Missing a ThrowScope release in JSObject::toString().
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-18  Mark Lam  <mark.lam@apple.com>
2
3         Missing a ThrowScope release in JSObject::toString().
4         https://bugs.webkit.org/show_bug.cgi?id=195893
5         <rdar://problem/48970986>
6
7         Reviewed by Michael Saboff.
8
9         * stress/to-string-exception-check-release.js: Added.
10
11 2019-03-18  Mark Lam  <mark.lam@apple.com>
12
13         Structure::flattenDictionary() should clear unused property slots.
14         https://bugs.webkit.org/show_bug.cgi?id=195871
15         <rdar://problem/48959497>
16
17         Reviewed by Michael Saboff.
18
19         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
20
21 2019-03-15  Mark Lam  <mark.lam@apple.com>
22
23         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
24         https://bugs.webkit.org/show_bug.cgi?id=195827
25         <rdar://problem/48845513>
26
27         Reviewed by Filip Pizlo.
28
29         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
30
31 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
32
33         [ARM,MIPS] Skip slow tests
34         https://bugs.webkit.org/show_bug.cgi?id=195799
35
36         Unreviewed, test does not finish on ARM and MIPS within the
37         timeout limit.
38
39         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
40
41 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
42
43         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
44         https://bugs.webkit.org/show_bug.cgi?id=195791
45         <rdar://problem/48806130>
46
47         Reviewed by Mark Lam.
48
49         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
50         (foo):
51
52 2019-03-14  Saam barati  <sbarati@apple.com>
53
54         We can't remove code after ForceOSRExit until after FixupPhase
55         https://bugs.webkit.org/show_bug.cgi?id=186916
56         <rdar://problem/41396612>
57
58         Reviewed by Yusuke Suzuki.
59
60         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
61         (foo):
62         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
63         (foo):
64
65 2019-03-13  Michael Saboff  <msaboff@apple.com>
66
67         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
68         https://bugs.webkit.org/show_bug.cgi?id=195735
69
70         Reviewed by Mark Lam.
71
72         New regression test.
73
74         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
75         (foo):
76         (bar):
77
78 2019-03-14  Saam barati  <sbarati@apple.com>
79
80         Fixup uses KnownInt32 incorrectly in some nodes
81         https://bugs.webkit.org/show_bug.cgi?id=195279
82         <rdar://problem/47915654>
83
84         Reviewed by Yusuke Suzuki.
85
86         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
87         (foo):
88
89 2019-03-14  Keith Miller  <keith_miller@apple.com>
90
91         DFG liveness can't skip tail caller inline frames
92         https://bugs.webkit.org/show_bug.cgi?id=195715
93
94         Reviewed by Saam Barati.
95
96         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
97         (i.foo):
98
99 2019-03-13  Mark Lam  <mark.lam@apple.com>
100
101         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
102         https://bugs.webkit.org/show_bug.cgi?id=195415
103
104         Not reviewed.
105
106         Changed these tests to only run the default configuration.
107         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
108         There's no strong need to run this test on that variant.
109
110         * stress/dfg-to-string-on-int-does-gc.js:
111         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
112
113 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
114
115         String overflow when using StringBuilder in JSC::createError
116         https://bugs.webkit.org/show_bug.cgi?id=194957
117
118         Reviewed by Mark Lam.
119
120         Add test string-overflow-createError-bulder.js that overflows
121         StringBuilder in notAFunctionSourceAppender. The second new test
122         string-overflow-createError-fit.js has an error message that doesn't
123         overflow, it still failed since the String's capacity can't be doubled.
124         Run test string-overflow-createError.js only in the default
125         configuration to reduce memory consumption when running the test
126         in all configurations on multiple CPUs in parallel.
127
128         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
129         (catch):
130         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
131         (catch):
132         * stress/string-overflow-createError.js:
133
134 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
135
136         [JSC] OSR entry should respect abstract values in addition to flush formats
137         https://bugs.webkit.org/show_bug.cgi?id=195653
138
139         Reviewed by Mark Lam.
140
141         * stress/osr-entry-locals-none.js: Added.
142
143 2019-03-12  Michael Saboff  <msaboff@apple.com>
144
145         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
146         https://bugs.webkit.org/show_bug.cgi?id=195613
147
148         Reviewed by Mark Lam.
149
150         New regression test.
151
152         * stress/regexp-backref-inbounds.js: Added.
153         (testRegExp):
154
155 2019-03-12  Mark Lam  <mark.lam@apple.com>
156
157         The HasIndexedProperty node does GC.
158         https://bugs.webkit.org/show_bug.cgi?id=195559
159         <rdar://problem/48767923>
160
161         Reviewed by Yusuke Suzuki.
162
163         * stress/HasIndexedProperty-does-gc.js: Added.
164
165 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
166
167         [ESNext][BigInt] Implement "~" unary operation
168         https://bugs.webkit.org/show_bug.cgi?id=182216
169
170         Reviewed by Keith Miller.
171
172         * stress/big-int-bit-not-general.js: Added.
173         * stress/big-int-bitwise-not-jit.js: Added.
174         * stress/big-int-bitwise-not-wrapped-value.js: Added.
175         * stress/bit-op-with-object-returning-int32.js:
176         * stress/bitwise-not-fixup-rules.js: Added.
177         * stress/value-bit-not-ai-rule.js: Added.
178
179 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
180
181         Invalid flags in a RegExp literal should be an early SyntaxError
182         https://bugs.webkit.org/show_bug.cgi?id=195514
183
184         Reviewed by Darin Adler.
185
186         * test262/expectations.yaml:
187         Mark 4 test cases as passing.
188
189         * stress/regexp-syntax-error-invalid-flags.js:
190         * stress/regress-161995.js: Removed.
191         Update existing test, merging in an older test for the same behavior.
192
193 2019-03-08  Mark Lam  <mark.lam@apple.com>
194
195         Stack overflow crash in JSC::JSObject::hasInstance.
196         https://bugs.webkit.org/show_bug.cgi?id=195458
197         <rdar://problem/48710195>
198
199         Reviewed by Yusuke Suzuki.
200
201         * stress/stack-overflow-in-custom-hasInstance.js: Added.
202
203 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
204
205         op_check_tdz does not def its argument
206         https://bugs.webkit.org/show_bug.cgi?id=192880
207         <rdar://problem/46221598>
208
209         Reviewed by Saam Barati.
210
211         * microbenchmarks/let-for-in.js: Added.
212         (foo):
213
214 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
215
216         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
217         https://bugs.webkit.org/show_bug.cgi?id=195429
218
219         Reviewed by Saam Barati.
220
221         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
222         (foo):
223         * stress/string-from-char-code-255.js: Added.
224
225 2019-03-06  Mark Lam  <mark.lam@apple.com>
226
227         Fix incorrect handling of try-finally completion values.
228         https://bugs.webkit.org/show_bug.cgi?id=195131
229         <rdar://problem/46222079>
230
231         Reviewed by Saam Barati and Yusuke Suzuki.
232
233         Added many permutations of new test case to test-finally.js.  test-finally.js has
234         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
235         tests passes there as well.
236
237         * stress/test-finally.js:
238
239 2019-03-06  Saam Barati  <sbarati@apple.com>
240
241         Air::reportUsedRegisters must padInterference
242         https://bugs.webkit.org/show_bug.cgi?id=195303
243         <rdar://problem/48270343>
244
245         Reviewed by Keith Miller.
246
247         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
248
249 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
250
251         [JSC] AI should not propagate AbstractValue relying on constant folding phase
252         https://bugs.webkit.org/show_bug.cgi?id=195375
253
254         Reviewed by Saam Barati.
255
256         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
257         (let.array):
258
259 2019-03-05  Saam barati  <sbarati@apple.com>
260
261         op_switch_char broken for rope strings after JSRopeString layout rewrite
262         https://bugs.webkit.org/show_bug.cgi?id=195339
263         <rdar://problem/48592545>
264
265         Reviewed by Yusuke Suzuki.
266
267         * stress/switch-on-char-llint-rope.js: Added.
268
269 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
270
271         [JSC] Store bits for JSRopeString in 3 stores
272         https://bugs.webkit.org/show_bug.cgi?id=195234
273
274         Reviewed by Saam Barati.
275
276         * stress/null-rope-and-collectors.js: Added.
277
278 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
279
280         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
281         https://bugs.webkit.org/show_bug.cgi?id=195207
282
283         Unreviewed. After test runtime was reduced in r242213, test can be
284         run again on ARM/MIPS.
285
286         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
287
288 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] sizeof(JSString) should be 16
291         https://bugs.webkit.org/show_bug.cgi?id=194375
292
293         Reviewed by Saam Barati.
294
295         * microbenchmarks/make-rope.js: Added.
296         (makeRope):
297         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
298         (returnRope.helper): Deleted.
299         (returnRope): Deleted.
300
301 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
302
303         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
304         https://bugs.webkit.org/show_bug.cgi?id=195144
305
306         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
307         Change the number from 1e8 to 1e5.
308
309         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
310         (foo):
311
312 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
313
314         Test times out on ARM/MIPS
315         https://bugs.webkit.org/show_bug.cgi?id=195168
316
317         Unreviewed. Skip test on ARM/MIPS.
318
319         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
320
321 2019-02-27  Mark Lam  <mark.lam@apple.com>
322
323         The parser is failing to record the token location of new in new.target.
324         https://bugs.webkit.org/show_bug.cgi?id=195127
325         <rdar://problem/39645578>
326
327         Reviewed by Yusuke Suzuki.
328
329         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
330
331 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
332
333         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
334         https://bugs.webkit.org/show_bug.cgi?id=195144
335         <rdar://problem/47595961>
336
337         Reviewed by Mark Lam.
338
339         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
340         (bar):
341         (foo):
342         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
343         (bar):
344         (foo):
345
346 2019-02-27  Robin Morisset  <rmorisset@apple.com>
347
348         DFG: Loop-invariant code motion (LICM) should not hoist dead code
349         https://bugs.webkit.org/show_bug.cgi?id=194945
350         <rdar://problem/48311657>
351
352         Reviewed by Mark Lam.
353
354         * stress/licm-dead-code.js: Added.
355
356 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
357
358         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
359         https://bugs.webkit.org/show_bug.cgi?id=194677
360         <rdar://problem/48112492>
361
362         Reviewed by Mark Lam.
363
364         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
365         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
366         it immediately fails due the large size.
367
368         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
369         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
370         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
371         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
372
373         This patch changes the test to produce 16bit string from String.fromCharCode.
374
375         * stress/regress-178386.js:
376
377 2019-02-26  Mark Lam  <mark.lam@apple.com>
378
379         wasmToJS() should purify incoming NaNs.
380         https://bugs.webkit.org/show_bug.cgi?id=194807
381         <rdar://problem/48189132>
382
383         Reviewed by Saam Barati.
384
385         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
386
387 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
388
389         [JSC] Repeat string created from Array.prototype.join() take too much memory
390         https://bugs.webkit.org/show_bug.cgi?id=193912
391
392         Reviewed by Saam Barati.
393
394         Added a test and a microbenchmark for corner cases of
395         Array.prototype.join() with an uninitialized array.
396
397         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
398         * stress/array-prototype-join-uninitialized.js: Added.
399         (testArray):
400         (testABC):
401         (B):
402         (C):
403
404 2019-02-22  Robin Morisset  <rmorisset@apple.com>
405
406         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
407         https://bugs.webkit.org/show_bug.cgi?id=194953
408         <rdar://problem/47595253>
409
410         Reviewed by Saam Barati.
411
412         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
413
414         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
415
416 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
417
418         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
419         https://bugs.webkit.org/show_bug.cgi?id=172848
420         <rdar://problem/25709212>
421
422         Reviewed by Mark Lam.
423
424         * typeProfiler/inheritance.js:
425         Rewrite the test slightly for clarity. The hoisting was confusing.
426
427         * heapProfiler/class-names.js: Added.
428         (MyES5Class):
429         (MyES6Class):
430         (MyES6Subclass):
431         Test object types and improved class names.
432
433         * heapProfiler/driver/driver.js:
434         (CheapHeapSnapshotNode):
435         (CheapHeapSnapshot):
436         (createCheapHeapSnapshot):
437         (HeapSnapshot):
438         (createHeapSnapshot):
439         Update snapshot parsing from version 1 to version 2.
440
441 2019-02-19  Truitt Savell  <tsavell@apple.com>
442
443         Unreviewed, rolling out r241784.
444
445         Broke all OpenSource builds.
446
447         Reverted changeset:
448
449         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
450         instances view"
451         https://bugs.webkit.org/show_bug.cgi?id=172848
452         https://trac.webkit.org/changeset/241784
453
454 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
455
456         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
457         https://bugs.webkit.org/show_bug.cgi?id=172848
458         <rdar://problem/25709212>
459
460         Reviewed by Mark Lam.
461
462         * typeProfiler/inheritance.js:
463         Rewrite the test slightly for clarity. The hoisting was confusing.
464
465         * heapProfiler/class-names.js: Added.
466         (MyES5Class):
467         (MyES6Class):
468         (MyES6Subclass):
469         Test object types and improved class names.
470
471         * heapProfiler/driver/driver.js:
472         (CheapHeapSnapshotNode):
473         (CheapHeapSnapshot):
474         (createCheapHeapSnapshot):
475         (HeapSnapshot):
476         (createHeapSnapshot):
477         Update snapshot parsing from version 1 to version 2.
478
479 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
480
481         [ARM] Fix crash with sampling profiler
482         https://bugs.webkit.org/show_bug.cgi?id=194772
483
484         Reviewed by Mark Lam.
485
486         Do not skip test since crash with sampling profiler is now fixed.
487
488         * stress/sampling-profiler-richards.js:
489
490 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
491
492         [JSC] Add LazyClassStructure::getInitializedOnMainThread
493         https://bugs.webkit.org/show_bug.cgi?id=194784
494         <rdar://problem/48154820>
495
496         Reviewed by Mark Lam.
497
498         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
499         (getProperties):
500         (getRandomProperty):
501         (i.catch):
502
503 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
504
505         [ARM] Test gardening: Test running out of executable memory
506         https://bugs.webkit.org/show_bug.cgi?id=194771
507
508         Unreviewed. Do not run test without LLInt, test is running out of executable
509         memory on ARM otherwise.
510
511         * stress/tagged-template-object-collect.js:
512
513 2019-02-18  Tomas Popela  <tpopela@redhat.com>
514
515         Unreviewed, skip the test on platforms without sampling profiler
516
517         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
518         (platformSupportsSamplingProfiler.foo):
519         (platformSupportsSamplingProfiler.test):
520         (platformSupportsSamplingProfiler):
521         (foo): Deleted.
522         (test): Deleted.
523
524 2019-02-17  Saam Barati  <sbarati@apple.com>
525
526         Deadlock when adding a Structure property transition and then doing incremental marking
527         https://bugs.webkit.org/show_bug.cgi?id=194767
528
529         Reviewed by Mark Lam.
530
531         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
532
533 2019-02-15  Michael Saboff  <msaboff@apple.com>
534
535         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
536         https://bugs.webkit.org/show_bug.cgi?id=194558
537
538         Reviewed by Saam Barati.
539
540         New regression test.
541
542         * stress/regexp-unicode-within-string.js: Added.
543
544 2019-02-15  Mark Lam  <mark.lam@apple.com>
545
546         SamplingProfiler::stackTracesAsJSON() should escape strings.
547         https://bugs.webkit.org/show_bug.cgi?id=194649
548         <rdar://problem/48072386>
549
550         Reviewed by Saam Barati.
551
552         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
553         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
554         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
555         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
556
557 2019-02-15  Robin Morisset  <rmorisset@apple.com>
558         CodeBlock::jettison should clear related watchpoints
559         https://bugs.webkit.org/show_bug.cgi?id=194544
560
561         Reviewed by Mark Lam.
562
563         * stress/regexp-replace-double-watchpoint.js: Added.
564         (foo):
565
566 2019-02-15  Saam barati  <sbarati@apple.com>
567
568         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
569         https://bugs.webkit.org/show_bug.cgi?id=194036
570
571         Reviewed by Yusuke Suzuki.
572
573         * stress/tail-call-many-arguments.js: Added.
574         (foo):
575         (bar):
576
577 2019-02-14  Saam Barati  <sbarati@apple.com>
578
579         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
580         https://bugs.webkit.org/show_bug.cgi?id=194583
581         <rdar://problem/48028140>
582
583         Reviewed by Yusuke Suzuki.
584
585         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
586
587 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
588
589         [JSC] String.fromCharCode's slow path always generates 16bit string
590         https://bugs.webkit.org/show_bug.cgi?id=194466
591
592         Reviewed by Keith Miller.
593
594         * stress/string-from-char-code-slow-path.js: Added.
595         (shouldBe):
596         (testWithLength):
597
598 2019-02-08  Saam barati  <sbarati@apple.com>
599
600         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
601         https://bugs.webkit.org/show_bug.cgi?id=194334
602         <rdar://problem/47844327>
603
604         Reviewed by Mark Lam.
605
606         * stress/check-in-bounds-should-be-a-child-use.js: Added.
607         (func):
608
609 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
610
611         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
612         https://bugs.webkit.org/show_bug.cgi?id=194369
613         <rdar://problem/47813087>
614
615         Reviewed by Saam Barati.
616
617         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
618         (A):
619
620 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
621
622         [JSC] PrivateName to PublicName hash table is wasteful
623         https://bugs.webkit.org/show_bug.cgi?id=194277
624
625         Reviewed by Michael Saboff.
626
627         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
628
629         * ChakraCore.yaml:
630
631 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
632
633         [ARM] Test running out of executable memory
634         https://bugs.webkit.org/show_bug.cgi?id=194285
635
636         Unreviewed. Do no execute test with LLInt disabled, test runs out of
637         executable memory otherwise.
638
639         * stress/class-subclassing-function.js:
640
641 2019-02-04  Robin Morisset  <rmorisset@apple.com>
642
643         when lowering AssertNotEmpty, create the value before creating the patchpoint
644         https://bugs.webkit.org/show_bug.cgi?id=194231
645
646         Reviewed by Saam Barati.
647
648         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
649         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
650         So even tiny changes to this test can change the path code taken.
651
652         * stress/assert-not-empty.js: Added.
653         (foo):
654
655 2019-02-01  Mark Lam  <mark.lam@apple.com>
656
657         Remove invalid assertion in DFG's compileDoubleRep().
658         https://bugs.webkit.org/show_bug.cgi?id=194130
659         <rdar://problem/47699474>
660
661         Reviewed by Saam Barati.
662
663         * stress/constant-fold-double-rep-into-double-constant.js: Added.
664
665 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
666
667         Import latest Test262 updates.
668
669         Rubber-stamped by Keith Miller.
670
671         * test262.yaml: Deleted.
672         * test262/config.yaml:
673         * test262/expectations.yaml:
674         * test262/latest-changes-summary.txt:
675         * test262/test/:
676         * test262/test262-Revision.txt:
677
678 2019-01-30  Robin Morisset  <rmorisset@apple.com>
679
680         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
681         https://bugs.webkit.org/show_bug.cgi?id=194050
682         <rdar://problem/47595592>
683
684         Reviewed by Yusuke Suzuki.
685
686         * stress/object-keys-osr-exit.js: Added.
687         (foo):
688         (catch):
689
690 2019-01-29  Mark Lam  <mark.lam@apple.com>
691
692         ValueRecovery::recover() should purify NaN values it recovers.
693         https://bugs.webkit.org/show_bug.cgi?id=193978
694         <rdar://problem/47625488>
695
696         Reviewed by Saam Barati.
697
698         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
699
700 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
701
702         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
703         https://bugs.webkit.org/show_bug.cgi?id=193713
704
705         * stress/try-get-by-id-should-spill-registers-dfg.js:
706         (let.f.createBuiltin):
707
708 2019-01-28  Mark Lam  <mark.lam@apple.com>
709
710         ToString node actually does GC.
711         https://bugs.webkit.org/show_bug.cgi?id=193920
712         <rdar://problem/46695900>
713
714         Reviewed by Yusuke Suzuki.
715
716         * stress/dfg-to-string-on-int-does-gc.js: Added.
717         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
718         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
719
720 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
721
722         [JSC] NativeErrorConstructor should not have own IsoSubspace
723         https://bugs.webkit.org/show_bug.cgi?id=193713
724
725         Reviewed by Saam Barati.
726
727         Remove @Error use.
728
729         * stress/try-get-by-id-should-spill-registers-dfg.js:
730         (let.f.createBuiltin):
731
732 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
733
734         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
735         https://bugs.webkit.org/show_bug.cgi?id=190693
736
737         Reviewed by Michael Saboff.
738
739         * stress/regress-190693.js: Added.
740         (truth):
741         (assert):
742         (shouldThrowInvalidConstAssignment):
743         (taz):
744
745 2019-01-24  Saam Barati  <sbarati@apple.com>
746
747         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
748         https://bugs.webkit.org/show_bug.cgi?id=193751
749         <rdar://problem/47280215>
750
751         Reviewed by Michael Saboff.
752
753         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
754         (let.thing):
755         (foo.let.hello):
756         (foo):
757
758 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
759
760         [JSC] Reenable baseline JIT on mips
761         https://bugs.webkit.org/show_bug.cgi?id=192983
762
763         Reviewed by Mark Lam.
764
765         Added a new test for a case that was triggering a RELEASE_ASSERT when
766         testing.
767         Disable some slow tests that were already disabled for arm and x86.
768
769         * stress/json-parse-big-object.js: Added.
770         * stress/new-largeish-contiguous-array-with-size.js:
771         * stress/op_add.js:
772         * stress/op_bitand.js:
773         * stress/op_bitor.js:
774         * stress/op_bitxor.js:
775         * stress/op_lshift-ConstVar.js:
776         * stress/op_lshift-VarConst.js:
777         * stress/op_lshift-VarVar.js:
778         * stress/op_mod-ConstVar.js:
779         * stress/op_mod-VarConst.js:
780         * stress/op_mod-VarVar.js:
781         * stress/op_mul-ConstVar.js:
782         * stress/op_mul-VarConst.js:
783         * stress/op_mul-VarVar.js:
784         * stress/op_rshift-ConstVar.js:
785         * stress/op_rshift-VarConst.js:
786         * stress/op_rshift-VarVar.js:
787         * stress/op_sub-ConstVar.js:
788         * stress/op_sub-VarConst.js:
789         * stress/op_sub-VarVar.js:
790         * stress/op_urshift-ConstVar.js:
791         * stress/op_urshift-VarConst.js:
792         * stress/op_urshift-VarVar.js:
793         * stress/sampling-profiler-richards.js:
794         * stress/spread-forward-call-varargs-stack-overflow.js:
795
796 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
797
798         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
799         https://bugs.webkit.org/show_bug.cgi?id=193711
800         <rdar://problem/47250262>
801
802         Reviewed by Saam Barati.
803
804         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
805         (shouldBe):
806         (foo):
807         (bar):
808         (baz):
809
810 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
811
812         Unreviewed, fix initial global lexical binding epoch
813         https://bugs.webkit.org/show_bug.cgi?id=193603
814         <rdar://problem/47380869>
815
816         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
817         (f1.f2.f3.f4):
818         (f1.f2.f3):
819         (f1.f2):
820         (f1):
821
822 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
823
824         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
825         https://bugs.webkit.org/show_bug.cgi?id=193709
826         <rdar://problem/47363838>
827
828         Unreviewed, rollout to watch the tests.
829
830         * stress/object-tostring-changed-proto.js: Removed.
831         * stress/object-tostring-changed.js: Removed.
832         * stress/object-tostring-misc.js: Removed.
833         * stress/object-tostring-other.js: Removed.
834         * stress/object-tostring-untyped.js: Removed.
835
836 2019-01-22  Saam Barati  <sbarati@apple.com>
837
838         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
839
840         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
841         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
842         (testUncheckedLessThanZero):
843         (testUncheckedLessThanOrEqualZero):
844         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
845         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
846
847 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
848
849         [JSC] Invalidate old scope operations using global lexical binding epoch
850         https://bugs.webkit.org/show_bug.cgi?id=193603
851         <rdar://problem/47380869>
852
853         Reviewed by Saam Barati.
854
855         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
856         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
857         (shouldThrow):
858         (bar):
859         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
860         (shouldBe):
861         (get1):
862         (get2):
863         (get1If):
864         (get2If):
865         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
866         (shouldThrow):
867         (foo):
868
869 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
870
871         Unreviewed, roll out r240220 due to date-format-xparb regression
872         https://bugs.webkit.org/show_bug.cgi?id=193603
873
874         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
875         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
876         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
877         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
878
879 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
880
881         DoesGC rule is wrong for nodes with BigIntUse
882         https://bugs.webkit.org/show_bug.cgi?id=193652
883
884         Reviewed by Saam Barati.
885
886         * stress/big-int-value-op-update-gc-rules.js: Added.
887         (assert):
888         (doesGCAdd):
889         (doesGCSub):
890         (doesGCDiv):
891         (doesGCMul):
892         (doesGCBitAnd):
893         (doesGCBitOr):
894         (doesGCBitXor):
895
896 2019-01-20  Saam Barati  <sbarati@apple.com>
897
898         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
899         https://bugs.webkit.org/show_bug.cgi?id=193644
900         <rdar://problem/46209745>
901
902         Reviewed by Yusuke Suzuki.
903
904         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
905         (foo):
906         * stress/data-view-set-intrinsic-undefined-result.js: Added.
907         (foo):
908         (bar):
909
910 2019-01-20  Saam Barati  <sbarati@apple.com>
911
912         MovHint must merge NodeBytecodeUsesAsValue for its child
913         https://bugs.webkit.org/show_bug.cgi?id=186916
914         <rdar://problem/41396612>
915
916         Reviewed by Yusuke Suzuki.
917
918         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
919         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
920
921 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
922
923         [JSC] Invalidate old scope operations using global lexical binding epoch
924         https://bugs.webkit.org/show_bug.cgi?id=193603
925         <rdar://problem/47380869>
926
927         Reviewed by Saam Barati.
928
929         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
930         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
931         (shouldThrow):
932         (bar):
933         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
934         (shouldBe):
935         (get1):
936         (get2):
937         (get1If):
938         (get2If):
939         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
940         (shouldThrow):
941         (foo):
942
943 2019-01-17  Saam barati  <sbarati@apple.com>
944
945         StringObjectUse should not be a structure check for the original string object structure
946         https://bugs.webkit.org/show_bug.cgi?id=193483
947         <rdar://problem/47280522>
948
949         Reviewed by Yusuke Suzuki.
950
951         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
952         (foo):
953         (a.valueOf.0):
954
955 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
956
957         [JSC] ToThis omission in DFGByteCodeParser is wrong
958         https://bugs.webkit.org/show_bug.cgi?id=193513
959         <rdar://problem/45842236>
960
961         Reviewed by Saam Barati.
962
963         * stress/to-this-omission-with-different-strict-modes.js: Added.
964         (thisA):
965         (thisAStrictWrapper):
966
967 2019-01-15  Mark Lam  <mark.lam@apple.com>
968
969         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
970         https://bugs.webkit.org/show_bug.cgi?id=193423
971         <rdar://problem/46209355>
972
973         Reviewed by Saam Barati.
974
975         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
976         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
977         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
978         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
979
980 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
981
982         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
983         https://bugs.webkit.org/show_bug.cgi?id=193438
984         <rdar://problem/45581249>
985
986         Reviewed by Saam Barati and Keith Miller.
987
988         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
989         Then, GetByVal(String) crashed.
990
991         * stress/string-get-by-val-lowering.js: Added.
992         (shouldBe):
993         (test):
994         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
995         (Hello):
996         (foo):
997
998 2019-01-15  Tomas Popela  <tpopela@redhat.com>
999
1000         Unreviewed, skip JIT tests if it's not enabled
1001
1002         * stress/bit-op-with-object-returning-int32.js:
1003
1004 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1005
1006         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1007         https://bugs.webkit.org/show_bug.cgi?id=192966
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         * stress/bit-op-with-object-returning-int32.js: Added.
1012
1013 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1014
1015         Skip a slow test and a flakey test on arm
1016
1017         Unreviewed gardening.
1018
1019         * typeProfiler/getter-richards.js:
1020         this test always times out, it used to be always skipped on arm and
1021         mips, but got accidentally enabled by r237919 now that we have DFG on
1022         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1023
1024 2019-01-14  Keith Miller  <keith_miller@apple.com>
1025
1026         Skip type-check-hoisting-phase-hoist... with no jit
1027         https://bugs.webkit.org/show_bug.cgi?id=193421
1028
1029         Reviewed by Mark Lam.
1030
1031         It's timing out the 32-bit bots and takes 330 seconds
1032         on my machine when run by itself.
1033
1034         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1035
1036 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1037
1038         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1039         https://bugs.webkit.org/show_bug.cgi?id=193413
1040         <rdar://problem/46092389>
1041
1042         Reviewed by Keith Miller.
1043
1044         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1045         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1046         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1047         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1048
1049         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1050         (compareArray):
1051
1052 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1053
1054         [BigInt] Literal parsing is crashing when used inside a Object Literal
1055         https://bugs.webkit.org/show_bug.cgi?id=193404
1056
1057         Reviewed by Yusuke Suzuki.
1058
1059         * stress/big-int-literal-inside-literal-object.js: Added.
1060
1061 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1062
1063         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1064         https://bugs.webkit.org/show_bug.cgi?id=193372
1065
1066         Reviewed by Saam Barati.
1067
1068         * stress/typed-array-array-modes-profile.js: Added.
1069         (foo):
1070
1071 2019-01-14  Mark Lam  <mark.lam@apple.com>
1072
1073         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1074         https://bugs.webkit.org/show_bug.cgi?id=193402
1075         <rdar://problem/46012309>
1076
1077         Reviewed by Keith Miller.
1078
1079         * stress/regexp-compile-oom.js:
1080         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1081           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1082
1083 2019-01-11  Saam barati  <sbarati@apple.com>
1084
1085         DFG combined liveness can be wrong for terminal basic blocks
1086         https://bugs.webkit.org/show_bug.cgi?id=193304
1087         <rdar://problem/45268632>
1088
1089         Reviewed by Yusuke Suzuki.
1090
1091         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1092
1093 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1094
1095         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1096         https://bugs.webkit.org/show_bug.cgi?id=193308
1097         <rdar://problem/45546542>
1098
1099         Reviewed by Saam Barati.
1100
1101         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1102         (shouldThrow):
1103         (shouldBe):
1104         (foo):
1105         (get shouldThrow):
1106         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1107         (shouldThrow):
1108         (shouldBe):
1109         (foo):
1110         (get shouldBe):
1111         (get shouldThrow):
1112         (get return):
1113         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1114         (shouldThrow):
1115         (shouldBe):
1116         (foo):
1117         (get shouldBe):
1118         (get shouldThrow):
1119         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1120         (shouldThrow):
1121         (shouldBe):
1122         (foo):
1123         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1124         (shouldThrow):
1125         (shouldBe):
1126         (foo):
1127         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1128         (shouldThrow):
1129         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1130         (shouldThrow):
1131         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1132         (shouldThrow):
1133         (shouldBe):
1134         (foo):
1135         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1136         (shouldThrow):
1137         (shouldBe):
1138         (foo):
1139         (get shouldBe):
1140         (get shouldThrow):
1141         (get return):
1142         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1143         (shouldThrow):
1144         (shouldBe):
1145         (foo):
1146         (get shouldBe):
1147         (get shouldThrow):
1148         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1149         (shouldThrow):
1150         (shouldBe):
1151         (foo):
1152         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1153         (shouldThrow):
1154         (shouldBe):
1155         (foo):
1156
1157 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1158
1159         Enable DFG on ARM/Linux again
1160         https://bugs.webkit.org/show_bug.cgi?id=192496
1161
1162         Reviewed by Yusuke Suzuki.
1163
1164         Test wasn't really skipped before moving the line with skip
1165         to the top.
1166
1167         * stress/regress-192717.js:
1168
1169 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1170
1171         Unreviewed, rolling out r239825.
1172         https://bugs.webkit.org/show_bug.cgi?id=193330
1173
1174         Broke tests on armv7/linux bots (Requested by guijemont on
1175         #webkit).
1176
1177         Reverted changeset:
1178
1179         "Enable DFG on ARM/Linux again"
1180         https://bugs.webkit.org/show_bug.cgi?id=192496
1181         https://trac.webkit.org/changeset/239825
1182
1183 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1184
1185         Enable DFG on ARM/Linux again
1186         https://bugs.webkit.org/show_bug.cgi?id=192496
1187
1188         Reviewed by Yusuke Suzuki.
1189
1190         Test wasn't really skipped before moving the line with skip
1191         to the top.
1192
1193         * stress/regress-192717.js:
1194
1195 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1196
1197         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1198         https://bugs.webkit.org/show_bug.cgi?id=193127
1199
1200         Reviewed by Saam Barati.
1201
1202         * stress/array-species-create-should-handle-masquerader.js: Added.
1203         (shouldThrow):
1204         * stress/is-undefined-or-null-builtin.js: Added.
1205         (shouldBe):
1206         (isUndefinedOrNull.vm.createBuiltin):
1207
1208 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1209
1210         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1211         https://bugs.webkit.org/show_bug.cgi?id=193221
1212
1213         Reviewed by Mark Lam.
1214
1215         * stress/put-by-id-flags.js: Added.
1216         (f):
1217         (g):
1218         (numberOfDFGCompiles):
1219
1220 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1221
1222         Baseline version of get_by_id may corrupt metadata
1223         https://bugs.webkit.org/show_bug.cgi?id=193085
1224         <rdar://problem/23453006>
1225
1226         Reviewed by Saam Barati.
1227
1228         * stress/get-by-id-change-mode.js: Added.
1229         (forEach):
1230
1231 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1232
1233         [JSC] Optimize Object.prototype.toString
1234         https://bugs.webkit.org/show_bug.cgi?id=193031
1235
1236         Reviewed by Saam Barati.
1237
1238         * stress/object-tostring-changed-proto.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/object-tostring-changed.js: Added.
1242         (shouldBe):
1243         (test):
1244         * stress/object-tostring-misc.js: Added.
1245         (shouldBe):
1246         (test):
1247         (i.switch):
1248         * stress/object-tostring-other.js: Added.
1249         (shouldBe):
1250         (test):
1251         * stress/object-tostring-untyped.js: Added.
1252         (shouldBe):
1253         (test):
1254         (i.switch):
1255
1256 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1257
1258         test262-runner misbehaves when test file YAML has a trailing space
1259         https://bugs.webkit.org/show_bug.cgi?id=193053
1260
1261         Reviewed by Yusuke Suzuki.
1262
1263         * test262/expectations.yaml:
1264         Mark two dozen tests as passing (and correct the output of another).
1265
1266 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1267
1268         Unreviewed, JSTests gardening with memoryLimited
1269
1270         * stress/string-overflow-createError.js:
1271
1272 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1273
1274         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1275         https://bugs.webkit.org/show_bug.cgi?id=193050
1276
1277         Reviewed by Yusuke Suzuki.
1278
1279         * test262.yaml:
1280         * test262/expectations.yaml:
1281         Mark 16 tests as passing.
1282
1283 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1284
1285         [BigInt] Support BigInt in JSON.stringify
1286         https://bugs.webkit.org/show_bug.cgi?id=192624
1287
1288         Reviewed by Saam Barati.
1289
1290         * stress/big-int-json-stringify-to-json.js: Added.
1291         (shouldBe):
1292         (shouldThrow):
1293         (BigInt.prototype.toJSON):
1294         (shouldBe.JSON.stringify):
1295         * stress/big-int-json-stringify.js: Added.
1296         (shouldBe):
1297         (shouldThrow):
1298
1299 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1300
1301         [JSC] Implement "well-formed JSON.stringify" proposal
1302         https://bugs.webkit.org/show_bug.cgi?id=191677
1303
1304         Reviewed by Darin Adler.
1305
1306         * stress/json-surrogate-pair.js: Added.
1307         (shouldBe):
1308         * test262/expectations.yaml:
1309
1310 2018-12-20  Keith Miller  <keith_miller@apple.com>
1311
1312         Add support for globalThis
1313         https://bugs.webkit.org/show_bug.cgi?id=165171
1314
1315         Reviewed by Mark Lam.
1316
1317         * test262/config.yaml:
1318
1319 2018-12-19  Keith Miller  <keith_miller@apple.com>
1320
1321         Update test262 configuration to not run tests dependent on ICU version.
1322         https://bugs.webkit.org/show_bug.cgi?id=192920
1323
1324         Reviewed by Saam Barati.
1325
1326         * test262/expectations.yaml:
1327
1328 2018-12-20  Mark Lam  <mark.lam@apple.com>
1329
1330         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1331         https://bugs.webkit.org/show_bug.cgi?id=192939
1332         <rdar://problem/46869516>
1333
1334         Reviewed by Keith Miller.
1335
1336         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1337
1338 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1339
1340         WTF::String and StringImpl overflow MaxLength
1341         https://bugs.webkit.org/show_bug.cgi?id=192853
1342         <rdar://problem/45726906>
1343
1344         Reviewed by Mark Lam.
1345
1346         * stress/string-16bit-repeat-overflow.js: Added.
1347         (catch):
1348
1349 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1350
1351         Unreviewed follow-up to r192914.
1352
1353         * test262/expectations.yaml:
1354         Add the last 20 missing expectations.
1355
1356 2018-12-19  Keith Miller  <keith_miller@apple.com>
1357
1358         Fix test262 expectations
1359         https://bugs.webkit.org/show_bug.cgi?id=192914
1360
1361         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1362
1363         * test262/expectations.yaml:
1364
1365 2018-12-19  Keith Miller  <keith_miller@apple.com>
1366
1367         Update test262 tests.
1368         https://bugs.webkit.org/show_bug.cgi?id=192907
1369
1370         Rubber stamped by Mark Lam.
1371
1372         * test262/*: Omitted because prepare-changelog crashes.
1373
1374 2018-12-19  Mark Lam  <mark.lam@apple.com>
1375
1376         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1377         https://bugs.webkit.org/show_bug.cgi?id=192464
1378         <rdar://problem/46519455>
1379
1380         Reviewed by Saam Barati.
1381
1382         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1383         microbenchmark.
1384
1385         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1386         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1387
1388 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1389
1390         String overflow in JSC::createError results in ASSERT in WTF::makeString
1391         https://bugs.webkit.org/show_bug.cgi?id=192833
1392         <rdar://problem/45706868>
1393
1394         Reviewed by Mark Lam.
1395
1396         * stress/string-overflow-createError.js: Added.
1397
1398 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1399
1400         Error message for `-x ** y` contains a typo.
1401         https://bugs.webkit.org/show_bug.cgi?id=192832
1402
1403         Reviewed by Saam Barati.
1404
1405         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1406         (assert.assert.return.throws):
1407         * stress/pow-expects-update-expression-on-lhs.js:
1408         (throw.new.Error):
1409         Update test expectations which match against the exact error message.
1410
1411 2018-12-18  Mark Lam  <mark.lam@apple.com>
1412
1413         Gardening: test options fix.
1414         https://bugs.webkit.org/show_bug.cgi?id=192822
1415
1416         Unreviewed.
1417
1418         * stress/json-stringify-string-builder-overflow.js:
1419
1420 2018-12-18  Mark Lam  <mark.lam@apple.com>
1421
1422         JSON.stringify() should throw OOM on StringBuilder overflows.
1423         https://bugs.webkit.org/show_bug.cgi?id=192822
1424         <rdar://problem/46670577>
1425
1426         Reviewed by Saam Barati.
1427
1428         * stress/json-stringify-string-builder-overflow.js: Added.
1429
1430 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1431
1432         Redeclaration of var over let/const/class should be a syntax error.
1433         https://bugs.webkit.org/show_bug.cgi?id=192298
1434
1435         Reviewed by Keith Miller.
1436
1437         * test262.yaml:
1438         * test262/expectations.yaml:
1439         Mark 46 tests as passing.
1440
1441         * stress/block-scope-redeclarations.js:
1442         Add some new tests.
1443
1444         * stress/for-in-invalidate-context-weird-assignments.js:
1445         * stress/for-in-tests.js:
1446         Replace tests for outdated behavior with tests for SyntaxError.
1447
1448         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1449         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1450         Update expectations.
1451
1452 2018-12-18  Mark Lam  <mark.lam@apple.com>
1453
1454         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1455         https://bugs.webkit.org/show_bug.cgi?id=191374
1456         <rdar://problem/46525447>
1457
1458         Reviewed by Yusuke Suzuki.
1459
1460         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1461
1462         * stress/elidable-new-object-roflcopter-then-exit.js:
1463
1464 2018-12-17  Mark Lam  <mark.lam@apple.com>
1465
1466         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1467         https://bugs.webkit.org/show_bug.cgi?id=192019
1468         <rdar://problem/46525456>
1469
1470         Reviewed by Yusuke Suzuki.
1471
1472         The test runs too slow on 32-bit.
1473
1474         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1475
1476 2018-12-17  Mark Lam  <mark.lam@apple.com>
1477
1478         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1479         https://bugs.webkit.org/show_bug.cgi?id=191373
1480         <rdar://problem/46525458>
1481
1482         Reviewed by Yusuke Suzuki.
1483
1484         The test is already slow running with a JIT on 64-bit.  It will always timeout
1485         on 32-bit without a JIT.
1486
1487         * stress/materialize-regexp-cyclic-regexp.js:
1488
1489 2018-12-17  Mark Lam  <mark.lam@apple.com>
1490
1491         Array unshift/shift should not race against the AI in the compiler thread.
1492         https://bugs.webkit.org/show_bug.cgi?id=192795
1493         <rdar://problem/46724263>
1494
1495         Reviewed by Saam Barati.
1496
1497         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1498
1499 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1500
1501         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1502         https://bugs.webkit.org/show_bug.cgi?id=190047
1503
1504         Reviewed by Saam Barati.
1505
1506         * stress/object-keys-cached-zero.js: Added.
1507         (shouldBe):
1508         (test):
1509         * stress/object-keys-changed-attribute.js: Added.
1510         (shouldBe):
1511         (test):
1512         * stress/object-keys-changed-index.js: Added.
1513         (shouldBe):
1514         (test):
1515         * stress/object-keys-changed.js: Added.
1516         (shouldBe):
1517         (test):
1518         * stress/object-keys-indexed-non-cache.js: Added.
1519         (shouldBe):
1520         (test):
1521         * stress/object-keys-overrides-get-property-names.js: Added.
1522         (shouldBe):
1523         (test):
1524         (noInline):
1525
1526 2018-12-17  Mark Lam  <mark.lam@apple.com>
1527
1528         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1529         https://bugs.webkit.org/show_bug.cgi?id=192779
1530         <rdar://problem/46775869>
1531
1532         Reviewed by Saam Barati.
1533
1534         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1535
1536 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1537
1538         Unreviewed test gardening, address a syntax error in a new test.
1539
1540         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1541
1542 2018-12-17  Mark Lam  <mark.lam@apple.com>
1543
1544         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1545         https://bugs.webkit.org/show_bug.cgi?id=192776
1546         <rdar://problem/46772368>
1547
1548         Reviewed by Keith Miller.
1549
1550         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1551
1552 2018-12-17  Mark Lam  <mark.lam@apple.com>
1553
1554         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1555         https://bugs.webkit.org/show_bug.cgi?id=192770
1556         <rdar://problem/46449037>
1557
1558         Reviewed by Keith Miller.
1559
1560         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1561
1562 2018-12-14  Mark Lam  <mark.lam@apple.com>
1563
1564         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1565         https://bugs.webkit.org/show_bug.cgi?id=192717
1566         <rdar://problem/46660677>
1567
1568         Reviewed by Saam Barati.
1569
1570         * stress/regress-192717.js: Added.
1571
1572 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1573
1574         Unreviewed, rolling out r239153, r239154, and r239155.
1575         https://bugs.webkit.org/show_bug.cgi?id=192715
1576
1577         Caused flaky GC-related crashes seen with layout tests
1578         (Requested by ryanhaddad on #webkit).
1579
1580         Reverted changesets:
1581
1582         "[JSC] Optimize Object.keys by caching own keys results in
1583         StructureRareData"
1584         https://bugs.webkit.org/show_bug.cgi?id=190047
1585         https://trac.webkit.org/changeset/239153
1586
1587         "Unreviewed, build fix after r239153"
1588         https://bugs.webkit.org/show_bug.cgi?id=190047
1589         https://trac.webkit.org/changeset/239154
1590
1591         "Unreviewed, build fix after r239153, part 2"
1592         https://bugs.webkit.org/show_bug.cgi?id=190047
1593         https://trac.webkit.org/changeset/239155
1594
1595 2018-12-14  Keith Miller  <keith_miller@apple.com>
1596
1597         Callers of JSString::getIndex should check for OOM exceptions
1598         https://bugs.webkit.org/show_bug.cgi?id=192709
1599
1600         Reviewed by Mark Lam.
1601
1602         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1603
1604 2018-12-13  Mark Lam  <mark.lam@apple.com>
1605
1606         Add a missing exception check.
1607         https://bugs.webkit.org/show_bug.cgi?id=192626
1608         <rdar://problem/46662163>
1609
1610         Reviewed by Keith Miller.
1611
1612         * stress/regress-192626.js: Added.
1613
1614 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1615
1616         [BigInt] Add ValueDiv into DFG
1617         https://bugs.webkit.org/show_bug.cgi?id=186178
1618
1619         Reviewed by Yusuke Suzuki.
1620
1621         * stress/big-int-div-jit-osr.js: Added.
1622         * stress/big-int-div-jit-untyped.js: Added.
1623         * stress/value-div-fixup-int32-big-int.js: Added.
1624
1625 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1626
1627         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1628         https://bugs.webkit.org/show_bug.cgi?id=190047
1629
1630         Reviewed by Keith Miller.
1631
1632         * stress/object-keys-cached-zero.js: Added.
1633         (shouldBe):
1634         (test):
1635         * stress/object-keys-changed-attribute.js: Added.
1636         (shouldBe):
1637         (test):
1638         * stress/object-keys-changed-index.js: Added.
1639         (shouldBe):
1640         (test):
1641         * stress/object-keys-changed.js: Added.
1642         (shouldBe):
1643         (test):
1644         * stress/object-keys-indexed-non-cache.js: Added.
1645         (shouldBe):
1646         (test):
1647         * stress/object-keys-overrides-get-property-names.js: Added.
1648         (shouldBe):
1649         (test):
1650         (noInline):
1651
1652 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1653
1654         [DFG][FTL] Add NewSymbol
1655         https://bugs.webkit.org/show_bug.cgi?id=192620
1656
1657         Reviewed by Saam Barati.
1658
1659         * microbenchmarks/symbol-creation.js: Added.
1660         (test):
1661         * stress/symbol-description-identity.js: Added.
1662         (shouldBe):
1663         (test):
1664         * stress/symbol-identity.js: Added.
1665         (shouldBe):
1666         (test):
1667         * stress/symbol-with-description-throw-error.js: Added.
1668         (shouldBe):
1669         (shouldThrow):
1670         (test):
1671         (object.toString):
1672
1673 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1674
1675         [BigInt] Implement DFG/FTL typeof for BigInt
1676         https://bugs.webkit.org/show_bug.cgi?id=192619
1677
1678         Reviewed by Keith Miller.
1679
1680         * stress/big-int-boolean-proven-type.js: Added.
1681         (assert):
1682         (bool):
1683         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1684         (assert):
1685         (typeOf):
1686         (i.switch):
1687         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1688         (assert):
1689         (typeOf):
1690         * stress/big-int-type-of.js:
1691         (typeOf):
1692         (func):
1693
1694 2018-12-10  Mark Lam  <mark.lam@apple.com>
1695
1696         PropertyAttribute needs a CustomValue bit.
1697         https://bugs.webkit.org/show_bug.cgi?id=191993
1698         <rdar://problem/46264467>
1699
1700         Reviewed by Saam Barati.
1701
1702         * stress/regress-191993.js: Added.
1703
1704 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1705
1706         [BigInt] Add ValueMul into DFG
1707         https://bugs.webkit.org/show_bug.cgi?id=186175
1708
1709         Reviewed by Yusuke Suzuki.
1710
1711         * stress/big-int-mul-jit-osr.js: Added.
1712         * stress/big-int-mul-jit-untyped.js: Added.
1713         * stress/value-mul-fixup-int32-big-int.js: Added.
1714
1715 2018-12-06  Keith Miller  <keith_miller@apple.com>
1716
1717         stress/big-wasm-memory tests failing on 32-bit JSC bot
1718         https://bugs.webkit.org/show_bug.cgi?id=192020
1719
1720         Reviewed by Saam Barati.
1721
1722         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1723         the wasm stress tests if the WebAssembly object does not exist.
1724
1725         * stress/big-wasm-memory-grow-no-max.js:
1726         (test.foo):
1727         (test):
1728         (foo): Deleted.
1729         (catch): Deleted.
1730         * stress/big-wasm-memory-grow.js:
1731         (test.foo):
1732         (test):
1733         (foo): Deleted.
1734         (catch): Deleted.
1735         * stress/big-wasm-memory.js:
1736         (test.foo):
1737         (test):
1738         (foo): Deleted.
1739         (catch): Deleted.
1740
1741 2018-12-05  Mark Lam  <mark.lam@apple.com>
1742
1743         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1744         https://bugs.webkit.org/show_bug.cgi?id=192441
1745         <rdar://problem/46480355>
1746
1747         Reviewed by Saam Barati.
1748
1749         * stress/regress-192441.js: Added.
1750
1751 2018-12-04  Mark Lam  <mark.lam@apple.com>
1752
1753         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1754         https://bugs.webkit.org/show_bug.cgi?id=192386
1755         <rdar://problem/46445516>
1756
1757         Reviewed by Saam Barati.
1758
1759         * stress/regress-192386.js: Added.
1760
1761 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1762
1763         [ESNext][BigInt] Support logic operations
1764         https://bugs.webkit.org/show_bug.cgi?id=179903
1765
1766         Reviewed by Yusuke Suzuki.
1767
1768         * stress/big-int-branch-usage.js: Added.
1769         * stress/big-int-logical-and.js: Added.
1770         * stress/big-int-logical-not.js: Added.
1771         * stress/big-int-logical-or.js: Added.
1772
1773 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1774
1775         Unreviewed, rolling out r238833.
1776
1777         Breaks macOS and iOS debug builds.
1778
1779         Reverted changeset:
1780
1781         "[ESNext][BigInt] Support logic operations"
1782         https://bugs.webkit.org/show_bug.cgi?id=179903
1783         https://trac.webkit.org/changeset/238833
1784
1785 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1786
1787         [ESNext][BigInt] Support logic operations
1788         https://bugs.webkit.org/show_bug.cgi?id=179903
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         * stress/big-int-branch-usage.js: Added.
1793         * stress/big-int-logical-and.js: Added.
1794         * stress/big-int-logical-not.js: Added.
1795         * stress/big-int-logical-or.js: Added.
1796
1797 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1798
1799         [ESNext][BigInt] Implement support for "<<" and ">>"
1800         https://bugs.webkit.org/show_bug.cgi?id=186233
1801
1802         Reviewed by Yusuke Suzuki.
1803
1804         * stress/big-int-left-shift-general.js: Added.
1805         * stress/big-int-left-shift-range-error.js: Added.
1806         * stress/big-int-left-shift-type-error.js: Added.
1807         * stress/big-int-left-shift-wrapped-value.js: Added.
1808         * stress/big-int-right-shift-general.js: Added.
1809         * stress/big-int-right-shift-type-error.js: Added.
1810         * stress/big-int-right-shift-wrapped-value.js: Added.
1811         * stress/left-shift-to-primitive-precedence.js: Added.
1812         * stress/right-shift-to-primitive-precedence.js: Added.
1813
1814 2018-11-30  Dean Jackson  <dino@apple.com>
1815
1816         Add first-class support for .mjs files in jsc binary
1817         https://bugs.webkit.org/show_bug.cgi?id=192190
1818         <rdar://problem/46375715>
1819
1820         Reviewed by Keith Miller.
1821
1822         * stress/simple-module.mjs: Added.
1823         * stress/simple-script.js: Added.
1824
1825 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1826
1827         [BigInt] Implement ValueBitXor into DFG
1828         https://bugs.webkit.org/show_bug.cgi?id=190264
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         * stress/big-int-bitwise-xor-jit.js: Added.
1833         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1834         * stress/big-int-bitwise-xor-untyped.js: Added.
1835
1836 2018-11-27  Saam barati  <sbarati@apple.com>
1837
1838         r238510 broke scopes of size zero
1839         https://bugs.webkit.org/show_bug.cgi?id=192033
1840         <rdar://problem/46281734>
1841
1842         Reviewed by Keith Miller.
1843
1844         * stress/r238510-bad-loop.js: Added.
1845         (foo):
1846
1847 2018-11-27  Mark Lam  <mark.lam@apple.com>
1848
1849         [Re-landing] NaNs read from Wasm code needs to be be purified.
1850         https://bugs.webkit.org/show_bug.cgi?id=191056
1851         <rdar://problem/45660341>
1852
1853         Reviewed by Filip Pizlo.
1854
1855         * wasm/regress/regress-191056.js: Added.
1856
1857 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1858
1859         Unreviewed, rolling out r238509.
1860
1861         Causes JSC tests to fail on iOS.
1862
1863         Reverted changeset:
1864
1865         "NaNs read from Wasm code needs to be be purified."
1866         https://bugs.webkit.org/show_bug.cgi?id=191056
1867         https://trac.webkit.org/changeset/238509
1868
1869 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1870
1871         Re-introduce op_bitnot
1872         https://bugs.webkit.org/show_bug.cgi?id=190923
1873
1874         Reviewed by Yusuke Suzuki.
1875
1876         * stress/bit-not-must-generate.js: Added.
1877         * stress/bitwise-not-no-int32.js: Added.
1878
1879 2018-11-26  Saam barati  <sbarati@apple.com>
1880
1881         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1882         https://bugs.webkit.org/show_bug.cgi?id=191956
1883         <rdar://problem/45665806>
1884
1885         Reviewed by Yusuke Suzuki.
1886
1887         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1888         (bar):
1889         (foo):
1890
1891 2018-11-26  Saam barati  <sbarati@apple.com>
1892
1893         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1894         https://bugs.webkit.org/show_bug.cgi?id=191958
1895         <rdar://problem/46221877>
1896
1897         Reviewed by Yusuke Suzuki.
1898
1899         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1900         (x):
1901         (foo):
1902
1903 2018-11-26  Mark Lam  <mark.lam@apple.com>
1904
1905         NaNs read from Wasm code needs to be be purified.
1906         https://bugs.webkit.org/show_bug.cgi?id=191056
1907         <rdar://problem/45660341>
1908
1909         Reviewed by Filip Pizlo.
1910
1911         * wasm/regress/regress-191056.js: Added.
1912
1913 2018-11-26  Michael Saboff  <msaboff@apple.com>
1914
1915         32-bit JSC test failure: stress/regexp-compile-oom.js
1916         https://bugs.webkit.org/show_bug.cgi?id=191375
1917
1918         Reviewed by Mark Lam.
1919
1920         Disabled the test for 32 bit platforms.
1921
1922         * stress/regexp-compile-oom.js:
1923
1924 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1925
1926         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1927         https://bugs.webkit.org/show_bug.cgi?id=191716
1928         <rdar://problem/45723878>
1929
1930         Reviewed by Saam Barati.
1931
1932         * stress/regress-187373.js: Added.
1933         (async.fn):
1934
1935 2018-11-21  Saam barati  <sbarati@apple.com>
1936
1937         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1938         https://bugs.webkit.org/show_bug.cgi?id=191897
1939         <rdar://problem/45871998>
1940
1941         Reviewed by Mark Lam.
1942
1943         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1944         (bar):
1945         (foo):
1946
1947 2018-11-21  Saam barati  <sbarati@apple.com>
1948
1949         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1950         https://bugs.webkit.org/show_bug.cgi?id=191895
1951         <rdar://problem/46167406>
1952
1953         Reviewed by Mark Lam.
1954
1955         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1956         (foo):
1957         (bar):
1958
1959 2018-11-21  Mark Lam  <mark.lam@apple.com>
1960
1961         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1962         https://bugs.webkit.org/show_bug.cgi?id=191776
1963         <rdar://problem/46152851>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/big-wasm-memory-grow-no-max.js:
1968         * stress/big-wasm-memory-grow.js:
1969         * stress/big-wasm-memory.js:
1970         - updated these to expect an OutOfMemoryError.
1971
1972         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1973         (Binary.prototype.emit_u8):
1974         (Binary.prototype.emit_u32v):
1975         (Binary.prototype.emit_header):
1976         (Binary.prototype.emit_section):
1977         (Binary):
1978         (WasmModuleBuilder):
1979         (WasmModuleBuilder.prototype.addMemory):
1980         (WasmModuleBuilder.prototype.toArray):
1981         (WasmModuleBuilder.prototype.toBuffer):
1982         (WasmModuleBuilder.prototype.instantiate):
1983         (catch):
1984         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1985         (catch):
1986
1987 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1988
1989         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1990         https://bugs.webkit.org/show_bug.cgi?id=190836
1991
1992         Reviewed by Saam Barati and Yusuke Suzuki.
1993
1994         * stress/big-int-out-of-memory-tests.js: Added.
1995
1996 2018-11-20  Mark Lam  <mark.lam@apple.com>
1997
1998         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1999         https://bugs.webkit.org/show_bug.cgi?id=191856
2000         <rdar://problem/46089992>
2001
2002         Reviewed by Yusuke Suzuki.
2003
2004         * stress/regress-191856.js: Added.
2005         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2006
2007 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2008
2009         Enable JIT on ARM/Linux
2010         https://bugs.webkit.org/show_bug.cgi?id=191548
2011
2012         Reviewed by Yusuke Suzuki.
2013
2014         Disable test on system with limited memory. Program was killed by
2015         the OS before the exception was thrown.
2016
2017         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2018
2019 2018-11-20  Saam barati  <sbarati@apple.com>
2020
2021         Merging an IC variant may lead to the IC status containing overlapping structure sets
2022         https://bugs.webkit.org/show_bug.cgi?id=191869
2023         <rdar://problem/45403453>
2024
2025         Reviewed by Mark Lam.
2026
2027         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2028
2029 2018-11-19  Mark Lam  <mark.lam@apple.com>
2030
2031         globalFuncImportModule() should return a promise when it clears exceptions.
2032         https://bugs.webkit.org/show_bug.cgi?id=191792
2033         <rdar://problem/46090763>
2034
2035         Reviewed by Michael Saboff.
2036
2037         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2038
2039 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2040
2041         Skip new memory-hungry tests on memory limited devices
2042
2043         Unreviewed gardening.
2044
2045         * stress/big-wasm-memory-grow-no-max.js:
2046         * stress/big-wasm-memory-grow.js:
2047         * stress/big-wasm-memory.js:
2048
2049 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2050
2051         Unreviewed, rolling in the rest of r237254
2052         https://bugs.webkit.org/show_bug.cgi?id=190340
2053
2054         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2055         * stress/function-cache-with-parameters-end-position.js: Added.
2056         (shouldBe):
2057         (shouldThrow):
2058         (i.anonymous):
2059         * stress/function-constructor-name.js: Added.
2060         (shouldBe):
2061         (GeneratorFunction):
2062         (AsyncFunction.async):
2063         (AsyncGeneratorFunction.async):
2064         (anonymous):
2065         (async.anonymous):
2066         * test262/expectations.yaml:
2067
2068 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2069
2070         All users of ArrayBuffer should agree on the same max size
2071         https://bugs.webkit.org/show_bug.cgi?id=191771
2072
2073         Reviewed by Mark Lam.
2074
2075         * stress/big-wasm-memory-grow-no-max.js: Added.
2076         (foo):
2077         (catch):
2078         * stress/big-wasm-memory-grow.js: Added.
2079         (foo):
2080         (catch):
2081         * stress/big-wasm-memory.js: Added.
2082         (foo):
2083         (catch):
2084
2085 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2086
2087         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2088         run for each JSC config since they're regression tests for runtime bugs.
2089
2090         * stress/json-stringified-overflow-2.js:
2091         * stress/json-stringified-overflow.js:
2092
2093 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2094
2095         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2096         config since they're regression tests for runtime bugs.
2097
2098         * stress/large-unshift-splice.js:
2099         * stress/regress-185888.js:
2100
2101 2018-11-16  Saam Barati  <sbarati@apple.com>
2102
2103         KnownCellUse should also have SpecCellCheck as its type filter
2104         https://bugs.webkit.org/show_bug.cgi?id=191729
2105         <rdar://problem/45872852>
2106
2107         Reviewed by Filip Pizlo.
2108
2109         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2110         (C):
2111
2112 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2113
2114         Fix assertion failure on BytecodeGenerator::recordOpcode
2115         https://bugs.webkit.org/show_bug.cgi?id=191724
2116         <rdar://problem/45724395>
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/regress-187373-2.js: Added.
2121         (foo):
2122
2123 2018-11-15  Mark Lam  <mark.lam@apple.com>
2124
2125         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2126         https://bugs.webkit.org/show_bug.cgi?id=191730
2127         <rdar://problem/46048517>
2128
2129         Reviewed by Saam Barati.
2130
2131         * stress/regress-187006.js: Removed.
2132           - this test is invalid because its sole purpose is to test for the non-spec
2133             compliant behavior that we just fixed.
2134
2135         * stress/regress-191730.js: Added.
2136
2137 2018-11-15  Mark Lam  <mark.lam@apple.com>
2138
2139         RegExp operations should not take fast patch if lastIndex is not numeric.
2140         https://bugs.webkit.org/show_bug.cgi?id=191731
2141         <rdar://problem/46017305>
2142
2143         Reviewed by Saam Barati.
2144
2145         * stress/regress-191731.js: Added.
2146
2147 2018-11-13  Saam Barati  <sbarati@apple.com>
2148
2149         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2150         https://bugs.webkit.org/show_bug.cgi?id=191600
2151
2152         Reviewed by Mark Lam.
2153
2154         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2155         (foo):
2156         (test):
2157         (bar):
2158
2159 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2160
2161         Unreviewed, rolling out r238132.
2162
2163         The test added with this change is timing out on Debug JSC
2164         bots.
2165
2166         Reverted changeset:
2167
2168         "[BigInt] JSBigInt::createWithLength should throw when length
2169         is greater than JSBigInt::maxLength"
2170         https://bugs.webkit.org/show_bug.cgi?id=190836
2171         https://trac.webkit.org/changeset/238132
2172
2173 2018-11-13  Mark Lam  <mark.lam@apple.com>
2174
2175         Add OOM detection to StringPrototype's substituteBackreferences().
2176         https://bugs.webkit.org/show_bug.cgi?id=191563
2177         <rdar://problem/45720428>
2178
2179         Reviewed by Saam Barati.
2180
2181         * stress/regress-191563.js: Added.
2182
2183 2018-11-13  Mark Lam  <mark.lam@apple.com>
2184
2185         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2186         https://bugs.webkit.org/show_bug.cgi?id=191579
2187         <rdar://problem/45942472>
2188
2189         Reviewed by Saam Barati.
2190
2191         * stress/regress-191579.js: Added.
2192
2193 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2194
2195         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2196         https://bugs.webkit.org/show_bug.cgi?id=190836
2197
2198         Reviewed by Saam Barati.
2199
2200         * stress/big-int-out-of-memory-tests.js: Added.
2201
2202 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2203
2204         U+180E is no longer a whitespace character
2205         https://bugs.webkit.org/show_bug.cgi?id=191415
2206
2207         Reviewed by Saam Barati.
2208
2209         * ChakraCore/test/es5/regexSpace.baseline:
2210         * ChakraCore/test/es6/unicode_whitespace.js:
2211         Update tests to latest version.
2212         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2213
2214         * test262.yaml:
2215         * test262/config.yaml:
2216         * test262/expectations.yaml:
2217         Update expectations.
2218
2219 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2220
2221         [BigInt] Add support to BigInt into ValueAdd
2222         https://bugs.webkit.org/show_bug.cgi?id=186177
2223
2224         Reviewed by Keith Miller.
2225
2226         * stress/big-int-negate-jit.js:
2227         * stress/value-add-big-int-and-string.js: Added.
2228         * stress/value-add-big-int-prediction-propagation.js: Added.
2229         * stress/value-add-big-int-untyped.js: Added.
2230
2231 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2232
2233         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2234         https://bugs.webkit.org/show_bug.cgi?id=191184
2235
2236         Reviewed by Saam Barati.
2237
2238         Most tests were failing due to timeouts, since they are too slow to
2239         run on CLoop. The exceptions are:
2240
2241         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2242         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2243         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2244         to change the stack size since CLoop requires it to be page aligned.
2245
2246         * microbenchmarks/array-push-1.js:
2247         * microbenchmarks/array-push-2.js:
2248         * microbenchmarks/elidable-new-object-dag.js:
2249         * microbenchmarks/elidable-new-object-roflcopter.js:
2250         * microbenchmarks/elidable-new-object-tree.js:
2251         * microbenchmarks/getter-richards.js:
2252         * microbenchmarks/sinkable-new-object-dag.js:
2253         * microbenchmarks/string-concat-long-convert.js:
2254         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2255         * slowMicrobenchmarks/array-push-3.js:
2256         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2257         * slowMicrobenchmarks/spread-small-array.js:
2258         * slowMicrobenchmarks/undefined-property-access.js:
2259         * stress/activation-sink-default-value-tdz-error.js:
2260         * stress/activation-sink-default-value.js:
2261         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2262         * stress/activation-sink-osrexit-default-value.js:
2263         * stress/activation-sink-osrexit.js:
2264         * stress/activation-sink.js:
2265         * stress/allow-math-ic-b3-code-duplication.js:
2266         * stress/array-push-multiple-int32.js:
2267         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2268         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2269         * stress/arrowfunction-lexical-this-activation-sink.js:
2270         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2271         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2272         * stress/elide-new-object-dag-then-exit.js:
2273         * stress/materialize-regexp-cyclic.js:
2274         * stress/new-regex-inline.js:
2275         * stress/op_add.js:
2276         * stress/op_bitand.js:
2277         * stress/op_bitor.js:
2278         * stress/op_bitxor.js:
2279         * stress/op_div-ConstVar.js:
2280         * stress/op_div-VarConst.js:
2281         * stress/op_div-VarVar.js:
2282         * stress/op_lshift-ConstVar.js:
2283         * stress/op_lshift-VarConst.js:
2284         * stress/op_lshift-VarVar.js:
2285         * stress/op_mod-ConstVar.js:
2286         * stress/op_mod-VarConst.js:
2287         * stress/op_mod-VarVar.js:
2288         * stress/op_mul-ConstVar.js:
2289         * stress/op_mul-VarConst.js:
2290         * stress/op_mul-VarVar.js:
2291         * stress/op_rshift-ConstVar.js:
2292         * stress/op_rshift-VarConst.js:
2293         * stress/op_rshift-VarVar.js:
2294         * stress/op_sub-ConstVar.js:
2295         * stress/op_sub-VarConst.js:
2296         * stress/op_sub-VarVar.js:
2297         * stress/op_urshift-ConstVar.js:
2298         * stress/op_urshift-VarConst.js:
2299         * stress/op_urshift-VarVar.js:
2300         * stress/proxy-get-set-correct-receiver.js:
2301         * stress/regress-179562.js:
2302         * stress/rest-parameter-many-arguments.js:
2303         * stress/sampling-profiler-richards.js:
2304         * stress/splay-flash-access-1ms.js:
2305         * stress/tailCallForwardArguments.js:
2306         * stress/typed-array-get-by-val-profiling.js:
2307         * typeProfiler/getter-richards.js:
2308
2309 2018-11-06  Michael Saboff  <msaboff@apple.com>
2310
2311         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2312         https://bugs.webkit.org/show_bug.cgi?id=191271
2313
2314         Reviewed by Saam Barati.
2315
2316         Added more test cases and made all test cases run with the same deeply recursive stack
2317         instead of finding that same point for each test case.
2318
2319         * stress/regexp-compile-oom.js:
2320         (prototype.runTest):
2321         (recurseAndTest):
2322         (testList.push.new.TestAndExpectedException):
2323
2324 2018-11-05  Michael Saboff  <msaboff@apple.com>
2325
2326         Unreviewed build fix for linux.
2327
2328         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2329
2330 2018-11-02  Michael Saboff  <msaboff@apple.com>
2331
2332         Rolling in r237753 with unreviewed build fix.
2333
2334         Fixed issues with DECLARE_THROW_SCOPE placement.
2335
2336 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2337
2338         Unreviewed, rolling out r237753.
2339
2340         Introduced JSC test failures
2341
2342         Reverted changeset:
2343
2344         "Running out of stack space not properly handled in
2345         RegExp::compile() and its callers"
2346         https://bugs.webkit.org/show_bug.cgi?id=191206
2347         https://trac.webkit.org/changeset/237753
2348
2349 2018-11-02  Michael Saboff  <msaboff@apple.com>
2350
2351         Running out of stack space not properly handled in RegExp::compile() and its callers
2352         https://bugs.webkit.org/show_bug.cgi?id=191206
2353
2354         Reviewed by Filip Pizlo.
2355
2356         New regression test.
2357
2358         * stress/regexp-compile-oom.js: Added.
2359         (recurseAndTest):
2360
2361 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2362
2363         Skip tests on arm/mips that time out now we're running on CLoop
2364
2365         Unreviewed gardening.
2366
2367         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2368         time out on the bots and need to be disabled. There's more tests
2369         disabled on arm because the timeout is longer on the mips bot (as the
2370         device is slower to start with), so many of the tests don't time out
2371         there.
2372
2373         * microbenchmarks/getter-richards.js: disable on arm and mips.
2374         * stress/op_add.js: disable on arm.
2375         * stress/op_bitand.js: disable on arm.
2376         * stress/op_bitor.js: disable on arm.
2377         * stress/op_bitxor.js: disable on arm.
2378         * stress/op_lshift-ConstVar.js: disable on arm.
2379         * stress/op_lshift-VarConst.js: disable on arm.
2380         * stress/op_lshift-VarVar.js: disable on arm.
2381         * stress/op_mod-ConstVar.js: disable on arm.
2382         * stress/op_mod-VarConst.js: disable on arm.
2383         * stress/op_mod-VarVar.js: disable on arm.
2384         * stress/op_mul-ConstVar.js: disable on arm.
2385         * stress/op_mul-VarConst.js: disable on arm.
2386         * stress/op_mul-VarVar.js: disable on arm.
2387         * stress/op_rshift-ConstVar.js: disable on arm.
2388         * stress/op_rshift-VarConst.js: disable on arm.
2389         * stress/op_rshift-VarVar.js: disable on arm.
2390         * stress/op_sub-ConstVar.js: disable on arm.
2391         * stress/op_sub-VarConst.js: disable on arm.
2392         * stress/op_sub-VarVar.js: disable on arm.
2393         * stress/op_urshift-ConstVar.js: disable on arm.
2394         * stress/op_urshift-VarConst.js: disable on arm.
2395         * stress/op_urshift-VarVar.js: disable on arm.
2396         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2397         * stress/value-to-boolean.js: disable on arm and mips.
2398
2399 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2400
2401         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2402         https://bugs.webkit.org/show_bug.cgi?id=191108
2403         <rdar://problem/45690700>
2404
2405         Reviewed by Saam Barati.
2406
2407         * stress/wide-op_catch.js: Added.
2408         (catch):
2409
2410 2018-10-29  Mark Lam  <mark.lam@apple.com>
2411
2412         Correctly detect string overflow when using the 'Function' constructor.
2413         https://bugs.webkit.org/show_bug.cgi?id=184883
2414         <rdar://problem/36320331>
2415
2416         Reviewed by Saam Barati.
2417
2418         I've verified that this passes on 32-bit as well.
2419
2420         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2421
2422 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2423
2424         Add support for GetStack FlushedDouble
2425         https://bugs.webkit.org/show_bug.cgi?id=191012
2426         <rdar://problem/45265141>
2427
2428         Reviewed by Saam Barati.
2429
2430         * stress/get-stack-double.js: Added.
2431         (bar):
2432         (noInline):
2433
2434 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2435
2436         New bytecode format for JSC
2437         https://bugs.webkit.org/show_bug.cgi?id=187373
2438         <rdar://problem/44186758>
2439
2440         Reviewed by Filip Pizlo.
2441
2442         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2443
2444         * stress/maximum-inline-capacity.js: Added.
2445         (test1):
2446         (test3.Foo):
2447         (test3):
2448
2449 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2450
2451         Unreviewed, rolling out r237479 and r237484.
2452         https://bugs.webkit.org/show_bug.cgi?id=190978
2453
2454         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2455
2456         Reverted changesets:
2457
2458         "New bytecode format for JSC"
2459         https://bugs.webkit.org/show_bug.cgi?id=187373
2460         https://trac.webkit.org/changeset/237479
2461
2462         "Gardening: Build fix after r237479."
2463         https://bugs.webkit.org/show_bug.cgi?id=187373
2464         https://trac.webkit.org/changeset/237484
2465
2466 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2467
2468         New bytecode format for JSC
2469         https://bugs.webkit.org/show_bug.cgi?id=187373
2470         <rdar://problem/44186758>
2471
2472         Reviewed by Filip Pizlo.
2473
2474         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2475
2476         * stress/maximum-inline-capacity.js: Added.
2477         (test1):
2478         (test3.Foo):
2479         (test3):
2480
2481 2018-10-26  Mark Lam  <mark.lam@apple.com>
2482
2483         Fix missing edge cases with JSGlobalObjects having a bad time.
2484         https://bugs.webkit.org/show_bug.cgi?id=189028
2485         <rdar://problem/45204939>
2486
2487         Reviewed by Saam Barati.
2488
2489         * stress/regress-189028.js: Added.
2490
2491 2018-10-22  Mark Lam  <mark.lam@apple.com>
2492
2493         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2494         https://bugs.webkit.org/show_bug.cgi?id=190515
2495         <rdar://problem/45222379>
2496
2497         Rubber-stamped by Saam Barati.
2498
2499         Adding another test.
2500
2501         * stress/regress-190515-2.js: Added.
2502
2503 2018-10-22  Mark Lam  <mark.lam@apple.com>
2504
2505         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2506         https://bugs.webkit.org/show_bug.cgi?id=190515
2507         <rdar://problem/45222379>
2508
2509         Reviewed by Saam Barati.
2510
2511         * stress/regress-190515.js: Added.
2512
2513 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2514
2515         Unreviewed, rolling out r237254.
2516         https://bugs.webkit.org/show_bug.cgi?id=190760
2517
2518         "It regresses JetStream 2 by 5% on some iOS devices"
2519         (Requested by saamyjoon on #webkit).
2520
2521         Reverted changeset:
2522
2523         "[JSC] JSC should have "parseFunction" to optimize Function
2524         constructor"
2525         https://bugs.webkit.org/show_bug.cgi?id=190340
2526         https://trac.webkit.org/changeset/237254
2527
2528 2018-10-19  Saam Barati  <sbarati@apple.com>
2529
2530         vmCall should check if we exit before emitting an OSR exit due to exceptions
2531         https://bugs.webkit.org/show_bug.cgi?id=190740
2532         <rdar://problem/45220139>
2533
2534         Reviewed by Mark Lam.
2535
2536         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2537         (foo):
2538
2539 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2540
2541         [ESNext][BigInt] Implement support for "^"
2542         https://bugs.webkit.org/show_bug.cgi?id=186235
2543
2544         Reviewed by Yusuke Suzuki.
2545
2546         * stress/big-int-bitwise-xor-general.js: Added.
2547         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2548         * stress/big-int-bitwise-xor-type-error.js: Added.
2549         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2550
2551 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2552
2553         [BigInt] Add ValueSub into DFG
2554         https://bugs.webkit.org/show_bug.cgi?id=186176
2555
2556         Reviewed by Yusuke Suzuki.
2557
2558         * stress/big-int-subtraction-jit.js:
2559         * stress/value-sub-big-int-prediction-propagation.js: Added.
2560         * stress/value-sub-big-int-untyped.js: Added.
2561         * stress/value-sub-spec-none-case.js: Added.
2562
2563 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2564
2565         [JSC] JSC should have "parseFunction" to optimize Function constructor
2566         https://bugs.webkit.org/show_bug.cgi?id=190340
2567
2568         Reviewed by Mark Lam.
2569
2570         This patch fixes the line number of syntax errors raised by the Function constructor,
2571         since we now parse the final code only once. And we no longer use block statement
2572         for Function constructor's parsing.
2573
2574         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2575         * stress/function-cache-with-parameters-end-position.js: Added.
2576         (shouldBe):
2577         (shouldThrow):
2578         (i.anonymous):
2579         * stress/function-constructor-name.js: Added.
2580         (shouldBe):
2581         (GeneratorFunction):
2582         (AsyncFunction.async):
2583         (AsyncGeneratorFunction.async):
2584         (anonymous):
2585         (async.anonymous):
2586         * test262/expectations.yaml:
2587
2588 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2589
2590         Unreviewed, rolling out r237242.
2591         https://bugs.webkit.org/show_bug.cgi?id=190701
2592
2593         it breaks "stress/sampling-profiler-basic.js" (Requested by
2594         caiolima on #webkit).
2595
2596         Reverted changeset:
2597
2598         "[BigInt] Add ValueSub into DFG"
2599         https://bugs.webkit.org/show_bug.cgi?id=186176
2600         https://trac.webkit.org/changeset/237242
2601
2602 2018-10-17  Keith Miller  <keith_miller@apple.com>
2603
2604         AI does not clear Phantom allocation nodes.
2605         https://bugs.webkit.org/show_bug.cgi?id=190694
2606
2607         Reviewed by Saam Barati.
2608
2609         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2610         (Day):
2611         (DaysInYear):
2612         (TimeInYear):
2613         (TimeFromYear):
2614         (DayFromYear):
2615         (InLeapYear):
2616         (YearFromTime):
2617         (WeekDay):
2618         (DaylightSavingTA):
2619         (GetSecondSundayInMarch):
2620         (TimeInMonth):
2621
2622 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2623
2624         [BigInt] Add ValueSub into DFG
2625         https://bugs.webkit.org/show_bug.cgi?id=186176
2626
2627         Reviewed by Yusuke Suzuki.
2628
2629         * stress/big-int-subtraction-jit.js:
2630         * stress/value-sub-big-int-prediction-propagation.js: Added.
2631         * stress/value-sub-big-int-untyped.js: Added.
2632
2633 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2634
2635         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2636         https://bugs.webkit.org/show_bug.cgi?id=190611
2637
2638         Reviewed by Saam Barati.
2639
2640         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2641         to improve test runtime. On ARM/MIPS this test even timed out when running all
2642         tests.
2643
2644         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2645         (test):
2646
2647 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2648
2649         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2650
2651         Unreviewed gardening.
2652
2653         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2654
2655 2018-10-15  Saam barati  <sbarati@apple.com>
2656
2657         Emit fjcvtzs on ARM64E on Darwin
2658         https://bugs.webkit.org/show_bug.cgi?id=184023
2659
2660         Reviewed by Yusuke Suzuki and Filip Pizlo.
2661
2662         * stress/double-to-int32-NaN.js: Added.
2663         (assert):
2664         (foo):
2665
2666 2018-10-15  Saam Barati  <sbarati@apple.com>
2667
2668         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2669         https://bugs.webkit.org/show_bug.cgi?id=190262
2670         <rdar://problem/44986241>
2671
2672         Reviewed by Mark Lam.
2673
2674         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2675         (test):
2676         * stress/slice-array-storage-with-holes.js: Added.
2677         (main):
2678
2679 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2680
2681         Unreviewed, rolling out r237054.
2682         https://bugs.webkit.org/show_bug.cgi?id=190593
2683
2684         "this regressed JetStream 2 by 6% on iOS" (Requested by
2685         saamyjoon on #webkit).
2686
2687         Reverted changeset:
2688
2689         "[JSC] JSC should have "parseFunction" to optimize Function
2690         constructor"
2691         https://bugs.webkit.org/show_bug.cgi?id=190340
2692         https://trac.webkit.org/changeset/237054
2693
2694 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2695
2696         [JSC] JSON.stringify can accept call-with-no-arguments
2697         https://bugs.webkit.org/show_bug.cgi?id=190343
2698
2699         Reviewed by Mark Lam.
2700
2701         * stress/json-stringify-no-arguments.js: Added.
2702         (shouldBe):
2703
2704 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2705
2706         [JSC] JSC should have "parseFunction" to optimize Function constructor
2707         https://bugs.webkit.org/show_bug.cgi?id=190340
2708
2709         Reviewed by Mark Lam.
2710
2711         This patch fixes the line number of syntax errors raised by the Function constructor,
2712         since we now parse the final code only once. And we no longer use block statement
2713         for Function constructor's parsing.
2714
2715         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2716         * stress/function-cache-with-parameters-end-position.js: Added.
2717         (shouldBe):
2718         (shouldThrow):
2719         (i.anonymous):
2720         * stress/function-constructor-name.js: Added.
2721         (shouldBe):
2722         (GeneratorFunction):
2723         (AsyncFunction.async):
2724         (AsyncGeneratorFunction.async):
2725         (anonymous):
2726         (async.anonymous):
2727         * test262/expectations.yaml:
2728
2729 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2730
2731         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2732         https://bugs.webkit.org/show_bug.cgi?id=190426
2733
2734         Unreviewed gardening.
2735
2736         * stress/sampling-profiler-richards.js:
2737
2738 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2739
2740         [ESNext][BigInt] Implement support for "|"
2741         https://bugs.webkit.org/show_bug.cgi?id=186229
2742
2743         Reviewed by Yusuke Suzuki.
2744
2745         * stress/big-int-bitwise-and-jit.js:
2746         * stress/big-int-bitwise-or-general.js: Added.
2747         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2748         * stress/big-int-bitwise-or-jit.js: Added.
2749         * stress/big-int-bitwise-or-memory-stress.js: Added.
2750         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2751         * stress/big-int-bitwise-or-type-error.js: Added.
2752         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2753
2754 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2755
2756         Skip test on systems with limited memory
2757         https://bugs.webkit.org/show_bug.cgi?id=190310
2758
2759         Invoking runDefault adds test to runlist, skipping the test in the next
2760         line does not prevent the test from executing. Change order of lines such
2761         that runDefault is only executed if test is not executed.
2762
2763         Reviewed by Mark Lam.
2764
2765         * stress/regress-190187.js:
2766
2767 2018-10-03  Saam barati  <sbarati@apple.com>
2768
2769         lowXYZ in FTLLower should always filter the type of the incoming edge
2770         https://bugs.webkit.org/show_bug.cgi?id=189939
2771         <rdar://problem/44407030>
2772
2773         Reviewed by Michael Saboff.
2774
2775         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2776         (foo):
2777         (test):
2778
2779 2018-10-03  Mark Lam  <mark.lam@apple.com>
2780
2781         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2782         https://bugs.webkit.org/show_bug.cgi?id=190187
2783         <rdar://problem/42512909>
2784
2785         Reviewed by Michael Saboff.
2786
2787         * stress/regress-190187.js: Added.
2788
2789 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2790
2791         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2792         https://bugs.webkit.org/show_bug.cgi?id=190033
2793
2794         Reviewed by Yusuke Suzuki.
2795
2796         * stress/big-int-to-string.js:
2797
2798 2018-10-01  Mark Lam  <mark.lam@apple.com>
2799
2800         Function.toString() should also copy the source code Functions that are class definitions.
2801         https://bugs.webkit.org/show_bug.cgi?id=190186
2802         <rdar://problem/44733360>
2803
2804         Reviewed by Saam Barati.
2805
2806         * stress/regress-190186.js: Added.
2807
2808 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2809
2810         Split NaN-check into separate test
2811         https://bugs.webkit.org/show_bug.cgi?id=190010
2812
2813         Reviewed by Saam Barati.
2814
2815         DataView exposes NaN-representation, which is not necessarily the same on each
2816         architecture. Therefore move the check of the NaN-representation into its own
2817         file such that we can disable this test on MIPS where NaN-representation can be
2818         different on older CPUs.
2819
2820         * stress/dataview-jit-set-nan.js: Added.
2821         (assert):
2822         (test.storeLittleEndian):
2823         (test.storeBigEndian):
2824         (test.store):
2825         (test):
2826         * stress/dataview-jit-set.js:
2827         (test5):
2828
2829 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2830
2831         Unreviewed, rolling out r236647.
2832         https://bugs.webkit.org/show_bug.cgi?id=190124
2833
2834         Breaking test stress/big-int-to-string.js (Requested by
2835         caiolima_ on #webkit).
2836
2837         Reverted changeset:
2838
2839         "[BigInt] BigInt.proptotype.toString is broken when radix is
2840         power of 2"
2841         https://bugs.webkit.org/show_bug.cgi?id=190033
2842         https://trac.webkit.org/changeset/236647
2843
2844 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2845
2846         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2847         https://bugs.webkit.org/show_bug.cgi?id=190033
2848
2849         Reviewed by Yusuke Suzuki.
2850
2851         * stress/big-int-to-string.js:
2852
2853 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2854
2855         [ESNext][BigInt] Implement support for "&"
2856         https://bugs.webkit.org/show_bug.cgi?id=186228
2857
2858         Reviewed by Yusuke Suzuki.
2859
2860         * stress/big-int-bitwise-and-general.js: Added.
2861         (assert):
2862         (assert.sameValue):
2863         * stress/big-int-bitwise-and-jit.js: Added.
2864         (let.assert.sameValue):
2865         (bigIntBitAnd):
2866         * stress/big-int-bitwise-and-memory-stress.js: Added.
2867         (assert):
2868         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2869         (assert.sameValue):
2870         (let.o.Symbol.toPrimitive):
2871         (catch):
2872         * stress/big-int-bitwise-and-type-error.js: Added.
2873         (assert):
2874         (assertThrowTypeError):
2875         (let.o.valueOf):
2876         (o.valueOf):
2877         (o.toString):
2878         (o.Symbol.toPrimitive):
2879         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2880         (assert.sameValue):
2881         (testBitAnd):
2882         (let.o.Symbol.toPrimitive):
2883         (o.valueOf):
2884         (o.toString):
2885
2886 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2887
2888         JSC test stress/jsc-read.js doesn't support CRLF
2889         https://bugs.webkit.org/show_bug.cgi?id=190063
2890
2891         Reviewed by Yusuke Suzuki.
2892
2893         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2894
2895         * stress/jsc-read.js:
2896         (test):
2897
2898 2018-09-27  Saam barati  <sbarati@apple.com>
2899
2900         Verify the contents of AssemblerBuffer on arm64e
2901         https://bugs.webkit.org/show_bug.cgi?id=190057
2902         <rdar://problem/38916630>
2903
2904         Reviewed by Mark Lam.
2905
2906         * stress/regress-189132.js:
2907
2908 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2909
2910         Disable test without LLInt on ARMv7
2911         https://bugs.webkit.org/show_bug.cgi?id=190037
2912
2913         Reviewed by Mark Lam.
2914
2915         Test runs out of executable memory on ARMv7, do not run
2916         this test without LLInt enabled.
2917
2918         * stress/regress-169445.js:
2919
2920 2018-09-26  Keith Miller  <keith_miller@apple.com>
2921
2922         We should zero unused property storage when rebalancing array storage.
2923         https://bugs.webkit.org/show_bug.cgi?id=188151
2924
2925         Reviewed by Michael Saboff.
2926
2927         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2928
2929 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2930
2931         [JSC] Optimize Array#lastIndexOf
2932         https://bugs.webkit.org/show_bug.cgi?id=189780
2933
2934         Reviewed by Saam Barati.
2935
2936         * stress/array-lastindexof-array-prototype-trap.js: Added.
2937         (shouldBe):
2938         (AncestorArray.prototype.get 2):
2939         (AncestorArray):
2940         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2941         (shouldBe):
2942         * stress/array-lastindexof-hole-nan.js: Added.
2943         (shouldBe):
2944         (throw.new.Error):
2945         * stress/array-lastindexof-infinity.js: Added.
2946         (shouldBe):
2947         (throw.new.Error):
2948         * stress/array-lastindexof-negative-zero.js: Added.
2949         (shouldBe):
2950         (throw.new.Error):
2951         * stress/array-lastindexof-own-getter.js: Added.
2952         (shouldBe):
2953         (throw.new.Error.get array):
2954         (get array):
2955         * stress/array-lastindexof-prototype-trap.js: Added.
2956         (shouldBe):
2957         (DerivedArray.prototype.get 2):
2958         (DerivedArray):
2959
2960 2018-09-25  Saam Barati  <sbarati@apple.com>
2961
2962         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2963         https://bugs.webkit.org/show_bug.cgi?id=189940
2964         <rdar://problem/43640987>
2965
2966         Reviewed by Mark Lam.
2967
2968         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2969
2970 2018-09-24  Saam Barati  <sbarati@apple.com>
2971
2972         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2973         https://bugs.webkit.org/show_bug.cgi?id=189922
2974         <rdar://problem/44651275>
2975
2976         Reviewed by Mark Lam.
2977
2978         * stress/array-indexof-fast-path-effects.js: Added.
2979         * stress/array-indexof-cached-length.js: Added.
2980
2981 2018-09-24  Saam barati  <sbarati@apple.com>
2982
2983         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2984         https://bugs.webkit.org/show_bug.cgi?id=189682
2985         <rdar://problem/43557315>
2986
2987         Reviewed by Mark Lam.
2988
2989         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2990         (foo):
2991
2992 2018-09-22  Saam barati  <sbarati@apple.com>
2993
2994         The sampling should not use Strong<CodeBlock> in its machineLocation field
2995         https://bugs.webkit.org/show_bug.cgi?id=189319
2996
2997         Reviewed by Filip Pizlo.
2998
2999         * stress/sampling-profiler-richards.js: Added.
3000
3001 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3002
3003         [JSC] Optimize Array#indexOf in C++ runtime
3004         https://bugs.webkit.org/show_bug.cgi?id=189507
3005
3006         Reviewed by Saam Barati.
3007
3008         * stress/array-indexof-array-prototype-trap.js: Added.
3009         (shouldBe):
3010         (AncestorArray.prototype.get 2):
3011         (AncestorArray):
3012         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3013         (shouldBe):
3014         * stress/array-indexof-hole-nan.js: Added.
3015         (shouldBe):
3016         (throw.new.Error):
3017         * stress/array-indexof-infinity.js: Added.
3018         (shouldBe):
3019         (throw.new.Error):
3020         * stress/array-indexof-negative-zero.js: Added.
3021         (shouldBe):
3022         (throw.new.Error):
3023         * stress/array-indexof-own-getter.js: Added.
3024         (shouldBe):
3025         (throw.new.Error.get array):
3026         (get array):
3027         * stress/array-indexof-prototype-trap.js: Added.
3028         (shouldBe):
3029         (DerivedArray.prototype.get 2):
3030         (DerivedArray):
3031
3032 2018-09-19  Saam barati  <sbarati@apple.com>
3033
3034         AI rule for MultiPutByOffset executes its effects in the wrong order
3035         https://bugs.webkit.org/show_bug.cgi?id=189757
3036         <rdar://problem/43535257>
3037
3038         Reviewed by Michael Saboff.
3039
3040         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3041         (foo):
3042         (Foo):
3043         (g):
3044
3045 2018-09-17  Mark Lam  <mark.lam@apple.com>
3046
3047         Ensure that ForInContexts are invalidated if their loop local is over-written.
3048         https://bugs.webkit.org/show_bug.cgi?id=189571
3049         <rdar://problem/44402277>
3050
3051         Reviewed by Saam Barati.
3052
3053         * stress/regress-189571.js: Added.
3054
3055 2018-09-17  Saam barati  <sbarati@apple.com>
3056
3057         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3058         https://bugs.webkit.org/show_bug.cgi?id=189676
3059         <rdar://problem/39682897>
3060
3061         Reviewed by Michael Saboff.
3062
3063         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3064         (A):
3065         (K):
3066         (i.catch):
3067
3068 2018-09-14  Saam barati  <sbarati@apple.com>
3069
3070         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3071         https://bugs.webkit.org/show_bug.cgi?id=189628
3072         <rdar://problem/39481690>
3073
3074         Reviewed by Mark Lam.
3075
3076         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3077         (foo):
3078
3079 2018-09-11  Mark Lam  <mark.lam@apple.com>
3080
3081         Test for array initialization in arrayProtoFuncSplice.
3082         https://bugs.webkit.org/show_bug.cgi?id=170253
3083         <rdar://problem/31328773>
3084
3085         Rubber-stamped by Saam Barati.
3086
3087         * stress/regress-170253.js: Added.
3088
3089 2018-09-11  Mark Lam  <mark.lam@apple.com>
3090
3091         Test for IntlObject initialization.
3092         https://bugs.webkit.org/show_bug.cgi?id=170251
3093         <rdar://problem/31328419>
3094
3095         Rubber-stamped by Saam Barati.
3096
3097         * stress/regress-170251.js: Added.
3098
3099 2018-09-11  Mark Lam  <mark.lam@apple.com>
3100
3101         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3102         https://bugs.webkit.org/show_bug.cgi?id=169889
3103         <rdar://problem/31155607>
3104
3105         Reviewed by Saam Barati.
3106
3107         * stress/regress-169889-array-concat.js: Added.
3108         * stress/regress-169889-array-concat1.js: Added.
3109         * stress/regress-169889-array-slice.js: Added.
3110
3111 2018-09-11  Mark Lam  <mark.lam@apple.com>
3112
3113         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3114         https://bugs.webkit.org/show_bug.cgi?id=169445
3115         <rdar://problem/30957435>
3116
3117         Reviewed by Saam Barati.
3118
3119         * stress/regress-169445.js: Added.
3120         (let.gun.eval.A):
3121         (let.gun.eval.B.C):
3122         (let.gun.eval.B.C.prototype.trigger):
3123         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3124         (let.gun.eval.B):
3125         (let.gun.eval):
3126
3127 == Rolled over to ChangeLog-2018-09-11 ==