The HasIndexedProperty node does GC.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-12  Mark Lam  <mark.lam@apple.com>
2
3         The HasIndexedProperty node does GC.
4         https://bugs.webkit.org/show_bug.cgi?id=195559
5         <rdar://problem/48767923>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/HasIndexedProperty-does-gc.js: Added.
10
11 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
12
13         [ESNext][BigInt] Implement "~" unary operation
14         https://bugs.webkit.org/show_bug.cgi?id=182216
15
16         Reviewed by Keith Miller.
17
18         * stress/big-int-bit-not-general.js: Added.
19         * stress/big-int-bitwise-not-jit.js: Added.
20         * stress/big-int-bitwise-not-wrapped-value.js: Added.
21         * stress/bit-op-with-object-returning-int32.js:
22         * stress/bitwise-not-fixup-rules.js: Added.
23         * stress/value-bit-not-ai-rule.js: Added.
24
25 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
26
27         Invalid flags in a RegExp literal should be an early SyntaxError
28         https://bugs.webkit.org/show_bug.cgi?id=195514
29
30         Reviewed by Darin Adler.
31
32         * test262/expectations.yaml:
33         Mark 4 test cases as passing.
34
35         * stress/regexp-syntax-error-invalid-flags.js:
36         * stress/regress-161995.js: Removed.
37         Update existing test, merging in an older test for the same behavior.
38
39 2019-03-08  Mark Lam  <mark.lam@apple.com>
40
41         Stack overflow crash in JSC::JSObject::hasInstance.
42         https://bugs.webkit.org/show_bug.cgi?id=195458
43         <rdar://problem/48710195>
44
45         Reviewed by Yusuke Suzuki.
46
47         * stress/stack-overflow-in-custom-hasInstance.js: Added.
48
49 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
50
51         op_check_tdz does not def its argument
52         https://bugs.webkit.org/show_bug.cgi?id=192880
53         <rdar://problem/46221598>
54
55         Reviewed by Saam Barati.
56
57         * microbenchmarks/let-for-in.js: Added.
58         (foo):
59
60 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
61
62         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
63         https://bugs.webkit.org/show_bug.cgi?id=195429
64
65         Reviewed by Saam Barati.
66
67         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
68         (foo):
69         * stress/string-from-char-code-255.js: Added.
70
71 2019-03-06  Mark Lam  <mark.lam@apple.com>
72
73         Fix incorrect handling of try-finally completion values.
74         https://bugs.webkit.org/show_bug.cgi?id=195131
75         <rdar://problem/46222079>
76
77         Reviewed by Saam Barati and Yusuke Suzuki.
78
79         Added many permutations of new test case to test-finally.js.  test-finally.js has
80         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
81         tests passes there as well.
82
83         * stress/test-finally.js:
84
85 2019-03-06  Saam Barati  <sbarati@apple.com>
86
87         Air::reportUsedRegisters must padInterference
88         https://bugs.webkit.org/show_bug.cgi?id=195303
89         <rdar://problem/48270343>
90
91         Reviewed by Keith Miller.
92
93         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
94
95 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
96
97         [JSC] AI should not propagate AbstractValue relying on constant folding phase
98         https://bugs.webkit.org/show_bug.cgi?id=195375
99
100         Reviewed by Saam Barati.
101
102         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
103         (let.array):
104
105 2019-03-05  Saam barati  <sbarati@apple.com>
106
107         op_switch_char broken for rope strings after JSRopeString layout rewrite
108         https://bugs.webkit.org/show_bug.cgi?id=195339
109         <rdar://problem/48592545>
110
111         Reviewed by Yusuke Suzuki.
112
113         * stress/switch-on-char-llint-rope.js: Added.
114
115 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
116
117         [JSC] Store bits for JSRopeString in 3 stores
118         https://bugs.webkit.org/show_bug.cgi?id=195234
119
120         Reviewed by Saam Barati.
121
122         * stress/null-rope-and-collectors.js: Added.
123
124 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
125
126         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
127         https://bugs.webkit.org/show_bug.cgi?id=195207
128
129         Unreviewed. After test runtime was reduced in r242213, test can be
130         run again on ARM/MIPS.
131
132         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
133
134 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
135
136         [JSC] sizeof(JSString) should be 16
137         https://bugs.webkit.org/show_bug.cgi?id=194375
138
139         Reviewed by Saam Barati.
140
141         * microbenchmarks/make-rope.js: Added.
142         (makeRope):
143         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
144         (returnRope.helper): Deleted.
145         (returnRope): Deleted.
146
147 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
148
149         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
150         https://bugs.webkit.org/show_bug.cgi?id=195144
151
152         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
153         Change the number from 1e8 to 1e5.
154
155         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
156         (foo):
157
158 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
159
160         Test times out on ARM/MIPS
161         https://bugs.webkit.org/show_bug.cgi?id=195168
162
163         Unreviewed. Skip test on ARM/MIPS.
164
165         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
166
167 2019-02-27  Mark Lam  <mark.lam@apple.com>
168
169         The parser is failing to record the token location of new in new.target.
170         https://bugs.webkit.org/show_bug.cgi?id=195127
171         <rdar://problem/39645578>
172
173         Reviewed by Yusuke Suzuki.
174
175         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
176
177 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
178
179         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
180         https://bugs.webkit.org/show_bug.cgi?id=195144
181         <rdar://problem/47595961>
182
183         Reviewed by Mark Lam.
184
185         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
186         (bar):
187         (foo):
188         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
189         (bar):
190         (foo):
191
192 2019-02-27  Robin Morisset  <rmorisset@apple.com>
193
194         DFG: Loop-invariant code motion (LICM) should not hoist dead code
195         https://bugs.webkit.org/show_bug.cgi?id=194945
196         <rdar://problem/48311657>
197
198         Reviewed by Mark Lam.
199
200         * stress/licm-dead-code.js: Added.
201
202 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
203
204         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
205         https://bugs.webkit.org/show_bug.cgi?id=194677
206         <rdar://problem/48112492>
207
208         Reviewed by Mark Lam.
209
210         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
211         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
212         it immediately fails due the large size.
213
214         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
215         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
216         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
217         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
218
219         This patch changes the test to produce 16bit string from String.fromCharCode.
220
221         * stress/regress-178386.js:
222
223 2019-02-26  Mark Lam  <mark.lam@apple.com>
224
225         wasmToJS() should purify incoming NaNs.
226         https://bugs.webkit.org/show_bug.cgi?id=194807
227         <rdar://problem/48189132>
228
229         Reviewed by Saam Barati.
230
231         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
232
233 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
234
235         [JSC] Repeat string created from Array.prototype.join() take too much memory
236         https://bugs.webkit.org/show_bug.cgi?id=193912
237
238         Reviewed by Saam Barati.
239
240         Added a test and a microbenchmark for corner cases of
241         Array.prototype.join() with an uninitialized array.
242
243         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
244         * stress/array-prototype-join-uninitialized.js: Added.
245         (testArray):
246         (testABC):
247         (B):
248         (C):
249
250 2019-02-22  Robin Morisset  <rmorisset@apple.com>
251
252         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
253         https://bugs.webkit.org/show_bug.cgi?id=194953
254         <rdar://problem/47595253>
255
256         Reviewed by Saam Barati.
257
258         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
259
260         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
261
262 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
263
264         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
265         https://bugs.webkit.org/show_bug.cgi?id=172848
266         <rdar://problem/25709212>
267
268         Reviewed by Mark Lam.
269
270         * typeProfiler/inheritance.js:
271         Rewrite the test slightly for clarity. The hoisting was confusing.
272
273         * heapProfiler/class-names.js: Added.
274         (MyES5Class):
275         (MyES6Class):
276         (MyES6Subclass):
277         Test object types and improved class names.
278
279         * heapProfiler/driver/driver.js:
280         (CheapHeapSnapshotNode):
281         (CheapHeapSnapshot):
282         (createCheapHeapSnapshot):
283         (HeapSnapshot):
284         (createHeapSnapshot):
285         Update snapshot parsing from version 1 to version 2.
286
287 2019-02-19  Truitt Savell  <tsavell@apple.com>
288
289         Unreviewed, rolling out r241784.
290
291         Broke all OpenSource builds.
292
293         Reverted changeset:
294
295         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
296         instances view"
297         https://bugs.webkit.org/show_bug.cgi?id=172848
298         https://trac.webkit.org/changeset/241784
299
300 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
301
302         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
303         https://bugs.webkit.org/show_bug.cgi?id=172848
304         <rdar://problem/25709212>
305
306         Reviewed by Mark Lam.
307
308         * typeProfiler/inheritance.js:
309         Rewrite the test slightly for clarity. The hoisting was confusing.
310
311         * heapProfiler/class-names.js: Added.
312         (MyES5Class):
313         (MyES6Class):
314         (MyES6Subclass):
315         Test object types and improved class names.
316
317         * heapProfiler/driver/driver.js:
318         (CheapHeapSnapshotNode):
319         (CheapHeapSnapshot):
320         (createCheapHeapSnapshot):
321         (HeapSnapshot):
322         (createHeapSnapshot):
323         Update snapshot parsing from version 1 to version 2.
324
325 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
326
327         [ARM] Fix crash with sampling profiler
328         https://bugs.webkit.org/show_bug.cgi?id=194772
329
330         Reviewed by Mark Lam.
331
332         Do not skip test since crash with sampling profiler is now fixed.
333
334         * stress/sampling-profiler-richards.js:
335
336 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
337
338         [JSC] Add LazyClassStructure::getInitializedOnMainThread
339         https://bugs.webkit.org/show_bug.cgi?id=194784
340         <rdar://problem/48154820>
341
342         Reviewed by Mark Lam.
343
344         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
345         (getProperties):
346         (getRandomProperty):
347         (i.catch):
348
349 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
350
351         [ARM] Test gardening: Test running out of executable memory
352         https://bugs.webkit.org/show_bug.cgi?id=194771
353
354         Unreviewed. Do not run test without LLInt, test is running out of executable
355         memory on ARM otherwise.
356
357         * stress/tagged-template-object-collect.js:
358
359 2019-02-18  Tomas Popela  <tpopela@redhat.com>
360
361         Unreviewed, skip the test on platforms without sampling profiler
362
363         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
364         (platformSupportsSamplingProfiler.foo):
365         (platformSupportsSamplingProfiler.test):
366         (platformSupportsSamplingProfiler):
367         (foo): Deleted.
368         (test): Deleted.
369
370 2019-02-17  Saam Barati  <sbarati@apple.com>
371
372         Deadlock when adding a Structure property transition and then doing incremental marking
373         https://bugs.webkit.org/show_bug.cgi?id=194767
374
375         Reviewed by Mark Lam.
376
377         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
378
379 2019-02-15  Michael Saboff  <msaboff@apple.com>
380
381         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
382         https://bugs.webkit.org/show_bug.cgi?id=194558
383
384         Reviewed by Saam Barati.
385
386         New regression test.
387
388         * stress/regexp-unicode-within-string.js: Added.
389
390 2019-02-15  Mark Lam  <mark.lam@apple.com>
391
392         SamplingProfiler::stackTracesAsJSON() should escape strings.
393         https://bugs.webkit.org/show_bug.cgi?id=194649
394         <rdar://problem/48072386>
395
396         Reviewed by Saam Barati.
397
398         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
399         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
400         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
401         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
402
403 2019-02-15  Robin Morisset  <rmorisset@apple.com>
404         CodeBlock::jettison should clear related watchpoints
405         https://bugs.webkit.org/show_bug.cgi?id=194544
406
407         Reviewed by Mark Lam.
408
409         * stress/regexp-replace-double-watchpoint.js: Added.
410         (foo):
411
412 2019-02-15  Saam barati  <sbarati@apple.com>
413
414         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
415         https://bugs.webkit.org/show_bug.cgi?id=194036
416
417         Reviewed by Yusuke Suzuki.
418
419         * stress/tail-call-many-arguments.js: Added.
420         (foo):
421         (bar):
422
423 2019-02-14  Saam Barati  <sbarati@apple.com>
424
425         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
426         https://bugs.webkit.org/show_bug.cgi?id=194583
427         <rdar://problem/48028140>
428
429         Reviewed by Yusuke Suzuki.
430
431         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
432
433 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
434
435         [JSC] String.fromCharCode's slow path always generates 16bit string
436         https://bugs.webkit.org/show_bug.cgi?id=194466
437
438         Reviewed by Keith Miller.
439
440         * stress/string-from-char-code-slow-path.js: Added.
441         (shouldBe):
442         (testWithLength):
443
444 2019-02-08  Saam barati  <sbarati@apple.com>
445
446         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
447         https://bugs.webkit.org/show_bug.cgi?id=194334
448         <rdar://problem/47844327>
449
450         Reviewed by Mark Lam.
451
452         * stress/check-in-bounds-should-be-a-child-use.js: Added.
453         (func):
454
455 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
456
457         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
458         https://bugs.webkit.org/show_bug.cgi?id=194369
459         <rdar://problem/47813087>
460
461         Reviewed by Saam Barati.
462
463         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
464         (A):
465
466 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
467
468         [JSC] PrivateName to PublicName hash table is wasteful
469         https://bugs.webkit.org/show_bug.cgi?id=194277
470
471         Reviewed by Michael Saboff.
472
473         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
474
475         * ChakraCore.yaml:
476
477 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
478
479         [ARM] Test running out of executable memory
480         https://bugs.webkit.org/show_bug.cgi?id=194285
481
482         Unreviewed. Do no execute test with LLInt disabled, test runs out of
483         executable memory otherwise.
484
485         * stress/class-subclassing-function.js:
486
487 2019-02-04  Robin Morisset  <rmorisset@apple.com>
488
489         when lowering AssertNotEmpty, create the value before creating the patchpoint
490         https://bugs.webkit.org/show_bug.cgi?id=194231
491
492         Reviewed by Saam Barati.
493
494         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
495         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
496         So even tiny changes to this test can change the path code taken.
497
498         * stress/assert-not-empty.js: Added.
499         (foo):
500
501 2019-02-01  Mark Lam  <mark.lam@apple.com>
502
503         Remove invalid assertion in DFG's compileDoubleRep().
504         https://bugs.webkit.org/show_bug.cgi?id=194130
505         <rdar://problem/47699474>
506
507         Reviewed by Saam Barati.
508
509         * stress/constant-fold-double-rep-into-double-constant.js: Added.
510
511 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
512
513         Import latest Test262 updates.
514
515         Rubber-stamped by Keith Miller.
516
517         * test262.yaml: Deleted.
518         * test262/config.yaml:
519         * test262/expectations.yaml:
520         * test262/latest-changes-summary.txt:
521         * test262/test/:
522         * test262/test262-Revision.txt:
523
524 2019-01-30  Robin Morisset  <rmorisset@apple.com>
525
526         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
527         https://bugs.webkit.org/show_bug.cgi?id=194050
528         <rdar://problem/47595592>
529
530         Reviewed by Yusuke Suzuki.
531
532         * stress/object-keys-osr-exit.js: Added.
533         (foo):
534         (catch):
535
536 2019-01-29  Mark Lam  <mark.lam@apple.com>
537
538         ValueRecovery::recover() should purify NaN values it recovers.
539         https://bugs.webkit.org/show_bug.cgi?id=193978
540         <rdar://problem/47625488>
541
542         Reviewed by Saam Barati.
543
544         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
545
546 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
547
548         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
549         https://bugs.webkit.org/show_bug.cgi?id=193713
550
551         * stress/try-get-by-id-should-spill-registers-dfg.js:
552         (let.f.createBuiltin):
553
554 2019-01-28  Mark Lam  <mark.lam@apple.com>
555
556         ToString node actually does GC.
557         https://bugs.webkit.org/show_bug.cgi?id=193920
558         <rdar://problem/46695900>
559
560         Reviewed by Yusuke Suzuki.
561
562         * stress/dfg-to-string-on-int-does-gc.js: Added.
563         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
564         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
565
566 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
567
568         [JSC] NativeErrorConstructor should not have own IsoSubspace
569         https://bugs.webkit.org/show_bug.cgi?id=193713
570
571         Reviewed by Saam Barati.
572
573         Remove @Error use.
574
575         * stress/try-get-by-id-should-spill-registers-dfg.js:
576         (let.f.createBuiltin):
577
578 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
579
580         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
581         https://bugs.webkit.org/show_bug.cgi?id=190693
582
583         Reviewed by Michael Saboff.
584
585         * stress/regress-190693.js: Added.
586         (truth):
587         (assert):
588         (shouldThrowInvalidConstAssignment):
589         (taz):
590
591 2019-01-24  Saam Barati  <sbarati@apple.com>
592
593         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
594         https://bugs.webkit.org/show_bug.cgi?id=193751
595         <rdar://problem/47280215>
596
597         Reviewed by Michael Saboff.
598
599         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
600         (let.thing):
601         (foo.let.hello):
602         (foo):
603
604 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
605
606         [JSC] Reenable baseline JIT on mips
607         https://bugs.webkit.org/show_bug.cgi?id=192983
608
609         Reviewed by Mark Lam.
610
611         Added a new test for a case that was triggering a RELEASE_ASSERT when
612         testing.
613         Disable some slow tests that were already disabled for arm and x86.
614
615         * stress/json-parse-big-object.js: Added.
616         * stress/new-largeish-contiguous-array-with-size.js:
617         * stress/op_add.js:
618         * stress/op_bitand.js:
619         * stress/op_bitor.js:
620         * stress/op_bitxor.js:
621         * stress/op_lshift-ConstVar.js:
622         * stress/op_lshift-VarConst.js:
623         * stress/op_lshift-VarVar.js:
624         * stress/op_mod-ConstVar.js:
625         * stress/op_mod-VarConst.js:
626         * stress/op_mod-VarVar.js:
627         * stress/op_mul-ConstVar.js:
628         * stress/op_mul-VarConst.js:
629         * stress/op_mul-VarVar.js:
630         * stress/op_rshift-ConstVar.js:
631         * stress/op_rshift-VarConst.js:
632         * stress/op_rshift-VarVar.js:
633         * stress/op_sub-ConstVar.js:
634         * stress/op_sub-VarConst.js:
635         * stress/op_sub-VarVar.js:
636         * stress/op_urshift-ConstVar.js:
637         * stress/op_urshift-VarConst.js:
638         * stress/op_urshift-VarVar.js:
639         * stress/sampling-profiler-richards.js:
640         * stress/spread-forward-call-varargs-stack-overflow.js:
641
642 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
643
644         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
645         https://bugs.webkit.org/show_bug.cgi?id=193711
646         <rdar://problem/47250262>
647
648         Reviewed by Saam Barati.
649
650         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
651         (shouldBe):
652         (foo):
653         (bar):
654         (baz):
655
656 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
657
658         Unreviewed, fix initial global lexical binding epoch
659         https://bugs.webkit.org/show_bug.cgi?id=193603
660         <rdar://problem/47380869>
661
662         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
663         (f1.f2.f3.f4):
664         (f1.f2.f3):
665         (f1.f2):
666         (f1):
667
668 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
669
670         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
671         https://bugs.webkit.org/show_bug.cgi?id=193709
672         <rdar://problem/47363838>
673
674         Unreviewed, rollout to watch the tests.
675
676         * stress/object-tostring-changed-proto.js: Removed.
677         * stress/object-tostring-changed.js: Removed.
678         * stress/object-tostring-misc.js: Removed.
679         * stress/object-tostring-other.js: Removed.
680         * stress/object-tostring-untyped.js: Removed.
681
682 2019-01-22  Saam Barati  <sbarati@apple.com>
683
684         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
685
686         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
687         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
688         (testUncheckedLessThanZero):
689         (testUncheckedLessThanOrEqualZero):
690         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
691         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
692
693 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
694
695         [JSC] Invalidate old scope operations using global lexical binding epoch
696         https://bugs.webkit.org/show_bug.cgi?id=193603
697         <rdar://problem/47380869>
698
699         Reviewed by Saam Barati.
700
701         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
702         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
703         (shouldThrow):
704         (bar):
705         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
706         (shouldBe):
707         (get1):
708         (get2):
709         (get1If):
710         (get2If):
711         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
712         (shouldThrow):
713         (foo):
714
715 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
716
717         Unreviewed, roll out r240220 due to date-format-xparb regression
718         https://bugs.webkit.org/show_bug.cgi?id=193603
719
720         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
721         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
722         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
723         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
724
725 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
726
727         DoesGC rule is wrong for nodes with BigIntUse
728         https://bugs.webkit.org/show_bug.cgi?id=193652
729
730         Reviewed by Saam Barati.
731
732         * stress/big-int-value-op-update-gc-rules.js: Added.
733         (assert):
734         (doesGCAdd):
735         (doesGCSub):
736         (doesGCDiv):
737         (doesGCMul):
738         (doesGCBitAnd):
739         (doesGCBitOr):
740         (doesGCBitXor):
741
742 2019-01-20  Saam Barati  <sbarati@apple.com>
743
744         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
745         https://bugs.webkit.org/show_bug.cgi?id=193644
746         <rdar://problem/46209745>
747
748         Reviewed by Yusuke Suzuki.
749
750         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
751         (foo):
752         * stress/data-view-set-intrinsic-undefined-result.js: Added.
753         (foo):
754         (bar):
755
756 2019-01-20  Saam Barati  <sbarati@apple.com>
757
758         MovHint must merge NodeBytecodeUsesAsValue for its child
759         https://bugs.webkit.org/show_bug.cgi?id=186916
760         <rdar://problem/41396612>
761
762         Reviewed by Yusuke Suzuki.
763
764         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
765         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
766
767 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
768
769         [JSC] Invalidate old scope operations using global lexical binding epoch
770         https://bugs.webkit.org/show_bug.cgi?id=193603
771         <rdar://problem/47380869>
772
773         Reviewed by Saam Barati.
774
775         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
776         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
777         (shouldThrow):
778         (bar):
779         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
780         (shouldBe):
781         (get1):
782         (get2):
783         (get1If):
784         (get2If):
785         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
786         (shouldThrow):
787         (foo):
788
789 2019-01-17  Saam barati  <sbarati@apple.com>
790
791         StringObjectUse should not be a structure check for the original string object structure
792         https://bugs.webkit.org/show_bug.cgi?id=193483
793         <rdar://problem/47280522>
794
795         Reviewed by Yusuke Suzuki.
796
797         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
798         (foo):
799         (a.valueOf.0):
800
801 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
802
803         [JSC] ToThis omission in DFGByteCodeParser is wrong
804         https://bugs.webkit.org/show_bug.cgi?id=193513
805         <rdar://problem/45842236>
806
807         Reviewed by Saam Barati.
808
809         * stress/to-this-omission-with-different-strict-modes.js: Added.
810         (thisA):
811         (thisAStrictWrapper):
812
813 2019-01-15  Mark Lam  <mark.lam@apple.com>
814
815         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
816         https://bugs.webkit.org/show_bug.cgi?id=193423
817         <rdar://problem/46209355>
818
819         Reviewed by Saam Barati.
820
821         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
822         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
823         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
824         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
825
826 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
827
828         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
829         https://bugs.webkit.org/show_bug.cgi?id=193438
830         <rdar://problem/45581249>
831
832         Reviewed by Saam Barati and Keith Miller.
833
834         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
835         Then, GetByVal(String) crashed.
836
837         * stress/string-get-by-val-lowering.js: Added.
838         (shouldBe):
839         (test):
840         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
841         (Hello):
842         (foo):
843
844 2019-01-15  Tomas Popela  <tpopela@redhat.com>
845
846         Unreviewed, skip JIT tests if it's not enabled
847
848         * stress/bit-op-with-object-returning-int32.js:
849
850 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
851
852         DFGByteCodeParser rules for bitwise operations should consider type of their operands
853         https://bugs.webkit.org/show_bug.cgi?id=192966
854
855         Reviewed by Yusuke Suzuki.
856
857         * stress/bit-op-with-object-returning-int32.js: Added.
858
859 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
860
861         Skip a slow test and a flakey test on arm
862
863         Unreviewed gardening.
864
865         * typeProfiler/getter-richards.js:
866         this test always times out, it used to be always skipped on arm and
867         mips, but got accidentally enabled by r237919 now that we have DFG on
868         arm. Also skipping on mips as we plan to soon enable DFG for it too.
869
870 2019-01-14  Keith Miller  <keith_miller@apple.com>
871
872         Skip type-check-hoisting-phase-hoist... with no jit
873         https://bugs.webkit.org/show_bug.cgi?id=193421
874
875         Reviewed by Mark Lam.
876
877         It's timing out the 32-bit bots and takes 330 seconds
878         on my machine when run by itself.
879
880         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
881
882 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
883
884         [JSC] AI should check the given constant's array type when folding GetByVal into constant
885         https://bugs.webkit.org/show_bug.cgi?id=193413
886         <rdar://problem/46092389>
887
888         Reviewed by Keith Miller.
889
890         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
891         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
892         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
893         but GetByVal does not have appropriate ArrayModes, JSC crashes.
894
895         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
896         (compareArray):
897
898 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
899
900         [BigInt] Literal parsing is crashing when used inside a Object Literal
901         https://bugs.webkit.org/show_bug.cgi?id=193404
902
903         Reviewed by Yusuke Suzuki.
904
905         * stress/big-int-literal-inside-literal-object.js: Added.
906
907 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
908
909         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
910         https://bugs.webkit.org/show_bug.cgi?id=193372
911
912         Reviewed by Saam Barati.
913
914         * stress/typed-array-array-modes-profile.js: Added.
915         (foo):
916
917 2019-01-14  Mark Lam  <mark.lam@apple.com>
918
919         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
920         https://bugs.webkit.org/show_bug.cgi?id=193402
921         <rdar://problem/46012309>
922
923         Reviewed by Keith Miller.
924
925         * stress/regexp-compile-oom.js:
926         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
927           is enabled.  As a result, it will fail on cloop builds though there is no bug.
928
929 2019-01-11  Saam barati  <sbarati@apple.com>
930
931         DFG combined liveness can be wrong for terminal basic blocks
932         https://bugs.webkit.org/show_bug.cgi?id=193304
933         <rdar://problem/45268632>
934
935         Reviewed by Yusuke Suzuki.
936
937         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
938
939 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
940
941         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
942         https://bugs.webkit.org/show_bug.cgi?id=193308
943         <rdar://problem/45546542>
944
945         Reviewed by Saam Barati.
946
947         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
948         (shouldThrow):
949         (shouldBe):
950         (foo):
951         (get shouldThrow):
952         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
953         (shouldThrow):
954         (shouldBe):
955         (foo):
956         (get shouldBe):
957         (get shouldThrow):
958         (get return):
959         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
960         (shouldThrow):
961         (shouldBe):
962         (foo):
963         (get shouldBe):
964         (get shouldThrow):
965         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
966         (shouldThrow):
967         (shouldBe):
968         (foo):
969         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
970         (shouldThrow):
971         (shouldBe):
972         (foo):
973         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
974         (shouldThrow):
975         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
976         (shouldThrow):
977         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
978         (shouldThrow):
979         (shouldBe):
980         (foo):
981         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
982         (shouldThrow):
983         (shouldBe):
984         (foo):
985         (get shouldBe):
986         (get shouldThrow):
987         (get return):
988         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
989         (shouldThrow):
990         (shouldBe):
991         (foo):
992         (get shouldBe):
993         (get shouldThrow):
994         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
995         (shouldThrow):
996         (shouldBe):
997         (foo):
998         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
999         (shouldThrow):
1000         (shouldBe):
1001         (foo):
1002
1003 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1004
1005         Enable DFG on ARM/Linux again
1006         https://bugs.webkit.org/show_bug.cgi?id=192496
1007
1008         Reviewed by Yusuke Suzuki.
1009
1010         Test wasn't really skipped before moving the line with skip
1011         to the top.
1012
1013         * stress/regress-192717.js:
1014
1015 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1016
1017         Unreviewed, rolling out r239825.
1018         https://bugs.webkit.org/show_bug.cgi?id=193330
1019
1020         Broke tests on armv7/linux bots (Requested by guijemont on
1021         #webkit).
1022
1023         Reverted changeset:
1024
1025         "Enable DFG on ARM/Linux again"
1026         https://bugs.webkit.org/show_bug.cgi?id=192496
1027         https://trac.webkit.org/changeset/239825
1028
1029 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1030
1031         Enable DFG on ARM/Linux again
1032         https://bugs.webkit.org/show_bug.cgi?id=192496
1033
1034         Reviewed by Yusuke Suzuki.
1035
1036         Test wasn't really skipped before moving the line with skip
1037         to the top.
1038
1039         * stress/regress-192717.js:
1040
1041 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1042
1043         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1044         https://bugs.webkit.org/show_bug.cgi?id=193127
1045
1046         Reviewed by Saam Barati.
1047
1048         * stress/array-species-create-should-handle-masquerader.js: Added.
1049         (shouldThrow):
1050         * stress/is-undefined-or-null-builtin.js: Added.
1051         (shouldBe):
1052         (isUndefinedOrNull.vm.createBuiltin):
1053
1054 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1055
1056         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1057         https://bugs.webkit.org/show_bug.cgi?id=193221
1058
1059         Reviewed by Mark Lam.
1060
1061         * stress/put-by-id-flags.js: Added.
1062         (f):
1063         (g):
1064         (numberOfDFGCompiles):
1065
1066 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1067
1068         Baseline version of get_by_id may corrupt metadata
1069         https://bugs.webkit.org/show_bug.cgi?id=193085
1070         <rdar://problem/23453006>
1071
1072         Reviewed by Saam Barati.
1073
1074         * stress/get-by-id-change-mode.js: Added.
1075         (forEach):
1076
1077 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1078
1079         [JSC] Optimize Object.prototype.toString
1080         https://bugs.webkit.org/show_bug.cgi?id=193031
1081
1082         Reviewed by Saam Barati.
1083
1084         * stress/object-tostring-changed-proto.js: Added.
1085         (shouldBe):
1086         (test):
1087         * stress/object-tostring-changed.js: Added.
1088         (shouldBe):
1089         (test):
1090         * stress/object-tostring-misc.js: Added.
1091         (shouldBe):
1092         (test):
1093         (i.switch):
1094         * stress/object-tostring-other.js: Added.
1095         (shouldBe):
1096         (test):
1097         * stress/object-tostring-untyped.js: Added.
1098         (shouldBe):
1099         (test):
1100         (i.switch):
1101
1102 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1103
1104         test262-runner misbehaves when test file YAML has a trailing space
1105         https://bugs.webkit.org/show_bug.cgi?id=193053
1106
1107         Reviewed by Yusuke Suzuki.
1108
1109         * test262/expectations.yaml:
1110         Mark two dozen tests as passing (and correct the output of another).
1111
1112 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1113
1114         Unreviewed, JSTests gardening with memoryLimited
1115
1116         * stress/string-overflow-createError.js:
1117
1118 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1119
1120         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1121         https://bugs.webkit.org/show_bug.cgi?id=193050
1122
1123         Reviewed by Yusuke Suzuki.
1124
1125         * test262.yaml:
1126         * test262/expectations.yaml:
1127         Mark 16 tests as passing.
1128
1129 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1130
1131         [BigInt] Support BigInt in JSON.stringify
1132         https://bugs.webkit.org/show_bug.cgi?id=192624
1133
1134         Reviewed by Saam Barati.
1135
1136         * stress/big-int-json-stringify-to-json.js: Added.
1137         (shouldBe):
1138         (shouldThrow):
1139         (BigInt.prototype.toJSON):
1140         (shouldBe.JSON.stringify):
1141         * stress/big-int-json-stringify.js: Added.
1142         (shouldBe):
1143         (shouldThrow):
1144
1145 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1146
1147         [JSC] Implement "well-formed JSON.stringify" proposal
1148         https://bugs.webkit.org/show_bug.cgi?id=191677
1149
1150         Reviewed by Darin Adler.
1151
1152         * stress/json-surrogate-pair.js: Added.
1153         (shouldBe):
1154         * test262/expectations.yaml:
1155
1156 2018-12-20  Keith Miller  <keith_miller@apple.com>
1157
1158         Add support for globalThis
1159         https://bugs.webkit.org/show_bug.cgi?id=165171
1160
1161         Reviewed by Mark Lam.
1162
1163         * test262/config.yaml:
1164
1165 2018-12-19  Keith Miller  <keith_miller@apple.com>
1166
1167         Update test262 configuration to not run tests dependent on ICU version.
1168         https://bugs.webkit.org/show_bug.cgi?id=192920
1169
1170         Reviewed by Saam Barati.
1171
1172         * test262/expectations.yaml:
1173
1174 2018-12-20  Mark Lam  <mark.lam@apple.com>
1175
1176         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1177         https://bugs.webkit.org/show_bug.cgi?id=192939
1178         <rdar://problem/46869516>
1179
1180         Reviewed by Keith Miller.
1181
1182         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1183
1184 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1185
1186         WTF::String and StringImpl overflow MaxLength
1187         https://bugs.webkit.org/show_bug.cgi?id=192853
1188         <rdar://problem/45726906>
1189
1190         Reviewed by Mark Lam.
1191
1192         * stress/string-16bit-repeat-overflow.js: Added.
1193         (catch):
1194
1195 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1196
1197         Unreviewed follow-up to r192914.
1198
1199         * test262/expectations.yaml:
1200         Add the last 20 missing expectations.
1201
1202 2018-12-19  Keith Miller  <keith_miller@apple.com>
1203
1204         Fix test262 expectations
1205         https://bugs.webkit.org/show_bug.cgi?id=192914
1206
1207         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1208
1209         * test262/expectations.yaml:
1210
1211 2018-12-19  Keith Miller  <keith_miller@apple.com>
1212
1213         Update test262 tests.
1214         https://bugs.webkit.org/show_bug.cgi?id=192907
1215
1216         Rubber stamped by Mark Lam.
1217
1218         * test262/*: Omitted because prepare-changelog crashes.
1219
1220 2018-12-19  Mark Lam  <mark.lam@apple.com>
1221
1222         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1223         https://bugs.webkit.org/show_bug.cgi?id=192464
1224         <rdar://problem/46519455>
1225
1226         Reviewed by Saam Barati.
1227
1228         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1229         microbenchmark.
1230
1231         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1232         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1233
1234 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1235
1236         String overflow in JSC::createError results in ASSERT in WTF::makeString
1237         https://bugs.webkit.org/show_bug.cgi?id=192833
1238         <rdar://problem/45706868>
1239
1240         Reviewed by Mark Lam.
1241
1242         * stress/string-overflow-createError.js: Added.
1243
1244 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1245
1246         Error message for `-x ** y` contains a typo.
1247         https://bugs.webkit.org/show_bug.cgi?id=192832
1248
1249         Reviewed by Saam Barati.
1250
1251         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1252         (assert.assert.return.throws):
1253         * stress/pow-expects-update-expression-on-lhs.js:
1254         (throw.new.Error):
1255         Update test expectations which match against the exact error message.
1256
1257 2018-12-18  Mark Lam  <mark.lam@apple.com>
1258
1259         Gardening: test options fix.
1260         https://bugs.webkit.org/show_bug.cgi?id=192822
1261
1262         Unreviewed.
1263
1264         * stress/json-stringify-string-builder-overflow.js:
1265
1266 2018-12-18  Mark Lam  <mark.lam@apple.com>
1267
1268         JSON.stringify() should throw OOM on StringBuilder overflows.
1269         https://bugs.webkit.org/show_bug.cgi?id=192822
1270         <rdar://problem/46670577>
1271
1272         Reviewed by Saam Barati.
1273
1274         * stress/json-stringify-string-builder-overflow.js: Added.
1275
1276 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1277
1278         Redeclaration of var over let/const/class should be a syntax error.
1279         https://bugs.webkit.org/show_bug.cgi?id=192298
1280
1281         Reviewed by Keith Miller.
1282
1283         * test262.yaml:
1284         * test262/expectations.yaml:
1285         Mark 46 tests as passing.
1286
1287         * stress/block-scope-redeclarations.js:
1288         Add some new tests.
1289
1290         * stress/for-in-invalidate-context-weird-assignments.js:
1291         * stress/for-in-tests.js:
1292         Replace tests for outdated behavior with tests for SyntaxError.
1293
1294         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1295         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1296         Update expectations.
1297
1298 2018-12-18  Mark Lam  <mark.lam@apple.com>
1299
1300         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1301         https://bugs.webkit.org/show_bug.cgi?id=191374
1302         <rdar://problem/46525447>
1303
1304         Reviewed by Yusuke Suzuki.
1305
1306         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1307
1308         * stress/elidable-new-object-roflcopter-then-exit.js:
1309
1310 2018-12-17  Mark Lam  <mark.lam@apple.com>
1311
1312         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1313         https://bugs.webkit.org/show_bug.cgi?id=192019
1314         <rdar://problem/46525456>
1315
1316         Reviewed by Yusuke Suzuki.
1317
1318         The test runs too slow on 32-bit.
1319
1320         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1321
1322 2018-12-17  Mark Lam  <mark.lam@apple.com>
1323
1324         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1325         https://bugs.webkit.org/show_bug.cgi?id=191373
1326         <rdar://problem/46525458>
1327
1328         Reviewed by Yusuke Suzuki.
1329
1330         The test is already slow running with a JIT on 64-bit.  It will always timeout
1331         on 32-bit without a JIT.
1332
1333         * stress/materialize-regexp-cyclic-regexp.js:
1334
1335 2018-12-17  Mark Lam  <mark.lam@apple.com>
1336
1337         Array unshift/shift should not race against the AI in the compiler thread.
1338         https://bugs.webkit.org/show_bug.cgi?id=192795
1339         <rdar://problem/46724263>
1340
1341         Reviewed by Saam Barati.
1342
1343         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1344
1345 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1346
1347         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1348         https://bugs.webkit.org/show_bug.cgi?id=190047
1349
1350         Reviewed by Saam Barati.
1351
1352         * stress/object-keys-cached-zero.js: Added.
1353         (shouldBe):
1354         (test):
1355         * stress/object-keys-changed-attribute.js: Added.
1356         (shouldBe):
1357         (test):
1358         * stress/object-keys-changed-index.js: Added.
1359         (shouldBe):
1360         (test):
1361         * stress/object-keys-changed.js: Added.
1362         (shouldBe):
1363         (test):
1364         * stress/object-keys-indexed-non-cache.js: Added.
1365         (shouldBe):
1366         (test):
1367         * stress/object-keys-overrides-get-property-names.js: Added.
1368         (shouldBe):
1369         (test):
1370         (noInline):
1371
1372 2018-12-17  Mark Lam  <mark.lam@apple.com>
1373
1374         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1375         https://bugs.webkit.org/show_bug.cgi?id=192779
1376         <rdar://problem/46775869>
1377
1378         Reviewed by Saam Barati.
1379
1380         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1381
1382 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1383
1384         Unreviewed test gardening, address a syntax error in a new test.
1385
1386         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1387
1388 2018-12-17  Mark Lam  <mark.lam@apple.com>
1389
1390         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1391         https://bugs.webkit.org/show_bug.cgi?id=192776
1392         <rdar://problem/46772368>
1393
1394         Reviewed by Keith Miller.
1395
1396         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1397
1398 2018-12-17  Mark Lam  <mark.lam@apple.com>
1399
1400         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1401         https://bugs.webkit.org/show_bug.cgi?id=192770
1402         <rdar://problem/46449037>
1403
1404         Reviewed by Keith Miller.
1405
1406         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1407
1408 2018-12-14  Mark Lam  <mark.lam@apple.com>
1409
1410         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1411         https://bugs.webkit.org/show_bug.cgi?id=192717
1412         <rdar://problem/46660677>
1413
1414         Reviewed by Saam Barati.
1415
1416         * stress/regress-192717.js: Added.
1417
1418 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1419
1420         Unreviewed, rolling out r239153, r239154, and r239155.
1421         https://bugs.webkit.org/show_bug.cgi?id=192715
1422
1423         Caused flaky GC-related crashes seen with layout tests
1424         (Requested by ryanhaddad on #webkit).
1425
1426         Reverted changesets:
1427
1428         "[JSC] Optimize Object.keys by caching own keys results in
1429         StructureRareData"
1430         https://bugs.webkit.org/show_bug.cgi?id=190047
1431         https://trac.webkit.org/changeset/239153
1432
1433         "Unreviewed, build fix after r239153"
1434         https://bugs.webkit.org/show_bug.cgi?id=190047
1435         https://trac.webkit.org/changeset/239154
1436
1437         "Unreviewed, build fix after r239153, part 2"
1438         https://bugs.webkit.org/show_bug.cgi?id=190047
1439         https://trac.webkit.org/changeset/239155
1440
1441 2018-12-14  Keith Miller  <keith_miller@apple.com>
1442
1443         Callers of JSString::getIndex should check for OOM exceptions
1444         https://bugs.webkit.org/show_bug.cgi?id=192709
1445
1446         Reviewed by Mark Lam.
1447
1448         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1449
1450 2018-12-13  Mark Lam  <mark.lam@apple.com>
1451
1452         Add a missing exception check.
1453         https://bugs.webkit.org/show_bug.cgi?id=192626
1454         <rdar://problem/46662163>
1455
1456         Reviewed by Keith Miller.
1457
1458         * stress/regress-192626.js: Added.
1459
1460 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1461
1462         [BigInt] Add ValueDiv into DFG
1463         https://bugs.webkit.org/show_bug.cgi?id=186178
1464
1465         Reviewed by Yusuke Suzuki.
1466
1467         * stress/big-int-div-jit-osr.js: Added.
1468         * stress/big-int-div-jit-untyped.js: Added.
1469         * stress/value-div-fixup-int32-big-int.js: Added.
1470
1471 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1472
1473         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1474         https://bugs.webkit.org/show_bug.cgi?id=190047
1475
1476         Reviewed by Keith Miller.
1477
1478         * stress/object-keys-cached-zero.js: Added.
1479         (shouldBe):
1480         (test):
1481         * stress/object-keys-changed-attribute.js: Added.
1482         (shouldBe):
1483         (test):
1484         * stress/object-keys-changed-index.js: Added.
1485         (shouldBe):
1486         (test):
1487         * stress/object-keys-changed.js: Added.
1488         (shouldBe):
1489         (test):
1490         * stress/object-keys-indexed-non-cache.js: Added.
1491         (shouldBe):
1492         (test):
1493         * stress/object-keys-overrides-get-property-names.js: Added.
1494         (shouldBe):
1495         (test):
1496         (noInline):
1497
1498 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1499
1500         [DFG][FTL] Add NewSymbol
1501         https://bugs.webkit.org/show_bug.cgi?id=192620
1502
1503         Reviewed by Saam Barati.
1504
1505         * microbenchmarks/symbol-creation.js: Added.
1506         (test):
1507         * stress/symbol-description-identity.js: Added.
1508         (shouldBe):
1509         (test):
1510         * stress/symbol-identity.js: Added.
1511         (shouldBe):
1512         (test):
1513         * stress/symbol-with-description-throw-error.js: Added.
1514         (shouldBe):
1515         (shouldThrow):
1516         (test):
1517         (object.toString):
1518
1519 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1520
1521         [BigInt] Implement DFG/FTL typeof for BigInt
1522         https://bugs.webkit.org/show_bug.cgi?id=192619
1523
1524         Reviewed by Keith Miller.
1525
1526         * stress/big-int-boolean-proven-type.js: Added.
1527         (assert):
1528         (bool):
1529         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1530         (assert):
1531         (typeOf):
1532         (i.switch):
1533         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1534         (assert):
1535         (typeOf):
1536         * stress/big-int-type-of.js:
1537         (typeOf):
1538         (func):
1539
1540 2018-12-10  Mark Lam  <mark.lam@apple.com>
1541
1542         PropertyAttribute needs a CustomValue bit.
1543         https://bugs.webkit.org/show_bug.cgi?id=191993
1544         <rdar://problem/46264467>
1545
1546         Reviewed by Saam Barati.
1547
1548         * stress/regress-191993.js: Added.
1549
1550 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1551
1552         [BigInt] Add ValueMul into DFG
1553         https://bugs.webkit.org/show_bug.cgi?id=186175
1554
1555         Reviewed by Yusuke Suzuki.
1556
1557         * stress/big-int-mul-jit-osr.js: Added.
1558         * stress/big-int-mul-jit-untyped.js: Added.
1559         * stress/value-mul-fixup-int32-big-int.js: Added.
1560
1561 2018-12-06  Keith Miller  <keith_miller@apple.com>
1562
1563         stress/big-wasm-memory tests failing on 32-bit JSC bot
1564         https://bugs.webkit.org/show_bug.cgi?id=192020
1565
1566         Reviewed by Saam Barati.
1567
1568         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1569         the wasm stress tests if the WebAssembly object does not exist.
1570
1571         * stress/big-wasm-memory-grow-no-max.js:
1572         (test.foo):
1573         (test):
1574         (foo): Deleted.
1575         (catch): Deleted.
1576         * stress/big-wasm-memory-grow.js:
1577         (test.foo):
1578         (test):
1579         (foo): Deleted.
1580         (catch): Deleted.
1581         * stress/big-wasm-memory.js:
1582         (test.foo):
1583         (test):
1584         (foo): Deleted.
1585         (catch): Deleted.
1586
1587 2018-12-05  Mark Lam  <mark.lam@apple.com>
1588
1589         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1590         https://bugs.webkit.org/show_bug.cgi?id=192441
1591         <rdar://problem/46480355>
1592
1593         Reviewed by Saam Barati.
1594
1595         * stress/regress-192441.js: Added.
1596
1597 2018-12-04  Mark Lam  <mark.lam@apple.com>
1598
1599         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1600         https://bugs.webkit.org/show_bug.cgi?id=192386
1601         <rdar://problem/46445516>
1602
1603         Reviewed by Saam Barati.
1604
1605         * stress/regress-192386.js: Added.
1606
1607 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1608
1609         [ESNext][BigInt] Support logic operations
1610         https://bugs.webkit.org/show_bug.cgi?id=179903
1611
1612         Reviewed by Yusuke Suzuki.
1613
1614         * stress/big-int-branch-usage.js: Added.
1615         * stress/big-int-logical-and.js: Added.
1616         * stress/big-int-logical-not.js: Added.
1617         * stress/big-int-logical-or.js: Added.
1618
1619 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1620
1621         Unreviewed, rolling out r238833.
1622
1623         Breaks macOS and iOS debug builds.
1624
1625         Reverted changeset:
1626
1627         "[ESNext][BigInt] Support logic operations"
1628         https://bugs.webkit.org/show_bug.cgi?id=179903
1629         https://trac.webkit.org/changeset/238833
1630
1631 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1632
1633         [ESNext][BigInt] Support logic operations
1634         https://bugs.webkit.org/show_bug.cgi?id=179903
1635
1636         Reviewed by Yusuke Suzuki.
1637
1638         * stress/big-int-branch-usage.js: Added.
1639         * stress/big-int-logical-and.js: Added.
1640         * stress/big-int-logical-not.js: Added.
1641         * stress/big-int-logical-or.js: Added.
1642
1643 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1644
1645         [ESNext][BigInt] Implement support for "<<" and ">>"
1646         https://bugs.webkit.org/show_bug.cgi?id=186233
1647
1648         Reviewed by Yusuke Suzuki.
1649
1650         * stress/big-int-left-shift-general.js: Added.
1651         * stress/big-int-left-shift-range-error.js: Added.
1652         * stress/big-int-left-shift-type-error.js: Added.
1653         * stress/big-int-left-shift-wrapped-value.js: Added.
1654         * stress/big-int-right-shift-general.js: Added.
1655         * stress/big-int-right-shift-type-error.js: Added.
1656         * stress/big-int-right-shift-wrapped-value.js: Added.
1657         * stress/left-shift-to-primitive-precedence.js: Added.
1658         * stress/right-shift-to-primitive-precedence.js: Added.
1659
1660 2018-11-30  Dean Jackson  <dino@apple.com>
1661
1662         Add first-class support for .mjs files in jsc binary
1663         https://bugs.webkit.org/show_bug.cgi?id=192190
1664         <rdar://problem/46375715>
1665
1666         Reviewed by Keith Miller.
1667
1668         * stress/simple-module.mjs: Added.
1669         * stress/simple-script.js: Added.
1670
1671 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1672
1673         [BigInt] Implement ValueBitXor into DFG
1674         https://bugs.webkit.org/show_bug.cgi?id=190264
1675
1676         Reviewed by Yusuke Suzuki.
1677
1678         * stress/big-int-bitwise-xor-jit.js: Added.
1679         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1680         * stress/big-int-bitwise-xor-untyped.js: Added.
1681
1682 2018-11-27  Saam barati  <sbarati@apple.com>
1683
1684         r238510 broke scopes of size zero
1685         https://bugs.webkit.org/show_bug.cgi?id=192033
1686         <rdar://problem/46281734>
1687
1688         Reviewed by Keith Miller.
1689
1690         * stress/r238510-bad-loop.js: Added.
1691         (foo):
1692
1693 2018-11-27  Mark Lam  <mark.lam@apple.com>
1694
1695         [Re-landing] NaNs read from Wasm code needs to be be purified.
1696         https://bugs.webkit.org/show_bug.cgi?id=191056
1697         <rdar://problem/45660341>
1698
1699         Reviewed by Filip Pizlo.
1700
1701         * wasm/regress/regress-191056.js: Added.
1702
1703 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1704
1705         Unreviewed, rolling out r238509.
1706
1707         Causes JSC tests to fail on iOS.
1708
1709         Reverted changeset:
1710
1711         "NaNs read from Wasm code needs to be be purified."
1712         https://bugs.webkit.org/show_bug.cgi?id=191056
1713         https://trac.webkit.org/changeset/238509
1714
1715 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1716
1717         Re-introduce op_bitnot
1718         https://bugs.webkit.org/show_bug.cgi?id=190923
1719
1720         Reviewed by Yusuke Suzuki.
1721
1722         * stress/bit-not-must-generate.js: Added.
1723         * stress/bitwise-not-no-int32.js: Added.
1724
1725 2018-11-26  Saam barati  <sbarati@apple.com>
1726
1727         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1728         https://bugs.webkit.org/show_bug.cgi?id=191956
1729         <rdar://problem/45665806>
1730
1731         Reviewed by Yusuke Suzuki.
1732
1733         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1734         (bar):
1735         (foo):
1736
1737 2018-11-26  Saam barati  <sbarati@apple.com>
1738
1739         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1740         https://bugs.webkit.org/show_bug.cgi?id=191958
1741         <rdar://problem/46221877>
1742
1743         Reviewed by Yusuke Suzuki.
1744
1745         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1746         (x):
1747         (foo):
1748
1749 2018-11-26  Mark Lam  <mark.lam@apple.com>
1750
1751         NaNs read from Wasm code needs to be be purified.
1752         https://bugs.webkit.org/show_bug.cgi?id=191056
1753         <rdar://problem/45660341>
1754
1755         Reviewed by Filip Pizlo.
1756
1757         * wasm/regress/regress-191056.js: Added.
1758
1759 2018-11-26  Michael Saboff  <msaboff@apple.com>
1760
1761         32-bit JSC test failure: stress/regexp-compile-oom.js
1762         https://bugs.webkit.org/show_bug.cgi?id=191375
1763
1764         Reviewed by Mark Lam.
1765
1766         Disabled the test for 32 bit platforms.
1767
1768         * stress/regexp-compile-oom.js:
1769
1770 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1771
1772         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1773         https://bugs.webkit.org/show_bug.cgi?id=191716
1774         <rdar://problem/45723878>
1775
1776         Reviewed by Saam Barati.
1777
1778         * stress/regress-187373.js: Added.
1779         (async.fn):
1780
1781 2018-11-21  Saam barati  <sbarati@apple.com>
1782
1783         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1784         https://bugs.webkit.org/show_bug.cgi?id=191897
1785         <rdar://problem/45871998>
1786
1787         Reviewed by Mark Lam.
1788
1789         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1790         (bar):
1791         (foo):
1792
1793 2018-11-21  Saam barati  <sbarati@apple.com>
1794
1795         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1796         https://bugs.webkit.org/show_bug.cgi?id=191895
1797         <rdar://problem/46167406>
1798
1799         Reviewed by Mark Lam.
1800
1801         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1802         (foo):
1803         (bar):
1804
1805 2018-11-21  Mark Lam  <mark.lam@apple.com>
1806
1807         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1808         https://bugs.webkit.org/show_bug.cgi?id=191776
1809         <rdar://problem/46152851>
1810
1811         Reviewed by Saam Barati.
1812
1813         * stress/big-wasm-memory-grow-no-max.js:
1814         * stress/big-wasm-memory-grow.js:
1815         * stress/big-wasm-memory.js:
1816         - updated these to expect an OutOfMemoryError.
1817
1818         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1819         (Binary.prototype.emit_u8):
1820         (Binary.prototype.emit_u32v):
1821         (Binary.prototype.emit_header):
1822         (Binary.prototype.emit_section):
1823         (Binary):
1824         (WasmModuleBuilder):
1825         (WasmModuleBuilder.prototype.addMemory):
1826         (WasmModuleBuilder.prototype.toArray):
1827         (WasmModuleBuilder.prototype.toBuffer):
1828         (WasmModuleBuilder.prototype.instantiate):
1829         (catch):
1830         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1831         (catch):
1832
1833 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1834
1835         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1836         https://bugs.webkit.org/show_bug.cgi?id=190836
1837
1838         Reviewed by Saam Barati and Yusuke Suzuki.
1839
1840         * stress/big-int-out-of-memory-tests.js: Added.
1841
1842 2018-11-20  Mark Lam  <mark.lam@apple.com>
1843
1844         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1845         https://bugs.webkit.org/show_bug.cgi?id=191856
1846         <rdar://problem/46089992>
1847
1848         Reviewed by Yusuke Suzuki.
1849
1850         * stress/regress-191856.js: Added.
1851         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1852
1853 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1854
1855         Enable JIT on ARM/Linux
1856         https://bugs.webkit.org/show_bug.cgi?id=191548
1857
1858         Reviewed by Yusuke Suzuki.
1859
1860         Disable test on system with limited memory. Program was killed by
1861         the OS before the exception was thrown.
1862
1863         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1864
1865 2018-11-20  Saam barati  <sbarati@apple.com>
1866
1867         Merging an IC variant may lead to the IC status containing overlapping structure sets
1868         https://bugs.webkit.org/show_bug.cgi?id=191869
1869         <rdar://problem/45403453>
1870
1871         Reviewed by Mark Lam.
1872
1873         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1874
1875 2018-11-19  Mark Lam  <mark.lam@apple.com>
1876
1877         globalFuncImportModule() should return a promise when it clears exceptions.
1878         https://bugs.webkit.org/show_bug.cgi?id=191792
1879         <rdar://problem/46090763>
1880
1881         Reviewed by Michael Saboff.
1882
1883         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1884
1885 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1886
1887         Skip new memory-hungry tests on memory limited devices
1888
1889         Unreviewed gardening.
1890
1891         * stress/big-wasm-memory-grow-no-max.js:
1892         * stress/big-wasm-memory-grow.js:
1893         * stress/big-wasm-memory.js:
1894
1895 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1896
1897         Unreviewed, rolling in the rest of r237254
1898         https://bugs.webkit.org/show_bug.cgi?id=190340
1899
1900         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1901         * stress/function-cache-with-parameters-end-position.js: Added.
1902         (shouldBe):
1903         (shouldThrow):
1904         (i.anonymous):
1905         * stress/function-constructor-name.js: Added.
1906         (shouldBe):
1907         (GeneratorFunction):
1908         (AsyncFunction.async):
1909         (AsyncGeneratorFunction.async):
1910         (anonymous):
1911         (async.anonymous):
1912         * test262/expectations.yaml:
1913
1914 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1915
1916         All users of ArrayBuffer should agree on the same max size
1917         https://bugs.webkit.org/show_bug.cgi?id=191771
1918
1919         Reviewed by Mark Lam.
1920
1921         * stress/big-wasm-memory-grow-no-max.js: Added.
1922         (foo):
1923         (catch):
1924         * stress/big-wasm-memory-grow.js: Added.
1925         (foo):
1926         (catch):
1927         * stress/big-wasm-memory.js: Added.
1928         (foo):
1929         (catch):
1930
1931 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1932
1933         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1934         run for each JSC config since they're regression tests for runtime bugs.
1935
1936         * stress/json-stringified-overflow-2.js:
1937         * stress/json-stringified-overflow.js:
1938
1939 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1940
1941         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1942         config since they're regression tests for runtime bugs.
1943
1944         * stress/large-unshift-splice.js:
1945         * stress/regress-185888.js:
1946
1947 2018-11-16  Saam Barati  <sbarati@apple.com>
1948
1949         KnownCellUse should also have SpecCellCheck as its type filter
1950         https://bugs.webkit.org/show_bug.cgi?id=191729
1951         <rdar://problem/45872852>
1952
1953         Reviewed by Filip Pizlo.
1954
1955         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1956         (C):
1957
1958 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1959
1960         Fix assertion failure on BytecodeGenerator::recordOpcode
1961         https://bugs.webkit.org/show_bug.cgi?id=191724
1962         <rdar://problem/45724395>
1963
1964         Reviewed by Saam Barati.
1965
1966         * stress/regress-187373-2.js: Added.
1967         (foo):
1968
1969 2018-11-15  Mark Lam  <mark.lam@apple.com>
1970
1971         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1972         https://bugs.webkit.org/show_bug.cgi?id=191730
1973         <rdar://problem/46048517>
1974
1975         Reviewed by Saam Barati.
1976
1977         * stress/regress-187006.js: Removed.
1978           - this test is invalid because its sole purpose is to test for the non-spec
1979             compliant behavior that we just fixed.
1980
1981         * stress/regress-191730.js: Added.
1982
1983 2018-11-15  Mark Lam  <mark.lam@apple.com>
1984
1985         RegExp operations should not take fast patch if lastIndex is not numeric.
1986         https://bugs.webkit.org/show_bug.cgi?id=191731
1987         <rdar://problem/46017305>
1988
1989         Reviewed by Saam Barati.
1990
1991         * stress/regress-191731.js: Added.
1992
1993 2018-11-13  Saam Barati  <sbarati@apple.com>
1994
1995         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1996         https://bugs.webkit.org/show_bug.cgi?id=191600
1997
1998         Reviewed by Mark Lam.
1999
2000         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2001         (foo):
2002         (test):
2003         (bar):
2004
2005 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2006
2007         Unreviewed, rolling out r238132.
2008
2009         The test added with this change is timing out on Debug JSC
2010         bots.
2011
2012         Reverted changeset:
2013
2014         "[BigInt] JSBigInt::createWithLength should throw when length
2015         is greater than JSBigInt::maxLength"
2016         https://bugs.webkit.org/show_bug.cgi?id=190836
2017         https://trac.webkit.org/changeset/238132
2018
2019 2018-11-13  Mark Lam  <mark.lam@apple.com>
2020
2021         Add OOM detection to StringPrototype's substituteBackreferences().
2022         https://bugs.webkit.org/show_bug.cgi?id=191563
2023         <rdar://problem/45720428>
2024
2025         Reviewed by Saam Barati.
2026
2027         * stress/regress-191563.js: Added.
2028
2029 2018-11-13  Mark Lam  <mark.lam@apple.com>
2030
2031         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2032         https://bugs.webkit.org/show_bug.cgi?id=191579
2033         <rdar://problem/45942472>
2034
2035         Reviewed by Saam Barati.
2036
2037         * stress/regress-191579.js: Added.
2038
2039 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2040
2041         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2042         https://bugs.webkit.org/show_bug.cgi?id=190836
2043
2044         Reviewed by Saam Barati.
2045
2046         * stress/big-int-out-of-memory-tests.js: Added.
2047
2048 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2049
2050         U+180E is no longer a whitespace character
2051         https://bugs.webkit.org/show_bug.cgi?id=191415
2052
2053         Reviewed by Saam Barati.
2054
2055         * ChakraCore/test/es5/regexSpace.baseline:
2056         * ChakraCore/test/es6/unicode_whitespace.js:
2057         Update tests to latest version.
2058         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2059
2060         * test262.yaml:
2061         * test262/config.yaml:
2062         * test262/expectations.yaml:
2063         Update expectations.
2064
2065 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2066
2067         [BigInt] Add support to BigInt into ValueAdd
2068         https://bugs.webkit.org/show_bug.cgi?id=186177
2069
2070         Reviewed by Keith Miller.
2071
2072         * stress/big-int-negate-jit.js:
2073         * stress/value-add-big-int-and-string.js: Added.
2074         * stress/value-add-big-int-prediction-propagation.js: Added.
2075         * stress/value-add-big-int-untyped.js: Added.
2076
2077 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2078
2079         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2080         https://bugs.webkit.org/show_bug.cgi?id=191184
2081
2082         Reviewed by Saam Barati.
2083
2084         Most tests were failing due to timeouts, since they are too slow to
2085         run on CLoop. The exceptions are:
2086
2087         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2088         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2089         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2090         to change the stack size since CLoop requires it to be page aligned.
2091
2092         * microbenchmarks/array-push-1.js:
2093         * microbenchmarks/array-push-2.js:
2094         * microbenchmarks/elidable-new-object-dag.js:
2095         * microbenchmarks/elidable-new-object-roflcopter.js:
2096         * microbenchmarks/elidable-new-object-tree.js:
2097         * microbenchmarks/getter-richards.js:
2098         * microbenchmarks/sinkable-new-object-dag.js:
2099         * microbenchmarks/string-concat-long-convert.js:
2100         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2101         * slowMicrobenchmarks/array-push-3.js:
2102         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2103         * slowMicrobenchmarks/spread-small-array.js:
2104         * slowMicrobenchmarks/undefined-property-access.js:
2105         * stress/activation-sink-default-value-tdz-error.js:
2106         * stress/activation-sink-default-value.js:
2107         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2108         * stress/activation-sink-osrexit-default-value.js:
2109         * stress/activation-sink-osrexit.js:
2110         * stress/activation-sink.js:
2111         * stress/allow-math-ic-b3-code-duplication.js:
2112         * stress/array-push-multiple-int32.js:
2113         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2114         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2115         * stress/arrowfunction-lexical-this-activation-sink.js:
2116         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2117         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2118         * stress/elide-new-object-dag-then-exit.js:
2119         * stress/materialize-regexp-cyclic.js:
2120         * stress/new-regex-inline.js:
2121         * stress/op_add.js:
2122         * stress/op_bitand.js:
2123         * stress/op_bitor.js:
2124         * stress/op_bitxor.js:
2125         * stress/op_div-ConstVar.js:
2126         * stress/op_div-VarConst.js:
2127         * stress/op_div-VarVar.js:
2128         * stress/op_lshift-ConstVar.js:
2129         * stress/op_lshift-VarConst.js:
2130         * stress/op_lshift-VarVar.js:
2131         * stress/op_mod-ConstVar.js:
2132         * stress/op_mod-VarConst.js:
2133         * stress/op_mod-VarVar.js:
2134         * stress/op_mul-ConstVar.js:
2135         * stress/op_mul-VarConst.js:
2136         * stress/op_mul-VarVar.js:
2137         * stress/op_rshift-ConstVar.js:
2138         * stress/op_rshift-VarConst.js:
2139         * stress/op_rshift-VarVar.js:
2140         * stress/op_sub-ConstVar.js:
2141         * stress/op_sub-VarConst.js:
2142         * stress/op_sub-VarVar.js:
2143         * stress/op_urshift-ConstVar.js:
2144         * stress/op_urshift-VarConst.js:
2145         * stress/op_urshift-VarVar.js:
2146         * stress/proxy-get-set-correct-receiver.js:
2147         * stress/regress-179562.js:
2148         * stress/rest-parameter-many-arguments.js:
2149         * stress/sampling-profiler-richards.js:
2150         * stress/splay-flash-access-1ms.js:
2151         * stress/tailCallForwardArguments.js:
2152         * stress/typed-array-get-by-val-profiling.js:
2153         * typeProfiler/getter-richards.js:
2154
2155 2018-11-06  Michael Saboff  <msaboff@apple.com>
2156
2157         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2158         https://bugs.webkit.org/show_bug.cgi?id=191271
2159
2160         Reviewed by Saam Barati.
2161
2162         Added more test cases and made all test cases run with the same deeply recursive stack
2163         instead of finding that same point for each test case.
2164
2165         * stress/regexp-compile-oom.js:
2166         (prototype.runTest):
2167         (recurseAndTest):
2168         (testList.push.new.TestAndExpectedException):
2169
2170 2018-11-05  Michael Saboff  <msaboff@apple.com>
2171
2172         Unreviewed build fix for linux.
2173
2174         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2175
2176 2018-11-02  Michael Saboff  <msaboff@apple.com>
2177
2178         Rolling in r237753 with unreviewed build fix.
2179
2180         Fixed issues with DECLARE_THROW_SCOPE placement.
2181
2182 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2183
2184         Unreviewed, rolling out r237753.
2185
2186         Introduced JSC test failures
2187
2188         Reverted changeset:
2189
2190         "Running out of stack space not properly handled in
2191         RegExp::compile() and its callers"
2192         https://bugs.webkit.org/show_bug.cgi?id=191206
2193         https://trac.webkit.org/changeset/237753
2194
2195 2018-11-02  Michael Saboff  <msaboff@apple.com>
2196
2197         Running out of stack space not properly handled in RegExp::compile() and its callers
2198         https://bugs.webkit.org/show_bug.cgi?id=191206
2199
2200         Reviewed by Filip Pizlo.
2201
2202         New regression test.
2203
2204         * stress/regexp-compile-oom.js: Added.
2205         (recurseAndTest):
2206
2207 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2208
2209         Skip tests on arm/mips that time out now we're running on CLoop
2210
2211         Unreviewed gardening.
2212
2213         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2214         time out on the bots and need to be disabled. There's more tests
2215         disabled on arm because the timeout is longer on the mips bot (as the
2216         device is slower to start with), so many of the tests don't time out
2217         there.
2218
2219         * microbenchmarks/getter-richards.js: disable on arm and mips.
2220         * stress/op_add.js: disable on arm.
2221         * stress/op_bitand.js: disable on arm.
2222         * stress/op_bitor.js: disable on arm.
2223         * stress/op_bitxor.js: disable on arm.
2224         * stress/op_lshift-ConstVar.js: disable on arm.
2225         * stress/op_lshift-VarConst.js: disable on arm.
2226         * stress/op_lshift-VarVar.js: disable on arm.
2227         * stress/op_mod-ConstVar.js: disable on arm.
2228         * stress/op_mod-VarConst.js: disable on arm.
2229         * stress/op_mod-VarVar.js: disable on arm.
2230         * stress/op_mul-ConstVar.js: disable on arm.
2231         * stress/op_mul-VarConst.js: disable on arm.
2232         * stress/op_mul-VarVar.js: disable on arm.
2233         * stress/op_rshift-ConstVar.js: disable on arm.
2234         * stress/op_rshift-VarConst.js: disable on arm.
2235         * stress/op_rshift-VarVar.js: disable on arm.
2236         * stress/op_sub-ConstVar.js: disable on arm.
2237         * stress/op_sub-VarConst.js: disable on arm.
2238         * stress/op_sub-VarVar.js: disable on arm.
2239         * stress/op_urshift-ConstVar.js: disable on arm.
2240         * stress/op_urshift-VarConst.js: disable on arm.
2241         * stress/op_urshift-VarVar.js: disable on arm.
2242         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2243         * stress/value-to-boolean.js: disable on arm and mips.
2244
2245 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2246
2247         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2248         https://bugs.webkit.org/show_bug.cgi?id=191108
2249         <rdar://problem/45690700>
2250
2251         Reviewed by Saam Barati.
2252
2253         * stress/wide-op_catch.js: Added.
2254         (catch):
2255
2256 2018-10-29  Mark Lam  <mark.lam@apple.com>
2257
2258         Correctly detect string overflow when using the 'Function' constructor.
2259         https://bugs.webkit.org/show_bug.cgi?id=184883
2260         <rdar://problem/36320331>
2261
2262         Reviewed by Saam Barati.
2263
2264         I've verified that this passes on 32-bit as well.
2265
2266         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2267
2268 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2269
2270         Add support for GetStack FlushedDouble
2271         https://bugs.webkit.org/show_bug.cgi?id=191012
2272         <rdar://problem/45265141>
2273
2274         Reviewed by Saam Barati.
2275
2276         * stress/get-stack-double.js: Added.
2277         (bar):
2278         (noInline):
2279
2280 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2281
2282         New bytecode format for JSC
2283         https://bugs.webkit.org/show_bug.cgi?id=187373
2284         <rdar://problem/44186758>
2285
2286         Reviewed by Filip Pizlo.
2287
2288         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2289
2290         * stress/maximum-inline-capacity.js: Added.
2291         (test1):
2292         (test3.Foo):
2293         (test3):
2294
2295 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2296
2297         Unreviewed, rolling out r237479 and r237484.
2298         https://bugs.webkit.org/show_bug.cgi?id=190978
2299
2300         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2301
2302         Reverted changesets:
2303
2304         "New bytecode format for JSC"
2305         https://bugs.webkit.org/show_bug.cgi?id=187373
2306         https://trac.webkit.org/changeset/237479
2307
2308         "Gardening: Build fix after r237479."
2309         https://bugs.webkit.org/show_bug.cgi?id=187373
2310         https://trac.webkit.org/changeset/237484
2311
2312 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2313
2314         New bytecode format for JSC
2315         https://bugs.webkit.org/show_bug.cgi?id=187373
2316         <rdar://problem/44186758>
2317
2318         Reviewed by Filip Pizlo.
2319
2320         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2321
2322         * stress/maximum-inline-capacity.js: Added.
2323         (test1):
2324         (test3.Foo):
2325         (test3):
2326
2327 2018-10-26  Mark Lam  <mark.lam@apple.com>
2328
2329         Fix missing edge cases with JSGlobalObjects having a bad time.
2330         https://bugs.webkit.org/show_bug.cgi?id=189028
2331         <rdar://problem/45204939>
2332
2333         Reviewed by Saam Barati.
2334
2335         * stress/regress-189028.js: Added.
2336
2337 2018-10-22  Mark Lam  <mark.lam@apple.com>
2338
2339         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2340         https://bugs.webkit.org/show_bug.cgi?id=190515
2341         <rdar://problem/45222379>
2342
2343         Rubber-stamped by Saam Barati.
2344
2345         Adding another test.
2346
2347         * stress/regress-190515-2.js: Added.
2348
2349 2018-10-22  Mark Lam  <mark.lam@apple.com>
2350
2351         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2352         https://bugs.webkit.org/show_bug.cgi?id=190515
2353         <rdar://problem/45222379>
2354
2355         Reviewed by Saam Barati.
2356
2357         * stress/regress-190515.js: Added.
2358
2359 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2360
2361         Unreviewed, rolling out r237254.
2362         https://bugs.webkit.org/show_bug.cgi?id=190760
2363
2364         "It regresses JetStream 2 by 5% on some iOS devices"
2365         (Requested by saamyjoon on #webkit).
2366
2367         Reverted changeset:
2368
2369         "[JSC] JSC should have "parseFunction" to optimize Function
2370         constructor"
2371         https://bugs.webkit.org/show_bug.cgi?id=190340
2372         https://trac.webkit.org/changeset/237254
2373
2374 2018-10-19  Saam Barati  <sbarati@apple.com>
2375
2376         vmCall should check if we exit before emitting an OSR exit due to exceptions
2377         https://bugs.webkit.org/show_bug.cgi?id=190740
2378         <rdar://problem/45220139>
2379
2380         Reviewed by Mark Lam.
2381
2382         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2383         (foo):
2384
2385 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2386
2387         [ESNext][BigInt] Implement support for "^"
2388         https://bugs.webkit.org/show_bug.cgi?id=186235
2389
2390         Reviewed by Yusuke Suzuki.
2391
2392         * stress/big-int-bitwise-xor-general.js: Added.
2393         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2394         * stress/big-int-bitwise-xor-type-error.js: Added.
2395         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2396
2397 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2398
2399         [BigInt] Add ValueSub into DFG
2400         https://bugs.webkit.org/show_bug.cgi?id=186176
2401
2402         Reviewed by Yusuke Suzuki.
2403
2404         * stress/big-int-subtraction-jit.js:
2405         * stress/value-sub-big-int-prediction-propagation.js: Added.
2406         * stress/value-sub-big-int-untyped.js: Added.
2407         * stress/value-sub-spec-none-case.js: Added.
2408
2409 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2410
2411         [JSC] JSC should have "parseFunction" to optimize Function constructor
2412         https://bugs.webkit.org/show_bug.cgi?id=190340
2413
2414         Reviewed by Mark Lam.
2415
2416         This patch fixes the line number of syntax errors raised by the Function constructor,
2417         since we now parse the final code only once. And we no longer use block statement
2418         for Function constructor's parsing.
2419
2420         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2421         * stress/function-cache-with-parameters-end-position.js: Added.
2422         (shouldBe):
2423         (shouldThrow):
2424         (i.anonymous):
2425         * stress/function-constructor-name.js: Added.
2426         (shouldBe):
2427         (GeneratorFunction):
2428         (AsyncFunction.async):
2429         (AsyncGeneratorFunction.async):
2430         (anonymous):
2431         (async.anonymous):
2432         * test262/expectations.yaml:
2433
2434 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2435
2436         Unreviewed, rolling out r237242.
2437         https://bugs.webkit.org/show_bug.cgi?id=190701
2438
2439         it breaks "stress/sampling-profiler-basic.js" (Requested by
2440         caiolima on #webkit).
2441
2442         Reverted changeset:
2443
2444         "[BigInt] Add ValueSub into DFG"
2445         https://bugs.webkit.org/show_bug.cgi?id=186176
2446         https://trac.webkit.org/changeset/237242
2447
2448 2018-10-17  Keith Miller  <keith_miller@apple.com>
2449
2450         AI does not clear Phantom allocation nodes.
2451         https://bugs.webkit.org/show_bug.cgi?id=190694
2452
2453         Reviewed by Saam Barati.
2454
2455         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2456         (Day):
2457         (DaysInYear):
2458         (TimeInYear):
2459         (TimeFromYear):
2460         (DayFromYear):
2461         (InLeapYear):
2462         (YearFromTime):
2463         (WeekDay):
2464         (DaylightSavingTA):
2465         (GetSecondSundayInMarch):
2466         (TimeInMonth):
2467
2468 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2469
2470         [BigInt] Add ValueSub into DFG
2471         https://bugs.webkit.org/show_bug.cgi?id=186176
2472
2473         Reviewed by Yusuke Suzuki.
2474
2475         * stress/big-int-subtraction-jit.js:
2476         * stress/value-sub-big-int-prediction-propagation.js: Added.
2477         * stress/value-sub-big-int-untyped.js: Added.
2478
2479 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2480
2481         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2482         https://bugs.webkit.org/show_bug.cgi?id=190611
2483
2484         Reviewed by Saam Barati.
2485
2486         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2487         to improve test runtime. On ARM/MIPS this test even timed out when running all
2488         tests.
2489
2490         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2491         (test):
2492
2493 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2494
2495         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2496
2497         Unreviewed gardening.
2498
2499         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2500
2501 2018-10-15  Saam barati  <sbarati@apple.com>
2502
2503         Emit fjcvtzs on ARM64E on Darwin
2504         https://bugs.webkit.org/show_bug.cgi?id=184023
2505
2506         Reviewed by Yusuke Suzuki and Filip Pizlo.
2507
2508         * stress/double-to-int32-NaN.js: Added.
2509         (assert):
2510         (foo):
2511
2512 2018-10-15  Saam Barati  <sbarati@apple.com>
2513
2514         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2515         https://bugs.webkit.org/show_bug.cgi?id=190262
2516         <rdar://problem/44986241>
2517
2518         Reviewed by Mark Lam.
2519
2520         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2521         (test):
2522         * stress/slice-array-storage-with-holes.js: Added.
2523         (main):
2524
2525 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2526
2527         Unreviewed, rolling out r237054.
2528         https://bugs.webkit.org/show_bug.cgi?id=190593
2529
2530         "this regressed JetStream 2 by 6% on iOS" (Requested by
2531         saamyjoon on #webkit).
2532
2533         Reverted changeset:
2534
2535         "[JSC] JSC should have "parseFunction" to optimize Function
2536         constructor"
2537         https://bugs.webkit.org/show_bug.cgi?id=190340
2538         https://trac.webkit.org/changeset/237054
2539
2540 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2541
2542         [JSC] JSON.stringify can accept call-with-no-arguments
2543         https://bugs.webkit.org/show_bug.cgi?id=190343
2544
2545         Reviewed by Mark Lam.
2546
2547         * stress/json-stringify-no-arguments.js: Added.
2548         (shouldBe):
2549
2550 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2551
2552         [JSC] JSC should have "parseFunction" to optimize Function constructor
2553         https://bugs.webkit.org/show_bug.cgi?id=190340
2554
2555         Reviewed by Mark Lam.
2556
2557         This patch fixes the line number of syntax errors raised by the Function constructor,
2558         since we now parse the final code only once. And we no longer use block statement
2559         for Function constructor's parsing.
2560
2561         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2562         * stress/function-cache-with-parameters-end-position.js: Added.
2563         (shouldBe):
2564         (shouldThrow):
2565         (i.anonymous):
2566         * stress/function-constructor-name.js: Added.
2567         (shouldBe):
2568         (GeneratorFunction):
2569         (AsyncFunction.async):
2570         (AsyncGeneratorFunction.async):
2571         (anonymous):
2572         (async.anonymous):
2573         * test262/expectations.yaml:
2574
2575 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2576
2577         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2578         https://bugs.webkit.org/show_bug.cgi?id=190426
2579
2580         Unreviewed gardening.
2581
2582         * stress/sampling-profiler-richards.js:
2583
2584 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2585
2586         [ESNext][BigInt] Implement support for "|"
2587         https://bugs.webkit.org/show_bug.cgi?id=186229
2588
2589         Reviewed by Yusuke Suzuki.
2590
2591         * stress/big-int-bitwise-and-jit.js:
2592         * stress/big-int-bitwise-or-general.js: Added.
2593         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2594         * stress/big-int-bitwise-or-jit.js: Added.
2595         * stress/big-int-bitwise-or-memory-stress.js: Added.
2596         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2597         * stress/big-int-bitwise-or-type-error.js: Added.
2598         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2599
2600 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2601
2602         Skip test on systems with limited memory
2603         https://bugs.webkit.org/show_bug.cgi?id=190310
2604
2605         Invoking runDefault adds test to runlist, skipping the test in the next
2606         line does not prevent the test from executing. Change order of lines such
2607         that runDefault is only executed if test is not executed.
2608
2609         Reviewed by Mark Lam.
2610
2611         * stress/regress-190187.js:
2612
2613 2018-10-03  Saam barati  <sbarati@apple.com>
2614
2615         lowXYZ in FTLLower should always filter the type of the incoming edge
2616         https://bugs.webkit.org/show_bug.cgi?id=189939
2617         <rdar://problem/44407030>
2618
2619         Reviewed by Michael Saboff.
2620
2621         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2622         (foo):
2623         (test):
2624
2625 2018-10-03  Mark Lam  <mark.lam@apple.com>
2626
2627         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2628         https://bugs.webkit.org/show_bug.cgi?id=190187
2629         <rdar://problem/42512909>
2630
2631         Reviewed by Michael Saboff.
2632
2633         * stress/regress-190187.js: Added.
2634
2635 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2636
2637         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2638         https://bugs.webkit.org/show_bug.cgi?id=190033
2639
2640         Reviewed by Yusuke Suzuki.
2641
2642         * stress/big-int-to-string.js:
2643
2644 2018-10-01  Mark Lam  <mark.lam@apple.com>
2645
2646         Function.toString() should also copy the source code Functions that are class definitions.
2647         https://bugs.webkit.org/show_bug.cgi?id=190186
2648         <rdar://problem/44733360>
2649
2650         Reviewed by Saam Barati.
2651
2652         * stress/regress-190186.js: Added.
2653
2654 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2655
2656         Split NaN-check into separate test
2657         https://bugs.webkit.org/show_bug.cgi?id=190010
2658
2659         Reviewed by Saam Barati.
2660
2661         DataView exposes NaN-representation, which is not necessarily the same on each
2662         architecture. Therefore move the check of the NaN-representation into its own
2663         file such that we can disable this test on MIPS where NaN-representation can be
2664         different on older CPUs.
2665
2666         * stress/dataview-jit-set-nan.js: Added.
2667         (assert):
2668         (test.storeLittleEndian):
2669         (test.storeBigEndian):
2670         (test.store):
2671         (test):
2672         * stress/dataview-jit-set.js:
2673         (test5):
2674
2675 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2676
2677         Unreviewed, rolling out r236647.
2678         https://bugs.webkit.org/show_bug.cgi?id=190124
2679
2680         Breaking test stress/big-int-to-string.js (Requested by
2681         caiolima_ on #webkit).
2682
2683         Reverted changeset:
2684
2685         "[BigInt] BigInt.proptotype.toString is broken when radix is
2686         power of 2"
2687         https://bugs.webkit.org/show_bug.cgi?id=190033
2688         https://trac.webkit.org/changeset/236647
2689
2690 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2691
2692         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2693         https://bugs.webkit.org/show_bug.cgi?id=190033
2694
2695         Reviewed by Yusuke Suzuki.
2696
2697         * stress/big-int-to-string.js:
2698
2699 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2700
2701         [ESNext][BigInt] Implement support for "&"
2702         https://bugs.webkit.org/show_bug.cgi?id=186228
2703
2704         Reviewed by Yusuke Suzuki.
2705
2706         * stress/big-int-bitwise-and-general.js: Added.
2707         (assert):
2708         (assert.sameValue):
2709         * stress/big-int-bitwise-and-jit.js: Added.
2710         (let.assert.sameValue):
2711         (bigIntBitAnd):
2712         * stress/big-int-bitwise-and-memory-stress.js: Added.
2713         (assert):
2714         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2715         (assert.sameValue):
2716         (let.o.Symbol.toPrimitive):
2717         (catch):
2718         * stress/big-int-bitwise-and-type-error.js: Added.
2719         (assert):
2720         (assertThrowTypeError):
2721         (let.o.valueOf):
2722         (o.valueOf):
2723         (o.toString):
2724         (o.Symbol.toPrimitive):
2725         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2726         (assert.sameValue):
2727         (testBitAnd):
2728         (let.o.Symbol.toPrimitive):
2729         (o.valueOf):
2730         (o.toString):
2731
2732 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2733
2734         JSC test stress/jsc-read.js doesn't support CRLF
2735         https://bugs.webkit.org/show_bug.cgi?id=190063
2736
2737         Reviewed by Yusuke Suzuki.
2738
2739         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2740
2741         * stress/jsc-read.js:
2742         (test):
2743
2744 2018-09-27  Saam barati  <sbarati@apple.com>
2745
2746         Verify the contents of AssemblerBuffer on arm64e
2747         https://bugs.webkit.org/show_bug.cgi?id=190057
2748         <rdar://problem/38916630>
2749
2750         Reviewed by Mark Lam.
2751
2752         * stress/regress-189132.js:
2753
2754 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2755
2756         Disable test without LLInt on ARMv7
2757         https://bugs.webkit.org/show_bug.cgi?id=190037
2758
2759         Reviewed by Mark Lam.
2760
2761         Test runs out of executable memory on ARMv7, do not run
2762         this test without LLInt enabled.
2763
2764         * stress/regress-169445.js:
2765
2766 2018-09-26  Keith Miller  <keith_miller@apple.com>
2767
2768         We should zero unused property storage when rebalancing array storage.
2769         https://bugs.webkit.org/show_bug.cgi?id=188151
2770
2771         Reviewed by Michael Saboff.
2772
2773         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2774
2775 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2776
2777         [JSC] Optimize Array#lastIndexOf
2778         https://bugs.webkit.org/show_bug.cgi?id=189780
2779
2780         Reviewed by Saam Barati.
2781
2782         * stress/array-lastindexof-array-prototype-trap.js: Added.
2783         (shouldBe):
2784         (AncestorArray.prototype.get 2):
2785         (AncestorArray):
2786         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2787         (shouldBe):
2788         * stress/array-lastindexof-hole-nan.js: Added.
2789         (shouldBe):
2790         (throw.new.Error):
2791         * stress/array-lastindexof-infinity.js: Added.
2792         (shouldBe):
2793         (throw.new.Error):
2794         * stress/array-lastindexof-negative-zero.js: Added.
2795         (shouldBe):
2796         (throw.new.Error):
2797         * stress/array-lastindexof-own-getter.js: Added.
2798         (shouldBe):
2799         (throw.new.Error.get array):
2800         (get array):
2801         * stress/array-lastindexof-prototype-trap.js: Added.
2802         (shouldBe):
2803         (DerivedArray.prototype.get 2):
2804         (DerivedArray):
2805
2806 2018-09-25  Saam Barati  <sbarati@apple.com>
2807
2808         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2809         https://bugs.webkit.org/show_bug.cgi?id=189940
2810         <rdar://problem/43640987>
2811
2812         Reviewed by Mark Lam.
2813
2814         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2815
2816 2018-09-24  Saam Barati  <sbarati@apple.com>
2817
2818         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2819         https://bugs.webkit.org/show_bug.cgi?id=189922
2820         <rdar://problem/44651275>
2821
2822         Reviewed by Mark Lam.
2823
2824         * stress/array-indexof-fast-path-effects.js: Added.
2825         * stress/array-indexof-cached-length.js: Added.
2826
2827 2018-09-24  Saam barati  <sbarati@apple.com>
2828
2829         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2830         https://bugs.webkit.org/show_bug.cgi?id=189682
2831         <rdar://problem/43557315>
2832
2833         Reviewed by Mark Lam.
2834
2835         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2836         (foo):
2837
2838 2018-09-22  Saam barati  <sbarati@apple.com>
2839
2840         The sampling should not use Strong<CodeBlock> in its machineLocation field
2841         https://bugs.webkit.org/show_bug.cgi?id=189319
2842
2843         Reviewed by Filip Pizlo.
2844
2845         * stress/sampling-profiler-richards.js: Added.
2846
2847 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2848
2849         [JSC] Optimize Array#indexOf in C++ runtime
2850         https://bugs.webkit.org/show_bug.cgi?id=189507
2851
2852         Reviewed by Saam Barati.
2853
2854         * stress/array-indexof-array-prototype-trap.js: Added.
2855         (shouldBe):
2856         (AncestorArray.prototype.get 2):
2857         (AncestorArray):
2858         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2859         (shouldBe):
2860         * stress/array-indexof-hole-nan.js: Added.
2861         (shouldBe):
2862         (throw.new.Error):
2863         * stress/array-indexof-infinity.js: Added.
2864         (shouldBe):
2865         (throw.new.Error):
2866         * stress/array-indexof-negative-zero.js: Added.
2867         (shouldBe):
2868         (throw.new.Error):
2869         * stress/array-indexof-own-getter.js: Added.
2870         (shouldBe):
2871         (throw.new.Error.get array):
2872         (get array):
2873         * stress/array-indexof-prototype-trap.js: Added.
2874         (shouldBe):
2875         (DerivedArray.prototype.get 2):
2876         (DerivedArray):
2877
2878 2018-09-19  Saam barati  <sbarati@apple.com>
2879
2880         AI rule for MultiPutByOffset executes its effects in the wrong order
2881         https://bugs.webkit.org/show_bug.cgi?id=189757
2882         <rdar://problem/43535257>
2883
2884         Reviewed by Michael Saboff.
2885
2886         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2887         (foo):
2888         (Foo):
2889         (g):
2890
2891 2018-09-17  Mark Lam  <mark.lam@apple.com>
2892
2893         Ensure that ForInContexts are invalidated if their loop local is over-written.
2894         https://bugs.webkit.org/show_bug.cgi?id=189571
2895         <rdar://problem/44402277>
2896
2897         Reviewed by Saam Barati.
2898
2899         * stress/regress-189571.js: Added.
2900
2901 2018-09-17  Saam barati  <sbarati@apple.com>
2902
2903         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2904         https://bugs.webkit.org/show_bug.cgi?id=189676
2905         <rdar://problem/39682897>
2906
2907         Reviewed by Michael Saboff.
2908
2909         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2910         (A):
2911         (K):
2912         (i.catch):
2913
2914 2018-09-14  Saam barati  <sbarati@apple.com>
2915
2916         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2917         https://bugs.webkit.org/show_bug.cgi?id=189628
2918         <rdar://problem/39481690>
2919
2920         Reviewed by Mark Lam.
2921
2922         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2923         (foo):
2924
2925 2018-09-11  Mark Lam  <mark.lam@apple.com>
2926
2927         Test for array initialization in arrayProtoFuncSplice.
2928         https://bugs.webkit.org/show_bug.cgi?id=170253
2929         <rdar://problem/31328773>
2930
2931         Rubber-stamped by Saam Barati.
2932
2933         * stress/regress-170253.js: Added.
2934
2935 2018-09-11  Mark Lam  <mark.lam@apple.com>
2936
2937         Test for IntlObject initialization.
2938         https://bugs.webkit.org/show_bug.cgi?id=170251
2939         <rdar://problem/31328419>
2940
2941         Rubber-stamped by Saam Barati.
2942
2943         * stress/regress-170251.js: Added.
2944
2945 2018-09-11  Mark Lam  <mark.lam@apple.com>
2946
2947         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2948         https://bugs.webkit.org/show_bug.cgi?id=169889
2949         <rdar://problem/31155607>
2950
2951         Reviewed by Saam Barati.
2952
2953         * stress/regress-169889-array-concat.js: Added.
2954         * stress/regress-169889-array-concat1.js: Added.
2955         * stress/regress-169889-array-slice.js: Added.
2956
2957 2018-09-11  Mark Lam  <mark.lam@apple.com>
2958
2959         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2960         https://bugs.webkit.org/show_bug.cgi?id=169445
2961         <rdar://problem/30957435>
2962
2963         Reviewed by Saam Barati.
2964
2965         * stress/regress-169445.js: Added.
2966         (let.gun.eval.A):
2967         (let.gun.eval.B.C):
2968         (let.gun.eval.B.C.prototype.trigger):
2969         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2970         (let.gun.eval.B):
2971         (let.gun.eval):
2972
2973 == Rolled over to ChangeLog-2018-09-11 ==