createRegExpMatchesArray does not respect inferred types
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-04  Saam Barati  <sbarati@apple.com>
2
3         createRegExpMatchesArray does not respect inferred types
4         https://bugs.webkit.org/show_bug.cgi?id=193287
5
6         Reviewed by Yusuke Suzuki.
7
8         This checks in the test case for 193287. This issue was discovered by
9         Samuel Groß of Google Project Zero.
10
11         * stress/inferred-types-regex-matches-array.js: Added.
12
13 2019-04-04  Saam barati  <sbarati@apple.com>
14
15         Teach Call ICs how to call Wasm
16         https://bugs.webkit.org/show_bug.cgi?id=196387
17
18         Reviewed by Filip Pizlo.
19
20         * wasm/function-tests/stack-trace.js:
21
22 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
23
24         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
25         https://bugs.webkit.org/show_bug.cgi?id=194944
26
27         Reviewed by Keith Miller.
28
29         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
30
31 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
32
33         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
34         https://bugs.webkit.org/show_bug.cgi?id=196409
35
36         Reviewed by Saam Barati.
37
38         * stress/bytecode-cache-cached-string-impl.js: Added.
39         (f):
40         (g):
41         * stress/bytecode-cache-run-string.js: Added.
42
43 2019-04-03  Robin Morisset  <rmorisset@apple.com>
44
45         B3 should use associativity to optimize expression trees
46         https://bugs.webkit.org/show_bug.cgi?id=194081
47
48         Reviewed by Filip Pizlo.
49
50         Added three microbenchmarks:
51         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
52         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
53           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
54         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
55
56         * microbenchmarks/add-tree.js: Added.
57         * microbenchmarks/bit-or-tree.js: Added.
58         * microbenchmarks/bit-xor-tree.js: Added.
59
60 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
61
62         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
63         https://bugs.webkit.org/show_bug.cgi?id=196574
64
65         Reviewed by Saam Barati.
66
67         * stress/string-index-of-exception-check.js: Added.
68         (blurType):
69         (1.forEach):
70
71 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
72
73         Assertion failed in JSC::createError
74         https://bugs.webkit.org/show_bug.cgi?id=196305
75         <rdar://problem/49387382>
76
77         Reviewed by Saam Barati.
78
79         * stress/create-error-out-of-memory-rope-string-2.js: Added.
80         (assert):
81         (catch):
82
83 2019-03-28  Saam Barati  <sbarati@apple.com>
84
85         BackwardsGraph needs to consider back edges as the backward's root successor
86         https://bugs.webkit.org/show_bug.cgi?id=195991
87
88         Reviewed by Filip Pizlo.
89
90         * stress/map-b3-licm-infinite-loop.js: Added.
91
92 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
93
94         CodeBlock::jettison() should disallow repatching its own calls
95         https://bugs.webkit.org/show_bug.cgi?id=196359
96         <rdar://problem/48973663>
97
98         Reviewed by Saam Barati.
99
100         * stress/call-link-info-osrexit-repatch.js: Added.
101         (foo):
102
103 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
104
105         [JSC] imports-oom.js intermittently fails
106         https://bugs.webkit.org/show_bug.cgi?id=196373
107
108         Reviewed by Saam Barati.
109
110         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
111         with an extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
112         the wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation has changed,
113         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
114         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
115
116         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
117         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
118
119         * wasm/lowExecutableMemory/imports-oom.js:
120
121 2019-03-27  Saam Barati  <sbarati@apple.com>
122
123         validateOSREntryValue with Int52 should box the value being checked into double format
124         https://bugs.webkit.org/show_bug.cgi?id=196313
125         <rdar://problem/49306703>
126
127         Reviewed by Yusuke Suzuki.
128
129         * stress/validate-int-52-ai-state.js: Added.
130
131 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
132
133         [JSC] Owner of watchpoints should validate at GC finalizing phase
134         https://bugs.webkit.org/show_bug.cgi?id=195827
135
136         Reviewed by Filip Pizlo.
137
138         * stress/gc-should-reap-dead-watchpoints.js: Added.
139         (foo):
140         (A.prototype.y):
141         (A):
142
143 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
144
145         Skip WebAssembly test on 32-bit systems
146         https://bugs.webkit.org/show_bug.cgi?id=196206
147
148         Reviewed by Saam Barati.
149
150         Invoking runDefault executes test immediately even though
151         that test should be skipped due to missing WASM support.
152         Therefore remove runDefault.
153
154         * wasm/regress/web-assembly-link-error-exception-check.js:
155
156 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
157
158         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
159         https://bugs.webkit.org/show_bug.cgi?id=196217
160
161         Reviewed by Saam Barati.
162
163         Re-enable all NaN tests for f32.min, f64.min and f64.max.
164
165         * wasm/spec-tests/f32.wast.js:
166         * wasm/spec-tests/f64.wast.js:
167         * wasm/wasm.json:
168
169 2019-03-25  Keith Miller  <keith_miller@apple.com>
170
171         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
172         https://bugs.webkit.org/show_bug.cgi?id=196176
173
174         Reviewed by Saam Barati.
175
176         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
177         (main.v10):
178         (main):
179
180 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
181
182         WebAssembly: f32.max with NaN generates incorrect result
183         https://bugs.webkit.org/show_bug.cgi?id=175691
184         <rdar://problem/33952228>
185
186         Reviewed by Saam Barati.
187
188         Enable all f32.max NaN tests
189
190         * wasm/spec-tests/f32.wast.js:
191         * wasm/wasm.json:
192
193 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
194
195         [JSC] Move test into directory for WASM tests
196         https://bugs.webkit.org/show_bug.cgi?id=196187
197
198         Reviewed by Mark Lam.
199
200         Move Test into wasm-directory. Otherwise this test
201         is also executed on systems without WASM support.
202
203         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
204
205 2019-03-23  Mark Lam  <mark.lam@apple.com>
206
207         Rolling out r243032 and r243071 because the fix is incorrect.
208         https://bugs.webkit.org/show_bug.cgi?id=195892
209         <rdar://problem/48981239>
210
211         Not reviewed.
212
213         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
214
215 2019-03-22  Mark Lam  <mark.lam@apple.com>
216
217         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
218         https://bugs.webkit.org/show_bug.cgi?id=196154
219         <rdar://problem/49145307>
220
221         Reviewed by Filip Pizlo.
222
223         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
224         There's no need to run this test on more than 1 test configuration.
225
226         * stress/typed-array-lastIndexOf-exception-check.js: Added.
227         * stress/web-assembly-link-error-exception-check.js:
228
229 2019-03-22  Mark Lam  <mark.lam@apple.com>
230
231         Placate exception check validation in constructJSWebAssemblyLinkError().
232         https://bugs.webkit.org/show_bug.cgi?id=196152
233         <rdar://problem/49145257>
234
235         Reviewed by Michael Saboff.
236
237         * stress/web-assembly-link-error-exception-check.js: Added.
238
239 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
240
241         Skip tests running out of memory on ARM/MIPS
242         https://bugs.webkit.org/show_bug.cgi?id=196131
243
244         Unreviewed. Skip test if memory is limited.
245
246         * microbenchmarks/put-by-val-direct-large-index.js:
247
248 2019-03-21  Mark Lam  <mark.lam@apple.com>
249
250         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
251         https://bugs.webkit.org/show_bug.cgi?id=196116
252         <rdar://problem/48976951>
253
254         Reviewed by Filip Pizlo.
255
256         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
257
258 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
259
260         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
261         https://bugs.webkit.org/show_bug.cgi?id=196078
262         <rdar://problem/35925380>
263
264         Reviewed by Mark Lam.
265
266         Add a new benchmark that allocates several objects and invokes put_by_val_direct
267         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
268
269         * microbenchmarks/put-by-val-direct-large-index.js: Added.
270
271 2019-03-21  Mark Lam  <mark.lam@apple.com>
272
273         Placate exception check validation in operationArrayIndexOfString().
274         https://bugs.webkit.org/show_bug.cgi?id=196067
275         <rdar://problem/49056572>
276
277         Reviewed by Michael Saboff.
278
279         * stress/string-equal-exception-check.js: Added.
280
281 2019-03-21  Mark Lam  <mark.lam@apple.com>
282
283         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
284         https://bugs.webkit.org/show_bug.cgi?id=196055
285         <rdar://problem/49067448>
286
287         Reviewed by Yusuke Suzuki.
288
289         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
290
291 2019-03-20  Saam Barati  <sbarati@apple.com>
292
293         typeOfDoubleSum is wrong for when NaN can be produced
294         https://bugs.webkit.org/show_bug.cgi?id=196030
295
296         Reviewed by Filip Pizlo.
297
298         * stress/double-add-sub-mul-can-produce-nan.js: Added.
299         (assert):
300         (noInline.sub):
301         (noInline):
302         (assert.mul):
303         (assert.add):
304
305 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
306
307         Update the test to ensure OutOfMemoryError is thrown as intended
308         https://bugs.webkit.org/show_bug.cgi?id=196032
309         <rdar://problem/46842740>
310
311         Rubber stamped by Saam Barati.
312
313         * stress/create-error-out-of-memory-rope-string.js:
314         (assert):
315         (catch):
316
317 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
318
319         JSC::createError needs to check for OOM in errorDescriptionForValue
320         https://bugs.webkit.org/show_bug.cgi?id=196032
321         <rdar://problem/46842740>
322
323         Reviewed by Mark Lam.
324
325         * stress/create-error-out-of-memory-rope-string.js: Added.
326
327 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
328
329         Unreviewed, reduce # of iterations to avoid timing out after r242991
330         https://bugs.webkit.org/show_bug.cgi?id=195791
331
332         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
333
334         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
335
336 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
337
338         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
339         https://bugs.webkit.org/show_bug.cgi?id=195950
340
341         Unreviewed, reducing the amount of memory used on this test to avoid
342         OOM on devices with memory restrictions.
343
344         * microbenchmarks/generate-multiple-llint-entrypoints.js:
345
346 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
347
348         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
349         https://bugs.webkit.org/show_bug.cgi?id=194648
350
351         Reviewed by Keith Miller.
352
353         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
354
355 2019-03-18  Mark Lam  <mark.lam@apple.com>
356
357         Missing a ThrowScope release in JSObject::toString().
358         https://bugs.webkit.org/show_bug.cgi?id=195893
359         <rdar://problem/48970986>
360
361         Reviewed by Michael Saboff.
362
363         * stress/to-string-exception-check-release.js: Added.
364
365 2019-03-18  Mark Lam  <mark.lam@apple.com>
366
367         Structure::flattenDictionary() should clear unused property slots.
368         https://bugs.webkit.org/show_bug.cgi?id=195871
369         <rdar://problem/48959497>
370
371         Reviewed by Michael Saboff.
372
373         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
374
375 2019-03-15  Mark Lam  <mark.lam@apple.com>
376
377         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
378         https://bugs.webkit.org/show_bug.cgi?id=195827
379         <rdar://problem/48845513>
380
381         Reviewed by Filip Pizlo.
382
383         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
384
385 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
386
387         [ARM,MIPS] Skip slow tests
388         https://bugs.webkit.org/show_bug.cgi?id=195799
389
390         Unreviewed, test does not finish on ARM and MIPS within the
391         timeout limit.
392
393         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
394
395 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
398         https://bugs.webkit.org/show_bug.cgi?id=195791
399         <rdar://problem/48806130>
400
401         Reviewed by Mark Lam.
402
403         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
404         (foo):
405
406 2019-03-14  Saam barati  <sbarati@apple.com>
407
408         We can't remove code after ForceOSRExit until after FixupPhase
409         https://bugs.webkit.org/show_bug.cgi?id=186916
410         <rdar://problem/41396612>
411
412         Reviewed by Yusuke Suzuki.
413
414         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
415         (foo):
416         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
417         (foo):
418
419 2019-03-13  Michael Saboff  <msaboff@apple.com>
420
421         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
422         https://bugs.webkit.org/show_bug.cgi?id=195735
423
424         Reviewed by Mark Lam.
425
426         New regression test.
427
428         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
429         (foo):
430         (bar):
431
432 2019-03-14  Saam barati  <sbarati@apple.com>
433
434         Fixup uses KnownInt32 incorrectly in some nodes
435         https://bugs.webkit.org/show_bug.cgi?id=195279
436         <rdar://problem/47915654>
437
438         Reviewed by Yusuke Suzuki.
439
440         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
441         (foo):
442
443 2019-03-14  Keith Miller  <keith_miller@apple.com>
444
445         DFG liveness can't skip tail caller inline frames
446         https://bugs.webkit.org/show_bug.cgi?id=195715
447
448         Reviewed by Saam Barati.
449
450         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
451         (i.foo):
452
453 2019-03-13  Mark Lam  <mark.lam@apple.com>
454
455         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
456         https://bugs.webkit.org/show_bug.cgi?id=195415
457
458         Not reviewed.
459
460         Changed these tests to only run the default configuration.
461         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
462         There's no strong need to run this test on that variant.
463
464         * stress/dfg-to-string-on-int-does-gc.js:
465         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
466
467 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
468
469         String overflow when using StringBuilder in JSC::createError
470         https://bugs.webkit.org/show_bug.cgi?id=194957
471
472         Reviewed by Mark Lam.
473
474         Add test string-overflow-createError-builder.js that overflows
475         StringBuilder in notAFunctionSourceAppender. The second new test
476         string-overflow-createError-fit.js has an error message that doesn't
477         overflow, but it still failed since the String's capacity can't be doubled.
478         Run test string-overflow-createError.js only in the default
479         configuration to reduce memory consumption when running the test
480         in all configurations on multiple CPUs in parallel.
481
482         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
483         (catch):
484         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
485         (catch):
486         * stress/string-overflow-createError.js:
487
488 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
489
490         [JSC] OSR entry should respect abstract values in addition to flush formats
491         https://bugs.webkit.org/show_bug.cgi?id=195653
492
493         Reviewed by Mark Lam.
494
495         * stress/osr-entry-locals-none.js: Added.
496
497 2019-03-12  Michael Saboff  <msaboff@apple.com>
498
499         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
500         https://bugs.webkit.org/show_bug.cgi?id=195613
501
502         Reviewed by Mark Lam.
503
504         New regression test.
505
506         * stress/regexp-backref-inbounds.js: Added.
507         (testRegExp):
508
509 2019-03-12  Mark Lam  <mark.lam@apple.com>
510
511         The HasIndexedProperty node does GC.
512         https://bugs.webkit.org/show_bug.cgi?id=195559
513         <rdar://problem/48767923>
514
515         Reviewed by Yusuke Suzuki.
516
517         * stress/HasIndexedProperty-does-gc.js: Added.
518
519 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
520
521         [ESNext][BigInt] Implement "~" unary operation
522         https://bugs.webkit.org/show_bug.cgi?id=182216
523
524         Reviewed by Keith Miller.
525
526         * stress/big-int-bit-not-general.js: Added.
527         * stress/big-int-bitwise-not-jit.js: Added.
528         * stress/big-int-bitwise-not-wrapped-value.js: Added.
529         * stress/bit-op-with-object-returning-int32.js:
530         * stress/bitwise-not-fixup-rules.js: Added.
531         * stress/value-bit-not-ai-rule.js: Added.
532
533 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
534
535         Invalid flags in a RegExp literal should be an early SyntaxError
536         https://bugs.webkit.org/show_bug.cgi?id=195514
537
538         Reviewed by Darin Adler.
539
540         * test262/expectations.yaml:
541         Mark 4 test cases as passing.
542
543         * stress/regexp-syntax-error-invalid-flags.js:
544         * stress/regress-161995.js: Removed.
545         Update existing test, merging in an older test for the same behavior.
546
547 2019-03-08  Mark Lam  <mark.lam@apple.com>
548
549         Stack overflow crash in JSC::JSObject::hasInstance.
550         https://bugs.webkit.org/show_bug.cgi?id=195458
551         <rdar://problem/48710195>
552
553         Reviewed by Yusuke Suzuki.
554
555         * stress/stack-overflow-in-custom-hasInstance.js: Added.
556
557 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
558
559         op_check_tdz does not def its argument
560         https://bugs.webkit.org/show_bug.cgi?id=192880
561         <rdar://problem/46221598>
562
563         Reviewed by Saam Barati.
564
565         * microbenchmarks/let-for-in.js: Added.
566         (foo):
567
568 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
569
570         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
571         https://bugs.webkit.org/show_bug.cgi?id=195429
572
573         Reviewed by Saam Barati.
574
575         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
576         (foo):
577         * stress/string-from-char-code-255.js: Added.
578
579 2019-03-06  Mark Lam  <mark.lam@apple.com>
580
581         Fix incorrect handling of try-finally completion values.
582         https://bugs.webkit.org/show_bug.cgi?id=195131
583         <rdar://problem/46222079>
584
585         Reviewed by Saam Barati and Yusuke Suzuki.
586
587         Added many permutations of new test case to test-finally.js.  test-finally.js has
588         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
589         tests pass there as well.
590
591         * stress/test-finally.js:
592
593 2019-03-06  Saam Barati  <sbarati@apple.com>
594
595         Air::reportUsedRegisters must padInterference
596         https://bugs.webkit.org/show_bug.cgi?id=195303
597         <rdar://problem/48270343>
598
599         Reviewed by Keith Miller.
600
601         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
602
603 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
604
605         [JSC] AI should not propagate AbstractValue relying on constant folding phase
606         https://bugs.webkit.org/show_bug.cgi?id=195375
607
608         Reviewed by Saam Barati.
609
610         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
611         (let.array):
612
613 2019-03-05  Saam barati  <sbarati@apple.com>
614
615         op_switch_char broken for rope strings after JSRopeString layout rewrite
616         https://bugs.webkit.org/show_bug.cgi?id=195339
617         <rdar://problem/48592545>
618
619         Reviewed by Yusuke Suzuki.
620
621         * stress/switch-on-char-llint-rope.js: Added.
622
623 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
624
625         [JSC] Store bits for JSRopeString in 3 stores
626         https://bugs.webkit.org/show_bug.cgi?id=195234
627
628         Reviewed by Saam Barati.
629
630         * stress/null-rope-and-collectors.js: Added.
631
632 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
633
634         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
635         https://bugs.webkit.org/show_bug.cgi?id=195207
636
637         Unreviewed. After test runtime was reduced in r242213, test can be
638         run again on ARM/MIPS.
639
640         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
641
642 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
643
644         [JSC] sizeof(JSString) should be 16
645         https://bugs.webkit.org/show_bug.cgi?id=194375
646
647         Reviewed by Saam Barati.
648
649         * microbenchmarks/make-rope.js: Added.
650         (makeRope):
651         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
652         (returnRope.helper): Deleted.
653         (returnRope): Deleted.
654
655 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
656
657         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
658         https://bugs.webkit.org/show_bug.cgi?id=195144
659
660         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
661         Change the number from 1e8 to 1e5.
662
663         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
664         (foo):
665
666 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
667
668         Test times out on ARM/MIPS
669         https://bugs.webkit.org/show_bug.cgi?id=195168
670
671         Unreviewed. Skip test on ARM/MIPS.
672
673         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
674
675 2019-02-27  Mark Lam  <mark.lam@apple.com>
676
677         The parser is failing to record the token location of new in new.target.
678         https://bugs.webkit.org/show_bug.cgi?id=195127
679         <rdar://problem/39645578>
680
681         Reviewed by Yusuke Suzuki.
682
683         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
684
685 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
686
687         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
688         https://bugs.webkit.org/show_bug.cgi?id=195144
689         <rdar://problem/47595961>
690
691         Reviewed by Mark Lam.
692
693         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
694         (bar):
695         (foo):
696         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
697         (bar):
698         (foo):
699
700 2019-02-27  Robin Morisset  <rmorisset@apple.com>
701
702         DFG: Loop-invariant code motion (LICM) should not hoist dead code
703         https://bugs.webkit.org/show_bug.cgi?id=194945
704         <rdar://problem/48311657>
705
706         Reviewed by Mark Lam.
707
708         * stress/licm-dead-code.js: Added.
709
710 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
711
712         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
713         https://bugs.webkit.org/show_bug.cgi?id=194677
714         <rdar://problem/48112492>
715
716         Reviewed by Mark Lam.
717
718         Before r241233, String.fromCharCode (except for an empty string) always returns a 16bit string.
719         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
720         it immediately fails due to the large size.
721
722         After r241233, String.fromCharCode starts returning an 8bit string if possible. So the rope becomes
723         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
724         time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
725         an OOM error anyway because JSON.stringify's builder overflows with such a large string input.
726
727         This patch changes the test to produce a 16bit string from String.fromCharCode.
728
729         * stress/regress-178386.js:
730
731 2019-02-26  Mark Lam  <mark.lam@apple.com>
732
733         wasmToJS() should purify incoming NaNs.
734         https://bugs.webkit.org/show_bug.cgi?id=194807
735         <rdar://problem/48189132>
736
737         Reviewed by Saam Barati.
738
739         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
740
741 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
742
743         [JSC] Repeat string created from Array.prototype.join() take too much memory
744         https://bugs.webkit.org/show_bug.cgi?id=193912
745
746         Reviewed by Saam Barati.
747
748         Added a test and a microbenchmark for corner cases of
749         Array.prototype.join() with an uninitialized array.
750
751         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
752         * stress/array-prototype-join-uninitialized.js: Added.
753         (testArray):
754         (testABC):
755         (B):
756         (C):
757
758 2019-02-22  Robin Morisset  <rmorisset@apple.com>
759
760         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
761         https://bugs.webkit.org/show_bug.cgi?id=194953
762         <rdar://problem/47595253>
763
764         Reviewed by Saam Barati.
765
766         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
767
768         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
769
770 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
771
772         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
773         https://bugs.webkit.org/show_bug.cgi?id=172848
774         <rdar://problem/25709212>
775
776         Reviewed by Mark Lam.
777
778         * typeProfiler/inheritance.js:
779         Rewrite the test slightly for clarity. The hoisting was confusing.
780
781         * heapProfiler/class-names.js: Added.
782         (MyES5Class):
783         (MyES6Class):
784         (MyES6Subclass):
785         Test object types and improved class names.
786
787         * heapProfiler/driver/driver.js:
788         (CheapHeapSnapshotNode):
789         (CheapHeapSnapshot):
790         (createCheapHeapSnapshot):
791         (HeapSnapshot):
792         (createHeapSnapshot):
793         Update snapshot parsing from version 1 to version 2.
794
795 2019-02-19  Truitt Savell  <tsavell@apple.com>
796
797         Unreviewed, rolling out r241784.
798
799         Broke all OpenSource builds.
800
801         Reverted changeset:
802
803         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
804         instances view"
805         https://bugs.webkit.org/show_bug.cgi?id=172848
806         https://trac.webkit.org/changeset/241784
807
808 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
809
810         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
811         https://bugs.webkit.org/show_bug.cgi?id=172848
812         <rdar://problem/25709212>
813
814         Reviewed by Mark Lam.
815
816         * typeProfiler/inheritance.js:
817         Rewrite the test slightly for clarity. The hoisting was confusing.
818
819         * heapProfiler/class-names.js: Added.
820         (MyES5Class):
821         (MyES6Class):
822         (MyES6Subclass):
823         Test object types and improved class names.
824
825         * heapProfiler/driver/driver.js:
826         (CheapHeapSnapshotNode):
827         (CheapHeapSnapshot):
828         (createCheapHeapSnapshot):
829         (HeapSnapshot):
830         (createHeapSnapshot):
831         Update snapshot parsing from version 1 to version 2.
832
833 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
834
835         [ARM] Fix crash with sampling profiler
836         https://bugs.webkit.org/show_bug.cgi?id=194772
837
838         Reviewed by Mark Lam.
839
840         Do not skip test since crash with sampling profiler is now fixed.
841
842         * stress/sampling-profiler-richards.js:
843
844 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
845
846         [JSC] Add LazyClassStructure::getInitializedOnMainThread
847         https://bugs.webkit.org/show_bug.cgi?id=194784
848         <rdar://problem/48154820>
849
850         Reviewed by Mark Lam.
851
852         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
853         (getProperties):
854         (getRandomProperty):
855         (i.catch):
856
857 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
858
859         [ARM] Test gardening: Test running out of executable memory
860         https://bugs.webkit.org/show_bug.cgi?id=194771
861
862         Unreviewed. Do not run test without LLInt, test is running out of executable
863         memory on ARM otherwise.
864
865         * stress/tagged-template-object-collect.js:
866
867 2019-02-18  Tomas Popela  <tpopela@redhat.com>
868
869         Unreviewed, skip the test on platforms without sampling profiler
870
871         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
872         (platformSupportsSamplingProfiler.foo):
873         (platformSupportsSamplingProfiler.test):
874         (platformSupportsSamplingProfiler):
875         (foo): Deleted.
876         (test): Deleted.
877
878 2019-02-17  Saam Barati  <sbarati@apple.com>
879
880         Deadlock when adding a Structure property transition and then doing incremental marking
881         https://bugs.webkit.org/show_bug.cgi?id=194767
882
883         Reviewed by Mark Lam.
884
885         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
886
887 2019-02-15  Michael Saboff  <msaboff@apple.com>
888
889         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
890         https://bugs.webkit.org/show_bug.cgi?id=194558
891
892         Reviewed by Saam Barati.
893
894         New regression test.
895
896         * stress/regexp-unicode-within-string.js: Added.
897
898 2019-02-15  Mark Lam  <mark.lam@apple.com>
899
900         SamplingProfiler::stackTracesAsJSON() should escape strings.
901         https://bugs.webkit.org/show_bug.cgi?id=194649
902         <rdar://problem/48072386>
903
904         Reviewed by Saam Barati.
905
906         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
907         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
908         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
909         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
910
911 2019-02-15  Robin Morisset  <rmorisset@apple.com>
912         CodeBlock::jettison should clear related watchpoints
913         https://bugs.webkit.org/show_bug.cgi?id=194544
914
915         Reviewed by Mark Lam.
916
917         * stress/regexp-replace-double-watchpoint.js: Added.
918         (foo):
919
920 2019-02-15  Saam barati  <sbarati@apple.com>
921
922         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
923         https://bugs.webkit.org/show_bug.cgi?id=194036
924
925         Reviewed by Yusuke Suzuki.
926
927         * stress/tail-call-many-arguments.js: Added.
928         (foo):
929         (bar):
930
931 2019-02-14  Saam Barati  <sbarati@apple.com>
932
933         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
934         https://bugs.webkit.org/show_bug.cgi?id=194583
935         <rdar://problem/48028140>
936
937         Reviewed by Yusuke Suzuki.
938
939         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
940
941 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
942
943         [JSC] String.fromCharCode's slow path always generates 16bit string
944         https://bugs.webkit.org/show_bug.cgi?id=194466
945
946         Reviewed by Keith Miller.
947
948         * stress/string-from-char-code-slow-path.js: Added.
949         (shouldBe):
950         (testWithLength):
951
952 2019-02-08  Saam barati  <sbarati@apple.com>
953
954         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
955         https://bugs.webkit.org/show_bug.cgi?id=194334
956         <rdar://problem/47844327>
957
958         Reviewed by Mark Lam.
959
960         * stress/check-in-bounds-should-be-a-child-use.js: Added.
961         (func):
962
963 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
964
965         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
966         https://bugs.webkit.org/show_bug.cgi?id=194369
967         <rdar://problem/47813087>
968
969         Reviewed by Saam Barati.
970
971         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
972         (A):
973
974 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
975
976         [JSC] PrivateName to PublicName hash table is wasteful
977         https://bugs.webkit.org/show_bug.cgi?id=194277
978
979         Reviewed by Michael Saboff.
980
981         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
982
983         * ChakraCore.yaml:
984
985 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
986
987         [ARM] Test running out of executable memory
988         https://bugs.webkit.org/show_bug.cgi?id=194285
989
990         Unreviewed. Do not execute test with LLInt disabled, test runs out of
991         executable memory otherwise.
992
993         * stress/class-subclassing-function.js:
994
995 2019-02-04  Robin Morisset  <rmorisset@apple.com>
996
997         when lowering AssertNotEmpty, create the value before creating the patchpoint
998         https://bugs.webkit.org/show_bug.cgi?id=194231
999
1000         Reviewed by Saam Barati.
1001
1002         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1003         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1004         So even tiny changes to this test can change the code path taken.
1005
1006         * stress/assert-not-empty.js: Added.
1007         (foo):
1008
1009 2019-02-01  Mark Lam  <mark.lam@apple.com>
1010
1011         Remove invalid assertion in DFG's compileDoubleRep().
1012         https://bugs.webkit.org/show_bug.cgi?id=194130
1013         <rdar://problem/47699474>
1014
1015         Reviewed by Saam Barati.
1016
1017         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1018
1019 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1020
1021         Import latest Test262 updates.
1022
1023         Rubber-stamped by Keith Miller.
1024
1025         * test262.yaml: Deleted.
1026         * test262/config.yaml:
1027         * test262/expectations.yaml:
1028         * test262/latest-changes-summary.txt:
1029         * test262/test/:
1030         * test262/test262-Revision.txt:
1031
1032 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1033
1034         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1035         https://bugs.webkit.org/show_bug.cgi?id=194050
1036         <rdar://problem/47595592>
1037
1038         Reviewed by Yusuke Suzuki.
1039
1040         * stress/object-keys-osr-exit.js: Added.
1041         (foo):
1042         (catch):
1043
1044 2019-01-29  Mark Lam  <mark.lam@apple.com>
1045
1046         ValueRecovery::recover() should purify NaN values it recovers.
1047         https://bugs.webkit.org/show_bug.cgi?id=193978
1048         <rdar://problem/47625488>
1049
1050         Reviewed by Saam Barati.
1051
1052         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1053
1054 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1055
1056         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1057         https://bugs.webkit.org/show_bug.cgi?id=193713
1058
1059         * stress/try-get-by-id-should-spill-registers-dfg.js:
1060         (let.f.createBuiltin):
1061
1062 2019-01-28  Mark Lam  <mark.lam@apple.com>
1063
1064         ToString node actually does GC.
1065         https://bugs.webkit.org/show_bug.cgi?id=193920
1066         <rdar://problem/46695900>
1067
1068         Reviewed by Yusuke Suzuki.
1069
1070         * stress/dfg-to-string-on-int-does-gc.js: Added.
1071         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1072         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1073
1074 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1075
1076         [JSC] NativeErrorConstructor should not have own IsoSubspace
1077         https://bugs.webkit.org/show_bug.cgi?id=193713
1078
1079         Reviewed by Saam Barati.
1080
1081         Remove @Error use.
1082
1083         * stress/try-get-by-id-should-spill-registers-dfg.js:
1084         (let.f.createBuiltin):
1085
1086 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1087
1088         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1089         https://bugs.webkit.org/show_bug.cgi?id=190693
1090
1091         Reviewed by Michael Saboff.
1092
1093         * stress/regress-190693.js: Added.
1094         (truth):
1095         (assert):
1096         (shouldThrowInvalidConstAssignment):
1097         (taz):
1098
1099 2019-01-24  Saam Barati  <sbarati@apple.com>
1100
1101         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1102         https://bugs.webkit.org/show_bug.cgi?id=193751
1103         <rdar://problem/47280215>
1104
1105         Reviewed by Michael Saboff.
1106
1107         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1108         (let.thing):
1109         (foo.let.hello):
1110         (foo):
1111
1112 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1113
1114         [JSC] Reenable baseline JIT on mips
1115         https://bugs.webkit.org/show_bug.cgi?id=192983
1116
1117         Reviewed by Mark Lam.
1118
1119         Added a new test for a case that was triggering a RELEASE_ASSERT when
1120         testing.
1121         Disable some slow tests that were already disabled for arm and x86.
1122
1123         * stress/json-parse-big-object.js: Added.
1124         * stress/new-largeish-contiguous-array-with-size.js:
1125         * stress/op_add.js:
1126         * stress/op_bitand.js:
1127         * stress/op_bitor.js:
1128         * stress/op_bitxor.js:
1129         * stress/op_lshift-ConstVar.js:
1130         * stress/op_lshift-VarConst.js:
1131         * stress/op_lshift-VarVar.js:
1132         * stress/op_mod-ConstVar.js:
1133         * stress/op_mod-VarConst.js:
1134         * stress/op_mod-VarVar.js:
1135         * stress/op_mul-ConstVar.js:
1136         * stress/op_mul-VarConst.js:
1137         * stress/op_mul-VarVar.js:
1138         * stress/op_rshift-ConstVar.js:
1139         * stress/op_rshift-VarConst.js:
1140         * stress/op_rshift-VarVar.js:
1141         * stress/op_sub-ConstVar.js:
1142         * stress/op_sub-VarConst.js:
1143         * stress/op_sub-VarVar.js:
1144         * stress/op_urshift-ConstVar.js:
1145         * stress/op_urshift-VarConst.js:
1146         * stress/op_urshift-VarVar.js:
1147         * stress/sampling-profiler-richards.js:
1148         * stress/spread-forward-call-varargs-stack-overflow.js:
1149
1150 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1151
1152         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1153         https://bugs.webkit.org/show_bug.cgi?id=193711
1154         <rdar://problem/47250262>
1155
1156         Reviewed by Saam Barati.
1157
1158         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1159         (shouldBe):
1160         (foo):
1161         (bar):
1162         (baz):
1163
1164 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1165
1166         Unreviewed, fix initial global lexical binding epoch
1167         https://bugs.webkit.org/show_bug.cgi?id=193603
1168         <rdar://problem/47380869>
1169
1170         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1171         (f1.f2.f3.f4):
1172         (f1.f2.f3):
1173         (f1.f2):
1174         (f1):
1175
1176 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1177
1178         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1179         https://bugs.webkit.org/show_bug.cgi?id=193709
1180         <rdar://problem/47363838>
1181
1182         Unreviewed, rollout to watch the tests.
1183
1184         * stress/object-tostring-changed-proto.js: Removed.
1185         * stress/object-tostring-changed.js: Removed.
1186         * stress/object-tostring-misc.js: Removed.
1187         * stress/object-tostring-other.js: Removed.
1188         * stress/object-tostring-untyped.js: Removed.
1189
1190 2019-01-22  Saam Barati  <sbarati@apple.com>
1191
1192         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1193
1194         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1195         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1196         (testUncheckedLessThanZero):
1197         (testUncheckedLessThanOrEqualZero):
1198         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1199         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1200
1201 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1202
1203         [JSC] Invalidate old scope operations using global lexical binding epoch
1204         https://bugs.webkit.org/show_bug.cgi?id=193603
1205         <rdar://problem/47380869>
1206
1207         Reviewed by Saam Barati.
1208
1209         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1210         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1211         (shouldThrow):
1212         (bar):
1213         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1214         (shouldBe):
1215         (get1):
1216         (get2):
1217         (get1If):
1218         (get2If):
1219         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1220         (shouldThrow):
1221         (foo):
1222
1223 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1224
1225         Unreviewed, roll out r240220 due to date-format-xparb regression
1226         https://bugs.webkit.org/show_bug.cgi?id=193603
1227
1228         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1229         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1230         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1231         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1232
1233 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1234
1235         DoesGC rule is wrong for nodes with BigIntUse
1236         https://bugs.webkit.org/show_bug.cgi?id=193652
1237
1238         Reviewed by Saam Barati.
1239
1240         * stress/big-int-value-op-update-gc-rules.js: Added.
1241         (assert):
1242         (doesGCAdd):
1243         (doesGCSub):
1244         (doesGCDiv):
1245         (doesGCMul):
1246         (doesGCBitAnd):
1247         (doesGCBitOr):
1248         (doesGCBitXor):
1249
1250 2019-01-20  Saam Barati  <sbarati@apple.com>
1251
1252         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1253         https://bugs.webkit.org/show_bug.cgi?id=193644
1254         <rdar://problem/46209745>
1255
1256         Reviewed by Yusuke Suzuki.
1257
1258         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1259         (foo):
1260         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1261         (foo):
1262         (bar):
1263
1264 2019-01-20  Saam Barati  <sbarati@apple.com>
1265
1266         MovHint must merge NodeBytecodeUsesAsValue for its child
1267         https://bugs.webkit.org/show_bug.cgi?id=186916
1268         <rdar://problem/41396612>
1269
1270         Reviewed by Yusuke Suzuki.
1271
1272         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1273         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1274
1275 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1276
1277         [JSC] Invalidate old scope operations using global lexical binding epoch
1278         https://bugs.webkit.org/show_bug.cgi?id=193603
1279         <rdar://problem/47380869>
1280
1281         Reviewed by Saam Barati.
1282
1283         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1284         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1285         (shouldThrow):
1286         (bar):
1287         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1288         (shouldBe):
1289         (get1):
1290         (get2):
1291         (get1If):
1292         (get2If):
1293         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1294         (shouldThrow):
1295         (foo):
1296
1297 2019-01-17  Saam barati  <sbarati@apple.com>
1298
1299         StringObjectUse should not be a structure check for the original string object structure
1300         https://bugs.webkit.org/show_bug.cgi?id=193483
1301         <rdar://problem/47280522>
1302
1303         Reviewed by Yusuke Suzuki.
1304
1305         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1306         (foo):
1307         (a.valueOf.0):
1308
1309 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1310
1311         [JSC] ToThis omission in DFGByteCodeParser is wrong
1312         https://bugs.webkit.org/show_bug.cgi?id=193513
1313         <rdar://problem/45842236>
1314
1315         Reviewed by Saam Barati.
1316
1317         * stress/to-this-omission-with-different-strict-modes.js: Added.
1318         (thisA):
1319         (thisAStrictWrapper):
1320
1321 2019-01-15  Mark Lam  <mark.lam@apple.com>
1322
1323         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1324         https://bugs.webkit.org/show_bug.cgi?id=193423
1325         <rdar://problem/46209355>
1326
1327         Reviewed by Saam Barati.
1328
1329         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1330         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1331         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1332         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1333
1334 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1335
1336         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1337         https://bugs.webkit.org/show_bug.cgi?id=193438
1338         <rdar://problem/45581249>
1339
1340         Reviewed by Saam Barati and Keith Miller.
1341
1342         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1343         Then, GetByVal(String) crashed.
1344
1345         * stress/string-get-by-val-lowering.js: Added.
1346         (shouldBe):
1347         (test):
1348         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1349         (Hello):
1350         (foo):
1351
1352 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1353
1354         Unreviewed, skip JIT tests if it's not enabled
1355
1356         * stress/bit-op-with-object-returning-int32.js:
1357
1358 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1359
1360         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1361         https://bugs.webkit.org/show_bug.cgi?id=192966
1362
1363         Reviewed by Yusuke Suzuki.
1364
1365         * stress/bit-op-with-object-returning-int32.js: Added.
1366
1367 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1368
1369         Skip a slow test and a flakey test on arm
1370
1371         Unreviewed gardening.
1372
1373         * typeProfiler/getter-richards.js:
1374         this test always times out, it used to be always skipped on arm and
1375         mips, but got accidentally enabled by r237919 now that we have DFG on
1376         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1377
1378 2019-01-14  Keith Miller  <keith_miller@apple.com>
1379
1380         Skip type-check-hoisting-phase-hoist... with no jit
1381         https://bugs.webkit.org/show_bug.cgi?id=193421
1382
1383         Reviewed by Mark Lam.
1384
1385         It's timing out the 32-bit bots and takes 330 seconds
1386         on my machine when run by itself.
1387
1388         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1389
1390 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1391
1392         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1393         https://bugs.webkit.org/show_bug.cgi?id=193413
1394         <rdar://problem/46092389>
1395
1396         Reviewed by Keith Miller.
1397
1398         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1399         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1400         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1401         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1402
1403         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1404         (compareArray):
1405
1406 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1407
1408         [BigInt] Literal parsing is crashing when used inside a Object Literal
1409         https://bugs.webkit.org/show_bug.cgi?id=193404
1410
1411         Reviewed by Yusuke Suzuki.
1412
1413         * stress/big-int-literal-inside-literal-object.js: Added.
1414
1415 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1416
1417         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1418         https://bugs.webkit.org/show_bug.cgi?id=193372
1419
1420         Reviewed by Saam Barati.
1421
1422         * stress/typed-array-array-modes-profile.js: Added.
1423         (foo):
1424
1425 2019-01-14  Mark Lam  <mark.lam@apple.com>
1426
1427         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1428         https://bugs.webkit.org/show_bug.cgi?id=193402
1429         <rdar://problem/46012309>
1430
1431         Reviewed by Keith Miller.
1432
1433         * stress/regexp-compile-oom.js:
1434         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1435           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1436
1437 2019-01-11  Saam barati  <sbarati@apple.com>
1438
1439         DFG combined liveness can be wrong for terminal basic blocks
1440         https://bugs.webkit.org/show_bug.cgi?id=193304
1441         <rdar://problem/45268632>
1442
1443         Reviewed by Yusuke Suzuki.
1444
1445         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1446
1447 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1448
1449         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1450         https://bugs.webkit.org/show_bug.cgi?id=193308
1451         <rdar://problem/45546542>
1452
1453         Reviewed by Saam Barati.
1454
1455         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1456         (shouldThrow):
1457         (shouldBe):
1458         (foo):
1459         (get shouldThrow):
1460         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1461         (shouldThrow):
1462         (shouldBe):
1463         (foo):
1464         (get shouldBe):
1465         (get shouldThrow):
1466         (get return):
1467         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1468         (shouldThrow):
1469         (shouldBe):
1470         (foo):
1471         (get shouldBe):
1472         (get shouldThrow):
1473         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1474         (shouldThrow):
1475         (shouldBe):
1476         (foo):
1477         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1478         (shouldThrow):
1479         (shouldBe):
1480         (foo):
1481         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1482         (shouldThrow):
1483         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1484         (shouldThrow):
1485         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1486         (shouldThrow):
1487         (shouldBe):
1488         (foo):
1489         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1490         (shouldThrow):
1491         (shouldBe):
1492         (foo):
1493         (get shouldBe):
1494         (get shouldThrow):
1495         (get return):
1496         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1497         (shouldThrow):
1498         (shouldBe):
1499         (foo):
1500         (get shouldBe):
1501         (get shouldThrow):
1502         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1503         (shouldThrow):
1504         (shouldBe):
1505         (foo):
1506         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1507         (shouldThrow):
1508         (shouldBe):
1509         (foo):
1510
1511 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1512
1513         Enable DFG on ARM/Linux again
1514         https://bugs.webkit.org/show_bug.cgi?id=192496
1515
1516         Reviewed by Yusuke Suzuki.
1517
1518         Test wasn't really skipped before moving the line with skip
1519         to the top.
1520
1521         * stress/regress-192717.js:
1522
1523 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1524
1525         Unreviewed, rolling out r239825.
1526         https://bugs.webkit.org/show_bug.cgi?id=193330
1527
1528         Broke tests on armv7/linux bots (Requested by guijemont on
1529         #webkit).
1530
1531         Reverted changeset:
1532
1533         "Enable DFG on ARM/Linux again"
1534         https://bugs.webkit.org/show_bug.cgi?id=192496
1535         https://trac.webkit.org/changeset/239825
1536
1537 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1538
1539         Enable DFG on ARM/Linux again
1540         https://bugs.webkit.org/show_bug.cgi?id=192496
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         Test wasn't really skipped before moving the line with skip
1545         to the top.
1546
1547         * stress/regress-192717.js:
1548
1549 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1550
1551         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1552         https://bugs.webkit.org/show_bug.cgi?id=193127
1553
1554         Reviewed by Saam Barati.
1555
1556         * stress/array-species-create-should-handle-masquerader.js: Added.
1557         (shouldThrow):
1558         * stress/is-undefined-or-null-builtin.js: Added.
1559         (shouldBe):
1560         (isUndefinedOrNull.vm.createBuiltin):
1561
1562 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1563
1564         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1565         https://bugs.webkit.org/show_bug.cgi?id=193221
1566
1567         Reviewed by Mark Lam.
1568
1569         * stress/put-by-id-flags.js: Added.
1570         (f):
1571         (g):
1572         (numberOfDFGCompiles):
1573
1574 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1575
1576         Baseline version of get_by_id may corrupt metadata
1577         https://bugs.webkit.org/show_bug.cgi?id=193085
1578         <rdar://problem/23453006>
1579
1580         Reviewed by Saam Barati.
1581
1582         * stress/get-by-id-change-mode.js: Added.
1583         (forEach):
1584
1585 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1586
1587         [JSC] Optimize Object.prototype.toString
1588         https://bugs.webkit.org/show_bug.cgi?id=193031
1589
1590         Reviewed by Saam Barati.
1591
1592         * stress/object-tostring-changed-proto.js: Added.
1593         (shouldBe):
1594         (test):
1595         * stress/object-tostring-changed.js: Added.
1596         (shouldBe):
1597         (test):
1598         * stress/object-tostring-misc.js: Added.
1599         (shouldBe):
1600         (test):
1601         (i.switch):
1602         * stress/object-tostring-other.js: Added.
1603         (shouldBe):
1604         (test):
1605         * stress/object-tostring-untyped.js: Added.
1606         (shouldBe):
1607         (test):
1608         (i.switch):
1609
1610 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1611
1612         test262-runner misbehaves when test file YAML has a trailing space
1613         https://bugs.webkit.org/show_bug.cgi?id=193053
1614
1615         Reviewed by Yusuke Suzuki.
1616
1617         * test262/expectations.yaml:
1618         Mark two dozen tests as passing (and correct the output of another).
1619
1620 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1621
1622         Unreviewed, JSTests gardening with memoryLimited
1623
1624         * stress/string-overflow-createError.js:
1625
1626 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1627
1628         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1629         https://bugs.webkit.org/show_bug.cgi?id=193050
1630
1631         Reviewed by Yusuke Suzuki.
1632
1633         * test262.yaml:
1634         * test262/expectations.yaml:
1635         Mark 16 tests as passing.
1636
1637 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1638
1639         [BigInt] Support BigInt in JSON.stringify
1640         https://bugs.webkit.org/show_bug.cgi?id=192624
1641
1642         Reviewed by Saam Barati.
1643
1644         * stress/big-int-json-stringify-to-json.js: Added.
1645         (shouldBe):
1646         (shouldThrow):
1647         (BigInt.prototype.toJSON):
1648         (shouldBe.JSON.stringify):
1649         * stress/big-int-json-stringify.js: Added.
1650         (shouldBe):
1651         (shouldThrow):
1652
1653 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1654
1655         [JSC] Implement "well-formed JSON.stringify" proposal
1656         https://bugs.webkit.org/show_bug.cgi?id=191677
1657
1658         Reviewed by Darin Adler.
1659
1660         * stress/json-surrogate-pair.js: Added.
1661         (shouldBe):
1662         * test262/expectations.yaml:
1663
1664 2018-12-20  Keith Miller  <keith_miller@apple.com>
1665
1666         Add support for globalThis
1667         https://bugs.webkit.org/show_bug.cgi?id=165171
1668
1669         Reviewed by Mark Lam.
1670
1671         * test262/config.yaml:
1672
1673 2018-12-19  Keith Miller  <keith_miller@apple.com>
1674
1675         Update test262 configuration to not run tests dependent on ICU version.
1676         https://bugs.webkit.org/show_bug.cgi?id=192920
1677
1678         Reviewed by Saam Barati.
1679
1680         * test262/expectations.yaml:
1681
1682 2018-12-20  Mark Lam  <mark.lam@apple.com>
1683
1684         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1685         https://bugs.webkit.org/show_bug.cgi?id=192939
1686         <rdar://problem/46869516>
1687
1688         Reviewed by Keith Miller.
1689
1690         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1691
1692 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1693
1694         WTF::String and StringImpl overflow MaxLength
1695         https://bugs.webkit.org/show_bug.cgi?id=192853
1696         <rdar://problem/45726906>
1697
1698         Reviewed by Mark Lam.
1699
1700         * stress/string-16bit-repeat-overflow.js: Added.
1701         (catch):
1702
1703 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1704
1705         Unreviewed follow-up to r192914.
1706
1707         * test262/expectations.yaml:
1708         Add the last 20 missing expectations.
1709
1710 2018-12-19  Keith Miller  <keith_miller@apple.com>
1711
1712         Fix test262 expectations
1713         https://bugs.webkit.org/show_bug.cgi?id=192914
1714
1715         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1716
1717         * test262/expectations.yaml:
1718
1719 2018-12-19  Keith Miller  <keith_miller@apple.com>
1720
1721         Update test262 tests.
1722         https://bugs.webkit.org/show_bug.cgi?id=192907
1723
1724         Rubber stamped by Mark Lam.
1725
1726         * test262/*: Omitted because prepare-changelog crashes.
1727
1728 2018-12-19  Mark Lam  <mark.lam@apple.com>
1729
1730         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1731         https://bugs.webkit.org/show_bug.cgi?id=192464
1732         <rdar://problem/46519455>
1733
1734         Reviewed by Saam Barati.
1735
1736         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1737         microbenchmark.
1738
1739         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1740         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1741
1742 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1743
1744         String overflow in JSC::createError results in ASSERT in WTF::makeString
1745         https://bugs.webkit.org/show_bug.cgi?id=192833
1746         <rdar://problem/45706868>
1747
1748         Reviewed by Mark Lam.
1749
1750         * stress/string-overflow-createError.js: Added.
1751
1752 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1753
1754         Error message for `-x ** y` contains a typo.
1755         https://bugs.webkit.org/show_bug.cgi?id=192832
1756
1757         Reviewed by Saam Barati.
1758
1759         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1760         (assert.assert.return.throws):
1761         * stress/pow-expects-update-expression-on-lhs.js:
1762         (throw.new.Error):
1763         Update test expectations which match against the exact error message.
1764
1765 2018-12-18  Mark Lam  <mark.lam@apple.com>
1766
1767         Gardening: test options fix.
1768         https://bugs.webkit.org/show_bug.cgi?id=192822
1769
1770         Unreviewed.
1771
1772         * stress/json-stringify-string-builder-overflow.js:
1773
1774 2018-12-18  Mark Lam  <mark.lam@apple.com>
1775
1776         JSON.stringify() should throw OOM on StringBuilder overflows.
1777         https://bugs.webkit.org/show_bug.cgi?id=192822
1778         <rdar://problem/46670577>
1779
1780         Reviewed by Saam Barati.
1781
1782         * stress/json-stringify-string-builder-overflow.js: Added.
1783
1784 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1785
1786         Redeclaration of var over let/const/class should be a syntax error.
1787         https://bugs.webkit.org/show_bug.cgi?id=192298
1788
1789         Reviewed by Keith Miller.
1790
1791         * test262.yaml:
1792         * test262/expectations.yaml:
1793         Mark 46 tests as passing.
1794
1795         * stress/block-scope-redeclarations.js:
1796         Add some new tests.
1797
1798         * stress/for-in-invalidate-context-weird-assignments.js:
1799         * stress/for-in-tests.js:
1800         Replace tests for outdated behavior with tests for SyntaxError.
1801
1802         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1803         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1804         Update expectations.
1805
1806 2018-12-18  Mark Lam  <mark.lam@apple.com>
1807
1808         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1809         https://bugs.webkit.org/show_bug.cgi?id=191374
1810         <rdar://problem/46525447>
1811
1812         Reviewed by Yusuke Suzuki.
1813
1814         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1815
1816         * stress/elidable-new-object-roflcopter-then-exit.js:
1817
1818 2018-12-17  Mark Lam  <mark.lam@apple.com>
1819
1820         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1821         https://bugs.webkit.org/show_bug.cgi?id=192019
1822         <rdar://problem/46525456>
1823
1824         Reviewed by Yusuke Suzuki.
1825
1826         The test runs too slow on 32-bit.
1827
1828         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1829
1830 2018-12-17  Mark Lam  <mark.lam@apple.com>
1831
1832         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1833         https://bugs.webkit.org/show_bug.cgi?id=191373
1834         <rdar://problem/46525458>
1835
1836         Reviewed by Yusuke Suzuki.
1837
1838         The test is already slow running with a JIT on 64-bit.  It will always timeout
1839         on 32-bit without a JIT.
1840
1841         * stress/materialize-regexp-cyclic-regexp.js:
1842
1843 2018-12-17  Mark Lam  <mark.lam@apple.com>
1844
1845         Array unshift/shift should not race against the AI in the compiler thread.
1846         https://bugs.webkit.org/show_bug.cgi?id=192795
1847         <rdar://problem/46724263>
1848
1849         Reviewed by Saam Barati.
1850
1851         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1852
1853 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1854
1855         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1856         https://bugs.webkit.org/show_bug.cgi?id=190047
1857
1858         Reviewed by Saam Barati.
1859
1860         * stress/object-keys-cached-zero.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/object-keys-changed-attribute.js: Added.
1864         (shouldBe):
1865         (test):
1866         * stress/object-keys-changed-index.js: Added.
1867         (shouldBe):
1868         (test):
1869         * stress/object-keys-changed.js: Added.
1870         (shouldBe):
1871         (test):
1872         * stress/object-keys-indexed-non-cache.js: Added.
1873         (shouldBe):
1874         (test):
1875         * stress/object-keys-overrides-get-property-names.js: Added.
1876         (shouldBe):
1877         (test):
1878         (noInline):
1879
1880 2018-12-17  Mark Lam  <mark.lam@apple.com>
1881
1882         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1883         https://bugs.webkit.org/show_bug.cgi?id=192779
1884         <rdar://problem/46775869>
1885
1886         Reviewed by Saam Barati.
1887
1888         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1889
1890 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1891
1892         Unreviewed test gardening, address a syntax error in a new test.
1893
1894         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1895
1896 2018-12-17  Mark Lam  <mark.lam@apple.com>
1897
1898         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1899         https://bugs.webkit.org/show_bug.cgi?id=192776
1900         <rdar://problem/46772368>
1901
1902         Reviewed by Keith Miller.
1903
1904         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1905
1906 2018-12-17  Mark Lam  <mark.lam@apple.com>
1907
1908         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1909         https://bugs.webkit.org/show_bug.cgi?id=192770
1910         <rdar://problem/46449037>
1911
1912         Reviewed by Keith Miller.
1913
1914         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1915
1916 2018-12-14  Mark Lam  <mark.lam@apple.com>
1917
1918         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1919         https://bugs.webkit.org/show_bug.cgi?id=192717
1920         <rdar://problem/46660677>
1921
1922         Reviewed by Saam Barati.
1923
1924         * stress/regress-192717.js: Added.
1925
1926 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1927
1928         Unreviewed, rolling out r239153, r239154, and r239155.
1929         https://bugs.webkit.org/show_bug.cgi?id=192715
1930
1931         Caused flaky GC-related crashes seen with layout tests
1932         (Requested by ryanhaddad on #webkit).
1933
1934         Reverted changesets:
1935
1936         "[JSC] Optimize Object.keys by caching own keys results in
1937         StructureRareData"
1938         https://bugs.webkit.org/show_bug.cgi?id=190047
1939         https://trac.webkit.org/changeset/239153
1940
1941         "Unreviewed, build fix after r239153"
1942         https://bugs.webkit.org/show_bug.cgi?id=190047
1943         https://trac.webkit.org/changeset/239154
1944
1945         "Unreviewed, build fix after r239153, part 2"
1946         https://bugs.webkit.org/show_bug.cgi?id=190047
1947         https://trac.webkit.org/changeset/239155
1948
1949 2018-12-14  Keith Miller  <keith_miller@apple.com>
1950
1951         Callers of JSString::getIndex should check for OOM exceptions
1952         https://bugs.webkit.org/show_bug.cgi?id=192709
1953
1954         Reviewed by Mark Lam.
1955
1956         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1957
1958 2018-12-13  Mark Lam  <mark.lam@apple.com>
1959
1960         Add a missing exception check.
1961         https://bugs.webkit.org/show_bug.cgi?id=192626
1962         <rdar://problem/46662163>
1963
1964         Reviewed by Keith Miller.
1965
1966         * stress/regress-192626.js: Added.
1967
1968 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1969
1970         [BigInt] Add ValueDiv into DFG
1971         https://bugs.webkit.org/show_bug.cgi?id=186178
1972
1973         Reviewed by Yusuke Suzuki.
1974
1975         * stress/big-int-div-jit-osr.js: Added.
1976         * stress/big-int-div-jit-untyped.js: Added.
1977         * stress/value-div-fixup-int32-big-int.js: Added.
1978
1979 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1980
1981         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1982         https://bugs.webkit.org/show_bug.cgi?id=190047
1983
1984         Reviewed by Keith Miller.
1985
1986         * stress/object-keys-cached-zero.js: Added.
1987         (shouldBe):
1988         (test):
1989         * stress/object-keys-changed-attribute.js: Added.
1990         (shouldBe):
1991         (test):
1992         * stress/object-keys-changed-index.js: Added.
1993         (shouldBe):
1994         (test):
1995         * stress/object-keys-changed.js: Added.
1996         (shouldBe):
1997         (test):
1998         * stress/object-keys-indexed-non-cache.js: Added.
1999         (shouldBe):
2000         (test):
2001         * stress/object-keys-overrides-get-property-names.js: Added.
2002         (shouldBe):
2003         (test):
2004         (noInline):
2005
2006 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2007
2008         [DFG][FTL] Add NewSymbol
2009         https://bugs.webkit.org/show_bug.cgi?id=192620
2010
2011         Reviewed by Saam Barati.
2012
2013         * microbenchmarks/symbol-creation.js: Added.
2014         (test):
2015         * stress/symbol-description-identity.js: Added.
2016         (shouldBe):
2017         (test):
2018         * stress/symbol-identity.js: Added.
2019         (shouldBe):
2020         (test):
2021         * stress/symbol-with-description-throw-error.js: Added.
2022         (shouldBe):
2023         (shouldThrow):
2024         (test):
2025         (object.toString):
2026
2027 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2028
2029         [BigInt] Implement DFG/FTL typeof for BigInt
2030         https://bugs.webkit.org/show_bug.cgi?id=192619
2031
2032         Reviewed by Keith Miller.
2033
2034         * stress/big-int-boolean-proven-type.js: Added.
2035         (assert):
2036         (bool):
2037         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2038         (assert):
2039         (typeOf):
2040         (i.switch):
2041         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2042         (assert):
2043         (typeOf):
2044         * stress/big-int-type-of.js:
2045         (typeOf):
2046         (func):
2047
2048 2018-12-10  Mark Lam  <mark.lam@apple.com>
2049
2050         PropertyAttribute needs a CustomValue bit.
2051         https://bugs.webkit.org/show_bug.cgi?id=191993
2052         <rdar://problem/46264467>
2053
2054         Reviewed by Saam Barati.
2055
2056         * stress/regress-191993.js: Added.
2057
2058 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2059
2060         [BigInt] Add ValueMul into DFG
2061         https://bugs.webkit.org/show_bug.cgi?id=186175
2062
2063         Reviewed by Yusuke Suzuki.
2064
2065         * stress/big-int-mul-jit-osr.js: Added.
2066         * stress/big-int-mul-jit-untyped.js: Added.
2067         * stress/value-mul-fixup-int32-big-int.js: Added.
2068
2069 2018-12-06  Keith Miller  <keith_miller@apple.com>
2070
2071         stress/big-wasm-memory tests failing on 32-bit JSC bot
2072         https://bugs.webkit.org/show_bug.cgi?id=192020
2073
2074         Reviewed by Saam Barati.
2075
2076         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2077         the wasm stress tests if the WebAssembly object does not exist.
2078
2079         * stress/big-wasm-memory-grow-no-max.js:
2080         (test.foo):
2081         (test):
2082         (foo): Deleted.
2083         (catch): Deleted.
2084         * stress/big-wasm-memory-grow.js:
2085         (test.foo):
2086         (test):
2087         (foo): Deleted.
2088         (catch): Deleted.
2089         * stress/big-wasm-memory.js:
2090         (test.foo):
2091         (test):
2092         (foo): Deleted.
2093         (catch): Deleted.
2094
2095 2018-12-05  Mark Lam  <mark.lam@apple.com>
2096
2097         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2098         https://bugs.webkit.org/show_bug.cgi?id=192441
2099         <rdar://problem/46480355>
2100
2101         Reviewed by Saam Barati.
2102
2103         * stress/regress-192441.js: Added.
2104
2105 2018-12-04  Mark Lam  <mark.lam@apple.com>
2106
2107         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2108         https://bugs.webkit.org/show_bug.cgi?id=192386
2109         <rdar://problem/46445516>
2110
2111         Reviewed by Saam Barati.
2112
2113         * stress/regress-192386.js: Added.
2114
2115 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2116
2117         [ESNext][BigInt] Support logic operations
2118         https://bugs.webkit.org/show_bug.cgi?id=179903
2119
2120         Reviewed by Yusuke Suzuki.
2121
2122         * stress/big-int-branch-usage.js: Added.
2123         * stress/big-int-logical-and.js: Added.
2124         * stress/big-int-logical-not.js: Added.
2125         * stress/big-int-logical-or.js: Added.
2126
2127 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2128
2129         Unreviewed, rolling out r238833.
2130
2131         Breaks macOS and iOS debug builds.
2132
2133         Reverted changeset:
2134
2135         "[ESNext][BigInt] Support logic operations"
2136         https://bugs.webkit.org/show_bug.cgi?id=179903
2137         https://trac.webkit.org/changeset/238833
2138
2139 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2140
2141         [ESNext][BigInt] Support logic operations
2142         https://bugs.webkit.org/show_bug.cgi?id=179903
2143
2144         Reviewed by Yusuke Suzuki.
2145
2146         * stress/big-int-branch-usage.js: Added.
2147         * stress/big-int-logical-and.js: Added.
2148         * stress/big-int-logical-not.js: Added.
2149         * stress/big-int-logical-or.js: Added.
2150
2151 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2152
2153         [ESNext][BigInt] Implement support for "<<" and ">>"
2154         https://bugs.webkit.org/show_bug.cgi?id=186233
2155
2156         Reviewed by Yusuke Suzuki.
2157
2158         * stress/big-int-left-shift-general.js: Added.
2159         * stress/big-int-left-shift-range-error.js: Added.
2160         * stress/big-int-left-shift-type-error.js: Added.
2161         * stress/big-int-left-shift-wrapped-value.js: Added.
2162         * stress/big-int-right-shift-general.js: Added.
2163         * stress/big-int-right-shift-type-error.js: Added.
2164         * stress/big-int-right-shift-wrapped-value.js: Added.
2165         * stress/left-shift-to-primitive-precedence.js: Added.
2166         * stress/right-shift-to-primitive-precedence.js: Added.
2167
2168 2018-11-30  Dean Jackson  <dino@apple.com>
2169
2170         Add first-class support for .mjs files in jsc binary
2171         https://bugs.webkit.org/show_bug.cgi?id=192190
2172         <rdar://problem/46375715>
2173
2174         Reviewed by Keith Miller.
2175
2176         * stress/simple-module.mjs: Added.
2177         * stress/simple-script.js: Added.
2178
2179 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2180
2181         [BigInt] Implement ValueBitXor into DFG
2182         https://bugs.webkit.org/show_bug.cgi?id=190264
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         * stress/big-int-bitwise-xor-jit.js: Added.
2187         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2188         * stress/big-int-bitwise-xor-untyped.js: Added.
2189
2190 2018-11-27  Saam barati  <sbarati@apple.com>
2191
2192         r238510 broke scopes of size zero
2193         https://bugs.webkit.org/show_bug.cgi?id=192033
2194         <rdar://problem/46281734>
2195
2196         Reviewed by Keith Miller.
2197
2198         * stress/r238510-bad-loop.js: Added.
2199         (foo):
2200
2201 2018-11-27  Mark Lam  <mark.lam@apple.com>
2202
2203         [Re-landing] NaNs read from Wasm code needs to be purified.
2204         https://bugs.webkit.org/show_bug.cgi?id=191056
2205         <rdar://problem/45660341>
2206
2207         Reviewed by Filip Pizlo.
2208
2209         * wasm/regress/regress-191056.js: Added.
2210
2211 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2212
2213         Unreviewed, rolling out r238509.
2214
2215         Causes JSC tests to fail on iOS.
2216
2217         Reverted changeset:
2218
2219         "NaNs read from Wasm code needs to be purified."
2220         https://bugs.webkit.org/show_bug.cgi?id=191056
2221         https://trac.webkit.org/changeset/238509
2222
2223 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2224
2225         Re-introduce op_bitnot
2226         https://bugs.webkit.org/show_bug.cgi?id=190923
2227
2228         Reviewed by Yusuke Suzuki.
2229
2230         * stress/bit-not-must-generate.js: Added.
2231         * stress/bitwise-not-no-int32.js: Added.
2232
2233 2018-11-26  Saam barati  <sbarati@apple.com>
2234
2235         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2236         https://bugs.webkit.org/show_bug.cgi?id=191956
2237         <rdar://problem/45665806>
2238
2239         Reviewed by Yusuke Suzuki.
2240
2241         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2242         (bar):
2243         (foo):
2244
2245 2018-11-26  Saam barati  <sbarati@apple.com>
2246
2247         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2248         https://bugs.webkit.org/show_bug.cgi?id=191958
2249         <rdar://problem/46221877>
2250
2251         Reviewed by Yusuke Suzuki.
2252
2253         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2254         (x):
2255         (foo):
2256
2257 2018-11-26  Mark Lam  <mark.lam@apple.com>
2258
2259         NaNs read from Wasm code needs to be purified.
2260         https://bugs.webkit.org/show_bug.cgi?id=191056
2261         <rdar://problem/45660341>
2262
2263         Reviewed by Filip Pizlo.
2264
2265         * wasm/regress/regress-191056.js: Added.
2266
2267 2018-11-26  Michael Saboff  <msaboff@apple.com>
2268
2269         32-bit JSC test failure: stress/regexp-compile-oom.js
2270         https://bugs.webkit.org/show_bug.cgi?id=191375
2271
2272         Reviewed by Mark Lam.
2273
2274         Disabled the test for 32 bit platforms.
2275
2276         * stress/regexp-compile-oom.js:
2277
2278 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2279
2280         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2281         https://bugs.webkit.org/show_bug.cgi?id=191716
2282         <rdar://problem/45723878>
2283
2284         Reviewed by Saam Barati.
2285
2286         * stress/regress-187373.js: Added.
2287         (async.fn):
2288
2289 2018-11-21  Saam barati  <sbarati@apple.com>
2290
2291         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2292         https://bugs.webkit.org/show_bug.cgi?id=191897
2293         <rdar://problem/45871998>
2294
2295         Reviewed by Mark Lam.
2296
2297         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2298         (bar):
2299         (foo):
2300
2301 2018-11-21  Saam barati  <sbarati@apple.com>
2302
2303         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2304         https://bugs.webkit.org/show_bug.cgi?id=191895
2305         <rdar://problem/46167406>
2306
2307         Reviewed by Mark Lam.
2308
2309         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2310         (foo):
2311         (bar):
2312
2313 2018-11-21  Mark Lam  <mark.lam@apple.com>
2314
2315         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2316         https://bugs.webkit.org/show_bug.cgi?id=191776
2317         <rdar://problem/46152851>
2318
2319         Reviewed by Saam Barati.
2320
2321         * stress/big-wasm-memory-grow-no-max.js:
2322         * stress/big-wasm-memory-grow.js:
2323         * stress/big-wasm-memory.js:
2324         - updated these to expect an OutOfMemoryError.
2325
2326         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2327         (Binary.prototype.emit_u8):
2328         (Binary.prototype.emit_u32v):
2329         (Binary.prototype.emit_header):
2330         (Binary.prototype.emit_section):
2331         (Binary):
2332         (WasmModuleBuilder):
2333         (WasmModuleBuilder.prototype.addMemory):
2334         (WasmModuleBuilder.prototype.toArray):
2335         (WasmModuleBuilder.prototype.toBuffer):
2336         (WasmModuleBuilder.prototype.instantiate):
2337         (catch):
2338         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2339         (catch):
2340
2341 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2342
2343         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2344         https://bugs.webkit.org/show_bug.cgi?id=190836
2345
2346         Reviewed by Saam Barati and Yusuke Suzuki.
2347
2348         * stress/big-int-out-of-memory-tests.js: Added.
2349
2350 2018-11-20  Mark Lam  <mark.lam@apple.com>
2351
2352         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2353         https://bugs.webkit.org/show_bug.cgi?id=191856
2354         <rdar://problem/46089992>
2355
2356         Reviewed by Yusuke Suzuki.
2357
2358         * stress/regress-191856.js: Added.
2359         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2360
2361 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2362
2363         Enable JIT on ARM/Linux
2364         https://bugs.webkit.org/show_bug.cgi?id=191548
2365
2366         Reviewed by Yusuke Suzuki.
2367
2368         Disable test on system with limited memory. Program was killed by
2369         the OS before the exception was thrown.
2370
2371         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2372
2373 2018-11-20  Saam barati  <sbarati@apple.com>
2374
2375         Merging an IC variant may lead to the IC status containing overlapping structure sets
2376         https://bugs.webkit.org/show_bug.cgi?id=191869
2377         <rdar://problem/45403453>
2378
2379         Reviewed by Mark Lam.
2380
2381         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2382
2383 2018-11-19  Mark Lam  <mark.lam@apple.com>
2384
2385         globalFuncImportModule() should return a promise when it clears exceptions.
2386         https://bugs.webkit.org/show_bug.cgi?id=191792
2387         <rdar://problem/46090763>
2388
2389         Reviewed by Michael Saboff.
2390
2391         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2392
2393 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2394
2395         Skip new memory-hungry tests on memory limited devices
2396
2397         Unreviewed gardening.
2398
2399         * stress/big-wasm-memory-grow-no-max.js:
2400         * stress/big-wasm-memory-grow.js:
2401         * stress/big-wasm-memory.js:
2402
2403 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2404
2405         Unreviewed, rolling in the rest of r237254
2406         https://bugs.webkit.org/show_bug.cgi?id=190340
2407
2408         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2409         * stress/function-cache-with-parameters-end-position.js: Added.
2410         (shouldBe):
2411         (shouldThrow):
2412         (i.anonymous):
2413         * stress/function-constructor-name.js: Added.
2414         (shouldBe):
2415         (GeneratorFunction):
2416         (AsyncFunction.async):
2417         (AsyncGeneratorFunction.async):
2418         (anonymous):
2419         (async.anonymous):
2420         * test262/expectations.yaml:
2421
2422 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2423
2424         All users of ArrayBuffer should agree on the same max size
2425         https://bugs.webkit.org/show_bug.cgi?id=191771
2426
2427         Reviewed by Mark Lam.
2428
2429         * stress/big-wasm-memory-grow-no-max.js: Added.
2430         (foo):
2431         (catch):
2432         * stress/big-wasm-memory-grow.js: Added.
2433         (foo):
2434         (catch):
2435         * stress/big-wasm-memory.js: Added.
2436         (foo):
2437         (catch):
2438
2439 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2440
2441         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2442         run for each JSC config since they're regression tests for runtime bugs.
2443
2444         * stress/json-stringified-overflow-2.js:
2445         * stress/json-stringified-overflow.js:
2446
2447 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2448
2449         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2450         config since they're regression tests for runtime bugs.
2451
2452         * stress/large-unshift-splice.js:
2453         * stress/regress-185888.js:
2454
2455 2018-11-16  Saam Barati  <sbarati@apple.com>
2456
2457         KnownCellUse should also have SpecCellCheck as its type filter
2458         https://bugs.webkit.org/show_bug.cgi?id=191729
2459         <rdar://problem/45872852>
2460
2461         Reviewed by Filip Pizlo.
2462
2463         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2464         (C):
2465
2466 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2467
2468         Fix assertion failure on BytecodeGenerator::recordOpcode
2469         https://bugs.webkit.org/show_bug.cgi?id=191724
2470         <rdar://problem/45724395>
2471
2472         Reviewed by Saam Barati.
2473
2474         * stress/regress-187373-2.js: Added.
2475         (foo):
2476
2477 2018-11-15  Mark Lam  <mark.lam@apple.com>
2478
2479         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2480         https://bugs.webkit.org/show_bug.cgi?id=191730
2481         <rdar://problem/46048517>
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/regress-187006.js: Removed.
2486           - this test is invalid because its sole purpose is to test for the non-spec
2487             compliant behavior that we just fixed.
2488
2489         * stress/regress-191730.js: Added.
2490
2491 2018-11-15  Mark Lam  <mark.lam@apple.com>
2492
2493         RegExp operations should not take fast path if lastIndex is not numeric.
2494         https://bugs.webkit.org/show_bug.cgi?id=191731
2495         <rdar://problem/46017305>
2496
2497         Reviewed by Saam Barati.
2498
2499         * stress/regress-191731.js: Added.
2500
2501 2018-11-13  Saam Barati  <sbarati@apple.com>
2502
2503         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2504         https://bugs.webkit.org/show_bug.cgi?id=191600
2505
2506         Reviewed by Mark Lam.
2507
2508         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2509         (foo):
2510         (test):
2511         (bar):
2512
2513 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2514
2515         Unreviewed, rolling out r238132.
2516
2517         The test added with this change is timing out on Debug JSC
2518         bots.
2519
2520         Reverted changeset:
2521
2522         "[BigInt] JSBigInt::createWithLength should throw when length
2523         is greater than JSBigInt::maxLength"
2524         https://bugs.webkit.org/show_bug.cgi?id=190836
2525         https://trac.webkit.org/changeset/238132
2526
2527 2018-11-13  Mark Lam  <mark.lam@apple.com>
2528
2529         Add OOM detection to StringPrototype's substituteBackreferences().
2530         https://bugs.webkit.org/show_bug.cgi?id=191563
2531         <rdar://problem/45720428>
2532
2533         Reviewed by Saam Barati.
2534
2535         * stress/regress-191563.js: Added.
2536
2537 2018-11-13  Mark Lam  <mark.lam@apple.com>
2538
2539         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2540         https://bugs.webkit.org/show_bug.cgi?id=191579
2541         <rdar://problem/45942472>
2542
2543         Reviewed by Saam Barati.
2544
2545         * stress/regress-191579.js: Added.
2546
2547 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2548
2549         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2550         https://bugs.webkit.org/show_bug.cgi?id=190836
2551
2552         Reviewed by Saam Barati.
2553
2554         * stress/big-int-out-of-memory-tests.js: Added.
2555
2556 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2557
2558         U+180E is no longer a whitespace character
2559         https://bugs.webkit.org/show_bug.cgi?id=191415
2560
2561         Reviewed by Saam Barati.
2562
2563         * ChakraCore/test/es5/regexSpace.baseline:
2564         * ChakraCore/test/es6/unicode_whitespace.js:
2565         Update tests to latest version.
2566         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2567
2568         * test262.yaml:
2569         * test262/config.yaml:
2570         * test262/expectations.yaml:
2571         Update expectations.
2572
2573 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2574
2575         [BigInt] Add support to BigInt into ValueAdd
2576         https://bugs.webkit.org/show_bug.cgi?id=186177
2577
2578         Reviewed by Keith Miller.
2579
2580         * stress/big-int-negate-jit.js:
2581         * stress/value-add-big-int-and-string.js: Added.
2582         * stress/value-add-big-int-prediction-propagation.js: Added.
2583         * stress/value-add-big-int-untyped.js: Added.
2584
2585 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2586
2587         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2588         https://bugs.webkit.org/show_bug.cgi?id=191184
2589
2590         Reviewed by Saam Barati.
2591
2592         Most tests were failing due to timeouts, since they are too slow to
2593         run on CLoop. The exceptions are:
2594
2595         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2596         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2597         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2598         to change the stack size since CLoop requires it to be page aligned.
2599
2600         * microbenchmarks/array-push-1.js:
2601         * microbenchmarks/array-push-2.js:
2602         * microbenchmarks/elidable-new-object-dag.js:
2603         * microbenchmarks/elidable-new-object-roflcopter.js:
2604         * microbenchmarks/elidable-new-object-tree.js:
2605         * microbenchmarks/getter-richards.js:
2606         * microbenchmarks/sinkable-new-object-dag.js:
2607         * microbenchmarks/string-concat-long-convert.js:
2608         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2609         * slowMicrobenchmarks/array-push-3.js:
2610         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2611         * slowMicrobenchmarks/spread-small-array.js:
2612         * slowMicrobenchmarks/undefined-property-access.js:
2613         * stress/activation-sink-default-value-tdz-error.js:
2614         * stress/activation-sink-default-value.js:
2615         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2616         * stress/activation-sink-osrexit-default-value.js:
2617         * stress/activation-sink-osrexit.js:
2618         * stress/activation-sink.js:
2619         * stress/allow-math-ic-b3-code-duplication.js:
2620         * stress/array-push-multiple-int32.js:
2621         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2622         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2623         * stress/arrowfunction-lexical-this-activation-sink.js:
2624         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2625         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2626         * stress/elide-new-object-dag-then-exit.js:
2627         * stress/materialize-regexp-cyclic.js:
2628         * stress/new-regex-inline.js:
2629         * stress/op_add.js:
2630         * stress/op_bitand.js:
2631         * stress/op_bitor.js:
2632         * stress/op_bitxor.js:
2633         * stress/op_div-ConstVar.js:
2634         * stress/op_div-VarConst.js:
2635         * stress/op_div-VarVar.js:
2636         * stress/op_lshift-ConstVar.js:
2637         * stress/op_lshift-VarConst.js:
2638         * stress/op_lshift-VarVar.js:
2639         * stress/op_mod-ConstVar.js:
2640         * stress/op_mod-VarConst.js:
2641         * stress/op_mod-VarVar.js:
2642         * stress/op_mul-ConstVar.js:
2643         * stress/op_mul-VarConst.js:
2644         * stress/op_mul-VarVar.js:
2645         * stress/op_rshift-ConstVar.js:
2646         * stress/op_rshift-VarConst.js:
2647         * stress/op_rshift-VarVar.js:
2648         * stress/op_sub-ConstVar.js:
2649         * stress/op_sub-VarConst.js:
2650         * stress/op_sub-VarVar.js:
2651         * stress/op_urshift-ConstVar.js:
2652         * stress/op_urshift-VarConst.js:
2653         * stress/op_urshift-VarVar.js:
2654         * stress/proxy-get-set-correct-receiver.js:
2655         * stress/regress-179562.js:
2656         * stress/rest-parameter-many-arguments.js:
2657         * stress/sampling-profiler-richards.js:
2658         * stress/splay-flash-access-1ms.js:
2659         * stress/tailCallForwardArguments.js:
2660         * stress/typed-array-get-by-val-profiling.js:
2661         * typeProfiler/getter-richards.js:
2662
2663 2018-11-06  Michael Saboff  <msaboff@apple.com>
2664
2665         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2666         https://bugs.webkit.org/show_bug.cgi?id=191271
2667
2668         Reviewed by Saam Barati.
2669
2670         Added more test cases and made all test cases run with the same deeply recursive stack
2671         instead of finding that same point for each test case.
2672
2673         * stress/regexp-compile-oom.js:
2674         (prototype.runTest):
2675         (recurseAndTest):
2676         (testList.push.new.TestAndExpectedException):
2677
2678 2018-11-05  Michael Saboff  <msaboff@apple.com>
2679
2680         Unreviewed build fix for linux.
2681
2682         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2683
2684 2018-11-02  Michael Saboff  <msaboff@apple.com>
2685
2686         Rolling in r237753 with unreviewed build fix.
2687
2688         Fixed issues with DECLARE_THROW_SCOPE placement.
2689
2690 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2691
2692         Unreviewed, rolling out r237753.
2693
2694         Introduced JSC test failures
2695
2696         Reverted changeset:
2697
2698         "Running out of stack space not properly handled in
2699         RegExp::compile() and its callers"
2700         https://bugs.webkit.org/show_bug.cgi?id=191206
2701         https://trac.webkit.org/changeset/237753
2702
2703 2018-11-02  Michael Saboff  <msaboff@apple.com>
2704
2705         Running out of stack space not properly handled in RegExp::compile() and its callers
2706         https://bugs.webkit.org/show_bug.cgi?id=191206
2707
2708         Reviewed by Filip Pizlo.
2709
2710         New regression test.
2711
2712         * stress/regexp-compile-oom.js: Added.
2713         (recurseAndTest):
2714
2715 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2716
2717         Skip tests on arm/mips that time out now we're running on CLoop
2718
2719         Unreviewed gardening.
2720
2721         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2722         time out on the bots and need to be disabled. There's more tests
2723         disabled on arm because the timeout is longer on the mips bot (as the
2724         device is slower to start with), so many of the tests don't time out
2725         there.
2726
2727         * microbenchmarks/getter-richards.js: disable on arm and mips.
2728         * stress/op_add.js: disable on arm.
2729         * stress/op_bitand.js: disable on arm.
2730         * stress/op_bitor.js: disable on arm.
2731         * stress/op_bitxor.js: disable on arm.
2732         * stress/op_lshift-ConstVar.js: disable on arm.
2733         * stress/op_lshift-VarConst.js: disable on arm.
2734         * stress/op_lshift-VarVar.js: disable on arm.
2735         * stress/op_mod-ConstVar.js: disable on arm.
2736         * stress/op_mod-VarConst.js: disable on arm.
2737         * stress/op_mod-VarVar.js: disable on arm.
2738         * stress/op_mul-ConstVar.js: disable on arm.
2739         * stress/op_mul-VarConst.js: disable on arm.
2740         * stress/op_mul-VarVar.js: disable on arm.
2741         * stress/op_rshift-ConstVar.js: disable on arm.
2742         * stress/op_rshift-VarConst.js: disable on arm.
2743         * stress/op_rshift-VarVar.js: disable on arm.
2744         * stress/op_sub-ConstVar.js: disable on arm.
2745         * stress/op_sub-VarConst.js: disable on arm.
2746         * stress/op_sub-VarVar.js: disable on arm.
2747         * stress/op_urshift-ConstVar.js: disable on arm.
2748         * stress/op_urshift-VarConst.js: disable on arm.
2749         * stress/op_urshift-VarVar.js: disable on arm.
2750         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2751         * stress/value-to-boolean.js: disable on arm and mips.
2752
2753 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2754
2755         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2756         https://bugs.webkit.org/show_bug.cgi?id=191108
2757         <rdar://problem/45690700>
2758
2759         Reviewed by Saam Barati.
2760
2761         * stress/wide-op_catch.js: Added.
2762         (catch):
2763
2764 2018-10-29  Mark Lam  <mark.lam@apple.com>
2765
2766         Correctly detect string overflow when using the 'Function' constructor.
2767         https://bugs.webkit.org/show_bug.cgi?id=184883
2768         <rdar://problem/36320331>
2769
2770         Reviewed by Saam Barati.
2771
2772         I've verified that this passes on 32-bit as well.
2773
2774         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2775
2776 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2777
2778         Add support for GetStack FlushedDouble
2779         https://bugs.webkit.org/show_bug.cgi?id=191012
2780         <rdar://problem/45265141>
2781
2782         Reviewed by Saam Barati.
2783
2784         * stress/get-stack-double.js: Added.
2785         (bar):
2786         (noInline):
2787
2788 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2789
2790         New bytecode format for JSC
2791         https://bugs.webkit.org/show_bug.cgi?id=187373
2792         <rdar://problem/44186758>
2793
2794         Reviewed by Filip Pizlo.
2795
2796         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2797
2798         * stress/maximum-inline-capacity.js: Added.
2799         (test1):
2800         (test3.Foo):
2801         (test3):
2802
2803 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2804
2805         Unreviewed, rolling out r237479 and r237484.
2806         https://bugs.webkit.org/show_bug.cgi?id=190978
2807
2808         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2809
2810         Reverted changesets:
2811
2812         "New bytecode format for JSC"
2813         https://bugs.webkit.org/show_bug.cgi?id=187373
2814         https://trac.webkit.org/changeset/237479
2815
2816         "Gardening: Build fix after r237479."
2817         https://bugs.webkit.org/show_bug.cgi?id=187373
2818         https://trac.webkit.org/changeset/237484
2819
2820 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2821
2822         New bytecode format for JSC
2823         https://bugs.webkit.org/show_bug.cgi?id=187373
2824         <rdar://problem/44186758>
2825
2826         Reviewed by Filip Pizlo.
2827
2828         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2829
2830         * stress/maximum-inline-capacity.js: Added.
2831         (test1):
2832         (test3.Foo):
2833         (test3):
2834
2835 2018-10-26  Mark Lam  <mark.lam@apple.com>
2836
2837         Fix missing edge cases with JSGlobalObjects having a bad time.
2838         https://bugs.webkit.org/show_bug.cgi?id=189028
2839         <rdar://problem/45204939>
2840
2841         Reviewed by Saam Barati.
2842
2843         * stress/regress-189028.js: Added.
2844
2845 2018-10-22  Mark Lam  <mark.lam@apple.com>
2846
2847         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2848         https://bugs.webkit.org/show_bug.cgi?id=190515
2849         <rdar://problem/45222379>
2850
2851         Rubber-stamped by Saam Barati.
2852
2853         Adding another test.
2854
2855         * stress/regress-190515-2.js: Added.
2856
2857 2018-10-22  Mark Lam  <mark.lam@apple.com>
2858
2859         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2860         https://bugs.webkit.org/show_bug.cgi?id=190515
2861         <rdar://problem/45222379>
2862
2863         Reviewed by Saam Barati.
2864
2865         * stress/regress-190515.js: Added.
2866
2867 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2868
2869         Unreviewed, rolling out r237254.
2870         https://bugs.webkit.org/show_bug.cgi?id=190760
2871
2872         "It regresses JetStream 2 by 5% on some iOS devices"
2873         (Requested by saamyjoon on #webkit).
2874
2875         Reverted changeset:
2876
2877         "[JSC] JSC should have "parseFunction" to optimize Function
2878         constructor"
2879         https://bugs.webkit.org/show_bug.cgi?id=190340
2880         https://trac.webkit.org/changeset/237254
2881
2882 2018-10-19  Saam Barati  <sbarati@apple.com>
2883
2884         vmCall should check if we exit before emitting an OSR exit due to exceptions
2885         https://bugs.webkit.org/show_bug.cgi?id=190740
2886         <rdar://problem/45220139>
2887
2888         Reviewed by Mark Lam.
2889
2890         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2891         (foo):
2892
2893 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2894
2895         [ESNext][BigInt] Implement support for "^"
2896         https://bugs.webkit.org/show_bug.cgi?id=186235
2897
2898         Reviewed by Yusuke Suzuki.
2899
2900         * stress/big-int-bitwise-xor-general.js: Added.
2901         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2902         * stress/big-int-bitwise-xor-type-error.js: Added.
2903         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2904
2905 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2906
2907         [BigInt] Add ValueSub into DFG
2908         https://bugs.webkit.org/show_bug.cgi?id=186176
2909
2910         Reviewed by Yusuke Suzuki.
2911
2912         * stress/big-int-subtraction-jit.js:
2913         * stress/value-sub-big-int-prediction-propagation.js: Added.
2914         * stress/value-sub-big-int-untyped.js: Added.
2915         * stress/value-sub-spec-none-case.js: Added.
2916
2917 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2918
2919         [JSC] JSC should have "parseFunction" to optimize Function constructor
2920         https://bugs.webkit.org/show_bug.cgi?id=190340
2921
2922         Reviewed by Mark Lam.
2923
2924         This patch fixes the line number of syntax errors raised by the Function constructor,
2925         since we now parse the final code only once. And we no longer use block statement
2926         for Function constructor's parsing.
2927
2928         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2929         * stress/function-cache-with-parameters-end-position.js: Added.
2930         (shouldBe):
2931         (shouldThrow):
2932         (i.anonymous):
2933         * stress/function-constructor-name.js: Added.
2934         (shouldBe):
2935         (GeneratorFunction):
2936         (AsyncFunction.async):
2937         (AsyncGeneratorFunction.async):
2938         (anonymous):
2939         (async.anonymous):
2940         * test262/expectations.yaml:
2941
2942 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2943
2944         Unreviewed, rolling out r237242.
2945         https://bugs.webkit.org/show_bug.cgi?id=190701
2946
2947         it breaks "stress/sampling-profiler-basic.js" (Requested by
2948         caiolima on #webkit).
2949
2950         Reverted changeset:
2951
2952         "[BigInt] Add ValueSub into DFG"
2953         https://bugs.webkit.org/show_bug.cgi?id=186176
2954         https://trac.webkit.org/changeset/237242
2955
2956 2018-10-17  Keith Miller  <keith_miller@apple.com>
2957
2958         AI does not clear Phantom allocation nodes.
2959         https://bugs.webkit.org/show_bug.cgi?id=190694
2960
2961         Reviewed by Saam Barati.
2962
2963         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2964         (Day):
2965         (DaysInYear):
2966         (TimeInYear):
2967         (TimeFromYear):
2968         (DayFromYear):
2969         (InLeapYear):
2970         (YearFromTime):
2971         (WeekDay):
2972         (DaylightSavingTA):
2973         (GetSecondSundayInMarch):
2974         (TimeInMonth):
2975
2976 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2977
2978         [BigInt] Add ValueSub into DFG
2979         https://bugs.webkit.org/show_bug.cgi?id=186176
2980
2981         Reviewed by Yusuke Suzuki.
2982
2983         * stress/big-int-subtraction-jit.js:
2984         * stress/value-sub-big-int-prediction-propagation.js: Added.
2985         * stress/value-sub-big-int-untyped.js: Added.
2986
2987 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2988
2989         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2990         https://bugs.webkit.org/show_bug.cgi?id=190611
2991
2992         Reviewed by Saam Barati.
2993
2994         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2995         to improve test runtime. On ARM/MIPS this test even timed out when running all
2996         tests.
2997
2998         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2999         (test):
3000
3001 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3002
3003         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3004
3005         Unreviewed gardening.
3006
3007         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3008
3009 2018-10-15  Saam barati  <sbarati@apple.com>
3010
3011         Emit fjcvtzs on ARM64E on Darwin
3012         https://bugs.webkit.org/show_bug.cgi?id=184023
3013
3014         Reviewed by Yusuke Suzuki and Filip Pizlo.
3015
3016         * stress/double-to-int32-NaN.js: Added.
3017         (assert):
3018         (foo):
3019
3020 2018-10-15  Saam Barati  <sbarati@apple.com>
3021
3022         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3023         https://bugs.webkit.org/show_bug.cgi?id=190262
3024         <rdar://problem/44986241>
3025
3026         Reviewed by Mark Lam.
3027
3028         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3029         (test):
3030         * stress/slice-array-storage-with-holes.js: Added.
3031         (main):
3032
3033 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3034
3035         Unreviewed, rolling out r237054.
3036         https://bugs.webkit.org/show_bug.cgi?id=190593
3037
3038         "this regressed JetStream 2 by 6% on iOS" (Requested by
3039         saamyjoon on #webkit).
3040
3041         Reverted changeset:
3042
3043         "[JSC] JSC should have "parseFunction" to optimize Function
3044         constructor"
3045         https://bugs.webkit.org/show_bug.cgi?id=190340
3046         https://trac.webkit.org/changeset/237054
3047
3048 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3049
3050         [JSC] JSON.stringify can accept call-with-no-arguments
3051         https://bugs.webkit.org/show_bug.cgi?id=190343
3052
3053         Reviewed by Mark Lam.
3054
3055         * stress/json-stringify-no-arguments.js: Added.
3056         (shouldBe):
3057
3058 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3059
3060         [JSC] JSC should have "parseFunction" to optimize Function constructor
3061         https://bugs.webkit.org/show_bug.cgi?id=190340
3062
3063         Reviewed by Mark Lam.
3064
3065         This patch fixes the line number of syntax errors raised by the Function constructor,
3066         since we now parse the final code only once. And we no longer use block statement
3067         for Function constructor's parsing.
3068
3069         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3070         * stress/function-cache-with-parameters-end-position.js: Added.
3071         (shouldBe):
3072         (shouldThrow):
3073         (i.anonymous):
3074         * stress/function-constructor-name.js: Added.
3075         (shouldBe):
3076         (GeneratorFunction):
3077         (AsyncFunction.async):
3078         (AsyncGeneratorFunction.async):
3079         (anonymous):
3080         (async.anonymous):
3081         * test262/expectations.yaml:
3082
3083 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3084
3085         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3086         https://bugs.webkit.org/show_bug.cgi?id=190426
3087
3088         Unreviewed gardening.
3089
3090         * stress/sampling-profiler-richards.js:
3091
3092 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3093
3094         [ESNext][BigInt] Implement support for "|"
3095         https://bugs.webkit.org/show_bug.cgi?id=186229
3096
3097         Reviewed by Yusuke Suzuki.
3098
3099         * stress/big-int-bitwise-and-jit.js:
3100         * stress/big-int-bitwise-or-general.js: Added.
3101         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3102         * stress/big-int-bitwise-or-jit.js: Added.
3103         * stress/big-int-bitwise-or-memory-stress.js: Added.
3104         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3105         * stress/big-int-bitwise-or-type-error.js: Added.
3106         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3107
3108 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3109
3110         Skip test on systems with limited memory
3111         https://bugs.webkit.org/show_bug.cgi?id=190310
3112
3113         Invoking runDefault adds test to runlist, skipping the test in the next
3114         line does not prevent the test from executing. Change order of lines such
3115         that runDefault is only executed if test is not executed.
3116
3117         Reviewed by Mark Lam.
3118
3119         * stress/regress-190187.js:
3120
3121 2018-10-03  Saam barati  <sbarati@apple.com>
3122
3123         lowXYZ in FTLLower should always filter the type of the incoming edge
3124         https://bugs.webkit.org/show_bug.cgi?id=189939
3125         <rdar://problem/44407030>
3126
3127         Reviewed by Michael Saboff.
3128
3129         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3130         (foo):
3131         (test):
3132
3133 2018-10-03  Mark Lam  <mark.lam@apple.com>
3134
3135         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3136         https://bugs.webkit.org/show_bug.cgi?id=190187
3137         <rdar://problem/42512909>
3138
3139         Reviewed by Michael Saboff.
3140
3141         * stress/regress-190187.js: Added.
3142
3143 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3144
3145         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3146         https://bugs.webkit.org/show_bug.cgi?id=190033
3147
3148         Reviewed by Yusuke Suzuki.
3149
3150         * stress/big-int-to-string.js:
3151
3152 2018-10-01  Mark Lam  <mark.lam@apple.com>
3153
3154         Function.toString() should also copy the source code Functions that are class definitions.
3155         https://bugs.webkit.org/show_bug.cgi?id=190186
3156         <rdar://problem/44733360>
3157
3158         Reviewed by Saam Barati.
3159
3160         * stress/regress-190186.js: Added.
3161
3162 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3163
3164         Split NaN-check into separate test
3165         https://bugs.webkit.org/show_bug.cgi?id=190010
3166
3167         Reviewed by Saam Barati.
3168
3169         DataView exposes NaN-representation, which is not necessarily the same on each
3170         architecture. Therefore move the check of the NaN-representation into its own
3171         file such that we can disable this test on MIPS where NaN-representation can be
3172         different on older CPUs.
3173
3174         * stress/dataview-jit-set-nan.js: Added.
3175         (assert):
3176         (test.storeLittleEndian):
3177         (test.storeBigEndian):
3178         (test.store):
3179         (test):
3180         * stress/dataview-jit-set.js:
3181         (test5):
3182
3183 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3184
3185         Unreviewed, rolling out r236647.
3186         https://bugs.webkit.org/show_bug.cgi?id=190124
3187
3188         Breaking test stress/big-int-to-string.js (Requested by
3189         caiolima_ on #webkit).
3190
3191         Reverted changeset:
3192
3193         "[BigInt] BigInt.prototype.toString is broken when radix is
3194         power of 2"
3195         https://bugs.webkit.org/show_bug.cgi?id=190033
3196         https://trac.webkit.org/changeset/236647
3197
3198 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3199
3200         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3201         https://bugs.webkit.org/show_bug.cgi?id=190033
3202
3203         Reviewed by Yusuke Suzuki.
3204
3205         * stress/big-int-to-string.js:
3206
3207 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3208
3209         [ESNext][BigInt] Implement support for "&"
3210         https://bugs.webkit.org/show_bug.cgi?id=186228
3211
3212         Reviewed by Yusuke Suzuki.
3213
3214         * stress/big-int-bitwise-and-general.js: Added.
3215         (assert):
3216         (assert.sameValue):
3217         * stress/big-int-bitwise-and-jit.js: Added.
3218         (let.assert.sameValue):
3219         (bigIntBitAnd):
3220         * stress/big-int-bitwise-and-memory-stress.js: Added.
3221         (assert):
3222         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3223         (assert.sameValue):
3224         (let.o.Symbol.toPrimitive):
3225         (catch):
3226         * stress/big-int-bitwise-and-type-error.js: Added.
3227         (assert):
3228         (assertThrowTypeError):
3229         (let.o.valueOf):
3230         (o.valueOf):
3231         (o.toString):
3232         (o.Symbol.toPrimitive):
3233         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3234         (assert.sameValue):
3235         (testBitAnd):
3236         (let.o.Symbol.toPrimitive):
3237         (o.valueOf):
3238         (o.toString):
3239
3240 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3241
3242         JSC test stress/jsc-read.js doesn't support CRLF
3243         https://bugs.webkit.org/show_bug.cgi?id=190063
3244
3245         Reviewed by Yusuke Suzuki.
3246
3247         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3248
3249         * stress/jsc-read.js:
3250         (test):
3251
3252 2018-09-27  Saam barati  <sbarati@apple.com>
3253
3254         Verify the contents of AssemblerBuffer on arm64e
3255         https://bugs.webkit.org/show_bug.cgi?id=190057
3256         <rdar://problem/38916630>
3257
3258         Reviewed by Mark Lam.
3259
3260         * stress/regress-189132.js:
3261
3262 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3263
3264         Disable test without LLInt on ARMv7
3265         https://bugs.webkit.org/show_bug.cgi?id=190037
3266
3267         Reviewed by Mark Lam.
3268
3269         Test runs out of executable memory on ARMv7, do not run
3270         this test without LLInt enabled.
3271
3272         * stress/regress-169445.js:
3273
3274 2018-09-26  Keith Miller  <keith_miller@apple.com>
3275
3276         We should zero unused property storage when rebalancing array storage.
3277         https://bugs.webkit.org/show_bug.cgi?id=188151
3278
3279         Reviewed by Michael Saboff.
3280
3281         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3282
3283 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3284
3285         [JSC] Optimize Array#lastIndexOf
3286         https://bugs.webkit.org/show_bug.cgi?id=189780
3287
3288         Reviewed by Saam Barati.
3289
3290         * stress/array-lastindexof-array-prototype-trap.js: Added.
3291         (shouldBe):
3292         (AncestorArray.prototype.get 2):
3293         (AncestorArray):
3294         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3295         (shouldBe):
3296         * stress/array-lastindexof-hole-nan.js: Added.
3297         (shouldBe):
3298         (throw.new.Error):
3299         * stress/array-lastindexof-infinity.js: Added.
3300         (shouldBe):
3301         (throw.new.Error):
3302         * stress/array-lastindexof-negative-zero.js: Added.
3303         (shouldBe):
3304         (throw.new.Error):
3305         * stress/array-lastindexof-own-getter.js: Added.
3306         (shouldBe):
3307         (throw.new.Error.get array):
3308         (get array):
3309         * stress/array-lastindexof-prototype-trap.js: Added.
3310         (shouldBe):
3311         (DerivedArray.prototype.get 2):
3312         (DerivedArray):
3313
3314 2018-09-25  Saam Barati  <sbarati@apple.com>
3315
3316         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3317         https://bugs.webkit.org/show_bug.cgi?id=189940
3318         <rdar://problem/43640987>
3319
3320         Reviewed by Mark Lam.
3321
3322         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3323
3324 2018-09-24  Saam Barati  <sbarati@apple.com>
3325
3326         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3327         https://bugs.webkit.org/show_bug.cgi?id=189922
3328         <rdar://problem/44651275>
3329
3330         Reviewed by Mark Lam.
3331
3332         * stress/array-indexof-fast-path-effects.js: Added.
3333         * stress/array-indexof-cached-length.js: Added.
3334
3335 2018-09-24  Saam barati  <sbarati@apple.com>
3336
3337         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3338         https://bugs.webkit.org/show_bug.cgi?id=189682
3339         <rdar://problem/43557315>
3340
        Reviewed by Mark Lam.

        * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
        (foo):

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        * stress/sampling-profiler-richards.js: Added.

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==