati  <sbarati@apple.com>
394
395         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
396         https://bugs.webkit.org/show_bug.cgi?id=191958
397         <rdar://problem/46221877>
398
399         Reviewed by Yusuke Suzuki.
400
401         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
402         (x):
403         (foo):
404
405 2018-11-26  Mark Lam  <mark.lam@apple.com>
406
407         NaNs read from Wasm code needs to be be purified.
408         https://bugs.webkit.org/show_bug.cgi?id=191056
409         <rdar://problem/45660341>
410
411         Reviewed by Filip Pizlo.
412
413         * wasm/regress/regress-191056.js: Added.
414
415 2018-11-26  Michael Saboff  <msaboff@apple.com>
416
417         32-bit JSC test failure: stress/regexp-compile-oom.js
418         https://bugs.webkit.org/show_bug.cgi?id=191375
419
420         Reviewed by Mark Lam.
421
422         Disabled the test for 32 bit platforms.
423
424         * stress/regexp-compile-oom.js:
425
426 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
427
428         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
429         https://bugs.webkit.org/show_bug.cgi?id=191716
430         <rdar://problem/45723878>
431
432         Reviewed by Saam Barati.
433
434         * stress/regress-187373.js: Added.
435         (async.fn):
436
437 2018-11-21  Saam barati  <sbarati@apple.com>
438
439         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
440         https://bugs.webkit.org/show_bug.cgi?id=191897
441         <rdar://problem/45871998>
442
443         Reviewed by Mark Lam.
444
445         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
446         (bar):
447         (foo):
448
449 2018-11-21  Saam barati  <sbarati@apple.com>
450
451         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
452         https://bugs.webkit.org/show_bug.cgi?id=191895
453         <rdar://problem/46167406>
454
455         Reviewed by Mark Lam.
456
457         * stress/known-cell-use-needs-type-check-assertion.js: Added.
458         (foo):
459         (bar):
460
461 2018-11-21  Mark Lam  <mark.lam@apple.com>
462
463         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
464         https://bugs.webkit.org/show_bug.cgi?id=191776
465         <rdar://problem/46152851>
466
467         Reviewed by Saam Barati.
468
469         * stress/big-wasm-memory-grow-no-max.js:
470         * stress/big-wasm-memory-grow.js:
471         * stress/big-wasm-memory.js:
472         - updated these to expect an OutOfMemoryError.
473
474         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
475         (Binary.prototype.emit_u8):
476         (Binary.prototype.emit_u32v):
477         (Binary.prototype.emit_header):
478         (Binary.prototype.emit_section):
479         (Binary):
480         (WasmModuleBuilder):
481         (WasmModuleBuilder.prototype.addMemory):
482         (WasmModuleBuilder.prototype.toArray):
483         (WasmModuleBuilder.prototype.toBuffer):
484         (WasmModuleBuilder.prototype.instantiate):
485         (catch):
486         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
487         (catch):
488
489 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
490
491         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
492         https://bugs.webkit.org/show_bug.cgi?id=190836
493
494         Reviewed by Saam Barati and Yusuke Suzuki.
495
496         * stress/big-int-out-of-memory-tests.js: Added.
497
498 2018-11-20  Mark Lam  <mark.lam@apple.com>
499
500         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
501         https://bugs.webkit.org/show_bug.cgi?id=191856
502         <rdar://problem/46089992>
503
504         Reviewed by Yusuke Suzuki.
505
506         * stress/regress-191856.js: Added.
507         - this test is skipped for now until we have a fix for webkit.org/b/191855.
508
509 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
510
511         Enable JIT on ARM/Linux
512         https://bugs.webkit.org/show_bug.cgi?id=191548
513
514         Reviewed by Yusuke Suzuki.
515
516         Disable test on system with limited memory. Program was killed by
517         the OS before the exception was thrown.
518
519         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
520
521 2018-11-20  Saam barati  <sbarati@apple.com>
522
523         Merging an IC variant may lead to the IC status containing overlapping structure sets
524         https://bugs.webkit.org/show_bug.cgi?id=191869
525         <rdar://problem/45403453>
526
527         Reviewed by Mark Lam.
528
529         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
530
531 2018-11-19  Mark Lam  <mark.lam@apple.com>
532
533         globalFuncImportModule() should return a promise when it clears exceptions.
534         https://bugs.webkit.org/show_bug.cgi?id=191792
535         <rdar://problem/46090763>
536
537         Reviewed by Michael Saboff.
538
539         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
540
541 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
542
543         Skip new memory-hungry tests on memory limited devices
544
545         Unreviewed gardening.
546
547         * stress/big-wasm-memory-grow-no-max.js:
548         * stress/big-wasm-memory-grow.js:
549         * stress/big-wasm-memory.js:
550
551 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
552
553         Unreviewed, rolling in the rest of r237254
554         https://bugs.webkit.org/show_bug.cgi?id=190340
555
556         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
557         * stress/function-cache-with-parameters-end-position.js: Added.
558         (shouldBe):
559         (shouldThrow):
560         (i.anonymous):
561         * stress/function-constructor-name.js: Added.
562         (shouldBe):
563         (GeneratorFunction):
564         (AsyncFunction.async):
565         (AsyncGeneratorFunction.async):
566         (anonymous):
567         (async.anonymous):
568         * test262/expectations.yaml:
569
570 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
571
572         All users of ArrayBuffer should agree on the same max size
573         https://bugs.webkit.org/show_bug.cgi?id=191771
574
575         Reviewed by Mark Lam.
576
577         * stress/big-wasm-memory-grow-no-max.js: Added.
578         (foo):
579         (catch):
580         * stress/big-wasm-memory-grow.js: Added.
581         (foo):
582         (catch):
583         * stress/big-wasm-memory.js: Added.
584         (foo):
585         (catch):
586
587 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
588
589         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
590         run for each JSC config since they're regression tests for runtime bugs.
591
592         * stress/json-stringified-overflow-2.js:
593         * stress/json-stringified-overflow.js:
594
595 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
596
597         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
598         config since they're regression tests for runtime bugs.
599
600         * stress/large-unshift-splice.js:
601         * stress/regress-185888.js:
602
603 2018-11-16  Saam Barati  <sbarati@apple.com>
604
605         KnownCellUse should also have SpecCellCheck as its type filter
606         https://bugs.webkit.org/show_bug.cgi?id=191729
607         <rdar://problem/45872852>
608
609         Reviewed by Filip Pizlo.
610
611         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
612         (C):
613
614 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
615
616         Fix assertion failure on BytecodeGenerator::recordOpcode
617         https://bugs.webkit.org/show_bug.cgi?id=191724
618         <rdar://problem/45724395>
619
620         Reviewed by Saam Barati.
621
622         * stress/regress-187373-2.js: Added.
623         (foo):
624
625 2018-11-15  Mark Lam  <mark.lam@apple.com>
626
627         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
628         https://bugs.webkit.org/show_bug.cgi?id=191730
629         <rdar://problem/46048517>
630
631         Reviewed by Saam Barati.
632
633         * stress/regress-187006.js: Removed.
634           - this test is invalid because its sole purpose is to test for the non-spec
635             compliant behavior that we just fixed.
636
637         * stress/regress-191730.js: Added.
638
639 2018-11-15  Mark Lam  <mark.lam@apple.com>
640
641         RegExp operations should not take fast patch if lastIndex is not numeric.
642         https://bugs.webkit.org/show_bug.cgi?id=191731
643         <rdar://problem/46017305>
644
645         Reviewed by Saam Barati.
646
647         * stress/regress-191731.js: Added.
648
649 2018-11-13  Saam Barati  <sbarati@apple.com>
650
651         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
652         https://bugs.webkit.org/show_bug.cgi?id=191600
653
654         Reviewed by Mark Lam.
655
656         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
657         (foo):
658         (test):
659         (bar):
660
661 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
662
663         Unreviewed, rolling out r238132.
664
665         The test added with this change is timing out on Debug JSC
666         bots.
667
668         Reverted changeset:
669
670         "[BigInt] JSBigInt::createWithLength should throw when length
671         is greater than JSBigInt::maxLength"
672         https://bugs.webkit.org/show_bug.cgi?id=190836
673         https://trac.webkit.org/changeset/238132
674
675 2018-11-13  Mark Lam  <mark.lam@apple.com>
676
677         Add OOM detection to StringPrototype's substituteBackreferences().
678         https://bugs.webkit.org/show_bug.cgi?id=191563
679         <rdar://problem/45720428>
680
681         Reviewed by Saam Barati.
682
683         * stress/regress-191563.js: Added.
684
685 2018-11-13  Mark Lam  <mark.lam@apple.com>
686
687         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
688         https://bugs.webkit.org/show_bug.cgi?id=191579
689         <rdar://problem/45942472>
690
691         Reviewed by Saam Barati.
692
693         * stress/regress-191579.js: Added.
694
695 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
696
697         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
698         https://bugs.webkit.org/show_bug.cgi?id=190836
699
700         Reviewed by Saam Barati.
701
702         * stress/big-int-out-of-memory-tests.js: Added.
703
704 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
705
706         U+180E is no longer a whitespace character
707         https://bugs.webkit.org/show_bug.cgi?id=191415
708
709         Reviewed by Saam Barati.
710
711         * ChakraCore/test/es5/regexSpace.baseline:
712         * ChakraCore/test/es6/unicode_whitespace.js:
713         Update tests to latest version.
714         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
715
716         * test262.yaml:
717         * test262/config.yaml:
718         * test262/expectations.yaml:
719         Update expectations.
720
721 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
722
723         [BigInt] Add support to BigInt into ValueAdd
724         https://bugs.webkit.org/show_bug.cgi?id=186177
725
726         Reviewed by Keith Miller.
727
728         * stress/big-int-negate-jit.js:
729         * stress/value-add-big-int-and-string.js: Added.
730         * stress/value-add-big-int-prediction-propagation.js: Added.
731         * stress/value-add-big-int-untyped.js: Added.
732
733 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
734
735         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
736         https://bugs.webkit.org/show_bug.cgi?id=191184
737
738         Reviewed by Saam Barati.
739
740         Most tests were failing due to timeouts, since they are too slow to
741         run on CLoop. The exceptions are:
742
743         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
744         dont-crash-on-stack-overflow-when-parsing-builtin.js and
745         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
746         to change the stack size since CLoop requires it to be page aligned.
747
748         * microbenchmarks/array-push-1.js:
749         * microbenchmarks/array-push-2.js:
750         * microbenchmarks/elidable-new-object-dag.js:
751         * microbenchmarks/elidable-new-object-roflcopter.js:
752         * microbenchmarks/elidable-new-object-tree.js:
753         * microbenchmarks/getter-richards.js:
754         * microbenchmarks/sinkable-new-object-dag.js:
755         * microbenchmarks/string-concat-long-convert.js:
756         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
757         * slowMicrobenchmarks/array-push-3.js:
758         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
759         * slowMicrobenchmarks/spread-small-array.js:
760         * slowMicrobenchmarks/undefined-property-access.js:
761         * stress/activation-sink-default-value-tdz-error.js:
762         * stress/activation-sink-default-value.js:
763         * stress/activation-sink-osrexit-default-value-tdz-error.js:
764         * stress/activation-sink-osrexit-default-value.js:
765         * stress/activation-sink-osrexit.js:
766         * stress/activation-sink.js:
767         * stress/allow-math-ic-b3-code-duplication.js:
768         * stress/array-push-multiple-int32.js:
769         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
770         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
771         * stress/arrowfunction-lexical-this-activation-sink.js:
772         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
773         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
774         * stress/elide-new-object-dag-then-exit.js:
775         * stress/materialize-regexp-cyclic.js:
776         * stress/new-regex-inline.js:
777         * stress/op_add.js:
778         * stress/op_bitand.js:
779         * stress/op_bitor.js:
780         * stress/op_bitxor.js:
781         * stress/op_div-ConstVar.js:
782         * stress/op_div-VarConst.js:
783         * stress/op_div-VarVar.js:
784         * stress/op_lshift-ConstVar.js:
785         * stress/op_lshift-VarConst.js:
786         * stress/op_lshift-VarVar.js:
787         * stress/op_mod-ConstVar.js:
788         * stress/op_mod-VarConst.js:
789         * stress/op_mod-VarVar.js:
790         * stress/op_mul-ConstVar.js:
791         * stress/op_mul-VarConst.js:
792         * stress/op_mul-VarVar.js:
793         * stress/op_rshift-ConstVar.js:
794         * stress/op_rshift-VarConst.js:
795         * stress/op_rshift-VarVar.js:
796         * stress/op_sub-ConstVar.js:
797         * stress/op_sub-VarConst.js:
798         * stress/op_sub-VarVar.js:
799         * stress/op_urshift-ConstVar.js:
800         * stress/op_urshift-VarConst.js:
801         * stress/op_urshift-VarVar.js:
802         * stress/proxy-get-set-correct-receiver.js:
803         * stress/regress-179562.js:
804         * stress/rest-parameter-many-arguments.js:
805         * stress/sampling-profiler-richards.js:
806         * stress/splay-flash-access-1ms.js:
807         * stress/tailCallForwardArguments.js:
808         * stress/typed-array-get-by-val-profiling.js:
809         * typeProfiler/getter-richards.js:
810
811 2018-11-06  Michael Saboff  <msaboff@apple.com>
812
813         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
814         https://bugs.webkit.org/show_bug.cgi?id=191271
815
816         Reviewed by Saam Barati.
817
818         Added more test cases and made all test cases run with the same deeply recursive stack
819         instead of finding that same point for each test case.
820
821         * stress/regexp-compile-oom.js:
822         (prototype.runTest):
823         (recurseAndTest):
824         (testList.push.new.TestAndExpectedException):
825
826 2018-11-05  Michael Saboff  <msaboff@apple.com>
827
828         Unreviewed build fix for linux.
829
830         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
831
832 2018-11-02  Michael Saboff  <msaboff@apple.com>
833
834         Rolling in r237753 with unreviewed build fix.
835
836         Fixed issues with DECLARE_THROW_SCOPE placement.
837
838 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
839
840         Unreviewed, rolling out r237753.
841
842         Introduced JSC test failures
843
844         Reverted changeset:
845
846         "Running out of stack space not properly handled in
847         RegExp::compile() and its callers"
848         https://bugs.webkit.org/show_bug.cgi?id=191206
849         https://trac.webkit.org/changeset/237753
850
851 2018-11-02  Michael Saboff  <msaboff@apple.com>
852
853         Running out of stack space not properly handled in RegExp::compile() and its callers
854         https://bugs.webkit.org/show_bug.cgi?id=191206
855
856         Reviewed by Filip Pizlo.
857
858         New regression test.
859
860         * stress/regexp-compile-oom.js: Added.
861         (recurseAndTest):
862
863 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
864
865         Skip tests on arm/mips that time out now we're running on CLoop
866
867         Unreviewed gardening.
868
869         Since the JIT is temporarily disabled on 32-bit platforms, these tests
870         time out on the bots and need to be disabled. There's more tests
871         disabled on arm because the timeout is longer on the mips bot (as the
872         device is slower to start with), so many of the tests don't time out
873         there.
874
875         * microbenchmarks/getter-richards.js: disable on arm and mips.
876         * stress/op_add.js: disable on arm.
877         * stress/op_bitand.js: disable on arm.
878         * stress/op_bitor.js: disable on arm.
879         * stress/op_bitxor.js: disable on arm.
880         * stress/op_lshift-ConstVar.js: disable on arm.
881         * stress/op_lshift-VarConst.js: disable on arm.
882         * stress/op_lshift-VarVar.js: disable on arm.
883         * stress/op_mod-ConstVar.js: disable on arm.
884         * stress/op_mod-VarConst.js: disable on arm.
885         * stress/op_mod-VarVar.js: disable on arm.
886         * stress/op_mul-ConstVar.js: disable on arm.
887         * stress/op_mul-VarConst.js: disable on arm.
888         * stress/op_mul-VarVar.js: disable on arm.
889         * stress/op_rshift-ConstVar.js: disable on arm.
890         * stress/op_rshift-VarConst.js: disable on arm.
891         * stress/op_rshift-VarVar.js: disable on arm.
892         * stress/op_sub-ConstVar.js: disable on arm.
893         * stress/op_sub-VarConst.js: disable on arm.
894         * stress/op_sub-VarVar.js: disable on arm.
895         * stress/op_urshift-ConstVar.js: disable on arm.
896         * stress/op_urshift-VarConst.js: disable on arm.
897         * stress/op_urshift-VarVar.js: disable on arm.
898         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
899         * stress/value-to-boolean.js: disable on arm and mips.
900
901 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
902
903         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
904         https://bugs.webkit.org/show_bug.cgi?id=191108
905         <rdar://problem/45690700>
906
907         Reviewed by Saam Barati.
908
909         * stress/wide-op_catch.js: Added.
910         (catch):
911
912 2018-10-29  Mark Lam  <mark.lam@apple.com>
913
914         Correctly detect string overflow when using the 'Function' constructor.
915         https://bugs.webkit.org/show_bug.cgi?id=184883
916         <rdar://problem/36320331>
917
918         Reviewed by Saam Barati.
919
920         I've verified that this passes on 32-bit as well.
921
922         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
923
924 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
925
926         Add support for GetStack FlushedDouble
927         https://bugs.webkit.org/show_bug.cgi?id=191012
928         <rdar://problem/45265141>
929
930         Reviewed by Saam Barati.
931
932         * stress/get-stack-double.js: Added.
933         (bar):
934         (noInline):
935
936 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
937
938         New bytecode format for JSC
939         https://bugs.webkit.org/show_bug.cgi?id=187373
940         <rdar://problem/44186758>
941
942         Reviewed by Filip Pizlo.
943
944         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
945
946         * stress/maximum-inline-capacity.js: Added.
947         (test1):
948         (test3.Foo):
949         (test3):
950
951 2018-10-26  Commit Queue  <commit-queue@webkit.org>
952
953         Unreviewed, rolling out r237479 and r237484.
954         https://bugs.webkit.org/show_bug.cgi?id=190978
955
956         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
957
958         Reverted changesets:
959
960         "New bytecode format for JSC"
961         https://bugs.webkit.org/show_bug.cgi?id=187373
962         https://trac.webkit.org/changeset/237479
963
964         "Gardening: Build fix after r237479."
965         https://bugs.webkit.org/show_bug.cgi?id=187373
966         https://trac.webkit.org/changeset/237484
967
968 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
969
970         New bytecode format for JSC
971         https://bugs.webkit.org/show_bug.cgi?id=187373
972         <rdar://problem/44186758>
973
974         Reviewed by Filip Pizlo.
975
976         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
977
978         * stress/maximum-inline-capacity.js: Added.
979         (test1):
980         (test3.Foo):
981         (test3):
982
983 2018-10-26  Mark Lam  <mark.lam@apple.com>
984
985         Fix missing edge cases with JSGlobalObjects having a bad time.
986         https://bugs.webkit.org/show_bug.cgi?id=189028
987         <rdar://problem/45204939>
988
989         Reviewed by Saam Barati.
990
991         * stress/regress-189028.js: Added.
992
993 2018-10-22  Mark Lam  <mark.lam@apple.com>
994
995         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
996         https://bugs.webkit.org/show_bug.cgi?id=190515
997         <rdar://problem/45222379>
998
999         Rubber-stamped by Saam Barati.
1000
1001         Adding another test.
1002
1003         * stress/regress-190515-2.js: Added.
1004
1005 2018-10-22  Mark Lam  <mark.lam@apple.com>
1006
1007         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1008         https://bugs.webkit.org/show_bug.cgi?id=190515
1009         <rdar://problem/45222379>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/regress-190515.js: Added.
1014
1015 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1016
1017         Unreviewed, rolling out r237254.
1018         https://bugs.webkit.org/show_bug.cgi?id=190760
1019
1020         "It regresses JetStream 2 by 5% on some iOS devices"
1021         (Requested by saamyjoon on #webkit).
1022
1023         Reverted changeset:
1024
1025         "[JSC] JSC should have "parseFunction" to optimize Function
1026         constructor"
1027         https://bugs.webkit.org/show_bug.cgi?id=190340
1028         https://trac.webkit.org/changeset/237254
1029
1030 2018-10-19  Saam Barati  <sbarati@apple.com>
1031
1032         vmCall should check if we exit before emitting an OSR exit due to exceptions
1033         https://bugs.webkit.org/show_bug.cgi?id=190740
1034         <rdar://problem/45220139>
1035
1036         Reviewed by Mark Lam.
1037
1038         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1039         (foo):
1040
1041 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1042
1043         [ESNext][BigInt] Implement support for "^"
1044         https://bugs.webkit.org/show_bug.cgi?id=186235
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         * stress/big-int-bitwise-xor-general.js: Added.
1049         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1050         * stress/big-int-bitwise-xor-type-error.js: Added.
1051         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1052
1053 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1054
1055         [BigInt] Add ValueSub into DFG
1056         https://bugs.webkit.org/show_bug.cgi?id=186176
1057
1058         Reviewed by Yusuke Suzuki.
1059
1060         * stress/big-int-subtraction-jit.js:
1061         * stress/value-sub-big-int-prediction-propagation.js: Added.
1062         * stress/value-sub-big-int-untyped.js: Added.
1063         * stress/value-sub-spec-none-case.js: Added.
1064
1065 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1066
1067         [JSC] JSC should have "parseFunction" to optimize Function constructor
1068         https://bugs.webkit.org/show_bug.cgi?id=190340
1069
1070         Reviewed by Mark Lam.
1071
1072         This patch fixes the line number of syntax errors raised by the Function constructor,
1073         since we now parse the final code only once. And we no longer use block statement
1074         for Function constructor's parsing.
1075
1076         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1077         * stress/function-cache-with-parameters-end-position.js: Added.
1078         (shouldBe):
1079         (shouldThrow):
1080         (i.anonymous):
1081         * stress/function-constructor-name.js: Added.
1082         (shouldBe):
1083         (GeneratorFunction):
1084         (AsyncFunction.async):
1085         (AsyncGeneratorFunction.async):
1086         (anonymous):
1087         (async.anonymous):
1088         * test262/expectations.yaml:
1089
1090 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1091
1092         Unreviewed, rolling out r237242.
1093         https://bugs.webkit.org/show_bug.cgi?id=190701
1094
1095         it breaks "stress/sampling-profiler-basic.js" (Requested by
1096         caiolima on #webkit).
1097
1098         Reverted changeset:
1099
1100         "[BigInt] Add ValueSub into DFG"
1101         https://bugs.webkit.org/show_bug.cgi?id=186176
1102         https://trac.webkit.org/changeset/237242
1103
1104 2018-10-17  Keith Miller  <keith_miller@apple.com>
1105
1106         AI does not clear Phantom allocation nodes.
1107         https://bugs.webkit.org/show_bug.cgi?id=190694
1108
1109         Reviewed by Saam Barati.
1110
1111         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1112         (Day):
1113         (DaysInYear):
1114         (TimeInYear):
1115         (TimeFromYear):
1116         (DayFromYear):
1117         (InLeapYear):
1118         (YearFromTime):
1119         (WeekDay):
1120         (DaylightSavingTA):
1121         (GetSecondSundayInMarch):
1122         (TimeInMonth):
1123
1124 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1125
1126         [BigInt] Add ValueSub into DFG
1127         https://bugs.webkit.org/show_bug.cgi?id=186176
1128
1129         Reviewed by Yusuke Suzuki.
1130
1131         * stress/big-int-subtraction-jit.js:
1132         * stress/value-sub-big-int-prediction-propagation.js: Added.
1133         * stress/value-sub-big-int-untyped.js: Added.
1134
1135 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1136
1137         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1138         https://bugs.webkit.org/show_bug.cgi?id=190611
1139
1140         Reviewed by Saam Barati.
1141
1142         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1143         to improve test runtime. On ARM/MIPS this test even timed out when running all
1144         tests.
1145
1146         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1147         (test):
1148
1149 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1150
1151         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1152
1153         Unreviewed gardening.
1154
1155         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1156
1157 2018-10-15  Saam barati  <sbarati@apple.com>
1158
1159         Emit fjcvtzs on ARM64E on Darwin
1160         https://bugs.webkit.org/show_bug.cgi?id=184023
1161
1162         Reviewed by Yusuke Suzuki and Filip Pizlo.
1163
1164         * stress/double-to-int32-NaN.js: Added.
1165         (assert):
1166         (foo):
1167
1168 2018-10-15  Saam Barati  <sbarati@apple.com>
1169
1170         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1171         https://bugs.webkit.org/show_bug.cgi?id=190262
1172         <rdar://problem/44986241>
1173
1174         Reviewed by Mark Lam.
1175
1176         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1177         (test):
1178         * stress/slice-array-storage-with-holes.js: Added.
1179         (main):
1180
1181 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1182
1183         Unreviewed, rolling out r237054.
1184         https://bugs.webkit.org/show_bug.cgi?id=190593
1185
1186         "this regressed JetStream 2 by 6% on iOS" (Requested by
1187         saamyjoon on #webkit).
1188
1189         Reverted changeset:
1190
1191         "[JSC] JSC should have "parseFunction" to optimize Function
1192         constructor"
1193         https://bugs.webkit.org/show_bug.cgi?id=190340
1194         https://trac.webkit.org/changeset/237054
1195
1196 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1197
1198         [JSC] JSON.stringify can accept call-with-no-arguments
1199         https://bugs.webkit.org/show_bug.cgi?id=190343
1200
1201         Reviewed by Mark Lam.
1202
1203         * stress/json-stringify-no-arguments.js: Added.
1204         (shouldBe):
1205
1206 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1207
1208         [JSC] JSC should have "parseFunction" to optimize Function constructor
1209         https://bugs.webkit.org/show_bug.cgi?id=190340
1210
1211         Reviewed by Mark Lam.
1212
1213         This patch fixes the line number of syntax errors raised by the Function constructor,
1214         since we now parse the final code only once. And we no longer use block statement
1215         for Function constructor's parsing.
1216
1217         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1218         * stress/function-cache-with-parameters-end-position.js: Added.
1219         (shouldBe):
1220         (shouldThrow):
1221         (i.anonymous):
1222         * stress/function-constructor-name.js: Added.
1223         (shouldBe):
1224         (GeneratorFunction):
1225         (AsyncFunction.async):
1226         (AsyncGeneratorFunction.async):
1227         (anonymous):
1228         (async.anonymous):
1229         * test262/expectations.yaml:
1230
1231 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1232
1233         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1234         https://bugs.webkit.org/show_bug.cgi?id=190426
1235
1236         Unreviewed gardening.
1237
1238         * stress/sampling-profiler-richards.js:
1239
1240 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1241
1242         [ESNext][BigInt] Implement support for "|"
1243         https://bugs.webkit.org/show_bug.cgi?id=186229
1244
1245         Reviewed by Yusuke Suzuki.
1246
1247         * stress/big-int-bitwise-and-jit.js:
1248         * stress/big-int-bitwise-or-general.js: Added.
1249         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1250         * stress/big-int-bitwise-or-jit.js: Added.
1251         * stress/big-int-bitwise-or-memory-stress.js: Added.
1252         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1253         * stress/big-int-bitwise-or-type-error.js: Added.
1254         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1255
1256 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1257
1258         Skip test on systems with limited memory
1259         https://bugs.webkit.org/show_bug.cgi?id=190310
1260
1261         Invoking runDefault adds test to runlist, skipping the test in the next
1262         line does not prevent the test from executing. Change order of lines such
1263         that runDefault is only executed if test is not executed.
1264
1265         Reviewed by Mark Lam.
1266
1267         * stress/regress-190187.js:
1268
1269 2018-10-03  Saam barati  <sbarati@apple.com>
1270
1271         lowXYZ in FTLLower should always filter the type of the incoming edge
1272         https://bugs.webkit.org/show_bug.cgi?id=189939
1273         <rdar://problem/44407030>
1274
1275         Reviewed by Michael Saboff.
1276
1277         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1278         (foo):
1279         (test):
1280
1281 2018-10-03  Mark Lam  <mark.lam@apple.com>
1282
1283         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1284         https://bugs.webkit.org/show_bug.cgi?id=190187
1285         <rdar://problem/42512909>
1286
1287         Reviewed by Michael Saboff.
1288
1289         * stress/regress-190187.js: Added.
1290
1291 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1292
1293         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1294         https://bugs.webkit.org/show_bug.cgi?id=190033
1295
1296         Reviewed by Yusuke Suzuki.
1297
1298         * stress/big-int-to-string.js:
1299
1300 2018-10-01  Mark Lam  <mark.lam@apple.com>
1301
1302         Function.toString() should also copy the source code Functions that are class definitions.
1303         https://bugs.webkit.org/show_bug.cgi?id=190186
1304         <rdar://problem/44733360>
1305
1306         Reviewed by Saam Barati.
1307
1308         * stress/regress-190186.js: Added.
1309
1310 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1311
1312         Split NaN-check into separate test
1313         https://bugs.webkit.org/show_bug.cgi?id=190010
1314
1315         Reviewed by Saam Barati.
1316
1317         DataView exposes NaN-representation, which is not necessarily the same on each
1318         architecture. Therefore move the check of the NaN-representation into its own
1319         file such that we can disable this test on MIPS where NaN-representation can be
1320         different on older CPUs.
1321
1322         * stress/dataview-jit-set-nan.js: Added.
1323         (assert):
1324         (test.storeLittleEndian):
1325         (test.storeBigEndian):
1326         (test.store):
1327         (test):
1328         * stress/dataview-jit-set.js:
1329         (test5):
1330
1331 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1332
1333         Unreviewed, rolling out r236647.
1334         https://bugs.webkit.org/show_bug.cgi?id=190124
1335
1336         Breaking test stress/big-int-to-string.js (Requested by
1337         caiolima_ on #webkit).
1338
1339         Reverted changeset:
1340
1341         "[BigInt] BigInt.proptotype.toString is broken when radix is
1342         power of 2"
1343         https://bugs.webkit.org/show_bug.cgi?id=190033
1344         https://trac.webkit.org/changeset/236647
1345
1346 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1347
1348         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
1349         https://bugs.webkit.org/show_bug.cgi?id=190033
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/big-int-to-string.js:
1354
1355 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1356
1357         [ESNext][BigInt] Implement support for "&"
1358         https://bugs.webkit.org/show_bug.cgi?id=186228
1359
1360         Reviewed by Yusuke Suzuki.
1361
1362         * stress/big-int-bitwise-and-general.js: Added.
1363         (assert):
1364         (assert.sameValue):
1365         * stress/big-int-bitwise-and-jit.js: Added.
1366         (let.assert.sameValue):
1367         (bigIntBitAnd):
1368         * stress/big-int-bitwise-and-memory-stress.js: Added.
1369         (assert):
1370         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1371         (assert.sameValue):
1372         (let.o.Symbol.toPrimitive):
1373         (catch):
1374         * stress/big-int-bitwise-and-type-error.js: Added.
1375         (assert):
1376         (assertThrowTypeError):
1377         (let.o.valueOf):
1378         (o.valueOf):
1379         (o.toString):
1380         (o.Symbol.toPrimitive):
1381         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1382         (assert.sameValue):
1383         (testBitAnd):
1384         (let.o.Symbol.toPrimitive):
1385         (o.valueOf):
1386         (o.toString):
1387
1388 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1389
1390         JSC test stress/jsc-read.js doesn't support CRLF
1391         https://bugs.webkit.org/show_bug.cgi?id=190063
1392
1393         Reviewed by Yusuke Suzuki.
1394
1395         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1396
1397         * stress/jsc-read.js:
1398         (test):
1399
1400 2018-09-27  Saam barati  <sbarati@apple.com>
1401
1402         Verify the contents of AssemblerBuffer on arm64e
1403         https://bugs.webkit.org/show_bug.cgi?id=190057
1404         <rdar://problem/38916630>
1405
1406         Reviewed by Mark Lam.
1407
1408         * stress/regress-189132.js:
1409
1410 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1411
1412         Disable test without LLInt on ARMv7
1413         https://bugs.webkit.org/show_bug.cgi?id=190037
1414
1415         Reviewed by Mark Lam.
1416
1417         Test runs out of executable memory on ARMv7, do not run
1418         this test without LLInt enabled.
1419
1420         * stress/regress-169445.js:
1421
1422 2018-09-26  Keith Miller  <keith_miller@apple.com>
1423
1424         We should zero unused property storage when rebalancing array storage.
1425         https://bugs.webkit.org/show_bug.cgi?id=188151
1426
1427         Reviewed by Michael Saboff.
1428
1429         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1430
1431 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1432
1433         [JSC] Optimize Array#lastIndexOf
1434         https://bugs.webkit.org/show_bug.cgi?id=189780
1435
1436         Reviewed by Saam Barati.
1437
1438         * stress/array-lastindexof-array-prototype-trap.js: Added.
1439         (shouldBe):
1440         (AncestorArray.prototype.get 2):
1441         (AncestorArray):
1442         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1443         (shouldBe):
1444         * stress/array-lastindexof-hole-nan.js: Added.
1445         (shouldBe):
1446         (throw.new.Error):
1447         * stress/array-lastindexof-infinity.js: Added.
1448         (shouldBe):
1449         (throw.new.Error):
1450         * stress/array-lastindexof-negative-zero.js: Added.
1451         (shouldBe):
1452         (throw.new.Error):
1453         * stress/array-lastindexof-own-getter.js: Added.
1454         (shouldBe):
1455         (throw.new.Error.get array):
1456         (get array):
1457         * stress/array-lastindexof-prototype-trap.js: Added.
1458         (shouldBe):
1459         (DerivedArray.prototype.get 2):
1460         (DerivedArray):
1461
1462 2018-09-25  Saam Barati  <sbarati@apple.com>
1463
1464         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1465         https://bugs.webkit.org/show_bug.cgi?id=189940
1466         <rdar://problem/43640987>
1467
1468         Reviewed by Mark Lam.
1469
1470         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1471
1472 2018-09-24  Saam Barati  <sbarati@apple.com>
1473
1474         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1475         https://bugs.webkit.org/show_bug.cgi?id=189922
1476         <rdar://problem/44651275>
1477
1478         Reviewed by Mark Lam.
1479
1480         * stress/array-indexof-fast-path-effects.js: Added.
1481         * stress/array-indexof-cached-length.js: Added.
1482
1483 2018-09-24  Saam barati  <sbarati@apple.com>
1484
1485         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1486         https://bugs.webkit.org/show_bug.cgi?id=189682
1487         <rdar://problem/43557315>
1488
1489         Reviewed by Mark Lam.
1490
1491         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1492         (foo):
1493
1494 2018-09-22  Saam barati  <sbarati@apple.com>
1495
1496         The sampling should not use Strong<CodeBlock> in its machineLocation field
1497         https://bugs.webkit.org/show_bug.cgi?id=189319
1498
1499         Reviewed by Filip Pizlo.
1500
1501         * stress/sampling-profiler-richards.js: Added.
1502
1503 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1504
1505         [JSC] Optimize Array#indexOf in C++ runtime
1506         https://bugs.webkit.org/show_bug.cgi?id=189507
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/array-indexof-array-prototype-trap.js: Added.
1511         (shouldBe):
1512         (AncestorArray.prototype.get 2):
1513         (AncestorArray):
1514         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1515         (shouldBe):
1516         * stress/array-indexof-hole-nan.js: Added.
1517         (shouldBe):
1518         (throw.new.Error):
1519         * stress/array-indexof-infinity.js: Added.
1520         (shouldBe):
1521         (throw.new.Error):
1522         * stress/array-indexof-negative-zero.js: Added.
1523         (shouldBe):
1524         (throw.new.Error):
1525         * stress/array-indexof-own-getter.js: Added.
1526         (shouldBe):
1527         (throw.new.Error.get array):
1528         (get array):
1529         * stress/array-indexof-prototype-trap.js: Added.
1530         (shouldBe):
1531         (DerivedArray.prototype.get 2):
1532         (DerivedArray):
1533
1534 2018-09-19  Saam barati  <sbarati@apple.com>
1535
1536         AI rule for MultiPutByOffset executes its effects in the wrong order
1537         https://bugs.webkit.org/show_bug.cgi?id=189757
1538         <rdar://problem/43535257>
1539
1540         Reviewed by Michael Saboff.
1541
1542         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1543         (foo):
1544         (Foo):
1545         (g):
1546
1547 2018-09-17  Mark Lam  <mark.lam@apple.com>
1548
1549         Ensure that ForInContexts are invalidated if their loop local is over-written.
1550         https://bugs.webkit.org/show_bug.cgi?id=189571
1551         <rdar://problem/44402277>
1552
1553         Reviewed by Saam Barati.
1554
1555         * stress/regress-189571.js: Added.
1556
1557 2018-09-17  Saam barati  <sbarati@apple.com>
1558
1559         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1560         https://bugs.webkit.org/show_bug.cgi?id=189676
1561         <rdar://problem/39682897>
1562
1563         Reviewed by Michael Saboff.
1564
1565         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1566         (A):
1567         (K):
1568         (i.catch):
1569
1570 2018-09-14  Saam barati  <sbarati@apple.com>
1571
1572         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1573         https://bugs.webkit.org/show_bug.cgi?id=189628
1574         <rdar://problem/39481690>
1575
1576         Reviewed by Mark Lam.
1577
1578         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1579         (foo):
1580
1581 2018-09-11  Mark Lam  <mark.lam@apple.com>
1582
1583         Test for array initialization in arrayProtoFuncSplice.
1584         https://bugs.webkit.org/show_bug.cgi?id=170253
1585         <rdar://problem/31328773>
1586
1587         Rubber-stamped by Saam Barati.
1588
1589         * stress/regress-170253.js: Added.
1590
1591 2018-09-11  Mark Lam  <mark.lam@apple.com>
1592
1593         Test for IntlObject initialization.
1594         https://bugs.webkit.org/show_bug.cgi?id=170251
1595         <rdar://problem/31328419>
1596
1597         Rubber-stamped by Saam Barati.
1598
1599         * stress/regress-170251.js: Added.
1600
1601 2018-09-11  Mark Lam  <mark.lam@apple.com>
1602
1603         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1604         https://bugs.webkit.org/show_bug.cgi?id=169889
1605         <rdar://problem/31155607>
1606
1607         Reviewed by Saam Barati.
1608
1609         * stress/regress-169889-array-concat.js: Added.
1610         * stress/regress-169889-array-concat1.js: Added.
1611         * stress/regress-169889-array-slice.js: Added.
1612
1613 2018-09-11  Mark Lam  <mark.lam@apple.com>
1614
1615         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1616         https://bugs.webkit.org/show_bug.cgi?id=169445
1617         <rdar://problem/30957435>
1618
1619         Reviewed by Saam Barati.
1620
1621         * stress/regress-169445.js: Added.
1622         (let.gun.eval.A):
1623         (let.gun.eval.B.C):
1624         (let.gun.eval.B.C.prototype.trigger):
1625         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1626         (let.gun.eval.B):
1627         (let.gun.eval):
1628
1629 == Rolled over to ChangeLog-2018-09-11 ==