Fix incorrect handling of try-finally completion values.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-06  Mark Lam  <mark.lam@apple.com>
2
3         Fix incorrect handling of try-finally completion values.
4         https://bugs.webkit.org/show_bug.cgi?id=195131
5         <rdar://problem/46222079>
6
7         Reviewed by Saam Barati and Yusuke Suzuki.
8
9         Added many permutations of new test case to test-finally.js.  test-finally.js has
10         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
11         tests passes there as well.
12
13         * stress/test-finally.js:
14
15 2019-03-06  Saam Barati  <sbarati@apple.com>
16
17         Air::reportUsedRegisters must padInterference
18         https://bugs.webkit.org/show_bug.cgi?id=195303
19         <rdar://problem/48270343>
20
21         Reviewed by Keith Miller.
22
23         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
24
25 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
26
27         [JSC] AI should not propagate AbstractValue relying on constant folding phase
28         https://bugs.webkit.org/show_bug.cgi?id=195375
29
30         Reviewed by Saam Barati.
31
32         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
33         (let.array):
34
35 2019-03-05  Saam barati  <sbarati@apple.com>
36
37         op_switch_char broken for rope strings after JSRopeString layout rewrite
38         https://bugs.webkit.org/show_bug.cgi?id=195339
39         <rdar://problem/48592545>
40
41         Reviewed by Yusuke Suzuki.
42
43         * stress/switch-on-char-llint-rope.js: Added.
44
45 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
46
47         [JSC] Store bits for JSRopeString in 3 stores
48         https://bugs.webkit.org/show_bug.cgi?id=195234
49
50         Reviewed by Saam Barati.
51
52         * stress/null-rope-and-collectors.js: Added.
53
54 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
55
56         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
57         https://bugs.webkit.org/show_bug.cgi?id=195207
58
59         Unreviewed. After test runtime was reduced in r242213, test can be
60         run again on ARM/MIPS.
61
62         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
63
64 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
65
66         [JSC] sizeof(JSString) should be 16
67         https://bugs.webkit.org/show_bug.cgi?id=194375
68
69         Reviewed by Saam Barati.
70
71         * microbenchmarks/make-rope.js: Added.
72         (makeRope):
73         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
74         (returnRope.helper): Deleted.
75         (returnRope): Deleted.
76
77 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
78
79         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
80         https://bugs.webkit.org/show_bug.cgi?id=195144
81
82         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
83         Change the number from 1e8 to 1e5.
84
85         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
86         (foo):
87
88 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
89
90         Test times out on ARM/MIPS
91         https://bugs.webkit.org/show_bug.cgi?id=195168
92
93         Unreviewed. Skip test on ARM/MIPS.
94
95         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
96
97 2019-02-27  Mark Lam  <mark.lam@apple.com>
98
99         The parser is failing to record the token location of new in new.target.
100         https://bugs.webkit.org/show_bug.cgi?id=195127
101         <rdar://problem/39645578>
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
106
107 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
108
109         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
110         https://bugs.webkit.org/show_bug.cgi?id=195144
111         <rdar://problem/47595961>
112
113         Reviewed by Mark Lam.
114
115         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
116         (bar):
117         (foo):
118         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
119         (bar):
120         (foo):
121
122 2019-02-27  Robin Morisset  <rmorisset@apple.com>
123
124         DFG: Loop-invariant code motion (LICM) should not hoist dead code
125         https://bugs.webkit.org/show_bug.cgi?id=194945
126         <rdar://problem/48311657>
127
128         Reviewed by Mark Lam.
129
130         * stress/licm-dead-code.js: Added.
131
132 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
133
134         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
135         https://bugs.webkit.org/show_bug.cgi?id=194677
136         <rdar://problem/48112492>
137
138         Reviewed by Mark Lam.
139
140         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
141         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
142         it immediately fails due the large size.
143
144         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
145         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
146         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
147         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
148
149         This patch changes the test to produce 16bit string from String.fromCharCode.
150
151         * stress/regress-178386.js:
152
153 2019-02-26  Mark Lam  <mark.lam@apple.com>
154
155         wasmToJS() should purify incoming NaNs.
156         https://bugs.webkit.org/show_bug.cgi?id=194807
157         <rdar://problem/48189132>
158
159         Reviewed by Saam Barati.
160
161         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
162
163 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
164
165         [JSC] Repeat string created from Array.prototype.join() take too much memory
166         https://bugs.webkit.org/show_bug.cgi?id=193912
167
168         Reviewed by Saam Barati.
169
170         Added a test and a microbenchmark for corner cases of
171         Array.prototype.join() with an uninitialized array.
172
173         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
174         * stress/array-prototype-join-uninitialized.js: Added.
175         (testArray):
176         (testABC):
177         (B):
178         (C):
179
180 2019-02-22  Robin Morisset  <rmorisset@apple.com>
181
182         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
183         https://bugs.webkit.org/show_bug.cgi?id=194953
184         <rdar://problem/47595253>
185
186         Reviewed by Saam Barati.
187
188         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
189
190         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
191
192 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
193
194         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
195         https://bugs.webkit.org/show_bug.cgi?id=172848
196         <rdar://problem/25709212>
197
198         Reviewed by Mark Lam.
199
200         * typeProfiler/inheritance.js:
201         Rewrite the test slightly for clarity. The hoisting was confusing.
202
203         * heapProfiler/class-names.js: Added.
204         (MyES5Class):
205         (MyES6Class):
206         (MyES6Subclass):
207         Test object types and improved class names.
208
209         * heapProfiler/driver/driver.js:
210         (CheapHeapSnapshotNode):
211         (CheapHeapSnapshot):
212         (createCheapHeapSnapshot):
213         (HeapSnapshot):
214         (createHeapSnapshot):
215         Update snapshot parsing from version 1 to version 2.
216
217 2019-02-19  Truitt Savell  <tsavell@apple.com>
218
219         Unreviewed, rolling out r241784.
220
221         Broke all OpenSource builds.
222
223         Reverted changeset:
224
225         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
226         instances view"
227         https://bugs.webkit.org/show_bug.cgi?id=172848
228         https://trac.webkit.org/changeset/241784
229
230 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
231
232         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
233         https://bugs.webkit.org/show_bug.cgi?id=172848
234         <rdar://problem/25709212>
235
236         Reviewed by Mark Lam.
237
238         * typeProfiler/inheritance.js:
239         Rewrite the test slightly for clarity. The hoisting was confusing.
240
241         * heapProfiler/class-names.js: Added.
242         (MyES5Class):
243         (MyES6Class):
244         (MyES6Subclass):
245         Test object types and improved class names.
246
247         * heapProfiler/driver/driver.js:
248         (CheapHeapSnapshotNode):
249         (CheapHeapSnapshot):
250         (createCheapHeapSnapshot):
251         (HeapSnapshot):
252         (createHeapSnapshot):
253         Update snapshot parsing from version 1 to version 2.
254
255 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
256
257         [ARM] Fix crash with sampling profiler
258         https://bugs.webkit.org/show_bug.cgi?id=194772
259
260         Reviewed by Mark Lam.
261
262         Do not skip test since crash with sampling profiler is now fixed.
263
264         * stress/sampling-profiler-richards.js:
265
266 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         [JSC] Add LazyClassStructure::getInitializedOnMainThread
269         https://bugs.webkit.org/show_bug.cgi?id=194784
270         <rdar://problem/48154820>
271
272         Reviewed by Mark Lam.
273
274         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
275         (getProperties):
276         (getRandomProperty):
277         (i.catch):
278
279 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
280
281         [ARM] Test gardening: Test running out of executable memory
282         https://bugs.webkit.org/show_bug.cgi?id=194771
283
284         Unreviewed. Do not run test without LLInt, test is running out of executable
285         memory on ARM otherwise.
286
287         * stress/tagged-template-object-collect.js:
288
289 2019-02-18  Tomas Popela  <tpopela@redhat.com>
290
291         Unreviewed, skip the test on platforms without sampling profiler
292
293         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
294         (platformSupportsSamplingProfiler.foo):
295         (platformSupportsSamplingProfiler.test):
296         (platformSupportsSamplingProfiler):
297         (foo): Deleted.
298         (test): Deleted.
299
300 2019-02-17  Saam Barati  <sbarati@apple.com>
301
302         Deadlock when adding a Structure property transition and then doing incremental marking
303         https://bugs.webkit.org/show_bug.cgi?id=194767
304
305         Reviewed by Mark Lam.
306
307         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
308
309 2019-02-15  Michael Saboff  <msaboff@apple.com>
310
311         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
312         https://bugs.webkit.org/show_bug.cgi?id=194558
313
314         Reviewed by Saam Barati.
315
316         New regression test.
317
318         * stress/regexp-unicode-within-string.js: Added.
319
320 2019-02-15  Mark Lam  <mark.lam@apple.com>
321
322         SamplingProfiler::stackTracesAsJSON() should escape strings.
323         https://bugs.webkit.org/show_bug.cgi?id=194649
324         <rdar://problem/48072386>
325
326         Reviewed by Saam Barati.
327
328         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
329         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
330         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
331         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
332
333 2019-02-15  Robin Morisset  <rmorisset@apple.com>
334         CodeBlock::jettison should clear related watchpoints
335         https://bugs.webkit.org/show_bug.cgi?id=194544
336
337         Reviewed by Mark Lam.
338
339         * stress/regexp-replace-double-watchpoint.js: Added.
340         (foo):
341
342 2019-02-15  Saam barati  <sbarati@apple.com>
343
344         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
345         https://bugs.webkit.org/show_bug.cgi?id=194036
346
347         Reviewed by Yusuke Suzuki.
348
349         * stress/tail-call-many-arguments.js: Added.
350         (foo):
351         (bar):
352
353 2019-02-14  Saam Barati  <sbarati@apple.com>
354
355         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
356         https://bugs.webkit.org/show_bug.cgi?id=194583
357         <rdar://problem/48028140>
358
359         Reviewed by Yusuke Suzuki.
360
361         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
362
363 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
364
365         [JSC] String.fromCharCode's slow path always generates 16bit string
366         https://bugs.webkit.org/show_bug.cgi?id=194466
367
368         Reviewed by Keith Miller.
369
370         * stress/string-from-char-code-slow-path.js: Added.
371         (shouldBe):
372         (testWithLength):
373
374 2019-02-08  Saam barati  <sbarati@apple.com>
375
376         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
377         https://bugs.webkit.org/show_bug.cgi?id=194334
378         <rdar://problem/47844327>
379
380         Reviewed by Mark Lam.
381
382         * stress/check-in-bounds-should-be-a-child-use.js: Added.
383         (func):
384
385 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
386
387         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
388         https://bugs.webkit.org/show_bug.cgi?id=194369
389         <rdar://problem/47813087>
390
391         Reviewed by Saam Barati.
392
393         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
394         (A):
395
396 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
397
398         [JSC] PrivateName to PublicName hash table is wasteful
399         https://bugs.webkit.org/show_bug.cgi?id=194277
400
401         Reviewed by Michael Saboff.
402
403         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
404
405         * ChakraCore.yaml:
406
407 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
408
409         [ARM] Test running out of executable memory
410         https://bugs.webkit.org/show_bug.cgi?id=194285
411
412         Unreviewed. Do no execute test with LLInt disabled, test runs out of
413         executable memory otherwise.
414
415         * stress/class-subclassing-function.js:
416
417 2019-02-04  Robin Morisset  <rmorisset@apple.com>
418
419         when lowering AssertNotEmpty, create the value before creating the patchpoint
420         https://bugs.webkit.org/show_bug.cgi?id=194231
421
422         Reviewed by Saam Barati.
423
424         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
425         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
426         So even tiny changes to this test can change the path code taken.
427
428         * stress/assert-not-empty.js: Added.
429         (foo):
430
431 2019-02-01  Mark Lam  <mark.lam@apple.com>
432
433         Remove invalid assertion in DFG's compileDoubleRep().
434         https://bugs.webkit.org/show_bug.cgi?id=194130
435         <rdar://problem/47699474>
436
437         Reviewed by Saam Barati.
438
439         * stress/constant-fold-double-rep-into-double-constant.js: Added.
440
441 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
442
443         Import latest Test262 updates.
444
445         Rubber-stamped by Keith Miller.
446
447         * test262.yaml: Deleted.
448         * test262/config.yaml:
449         * test262/expectations.yaml:
450         * test262/latest-changes-summary.txt:
451         * test262/test/:
452         * test262/test262-Revision.txt:
453
454 2019-01-30  Robin Morisset  <rmorisset@apple.com>
455
456         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
457         https://bugs.webkit.org/show_bug.cgi?id=194050
458         <rdar://problem/47595592>
459
460         Reviewed by Yusuke Suzuki.
461
462         * stress/object-keys-osr-exit.js: Added.
463         (foo):
464         (catch):
465
466 2019-01-29  Mark Lam  <mark.lam@apple.com>
467
468         ValueRecovery::recover() should purify NaN values it recovers.
469         https://bugs.webkit.org/show_bug.cgi?id=193978
470         <rdar://problem/47625488>
471
472         Reviewed by Saam Barati.
473
474         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
475
476 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
479         https://bugs.webkit.org/show_bug.cgi?id=193713
480
481         * stress/try-get-by-id-should-spill-registers-dfg.js:
482         (let.f.createBuiltin):
483
484 2019-01-28  Mark Lam  <mark.lam@apple.com>
485
486         ToString node actually does GC.
487         https://bugs.webkit.org/show_bug.cgi?id=193920
488         <rdar://problem/46695900>
489
490         Reviewed by Yusuke Suzuki.
491
492         * stress/dfg-to-string-on-int-does-gc.js: Added.
493         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
494         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
495
496 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
497
498         [JSC] NativeErrorConstructor should not have own IsoSubspace
499         https://bugs.webkit.org/show_bug.cgi?id=193713
500
501         Reviewed by Saam Barati.
502
503         Remove @Error use.
504
505         * stress/try-get-by-id-should-spill-registers-dfg.js:
506         (let.f.createBuiltin):
507
508 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
509
510         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
511         https://bugs.webkit.org/show_bug.cgi?id=190693
512
513         Reviewed by Michael Saboff.
514
515         * stress/regress-190693.js: Added.
516         (truth):
517         (assert):
518         (shouldThrowInvalidConstAssignment):
519         (taz):
520
521 2019-01-24  Saam Barati  <sbarati@apple.com>
522
523         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
524         https://bugs.webkit.org/show_bug.cgi?id=193751
525         <rdar://problem/47280215>
526
527         Reviewed by Michael Saboff.
528
529         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
530         (let.thing):
531         (foo.let.hello):
532         (foo):
533
534 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
535
536         [JSC] Reenable baseline JIT on mips
537         https://bugs.webkit.org/show_bug.cgi?id=192983
538
539         Reviewed by Mark Lam.
540
541         Added a new test for a case that was triggering a RELEASE_ASSERT when
542         testing.
543         Disable some slow tests that were already disabled for arm and x86.
544
545         * stress/json-parse-big-object.js: Added.
546         * stress/new-largeish-contiguous-array-with-size.js:
547         * stress/op_add.js:
548         * stress/op_bitand.js:
549         * stress/op_bitor.js:
550         * stress/op_bitxor.js:
551         * stress/op_lshift-ConstVar.js:
552         * stress/op_lshift-VarConst.js:
553         * stress/op_lshift-VarVar.js:
554         * stress/op_mod-ConstVar.js:
555         * stress/op_mod-VarConst.js:
556         * stress/op_mod-VarVar.js:
557         * stress/op_mul-ConstVar.js:
558         * stress/op_mul-VarConst.js:
559         * stress/op_mul-VarVar.js:
560         * stress/op_rshift-ConstVar.js:
561         * stress/op_rshift-VarConst.js:
562         * stress/op_rshift-VarVar.js:
563         * stress/op_sub-ConstVar.js:
564         * stress/op_sub-VarConst.js:
565         * stress/op_sub-VarVar.js:
566         * stress/op_urshift-ConstVar.js:
567         * stress/op_urshift-VarConst.js:
568         * stress/op_urshift-VarVar.js:
569         * stress/sampling-profiler-richards.js:
570         * stress/spread-forward-call-varargs-stack-overflow.js:
571
572 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
573
574         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
575         https://bugs.webkit.org/show_bug.cgi?id=193711
576         <rdar://problem/47250262>
577
578         Reviewed by Saam Barati.
579
580         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
581         (shouldBe):
582         (foo):
583         (bar):
584         (baz):
585
586 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
587
588         Unreviewed, fix initial global lexical binding epoch
589         https://bugs.webkit.org/show_bug.cgi?id=193603
590         <rdar://problem/47380869>
591
592         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
593         (f1.f2.f3.f4):
594         (f1.f2.f3):
595         (f1.f2):
596         (f1):
597
598 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
599
600         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
601         https://bugs.webkit.org/show_bug.cgi?id=193709
602         <rdar://problem/47363838>
603
604         Unreviewed, rollout to watch the tests.
605
606         * stress/object-tostring-changed-proto.js: Removed.
607         * stress/object-tostring-changed.js: Removed.
608         * stress/object-tostring-misc.js: Removed.
609         * stress/object-tostring-other.js: Removed.
610         * stress/object-tostring-untyped.js: Removed.
611
612 2019-01-22  Saam Barati  <sbarati@apple.com>
613
614         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
615
616         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
617         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
618         (testUncheckedLessThanZero):
619         (testUncheckedLessThanOrEqualZero):
620         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
621         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
622
623 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
624
625         [JSC] Invalidate old scope operations using global lexical binding epoch
626         https://bugs.webkit.org/show_bug.cgi?id=193603
627         <rdar://problem/47380869>
628
629         Reviewed by Saam Barati.
630
631         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
632         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
633         (shouldThrow):
634         (bar):
635         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
636         (shouldBe):
637         (get1):
638         (get2):
639         (get1If):
640         (get2If):
641         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
642         (shouldThrow):
643         (foo):
644
645 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
646
647         Unreviewed, roll out r240220 due to date-format-xparb regression
648         https://bugs.webkit.org/show_bug.cgi?id=193603
649
650         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
651         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
652         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
653         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
654
655 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
656
657         DoesGC rule is wrong for nodes with BigIntUse
658         https://bugs.webkit.org/show_bug.cgi?id=193652
659
660         Reviewed by Saam Barati.
661
662         * stress/big-int-value-op-update-gc-rules.js: Added.
663         (assert):
664         (doesGCAdd):
665         (doesGCSub):
666         (doesGCDiv):
667         (doesGCMul):
668         (doesGCBitAnd):
669         (doesGCBitOr):
670         (doesGCBitXor):
671
672 2019-01-20  Saam Barati  <sbarati@apple.com>
673
674         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
675         https://bugs.webkit.org/show_bug.cgi?id=193644
676         <rdar://problem/46209745>
677
678         Reviewed by Yusuke Suzuki.
679
680         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
681         (foo):
682         * stress/data-view-set-intrinsic-undefined-result.js: Added.
683         (foo):
684         (bar):
685
686 2019-01-20  Saam Barati  <sbarati@apple.com>
687
688         MovHint must merge NodeBytecodeUsesAsValue for its child
689         https://bugs.webkit.org/show_bug.cgi?id=186916
690         <rdar://problem/41396612>
691
692         Reviewed by Yusuke Suzuki.
693
694         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
695         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
696
697 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
698
699         [JSC] Invalidate old scope operations using global lexical binding epoch
700         https://bugs.webkit.org/show_bug.cgi?id=193603
701         <rdar://problem/47380869>
702
703         Reviewed by Saam Barati.
704
705         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
706         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
707         (shouldThrow):
708         (bar):
709         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
710         (shouldBe):
711         (get1):
712         (get2):
713         (get1If):
714         (get2If):
715         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
716         (shouldThrow):
717         (foo):
718
719 2019-01-17  Saam barati  <sbarati@apple.com>
720
721         StringObjectUse should not be a structure check for the original string object structure
722         https://bugs.webkit.org/show_bug.cgi?id=193483
723         <rdar://problem/47280522>
724
725         Reviewed by Yusuke Suzuki.
726
727         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
728         (foo):
729         (a.valueOf.0):
730
731 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
732
733         [JSC] ToThis omission in DFGByteCodeParser is wrong
734         https://bugs.webkit.org/show_bug.cgi?id=193513
735         <rdar://problem/45842236>
736
737         Reviewed by Saam Barati.
738
739         * stress/to-this-omission-with-different-strict-modes.js: Added.
740         (thisA):
741         (thisAStrictWrapper):
742
743 2019-01-15  Mark Lam  <mark.lam@apple.com>
744
745         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
746         https://bugs.webkit.org/show_bug.cgi?id=193423
747         <rdar://problem/46209355>
748
749         Reviewed by Saam Barati.
750
751         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
752         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
753         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
754         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
755
756 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
757
758         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
759         https://bugs.webkit.org/show_bug.cgi?id=193438
760         <rdar://problem/45581249>
761
762         Reviewed by Saam Barati and Keith Miller.
763
764         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
765         Then, GetByVal(String) crashed.
766
767         * stress/string-get-by-val-lowering.js: Added.
768         (shouldBe):
769         (test):
770         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
771         (Hello):
772         (foo):
773
774 2019-01-15  Tomas Popela  <tpopela@redhat.com>
775
776         Unreviewed, skip JIT tests if it's not enabled
777
778         * stress/bit-op-with-object-returning-int32.js:
779
780 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
781
782         DFGByteCodeParser rules for bitwise operations should consider type of their operands
783         https://bugs.webkit.org/show_bug.cgi?id=192966
784
785         Reviewed by Yusuke Suzuki.
786
787         * stress/bit-op-with-object-returning-int32.js: Added.
788
789 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
790
791         Skip a slow test and a flakey test on arm
792
793         Unreviewed gardening.
794
795         * typeProfiler/getter-richards.js:
796         this test always times out, it used to be always skipped on arm and
797         mips, but got accidentally enabled by r237919 now that we have DFG on
798         arm. Also skipping on mips as we plan to soon enable DFG for it too.
799
800 2019-01-14  Keith Miller  <keith_miller@apple.com>
801
802         Skip type-check-hoisting-phase-hoist... with no jit
803         https://bugs.webkit.org/show_bug.cgi?id=193421
804
805         Reviewed by Mark Lam.
806
807         It's timing out the 32-bit bots and takes 330 seconds
808         on my machine when run by itself.
809
810         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
811
812 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
813
814         [JSC] AI should check the given constant's array type when folding GetByVal into constant
815         https://bugs.webkit.org/show_bug.cgi?id=193413
816         <rdar://problem/46092389>
817
818         Reviewed by Keith Miller.
819
820         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
821         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
822         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
823         but GetByVal does not have appropriate ArrayModes, JSC crashes.
824
825         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
826         (compareArray):
827
828 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
829
830         [BigInt] Literal parsing is crashing when used inside a Object Literal
831         https://bugs.webkit.org/show_bug.cgi?id=193404
832
833         Reviewed by Yusuke Suzuki.
834
835         * stress/big-int-literal-inside-literal-object.js: Added.
836
837 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
838
839         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
840         https://bugs.webkit.org/show_bug.cgi?id=193372
841
842         Reviewed by Saam Barati.
843
844         * stress/typed-array-array-modes-profile.js: Added.
845         (foo):
846
847 2019-01-14  Mark Lam  <mark.lam@apple.com>
848
849         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
850         https://bugs.webkit.org/show_bug.cgi?id=193402
851         <rdar://problem/46012309>
852
853         Reviewed by Keith Miller.
854
855         * stress/regexp-compile-oom.js:
856         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
857           is enabled.  As a result, it will fail on cloop builds though there is no bug.
858
859 2019-01-11  Saam barati  <sbarati@apple.com>
860
861         DFG combined liveness can be wrong for terminal basic blocks
862         https://bugs.webkit.org/show_bug.cgi?id=193304
863         <rdar://problem/45268632>
864
865         Reviewed by Yusuke Suzuki.
866
867         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
868
869 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
870
871         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
872         https://bugs.webkit.org/show_bug.cgi?id=193308
873         <rdar://problem/45546542>
874
875         Reviewed by Saam Barati.
876
877         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
878         (shouldThrow):
879         (shouldBe):
880         (foo):
881         (get shouldThrow):
882         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
883         (shouldThrow):
884         (shouldBe):
885         (foo):
886         (get shouldBe):
887         (get shouldThrow):
888         (get return):
889         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
890         (shouldThrow):
891         (shouldBe):
892         (foo):
893         (get shouldBe):
894         (get shouldThrow):
895         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
896         (shouldThrow):
897         (shouldBe):
898         (foo):
899         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
900         (shouldThrow):
901         (shouldBe):
902         (foo):
903         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
904         (shouldThrow):
905         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
906         (shouldThrow):
907         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
908         (shouldThrow):
909         (shouldBe):
910         (foo):
911         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
912         (shouldThrow):
913         (shouldBe):
914         (foo):
915         (get shouldBe):
916         (get shouldThrow):
917         (get return):
918         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
919         (shouldThrow):
920         (shouldBe):
921         (foo):
922         (get shouldBe):
923         (get shouldThrow):
924         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
925         (shouldThrow):
926         (shouldBe):
927         (foo):
928         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
929         (shouldThrow):
930         (shouldBe):
931         (foo):
932
933 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
934
935         Enable DFG on ARM/Linux again
936         https://bugs.webkit.org/show_bug.cgi?id=192496
937
938         Reviewed by Yusuke Suzuki.
939
940         Test wasn't really skipped before moving the line with skip
941         to the top.
942
943         * stress/regress-192717.js:
944
945 2019-01-10  Commit Queue  <commit-queue@webkit.org>
946
947         Unreviewed, rolling out r239825.
948         https://bugs.webkit.org/show_bug.cgi?id=193330
949
950         Broke tests on armv7/linux bots (Requested by guijemont on
951         #webkit).
952
953         Reverted changeset:
954
955         "Enable DFG on ARM/Linux again"
956         https://bugs.webkit.org/show_bug.cgi?id=192496
957         https://trac.webkit.org/changeset/239825
958
959 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
960
961         Enable DFG on ARM/Linux again
962         https://bugs.webkit.org/show_bug.cgi?id=192496
963
964         Reviewed by Yusuke Suzuki.
965
966         Test wasn't really skipped before moving the line with skip
967         to the top.
968
969         * stress/regress-192717.js:
970
971 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
972
973         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
974         https://bugs.webkit.org/show_bug.cgi?id=193127
975
976         Reviewed by Saam Barati.
977
978         * stress/array-species-create-should-handle-masquerader.js: Added.
979         (shouldThrow):
980         * stress/is-undefined-or-null-builtin.js: Added.
981         (shouldBe):
982         (isUndefinedOrNull.vm.createBuiltin):
983
984 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
985
986         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
987         https://bugs.webkit.org/show_bug.cgi?id=193221
988
989         Reviewed by Mark Lam.
990
991         * stress/put-by-id-flags.js: Added.
992         (f):
993         (g):
994         (numberOfDFGCompiles):
995
996 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
997
998         Baseline version of get_by_id may corrupt metadata
999         https://bugs.webkit.org/show_bug.cgi?id=193085
1000         <rdar://problem/23453006>
1001
1002         Reviewed by Saam Barati.
1003
1004         * stress/get-by-id-change-mode.js: Added.
1005         (forEach):
1006
1007 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1008
1009         [JSC] Optimize Object.prototype.toString
1010         https://bugs.webkit.org/show_bug.cgi?id=193031
1011
1012         Reviewed by Saam Barati.
1013
1014         * stress/object-tostring-changed-proto.js: Added.
1015         (shouldBe):
1016         (test):
1017         * stress/object-tostring-changed.js: Added.
1018         (shouldBe):
1019         (test):
1020         * stress/object-tostring-misc.js: Added.
1021         (shouldBe):
1022         (test):
1023         (i.switch):
1024         * stress/object-tostring-other.js: Added.
1025         (shouldBe):
1026         (test):
1027         * stress/object-tostring-untyped.js: Added.
1028         (shouldBe):
1029         (test):
1030         (i.switch):
1031
1032 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1033
1034         test262-runner misbehaves when test file YAML has a trailing space
1035         https://bugs.webkit.org/show_bug.cgi?id=193053
1036
1037         Reviewed by Yusuke Suzuki.
1038
1039         * test262/expectations.yaml:
1040         Mark two dozen tests as passing (and correct the output of another).
1041
1042 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1043
1044         Unreviewed, JSTests gardening with memoryLimited
1045
1046         * stress/string-overflow-createError.js:
1047
1048 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1049
1050         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1051         https://bugs.webkit.org/show_bug.cgi?id=193050
1052
1053         Reviewed by Yusuke Suzuki.
1054
1055         * test262.yaml:
1056         * test262/expectations.yaml:
1057         Mark 16 tests as passing.
1058
1059 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1060
1061         [BigInt] Support BigInt in JSON.stringify
1062         https://bugs.webkit.org/show_bug.cgi?id=192624
1063
1064         Reviewed by Saam Barati.
1065
1066         * stress/big-int-json-stringify-to-json.js: Added.
1067         (shouldBe):
1068         (shouldThrow):
1069         (BigInt.prototype.toJSON):
1070         (shouldBe.JSON.stringify):
1071         * stress/big-int-json-stringify.js: Added.
1072         (shouldBe):
1073         (shouldThrow):
1074
1075 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1076
1077         [JSC] Implement "well-formed JSON.stringify" proposal
1078         https://bugs.webkit.org/show_bug.cgi?id=191677
1079
1080         Reviewed by Darin Adler.
1081
1082         * stress/json-surrogate-pair.js: Added.
1083         (shouldBe):
1084         * test262/expectations.yaml:
1085
1086 2018-12-20  Keith Miller  <keith_miller@apple.com>
1087
1088         Add support for globalThis
1089         https://bugs.webkit.org/show_bug.cgi?id=165171
1090
1091         Reviewed by Mark Lam.
1092
1093         * test262/config.yaml:
1094
1095 2018-12-19  Keith Miller  <keith_miller@apple.com>
1096
1097         Update test262 configuration to not run tests dependent on ICU version.
1098         https://bugs.webkit.org/show_bug.cgi?id=192920
1099
1100         Reviewed by Saam Barati.
1101
1102         * test262/expectations.yaml:
1103
1104 2018-12-20  Mark Lam  <mark.lam@apple.com>
1105
1106         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1107         https://bugs.webkit.org/show_bug.cgi?id=192939
1108         <rdar://problem/46869516>
1109
1110         Reviewed by Keith Miller.
1111
1112         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1113
1114 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1115
1116         WTF::String and StringImpl overflow MaxLength
1117         https://bugs.webkit.org/show_bug.cgi?id=192853
1118         <rdar://problem/45726906>
1119
1120         Reviewed by Mark Lam.
1121
1122         * stress/string-16bit-repeat-overflow.js: Added.
1123         (catch):
1124
1125 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1126
1127         Unreviewed follow-up to r192914.
1128
1129         * test262/expectations.yaml:
1130         Add the last 20 missing expectations.
1131
1132 2018-12-19  Keith Miller  <keith_miller@apple.com>
1133
1134         Fix test262 expectations
1135         https://bugs.webkit.org/show_bug.cgi?id=192914
1136
1137         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1138
1139         * test262/expectations.yaml:
1140
1141 2018-12-19  Keith Miller  <keith_miller@apple.com>
1142
1143         Update test262 tests.
1144         https://bugs.webkit.org/show_bug.cgi?id=192907
1145
1146         Rubber stamped by Mark Lam.
1147
1148         * test262/*: Omitted because prepare-changelog crashes.
1149
1150 2018-12-19  Mark Lam  <mark.lam@apple.com>
1151
1152         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1153         https://bugs.webkit.org/show_bug.cgi?id=192464
1154         <rdar://problem/46519455>
1155
1156         Reviewed by Saam Barati.
1157
1158         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1159         microbenchmark.
1160
1161         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1162         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1163
1164 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1165
1166         String overflow in JSC::createError results in ASSERT in WTF::makeString
1167         https://bugs.webkit.org/show_bug.cgi?id=192833
1168         <rdar://problem/45706868>
1169
1170         Reviewed by Mark Lam.
1171
1172         * stress/string-overflow-createError.js: Added.
1173
1174 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1175
1176         Error message for `-x ** y` contains a typo.
1177         https://bugs.webkit.org/show_bug.cgi?id=192832
1178
1179         Reviewed by Saam Barati.
1180
1181         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1182         (assert.assert.return.throws):
1183         * stress/pow-expects-update-expression-on-lhs.js:
1184         (throw.new.Error):
1185         Update test expectations which match against the exact error message.
1186
1187 2018-12-18  Mark Lam  <mark.lam@apple.com>
1188
1189         Gardening: test options fix.
1190         https://bugs.webkit.org/show_bug.cgi?id=192822
1191
1192         Unreviewed.
1193
1194         * stress/json-stringify-string-builder-overflow.js:
1195
1196 2018-12-18  Mark Lam  <mark.lam@apple.com>
1197
1198         JSON.stringify() should throw OOM on StringBuilder overflows.
1199         https://bugs.webkit.org/show_bug.cgi?id=192822
1200         <rdar://problem/46670577>
1201
1202         Reviewed by Saam Barati.
1203
1204         * stress/json-stringify-string-builder-overflow.js: Added.
1205
1206 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1207
1208         Redeclaration of var over let/const/class should be a syntax error.
1209         https://bugs.webkit.org/show_bug.cgi?id=192298
1210
1211         Reviewed by Keith Miller.
1212
1213         * test262.yaml:
1214         * test262/expectations.yaml:
1215         Mark 46 tests as passing.
1216
1217         * stress/block-scope-redeclarations.js:
1218         Add some new tests.
1219
1220         * stress/for-in-invalidate-context-weird-assignments.js:
1221         * stress/for-in-tests.js:
1222         Replace tests for outdated behavior with tests for SyntaxError.
1223
1224         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1225         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1226         Update expectations.
1227
1228 2018-12-18  Mark Lam  <mark.lam@apple.com>
1229
1230         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1231         https://bugs.webkit.org/show_bug.cgi?id=191374
1232         <rdar://problem/46525447>
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1237
1238         * stress/elidable-new-object-roflcopter-then-exit.js:
1239
1240 2018-12-17  Mark Lam  <mark.lam@apple.com>
1241
1242         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1243         https://bugs.webkit.org/show_bug.cgi?id=192019
1244         <rdar://problem/46525456>
1245
1246         Reviewed by Yusuke Suzuki.
1247
1248         The test runs too slow on 32-bit.
1249
1250         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1251
1252 2018-12-17  Mark Lam  <mark.lam@apple.com>
1253
1254         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1255         https://bugs.webkit.org/show_bug.cgi?id=191373
1256         <rdar://problem/46525458>
1257
1258         Reviewed by Yusuke Suzuki.
1259
1260         The test is already slow running with a JIT on 64-bit.  It will always timeout
1261         on 32-bit without a JIT.
1262
1263         * stress/materialize-regexp-cyclic-regexp.js:
1264
1265 2018-12-17  Mark Lam  <mark.lam@apple.com>
1266
1267         Array unshift/shift should not race against the AI in the compiler thread.
1268         https://bugs.webkit.org/show_bug.cgi?id=192795
1269         <rdar://problem/46724263>
1270
1271         Reviewed by Saam Barati.
1272
1273         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1274
1275 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1276
1277         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1278         https://bugs.webkit.org/show_bug.cgi?id=190047
1279
1280         Reviewed by Saam Barati.
1281
1282         * stress/object-keys-cached-zero.js: Added.
1283         (shouldBe):
1284         (test):
1285         * stress/object-keys-changed-attribute.js: Added.
1286         (shouldBe):
1287         (test):
1288         * stress/object-keys-changed-index.js: Added.
1289         (shouldBe):
1290         (test):
1291         * stress/object-keys-changed.js: Added.
1292         (shouldBe):
1293         (test):
1294         * stress/object-keys-indexed-non-cache.js: Added.
1295         (shouldBe):
1296         (test):
1297         * stress/object-keys-overrides-get-property-names.js: Added.
1298         (shouldBe):
1299         (test):
1300         (noInline):
1301
1302 2018-12-17  Mark Lam  <mark.lam@apple.com>
1303
1304         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1305         https://bugs.webkit.org/show_bug.cgi?id=192779
1306         <rdar://problem/46775869>
1307
1308         Reviewed by Saam Barati.
1309
1310         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1311
1312 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1313
1314         Unreviewed test gardening, address a syntax error in a new test.
1315
1316         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1317
1318 2018-12-17  Mark Lam  <mark.lam@apple.com>
1319
1320         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1321         https://bugs.webkit.org/show_bug.cgi?id=192776
1322         <rdar://problem/46772368>
1323
1324         Reviewed by Keith Miller.
1325
1326         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1327
1328 2018-12-17  Mark Lam  <mark.lam@apple.com>
1329
1330         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1331         https://bugs.webkit.org/show_bug.cgi?id=192770
1332         <rdar://problem/46449037>
1333
1334         Reviewed by Keith Miller.
1335
1336         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1337
1338 2018-12-14  Mark Lam  <mark.lam@apple.com>
1339
1340         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1341         https://bugs.webkit.org/show_bug.cgi?id=192717
1342         <rdar://problem/46660677>
1343
1344         Reviewed by Saam Barati.
1345
1346         * stress/regress-192717.js: Added.
1347
1348 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1349
1350         Unreviewed, rolling out r239153, r239154, and r239155.
1351         https://bugs.webkit.org/show_bug.cgi?id=192715
1352
1353         Caused flaky GC-related crashes seen with layout tests
1354         (Requested by ryanhaddad on #webkit).
1355
1356         Reverted changesets:
1357
1358         "[JSC] Optimize Object.keys by caching own keys results in
1359         StructureRareData"
1360         https://bugs.webkit.org/show_bug.cgi?id=190047
1361         https://trac.webkit.org/changeset/239153
1362
1363         "Unreviewed, build fix after r239153"
1364         https://bugs.webkit.org/show_bug.cgi?id=190047
1365         https://trac.webkit.org/changeset/239154
1366
1367         "Unreviewed, build fix after r239153, part 2"
1368         https://bugs.webkit.org/show_bug.cgi?id=190047
1369         https://trac.webkit.org/changeset/239155
1370
1371 2018-12-14  Keith Miller  <keith_miller@apple.com>
1372
1373         Callers of JSString::getIndex should check for OOM exceptions
1374         https://bugs.webkit.org/show_bug.cgi?id=192709
1375
1376         Reviewed by Mark Lam.
1377
1378         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1379
1380 2018-12-13  Mark Lam  <mark.lam@apple.com>
1381
1382         Add a missing exception check.
1383         https://bugs.webkit.org/show_bug.cgi?id=192626
1384         <rdar://problem/46662163>
1385
1386         Reviewed by Keith Miller.
1387
1388         * stress/regress-192626.js: Added.
1389
1390 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1391
1392         [BigInt] Add ValueDiv into DFG
1393         https://bugs.webkit.org/show_bug.cgi?id=186178
1394
1395         Reviewed by Yusuke Suzuki.
1396
1397         * stress/big-int-div-jit-osr.js: Added.
1398         * stress/big-int-div-jit-untyped.js: Added.
1399         * stress/value-div-fixup-int32-big-int.js: Added.
1400
1401 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1402
1403         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1404         https://bugs.webkit.org/show_bug.cgi?id=190047
1405
1406         Reviewed by Keith Miller.
1407
1408         * stress/object-keys-cached-zero.js: Added.
1409         (shouldBe):
1410         (test):
1411         * stress/object-keys-changed-attribute.js: Added.
1412         (shouldBe):
1413         (test):
1414         * stress/object-keys-changed-index.js: Added.
1415         (shouldBe):
1416         (test):
1417         * stress/object-keys-changed.js: Added.
1418         (shouldBe):
1419         (test):
1420         * stress/object-keys-indexed-non-cache.js: Added.
1421         (shouldBe):
1422         (test):
1423         * stress/object-keys-overrides-get-property-names.js: Added.
1424         (shouldBe):
1425         (test):
1426         (noInline):
1427
1428 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1429
1430         [DFG][FTL] Add NewSymbol
1431         https://bugs.webkit.org/show_bug.cgi?id=192620
1432
1433         Reviewed by Saam Barati.
1434
1435         * microbenchmarks/symbol-creation.js: Added.
1436         (test):
1437         * stress/symbol-description-identity.js: Added.
1438         (shouldBe):
1439         (test):
1440         * stress/symbol-identity.js: Added.
1441         (shouldBe):
1442         (test):
1443         * stress/symbol-with-description-throw-error.js: Added.
1444         (shouldBe):
1445         (shouldThrow):
1446         (test):
1447         (object.toString):
1448
1449 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1450
1451         [BigInt] Implement DFG/FTL typeof for BigInt
1452         https://bugs.webkit.org/show_bug.cgi?id=192619
1453
1454         Reviewed by Keith Miller.
1455
1456         * stress/big-int-boolean-proven-type.js: Added.
1457         (assert):
1458         (bool):
1459         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1460         (assert):
1461         (typeOf):
1462         (i.switch):
1463         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1464         (assert):
1465         (typeOf):
1466         * stress/big-int-type-of.js:
1467         (typeOf):
1468         (func):
1469
1470 2018-12-10  Mark Lam  <mark.lam@apple.com>
1471
1472         PropertyAttribute needs a CustomValue bit.
1473         https://bugs.webkit.org/show_bug.cgi?id=191993
1474         <rdar://problem/46264467>
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/regress-191993.js: Added.
1479
1480 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1481
1482         [BigInt] Add ValueMul into DFG
1483         https://bugs.webkit.org/show_bug.cgi?id=186175
1484
1485         Reviewed by Yusuke Suzuki.
1486
1487         * stress/big-int-mul-jit-osr.js: Added.
1488         * stress/big-int-mul-jit-untyped.js: Added.
1489         * stress/value-mul-fixup-int32-big-int.js: Added.
1490
1491 2018-12-06  Keith Miller  <keith_miller@apple.com>
1492
1493         stress/big-wasm-memory tests failing on 32-bit JSC bot
1494         https://bugs.webkit.org/show_bug.cgi?id=192020
1495
1496         Reviewed by Saam Barati.
1497
1498         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1499         the wasm stress tests if the WebAssembly object does not exist.
1500
1501         * stress/big-wasm-memory-grow-no-max.js:
1502         (test.foo):
1503         (test):
1504         (foo): Deleted.
1505         (catch): Deleted.
1506         * stress/big-wasm-memory-grow.js:
1507         (test.foo):
1508         (test):
1509         (foo): Deleted.
1510         (catch): Deleted.
1511         * stress/big-wasm-memory.js:
1512         (test.foo):
1513         (test):
1514         (foo): Deleted.
1515         (catch): Deleted.
1516
1517 2018-12-05  Mark Lam  <mark.lam@apple.com>
1518
1519         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1520         https://bugs.webkit.org/show_bug.cgi?id=192441
1521         <rdar://problem/46480355>
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/regress-192441.js: Added.
1526
1527 2018-12-04  Mark Lam  <mark.lam@apple.com>
1528
1529         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1530         https://bugs.webkit.org/show_bug.cgi?id=192386
1531         <rdar://problem/46445516>
1532
1533         Reviewed by Saam Barati.
1534
1535         * stress/regress-192386.js: Added.
1536
1537 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1538
1539         [ESNext][BigInt] Support logic operations
1540         https://bugs.webkit.org/show_bug.cgi?id=179903
1541
1542         Reviewed by Yusuke Suzuki.
1543
1544         * stress/big-int-branch-usage.js: Added.
1545         * stress/big-int-logical-and.js: Added.
1546         * stress/big-int-logical-not.js: Added.
1547         * stress/big-int-logical-or.js: Added.
1548
1549 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1550
1551         Unreviewed, rolling out r238833.
1552
1553         Breaks macOS and iOS debug builds.
1554
1555         Reverted changeset:
1556
1557         "[ESNext][BigInt] Support logic operations"
1558         https://bugs.webkit.org/show_bug.cgi?id=179903
1559         https://trac.webkit.org/changeset/238833
1560
1561 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1562
1563         [ESNext][BigInt] Support logic operations
1564         https://bugs.webkit.org/show_bug.cgi?id=179903
1565
1566         Reviewed by Yusuke Suzuki.
1567
1568         * stress/big-int-branch-usage.js: Added.
1569         * stress/big-int-logical-and.js: Added.
1570         * stress/big-int-logical-not.js: Added.
1571         * stress/big-int-logical-or.js: Added.
1572
1573 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1574
1575         [ESNext][BigInt] Implement support for "<<" and ">>"
1576         https://bugs.webkit.org/show_bug.cgi?id=186233
1577
1578         Reviewed by Yusuke Suzuki.
1579
1580         * stress/big-int-left-shift-general.js: Added.
1581         * stress/big-int-left-shift-range-error.js: Added.
1582         * stress/big-int-left-shift-type-error.js: Added.
1583         * stress/big-int-left-shift-wrapped-value.js: Added.
1584         * stress/big-int-right-shift-general.js: Added.
1585         * stress/big-int-right-shift-type-error.js: Added.
1586         * stress/big-int-right-shift-wrapped-value.js: Added.
1587         * stress/left-shift-to-primitive-precedence.js: Added.
1588         * stress/right-shift-to-primitive-precedence.js: Added.
1589
1590 2018-11-30  Dean Jackson  <dino@apple.com>
1591
1592         Add first-class support for .mjs files in jsc binary
1593         https://bugs.webkit.org/show_bug.cgi?id=192190
1594         <rdar://problem/46375715>
1595
1596         Reviewed by Keith Miller.
1597
1598         * stress/simple-module.mjs: Added.
1599         * stress/simple-script.js: Added.
1600
1601 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1602
1603         [BigInt] Implement ValueBitXor into DFG
1604         https://bugs.webkit.org/show_bug.cgi?id=190264
1605
1606         Reviewed by Yusuke Suzuki.
1607
1608         * stress/big-int-bitwise-xor-jit.js: Added.
1609         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1610         * stress/big-int-bitwise-xor-untyped.js: Added.
1611
1612 2018-11-27  Saam barati  <sbarati@apple.com>
1613
1614         r238510 broke scopes of size zero
1615         https://bugs.webkit.org/show_bug.cgi?id=192033
1616         <rdar://problem/46281734>
1617
1618         Reviewed by Keith Miller.
1619
1620         * stress/r238510-bad-loop.js: Added.
1621         (foo):
1622
1623 2018-11-27  Mark Lam  <mark.lam@apple.com>
1624
1625         [Re-landing] NaNs read from Wasm code needs to be be purified.
1626         https://bugs.webkit.org/show_bug.cgi?id=191056
1627         <rdar://problem/45660341>
1628
1629         Reviewed by Filip Pizlo.
1630
1631         * wasm/regress/regress-191056.js: Added.
1632
1633 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1634
1635         Unreviewed, rolling out r238509.
1636
1637         Causes JSC tests to fail on iOS.
1638
1639         Reverted changeset:
1640
1641         "NaNs read from Wasm code needs to be be purified."
1642         https://bugs.webkit.org/show_bug.cgi?id=191056
1643         https://trac.webkit.org/changeset/238509
1644
1645 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1646
1647         Re-introduce op_bitnot
1648         https://bugs.webkit.org/show_bug.cgi?id=190923
1649
1650         Reviewed by Yusuke Suzuki.
1651
1652         * stress/bit-not-must-generate.js: Added.
1653         * stress/bitwise-not-no-int32.js: Added.
1654
1655 2018-11-26  Saam barati  <sbarati@apple.com>
1656
1657         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1658         https://bugs.webkit.org/show_bug.cgi?id=191956
1659         <rdar://problem/45665806>
1660
1661         Reviewed by Yusuke Suzuki.
1662
1663         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1664         (bar):
1665         (foo):
1666
1667 2018-11-26  Saam barati  <sbarati@apple.com>
1668
1669         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1670         https://bugs.webkit.org/show_bug.cgi?id=191958
1671         <rdar://problem/46221877>
1672
1673         Reviewed by Yusuke Suzuki.
1674
1675         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1676         (x):
1677         (foo):
1678
1679 2018-11-26  Mark Lam  <mark.lam@apple.com>
1680
1681         NaNs read from Wasm code needs to be be purified.
1682         https://bugs.webkit.org/show_bug.cgi?id=191056
1683         <rdar://problem/45660341>
1684
1685         Reviewed by Filip Pizlo.
1686
1687         * wasm/regress/regress-191056.js: Added.
1688
1689 2018-11-26  Michael Saboff  <msaboff@apple.com>
1690
1691         32-bit JSC test failure: stress/regexp-compile-oom.js
1692         https://bugs.webkit.org/show_bug.cgi?id=191375
1693
1694         Reviewed by Mark Lam.
1695
1696         Disabled the test for 32 bit platforms.
1697
1698         * stress/regexp-compile-oom.js:
1699
1700 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1701
1702         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1703         https://bugs.webkit.org/show_bug.cgi?id=191716
1704         <rdar://problem/45723878>
1705
1706         Reviewed by Saam Barati.
1707
1708         * stress/regress-187373.js: Added.
1709         (async.fn):
1710
1711 2018-11-21  Saam barati  <sbarati@apple.com>
1712
1713         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1714         https://bugs.webkit.org/show_bug.cgi?id=191897
1715         <rdar://problem/45871998>
1716
1717         Reviewed by Mark Lam.
1718
1719         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1720         (bar):
1721         (foo):
1722
1723 2018-11-21  Saam barati  <sbarati@apple.com>
1724
1725         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1726         https://bugs.webkit.org/show_bug.cgi?id=191895
1727         <rdar://problem/46167406>
1728
1729         Reviewed by Mark Lam.
1730
1731         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1732         (foo):
1733         (bar):
1734
1735 2018-11-21  Mark Lam  <mark.lam@apple.com>
1736
1737         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1738         https://bugs.webkit.org/show_bug.cgi?id=191776
1739         <rdar://problem/46152851>
1740
1741         Reviewed by Saam Barati.
1742
1743         * stress/big-wasm-memory-grow-no-max.js:
1744         * stress/big-wasm-memory-grow.js:
1745         * stress/big-wasm-memory.js:
1746         - updated these to expect an OutOfMemoryError.
1747
1748         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1749         (Binary.prototype.emit_u8):
1750         (Binary.prototype.emit_u32v):
1751         (Binary.prototype.emit_header):
1752         (Binary.prototype.emit_section):
1753         (Binary):
1754         (WasmModuleBuilder):
1755         (WasmModuleBuilder.prototype.addMemory):
1756         (WasmModuleBuilder.prototype.toArray):
1757         (WasmModuleBuilder.prototype.toBuffer):
1758         (WasmModuleBuilder.prototype.instantiate):
1759         (catch):
1760         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1761         (catch):
1762
1763 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1764
1765         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1766         https://bugs.webkit.org/show_bug.cgi?id=190836
1767
1768         Reviewed by Saam Barati and Yusuke Suzuki.
1769
1770         * stress/big-int-out-of-memory-tests.js: Added.
1771
1772 2018-11-20  Mark Lam  <mark.lam@apple.com>
1773
1774         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1775         https://bugs.webkit.org/show_bug.cgi?id=191856
1776         <rdar://problem/46089992>
1777
1778         Reviewed by Yusuke Suzuki.
1779
1780         * stress/regress-191856.js: Added.
1781         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1782
1783 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1784
1785         Enable JIT on ARM/Linux
1786         https://bugs.webkit.org/show_bug.cgi?id=191548
1787
1788         Reviewed by Yusuke Suzuki.
1789
1790         Disable test on system with limited memory. Program was killed by
1791         the OS before the exception was thrown.
1792
1793         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1794
1795 2018-11-20  Saam barati  <sbarati@apple.com>
1796
1797         Merging an IC variant may lead to the IC status containing overlapping structure sets
1798         https://bugs.webkit.org/show_bug.cgi?id=191869
1799         <rdar://problem/45403453>
1800
1801         Reviewed by Mark Lam.
1802
1803         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1804
1805 2018-11-19  Mark Lam  <mark.lam@apple.com>
1806
1807         globalFuncImportModule() should return a promise when it clears exceptions.
1808         https://bugs.webkit.org/show_bug.cgi?id=191792
1809         <rdar://problem/46090763>
1810
1811         Reviewed by Michael Saboff.
1812
1813         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1814
1815 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1816
1817         Skip new memory-hungry tests on memory limited devices
1818
1819         Unreviewed gardening.
1820
1821         * stress/big-wasm-memory-grow-no-max.js:
1822         * stress/big-wasm-memory-grow.js:
1823         * stress/big-wasm-memory.js:
1824
1825 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1826
1827         Unreviewed, rolling in the rest of r237254
1828         https://bugs.webkit.org/show_bug.cgi?id=190340
1829
1830         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1831         * stress/function-cache-with-parameters-end-position.js: Added.
1832         (shouldBe):
1833         (shouldThrow):
1834         (i.anonymous):
1835         * stress/function-constructor-name.js: Added.
1836         (shouldBe):
1837         (GeneratorFunction):
1838         (AsyncFunction.async):
1839         (AsyncGeneratorFunction.async):
1840         (anonymous):
1841         (async.anonymous):
1842         * test262/expectations.yaml:
1843
1844 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1845
1846         All users of ArrayBuffer should agree on the same max size
1847         https://bugs.webkit.org/show_bug.cgi?id=191771
1848
1849         Reviewed by Mark Lam.
1850
1851         * stress/big-wasm-memory-grow-no-max.js: Added.
1852         (foo):
1853         (catch):
1854         * stress/big-wasm-memory-grow.js: Added.
1855         (foo):
1856         (catch):
1857         * stress/big-wasm-memory.js: Added.
1858         (foo):
1859         (catch):
1860
1861 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1862
1863         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1864         run for each JSC config since they're regression tests for runtime bugs.
1865
1866         * stress/json-stringified-overflow-2.js:
1867         * stress/json-stringified-overflow.js:
1868
1869 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1870
1871         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1872         config since they're regression tests for runtime bugs.
1873
1874         * stress/large-unshift-splice.js:
1875         * stress/regress-185888.js:
1876
1877 2018-11-16  Saam Barati  <sbarati@apple.com>
1878
1879         KnownCellUse should also have SpecCellCheck as its type filter
1880         https://bugs.webkit.org/show_bug.cgi?id=191729
1881         <rdar://problem/45872852>
1882
1883         Reviewed by Filip Pizlo.
1884
1885         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1886         (C):
1887
1888 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1889
1890         Fix assertion failure on BytecodeGenerator::recordOpcode
1891         https://bugs.webkit.org/show_bug.cgi?id=191724
1892         <rdar://problem/45724395>
1893
1894         Reviewed by Saam Barati.
1895
1896         * stress/regress-187373-2.js: Added.
1897         (foo):
1898
1899 2018-11-15  Mark Lam  <mark.lam@apple.com>
1900
1901         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1902         https://bugs.webkit.org/show_bug.cgi?id=191730
1903         <rdar://problem/46048517>
1904
1905         Reviewed by Saam Barati.
1906
1907         * stress/regress-187006.js: Removed.
1908           - this test is invalid because its sole purpose is to test for the non-spec
1909             compliant behavior that we just fixed.
1910
1911         * stress/regress-191730.js: Added.
1912
1913 2018-11-15  Mark Lam  <mark.lam@apple.com>
1914
1915         RegExp operations should not take fast patch if lastIndex is not numeric.
1916         https://bugs.webkit.org/show_bug.cgi?id=191731
1917         <rdar://problem/46017305>
1918
1919         Reviewed by Saam Barati.
1920
1921         * stress/regress-191731.js: Added.
1922
1923 2018-11-13  Saam Barati  <sbarati@apple.com>
1924
1925         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1926         https://bugs.webkit.org/show_bug.cgi?id=191600
1927
1928         Reviewed by Mark Lam.
1929
1930         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1931         (foo):
1932         (test):
1933         (bar):
1934
1935 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1936
1937         Unreviewed, rolling out r238132.
1938
1939         The test added with this change is timing out on Debug JSC
1940         bots.
1941
1942         Reverted changeset:
1943
1944         "[BigInt] JSBigInt::createWithLength should throw when length
1945         is greater than JSBigInt::maxLength"
1946         https://bugs.webkit.org/show_bug.cgi?id=190836
1947         https://trac.webkit.org/changeset/238132
1948
1949 2018-11-13  Mark Lam  <mark.lam@apple.com>
1950
1951         Add OOM detection to StringPrototype's substituteBackreferences().
1952         https://bugs.webkit.org/show_bug.cgi?id=191563
1953         <rdar://problem/45720428>
1954
1955         Reviewed by Saam Barati.
1956
1957         * stress/regress-191563.js: Added.
1958
1959 2018-11-13  Mark Lam  <mark.lam@apple.com>
1960
1961         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1962         https://bugs.webkit.org/show_bug.cgi?id=191579
1963         <rdar://problem/45942472>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/regress-191579.js: Added.
1968
1969 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1970
1971         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1972         https://bugs.webkit.org/show_bug.cgi?id=190836
1973
1974         Reviewed by Saam Barati.
1975
1976         * stress/big-int-out-of-memory-tests.js: Added.
1977
1978 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1979
1980         U+180E is no longer a whitespace character
1981         https://bugs.webkit.org/show_bug.cgi?id=191415
1982
1983         Reviewed by Saam Barati.
1984
1985         * ChakraCore/test/es5/regexSpace.baseline:
1986         * ChakraCore/test/es6/unicode_whitespace.js:
1987         Update tests to latest version.
1988         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1989
1990         * test262.yaml:
1991         * test262/config.yaml:
1992         * test262/expectations.yaml:
1993         Update expectations.
1994
1995 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1996
1997         [BigInt] Add support to BigInt into ValueAdd
1998         https://bugs.webkit.org/show_bug.cgi?id=186177
1999
2000         Reviewed by Keith Miller.
2001
2002         * stress/big-int-negate-jit.js:
2003         * stress/value-add-big-int-and-string.js: Added.
2004         * stress/value-add-big-int-prediction-propagation.js: Added.
2005         * stress/value-add-big-int-untyped.js: Added.
2006
2007 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2008
2009         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2010         https://bugs.webkit.org/show_bug.cgi?id=191184
2011
2012         Reviewed by Saam Barati.
2013
2014         Most tests were failing due to timeouts, since they are too slow to
2015         run on CLoop. The exceptions are:
2016
2017         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2018         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2019         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2020         to change the stack size since CLoop requires it to be page aligned.
2021
2022         * microbenchmarks/array-push-1.js:
2023         * microbenchmarks/array-push-2.js:
2024         * microbenchmarks/elidable-new-object-dag.js:
2025         * microbenchmarks/elidable-new-object-roflcopter.js:
2026         * microbenchmarks/elidable-new-object-tree.js:
2027         * microbenchmarks/getter-richards.js:
2028         * microbenchmarks/sinkable-new-object-dag.js:
2029         * microbenchmarks/string-concat-long-convert.js:
2030         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2031         * slowMicrobenchmarks/array-push-3.js:
2032         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2033         * slowMicrobenchmarks/spread-small-array.js:
2034         * slowMicrobenchmarks/undefined-property-access.js:
2035         * stress/activation-sink-default-value-tdz-error.js:
2036         * stress/activation-sink-default-value.js:
2037         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2038         * stress/activation-sink-osrexit-default-value.js:
2039         * stress/activation-sink-osrexit.js:
2040         * stress/activation-sink.js:
2041         * stress/allow-math-ic-b3-code-duplication.js:
2042         * stress/array-push-multiple-int32.js:
2043         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2044         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2045         * stress/arrowfunction-lexical-this-activation-sink.js:
2046         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2047         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2048         * stress/elide-new-object-dag-then-exit.js:
2049         * stress/materialize-regexp-cyclic.js:
2050         * stress/new-regex-inline.js:
2051         * stress/op_add.js:
2052         * stress/op_bitand.js:
2053         * stress/op_bitor.js:
2054         * stress/op_bitxor.js:
2055         * stress/op_div-ConstVar.js:
2056         * stress/op_div-VarConst.js:
2057         * stress/op_div-VarVar.js:
2058         * stress/op_lshift-ConstVar.js:
2059         * stress/op_lshift-VarConst.js:
2060         * stress/op_lshift-VarVar.js:
2061         * stress/op_mod-ConstVar.js:
2062         * stress/op_mod-VarConst.js:
2063         * stress/op_mod-VarVar.js:
2064         * stress/op_mul-ConstVar.js:
2065         * stress/op_mul-VarConst.js:
2066         * stress/op_mul-VarVar.js:
2067         * stress/op_rshift-ConstVar.js:
2068         * stress/op_rshift-VarConst.js:
2069         * stress/op_rshift-VarVar.js:
2070         * stress/op_sub-ConstVar.js:
2071         * stress/op_sub-VarConst.js:
2072         * stress/op_sub-VarVar.js:
2073         * stress/op_urshift-ConstVar.js:
2074         * stress/op_urshift-VarConst.js:
2075         * stress/op_urshift-VarVar.js:
2076         * stress/proxy-get-set-correct-receiver.js:
2077         * stress/regress-179562.js:
2078         * stress/rest-parameter-many-arguments.js:
2079         * stress/sampling-profiler-richards.js:
2080         * stress/splay-flash-access-1ms.js:
2081         * stress/tailCallForwardArguments.js:
2082         * stress/typed-array-get-by-val-profiling.js:
2083         * typeProfiler/getter-richards.js:
2084
2085 2018-11-06  Michael Saboff  <msaboff@apple.com>
2086
2087         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2088         https://bugs.webkit.org/show_bug.cgi?id=191271
2089
2090         Reviewed by Saam Barati.
2091
2092         Added more test cases and made all test cases run with the same deeply recursive stack
2093         instead of finding that same point for each test case.
2094
2095         * stress/regexp-compile-oom.js:
2096         (prototype.runTest):
2097         (recurseAndTest):
2098         (testList.push.new.TestAndExpectedException):
2099
2100 2018-11-05  Michael Saboff  <msaboff@apple.com>
2101
2102         Unreviewed build fix for linux.
2103
2104         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2105
2106 2018-11-02  Michael Saboff  <msaboff@apple.com>
2107
2108         Rolling in r237753 with unreviewed build fix.
2109
2110         Fixed issues with DECLARE_THROW_SCOPE placement.
2111
2112 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2113
2114         Unreviewed, rolling out r237753.
2115
2116         Introduced JSC test failures
2117
2118         Reverted changeset:
2119
2120         "Running out of stack space not properly handled in
2121         RegExp::compile() and its callers"
2122         https://bugs.webkit.org/show_bug.cgi?id=191206
2123         https://trac.webkit.org/changeset/237753
2124
2125 2018-11-02  Michael Saboff  <msaboff@apple.com>
2126
2127         Running out of stack space not properly handled in RegExp::compile() and its callers
2128         https://bugs.webkit.org/show_bug.cgi?id=191206
2129
2130         Reviewed by Filip Pizlo.
2131
2132         New regression test.
2133
2134         * stress/regexp-compile-oom.js: Added.
2135         (recurseAndTest):
2136
2137 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2138
2139         Skip tests on arm/mips that time out now we're running on CLoop
2140
2141         Unreviewed gardening.
2142
2143         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2144         time out on the bots and need to be disabled. There's more tests
2145         disabled on arm because the timeout is longer on the mips bot (as the
2146         device is slower to start with), so many of the tests don't time out
2147         there.
2148
2149         * microbenchmarks/getter-richards.js: disable on arm and mips.
2150         * stress/op_add.js: disable on arm.
2151         * stress/op_bitand.js: disable on arm.
2152         * stress/op_bitor.js: disable on arm.
2153         * stress/op_bitxor.js: disable on arm.
2154         * stress/op_lshift-ConstVar.js: disable on arm.
2155         * stress/op_lshift-VarConst.js: disable on arm.
2156         * stress/op_lshift-VarVar.js: disable on arm.
2157         * stress/op_mod-ConstVar.js: disable on arm.
2158         * stress/op_mod-VarConst.js: disable on arm.
2159         * stress/op_mod-VarVar.js: disable on arm.
2160         * stress/op_mul-ConstVar.js: disable on arm.
2161         * stress/op_mul-VarConst.js: disable on arm.
2162         * stress/op_mul-VarVar.js: disable on arm.
2163         * stress/op_rshift-ConstVar.js: disable on arm.
2164         * stress/op_rshift-VarConst.js: disable on arm.
2165         * stress/op_rshift-VarVar.js: disable on arm.
2166         * stress/op_sub-ConstVar.js: disable on arm.
2167         * stress/op_sub-VarConst.js: disable on arm.
2168         * stress/op_sub-VarVar.js: disable on arm.
2169         * stress/op_urshift-ConstVar.js: disable on arm.
2170         * stress/op_urshift-VarConst.js: disable on arm.
2171         * stress/op_urshift-VarVar.js: disable on arm.
2172         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2173         * stress/value-to-boolean.js: disable on arm and mips.
2174
2175 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2176
2177         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2178         https://bugs.webkit.org/show_bug.cgi?id=191108
2179         <rdar://problem/45690700>
2180
2181         Reviewed by Saam Barati.
2182
2183         * stress/wide-op_catch.js: Added.
2184         (catch):
2185
2186 2018-10-29  Mark Lam  <mark.lam@apple.com>
2187
2188         Correctly detect string overflow when using the 'Function' constructor.
2189         https://bugs.webkit.org/show_bug.cgi?id=184883
2190         <rdar://problem/36320331>
2191
2192         Reviewed by Saam Barati.
2193
2194         I've verified that this passes on 32-bit as well.
2195
2196         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2197
2198 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2199
2200         Add support for GetStack FlushedDouble
2201         https://bugs.webkit.org/show_bug.cgi?id=191012
2202         <rdar://problem/45265141>
2203
2204         Reviewed by Saam Barati.
2205
2206         * stress/get-stack-double.js: Added.
2207         (bar):
2208         (noInline):
2209
2210 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2211
2212         New bytecode format for JSC
2213         https://bugs.webkit.org/show_bug.cgi?id=187373
2214         <rdar://problem/44186758>
2215
2216         Reviewed by Filip Pizlo.
2217
2218         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2219
2220         * stress/maximum-inline-capacity.js: Added.
2221         (test1):
2222         (test3.Foo):
2223         (test3):
2224
2225 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2226
2227         Unreviewed, rolling out r237479 and r237484.
2228         https://bugs.webkit.org/show_bug.cgi?id=190978
2229
2230         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2231
2232         Reverted changesets:
2233
2234         "New bytecode format for JSC"
2235         https://bugs.webkit.org/show_bug.cgi?id=187373
2236         https://trac.webkit.org/changeset/237479
2237
2238         "Gardening: Build fix after r237479."
2239         https://bugs.webkit.org/show_bug.cgi?id=187373
2240         https://trac.webkit.org/changeset/237484
2241
2242 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2243
2244         New bytecode format for JSC
2245         https://bugs.webkit.org/show_bug.cgi?id=187373
2246         <rdar://problem/44186758>
2247
2248         Reviewed by Filip Pizlo.
2249
2250         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2251
2252         * stress/maximum-inline-capacity.js: Added.
2253         (test1):
2254         (test3.Foo):
2255         (test3):
2256
2257 2018-10-26  Mark Lam  <mark.lam@apple.com>
2258
2259         Fix missing edge cases with JSGlobalObjects having a bad time.
2260         https://bugs.webkit.org/show_bug.cgi?id=189028
2261         <rdar://problem/45204939>
2262
2263         Reviewed by Saam Barati.
2264
2265         * stress/regress-189028.js: Added.
2266
2267 2018-10-22  Mark Lam  <mark.lam@apple.com>
2268
2269         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2270         https://bugs.webkit.org/show_bug.cgi?id=190515
2271         <rdar://problem/45222379>
2272
2273         Rubber-stamped by Saam Barati.
2274
2275         Adding another test.
2276
2277         * stress/regress-190515-2.js: Added.
2278
2279 2018-10-22  Mark Lam  <mark.lam@apple.com>
2280
2281         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2282         https://bugs.webkit.org/show_bug.cgi?id=190515
2283         <rdar://problem/45222379>
2284
2285         Reviewed by Saam Barati.
2286
2287         * stress/regress-190515.js: Added.
2288
2289 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2290
2291         Unreviewed, rolling out r237254.
2292         https://bugs.webkit.org/show_bug.cgi?id=190760
2293
2294         "It regresses JetStream 2 by 5% on some iOS devices"
2295         (Requested by saamyjoon on #webkit).
2296
2297         Reverted changeset:
2298
2299         "[JSC] JSC should have "parseFunction" to optimize Function
2300         constructor"
2301         https://bugs.webkit.org/show_bug.cgi?id=190340
2302         https://trac.webkit.org/changeset/237254
2303
2304 2018-10-19  Saam Barati  <sbarati@apple.com>
2305
2306         vmCall should check if we exit before emitting an OSR exit due to exceptions
2307         https://bugs.webkit.org/show_bug.cgi?id=190740
2308         <rdar://problem/45220139>
2309
2310         Reviewed by Mark Lam.
2311
2312         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2313         (foo):
2314
2315 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2316
2317         [ESNext][BigInt] Implement support for "^"
2318         https://bugs.webkit.org/show_bug.cgi?id=186235
2319
2320         Reviewed by Yusuke Suzuki.
2321
2322         * stress/big-int-bitwise-xor-general.js: Added.
2323         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2324         * stress/big-int-bitwise-xor-type-error.js: Added.
2325         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2326
2327 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2328
2329         [BigInt] Add ValueSub into DFG
2330         https://bugs.webkit.org/show_bug.cgi?id=186176
2331
2332         Reviewed by Yusuke Suzuki.
2333
2334         * stress/big-int-subtraction-jit.js:
2335         * stress/value-sub-big-int-prediction-propagation.js: Added.
2336         * stress/value-sub-big-int-untyped.js: Added.
2337         * stress/value-sub-spec-none-case.js: Added.
2338
2339 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2340
2341         [JSC] JSC should have "parseFunction" to optimize Function constructor
2342         https://bugs.webkit.org/show_bug.cgi?id=190340
2343
2344         Reviewed by Mark Lam.
2345
2346         This patch fixes the line number of syntax errors raised by the Function constructor,
2347         since we now parse the final code only once. And we no longer use block statement
2348         for Function constructor's parsing.
2349
2350         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2351         * stress/function-cache-with-parameters-end-position.js: Added.
2352         (shouldBe):
2353         (shouldThrow):
2354         (i.anonymous):
2355         * stress/function-constructor-name.js: Added.
2356         (shouldBe):
2357         (GeneratorFunction):
2358         (AsyncFunction.async):
2359         (AsyncGeneratorFunction.async):
2360         (anonymous):
2361         (async.anonymous):
2362         * test262/expectations.yaml:
2363
2364 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2365
2366         Unreviewed, rolling out r237242.
2367         https://bugs.webkit.org/show_bug.cgi?id=190701
2368
2369         it breaks "stress/sampling-profiler-basic.js" (Requested by
2370         caiolima on #webkit).
2371
2372         Reverted changeset:
2373
2374         "[BigInt] Add ValueSub into DFG"
2375         https://bugs.webkit.org/show_bug.cgi?id=186176
2376         https://trac.webkit.org/changeset/237242
2377
2378 2018-10-17  Keith Miller  <keith_miller@apple.com>
2379
2380         AI does not clear Phantom allocation nodes.
2381         https://bugs.webkit.org/show_bug.cgi?id=190694
2382
2383         Reviewed by Saam Barati.
2384
2385         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2386         (Day):
2387         (DaysInYear):
2388         (TimeInYear):
2389         (TimeFromYear):
2390         (DayFromYear):
2391         (InLeapYear):
2392         (YearFromTime):
2393         (WeekDay):
2394         (DaylightSavingTA):
2395         (GetSecondSundayInMarch):
2396         (TimeInMonth):
2397
2398 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2399
2400         [BigInt] Add ValueSub into DFG
2401         https://bugs.webkit.org/show_bug.cgi?id=186176
2402
2403         Reviewed by Yusuke Suzuki.
2404
2405         * stress/big-int-subtraction-jit.js:
2406         * stress/value-sub-big-int-prediction-propagation.js: Added.
2407         * stress/value-sub-big-int-untyped.js: Added.
2408
2409 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2410
2411         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2412         https://bugs.webkit.org/show_bug.cgi?id=190611
2413
2414         Reviewed by Saam Barati.
2415
2416         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2417         to improve test runtime. On ARM/MIPS this test even timed out when running all
2418         tests.
2419
2420         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2421         (test):
2422
2423 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2424
2425         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2426
2427         Unreviewed gardening.
2428
2429         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2430
2431 2018-10-15  Saam barati  <sbarati@apple.com>
2432
2433         Emit fjcvtzs on ARM64E on Darwin
2434         https://bugs.webkit.org/show_bug.cgi?id=184023
2435
2436         Reviewed by Yusuke Suzuki and Filip Pizlo.
2437
2438         * stress/double-to-int32-NaN.js: Added.
2439         (assert):
2440         (foo):
2441
2442 2018-10-15  Saam Barati  <sbarati@apple.com>
2443
2444         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2445         https://bugs.webkit.org/show_bug.cgi?id=190262
2446         <rdar://problem/44986241>
2447
2448         Reviewed by Mark Lam.
2449
2450         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2451         (test):
2452         * stress/slice-array-storage-with-holes.js: Added.
2453         (main):
2454
2455 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2456
2457         Unreviewed, rolling out r237054.
2458         https://bugs.webkit.org/show_bug.cgi?id=190593
2459
2460         "this regressed JetStream 2 by 6% on iOS" (Requested by
2461         saamyjoon on #webkit).
2462
2463         Reverted changeset:
2464
2465         "[JSC] JSC should have "parseFunction" to optimize Function
2466         constructor"
2467         https://bugs.webkit.org/show_bug.cgi?id=190340
2468         https://trac.webkit.org/changeset/237054
2469
2470 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2471
2472         [JSC] JSON.stringify can accept call-with-no-arguments
2473         https://bugs.webkit.org/show_bug.cgi?id=190343
2474
2475         Reviewed by Mark Lam.
2476
2477         * stress/json-stringify-no-arguments.js: Added.
2478         (shouldBe):
2479
2480 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2481
2482         [JSC] JSC should have "parseFunction" to optimize Function constructor
2483         https://bugs.webkit.org/show_bug.cgi?id=190340
2484
2485         Reviewed by Mark Lam.
2486
2487         This patch fixes the line number of syntax errors raised by the Function constructor,
2488         since we now parse the final code only once. And we no longer use block statement
2489         for Function constructor's parsing.
2490
2491         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2492         * stress/function-cache-with-parameters-end-position.js: Added.
2493         (shouldBe):
2494         (shouldThrow):
2495         (i.anonymous):
2496         * stress/function-constructor-name.js: Added.
2497         (shouldBe):
2498         (GeneratorFunction):
2499         (AsyncFunction.async):
2500         (AsyncGeneratorFunction.async):
2501         (anonymous):
2502         (async.anonymous):
2503         * test262/expectations.yaml:
2504
2505 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2506
2507         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2508         https://bugs.webkit.org/show_bug.cgi?id=190426
2509
2510         Unreviewed gardening.
2511
2512         * stress/sampling-profiler-richards.js:
2513
2514 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2515
2516         [ESNext][BigInt] Implement support for "|"
2517         https://bugs.webkit.org/show_bug.cgi?id=186229
2518
2519         Reviewed by Yusuke Suzuki.
2520
2521         * stress/big-int-bitwise-and-jit.js:
2522         * stress/big-int-bitwise-or-general.js: Added.
2523         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2524         * stress/big-int-bitwise-or-jit.js: Added.
2525         * stress/big-int-bitwise-or-memory-stress.js: Added.
2526         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2527         * stress/big-int-bitwise-or-type-error.js: Added.
2528         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2529
2530 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2531
2532         Skip test on systems with limited memory
2533         https://bugs.webkit.org/show_bug.cgi?id=190310
2534
2535         Invoking runDefault adds test to runlist, skipping the test in the next
2536         line does not prevent the test from executing. Change order of lines such
2537         that runDefault is only executed if test is not executed.
2538
2539         Reviewed by Mark Lam.
2540
2541         * stress/regress-190187.js:
2542
2543 2018-10-03  Saam barati  <sbarati@apple.com>
2544
2545         lowXYZ in FTLLower should always filter the type of the incoming edge
2546         https://bugs.webkit.org/show_bug.cgi?id=189939
2547         <rdar://problem/44407030>
2548
2549         Reviewed by Michael Saboff.
2550
2551         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2552         (foo):
2553         (test):
2554
2555 2018-10-03  Mark Lam  <mark.lam@apple.com>
2556
2557         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2558         https://bugs.webkit.org/show_bug.cgi?id=190187
2559         <rdar://problem/42512909>
2560
2561         Reviewed by Michael Saboff.
2562
2563         * stress/regress-190187.js: Added.
2564
2565 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2566
2567         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2568         https://bugs.webkit.org/show_bug.cgi?id=190033
2569
2570         Reviewed by Yusuke Suzuki.
2571
2572         * stress/big-int-to-string.js:
2573
2574 2018-10-01  Mark Lam  <mark.lam@apple.com>
2575
2576         Function.toString() should also copy the source code Functions that are class definitions.
2577         https://bugs.webkit.org/show_bug.cgi?id=190186
2578         <rdar://problem/44733360>
2579
2580         Reviewed by Saam Barati.
2581
2582         * stress/regress-190186.js: Added.
2583
2584 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2585
2586         Split NaN-check into separate test
2587         https://bugs.webkit.org/show_bug.cgi?id=190010
2588
2589         Reviewed by Saam Barati.
2590
2591         DataView exposes NaN-representation, which is not necessarily the same on each
2592         architecture. Therefore move the check of the NaN-representation into its own
2593         file such that we can disable this test on MIPS where NaN-representation can be
2594         different on older CPUs.
2595
2596         * stress/dataview-jit-set-nan.js: Added.
2597         (assert):
2598         (test.storeLittleEndian):
2599         (test.storeBigEndian):
2600         (test.store):
2601         (test):
2602         * stress/dataview-jit-set.js:
2603         (test5):
2604
2605 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2606
2607         Unreviewed, rolling out r236647.
2608         https://bugs.webkit.org/show_bug.cgi?id=190124
2609
2610         Breaking test stress/big-int-to-string.js (Requested by
2611         caiolima_ on #webkit).
2612
2613         Reverted changeset:
2614
2615         "[BigInt] BigInt.proptotype.toString is broken when radix is
2616         power of 2"
2617         https://bugs.webkit.org/show_bug.cgi?id=190033
2618         https://trac.webkit.org/changeset/236647
2619
2620 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2621
2622         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2623         https://bugs.webkit.org/show_bug.cgi?id=190033
2624
2625         Reviewed by Yusuke Suzuki.
2626
2627         * stress/big-int-to-string.js:
2628
2629 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2630
2631         [ESNext][BigInt] Implement support for "&"
2632         https://bugs.webkit.org/show_bug.cgi?id=186228
2633
2634         Reviewed by Yusuke Suzuki.
2635
2636         * stress/big-int-bitwise-and-general.js: Added.
2637         (assert):
2638         (assert.sameValue):
2639         * stress/big-int-bitwise-and-jit.js: Added.
2640         (let.assert.sameValue):
2641         (bigIntBitAnd):
2642         * stress/big-int-bitwise-and-memory-stress.js: Added.
2643         (assert):
2644         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2645         (assert.sameValue):
2646         (let.o.Symbol.toPrimitive):
2647         (catch):
2648         * stress/big-int-bitwise-and-type-error.js: Added.
2649         (assert):
2650         (assertThrowTypeError):
2651         (let.o.valueOf):
2652         (o.valueOf):
2653         (o.toString):
2654         (o.Symbol.toPrimitive):
2655         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2656         (assert.sameValue):
2657         (testBitAnd):
2658         (let.o.Symbol.toPrimitive):
2659         (o.valueOf):
2660         (o.toString):
2661
2662 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2663
2664         JSC test stress/jsc-read.js doesn't support CRLF
2665         https://bugs.webkit.org/show_bug.cgi?id=190063
2666
2667         Reviewed by Yusuke Suzuki.
2668
2669         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2670
2671         * stress/jsc-read.js:
2672         (test):
2673
2674 2018-09-27  Saam barati  <sbarati@apple.com>
2675
2676         Verify the contents of AssemblerBuffer on arm64e
2677         https://bugs.webkit.org/show_bug.cgi?id=190057
2678         <rdar://problem/38916630>
2679
2680         Reviewed by Mark Lam.
2681
2682         * stress/regress-189132.js:
2683
2684 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2685
2686         Disable test without LLInt on ARMv7
2687         https://bugs.webkit.org/show_bug.cgi?id=190037
2688
2689         Reviewed by Mark Lam.
2690
2691         Test runs out of executable memory on ARMv7, do not run
2692         this test without LLInt enabled.
2693
2694         * stress/regress-169445.js:
2695
2696 2018-09-26  Keith Miller  <keith_miller@apple.com>
2697
2698         We should zero unused property storage when rebalancing array storage.
2699         https://bugs.webkit.org/show_bug.cgi?id=188151
2700
2701         Reviewed by Michael Saboff.
2702
2703         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2704
2705 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2706
2707         [JSC] Optimize Array#lastIndexOf
2708         https://bugs.webkit.org/show_bug.cgi?id=189780
2709
2710         Reviewed by Saam Barati.
2711
2712         * stress/array-lastindexof-array-prototype-trap.js: Added.
2713         (shouldBe):
2714         (AncestorArray.prototype.get 2):
2715         (AncestorArray):
2716         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2717         (shouldBe):
2718         * stress/array-lastindexof-hole-nan.js: Added.
2719         (shouldBe):
2720         (throw.new.Error):
2721         * stress/array-lastindexof-infinity.js: Added.
2722         (shouldBe):
2723         (throw.new.Error):
2724         * stress/array-lastindexof-negative-zero.js: Added.
2725         (shouldBe):
2726         (throw.new.Error):
2727         * stress/array-lastindexof-own-getter.js: Added.
2728         (shouldBe):
2729         (throw.new.Error.get array):
2730         (get array):
2731         * stress/array-lastindexof-prototype-trap.js: Added.
2732         (shouldBe):
2733         (DerivedArray.prototype.get 2):
2734         (DerivedArray):
2735
2736 2018-09-25  Saam Barati  <sbarati@apple.com>
2737
2738         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2739         https://bugs.webkit.org/show_bug.cgi?id=189940
2740         <rdar://problem/43640987>
2741
2742         Reviewed by Mark Lam.
2743
2744         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2745
2746 2018-09-24  Saam Barati  <sbarati@apple.com>
2747
2748         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2749         https://bugs.webkit.org/show_bug.cgi?id=189922
2750         <rdar://problem/44651275>
2751
2752         Reviewed by Mark Lam.
2753
2754         * stress/array-indexof-fast-path-effects.js: Added.
2755         * stress/array-indexof-cached-length.js: Added.
2756
2757 2018-09-24  Saam barati  <sbarati@apple.com>
2758
2759         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2760         https://bugs.webkit.org/show_bug.cgi?id=189682
2761         <rdar://problem/43557315>
2762
2763         Reviewed by Mark Lam.
2764
2765         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2766         (foo):
2767
2768 2018-09-22  Saam barati  <sbarati@apple.com>
2769
2770         The sampling should not use Strong<CodeBlock> in its machineLocation field
2771         https://bugs.webkit.org/show_bug.cgi?id=189319
2772
2773         Reviewed by Filip Pizlo.
2774
2775         * stress/sampling-profiler-richards.js: Added.
2776
2777 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2778
2779         [JSC] Optimize Array#indexOf in C++ runtime
2780         https://bugs.webkit.org/show_bug.cgi?id=189507
2781
2782         Reviewed by Saam Barati.
2783
2784         * stress/array-indexof-array-prototype-trap.js: Added.
2785         (shouldBe):
2786         (AncestorArray.prototype.get 2):
2787         (AncestorArray):
2788         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2789         (shouldBe):
2790         * stress/array-indexof-hole-nan.js: Added.
2791         (shouldBe):
2792         (throw.new.Error):
2793         * stress/array-indexof-infinity.js: Added.
2794         (shouldBe):
2795         (throw.new.Error):
2796         * stress/array-indexof-negative-zero.js: Added.
2797         (shouldBe):
2798         (throw.new.Error):
2799         * stress/array-indexof-own-getter.js: Added.
2800         (shouldBe):
2801         (throw.new.Error.get array):
2802         (get array):
2803         * stress/array-indexof-prototype-trap.js: Added.
2804         (shouldBe):
2805         (DerivedArray.prototype.get 2):
2806         (DerivedArray):
2807
2808 2018-09-19  Saam barati  <sbarati@apple.com>
2809
2810         AI rule for MultiPutByOffset executes its effects in the wrong order
2811         https://bugs.webkit.org/show_bug.cgi?id=189757
2812         <rdar://problem/43535257>
2813
2814         Reviewed by Michael Saboff.
2815
2816         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2817         (foo):
2818         (Foo):
2819         (g):
2820
2821 2018-09-17  Mark Lam  <mark.lam@apple.com>
2822
2823         Ensure that ForInContexts are invalidated if their loop local is over-written.
2824         https://bugs.webkit.org/show_bug.cgi?id=189571
2825         <rdar://problem/44402277>
2826
2827         Reviewed by Saam Barati.
2828
2829         * stress/regress-189571.js: Added.
2830
2831 2018-09-17  Saam barati  <sbarati@apple.com>
2832
2833         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2834         https://bugs.webkit.org/show_bug.cgi?id=189676
2835         <rdar://problem/39682897>
2836
2837         Reviewed by Michael Saboff.
2838
2839         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2840         (A):
2841         (K):
2842         (i.catch):
2843
2844 2018-09-14  Saam barati  <sbarati@apple.com>
2845
2846         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2847         https://bugs.webkit.org/show_bug.cgi?id=189628
2848         <rdar://problem/39481690>
2849
2850         Reviewed by Mark Lam.
2851
2852         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2853         (foo):
2854
2855 2018-09-11  Mark Lam  <mark.lam@apple.com>
2856
2857         Test for array initialization in arrayProtoFuncSplice.
2858         https://bugs.webkit.org/show_bug.cgi?id=170253
2859         <rdar://problem/31328773>
2860
2861         Rubber-stamped by Saam Barati.
2862
2863         * stress/regress-170253.js: Added.
2864
2865 2018-09-11  Mark Lam  <mark.lam@apple.com>
2866
2867         Test for IntlObject initialization.
2868         https://bugs.webkit.org/show_bug.cgi?id=170251
2869         <rdar://problem/31328419>
2870
2871         Rubber-stamped by Saam Barati.
2872
2873         * stress/regress-170251.js: Added.
2874
2875 2018-09-11  Mark Lam  <mark.lam@apple.com>
2876
2877         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2878         https://bugs.webkit.org/show_bug.cgi?id=169889
2879         <rdar://problem/31155607>
2880
2881         Reviewed by Saam Barati.
2882
2883         * stress/regress-169889-array-concat.js: Added.
2884         * stress/regress-169889-array-concat1.js: Added.
2885         * stress/regress-169889-array-slice.js: Added.
2886
2887 2018-09-11  Mark Lam  <mark.lam@apple.com>
2888
2889         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2890         https://bugs.webkit.org/show_bug.cgi?id=169445
2891         <rdar://problem/30957435>
2892
2893         Reviewed by Saam Barati.
2894
2895         * stress/regress-169445.js: Added.
2896         (let.gun.eval.A):
2897         (let.gun.eval.B.C):
2898         (let.gun.eval.B.C.prototype.trigger):
2899         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2900         (let.gun.eval.B):
2901         (let.gun.eval):
2902
2903 == Rolled over to ChangeLog-2018-09-11 ==