validateOSREntryValue with Int52 should box the value being checked into double format
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-27  Saam Barati  <sbarati@apple.com>
2
3         validateOSREntryValue with Int52 should box the value being checked into double format
4         https://bugs.webkit.org/show_bug.cgi?id=196313
5         <rdar://problem/49306703>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/validate-int-52-ai-state.js: Added.
10
11 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] Owner of watchpoints should validate at GC finalizing phase
14         https://bugs.webkit.org/show_bug.cgi?id=195827
15
16         Reviewed by Filip Pizlo.
17
18         * stress/gc-should-reap-dead-watchpoints.js: Added.
19         (foo):
20         (A.prototype.y):
21         (A):
22
23 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
24
25         Skip WebAssembly test on 32-bit systems
26         https://bugs.webkit.org/show_bug.cgi?id=196206
27
28         Reviewed by Saam Barati.
29
30         Invoking runDefault executes test immediately even though
31         that test should be skipped due to missing WASM support.
32         Therefore remove runDefault.
33
34         * wasm/regress/web-assembly-link-error-exception-check.js:
35
36 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
37
38         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
39         https://bugs.webkit.org/show_bug.cgi?id=196217
40
41         Reviewed by Saam Barati.
42
43         Re-enable all NaN tests for f32.min, f64.min and f64.max.
44
45         * wasm/spec-tests/f32.wast.js:
46         * wasm/spec-tests/f64.wast.js:
47         * wasm/wasm.json:
48
49 2019-03-25  Keith Miller  <keith_miller@apple.com>
50
51         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
52         https://bugs.webkit.org/show_bug.cgi?id=196176
53
54         Reviewed by Saam Barati.
55
56         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
57         (main.v10):
58         (main):
59
60 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
61
62         WebAssembly: f32.max with NaN generates incorrect result
63         https://bugs.webkit.org/show_bug.cgi?id=175691
64         <rdar://problem/33952228>
65
66         Reviewed by Saam Barati.
67
68         Enable all f32.max NaN tests
69
70         * wasm/spec-tests/f32.wast.js:
71         * wasm/wasm.json:
72
73 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
74
75         [JSC] Move test into directory for WASM tests
76         https://bugs.webkit.org/show_bug.cgi?id=196187
77
78         Reviewed by Mark Lam.
79
80         Move Test into wasm-directory. Otherwise this test
81         is also executed on systems without WASM support.
82
83         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
84
85 2019-03-23  Mark Lam  <mark.lam@apple.com>
86
87         Rolling out r243032 and r243071 because the fix is incorrect.
88         https://bugs.webkit.org/show_bug.cgi?id=195892
89         <rdar://problem/48981239>
90
91         Not reviewed.
92
93         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
94
95 2019-03-22  Mark Lam  <mark.lam@apple.com>
96
97         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
98         https://bugs.webkit.org/show_bug.cgi?id=196154
99         <rdar://problem/49145307>
100
101         Reviewed by Filip Pizlo.
102
103         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
104         There's no need to run this test on more than 1 test configuration.
105
106         * stress/typed-array-lastIndexOf-exception-check.js: Added.
107         * stress/web-assembly-link-error-exception-check.js:
108
109 2019-03-22  Mark Lam  <mark.lam@apple.com>
110
111         Placate exception check validation in constructJSWebAssemblyLinkError().
112         https://bugs.webkit.org/show_bug.cgi?id=196152
113         <rdar://problem/49145257>
114
115         Reviewed by Michael Saboff.
116
117         * stress/web-assembly-link-error-exception-check.js: Added.
118
119 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
120
121         Skip tests running out of memory on ARM/MIPS
122         https://bugs.webkit.org/show_bug.cgi?id=196131
123
124         Unreviewed. Skip test if memory is limited.
125
126         * microbenchmarks/put-by-val-direct-large-index.js:
127
128 2019-03-21  Mark Lam  <mark.lam@apple.com>
129
130         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
131         https://bugs.webkit.org/show_bug.cgi?id=196116
132         <rdar://problem/48976951>
133
134         Reviewed by Filip Pizlo.
135
136         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
137
138 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
139
140         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
141         https://bugs.webkit.org/show_bug.cgi?id=196078
142         <rdar://problem/35925380>
143
144         Reviewed by Mark Lam.
145
146         Add a new benchmark that allocates several objects and invokes put_by_val_direct
147         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
148
149         * microbenchmarks/put-by-val-direct-large-index.js: Added.
150
151 2019-03-21  Mark Lam  <mark.lam@apple.com>
152
153         Placate exception check validation in operationArrayIndexOfString().
154         https://bugs.webkit.org/show_bug.cgi?id=196067
155         <rdar://problem/49056572>
156
157         Reviewed by Michael Saboff.
158
159         * stress/string-equal-exception-check.js: Added.
160
161 2019-03-21  Mark Lam  <mark.lam@apple.com>
162
163         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
164         https://bugs.webkit.org/show_bug.cgi?id=196055
165         <rdar://problem/49067448>
166
167         Reviewed by Yusuke Suzuki.
168
169         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
170
171 2019-03-20  Saam Barati  <sbarati@apple.com>
172
173         typeOfDoubleSum is wrong for when NaN can be produced
174         https://bugs.webkit.org/show_bug.cgi?id=196030
175
176         Reviewed by Filip Pizlo.
177
178         * stress/double-add-sub-mul-can-produce-nan.js: Added.
179         (assert):
180         (noInline.sub):
181         (noInline):
182         (assert.mul):
183         (assert.add):
184
185 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
186
187         Update the test to ensure OutOfMemoryError is thrown as intended
188         https://bugs.webkit.org/show_bug.cgi?id=196032
189         <rdar://problem/46842740>
190
191         Rubber stamped by Saam Barati.
192
193         * stress/create-error-out-of-memory-rope-string.js:
194         (assert):
195         (catch):
196
197 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
198
199         JSC::createError needs to check for OOM in errorDescriptionForValue
200         https://bugs.webkit.org/show_bug.cgi?id=196032
201         <rdar://problem/46842740>
202
203         Reviewed by Mark Lam.
204
205         * stress/create-error-out-of-memory-rope-string.js: Added.
206
207 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
208
209         Unreviewed, reduce # of iterations to avoid timing out after r242991
210         https://bugs.webkit.org/show_bug.cgi?id=195791
211
212         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
213
214         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
215
216 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
217
218         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
219         https://bugs.webkit.org/show_bug.cgi?id=195950
220
221         Unreviewed, reducing the amount of memory used on this test to avoid
222         OOM on devices with memory restrictions.
223
224         * microbenchmarks/generate-multiple-llint-entrypoints.js:
225
226 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
227
228         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
229         https://bugs.webkit.org/show_bug.cgi?id=194648
230
231         Reviewed by Keith Miller.
232
233         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
234
235 2019-03-18  Mark Lam  <mark.lam@apple.com>
236
237         Missing a ThrowScope release in JSObject::toString().
238         https://bugs.webkit.org/show_bug.cgi?id=195893
239         <rdar://problem/48970986>
240
241         Reviewed by Michael Saboff.
242
243         * stress/to-string-exception-check-release.js: Added.
244
245 2019-03-18  Mark Lam  <mark.lam@apple.com>
246
247         Structure::flattenDictionary() should clear unused property slots.
248         https://bugs.webkit.org/show_bug.cgi?id=195871
249         <rdar://problem/48959497>
250
251         Reviewed by Michael Saboff.
252
253         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
254
255 2019-03-15  Mark Lam  <mark.lam@apple.com>
256
257         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
258         https://bugs.webkit.org/show_bug.cgi?id=195827
259         <rdar://problem/48845513>
260
261         Reviewed by Filip Pizlo.
262
263         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
264
265 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
266
267         [ARM,MIPS] Skip slow tests
268         https://bugs.webkit.org/show_bug.cgi?id=195799
269
270         Unreviewed, test does not finish on ARM and MIPS within the
271         timeout limit.
272
273         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
274
275 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
276
277         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
278         https://bugs.webkit.org/show_bug.cgi?id=195791
279         <rdar://problem/48806130>
280
281         Reviewed by Mark Lam.
282
283         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
284         (foo):
285
286 2019-03-14  Saam barati  <sbarati@apple.com>
287
288         We can't remove code after ForceOSRExit until after FixupPhase
289         https://bugs.webkit.org/show_bug.cgi?id=186916
290         <rdar://problem/41396612>
291
292         Reviewed by Yusuke Suzuki.
293
294         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
295         (foo):
296         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
297         (foo):
298
299 2019-03-13  Michael Saboff  <msaboff@apple.com>
300
301         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
302         https://bugs.webkit.org/show_bug.cgi?id=195735
303
304         Reviewed by Mark Lam.
305
306         New regression test.
307
308         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
309         (foo):
310         (bar):
311
312 2019-03-14  Saam barati  <sbarati@apple.com>
313
314         Fixup uses KnownInt32 incorrectly in some nodes
315         https://bugs.webkit.org/show_bug.cgi?id=195279
316         <rdar://problem/47915654>
317
318         Reviewed by Yusuke Suzuki.
319
320         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
321         (foo):
322
323 2019-03-14  Keith Miller  <keith_miller@apple.com>
324
325         DFG liveness can't skip tail caller inline frames
326         https://bugs.webkit.org/show_bug.cgi?id=195715
327
328         Reviewed by Saam Barati.
329
330         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
331         (i.foo):
332
333 2019-03-13  Mark Lam  <mark.lam@apple.com>
334
335         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
336         https://bugs.webkit.org/show_bug.cgi?id=195415
337
338         Not reviewed.
339
340         Changed these tests to only run the default configuration.
341         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
342         There's no strong need to run this test on that variant.
343
344         * stress/dfg-to-string-on-int-does-gc.js:
345         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
346
347 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
348
349         String overflow when using StringBuilder in JSC::createError
350         https://bugs.webkit.org/show_bug.cgi?id=194957
351
352         Reviewed by Mark Lam.
353
354         Add test string-overflow-createError-bulder.js that overflows
355         StringBuilder in notAFunctionSourceAppender. The second new test
356         string-overflow-createError-fit.js has an error message that doesn't
357         overflow, it still failed since the String's capacity can't be doubled.
358         Run test string-overflow-createError.js only in the default
359         configuration to reduce memory consumption when running the test
360         in all configurations on multiple CPUs in parallel.
361
362         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
363         (catch):
364         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
365         (catch):
366         * stress/string-overflow-createError.js:
367
368 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
369
370         [JSC] OSR entry should respect abstract values in addition to flush formats
371         https://bugs.webkit.org/show_bug.cgi?id=195653
372
373         Reviewed by Mark Lam.
374
375         * stress/osr-entry-locals-none.js: Added.
376
377 2019-03-12  Michael Saboff  <msaboff@apple.com>
378
379         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
380         https://bugs.webkit.org/show_bug.cgi?id=195613
381
382         Reviewed by Mark Lam.
383
384         New regression test.
385
386         * stress/regexp-backref-inbounds.js: Added.
387         (testRegExp):
388
389 2019-03-12  Mark Lam  <mark.lam@apple.com>
390
391         The HasIndexedProperty node does GC.
392         https://bugs.webkit.org/show_bug.cgi?id=195559
393         <rdar://problem/48767923>
394
395         Reviewed by Yusuke Suzuki.
396
397         * stress/HasIndexedProperty-does-gc.js: Added.
398
399 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
400
401         [ESNext][BigInt] Implement "~" unary operation
402         https://bugs.webkit.org/show_bug.cgi?id=182216
403
404         Reviewed by Keith Miller.
405
406         * stress/big-int-bit-not-general.js: Added.
407         * stress/big-int-bitwise-not-jit.js: Added.
408         * stress/big-int-bitwise-not-wrapped-value.js: Added.
409         * stress/bit-op-with-object-returning-int32.js:
410         * stress/bitwise-not-fixup-rules.js: Added.
411         * stress/value-bit-not-ai-rule.js: Added.
412
413 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
414
415         Invalid flags in a RegExp literal should be an early SyntaxError
416         https://bugs.webkit.org/show_bug.cgi?id=195514
417
418         Reviewed by Darin Adler.
419
420         * test262/expectations.yaml:
421         Mark 4 test cases as passing.
422
423         * stress/regexp-syntax-error-invalid-flags.js:
424         * stress/regress-161995.js: Removed.
425         Update existing test, merging in an older test for the same behavior.
426
427 2019-03-08  Mark Lam  <mark.lam@apple.com>
428
429         Stack overflow crash in JSC::JSObject::hasInstance.
430         https://bugs.webkit.org/show_bug.cgi?id=195458
431         <rdar://problem/48710195>
432
433         Reviewed by Yusuke Suzuki.
434
435         * stress/stack-overflow-in-custom-hasInstance.js: Added.
436
437 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
438
439         op_check_tdz does not def its argument
440         https://bugs.webkit.org/show_bug.cgi?id=192880
441         <rdar://problem/46221598>
442
443         Reviewed by Saam Barati.
444
445         * microbenchmarks/let-for-in.js: Added.
446         (foo):
447
448 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
449
450         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
451         https://bugs.webkit.org/show_bug.cgi?id=195429
452
453         Reviewed by Saam Barati.
454
455         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
456         (foo):
457         * stress/string-from-char-code-255.js: Added.
458
459 2019-03-06  Mark Lam  <mark.lam@apple.com>
460
461         Fix incorrect handling of try-finally completion values.
462         https://bugs.webkit.org/show_bug.cgi?id=195131
463         <rdar://problem/46222079>
464
465         Reviewed by Saam Barati and Yusuke Suzuki.
466
467         Added many permutations of new test case to test-finally.js.  test-finally.js has
468         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
469         tests passes there as well.
470
471         * stress/test-finally.js:
472
473 2019-03-06  Saam Barati  <sbarati@apple.com>
474
475         Air::reportUsedRegisters must padInterference
476         https://bugs.webkit.org/show_bug.cgi?id=195303
477         <rdar://problem/48270343>
478
479         Reviewed by Keith Miller.
480
481         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
482
483 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
484
485         [JSC] AI should not propagate AbstractValue relying on constant folding phase
486         https://bugs.webkit.org/show_bug.cgi?id=195375
487
488         Reviewed by Saam Barati.
489
490         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
491         (let.array):
492
493 2019-03-05  Saam barati  <sbarati@apple.com>
494
495         op_switch_char broken for rope strings after JSRopeString layout rewrite
496         https://bugs.webkit.org/show_bug.cgi?id=195339
497         <rdar://problem/48592545>
498
499         Reviewed by Yusuke Suzuki.
500
501         * stress/switch-on-char-llint-rope.js: Added.
502
503 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
504
505         [JSC] Store bits for JSRopeString in 3 stores
506         https://bugs.webkit.org/show_bug.cgi?id=195234
507
508         Reviewed by Saam Barati.
509
510         * stress/null-rope-and-collectors.js: Added.
511
512 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
513
514         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
515         https://bugs.webkit.org/show_bug.cgi?id=195207
516
517         Unreviewed. After test runtime was reduced in r242213, test can be
518         run again on ARM/MIPS.
519
520         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
521
522 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
523
524         [JSC] sizeof(JSString) should be 16
525         https://bugs.webkit.org/show_bug.cgi?id=194375
526
527         Reviewed by Saam Barati.
528
529         * microbenchmarks/make-rope.js: Added.
530         (makeRope):
531         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
532         (returnRope.helper): Deleted.
533         (returnRope): Deleted.
534
535 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
536
537         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
538         https://bugs.webkit.org/show_bug.cgi?id=195144
539
540         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
541         Change the number from 1e8 to 1e5.
542
543         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
544         (foo):
545
546 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
547
548         Test times out on ARM/MIPS
549         https://bugs.webkit.org/show_bug.cgi?id=195168
550
551         Unreviewed. Skip test on ARM/MIPS.
552
553         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
554
555 2019-02-27  Mark Lam  <mark.lam@apple.com>
556
557         The parser is failing to record the token location of new in new.target.
558         https://bugs.webkit.org/show_bug.cgi?id=195127
559         <rdar://problem/39645578>
560
561         Reviewed by Yusuke Suzuki.
562
563         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
564
565 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
566
567         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
568         https://bugs.webkit.org/show_bug.cgi?id=195144
569         <rdar://problem/47595961>
570
571         Reviewed by Mark Lam.
572
573         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
574         (bar):
575         (foo):
576         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
577         (bar):
578         (foo):
579
580 2019-02-27  Robin Morisset  <rmorisset@apple.com>
581
582         DFG: Loop-invariant code motion (LICM) should not hoist dead code
583         https://bugs.webkit.org/show_bug.cgi?id=194945
584         <rdar://problem/48311657>
585
586         Reviewed by Mark Lam.
587
588         * stress/licm-dead-code.js: Added.
589
590 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
591
592         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
593         https://bugs.webkit.org/show_bug.cgi?id=194677
594         <rdar://problem/48112492>
595
596         Reviewed by Mark Lam.
597
598         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
599         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
600         it immediately fails due the large size.
601
602         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
603         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
604         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
605         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
606
607         This patch changes the test to produce 16bit string from String.fromCharCode.
608
609         * stress/regress-178386.js:
610
611 2019-02-26  Mark Lam  <mark.lam@apple.com>
612
613         wasmToJS() should purify incoming NaNs.
614         https://bugs.webkit.org/show_bug.cgi?id=194807
615         <rdar://problem/48189132>
616
617         Reviewed by Saam Barati.
618
619         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
620
621 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
622
623         [JSC] Repeat string created from Array.prototype.join() take too much memory
624         https://bugs.webkit.org/show_bug.cgi?id=193912
625
626         Reviewed by Saam Barati.
627
628         Added a test and a microbenchmark for corner cases of
629         Array.prototype.join() with an uninitialized array.
630
631         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
632         * stress/array-prototype-join-uninitialized.js: Added.
633         (testArray):
634         (testABC):
635         (B):
636         (C):
637
638 2019-02-22  Robin Morisset  <rmorisset@apple.com>
639
640         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
641         https://bugs.webkit.org/show_bug.cgi?id=194953
642         <rdar://problem/47595253>
643
644         Reviewed by Saam Barati.
645
646         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
647
648         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
649
650 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
651
652         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
653         https://bugs.webkit.org/show_bug.cgi?id=172848
654         <rdar://problem/25709212>
655
656         Reviewed by Mark Lam.
657
658         * typeProfiler/inheritance.js:
659         Rewrite the test slightly for clarity. The hoisting was confusing.
660
661         * heapProfiler/class-names.js: Added.
662         (MyES5Class):
663         (MyES6Class):
664         (MyES6Subclass):
665         Test object types and improved class names.
666
667         * heapProfiler/driver/driver.js:
668         (CheapHeapSnapshotNode):
669         (CheapHeapSnapshot):
670         (createCheapHeapSnapshot):
671         (HeapSnapshot):
672         (createHeapSnapshot):
673         Update snapshot parsing from version 1 to version 2.
674
675 2019-02-19  Truitt Savell  <tsavell@apple.com>
676
677         Unreviewed, rolling out r241784.
678
679         Broke all OpenSource builds.
680
681         Reverted changeset:
682
683         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
684         instances view"
685         https://bugs.webkit.org/show_bug.cgi?id=172848
686         https://trac.webkit.org/changeset/241784
687
688 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
689
690         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
691         https://bugs.webkit.org/show_bug.cgi?id=172848
692         <rdar://problem/25709212>
693
694         Reviewed by Mark Lam.
695
696         * typeProfiler/inheritance.js:
697         Rewrite the test slightly for clarity. The hoisting was confusing.
698
699         * heapProfiler/class-names.js: Added.
700         (MyES5Class):
701         (MyES6Class):
702         (MyES6Subclass):
703         Test object types and improved class names.
704
705         * heapProfiler/driver/driver.js:
706         (CheapHeapSnapshotNode):
707         (CheapHeapSnapshot):
708         (createCheapHeapSnapshot):
709         (HeapSnapshot):
710         (createHeapSnapshot):
711         Update snapshot parsing from version 1 to version 2.
712
713 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
714
715         [ARM] Fix crash with sampling profiler
716         https://bugs.webkit.org/show_bug.cgi?id=194772
717
718         Reviewed by Mark Lam.
719
720         Do not skip test since crash with sampling profiler is now fixed.
721
722         * stress/sampling-profiler-richards.js:
723
724 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
725
726         [JSC] Add LazyClassStructure::getInitializedOnMainThread
727         https://bugs.webkit.org/show_bug.cgi?id=194784
728         <rdar://problem/48154820>
729
730         Reviewed by Mark Lam.
731
732         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
733         (getProperties):
734         (getRandomProperty):
735         (i.catch):
736
737 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
738
739         [ARM] Test gardening: Test running out of executable memory
740         https://bugs.webkit.org/show_bug.cgi?id=194771
741
742         Unreviewed. Do not run test without LLInt, test is running out of executable
743         memory on ARM otherwise.
744
745         * stress/tagged-template-object-collect.js:
746
747 2019-02-18  Tomas Popela  <tpopela@redhat.com>
748
749         Unreviewed, skip the test on platforms without sampling profiler
750
751         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
752         (platformSupportsSamplingProfiler.foo):
753         (platformSupportsSamplingProfiler.test):
754         (platformSupportsSamplingProfiler):
755         (foo): Deleted.
756         (test): Deleted.
757
758 2019-02-17  Saam Barati  <sbarati@apple.com>
759
760         Deadlock when adding a Structure property transition and then doing incremental marking
761         https://bugs.webkit.org/show_bug.cgi?id=194767
762
763         Reviewed by Mark Lam.
764
765         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
766
767 2019-02-15  Michael Saboff  <msaboff@apple.com>
768
769         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
770         https://bugs.webkit.org/show_bug.cgi?id=194558
771
772         Reviewed by Saam Barati.
773
774         New regression test.
775
776         * stress/regexp-unicode-within-string.js: Added.
777
778 2019-02-15  Mark Lam  <mark.lam@apple.com>
779
780         SamplingProfiler::stackTracesAsJSON() should escape strings.
781         https://bugs.webkit.org/show_bug.cgi?id=194649
782         <rdar://problem/48072386>
783
784         Reviewed by Saam Barati.
785
786         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
787         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
788         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
789         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
790
791 2019-02-15  Robin Morisset  <rmorisset@apple.com>
792         CodeBlock::jettison should clear related watchpoints
793         https://bugs.webkit.org/show_bug.cgi?id=194544
794
795         Reviewed by Mark Lam.
796
797         * stress/regexp-replace-double-watchpoint.js: Added.
798         (foo):
799
800 2019-02-15  Saam barati  <sbarati@apple.com>
801
802         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
803         https://bugs.webkit.org/show_bug.cgi?id=194036
804
805         Reviewed by Yusuke Suzuki.
806
807         * stress/tail-call-many-arguments.js: Added.
808         (foo):
809         (bar):
810
811 2019-02-14  Saam Barati  <sbarati@apple.com>
812
813         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
814         https://bugs.webkit.org/show_bug.cgi?id=194583
815         <rdar://problem/48028140>
816
817         Reviewed by Yusuke Suzuki.
818
819         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
820
821 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
822
823         [JSC] String.fromCharCode's slow path always generates 16bit string
824         https://bugs.webkit.org/show_bug.cgi?id=194466
825
826         Reviewed by Keith Miller.
827
828         * stress/string-from-char-code-slow-path.js: Added.
829         (shouldBe):
830         (testWithLength):
831
832 2019-02-08  Saam barati  <sbarati@apple.com>
833
834         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
835         https://bugs.webkit.org/show_bug.cgi?id=194334
836         <rdar://problem/47844327>
837
838         Reviewed by Mark Lam.
839
840         * stress/check-in-bounds-should-be-a-child-use.js: Added.
841         (func):
842
843 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
844
845         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
846         https://bugs.webkit.org/show_bug.cgi?id=194369
847         <rdar://problem/47813087>
848
849         Reviewed by Saam Barati.
850
851         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
852         (A):
853
854 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
855
856         [JSC] PrivateName to PublicName hash table is wasteful
857         https://bugs.webkit.org/show_bug.cgi?id=194277
858
859         Reviewed by Michael Saboff.
860
861         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
862
863         * ChakraCore.yaml:
864
865 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
866
867         [ARM] Test running out of executable memory
868         https://bugs.webkit.org/show_bug.cgi?id=194285
869
870         Unreviewed. Do no execute test with LLInt disabled, test runs out of
871         executable memory otherwise.
872
873         * stress/class-subclassing-function.js:
874
875 2019-02-04  Robin Morisset  <rmorisset@apple.com>
876
877         when lowering AssertNotEmpty, create the value before creating the patchpoint
878         https://bugs.webkit.org/show_bug.cgi?id=194231
879
880         Reviewed by Saam Barati.
881
882         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
883         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
884         So even tiny changes to this test can change the path code taken.
885
886         * stress/assert-not-empty.js: Added.
887         (foo):
888
889 2019-02-01  Mark Lam  <mark.lam@apple.com>
890
891         Remove invalid assertion in DFG's compileDoubleRep().
892         https://bugs.webkit.org/show_bug.cgi?id=194130
893         <rdar://problem/47699474>
894
895         Reviewed by Saam Barati.
896
897         * stress/constant-fold-double-rep-into-double-constant.js: Added.
898
899 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
900
901         Import latest Test262 updates.
902
903         Rubber-stamped by Keith Miller.
904
905         * test262.yaml: Deleted.
906         * test262/config.yaml:
907         * test262/expectations.yaml:
908         * test262/latest-changes-summary.txt:
909         * test262/test/:
910         * test262/test262-Revision.txt:
911
912 2019-01-30  Robin Morisset  <rmorisset@apple.com>
913
914         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
915         https://bugs.webkit.org/show_bug.cgi?id=194050
916         <rdar://problem/47595592>
917
918         Reviewed by Yusuke Suzuki.
919
920         * stress/object-keys-osr-exit.js: Added.
921         (foo):
922         (catch):
923
924 2019-01-29  Mark Lam  <mark.lam@apple.com>
925
926         ValueRecovery::recover() should purify NaN values it recovers.
927         https://bugs.webkit.org/show_bug.cgi?id=193978
928         <rdar://problem/47625488>
929
930         Reviewed by Saam Barati.
931
932         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
933
934 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
935
936         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
937         https://bugs.webkit.org/show_bug.cgi?id=193713
938
939         * stress/try-get-by-id-should-spill-registers-dfg.js:
940         (let.f.createBuiltin):
941
942 2019-01-28  Mark Lam  <mark.lam@apple.com>
943
944         ToString node actually does GC.
945         https://bugs.webkit.org/show_bug.cgi?id=193920
946         <rdar://problem/46695900>
947
948         Reviewed by Yusuke Suzuki.
949
950         * stress/dfg-to-string-on-int-does-gc.js: Added.
951         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
952         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
953
954 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
955
956         [JSC] NativeErrorConstructor should not have own IsoSubspace
957         https://bugs.webkit.org/show_bug.cgi?id=193713
958
959         Reviewed by Saam Barati.
960
961         Remove @Error use.
962
963         * stress/try-get-by-id-should-spill-registers-dfg.js:
964         (let.f.createBuiltin):
965
966 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
967
968         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
969         https://bugs.webkit.org/show_bug.cgi?id=190693
970
971         Reviewed by Michael Saboff.
972
973         * stress/regress-190693.js: Added.
974         (truth):
975         (assert):
976         (shouldThrowInvalidConstAssignment):
977         (taz):
978
979 2019-01-24  Saam Barati  <sbarati@apple.com>
980
981         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
982         https://bugs.webkit.org/show_bug.cgi?id=193751
983         <rdar://problem/47280215>
984
985         Reviewed by Michael Saboff.
986
987         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
988         (let.thing):
989         (foo.let.hello):
990         (foo):
991
992 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
993
994         [JSC] Reenable baseline JIT on mips
995         https://bugs.webkit.org/show_bug.cgi?id=192983
996
997         Reviewed by Mark Lam.
998
999         Added a new test for a case that was triggering a RELEASE_ASSERT when
1000         testing.
1001         Disable some slow tests that were already disabled for arm and x86.
1002
1003         * stress/json-parse-big-object.js: Added.
1004         * stress/new-largeish-contiguous-array-with-size.js:
1005         * stress/op_add.js:
1006         * stress/op_bitand.js:
1007         * stress/op_bitor.js:
1008         * stress/op_bitxor.js:
1009         * stress/op_lshift-ConstVar.js:
1010         * stress/op_lshift-VarConst.js:
1011         * stress/op_lshift-VarVar.js:
1012         * stress/op_mod-ConstVar.js:
1013         * stress/op_mod-VarConst.js:
1014         * stress/op_mod-VarVar.js:
1015         * stress/op_mul-ConstVar.js:
1016         * stress/op_mul-VarConst.js:
1017         * stress/op_mul-VarVar.js:
1018         * stress/op_rshift-ConstVar.js:
1019         * stress/op_rshift-VarConst.js:
1020         * stress/op_rshift-VarVar.js:
1021         * stress/op_sub-ConstVar.js:
1022         * stress/op_sub-VarConst.js:
1023         * stress/op_sub-VarVar.js:
1024         * stress/op_urshift-ConstVar.js:
1025         * stress/op_urshift-VarConst.js:
1026         * stress/op_urshift-VarVar.js:
1027         * stress/sampling-profiler-richards.js:
1028         * stress/spread-forward-call-varargs-stack-overflow.js:
1029
1030 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1031
1032         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1033         https://bugs.webkit.org/show_bug.cgi?id=193711
1034         <rdar://problem/47250262>
1035
1036         Reviewed by Saam Barati.
1037
1038         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1039         (shouldBe):
1040         (foo):
1041         (bar):
1042         (baz):
1043
1044 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         Unreviewed, fix initial global lexical binding epoch
1047         https://bugs.webkit.org/show_bug.cgi?id=193603
1048         <rdar://problem/47380869>
1049
1050         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1051         (f1.f2.f3.f4):
1052         (f1.f2.f3):
1053         (f1.f2):
1054         (f1):
1055
1056 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1057
1058         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1059         https://bugs.webkit.org/show_bug.cgi?id=193709
1060         <rdar://problem/47363838>
1061
1062         Unreviewed, rollout to watch the tests.
1063
1064         * stress/object-tostring-changed-proto.js: Removed.
1065         * stress/object-tostring-changed.js: Removed.
1066         * stress/object-tostring-misc.js: Removed.
1067         * stress/object-tostring-other.js: Removed.
1068         * stress/object-tostring-untyped.js: Removed.
1069
1070 2019-01-22  Saam Barati  <sbarati@apple.com>
1071
1072         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1073
1074         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1075         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1076         (testUncheckedLessThanZero):
1077         (testUncheckedLessThanOrEqualZero):
1078         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1079         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1080
1081 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1082
1083         [JSC] Invalidate old scope operations using global lexical binding epoch
1084         https://bugs.webkit.org/show_bug.cgi?id=193603
1085         <rdar://problem/47380869>
1086
1087         Reviewed by Saam Barati.
1088
1089         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1090         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1091         (shouldThrow):
1092         (bar):
1093         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1094         (shouldBe):
1095         (get1):
1096         (get2):
1097         (get1If):
1098         (get2If):
1099         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1100         (shouldThrow):
1101         (foo):
1102
1103 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1104
1105         Unreviewed, roll out r240220 due to date-format-xparb regression
1106         https://bugs.webkit.org/show_bug.cgi?id=193603
1107
1108         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1109         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1110         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1111         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1112
1113 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1114
1115         DoesGC rule is wrong for nodes with BigIntUse
1116         https://bugs.webkit.org/show_bug.cgi?id=193652
1117
1118         Reviewed by Saam Barati.
1119
1120         * stress/big-int-value-op-update-gc-rules.js: Added.
1121         (assert):
1122         (doesGCAdd):
1123         (doesGCSub):
1124         (doesGCDiv):
1125         (doesGCMul):
1126         (doesGCBitAnd):
1127         (doesGCBitOr):
1128         (doesGCBitXor):
1129
1130 2019-01-20  Saam Barati  <sbarati@apple.com>
1131
1132         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1133         https://bugs.webkit.org/show_bug.cgi?id=193644
1134         <rdar://problem/46209745>
1135
1136         Reviewed by Yusuke Suzuki.
1137
1138         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1139         (foo):
1140         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1141         (foo):
1142         (bar):
1143
1144 2019-01-20  Saam Barati  <sbarati@apple.com>
1145
1146         MovHint must merge NodeBytecodeUsesAsValue for its child
1147         https://bugs.webkit.org/show_bug.cgi?id=186916
1148         <rdar://problem/41396612>
1149
1150         Reviewed by Yusuke Suzuki.
1151
1152         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1153         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1154
1155 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1156
1157         [JSC] Invalidate old scope operations using global lexical binding epoch
1158         https://bugs.webkit.org/show_bug.cgi?id=193603
1159         <rdar://problem/47380869>
1160
1161         Reviewed by Saam Barati.
1162
1163         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1164         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1165         (shouldThrow):
1166         (bar):
1167         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1168         (shouldBe):
1169         (get1):
1170         (get2):
1171         (get1If):
1172         (get2If):
1173         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1174         (shouldThrow):
1175         (foo):
1176
1177 2019-01-17  Saam barati  <sbarati@apple.com>
1178
1179         StringObjectUse should not be a structure check for the original string object structure
1180         https://bugs.webkit.org/show_bug.cgi?id=193483
1181         <rdar://problem/47280522>
1182
1183         Reviewed by Yusuke Suzuki.
1184
1185         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1186         (foo):
1187         (a.valueOf.0):
1188
1189 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1190
1191         [JSC] ToThis omission in DFGByteCodeParser is wrong
1192         https://bugs.webkit.org/show_bug.cgi?id=193513
1193         <rdar://problem/45842236>
1194
1195         Reviewed by Saam Barati.
1196
1197         * stress/to-this-omission-with-different-strict-modes.js: Added.
1198         (thisA):
1199         (thisAStrictWrapper):
1200
1201 2019-01-15  Mark Lam  <mark.lam@apple.com>
1202
1203         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1204         https://bugs.webkit.org/show_bug.cgi?id=193423
1205         <rdar://problem/46209355>
1206
1207         Reviewed by Saam Barati.
1208
1209         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1210         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1211         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1212         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1213
1214 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1215
1216         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1217         https://bugs.webkit.org/show_bug.cgi?id=193438
1218         <rdar://problem/45581249>
1219
1220         Reviewed by Saam Barati and Keith Miller.
1221
1222         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1223         Then, GetByVal(String) crashed.
1224
1225         * stress/string-get-by-val-lowering.js: Added.
1226         (shouldBe):
1227         (test):
1228         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1229         (Hello):
1230         (foo):
1231
1232 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1233
1234         Unreviewed, skip JIT tests if it's not enabled
1235
1236         * stress/bit-op-with-object-returning-int32.js:
1237
1238 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1239
1240         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1241         https://bugs.webkit.org/show_bug.cgi?id=192966
1242
1243         Reviewed by Yusuke Suzuki.
1244
1245         * stress/bit-op-with-object-returning-int32.js: Added.
1246
1247 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1248
1249         Skip a slow test and a flakey test on arm
1250
1251         Unreviewed gardening.
1252
1253         * typeProfiler/getter-richards.js:
1254         this test always times out, it used to be always skipped on arm and
1255         mips, but got accidentally enabled by r237919 now that we have DFG on
1256         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1257
1258 2019-01-14  Keith Miller  <keith_miller@apple.com>
1259
1260         Skip type-check-hoisting-phase-hoist... with no jit
1261         https://bugs.webkit.org/show_bug.cgi?id=193421
1262
1263         Reviewed by Mark Lam.
1264
1265         It's timing out the 32-bit bots and takes 330 seconds
1266         on my machine when run by itself.
1267
1268         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1269
1270 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1271
1272         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1273         https://bugs.webkit.org/show_bug.cgi?id=193413
1274         <rdar://problem/46092389>
1275
1276         Reviewed by Keith Miller.
1277
1278         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1279         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1280         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1281         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1282
1283         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1284         (compareArray):
1285
1286 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1287
1288         [BigInt] Literal parsing is crashing when used inside a Object Literal
1289         https://bugs.webkit.org/show_bug.cgi?id=193404
1290
1291         Reviewed by Yusuke Suzuki.
1292
1293         * stress/big-int-literal-inside-literal-object.js: Added.
1294
1295 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1296
1297         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1298         https://bugs.webkit.org/show_bug.cgi?id=193372
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/typed-array-array-modes-profile.js: Added.
1303         (foo):
1304
1305 2019-01-14  Mark Lam  <mark.lam@apple.com>
1306
1307         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1308         https://bugs.webkit.org/show_bug.cgi?id=193402
1309         <rdar://problem/46012309>
1310
1311         Reviewed by Keith Miller.
1312
1313         * stress/regexp-compile-oom.js:
1314         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1315           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1316
1317 2019-01-11  Saam barati  <sbarati@apple.com>
1318
1319         DFG combined liveness can be wrong for terminal basic blocks
1320         https://bugs.webkit.org/show_bug.cgi?id=193304
1321         <rdar://problem/45268632>
1322
1323         Reviewed by Yusuke Suzuki.
1324
1325         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1326
1327 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1328
1329         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1330         https://bugs.webkit.org/show_bug.cgi?id=193308
1331         <rdar://problem/45546542>
1332
1333         Reviewed by Saam Barati.
1334
1335         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1336         (shouldThrow):
1337         (shouldBe):
1338         (foo):
1339         (get shouldThrow):
1340         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1341         (shouldThrow):
1342         (shouldBe):
1343         (foo):
1344         (get shouldBe):
1345         (get shouldThrow):
1346         (get return):
1347         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1348         (shouldThrow):
1349         (shouldBe):
1350         (foo):
1351         (get shouldBe):
1352         (get shouldThrow):
1353         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1354         (shouldThrow):
1355         (shouldBe):
1356         (foo):
1357         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1358         (shouldThrow):
1359         (shouldBe):
1360         (foo):
1361         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1362         (shouldThrow):
1363         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1364         (shouldThrow):
1365         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1366         (shouldThrow):
1367         (shouldBe):
1368         (foo):
1369         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1370         (shouldThrow):
1371         (shouldBe):
1372         (foo):
1373         (get shouldBe):
1374         (get shouldThrow):
1375         (get return):
1376         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1377         (shouldThrow):
1378         (shouldBe):
1379         (foo):
1380         (get shouldBe):
1381         (get shouldThrow):
1382         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1383         (shouldThrow):
1384         (shouldBe):
1385         (foo):
1386         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1387         (shouldThrow):
1388         (shouldBe):
1389         (foo):
1390
1391 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1392
1393         Enable DFG on ARM/Linux again
1394         https://bugs.webkit.org/show_bug.cgi?id=192496
1395
1396         Reviewed by Yusuke Suzuki.
1397
1398         Test wasn't really skipped before moving the line with skip
1399         to the top.
1400
1401         * stress/regress-192717.js:
1402
1403 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1404
1405         Unreviewed, rolling out r239825.
1406         https://bugs.webkit.org/show_bug.cgi?id=193330
1407
1408         Broke tests on armv7/linux bots (Requested by guijemont on
1409         #webkit).
1410
1411         Reverted changeset:
1412
1413         "Enable DFG on ARM/Linux again"
1414         https://bugs.webkit.org/show_bug.cgi?id=192496
1415         https://trac.webkit.org/changeset/239825
1416
1417 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1418
1419         Enable DFG on ARM/Linux again
1420         https://bugs.webkit.org/show_bug.cgi?id=192496
1421
1422         Reviewed by Yusuke Suzuki.
1423
1424         Test wasn't really skipped before moving the line with skip
1425         to the top.
1426
1427         * stress/regress-192717.js:
1428
1429 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1430
1431         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1432         https://bugs.webkit.org/show_bug.cgi?id=193127
1433
1434         Reviewed by Saam Barati.
1435
1436         * stress/array-species-create-should-handle-masquerader.js: Added.
1437         (shouldThrow):
1438         * stress/is-undefined-or-null-builtin.js: Added.
1439         (shouldBe):
1440         (isUndefinedOrNull.vm.createBuiltin):
1441
1442 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1443
1444         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1445         https://bugs.webkit.org/show_bug.cgi?id=193221
1446
1447         Reviewed by Mark Lam.
1448
1449         * stress/put-by-id-flags.js: Added.
1450         (f):
1451         (g):
1452         (numberOfDFGCompiles):
1453
1454 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1455
1456         Baseline version of get_by_id may corrupt metadata
1457         https://bugs.webkit.org/show_bug.cgi?id=193085
1458         <rdar://problem/23453006>
1459
1460         Reviewed by Saam Barati.
1461
1462         * stress/get-by-id-change-mode.js: Added.
1463         (forEach):
1464
1465 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1466
1467         [JSC] Optimize Object.prototype.toString
1468         https://bugs.webkit.org/show_bug.cgi?id=193031
1469
1470         Reviewed by Saam Barati.
1471
1472         * stress/object-tostring-changed-proto.js: Added.
1473         (shouldBe):
1474         (test):
1475         * stress/object-tostring-changed.js: Added.
1476         (shouldBe):
1477         (test):
1478         * stress/object-tostring-misc.js: Added.
1479         (shouldBe):
1480         (test):
1481         (i.switch):
1482         * stress/object-tostring-other.js: Added.
1483         (shouldBe):
1484         (test):
1485         * stress/object-tostring-untyped.js: Added.
1486         (shouldBe):
1487         (test):
1488         (i.switch):
1489
1490 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1491
1492         test262-runner misbehaves when test file YAML has a trailing space
1493         https://bugs.webkit.org/show_bug.cgi?id=193053
1494
1495         Reviewed by Yusuke Suzuki.
1496
1497         * test262/expectations.yaml:
1498         Mark two dozen tests as passing (and correct the output of another).
1499
1500 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1501
1502         Unreviewed, JSTests gardening with memoryLimited
1503
1504         * stress/string-overflow-createError.js:
1505
1506 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1507
1508         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1509         https://bugs.webkit.org/show_bug.cgi?id=193050
1510
1511         Reviewed by Yusuke Suzuki.
1512
1513         * test262.yaml:
1514         * test262/expectations.yaml:
1515         Mark 16 tests as passing.
1516
1517 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1518
1519         [BigInt] Support BigInt in JSON.stringify
1520         https://bugs.webkit.org/show_bug.cgi?id=192624
1521
1522         Reviewed by Saam Barati.
1523
1524         * stress/big-int-json-stringify-to-json.js: Added.
1525         (shouldBe):
1526         (shouldThrow):
1527         (BigInt.prototype.toJSON):
1528         (shouldBe.JSON.stringify):
1529         * stress/big-int-json-stringify.js: Added.
1530         (shouldBe):
1531         (shouldThrow):
1532
1533 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1534
1535         [JSC] Implement "well-formed JSON.stringify" proposal
1536         https://bugs.webkit.org/show_bug.cgi?id=191677
1537
1538         Reviewed by Darin Adler.
1539
1540         * stress/json-surrogate-pair.js: Added.
1541         (shouldBe):
1542         * test262/expectations.yaml:
1543
1544 2018-12-20  Keith Miller  <keith_miller@apple.com>
1545
1546         Add support for globalThis
1547         https://bugs.webkit.org/show_bug.cgi?id=165171
1548
1549         Reviewed by Mark Lam.
1550
1551         * test262/config.yaml:
1552
1553 2018-12-19  Keith Miller  <keith_miller@apple.com>
1554
1555         Update test262 configuration to not run tests dependent on ICU version.
1556         https://bugs.webkit.org/show_bug.cgi?id=192920
1557
1558         Reviewed by Saam Barati.
1559
1560         * test262/expectations.yaml:
1561
1562 2018-12-20  Mark Lam  <mark.lam@apple.com>
1563
1564         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1565         https://bugs.webkit.org/show_bug.cgi?id=192939
1566         <rdar://problem/46869516>
1567
1568         Reviewed by Keith Miller.
1569
1570         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1571
1572 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1573
1574         WTF::String and StringImpl overflow MaxLength
1575         https://bugs.webkit.org/show_bug.cgi?id=192853
1576         <rdar://problem/45726906>
1577
1578         Reviewed by Mark Lam.
1579
1580         * stress/string-16bit-repeat-overflow.js: Added.
1581         (catch):
1582
1583 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1584
1585         Unreviewed follow-up to r192914.
1586
1587         * test262/expectations.yaml:
1588         Add the last 20 missing expectations.
1589
1590 2018-12-19  Keith Miller  <keith_miller@apple.com>
1591
1592         Fix test262 expectations
1593         https://bugs.webkit.org/show_bug.cgi?id=192914
1594
1595         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1596
1597         * test262/expectations.yaml:
1598
1599 2018-12-19  Keith Miller  <keith_miller@apple.com>
1600
1601         Update test262 tests.
1602         https://bugs.webkit.org/show_bug.cgi?id=192907
1603
1604         Rubber stamped by Mark Lam.
1605
1606         * test262/*: Omitted because prepare-changelog crashes.
1607
1608 2018-12-19  Mark Lam  <mark.lam@apple.com>
1609
1610         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1611         https://bugs.webkit.org/show_bug.cgi?id=192464
1612         <rdar://problem/46519455>
1613
1614         Reviewed by Saam Barati.
1615
1616         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1617         microbenchmark.
1618
1619         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1620         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1621
1622 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1623
1624         String overflow in JSC::createError results in ASSERT in WTF::makeString
1625         https://bugs.webkit.org/show_bug.cgi?id=192833
1626         <rdar://problem/45706868>
1627
1628         Reviewed by Mark Lam.
1629
1630         * stress/string-overflow-createError.js: Added.
1631
1632 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1633
1634         Error message for `-x ** y` contains a typo.
1635         https://bugs.webkit.org/show_bug.cgi?id=192832
1636
1637         Reviewed by Saam Barati.
1638
1639         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1640         (assert.assert.return.throws):
1641         * stress/pow-expects-update-expression-on-lhs.js:
1642         (throw.new.Error):
1643         Update test expectations which match against the exact error message.
1644
1645 2018-12-18  Mark Lam  <mark.lam@apple.com>
1646
1647         Gardening: test options fix.
1648         https://bugs.webkit.org/show_bug.cgi?id=192822
1649
1650         Unreviewed.
1651
1652         * stress/json-stringify-string-builder-overflow.js:
1653
1654 2018-12-18  Mark Lam  <mark.lam@apple.com>
1655
1656         JSON.stringify() should throw OOM on StringBuilder overflows.
1657         https://bugs.webkit.org/show_bug.cgi?id=192822
1658         <rdar://problem/46670577>
1659
1660         Reviewed by Saam Barati.
1661
1662         * stress/json-stringify-string-builder-overflow.js: Added.
1663
1664 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1665
1666         Redeclaration of var over let/const/class should be a syntax error.
1667         https://bugs.webkit.org/show_bug.cgi?id=192298
1668
1669         Reviewed by Keith Miller.
1670
1671         * test262.yaml:
1672         * test262/expectations.yaml:
1673         Mark 46 tests as passing.
1674
1675         * stress/block-scope-redeclarations.js:
1676         Add some new tests.
1677
1678         * stress/for-in-invalidate-context-weird-assignments.js:
1679         * stress/for-in-tests.js:
1680         Replace tests for outdated behavior with tests for SyntaxError.
1681
1682         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1683         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1684         Update expectations.
1685
1686 2018-12-18  Mark Lam  <mark.lam@apple.com>
1687
1688         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1689         https://bugs.webkit.org/show_bug.cgi?id=191374
1690         <rdar://problem/46525447>
1691
1692         Reviewed by Yusuke Suzuki.
1693
1694         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1695
1696         * stress/elidable-new-object-roflcopter-then-exit.js:
1697
1698 2018-12-17  Mark Lam  <mark.lam@apple.com>
1699
1700         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1701         https://bugs.webkit.org/show_bug.cgi?id=192019
1702         <rdar://problem/46525456>
1703
1704         Reviewed by Yusuke Suzuki.
1705
1706         The test runs too slow on 32-bit.
1707
1708         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1709
1710 2018-12-17  Mark Lam  <mark.lam@apple.com>
1711
1712         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1713         https://bugs.webkit.org/show_bug.cgi?id=191373
1714         <rdar://problem/46525458>
1715
1716         Reviewed by Yusuke Suzuki.
1717
1718         The test is already slow running with a JIT on 64-bit.  It will always timeout
1719         on 32-bit without a JIT.
1720
1721         * stress/materialize-regexp-cyclic-regexp.js:
1722
1723 2018-12-17  Mark Lam  <mark.lam@apple.com>
1724
1725         Array unshift/shift should not race against the AI in the compiler thread.
1726         https://bugs.webkit.org/show_bug.cgi?id=192795
1727         <rdar://problem/46724263>
1728
1729         Reviewed by Saam Barati.
1730
1731         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1732
1733 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1734
1735         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1736         https://bugs.webkit.org/show_bug.cgi?id=190047
1737
1738         Reviewed by Saam Barati.
1739
1740         * stress/object-keys-cached-zero.js: Added.
1741         (shouldBe):
1742         (test):
1743         * stress/object-keys-changed-attribute.js: Added.
1744         (shouldBe):
1745         (test):
1746         * stress/object-keys-changed-index.js: Added.
1747         (shouldBe):
1748         (test):
1749         * stress/object-keys-changed.js: Added.
1750         (shouldBe):
1751         (test):
1752         * stress/object-keys-indexed-non-cache.js: Added.
1753         (shouldBe):
1754         (test):
1755         * stress/object-keys-overrides-get-property-names.js: Added.
1756         (shouldBe):
1757         (test):
1758         (noInline):
1759
1760 2018-12-17  Mark Lam  <mark.lam@apple.com>
1761
1762         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1763         https://bugs.webkit.org/show_bug.cgi?id=192779
1764         <rdar://problem/46775869>
1765
1766         Reviewed by Saam Barati.
1767
1768         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1769
1770 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1771
1772         Unreviewed test gardening, address a syntax error in a new test.
1773
1774         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1775
1776 2018-12-17  Mark Lam  <mark.lam@apple.com>
1777
1778         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1779         https://bugs.webkit.org/show_bug.cgi?id=192776
1780         <rdar://problem/46772368>
1781
1782         Reviewed by Keith Miller.
1783
1784         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1785
1786 2018-12-17  Mark Lam  <mark.lam@apple.com>
1787
1788         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1789         https://bugs.webkit.org/show_bug.cgi?id=192770
1790         <rdar://problem/46449037>
1791
1792         Reviewed by Keith Miller.
1793
1794         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1795
1796 2018-12-14  Mark Lam  <mark.lam@apple.com>
1797
1798         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1799         https://bugs.webkit.org/show_bug.cgi?id=192717
1800         <rdar://problem/46660677>
1801
1802         Reviewed by Saam Barati.
1803
1804         * stress/regress-192717.js: Added.
1805
1806 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1807
1808         Unreviewed, rolling out r239153, r239154, and r239155.
1809         https://bugs.webkit.org/show_bug.cgi?id=192715
1810
1811         Caused flaky GC-related crashes seen with layout tests
1812         (Requested by ryanhaddad on #webkit).
1813
1814         Reverted changesets:
1815
1816         "[JSC] Optimize Object.keys by caching own keys results in
1817         StructureRareData"
1818         https://bugs.webkit.org/show_bug.cgi?id=190047
1819         https://trac.webkit.org/changeset/239153
1820
1821         "Unreviewed, build fix after r239153"
1822         https://bugs.webkit.org/show_bug.cgi?id=190047
1823         https://trac.webkit.org/changeset/239154
1824
1825         "Unreviewed, build fix after r239153, part 2"
1826         https://bugs.webkit.org/show_bug.cgi?id=190047
1827         https://trac.webkit.org/changeset/239155
1828
1829 2018-12-14  Keith Miller  <keith_miller@apple.com>
1830
1831         Callers of JSString::getIndex should check for OOM exceptions
1832         https://bugs.webkit.org/show_bug.cgi?id=192709
1833
1834         Reviewed by Mark Lam.
1835
1836         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1837
1838 2018-12-13  Mark Lam  <mark.lam@apple.com>
1839
1840         Add a missing exception check.
1841         https://bugs.webkit.org/show_bug.cgi?id=192626
1842         <rdar://problem/46662163>
1843
1844         Reviewed by Keith Miller.
1845
1846         * stress/regress-192626.js: Added.
1847
1848 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1849
1850         [BigInt] Add ValueDiv into DFG
1851         https://bugs.webkit.org/show_bug.cgi?id=186178
1852
1853         Reviewed by Yusuke Suzuki.
1854
1855         * stress/big-int-div-jit-osr.js: Added.
1856         * stress/big-int-div-jit-untyped.js: Added.
1857         * stress/value-div-fixup-int32-big-int.js: Added.
1858
1859 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1860
1861         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1862         https://bugs.webkit.org/show_bug.cgi?id=190047
1863
1864         Reviewed by Keith Miller.
1865
1866         * stress/object-keys-cached-zero.js: Added.
1867         (shouldBe):
1868         (test):
1869         * stress/object-keys-changed-attribute.js: Added.
1870         (shouldBe):
1871         (test):
1872         * stress/object-keys-changed-index.js: Added.
1873         (shouldBe):
1874         (test):
1875         * stress/object-keys-changed.js: Added.
1876         (shouldBe):
1877         (test):
1878         * stress/object-keys-indexed-non-cache.js: Added.
1879         (shouldBe):
1880         (test):
1881         * stress/object-keys-overrides-get-property-names.js: Added.
1882         (shouldBe):
1883         (test):
1884         (noInline):
1885
1886 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1887
1888         [DFG][FTL] Add NewSymbol
1889         https://bugs.webkit.org/show_bug.cgi?id=192620
1890
1891         Reviewed by Saam Barati.
1892
1893         * microbenchmarks/symbol-creation.js: Added.
1894         (test):
1895         * stress/symbol-description-identity.js: Added.
1896         (shouldBe):
1897         (test):
1898         * stress/symbol-identity.js: Added.
1899         (shouldBe):
1900         (test):
1901         * stress/symbol-with-description-throw-error.js: Added.
1902         (shouldBe):
1903         (shouldThrow):
1904         (test):
1905         (object.toString):
1906
1907 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1908
1909         [BigInt] Implement DFG/FTL typeof for BigInt
1910         https://bugs.webkit.org/show_bug.cgi?id=192619
1911
1912         Reviewed by Keith Miller.
1913
1914         * stress/big-int-boolean-proven-type.js: Added.
1915         (assert):
1916         (bool):
1917         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1918         (assert):
1919         (typeOf):
1920         (i.switch):
1921         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1922         (assert):
1923         (typeOf):
1924         * stress/big-int-type-of.js:
1925         (typeOf):
1926         (func):
1927
1928 2018-12-10  Mark Lam  <mark.lam@apple.com>
1929
1930         PropertyAttribute needs a CustomValue bit.
1931         https://bugs.webkit.org/show_bug.cgi?id=191993
1932         <rdar://problem/46264467>
1933
1934         Reviewed by Saam Barati.
1935
1936         * stress/regress-191993.js: Added.
1937
1938 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1939
1940         [BigInt] Add ValueMul into DFG
1941         https://bugs.webkit.org/show_bug.cgi?id=186175
1942
1943         Reviewed by Yusuke Suzuki.
1944
1945         * stress/big-int-mul-jit-osr.js: Added.
1946         * stress/big-int-mul-jit-untyped.js: Added.
1947         * stress/value-mul-fixup-int32-big-int.js: Added.
1948
1949 2018-12-06  Keith Miller  <keith_miller@apple.com>
1950
1951         stress/big-wasm-memory tests failing on 32-bit JSC bot
1952         https://bugs.webkit.org/show_bug.cgi?id=192020
1953
1954         Reviewed by Saam Barati.
1955
1956         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1957         the wasm stress tests if the WebAssembly object does not exist.
1958
1959         * stress/big-wasm-memory-grow-no-max.js:
1960         (test.foo):
1961         (test):
1962         (foo): Deleted.
1963         (catch): Deleted.
1964         * stress/big-wasm-memory-grow.js:
1965         (test.foo):
1966         (test):
1967         (foo): Deleted.
1968         (catch): Deleted.
1969         * stress/big-wasm-memory.js:
1970         (test.foo):
1971         (test):
1972         (foo): Deleted.
1973         (catch): Deleted.
1974
1975 2018-12-05  Mark Lam  <mark.lam@apple.com>
1976
1977         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1978         https://bugs.webkit.org/show_bug.cgi?id=192441
1979         <rdar://problem/46480355>
1980
1981         Reviewed by Saam Barati.
1982
1983         * stress/regress-192441.js: Added.
1984
1985 2018-12-04  Mark Lam  <mark.lam@apple.com>
1986
1987         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1988         https://bugs.webkit.org/show_bug.cgi?id=192386
1989         <rdar://problem/46445516>
1990
1991         Reviewed by Saam Barati.
1992
1993         * stress/regress-192386.js: Added.
1994
1995 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1996
1997         [ESNext][BigInt] Support logic operations
1998         https://bugs.webkit.org/show_bug.cgi?id=179903
1999
2000         Reviewed by Yusuke Suzuki.
2001
2002         * stress/big-int-branch-usage.js: Added.
2003         * stress/big-int-logical-and.js: Added.
2004         * stress/big-int-logical-not.js: Added.
2005         * stress/big-int-logical-or.js: Added.
2006
2007 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2008
2009         Unreviewed, rolling out r238833.
2010
2011         Breaks macOS and iOS debug builds.
2012
2013         Reverted changeset:
2014
2015         "[ESNext][BigInt] Support logic operations"
2016         https://bugs.webkit.org/show_bug.cgi?id=179903
2017         https://trac.webkit.org/changeset/238833
2018
2019 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2020
2021         [ESNext][BigInt] Support logic operations
2022         https://bugs.webkit.org/show_bug.cgi?id=179903
2023
2024         Reviewed by Yusuke Suzuki.
2025
2026         * stress/big-int-branch-usage.js: Added.
2027         * stress/big-int-logical-and.js: Added.
2028         * stress/big-int-logical-not.js: Added.
2029         * stress/big-int-logical-or.js: Added.
2030
2031 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2032
2033         [ESNext][BigInt] Implement support for "<<" and ">>"
2034         https://bugs.webkit.org/show_bug.cgi?id=186233
2035
2036         Reviewed by Yusuke Suzuki.
2037
2038         * stress/big-int-left-shift-general.js: Added.
2039         * stress/big-int-left-shift-range-error.js: Added.
2040         * stress/big-int-left-shift-type-error.js: Added.
2041         * stress/big-int-left-shift-wrapped-value.js: Added.
2042         * stress/big-int-right-shift-general.js: Added.
2043         * stress/big-int-right-shift-type-error.js: Added.
2044         * stress/big-int-right-shift-wrapped-value.js: Added.
2045         * stress/left-shift-to-primitive-precedence.js: Added.
2046         * stress/right-shift-to-primitive-precedence.js: Added.
2047
2048 2018-11-30  Dean Jackson  <dino@apple.com>
2049
2050         Add first-class support for .mjs files in jsc binary
2051         https://bugs.webkit.org/show_bug.cgi?id=192190
2052         <rdar://problem/46375715>
2053
2054         Reviewed by Keith Miller.
2055
2056         * stress/simple-module.mjs: Added.
2057         * stress/simple-script.js: Added.
2058
2059 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2060
2061         [BigInt] Implement ValueBitXor into DFG
2062         https://bugs.webkit.org/show_bug.cgi?id=190264
2063
2064         Reviewed by Yusuke Suzuki.
2065
2066         * stress/big-int-bitwise-xor-jit.js: Added.
2067         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2068         * stress/big-int-bitwise-xor-untyped.js: Added.
2069
2070 2018-11-27  Saam barati  <sbarati@apple.com>
2071
2072         r238510 broke scopes of size zero
2073         https://bugs.webkit.org/show_bug.cgi?id=192033
2074         <rdar://problem/46281734>
2075
2076         Reviewed by Keith Miller.
2077
2078         * stress/r238510-bad-loop.js: Added.
2079         (foo):
2080
2081 2018-11-27  Mark Lam  <mark.lam@apple.com>
2082
2083         [Re-landing] NaNs read from Wasm code needs to be be purified.
2084         https://bugs.webkit.org/show_bug.cgi?id=191056
2085         <rdar://problem/45660341>
2086
2087         Reviewed by Filip Pizlo.
2088
2089         * wasm/regress/regress-191056.js: Added.
2090
2091 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2092
2093         Unreviewed, rolling out r238509.
2094
2095         Causes JSC tests to fail on iOS.
2096
2097         Reverted changeset:
2098
2099         "NaNs read from Wasm code needs to be be purified."
2100         https://bugs.webkit.org/show_bug.cgi?id=191056
2101         https://trac.webkit.org/changeset/238509
2102
2103 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2104
2105         Re-introduce op_bitnot
2106         https://bugs.webkit.org/show_bug.cgi?id=190923
2107
2108         Reviewed by Yusuke Suzuki.
2109
2110         * stress/bit-not-must-generate.js: Added.
2111         * stress/bitwise-not-no-int32.js: Added.
2112
2113 2018-11-26  Saam barati  <sbarati@apple.com>
2114
2115         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2116         https://bugs.webkit.org/show_bug.cgi?id=191956
2117         <rdar://problem/45665806>
2118
2119         Reviewed by Yusuke Suzuki.
2120
2121         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2122         (bar):
2123         (foo):
2124
2125 2018-11-26  Saam barati  <sbarati@apple.com>
2126
2127         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2128         https://bugs.webkit.org/show_bug.cgi?id=191958
2129         <rdar://problem/46221877>
2130
2131         Reviewed by Yusuke Suzuki.
2132
2133         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2134         (x):
2135         (foo):
2136
2137 2018-11-26  Mark Lam  <mark.lam@apple.com>
2138
2139         NaNs read from Wasm code needs to be be purified.
2140         https://bugs.webkit.org/show_bug.cgi?id=191056
2141         <rdar://problem/45660341>
2142
2143         Reviewed by Filip Pizlo.
2144
2145         * wasm/regress/regress-191056.js: Added.
2146
2147 2018-11-26  Michael Saboff  <msaboff@apple.com>
2148
2149         32-bit JSC test failure: stress/regexp-compile-oom.js
2150         https://bugs.webkit.org/show_bug.cgi?id=191375
2151
2152         Reviewed by Mark Lam.
2153
2154         Disabled the test for 32 bit platforms.
2155
2156         * stress/regexp-compile-oom.js:
2157
2158 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2159
2160         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2161         https://bugs.webkit.org/show_bug.cgi?id=191716
2162         <rdar://problem/45723878>
2163
2164         Reviewed by Saam Barati.
2165
2166         * stress/regress-187373.js: Added.
2167         (async.fn):
2168
2169 2018-11-21  Saam barati  <sbarati@apple.com>
2170
2171         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2172         https://bugs.webkit.org/show_bug.cgi?id=191897
2173         <rdar://problem/45871998>
2174
2175         Reviewed by Mark Lam.
2176
2177         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2178         (bar):
2179         (foo):
2180
2181 2018-11-21  Saam barati  <sbarati@apple.com>
2182
2183         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2184         https://bugs.webkit.org/show_bug.cgi?id=191895
2185         <rdar://problem/46167406>
2186
2187         Reviewed by Mark Lam.
2188
2189         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2190         (foo):
2191         (bar):
2192
2193 2018-11-21  Mark Lam  <mark.lam@apple.com>
2194
2195         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2196         https://bugs.webkit.org/show_bug.cgi?id=191776
2197         <rdar://problem/46152851>
2198
2199         Reviewed by Saam Barati.
2200
2201         * stress/big-wasm-memory-grow-no-max.js:
2202         * stress/big-wasm-memory-grow.js:
2203         * stress/big-wasm-memory.js:
2204         - updated these to expect an OutOfMemoryError.
2205
2206         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2207         (Binary.prototype.emit_u8):
2208         (Binary.prototype.emit_u32v):
2209         (Binary.prototype.emit_header):
2210         (Binary.prototype.emit_section):
2211         (Binary):
2212         (WasmModuleBuilder):
2213         (WasmModuleBuilder.prototype.addMemory):
2214         (WasmModuleBuilder.prototype.toArray):
2215         (WasmModuleBuilder.prototype.toBuffer):
2216         (WasmModuleBuilder.prototype.instantiate):
2217         (catch):
2218         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2219         (catch):
2220
2221 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2222
2223         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2224         https://bugs.webkit.org/show_bug.cgi?id=190836
2225
2226         Reviewed by Saam Barati and Yusuke Suzuki.
2227
2228         * stress/big-int-out-of-memory-tests.js: Added.
2229
2230 2018-11-20  Mark Lam  <mark.lam@apple.com>
2231
2232         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2233         https://bugs.webkit.org/show_bug.cgi?id=191856
2234         <rdar://problem/46089992>
2235
2236         Reviewed by Yusuke Suzuki.
2237
2238         * stress/regress-191856.js: Added.
2239         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2240
2241 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2242
2243         Enable JIT on ARM/Linux
2244         https://bugs.webkit.org/show_bug.cgi?id=191548
2245
2246         Reviewed by Yusuke Suzuki.
2247
2248         Disable test on system with limited memory. Program was killed by
2249         the OS before the exception was thrown.
2250
2251         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2252
2253 2018-11-20  Saam barati  <sbarati@apple.com>
2254
2255         Merging an IC variant may lead to the IC status containing overlapping structure sets
2256         https://bugs.webkit.org/show_bug.cgi?id=191869
2257         <rdar://problem/45403453>
2258
2259         Reviewed by Mark Lam.
2260
2261         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2262
2263 2018-11-19  Mark Lam  <mark.lam@apple.com>
2264
2265         globalFuncImportModule() should return a promise when it clears exceptions.
2266         https://bugs.webkit.org/show_bug.cgi?id=191792
2267         <rdar://problem/46090763>
2268
2269         Reviewed by Michael Saboff.
2270
2271         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2272
2273 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2274
2275         Skip new memory-hungry tests on memory limited devices
2276
2277         Unreviewed gardening.
2278
2279         * stress/big-wasm-memory-grow-no-max.js:
2280         * stress/big-wasm-memory-grow.js:
2281         * stress/big-wasm-memory.js:
2282
2283 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2284
2285         Unreviewed, rolling in the rest of r237254
2286         https://bugs.webkit.org/show_bug.cgi?id=190340
2287
2288         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2289         * stress/function-cache-with-parameters-end-position.js: Added.
2290         (shouldBe):
2291         (shouldThrow):
2292         (i.anonymous):
2293         * stress/function-constructor-name.js: Added.
2294         (shouldBe):
2295         (GeneratorFunction):
2296         (AsyncFunction.async):
2297         (AsyncGeneratorFunction.async):
2298         (anonymous):
2299         (async.anonymous):
2300         * test262/expectations.yaml:
2301
2302 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2303
2304         All users of ArrayBuffer should agree on the same max size
2305         https://bugs.webkit.org/show_bug.cgi?id=191771
2306
2307         Reviewed by Mark Lam.
2308
2309         * stress/big-wasm-memory-grow-no-max.js: Added.
2310         (foo):
2311         (catch):
2312         * stress/big-wasm-memory-grow.js: Added.
2313         (foo):
2314         (catch):
2315         * stress/big-wasm-memory.js: Added.
2316         (foo):
2317         (catch):
2318
2319 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2320
2321         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2322         run for each JSC config since they're regression tests for runtime bugs.
2323
2324         * stress/json-stringified-overflow-2.js:
2325         * stress/json-stringified-overflow.js:
2326
2327 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2328
2329         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2330         config since they're regression tests for runtime bugs.
2331
2332         * stress/large-unshift-splice.js:
2333         * stress/regress-185888.js:
2334
2335 2018-11-16  Saam Barati  <sbarati@apple.com>
2336
2337         KnownCellUse should also have SpecCellCheck as its type filter
2338         https://bugs.webkit.org/show_bug.cgi?id=191729
2339         <rdar://problem/45872852>
2340
2341         Reviewed by Filip Pizlo.
2342
2343         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2344         (C):
2345
2346 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2347
2348         Fix assertion failure on BytecodeGenerator::recordOpcode
2349         https://bugs.webkit.org/show_bug.cgi?id=191724
2350         <rdar://problem/45724395>
2351
2352         Reviewed by Saam Barati.
2353
2354         * stress/regress-187373-2.js: Added.
2355         (foo):
2356
2357 2018-11-15  Mark Lam  <mark.lam@apple.com>
2358
2359         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2360         https://bugs.webkit.org/show_bug.cgi?id=191730
2361         <rdar://problem/46048517>
2362
2363         Reviewed by Saam Barati.
2364
2365         * stress/regress-187006.js: Removed.
2366           - this test is invalid because its sole purpose is to test for the non-spec
2367             compliant behavior that we just fixed.
2368
2369         * stress/regress-191730.js: Added.
2370
2371 2018-11-15  Mark Lam  <mark.lam@apple.com>
2372
2373         RegExp operations should not take fast patch if lastIndex is not numeric.
2374         https://bugs.webkit.org/show_bug.cgi?id=191731
2375         <rdar://problem/46017305>
2376
2377         Reviewed by Saam Barati.
2378
2379         * stress/regress-191731.js: Added.
2380
2381 2018-11-13  Saam Barati  <sbarati@apple.com>
2382
2383         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2384         https://bugs.webkit.org/show_bug.cgi?id=191600
2385
2386         Reviewed by Mark Lam.
2387
2388         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2389         (foo):
2390         (test):
2391         (bar):
2392
2393 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2394
2395         Unreviewed, rolling out r238132.
2396
2397         The test added with this change is timing out on Debug JSC
2398         bots.
2399
2400         Reverted changeset:
2401
2402         "[BigInt] JSBigInt::createWithLength should throw when length
2403         is greater than JSBigInt::maxLength"
2404         https://bugs.webkit.org/show_bug.cgi?id=190836
2405         https://trac.webkit.org/changeset/238132
2406
2407 2018-11-13  Mark Lam  <mark.lam@apple.com>
2408
2409         Add OOM detection to StringPrototype's substituteBackreferences().
2410         https://bugs.webkit.org/show_bug.cgi?id=191563
2411         <rdar://problem/45720428>
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/regress-191563.js: Added.
2416
2417 2018-11-13  Mark Lam  <mark.lam@apple.com>
2418
2419         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2420         https://bugs.webkit.org/show_bug.cgi?id=191579
2421         <rdar://problem/45942472>
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/regress-191579.js: Added.
2426
2427 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2428
2429         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2430         https://bugs.webkit.org/show_bug.cgi?id=190836
2431
2432         Reviewed by Saam Barati.
2433
2434         * stress/big-int-out-of-memory-tests.js: Added.
2435
2436 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2437
2438         U+180E is no longer a whitespace character
2439         https://bugs.webkit.org/show_bug.cgi?id=191415
2440
2441         Reviewed by Saam Barati.
2442
2443         * ChakraCore/test/es5/regexSpace.baseline:
2444         * ChakraCore/test/es6/unicode_whitespace.js:
2445         Update tests to latest version.
2446         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2447
2448         * test262.yaml:
2449         * test262/config.yaml:
2450         * test262/expectations.yaml:
2451         Update expectations.
2452
2453 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2454
2455         [BigInt] Add support to BigInt into ValueAdd
2456         https://bugs.webkit.org/show_bug.cgi?id=186177
2457
2458         Reviewed by Keith Miller.
2459
2460         * stress/big-int-negate-jit.js:
2461         * stress/value-add-big-int-and-string.js: Added.
2462         * stress/value-add-big-int-prediction-propagation.js: Added.
2463         * stress/value-add-big-int-untyped.js: Added.
2464
2465 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2466
2467         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2468         https://bugs.webkit.org/show_bug.cgi?id=191184
2469
2470         Reviewed by Saam Barati.
2471
2472         Most tests were failing due to timeouts, since they are too slow to
2473         run on CLoop. The exceptions are:
2474
2475         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2476         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2477         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2478         to change the stack size since CLoop requires it to be page aligned.
2479
2480         * microbenchmarks/array-push-1.js:
2481         * microbenchmarks/array-push-2.js:
2482         * microbenchmarks/elidable-new-object-dag.js:
2483         * microbenchmarks/elidable-new-object-roflcopter.js:
2484         * microbenchmarks/elidable-new-object-tree.js:
2485         * microbenchmarks/getter-richards.js:
2486         * microbenchmarks/sinkable-new-object-dag.js:
2487         * microbenchmarks/string-concat-long-convert.js:
2488         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2489         * slowMicrobenchmarks/array-push-3.js:
2490         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2491         * slowMicrobenchmarks/spread-small-array.js:
2492         * slowMicrobenchmarks/undefined-property-access.js:
2493         * stress/activation-sink-default-value-tdz-error.js:
2494         * stress/activation-sink-default-value.js:
2495         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2496         * stress/activation-sink-osrexit-default-value.js:
2497         * stress/activation-sink-osrexit.js:
2498         * stress/activation-sink.js:
2499         * stress/allow-math-ic-b3-code-duplication.js:
2500         * stress/array-push-multiple-int32.js:
2501         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2502         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2503         * stress/arrowfunction-lexical-this-activation-sink.js:
2504         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2505         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2506         * stress/elide-new-object-dag-then-exit.js:
2507         * stress/materialize-regexp-cyclic.js:
2508         * stress/new-regex-inline.js:
2509         * stress/op_add.js:
2510         * stress/op_bitand.js:
2511         * stress/op_bitor.js:
2512         * stress/op_bitxor.js:
2513         * stress/op_div-ConstVar.js:
2514         * stress/op_div-VarConst.js:
2515         * stress/op_div-VarVar.js:
2516         * stress/op_lshift-ConstVar.js:
2517         * stress/op_lshift-VarConst.js:
2518         * stress/op_lshift-VarVar.js:
2519         * stress/op_mod-ConstVar.js:
2520         * stress/op_mod-VarConst.js:
2521         * stress/op_mod-VarVar.js:
2522         * stress/op_mul-ConstVar.js:
2523         * stress/op_mul-VarConst.js:
2524         * stress/op_mul-VarVar.js:
2525         * stress/op_rshift-ConstVar.js:
2526         * stress/op_rshift-VarConst.js:
2527         * stress/op_rshift-VarVar.js:
2528         * stress/op_sub-ConstVar.js:
2529         * stress/op_sub-VarConst.js:
2530         * stress/op_sub-VarVar.js:
2531         * stress/op_urshift-ConstVar.js:
2532         * stress/op_urshift-VarConst.js:
2533         * stress/op_urshift-VarVar.js:
2534         * stress/proxy-get-set-correct-receiver.js:
2535         * stress/regress-179562.js:
2536         * stress/rest-parameter-many-arguments.js:
2537         * stress/sampling-profiler-richards.js:
2538         * stress/splay-flash-access-1ms.js:
2539         * stress/tailCallForwardArguments.js:
2540         * stress/typed-array-get-by-val-profiling.js:
2541         * typeProfiler/getter-richards.js:
2542
2543 2018-11-06  Michael Saboff  <msaboff@apple.com>
2544
2545         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2546         https://bugs.webkit.org/show_bug.cgi?id=191271
2547
2548         Reviewed by Saam Barati.
2549
2550         Added more test cases and made all test cases run with the same deeply recursive stack
2551         instead of finding that same point for each test case.
2552
2553         * stress/regexp-compile-oom.js:
2554         (prototype.runTest):
2555         (recurseAndTest):
2556         (testList.push.new.TestAndExpectedException):
2557
2558 2018-11-05  Michael Saboff  <msaboff@apple.com>
2559
2560         Unreviewed build fix for linux.
2561
2562         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2563
2564 2018-11-02  Michael Saboff  <msaboff@apple.com>
2565
2566         Rolling in r237753 with unreviewed build fix.
2567
2568         Fixed issues with DECLARE_THROW_SCOPE placement.
2569
2570 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2571
2572         Unreviewed, rolling out r237753.
2573
2574         Introduced JSC test failures
2575
2576         Reverted changeset:
2577
2578         "Running out of stack space not properly handled in
2579         RegExp::compile() and its callers"
2580         https://bugs.webkit.org/show_bug.cgi?id=191206
2581         https://trac.webkit.org/changeset/237753
2582
2583 2018-11-02  Michael Saboff  <msaboff@apple.com>
2584
2585         Running out of stack space not properly handled in RegExp::compile() and its callers
2586         https://bugs.webkit.org/show_bug.cgi?id=191206
2587
2588         Reviewed by Filip Pizlo.
2589
2590         New regression test.
2591
2592         * stress/regexp-compile-oom.js: Added.
2593         (recurseAndTest):
2594
2595 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2596
2597         Skip tests on arm/mips that time out now we're running on CLoop
2598
2599         Unreviewed gardening.
2600
2601         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2602         time out on the bots and need to be disabled. There's more tests
2603         disabled on arm because the timeout is longer on the mips bot (as the
2604         device is slower to start with), so many of the tests don't time out
2605         there.
2606
2607         * microbenchmarks/getter-richards.js: disable on arm and mips.
2608         * stress/op_add.js: disable on arm.
2609         * stress/op_bitand.js: disable on arm.
2610         * stress/op_bitor.js: disable on arm.
2611         * stress/op_bitxor.js: disable on arm.
2612         * stress/op_lshift-ConstVar.js: disable on arm.
2613         * stress/op_lshift-VarConst.js: disable on arm.
2614         * stress/op_lshift-VarVar.js: disable on arm.
2615         * stress/op_mod-ConstVar.js: disable on arm.
2616         * stress/op_mod-VarConst.js: disable on arm.
2617         * stress/op_mod-VarVar.js: disable on arm.
2618         * stress/op_mul-ConstVar.js: disable on arm.
2619         * stress/op_mul-VarConst.js: disable on arm.
2620         * stress/op_mul-VarVar.js: disable on arm.
2621         * stress/op_rshift-ConstVar.js: disable on arm.
2622         * stress/op_rshift-VarConst.js: disable on arm.
2623         * stress/op_rshift-VarVar.js: disable on arm.
2624         * stress/op_sub-ConstVar.js: disable on arm.
2625         * stress/op_sub-VarConst.js: disable on arm.
2626         * stress/op_sub-VarVar.js: disable on arm.
2627         * stress/op_urshift-ConstVar.js: disable on arm.
2628         * stress/op_urshift-VarConst.js: disable on arm.
2629         * stress/op_urshift-VarVar.js: disable on arm.
2630         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2631         * stress/value-to-boolean.js: disable on arm and mips.
2632
2633 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2634
2635         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2636         https://bugs.webkit.org/show_bug.cgi?id=191108
2637         <rdar://problem/45690700>
2638
2639         Reviewed by Saam Barati.
2640
2641         * stress/wide-op_catch.js: Added.
2642         (catch):
2643
2644 2018-10-29  Mark Lam  <mark.lam@apple.com>
2645
2646         Correctly detect string overflow when using the 'Function' constructor.
2647         https://bugs.webkit.org/show_bug.cgi?id=184883
2648         <rdar://problem/36320331>
2649
2650         Reviewed by Saam Barati.
2651
2652         I've verified that this passes on 32-bit as well.
2653
2654         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2655
2656 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2657
2658         Add support for GetStack FlushedDouble
2659         https://bugs.webkit.org/show_bug.cgi?id=191012
2660         <rdar://problem/45265141>
2661
2662         Reviewed by Saam Barati.
2663
2664         * stress/get-stack-double.js: Added.
2665         (bar):
2666         (noInline):
2667
2668 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2669
2670         New bytecode format for JSC
2671         https://bugs.webkit.org/show_bug.cgi?id=187373
2672         <rdar://problem/44186758>
2673
2674         Reviewed by Filip Pizlo.
2675
2676         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2677
2678         * stress/maximum-inline-capacity.js: Added.
2679         (test1):
2680         (test3.Foo):
2681         (test3):
2682
2683 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2684
2685         Unreviewed, rolling out r237479 and r237484.
2686         https://bugs.webkit.org/show_bug.cgi?id=190978
2687
2688         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2689
2690         Reverted changesets:
2691
2692         "New bytecode format for JSC"
2693         https://bugs.webkit.org/show_bug.cgi?id=187373
2694         https://trac.webkit.org/changeset/237479
2695
2696         "Gardening: Build fix after r237479."
2697         https://bugs.webkit.org/show_bug.cgi?id=187373
2698         https://trac.webkit.org/changeset/237484
2699
2700 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2701
2702         New bytecode format for JSC
2703         https://bugs.webkit.org/show_bug.cgi?id=187373
2704         <rdar://problem/44186758>
2705
2706         Reviewed by Filip Pizlo.
2707
2708         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2709
2710         * stress/maximum-inline-capacity.js: Added.
2711         (test1):
2712         (test3.Foo):
2713         (test3):
2714
2715 2018-10-26  Mark Lam  <mark.lam@apple.com>
2716
2717         Fix missing edge cases with JSGlobalObjects having a bad time.
2718         https://bugs.webkit.org/show_bug.cgi?id=189028
2719         <rdar://problem/45204939>
2720
2721         Reviewed by Saam Barati.
2722
2723         * stress/regress-189028.js: Added.
2724
2725 2018-10-22  Mark Lam  <mark.lam@apple.com>
2726
2727         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2728         https://bugs.webkit.org/show_bug.cgi?id=190515
2729         <rdar://problem/45222379>
2730
2731         Rubber-stamped by Saam Barati.
2732
2733         Adding another test.
2734
2735         * stress/regress-190515-2.js: Added.
2736
2737 2018-10-22  Mark Lam  <mark.lam@apple.com>
2738
2739         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2740         https://bugs.webkit.org/show_bug.cgi?id=190515
2741         <rdar://problem/45222379>
2742
2743         Reviewed by Saam Barati.
2744
2745         * stress/regress-190515.js: Added.
2746
2747 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2748
2749         Unreviewed, rolling out r237254.
2750         https://bugs.webkit.org/show_bug.cgi?id=190760
2751
2752         "It regresses JetStream 2 by 5% on some iOS devices"
2753         (Requested by saamyjoon on #webkit).
2754
2755         Reverted changeset:
2756
2757         "[JSC] JSC should have "parseFunction" to optimize Function
2758         constructor"
2759         https://bugs.webkit.org/show_bug.cgi?id=190340
2760         https://trac.webkit.org/changeset/237254
2761
2762 2018-10-19  Saam Barati  <sbarati@apple.com>
2763
2764         vmCall should check if we exit before emitting an OSR exit due to exceptions
2765         https://bugs.webkit.org/show_bug.cgi?id=190740
2766         <rdar://problem/45220139>
2767
2768         Reviewed by Mark Lam.
2769
2770         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2771         (foo):
2772
2773 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2774
2775         [ESNext][BigInt] Implement support for "^"
2776         https://bugs.webkit.org/show_bug.cgi?id=186235
2777
2778         Reviewed by Yusuke Suzuki.
2779
2780         * stress/big-int-bitwise-xor-general.js: Added.
2781         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2782         * stress/big-int-bitwise-xor-type-error.js: Added.
2783         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2784
2785 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2786
2787         [BigInt] Add ValueSub into DFG
2788         https://bugs.webkit.org/show_bug.cgi?id=186176
2789
2790         Reviewed by Yusuke Suzuki.
2791
2792         * stress/big-int-subtraction-jit.js:
2793         * stress/value-sub-big-int-prediction-propagation.js: Added.
2794         * stress/value-sub-big-int-untyped.js: Added.
2795         * stress/value-sub-spec-none-case.js: Added.
2796
2797 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2798
2799         [JSC] JSC should have "parseFunction" to optimize Function constructor
2800         https://bugs.webkit.org/show_bug.cgi?id=190340
2801
2802         Reviewed by Mark Lam.
2803
2804         This patch fixes the line number of syntax errors raised by the Function constructor,
2805         since we now parse the final code only once. And we no longer use block statement
2806         for Function constructor's parsing.
2807
2808         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2809         * stress/function-cache-with-parameters-end-position.js: Added.
2810         (shouldBe):
2811         (shouldThrow):
2812         (i.anonymous):
2813         * stress/function-constructor-name.js: Added.
2814         (shouldBe):
2815         (GeneratorFunction):
2816         (AsyncFunction.async):
2817         (AsyncGeneratorFunction.async):
2818         (anonymous):
2819         (async.anonymous):
2820         * test262/expectations.yaml:
2821
2822 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2823
2824         Unreviewed, rolling out r237242.
2825         https://bugs.webkit.org/show_bug.cgi?id=190701
2826
2827         it breaks "stress/sampling-profiler-basic.js" (Requested by
2828         caiolima on #webkit).
2829
2830         Reverted changeset:
2831
2832         "[BigInt] Add ValueSub into DFG"
2833         https://bugs.webkit.org/show_bug.cgi?id=186176
2834         https://trac.webkit.org/changeset/237242
2835
2836 2018-10-17  Keith Miller  <keith_miller@apple.com>
2837
2838         AI does not clear Phantom allocation nodes.
2839         https://bugs.webkit.org/show_bug.cgi?id=190694
2840
2841         Reviewed by Saam Barati.
2842
2843         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2844         (Day):
2845         (DaysInYear):
2846         (TimeInYear):
2847         (TimeFromYear):
2848         (DayFromYear):
2849         (InLeapYear):
2850         (YearFromTime):
2851         (WeekDay):
2852         (DaylightSavingTA):
2853         (GetSecondSundayInMarch):
2854         (TimeInMonth):
2855
2856 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2857
2858         [BigInt] Add ValueSub into DFG
2859         https://bugs.webkit.org/show_bug.cgi?id=186176
2860
2861         Reviewed by Yusuke Suzuki.
2862
2863         * stress/big-int-subtraction-jit.js:
2864         * stress/value-sub-big-int-prediction-propagation.js: Added.
2865         * stress/value-sub-big-int-untyped.js: Added.
2866
2867 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2868
2869         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2870         https://bugs.webkit.org/show_bug.cgi?id=190611
2871
2872         Reviewed by Saam Barati.
2873
2874         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2875         to improve test runtime. On ARM/MIPS this test even timed out when running all
2876         tests.
2877
2878         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2879         (test):
2880
2881 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2882
2883         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2884
2885         Unreviewed gardening.
2886
2887         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2888
2889 2018-10-15  Saam barati  <sbarati@apple.com>
2890
2891         Emit fjcvtzs on ARM64E on Darwin
2892         https://bugs.webkit.org/show_bug.cgi?id=184023
2893
2894         Reviewed by Yusuke Suzuki and Filip Pizlo.
2895
2896         * stress/double-to-int32-NaN.js: Added.
2897         (assert):
2898         (foo):
2899
2900 2018-10-15  Saam Barati  <sbarati@apple.com>
2901
2902         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2903         https://bugs.webkit.org/show_bug.cgi?id=190262
2904         <rdar://problem/44986241>
2905
2906         Reviewed by Mark Lam.
2907
2908         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2909         (test):
2910         * stress/slice-array-storage-with-holes.js: Added.
2911         (main):
2912
2913 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2914
2915         Unreviewed, rolling out r237054.
2916         https://bugs.webkit.org/show_bug.cgi?id=190593
2917
2918         "this regressed JetStream 2 by 6% on iOS" (Requested by
2919         saamyjoon on #webkit).
2920
2921         Reverted changeset:
2922
2923         "[JSC] JSC should have "parseFunction" to optimize Function
2924         constructor"
2925         https://bugs.webkit.org/show_bug.cgi?id=190340
2926         https://trac.webkit.org/changeset/237054
2927
2928 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2929
2930         [JSC] JSON.stringify can accept call-with-no-arguments
2931         https://bugs.webkit.org/show_bug.cgi?id=190343
2932
2933         Reviewed by Mark Lam.
2934
2935         * stress/json-stringify-no-arguments.js: Added.
2936         (shouldBe):
2937
2938 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2939
2940         [JSC] JSC should have "parseFunction" to optimize Function constructor
2941         https://bugs.webkit.org/show_bug.cgi?id=190340
2942
2943         Reviewed by Mark Lam.
2944
2945         This patch fixes the line number of syntax errors raised by the Function constructor,
2946         since we now parse the final code only once. And we no longer use block statement
2947         for Function constructor's parsing.
2948
2949         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2950         * stress/function-cache-with-parameters-end-position.js: Added.
2951         (shouldBe):
2952         (shouldThrow):
2953         (i.anonymous):
2954         * stress/function-constructor-name.js: Added.
2955         (shouldBe):
2956         (GeneratorFunction):
2957         (AsyncFunction.async):
2958         (AsyncGeneratorFunction.async):
2959         (anonymous):
2960         (async.anonymous):
2961         * test262/expectations.yaml:
2962
2963 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2964
2965         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2966         https://bugs.webkit.org/show_bug.cgi?id=190426
2967
2968         Unreviewed gardening.
2969
2970         * stress/sampling-profiler-richards.js:
2971
2972 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2973
2974         [ESNext][BigInt] Implement support for "|"
2975         https://bugs.webkit.org/show_bug.cgi?id=186229
2976
2977         Reviewed by Yusuke Suzuki.
2978
2979         * stress/big-int-bitwise-and-jit.js:
2980         * stress/big-int-bitwise-or-general.js: Added.
2981         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2982         * stress/big-int-bitwise-or-jit.js: Added.
2983         * stress/big-int-bitwise-or-memory-stress.js: Added.
2984         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2985         * stress/big-int-bitwise-or-type-error.js: Added.
2986         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2987
2988 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2989
2990         Skip test on systems with limited memory
2991         https://bugs.webkit.org/show_bug.cgi?id=190310
2992
2993         Invoking runDefault adds test to runlist, skipping the test in the next
2994         line does not prevent the test from executing. Change order of lines such
2995         that runDefault is only executed if test is not executed.
2996
2997         Reviewed by Mark Lam.
2998
2999         * stress/regress-190187.js:
3000
3001 2018-10-03  Saam barati  <sbarati@apple.com>
3002
3003         lowXYZ in FTLLower should always filter the type of the incoming edge
3004         https://bugs.webkit.org/show_bug.cgi?id=189939
3005         <rdar://problem/44407030>
3006
3007         Reviewed by Michael Saboff.
3008
3009         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3010         (foo):
3011         (test):
3012
3013 2018-10-03  Mark Lam  <mark.lam@apple.com>
3014
3015         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3016         https://bugs.webkit.org/show_bug.cgi?id=190187
3017         <rdar://problem/42512909>
3018
3019         Reviewed by Michael Saboff.
3020
3021         * stress/regress-190187.js: Added.
3022
3023 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3024
3025         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3026         https://bugs.webkit.org/show_bug.cgi?id=190033
3027
3028         Reviewed by Yusuke Suzuki.
3029
3030         * stress/big-int-to-string.js:
3031
3032 2018-10-01  Mark Lam  <mark.lam@apple.com>
3033
3034         Function.toString() should also copy the source code Functions that are class definitions.
3035         https://bugs.webkit.org/show_bug.cgi?id=190186
3036         <rdar://problem/44733360>
3037
3038         Reviewed by Saam Barati.
3039
3040         * stress/regress-190186.js: Added.
3041
3042 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3043
3044         Split NaN-check into separate test
3045         https://bugs.webkit.org/show_bug.cgi?id=190010
3046
3047         Reviewed by Saam Barati.
3048
3049         DataView exposes NaN-representation, which is not necessarily the same on each
3050         architecture. Therefore move the check of the NaN-representation into its own
3051         file such that we can disable this test on MIPS where NaN-representation can be
3052         different on older CPUs.
3053
3054         * stress/dataview-jit-set-nan.js: Added.
3055         (assert):
3056         (test.storeLittleEndian):
3057         (test.storeBigEndian):
3058         (test.store):
3059         (test):
3060         * stress/dataview-jit-set.js:
3061         (test5):
3062
3063 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3064
3065         Unreviewed, rolling out r236647.
3066         https://bugs.webkit.org/show_bug.cgi?id=190124
3067
3068         Breaking test stress/big-int-to-string.js (Requested by
3069         caiolima_ on #webkit).
3070
3071         Reverted changeset:
3072
3073         "[BigInt] BigInt.proptotype.toString is broken when radix is
3074         power of 2"
3075         https://bugs.webkit.org/show_bug.cgi?id=190033
3076         https://trac.webkit.org/changeset/236647
3077
3078 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3079
3080         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3081         https://bugs.webkit.org/show_bug.cgi?id=190033
3082
3083         Reviewed by Yusuke Suzuki.
3084
3085         * stress/big-int-to-string.js:
3086
3087 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3088
3089         [ESNext][BigInt] Implement support for "&"
3090         https://bugs.webkit.org/show_bug.cgi?id=186228
3091
3092         Reviewed by Yusuke Suzuki.
3093
3094         * stress/big-int-bitwise-and-general.js: Added.
3095         (assert):
3096         (assert.sameValue):
3097         * stress/big-int-bitwise-and-jit.js: Added.
3098         (let.assert.sameValue):
3099         (bigIntBitAnd):
3100         * stress/big-int-bitwise-and-memory-stress.js: Added.
3101         (assert):
3102         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3103         (assert.sameValue):
3104         (let.o.Symbol.toPrimitive):
3105         (catch):
3106         * stress/big-int-bitwise-and-type-error.js: Added.
3107         (assert):
3108         (assertThrowTypeError):
3109         (let.o.valueOf):
3110         (o.valueOf):
3111         (o.toString):
3112         (o.Symbol.toPrimitive):
3113         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3114         (assert.sameValue):
3115         (testBitAnd):
3116         (let.o.Symbol.toPrimitive):
3117         (o.valueOf):
3118         (o.toString):
3119
3120 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3121
3122         JSC test stress/jsc-read.js doesn't support CRLF
3123         https://bugs.webkit.org/show_bug.cgi?id=190063
3124
3125         Reviewed by Yusuke Suzuki.
3126
3127         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3128
3129         * stress/jsc-read.js:
3130         (test):
3131
3132 2018-09-27  Saam barati  <sbarati@apple.com>
3133
3134         Verify the contents of AssemblerBuffer on arm64e
3135         https://bugs.webkit.org/show_bug.cgi?id=190057
3136         <rdar://problem/38916630>
3137
3138         Reviewed by Mark Lam.
3139
3140         * stress/regress-189132.js:
3141
3142 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3143
3144         Disable test without LLInt on ARMv7
3145         https://bugs.webkit.org/show_bug.cgi?id=190037
3146
3147         Reviewed by Mark Lam.
3148
3149         Test runs out of executable memory on ARMv7, do not run
3150         this test without LLInt enabled.
3151
3152         * stress/regress-169445.js:
3153
3154 2018-09-26  Keith Miller  <keith_miller@apple.com>
3155
3156         We should zero unused property storage when rebalancing array storage.
3157         https://bugs.webkit.org/show_bug.cgi?id=188151
3158
3159         Reviewed by Michael Saboff.
3160
3161         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3162
3163 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3164
3165         [JSC] Optimize Array#lastIndexOf
3166         https://bugs.webkit.org/show_bug.cgi?id=189780
3167
3168         Reviewed by Saam Barati.
3169
3170         * stress/array-lastindexof-array-prototype-trap.js: Added.
3171         (shouldBe):
3172         (AncestorArray.prototype.get 2):
3173         (AncestorArray):
3174         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3175         (shouldBe):
3176         * stress/array-lastindexof-hole-nan.js: Added.
3177         (shouldBe):
3178         (throw.new.Error):
3179         * stress/array-lastindexof-infinity.js: Added.
3180         (shouldBe):
3181         (throw.new.Error):
3182         * stress/array-lastindexof-negative-zero.js: Added.
3183         (shouldBe):
3184         (throw.new.Error):
3185         * stress/array-lastindexof-own-getter.js: Added.
3186         (shouldBe):
3187         (throw.new.Error.get array):
3188         (get array):
3189         * stress/array-lastindexof-prototype-trap.js: Added.
3190         (shouldBe):
3191         (DerivedArray.prototype.get 2):
3192         (DerivedArray):
3193
3194 2018-09-25  Saam Barati  <sbarati@apple.com>
3195
3196         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3197         https://bugs.webkit.org/show_bug.cgi?id=189940
3198         <rdar://problem/43640987>
3199
3200         Reviewed by Mark Lam.
3201
3202         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3203
3204 2018-09-24  Saam Barati  <sbarati@apple.com>
3205
3206         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3207         https://bugs.webkit.org/show_bug.cgi?id=189922
3208         <rdar://problem/44651275>
3209
3210         Reviewed by Mark Lam.
3211
3212         * stress/array-indexof-fast-path-effects.js: Added.
3213         * stress/array-indexof-cached-length.js: Added.
3214
3215 2018-09-24  Saam barati  <sbarati@apple.com>
3216
3217         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3218         https://bugs.webkit.org/show_bug.cgi?id=189682
3219         <rdar://problem/43557315>
3220
3221         Reviewed by Mark Lam.
3222
3223         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3224         (foo):
3225
3226 2018-09-22  Saam barati  <sbarati@apple.com>
3227
3228         The sampling should not use Strong<CodeBlock> in its machineLocation field
3229         https://bugs.webkit.org/show_bug.cgi?id=189319
3230
3231         Reviewed by Filip Pizlo.
3232
3233         * stress/sampling-profiler-richards.js: Added.
3234
3235 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3236
3237         [JSC] Optimize Array#indexOf in C++ runtime
3238         https://bugs.webkit.org/show_bug.cgi?id=189507
3239
3240         Reviewed by Saam Barati.
3241
3242         * stress/array-indexof-array-prototype-trap.js: Added.
3243         (shouldBe):
3244         (AncestorArray.prototype.get 2):
3245         (AncestorArray):
3246         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3247         (shouldBe):
3248         * stress/array-indexof-hole-nan.js: Added.
3249         (shouldBe):
3250         (throw.new.Error):
3251         * stress/array-indexof-infinity.js: Added.
3252         (shouldBe):
3253         (throw.new.Error):
3254         * stress/array-indexof-negative-zero.js: Added.
3255         (shouldBe):
3256         (throw.new.Error):
3257         * stress/array-indexof-own-getter.js: Added.
3258         (shouldBe):
3259         (throw.new.Error.get array):
3260         (get array):
3261         * stress/array-indexof-prototype-trap.js: Added.
3262         (shouldBe):
3263         (DerivedArray.prototype.get 2):
3264         (DerivedArray):
3265
3266 2018-09-19  Saam barati  <sbarati@apple.com>
3267
3268         AI rule for MultiPutByOffset executes its effects in the wrong order
3269         https://bugs.webkit.org/show_bug.cgi?id=189757
3270         <rdar://problem/43535257>
3271
3272         Reviewed by Michael Saboff.
3273
3274         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3275         (foo):
3276         (Foo):
3277         (g):
3278
3279 2018-09-17  Mark Lam  <mark.lam@apple.com>
3280
3281         Ensure that ForInContexts are invalidated if their loop local is over-written.
3282         https://bugs.webkit.org/show_bug.cgi?id=189571
3283         <rdar://problem/44402277>
3284
3285         Reviewed by Saam Barati.
3286
3287         * stress/regress-189571.js: Added.
3288
3289 2018-09-17  Saam barati  <sbarati@apple.com>
3290
3291         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3292         https://bugs.webkit.org/show_bug.cgi?id=189676
3293         <rdar://problem/39682897>
3294
3295         Reviewed by Michael Saboff.
3296
3297         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3298         (A):
3299         (K):
3300         (i.catch):
3301
3302 2018-09-14  Saam barati  <sbarati@apple.com>
3303
3304         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3305         https://bugs.webkit.org/show_bug.cgi?id=189628
3306         <rdar://problem/39481690>
3307
3308         Reviewed by Mark Lam.
3309
3310         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3311         (foo):
3312
3313 2018-09-11  Mark Lam  <mark.lam@apple.com>
3314
3315         Test for array initialization in arrayProtoFuncSplice.
3316         https://bugs.webkit.org/show_bug.cgi?id=170253
3317         <rdar://problem/31328773>
3318
3319         Rubber-stamped by Saam Barati.
3320
3321         * stress/regress-170253.js: Added.
3322
3323 2018-09-11  Mark Lam  <mark.lam@apple.com>
3324
3325         Test for IntlObject initialization.
3326         https://bugs.webkit.org/show_bug.cgi?id=170251
3327         <rdar://problem/31328419>
3328
3329         Rubber-stamped by Saam Barati.
3330
3331         * stress/regress-170251.js: Added.
3332
3333 2018-09-11  Mark Lam  <mark.lam@apple.com>
3334
3335         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3336         https://bugs.webkit.org/show_bug.cgi?id=169889
3337         <rdar://problem/31155607>
3338
3339         Reviewed by Saam Barati.
3340
3341         * stress/regress-169889-array-concat.js: Added.
3342         * stress/regress-169889-array-concat1.js: Added.
3343         * stress/regress-169889-array-slice.js: Added.
3344
3345 2018-09-11  Mark Lam  <mark.lam@apple.com>
3346
3347         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3348         https://bugs.webkit.org/show_bug.cgi?id=169445
3349         <rdar://problem/30957435>
3350
3351         Reviewed by Saam Barati.
3352
3353         * stress/regress-169445.js: Added.
3354         (let.gun.eval.A):
3355         (let.gun.eval.B.C):
3356         (let.gun.eval.B.C.prototype.trigger):
3357         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3358         (let.gun.eval.B):
3359         (let.gun.eval):
3360
3361 == Rolled over to ChangeLog-2018-09-11 ==