[WebKit-https.git] / JSTests / ChangeLog
2019-03-18  Mark Lam  <mark.lam@apple.com>

        Structure::flattenDictionary() should clear unused property slots.
        https://bugs.webkit.org/show_bug.cgi?id=195871
        <rdar://problem/48959497>

        Reviewed by Michael Saboff.

        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

2019-03-15  Mark Lam  <mark.lam@apple.com>

        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=195827
        <rdar://problem/48845513>

        Reviewed by Filip Pizlo.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.

2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM,MIPS] Skip slow tests
        https://bugs.webkit.org/show_bug.cgi?id=195799

        Unreviewed, test does not finish on ARM and MIPS within the
        timeout limit.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
        https://bugs.webkit.org/show_bug.cgi?id=195791
        <rdar://problem/48806130>

        Reviewed by Mark Lam.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
        (foo):

2019-03-14  Saam barati  <sbarati@apple.com>

        We can't remove code after ForceOSRExit until after FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
        (foo):
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
        (foo):

2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-bulder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry should respect abstract values in addition to flush formats
        https://bugs.webkit.org/show_bug.cgi?id=195653

        Reviewed by Mark Lam.

        * stress/osr-entry-locals-none.js: Added.

2019-03-12  Michael Saboff  <msaboff@apple.com>

        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
        https://bugs.webkit.org/show_bug.cgi?id=195613

        Reviewed by Mark Lam.

        New regression test.

        * stress/regexp-backref-inbounds.js: Added.
        (testRegExp):

2019-03-12  Mark Lam  <mark.lam@apple.com>

        The HasIndexedProperty node does GC.
        https://bugs.webkit.org/show_bug.cgi?id=195559
        <rdar://problem/48767923>

        Reviewed by Yusuke Suzuki.

        * stress/HasIndexedProperty-does-gc.js: Added.

2019-03-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "~" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182216

        Reviewed by Keith Miller.

        * stress/big-int-bit-not-general.js: Added.
        * stress/big-int-bitwise-not-jit.js: Added.
        * stress/big-int-bitwise-not-wrapped-value.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/bitwise-not-fixup-rules.js: Added.
        * stress/value-bit-not-ai-rule.js: Added.

2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>

        Invalid flags in a RegExp literal should be an early SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=195514

        Reviewed by Darin Adler.

        * test262/expectations.yaml:
        Mark 4 test cases as passing.

        * stress/regexp-syntax-error-invalid-flags.js:
        * stress/regress-161995.js: Removed.
        Update existing test, merging in an older test for the same behavior.

2019-03-08  Mark Lam  <mark.lam@apple.com>

        Stack overflow crash in JSC::JSObject::hasInstance.
        https://bugs.webkit.org/show_bug.cgi?id=195458
        <rdar://problem/48710195>

        Reviewed by Yusuke Suzuki.

        * stress/stack-overflow-in-custom-hasInstance.js: Added.

2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>

        op_check_tdz does not def its argument
        https://bugs.webkit.org/show_bug.cgi?id=192880
        <rdar://problem/46221598>

        Reviewed by Saam Barati.

        * microbenchmarks/let-for-in.js: Added.
        (foo):

2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=195429

        Reviewed by Saam Barati.

        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
        (foo):
        * stress/string-from-char-code-255.js: Added.

2019-03-06  Mark Lam  <mark.lam@apple.com>

        Fix incorrect handling of try-finally completion values.
        https://bugs.webkit.org/show_bug.cgi?id=195131
        <rdar://problem/46222079>

        Reviewed by Saam Barati and Yusuke Suzuki.

        Added many permutations of new test case to test-finally.js.  test-finally.js has
        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
        tests pass there as well.

        * stress/test-finally.js:

2019-03-06  Saam Barati  <sbarati@apple.com>

        Air::reportUsedRegisters must padInterference
        https://bugs.webkit.org/show_bug.cgi?id=195303
        <rdar://problem/48270343>

        Reviewed by Keith Miller.

        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.

2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI should not propagate AbstractValue relying on constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=195375

        Reviewed by Saam Barati.

        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
        (let.array):

2019-03-05  Saam barati  <sbarati@apple.com>

        op_switch_char broken for rope strings after JSRopeString layout rewrite
        https://bugs.webkit.org/show_bug.cgi?id=195339
        <rdar://problem/48592545>

        Reviewed by Yusuke Suzuki.

        * stress/switch-on-char-llint-rope.js: Added.

2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store bits for JSRopeString in 3 stores
        https://bugs.webkit.org/show_bug.cgi?id=195234

        Reviewed by Saam Barati.

        * stress/null-rope-and-collectors.js: Added.

2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195207

        Unreviewed. After test runtime was reduced in r242213, test can be
        run again on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sizeof(JSString) should be 16
        https://bugs.webkit.org/show_bug.cgi?id=194375

        Reviewed by Saam Barati.

        * microbenchmarks/make-rope.js: Added.
        (makeRope):
        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
        (returnRope.helper): Deleted.
        (returnRope): Deleted.

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
        https://bugs.webkit.org/show_bug.cgi?id=195144

        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
        Change the number from 1e8 to 1e5.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        (foo):

2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        Test times out on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195168

        Unreviewed. Skip test on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-27  Mark Lam  <mark.lam@apple.com>

        The parser is failing to record the token location of new in new.target.
        https://bugs.webkit.org/show_bug.cgi?id=195127
        <rdar://problem/39645578>

        Reviewed by Yusuke Suzuki.

        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.

2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
        https://bugs.webkit.org/show_bug.cgi?id=195144
        <rdar://problem/47595961>

        Reviewed by Mark Lam.

        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
        (bar):
        (foo):
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
        (bar):
        (foo):

2019-02-27  Robin Morisset  <rmorisset@apple.com>

        DFG: Loop-invariant code motion (LICM) should not hoist dead code
        https://bugs.webkit.org/show_bug.cgi?id=194945
        <rdar://problem/48311657>

        Reviewed by Mark Lam.

        * stress/licm-dead-code.js: Added.

2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
        https://bugs.webkit.org/show_bug.cgi?id=194677
        <rdar://problem/48112492>

        Reviewed by Mark Lam.

        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
        it immediately fails due to the large size.

        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
        time and that is why stress/regress-178386.js starts timing out. Note that the test fails with
        OOM error anyway because JSON.stringify's builder overflows with such a large string input.

        This patch changes the test to produce 16bit string from String.fromCharCode.

        * stress/regress-178386.js:

2019-02-26  Mark Lam  <mark.lam@apple.com>

        wasmToJS() should purify incoming NaNs.
        https://bugs.webkit.org/show_bug.cgi?id=194807
        <rdar://problem/48189132>

        Reviewed by Saam Barati.

        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.

2019-02-26  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Repeat string created from Array.prototype.join() take too much memory
        https://bugs.webkit.org/show_bug.cgi?id=193912

        Reviewed by Saam Barati.

        Added a test and a microbenchmark for corner cases of
        Array.prototype.join() with an uninitialized array.

        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
        * stress/array-prototype-join-uninitialized.js: Added.
        (testArray):
        (testABC):
        (B):
        (C):

2019-02-22  Robin Morisset  <rmorisset@apple.com>

        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
        https://bugs.webkit.org/show_bug.cgi?id=194953
        <rdar://problem/47595253>

        Reviewed by Saam Barati.

        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

        * stress/has-indexed-property-with-worsening-array-mode.js: Added.

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        Do not skip test since crash with sampling profiler is now fixed.

        * stress/sampling-profiler-richards.js:

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
        (getProperties):
        (getRandomProperty):
        (i.catch):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test gardening: Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194771

        Unreviewed. Do not run test without LLInt, test is running out of executable
        memory on ARM otherwise.

        * stress/tagged-template-object-collect.js:

2019-02-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip the test on platforms without sampling profiler

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler):
        (foo): Deleted.
        (test): Deleted.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        New regression test.

        * stress/regexp-unicode-within-string.js: Added.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * stress/regexp-replace-double-watchpoint.js: Added.
        (foo):

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        * stress/tail-call-many-arguments.js: Added.
        (foo):
        (bar):

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        * stress/string-from-char-code-slow-path.js: Added.
        (shouldBe):
        (testWithLength):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * stress/check-in-bounds-should-be-a-child-use.js: Added.
        (func):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
        (A):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.

        * ChakraCore.yaml:

2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194285

        Unreviewed. Do not execute test with LLInt disabled, test runs out of
        executable memory otherwise.

        * stress/class-subclassing-function.js:

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
        So even tiny changes to this test can change the path code taken.

        * stress/assert-not-empty.js: Added.
        (foo):

2019-02-01  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in DFG's compileDoubleRep().
        https://bugs.webkit.org/show_bug.cgi?id=194130
        <rdar://problem/47699474>

        Reviewed by Saam Barati.

        * stress/constant-fold-double-rep-into-double-constant.js: Added.

2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>

        Import latest Test262 updates.

        Rubber-stamped by Keith Miller.

        * test262.yaml: Deleted.
        * test262/config.yaml:
        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Reviewed by Yusuke Suzuki.

        * stress/object-keys-osr-exit.js: Added.
        (foo):
        (catch):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
787
788         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
789         https://bugs.webkit.org/show_bug.cgi?id=193711
790         <rdar://problem/47250262>
791
792         Reviewed by Saam Barati.
793
794         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
795         (shouldBe):
796         (foo):
797         (bar):
798         (baz):
799
800 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
801
802         Unreviewed, fix initial global lexical binding epoch
803         https://bugs.webkit.org/show_bug.cgi?id=193603
804         <rdar://problem/47380869>
805
806         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
807         (f1.f2.f3.f4):
808         (f1.f2.f3):
809         (f1.f2):
810         (f1):
811
812 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
813
814         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
815         https://bugs.webkit.org/show_bug.cgi?id=193709
816         <rdar://problem/47363838>
817
818         Unreviewed, rollout to watch the tests.
819
820         * stress/object-tostring-changed-proto.js: Removed.
821         * stress/object-tostring-changed.js: Removed.
822         * stress/object-tostring-misc.js: Removed.
823         * stress/object-tostring-other.js: Removed.
824         * stress/object-tostring-untyped.js: Removed.
825
826 2019-01-22  Saam Barati  <sbarati@apple.com>
827
828         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
829
830         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
831         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
832         (testUncheckedLessThanZero):
833         (testUncheckedLessThanOrEqualZero):
834         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
835         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
836
837 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
838
839         [JSC] Invalidate old scope operations using global lexical binding epoch
840         https://bugs.webkit.org/show_bug.cgi?id=193603
841         <rdar://problem/47380869>
842
843         Reviewed by Saam Barati.
844
845         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
846         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
847         (shouldThrow):
848         (bar):
849         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
850         (shouldBe):
851         (get1):
852         (get2):
853         (get1If):
854         (get2If):
855         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
856         (shouldThrow):
857         (foo):
858
859 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
860
861         Unreviewed, roll out r240220 due to date-format-xparb regression
862         https://bugs.webkit.org/show_bug.cgi?id=193603
863
864         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
865         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
866         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
867         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
868
869 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
870
871         DoesGC rule is wrong for nodes with BigIntUse
872         https://bugs.webkit.org/show_bug.cgi?id=193652
873
874         Reviewed by Saam Barati.
875
876         * stress/big-int-value-op-update-gc-rules.js: Added.
877         (assert):
878         (doesGCAdd):
879         (doesGCSub):
880         (doesGCDiv):
881         (doesGCMul):
882         (doesGCBitAnd):
883         (doesGCBitOr):
884         (doesGCBitXor):
885
886 2019-01-20  Saam Barati  <sbarati@apple.com>
887
888         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
889         https://bugs.webkit.org/show_bug.cgi?id=193644
890         <rdar://problem/46209745>
891
892         Reviewed by Yusuke Suzuki.
893
894         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
895         (foo):
896         * stress/data-view-set-intrinsic-undefined-result.js: Added.
897         (foo):
898         (bar):
899
900 2019-01-20  Saam Barati  <sbarati@apple.com>
901
902         MovHint must merge NodeBytecodeUsesAsValue for its child
903         https://bugs.webkit.org/show_bug.cgi?id=186916
904         <rdar://problem/41396612>
905
906         Reviewed by Yusuke Suzuki.
907
908         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
909         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
910
911 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
912
913         [JSC] Invalidate old scope operations using global lexical binding epoch
914         https://bugs.webkit.org/show_bug.cgi?id=193603
915         <rdar://problem/47380869>
916
917         Reviewed by Saam Barati.
918
919         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
920         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
921         (shouldThrow):
922         (bar):
923         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
924         (shouldBe):
925         (get1):
926         (get2):
927         (get1If):
928         (get2If):
929         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
930         (shouldThrow):
931         (foo):
932
933 2019-01-17  Saam barati  <sbarati@apple.com>
934
935         StringObjectUse should not be a structure check for the original string object structure
936         https://bugs.webkit.org/show_bug.cgi?id=193483
937         <rdar://problem/47280522>
938
939         Reviewed by Yusuke Suzuki.
940
941         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
942         (foo):
943         (a.valueOf.0):
944
945 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
946
947         [JSC] ToThis omission in DFGByteCodeParser is wrong
948         https://bugs.webkit.org/show_bug.cgi?id=193513
949         <rdar://problem/45842236>
950
951         Reviewed by Saam Barati.
952
953         * stress/to-this-omission-with-different-strict-modes.js: Added.
954         (thisA):
955         (thisAStrictWrapper):
956
957 2019-01-15  Mark Lam  <mark.lam@apple.com>
958
959         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
960         https://bugs.webkit.org/show_bug.cgi?id=193423
961         <rdar://problem/46209355>
962
963         Reviewed by Saam Barati.
964
965         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
966         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
967         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
968         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
969
970 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
971
972         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
973         https://bugs.webkit.org/show_bug.cgi?id=193438
974         <rdar://problem/45581249>
975
976         Reviewed by Saam Barati and Keith Miller.
977
978         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
979         Then, GetByVal(String) crashed.
980
981         * stress/string-get-by-val-lowering.js: Added.
982         (shouldBe):
983         (test):
984         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
985         (Hello):
986         (foo):
987
988 2019-01-15  Tomas Popela  <tpopela@redhat.com>
989
990         Unreviewed, skip JIT tests if it's not enabled
991
992         * stress/bit-op-with-object-returning-int32.js:
993
994 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
995
996         DFGByteCodeParser rules for bitwise operations should consider type of their operands
997         https://bugs.webkit.org/show_bug.cgi?id=192966
998
999         Reviewed by Yusuke Suzuki.
1000
1001         * stress/bit-op-with-object-returning-int32.js: Added.
1002
1003 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1004
1005         Skip a slow test and a flakey test on arm
1006
1007         Unreviewed gardening.
1008
1009         * typeProfiler/getter-richards.js:
1010         this test always times out, it used to be always skipped on arm and
1011         mips, but got accidentally enabled by r237919 now that we have DFG on
1012         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1013
1014 2019-01-14  Keith Miller  <keith_miller@apple.com>
1015
1016         Skip type-check-hoisting-phase-hoist... with no jit
1017         https://bugs.webkit.org/show_bug.cgi?id=193421
1018
1019         Reviewed by Mark Lam.
1020
1021         It's timing out the 32-bit bots and takes 330 seconds
1022         on my machine when run by itself.
1023
1024         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1025
1026 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1027
1028         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1029         https://bugs.webkit.org/show_bug.cgi?id=193413
1030         <rdar://problem/46092389>
1031
1032         Reviewed by Keith Miller.
1033
1034         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1035         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1036         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1037         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1038
1039         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1040         (compareArray):
1041
1042 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1043
1044         [BigInt] Literal parsing is crashing when used inside a Object Literal
1045         https://bugs.webkit.org/show_bug.cgi?id=193404
1046
1047         Reviewed by Yusuke Suzuki.
1048
1049         * stress/big-int-literal-inside-literal-object.js: Added.
1050
1051 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1052
1053         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1054         https://bugs.webkit.org/show_bug.cgi?id=193372
1055
1056         Reviewed by Saam Barati.
1057
1058         * stress/typed-array-array-modes-profile.js: Added.
1059         (foo):
1060
1061 2019-01-14  Mark Lam  <mark.lam@apple.com>
1062
1063         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1064         https://bugs.webkit.org/show_bug.cgi?id=193402
1065         <rdar://problem/46012309>
1066
1067         Reviewed by Keith Miller.
1068
1069         * stress/regexp-compile-oom.js:
1070         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1071           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1072
1073 2019-01-11  Saam barati  <sbarati@apple.com>
1074
1075         DFG combined liveness can be wrong for terminal basic blocks
1076         https://bugs.webkit.org/show_bug.cgi?id=193304
1077         <rdar://problem/45268632>
1078
1079         Reviewed by Yusuke Suzuki.
1080
1081         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1082
1083 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1084
1085         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1086         https://bugs.webkit.org/show_bug.cgi?id=193308
1087         <rdar://problem/45546542>
1088
1089         Reviewed by Saam Barati.
1090
1091         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1092         (shouldThrow):
1093         (shouldBe):
1094         (foo):
1095         (get shouldThrow):
1096         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1097         (shouldThrow):
1098         (shouldBe):
1099         (foo):
1100         (get shouldBe):
1101         (get shouldThrow):
1102         (get return):
1103         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1104         (shouldThrow):
1105         (shouldBe):
1106         (foo):
1107         (get shouldBe):
1108         (get shouldThrow):
1109         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1110         (shouldThrow):
1111         (shouldBe):
1112         (foo):
1113         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1114         (shouldThrow):
1115         (shouldBe):
1116         (foo):
1117         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1118         (shouldThrow):
1119         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1120         (shouldThrow):
1121         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1122         (shouldThrow):
1123         (shouldBe):
1124         (foo):
1125         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1126         (shouldThrow):
1127         (shouldBe):
1128         (foo):
1129         (get shouldBe):
1130         (get shouldThrow):
1131         (get return):
1132         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1133         (shouldThrow):
1134         (shouldBe):
1135         (foo):
1136         (get shouldBe):
1137         (get shouldThrow):
1138         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1139         (shouldThrow):
1140         (shouldBe):
1141         (foo):
1142         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1143         (shouldThrow):
1144         (shouldBe):
1145         (foo):
1146
1147 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1148
1149         Enable DFG on ARM/Linux again
1150         https://bugs.webkit.org/show_bug.cgi?id=192496
1151
1152         Reviewed by Yusuke Suzuki.
1153
1154         Test wasn't really skipped before moving the line with skip
1155         to the top.
1156
1157         * stress/regress-192717.js:
1158
1159 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1160
1161         Unreviewed, rolling out r239825.
1162         https://bugs.webkit.org/show_bug.cgi?id=193330
1163
1164         Broke tests on armv7/linux bots (Requested by guijemont on
1165         #webkit).
1166
1167         Reverted changeset:
1168
1169         "Enable DFG on ARM/Linux again"
1170         https://bugs.webkit.org/show_bug.cgi?id=192496
1171         https://trac.webkit.org/changeset/239825
1172
1173 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1174
1175         Enable DFG on ARM/Linux again
1176         https://bugs.webkit.org/show_bug.cgi?id=192496
1177
1178         Reviewed by Yusuke Suzuki.
1179
1180         Test wasn't really skipped before moving the line with skip
1181         to the top.
1182
1183         * stress/regress-192717.js:
1184
1185 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1186
1187         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1188         https://bugs.webkit.org/show_bug.cgi?id=193127
1189
1190         Reviewed by Saam Barati.
1191
1192         * stress/array-species-create-should-handle-masquerader.js: Added.
1193         (shouldThrow):
1194         * stress/is-undefined-or-null-builtin.js: Added.
1195         (shouldBe):
1196         (isUndefinedOrNull.vm.createBuiltin):
1197
1198 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1199
1200         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1201         https://bugs.webkit.org/show_bug.cgi?id=193221
1202
1203         Reviewed by Mark Lam.
1204
1205         * stress/put-by-id-flags.js: Added.
1206         (f):
1207         (g):
1208         (numberOfDFGCompiles):
1209
1210 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1211
1212         Baseline version of get_by_id may corrupt metadata
1213         https://bugs.webkit.org/show_bug.cgi?id=193085
1214         <rdar://problem/23453006>
1215
1216         Reviewed by Saam Barati.
1217
1218         * stress/get-by-id-change-mode.js: Added.
1219         (forEach):
1220
1221 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1222
1223         [JSC] Optimize Object.prototype.toString
1224         https://bugs.webkit.org/show_bug.cgi?id=193031
1225
1226         Reviewed by Saam Barati.
1227
1228         * stress/object-tostring-changed-proto.js: Added.
1229         (shouldBe):
1230         (test):
1231         * stress/object-tostring-changed.js: Added.
1232         (shouldBe):
1233         (test):
1234         * stress/object-tostring-misc.js: Added.
1235         (shouldBe):
1236         (test):
1237         (i.switch):
1238         * stress/object-tostring-other.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/object-tostring-untyped.js: Added.
1242         (shouldBe):
1243         (test):
1244         (i.switch):
1245
1246 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1247
1248         test262-runner misbehaves when test file YAML has a trailing space
1249         https://bugs.webkit.org/show_bug.cgi?id=193053
1250
1251         Reviewed by Yusuke Suzuki.
1252
1253         * test262/expectations.yaml:
1254         Mark two dozen tests as passing (and correct the output of another).
1255
1256 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1257
1258         Unreviewed, JSTests gardening with memoryLimited
1259
1260         * stress/string-overflow-createError.js:
1261
1262 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1263
1264         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1265         https://bugs.webkit.org/show_bug.cgi?id=193050
1266
1267         Reviewed by Yusuke Suzuki.
1268
1269         * test262.yaml:
1270         * test262/expectations.yaml:
1271         Mark 16 tests as passing.
1272
1273 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1274
1275         [BigInt] Support BigInt in JSON.stringify
1276         https://bugs.webkit.org/show_bug.cgi?id=192624
1277
1278         Reviewed by Saam Barati.
1279
1280         * stress/big-int-json-stringify-to-json.js: Added.
1281         (shouldBe):
1282         (shouldThrow):
1283         (BigInt.prototype.toJSON):
1284         (shouldBe.JSON.stringify):
1285         * stress/big-int-json-stringify.js: Added.
1286         (shouldBe):
1287         (shouldThrow):
1288
1289 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1290
1291         [JSC] Implement "well-formed JSON.stringify" proposal
1292         https://bugs.webkit.org/show_bug.cgi?id=191677
1293
1294         Reviewed by Darin Adler.
1295
1296         * stress/json-surrogate-pair.js: Added.
1297         (shouldBe):
1298         * test262/expectations.yaml:
1299
1300 2018-12-20  Keith Miller  <keith_miller@apple.com>
1301
1302         Add support for globalThis
1303         https://bugs.webkit.org/show_bug.cgi?id=165171
1304
1305         Reviewed by Mark Lam.
1306
1307         * test262/config.yaml:
1308
1309 2018-12-19  Keith Miller  <keith_miller@apple.com>
1310
1311         Update test262 configuration to not run tests dependent on ICU version.
1312         https://bugs.webkit.org/show_bug.cgi?id=192920
1313
1314         Reviewed by Saam Barati.
1315
1316         * test262/expectations.yaml:
1317
1318 2018-12-20  Mark Lam  <mark.lam@apple.com>
1319
1320         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1321         https://bugs.webkit.org/show_bug.cgi?id=192939
1322         <rdar://problem/46869516>
1323
1324         Reviewed by Keith Miller.
1325
1326         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1327
1328 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1329
1330         WTF::String and StringImpl overflow MaxLength
1331         https://bugs.webkit.org/show_bug.cgi?id=192853
1332         <rdar://problem/45726906>
1333
1334         Reviewed by Mark Lam.
1335
1336         * stress/string-16bit-repeat-overflow.js: Added.
1337         (catch):
1338
1339 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1340
1341         Unreviewed follow-up to r192914.
1342
1343         * test262/expectations.yaml:
1344         Add the last 20 missing expectations.
1345
1346 2018-12-19  Keith Miller  <keith_miller@apple.com>
1347
1348         Fix test262 expectations
1349         https://bugs.webkit.org/show_bug.cgi?id=192914
1350
1351         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1352
1353         * test262/expectations.yaml:
1354
1355 2018-12-19  Keith Miller  <keith_miller@apple.com>
1356
1357         Update test262 tests.
1358         https://bugs.webkit.org/show_bug.cgi?id=192907
1359
1360         Rubber stamped by Mark Lam.
1361
1362         * test262/*: Omitted because prepare-changelog crashes.
1363
1364 2018-12-19  Mark Lam  <mark.lam@apple.com>
1365
1366         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1367         https://bugs.webkit.org/show_bug.cgi?id=192464
1368         <rdar://problem/46519455>
1369
1370         Reviewed by Saam Barati.
1371
1372         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1373         microbenchmark.
1374
1375         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1376         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1377
1378 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1379
1380         String overflow in JSC::createError results in ASSERT in WTF::makeString
1381         https://bugs.webkit.org/show_bug.cgi?id=192833
1382         <rdar://problem/45706868>
1383
1384         Reviewed by Mark Lam.
1385
1386         * stress/string-overflow-createError.js: Added.
1387
1388 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1389
1390         Error message for `-x ** y` contains a typo.
1391         https://bugs.webkit.org/show_bug.cgi?id=192832
1392
1393         Reviewed by Saam Barati.
1394
1395         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1396         (assert.assert.return.throws):
1397         * stress/pow-expects-update-expression-on-lhs.js:
1398         (throw.new.Error):
1399         Update test expectations which match against the exact error message.
1400
1401 2018-12-18  Mark Lam  <mark.lam@apple.com>
1402
1403         Gardening: test options fix.
1404         https://bugs.webkit.org/show_bug.cgi?id=192822
1405
1406         Unreviewed.
1407
1408         * stress/json-stringify-string-builder-overflow.js:
1409
1410 2018-12-18  Mark Lam  <mark.lam@apple.com>
1411
1412         JSON.stringify() should throw OOM on StringBuilder overflows.
1413         https://bugs.webkit.org/show_bug.cgi?id=192822
1414         <rdar://problem/46670577>
1415
1416         Reviewed by Saam Barati.
1417
1418         * stress/json-stringify-string-builder-overflow.js: Added.
1419
1420 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1421
1422         Redeclaration of var over let/const/class should be a syntax error.
1423         https://bugs.webkit.org/show_bug.cgi?id=192298
1424
1425         Reviewed by Keith Miller.
1426
1427         * test262.yaml:
1428         * test262/expectations.yaml:
1429         Mark 46 tests as passing.
1430
1431         * stress/block-scope-redeclarations.js:
1432         Add some new tests.
1433
1434         * stress/for-in-invalidate-context-weird-assignments.js:
1435         * stress/for-in-tests.js:
1436         Replace tests for outdated behavior with tests for SyntaxError.
1437
1438         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1439         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1440         Update expectations.
1441
1442 2018-12-18  Mark Lam  <mark.lam@apple.com>
1443
1444         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1445         https://bugs.webkit.org/show_bug.cgi?id=191374
1446         <rdar://problem/46525447>
1447
1448         Reviewed by Yusuke Suzuki.
1449
1450         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1451
1452         * stress/elidable-new-object-roflcopter-then-exit.js:
1453
1454 2018-12-17  Mark Lam  <mark.lam@apple.com>
1455
1456         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1457         https://bugs.webkit.org/show_bug.cgi?id=192019
1458         <rdar://problem/46525456>
1459
1460         Reviewed by Yusuke Suzuki.
1461
1462         The test runs too slow on 32-bit.
1463
1464         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1465
1466 2018-12-17  Mark Lam  <mark.lam@apple.com>
1467
1468         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1469         https://bugs.webkit.org/show_bug.cgi?id=191373
1470         <rdar://problem/46525458>
1471
1472         Reviewed by Yusuke Suzuki.
1473
1474         The test is already slow running with a JIT on 64-bit.  It will always time out
1475         on 32-bit without a JIT.
1476
1477         * stress/materialize-regexp-cyclic-regexp.js:
1478
1479 2018-12-17  Mark Lam  <mark.lam@apple.com>
1480
1481         Array unshift/shift should not race against the AI in the compiler thread.
1482         https://bugs.webkit.org/show_bug.cgi?id=192795
1483         <rdar://problem/46724263>
1484
1485         Reviewed by Saam Barati.
1486
1487         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1488
1489 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1490
1491         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1492         https://bugs.webkit.org/show_bug.cgi?id=190047
1493
1494         Reviewed by Saam Barati.
1495
1496         * stress/object-keys-cached-zero.js: Added.
1497         (shouldBe):
1498         (test):
1499         * stress/object-keys-changed-attribute.js: Added.
1500         (shouldBe):
1501         (test):
1502         * stress/object-keys-changed-index.js: Added.
1503         (shouldBe):
1504         (test):
1505         * stress/object-keys-changed.js: Added.
1506         (shouldBe):
1507         (test):
1508         * stress/object-keys-indexed-non-cache.js: Added.
1509         (shouldBe):
1510         (test):
1511         * stress/object-keys-overrides-get-property-names.js: Added.
1512         (shouldBe):
1513         (test):
1514         (noInline):
1515
1516 2018-12-17  Mark Lam  <mark.lam@apple.com>
1517
1518         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1519         https://bugs.webkit.org/show_bug.cgi?id=192779
1520         <rdar://problem/46775869>
1521
1522         Reviewed by Saam Barati.
1523
1524         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1525
1526 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1527
1528         Unreviewed test gardening, address a syntax error in a new test.
1529
1530         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1531
1532 2018-12-17  Mark Lam  <mark.lam@apple.com>
1533
1534         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1535         https://bugs.webkit.org/show_bug.cgi?id=192776
1536         <rdar://problem/46772368>
1537
1538         Reviewed by Keith Miller.
1539
1540         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1541
1542 2018-12-17  Mark Lam  <mark.lam@apple.com>
1543
1544         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1545         https://bugs.webkit.org/show_bug.cgi?id=192770
1546         <rdar://problem/46449037>
1547
1548         Reviewed by Keith Miller.
1549
1550         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1551
1552 2018-12-14  Mark Lam  <mark.lam@apple.com>
1553
1554         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1555         https://bugs.webkit.org/show_bug.cgi?id=192717
1556         <rdar://problem/46660677>
1557
1558         Reviewed by Saam Barati.
1559
1560         * stress/regress-192717.js: Added.
1561
1562 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1563
1564         Unreviewed, rolling out r239153, r239154, and r239155.
1565         https://bugs.webkit.org/show_bug.cgi?id=192715
1566
1567         Caused flaky GC-related crashes seen with layout tests
1568         (Requested by ryanhaddad on #webkit).
1569
1570         Reverted changesets:
1571
1572         "[JSC] Optimize Object.keys by caching own keys results in
1573         StructureRareData"
1574         https://bugs.webkit.org/show_bug.cgi?id=190047
1575         https://trac.webkit.org/changeset/239153
1576
1577         "Unreviewed, build fix after r239153"
1578         https://bugs.webkit.org/show_bug.cgi?id=190047
1579         https://trac.webkit.org/changeset/239154
1580
1581         "Unreviewed, build fix after r239153, part 2"
1582         https://bugs.webkit.org/show_bug.cgi?id=190047
1583         https://trac.webkit.org/changeset/239155
1584
1585 2018-12-14  Keith Miller  <keith_miller@apple.com>
1586
1587         Callers of JSString::getIndex should check for OOM exceptions
1588         https://bugs.webkit.org/show_bug.cgi?id=192709
1589
1590         Reviewed by Mark Lam.
1591
1592         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1593
1594 2018-12-13  Mark Lam  <mark.lam@apple.com>
1595
1596         Add a missing exception check.
1597         https://bugs.webkit.org/show_bug.cgi?id=192626
1598         <rdar://problem/46662163>
1599
1600         Reviewed by Keith Miller.
1601
1602         * stress/regress-192626.js: Added.
1603
1604 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1605
1606         [BigInt] Add ValueDiv into DFG
1607         https://bugs.webkit.org/show_bug.cgi?id=186178
1608
1609         Reviewed by Yusuke Suzuki.
1610
1611         * stress/big-int-div-jit-osr.js: Added.
1612         * stress/big-int-div-jit-untyped.js: Added.
1613         * stress/value-div-fixup-int32-big-int.js: Added.
1614
1615 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1616
1617         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1618         https://bugs.webkit.org/show_bug.cgi?id=190047
1619
1620         Reviewed by Keith Miller.
1621
1622         * stress/object-keys-cached-zero.js: Added.
1623         (shouldBe):
1624         (test):
1625         * stress/object-keys-changed-attribute.js: Added.
1626         (shouldBe):
1627         (test):
1628         * stress/object-keys-changed-index.js: Added.
1629         (shouldBe):
1630         (test):
1631         * stress/object-keys-changed.js: Added.
1632         (shouldBe):
1633         (test):
1634         * stress/object-keys-indexed-non-cache.js: Added.
1635         (shouldBe):
1636         (test):
1637         * stress/object-keys-overrides-get-property-names.js: Added.
1638         (shouldBe):
1639         (test):
1640         (noInline):
1641
1642 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1643
1644         [DFG][FTL] Add NewSymbol
1645         https://bugs.webkit.org/show_bug.cgi?id=192620
1646
1647         Reviewed by Saam Barati.
1648
1649         * microbenchmarks/symbol-creation.js: Added.
1650         (test):
1651         * stress/symbol-description-identity.js: Added.
1652         (shouldBe):
1653         (test):
1654         * stress/symbol-identity.js: Added.
1655         (shouldBe):
1656         (test):
1657         * stress/symbol-with-description-throw-error.js: Added.
1658         (shouldBe):
1659         (shouldThrow):
1660         (test):
1661         (object.toString):
1662
1663 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1664
1665         [BigInt] Implement DFG/FTL typeof for BigInt
1666         https://bugs.webkit.org/show_bug.cgi?id=192619
1667
1668         Reviewed by Keith Miller.
1669
1670         * stress/big-int-boolean-proven-type.js: Added.
1671         (assert):
1672         (bool):
1673         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1674         (assert):
1675         (typeOf):
1676         (i.switch):
1677         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1678         (assert):
1679         (typeOf):
1680         * stress/big-int-type-of.js:
1681         (typeOf):
1682         (func):
1683
1684 2018-12-10  Mark Lam  <mark.lam@apple.com>
1685
1686         PropertyAttribute needs a CustomValue bit.
1687         https://bugs.webkit.org/show_bug.cgi?id=191993
1688         <rdar://problem/46264467>
1689
1690         Reviewed by Saam Barati.
1691
1692         * stress/regress-191993.js: Added.
1693
1694 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1695
1696         [BigInt] Add ValueMul into DFG
1697         https://bugs.webkit.org/show_bug.cgi?id=186175
1698
1699         Reviewed by Yusuke Suzuki.
1700
1701         * stress/big-int-mul-jit-osr.js: Added.
1702         * stress/big-int-mul-jit-untyped.js: Added.
1703         * stress/value-mul-fixup-int32-big-int.js: Added.
1704
1705 2018-12-06  Keith Miller  <keith_miller@apple.com>
1706
1707         stress/big-wasm-memory tests failing on 32-bit JSC bot
1708         https://bugs.webkit.org/show_bug.cgi?id=192020
1709
1710         Reviewed by Saam Barati.
1711
1712         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1713         the wasm stress tests if the WebAssembly object does not exist.
1714
1715         * stress/big-wasm-memory-grow-no-max.js:
1716         (test.foo):
1717         (test):
1718         (foo): Deleted.
1719         (catch): Deleted.
1720         * stress/big-wasm-memory-grow.js:
1721         (test.foo):
1722         (test):
1723         (foo): Deleted.
1724         (catch): Deleted.
1725         * stress/big-wasm-memory.js:
1726         (test.foo):
1727         (test):
1728         (foo): Deleted.
1729         (catch): Deleted.
1730
1731 2018-12-05  Mark Lam  <mark.lam@apple.com>
1732
1733         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1734         https://bugs.webkit.org/show_bug.cgi?id=192441
1735         <rdar://problem/46480355>
1736
1737         Reviewed by Saam Barati.
1738
1739         * stress/regress-192441.js: Added.
1740
1741 2018-12-04  Mark Lam  <mark.lam@apple.com>
1742
1743         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1744         https://bugs.webkit.org/show_bug.cgi?id=192386
1745         <rdar://problem/46445516>
1746
1747         Reviewed by Saam Barati.
1748
1749         * stress/regress-192386.js: Added.
1750
1751 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1752
1753         [ESNext][BigInt] Support logic operations
1754         https://bugs.webkit.org/show_bug.cgi?id=179903
1755
1756         Reviewed by Yusuke Suzuki.
1757
1758         * stress/big-int-branch-usage.js: Added.
1759         * stress/big-int-logical-and.js: Added.
1760         * stress/big-int-logical-not.js: Added.
1761         * stress/big-int-logical-or.js: Added.
1762
1763 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1764
1765         Unreviewed, rolling out r238833.
1766
1767         Breaks macOS and iOS debug builds.
1768
1769         Reverted changeset:
1770
1771         "[ESNext][BigInt] Support logic operations"
1772         https://bugs.webkit.org/show_bug.cgi?id=179903
1773         https://trac.webkit.org/changeset/238833
1774
1775 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1776
1777         [ESNext][BigInt] Support logic operations
1778         https://bugs.webkit.org/show_bug.cgi?id=179903
1779
1780         Reviewed by Yusuke Suzuki.
1781
1782         * stress/big-int-branch-usage.js: Added.
1783         * stress/big-int-logical-and.js: Added.
1784         * stress/big-int-logical-not.js: Added.
1785         * stress/big-int-logical-or.js: Added.
1786
1787 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1788
1789         [ESNext][BigInt] Implement support for "<<" and ">>"
1790         https://bugs.webkit.org/show_bug.cgi?id=186233
1791
1792         Reviewed by Yusuke Suzuki.
1793
1794         * stress/big-int-left-shift-general.js: Added.
1795         * stress/big-int-left-shift-range-error.js: Added.
1796         * stress/big-int-left-shift-type-error.js: Added.
1797         * stress/big-int-left-shift-wrapped-value.js: Added.
1798         * stress/big-int-right-shift-general.js: Added.
1799         * stress/big-int-right-shift-type-error.js: Added.
1800         * stress/big-int-right-shift-wrapped-value.js: Added.
1801         * stress/left-shift-to-primitive-precedence.js: Added.
1802         * stress/right-shift-to-primitive-precedence.js: Added.
1803
1804 2018-11-30  Dean Jackson  <dino@apple.com>
1805
1806         Add first-class support for .mjs files in jsc binary
1807         https://bugs.webkit.org/show_bug.cgi?id=192190
1808         <rdar://problem/46375715>
1809
1810         Reviewed by Keith Miller.
1811
1812         * stress/simple-module.mjs: Added.
1813         * stress/simple-script.js: Added.
1814
1815 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1816
1817         [BigInt] Implement ValueBitXor into DFG
1818         https://bugs.webkit.org/show_bug.cgi?id=190264
1819
1820         Reviewed by Yusuke Suzuki.
1821
1822         * stress/big-int-bitwise-xor-jit.js: Added.
1823         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1824         * stress/big-int-bitwise-xor-untyped.js: Added.
1825
1826 2018-11-27  Saam barati  <sbarati@apple.com>
1827
1828         r238510 broke scopes of size zero
1829         https://bugs.webkit.org/show_bug.cgi?id=192033
1830         <rdar://problem/46281734>
1831
1832         Reviewed by Keith Miller.
1833
1834         * stress/r238510-bad-loop.js: Added.
1835         (foo):
1836
1837 2018-11-27  Mark Lam  <mark.lam@apple.com>
1838
1839         [Re-landing] NaNs read from Wasm code needs to be purified.
1840         https://bugs.webkit.org/show_bug.cgi?id=191056
1841         <rdar://problem/45660341>
1842
1843         Reviewed by Filip Pizlo.
1844
1845         * wasm/regress/regress-191056.js: Added.
1846
1847 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1848
1849         Unreviewed, rolling out r238509.
1850
1851         Causes JSC tests to fail on iOS.
1852
1853         Reverted changeset:
1854
1855         "NaNs read from Wasm code needs to be purified."
1856         https://bugs.webkit.org/show_bug.cgi?id=191056
1857         https://trac.webkit.org/changeset/238509
1858
1859 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1860
1861         Re-introduce op_bitnot
1862         https://bugs.webkit.org/show_bug.cgi?id=190923
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         * stress/bit-not-must-generate.js: Added.
1867         * stress/bitwise-not-no-int32.js: Added.
1868
1869 2018-11-26  Saam barati  <sbarati@apple.com>
1870
1871         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1872         https://bugs.webkit.org/show_bug.cgi?id=191956
1873         <rdar://problem/45665806>
1874
1875         Reviewed by Yusuke Suzuki.
1876
1877         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1878         (bar):
1879         (foo):
1880
1881 2018-11-26  Saam barati  <sbarati@apple.com>
1882
1883         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1884         https://bugs.webkit.org/show_bug.cgi?id=191958
1885         <rdar://problem/46221877>
1886
1887         Reviewed by Yusuke Suzuki.
1888
1889         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1890         (x):
1891         (foo):
1892
1893 2018-11-26  Mark Lam  <mark.lam@apple.com>
1894
1895         NaNs read from Wasm code needs to be purified.
1896         https://bugs.webkit.org/show_bug.cgi?id=191056
1897         <rdar://problem/45660341>
1898
1899         Reviewed by Filip Pizlo.
1900
1901         * wasm/regress/regress-191056.js: Added.
1902
1903 2018-11-26  Michael Saboff  <msaboff@apple.com>
1904
1905         32-bit JSC test failure: stress/regexp-compile-oom.js
1906         https://bugs.webkit.org/show_bug.cgi?id=191375
1907
1908         Reviewed by Mark Lam.
1909
1910         Disabled the test for 32 bit platforms.
1911
1912         * stress/regexp-compile-oom.js:
1913
1914 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1915
1916         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1917         https://bugs.webkit.org/show_bug.cgi?id=191716
1918         <rdar://problem/45723878>
1919
1920         Reviewed by Saam Barati.
1921
1922         * stress/regress-187373.js: Added.
1923         (async.fn):
1924
1925 2018-11-21  Saam barati  <sbarati@apple.com>
1926
1927         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1928         https://bugs.webkit.org/show_bug.cgi?id=191897
1929         <rdar://problem/45871998>
1930
1931         Reviewed by Mark Lam.
1932
1933         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1934         (bar):
1935         (foo):
1936
1937 2018-11-21  Saam barati  <sbarati@apple.com>
1938
1939         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1940         https://bugs.webkit.org/show_bug.cgi?id=191895
1941         <rdar://problem/46167406>
1942
1943         Reviewed by Mark Lam.
1944
1945         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1946         (foo):
1947         (bar):
1948
1949 2018-11-21  Mark Lam  <mark.lam@apple.com>
1950
1951         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1952         https://bugs.webkit.org/show_bug.cgi?id=191776
1953         <rdar://problem/46152851>
1954
1955         Reviewed by Saam Barati.
1956
1957         * stress/big-wasm-memory-grow-no-max.js:
1958         * stress/big-wasm-memory-grow.js:
1959         * stress/big-wasm-memory.js:
1960         - updated these to expect an OutOfMemoryError.
1961
1962         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1963         (Binary.prototype.emit_u8):
1964         (Binary.prototype.emit_u32v):
1965         (Binary.prototype.emit_header):
1966         (Binary.prototype.emit_section):
1967         (Binary):
1968         (WasmModuleBuilder):
1969         (WasmModuleBuilder.prototype.addMemory):
1970         (WasmModuleBuilder.prototype.toArray):
1971         (WasmModuleBuilder.prototype.toBuffer):
1972         (WasmModuleBuilder.prototype.instantiate):
1973         (catch):
1974         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1975         (catch):
1976
1977 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1978
1979         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1980         https://bugs.webkit.org/show_bug.cgi?id=190836
1981
1982         Reviewed by Saam Barati and Yusuke Suzuki.
1983
1984         * stress/big-int-out-of-memory-tests.js: Added.
1985
1986 2018-11-20  Mark Lam  <mark.lam@apple.com>
1987
1988         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1989         https://bugs.webkit.org/show_bug.cgi?id=191856
1990         <rdar://problem/46089992>
1991
1992         Reviewed by Yusuke Suzuki.
1993
1994         * stress/regress-191856.js: Added.
1995         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1996
1997 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1998
1999         Enable JIT on ARM/Linux
2000         https://bugs.webkit.org/show_bug.cgi?id=191548
2001
2002         Reviewed by Yusuke Suzuki.
2003
2004         Disable test on system with limited memory. Program was killed by
2005         the OS before the exception was thrown.
2006
2007         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2008
2009 2018-11-20  Saam barati  <sbarati@apple.com>
2010
2011         Merging an IC variant may lead to the IC status containing overlapping structure sets
2012         https://bugs.webkit.org/show_bug.cgi?id=191869
2013         <rdar://problem/45403453>
2014
2015         Reviewed by Mark Lam.
2016
2017         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2018
2019 2018-11-19  Mark Lam  <mark.lam@apple.com>
2020
2021         globalFuncImportModule() should return a promise when it clears exceptions.
2022         https://bugs.webkit.org/show_bug.cgi?id=191792
2023         <rdar://problem/46090763>
2024
2025         Reviewed by Michael Saboff.
2026
2027         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2028
2029 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2030
2031         Skip new memory-hungry tests on memory limited devices
2032
2033         Unreviewed gardening.
2034
2035         * stress/big-wasm-memory-grow-no-max.js:
2036         * stress/big-wasm-memory-grow.js:
2037         * stress/big-wasm-memory.js:
2038
2039 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2040
2041         Unreviewed, rolling in the rest of r237254
2042         https://bugs.webkit.org/show_bug.cgi?id=190340
2043
2044         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2045         * stress/function-cache-with-parameters-end-position.js: Added.
2046         (shouldBe):
2047         (shouldThrow):
2048         (i.anonymous):
2049         * stress/function-constructor-name.js: Added.
2050         (shouldBe):
2051         (GeneratorFunction):
2052         (AsyncFunction.async):
2053         (AsyncGeneratorFunction.async):
2054         (anonymous):
2055         (async.anonymous):
2056         * test262/expectations.yaml:
2057
2058 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2059
2060         All users of ArrayBuffer should agree on the same max size
2061         https://bugs.webkit.org/show_bug.cgi?id=191771
2062
2063         Reviewed by Mark Lam.
2064
2065         * stress/big-wasm-memory-grow-no-max.js: Added.
2066         (foo):
2067         (catch):
2068         * stress/big-wasm-memory-grow.js: Added.
2069         (foo):
2070         (catch):
2071         * stress/big-wasm-memory.js: Added.
2072         (foo):
2073         (catch):
2074
2075 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2076
2077         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2078         run for each JSC config since they're regression tests for runtime bugs.
2079
2080         * stress/json-stringified-overflow-2.js:
2081         * stress/json-stringified-overflow.js:
2082
2083 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2084
2085         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2086         config since they're regression tests for runtime bugs.
2087
2088         * stress/large-unshift-splice.js:
2089         * stress/regress-185888.js:
2090
2091 2018-11-16  Saam Barati  <sbarati@apple.com>
2092
2093         KnownCellUse should also have SpecCellCheck as its type filter
2094         https://bugs.webkit.org/show_bug.cgi?id=191729
2095         <rdar://problem/45872852>
2096
2097         Reviewed by Filip Pizlo.
2098
2099         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2100         (C):
2101
2102 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2103
2104         Fix assertion failure on BytecodeGenerator::recordOpcode
2105         https://bugs.webkit.org/show_bug.cgi?id=191724
2106         <rdar://problem/45724395>
2107
2108         Reviewed by Saam Barati.
2109
2110         * stress/regress-187373-2.js: Added.
2111         (foo):
2112
2113 2018-11-15  Mark Lam  <mark.lam@apple.com>
2114
2115         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2116         https://bugs.webkit.org/show_bug.cgi?id=191730
2117         <rdar://problem/46048517>
2118
2119         Reviewed by Saam Barati.
2120
2121         * stress/regress-187006.js: Removed.
2122           - this test is invalid because its sole purpose is to test for the non-spec
2123             compliant behavior that we just fixed.
2124
2125         * stress/regress-191730.js: Added.
2126
2127 2018-11-15  Mark Lam  <mark.lam@apple.com>
2128
2129         RegExp operations should not take fast path if lastIndex is not numeric.
2130         https://bugs.webkit.org/show_bug.cgi?id=191731
2131         <rdar://problem/46017305>
2132
2133         Reviewed by Saam Barati.
2134
2135         * stress/regress-191731.js: Added.
2136
2137 2018-11-13  Saam Barati  <sbarati@apple.com>
2138
2139         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2140         https://bugs.webkit.org/show_bug.cgi?id=191600
2141
2142         Reviewed by Mark Lam.
2143
2144         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2145         (foo):
2146         (test):
2147         (bar):
2148
2149 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2150
2151         Unreviewed, rolling out r238132.
2152
2153         The test added with this change is timing out on Debug JSC
2154         bots.
2155
2156         Reverted changeset:
2157
2158         "[BigInt] JSBigInt::createWithLength should throw when length
2159         is greater than JSBigInt::maxLength"
2160         https://bugs.webkit.org/show_bug.cgi?id=190836
2161         https://trac.webkit.org/changeset/238132
2162
2163 2018-11-13  Mark Lam  <mark.lam@apple.com>
2164
2165         Add OOM detection to StringPrototype's substituteBackreferences().
2166         https://bugs.webkit.org/show_bug.cgi?id=191563
2167         <rdar://problem/45720428>
2168
2169         Reviewed by Saam Barati.
2170
2171         * stress/regress-191563.js: Added.
2172
2173 2018-11-13  Mark Lam  <mark.lam@apple.com>
2174
2175         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2176         https://bugs.webkit.org/show_bug.cgi?id=191579
2177         <rdar://problem/45942472>
2178
2179         Reviewed by Saam Barati.
2180
2181         * stress/regress-191579.js: Added.
2182
2183 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2184
2185         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2186         https://bugs.webkit.org/show_bug.cgi?id=190836
2187
2188         Reviewed by Saam Barati.
2189
2190         * stress/big-int-out-of-memory-tests.js: Added.
2191
2192 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2193
2194         U+180E is no longer a whitespace character
2195         https://bugs.webkit.org/show_bug.cgi?id=191415
2196
2197         Reviewed by Saam Barati.
2198
2199         * ChakraCore/test/es5/regexSpace.baseline:
2200         * ChakraCore/test/es6/unicode_whitespace.js:
2201         Update tests to latest version.
2202         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2203
2204         * test262.yaml:
2205         * test262/config.yaml:
2206         * test262/expectations.yaml:
2207         Update expectations.
2208
2209 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2210
2211         [BigInt] Add support to BigInt into ValueAdd
2212         https://bugs.webkit.org/show_bug.cgi?id=186177
2213
2214         Reviewed by Keith Miller.
2215
2216         * stress/big-int-negate-jit.js:
2217         * stress/value-add-big-int-and-string.js: Added.
2218         * stress/value-add-big-int-prediction-propagation.js: Added.
2219         * stress/value-add-big-int-untyped.js: Added.
2220
2221 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2222
2223         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2224         https://bugs.webkit.org/show_bug.cgi?id=191184
2225
2226         Reviewed by Saam Barati.
2227
2228         Most tests were failing due to timeouts, since they are too slow to
2229         run on CLoop. The exceptions are:
2230
2231         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2232         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2233         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2234         to change the stack size since CLoop requires it to be page aligned.
2235
2236         * microbenchmarks/array-push-1.js:
2237         * microbenchmarks/array-push-2.js:
2238         * microbenchmarks/elidable-new-object-dag.js:
2239         * microbenchmarks/elidable-new-object-roflcopter.js:
2240         * microbenchmarks/elidable-new-object-tree.js:
2241         * microbenchmarks/getter-richards.js:
2242         * microbenchmarks/sinkable-new-object-dag.js:
2243         * microbenchmarks/string-concat-long-convert.js:
2244         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2245         * slowMicrobenchmarks/array-push-3.js:
2246         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2247         * slowMicrobenchmarks/spread-small-array.js:
2248         * slowMicrobenchmarks/undefined-property-access.js:
2249         * stress/activation-sink-default-value-tdz-error.js:
2250         * stress/activation-sink-default-value.js:
2251         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2252         * stress/activation-sink-osrexit-default-value.js:
2253         * stress/activation-sink-osrexit.js:
2254         * stress/activation-sink.js:
2255         * stress/allow-math-ic-b3-code-duplication.js:
2256         * stress/array-push-multiple-int32.js:
2257         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2258         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2259         * stress/arrowfunction-lexical-this-activation-sink.js:
2260         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2261         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2262         * stress/elide-new-object-dag-then-exit.js:
2263         * stress/materialize-regexp-cyclic.js:
2264         * stress/new-regex-inline.js:
2265         * stress/op_add.js:
2266         * stress/op_bitand.js:
2267         * stress/op_bitor.js:
2268         * stress/op_bitxor.js:
2269         * stress/op_div-ConstVar.js:
2270         * stress/op_div-VarConst.js:
2271         * stress/op_div-VarVar.js:
2272         * stress/op_lshift-ConstVar.js:
2273         * stress/op_lshift-VarConst.js:
2274         * stress/op_lshift-VarVar.js:
2275         * stress/op_mod-ConstVar.js:
2276         * stress/op_mod-VarConst.js:
2277         * stress/op_mod-VarVar.js:
2278         * stress/op_mul-ConstVar.js:
2279         * stress/op_mul-VarConst.js:
2280         * stress/op_mul-VarVar.js:
2281         * stress/op_rshift-ConstVar.js:
2282         * stress/op_rshift-VarConst.js:
2283         * stress/op_rshift-VarVar.js:
2284         * stress/op_sub-ConstVar.js:
2285         * stress/op_sub-VarConst.js:
2286         * stress/op_sub-VarVar.js:
2287         * stress/op_urshift-ConstVar.js:
2288         * stress/op_urshift-VarConst.js:
2289         * stress/op_urshift-VarVar.js:
2290         * stress/proxy-get-set-correct-receiver.js:
2291         * stress/regress-179562.js:
2292         * stress/rest-parameter-many-arguments.js:
2293         * stress/sampling-profiler-richards.js:
2294         * stress/splay-flash-access-1ms.js:
2295         * stress/tailCallForwardArguments.js:
2296         * stress/typed-array-get-by-val-profiling.js:
2297         * typeProfiler/getter-richards.js:
2298
2299 2018-11-06  Michael Saboff  <msaboff@apple.com>
2300
2301         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2302         https://bugs.webkit.org/show_bug.cgi?id=191271
2303
2304         Reviewed by Saam Barati.
2305
2306         Added more test cases and made all test cases run with the same deeply recursive stack
2307         instead of finding that same point for each test case.
2308
2309         * stress/regexp-compile-oom.js:
2310         (prototype.runTest):
2311         (recurseAndTest):
2312         (testList.push.new.TestAndExpectedException):
2313
2314 2018-11-05  Michael Saboff  <msaboff@apple.com>
2315
2316         Unreviewed build fix for linux.
2317
2318         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2319
2320 2018-11-02  Michael Saboff  <msaboff@apple.com>
2321
2322         Rolling in r237753 with unreviewed build fix.
2323
2324         Fixed issues with DECLARE_THROW_SCOPE placement.
2325
2326 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2327
2328         Unreviewed, rolling out r237753.
2329
2330         Introduced JSC test failures
2331
2332         Reverted changeset:
2333
2334         "Running out of stack space not properly handled in
2335         RegExp::compile() and its callers"
2336         https://bugs.webkit.org/show_bug.cgi?id=191206
2337         https://trac.webkit.org/changeset/237753
2338
2339 2018-11-02  Michael Saboff  <msaboff@apple.com>
2340
2341         Running out of stack space not properly handled in RegExp::compile() and its callers
2342         https://bugs.webkit.org/show_bug.cgi?id=191206
2343
2344         Reviewed by Filip Pizlo.
2345
2346         New regression test.
2347
2348         * stress/regexp-compile-oom.js: Added.
2349         (recurseAndTest):
2350
2351 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2352
2353         Skip tests on arm/mips that time out now we're running on CLoop
2354
2355         Unreviewed gardening.
2356
2357         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2358         time out on the bots and need to be disabled. There's more tests
2359         disabled on arm because the timeout is longer on the mips bot (as the
2360         device is slower to start with), so many of the tests don't time out
2361         there.
2362
2363         * microbenchmarks/getter-richards.js: disable on arm and mips.
2364         * stress/op_add.js: disable on arm.
2365         * stress/op_bitand.js: disable on arm.
2366         * stress/op_bitor.js: disable on arm.
2367         * stress/op_bitxor.js: disable on arm.
2368         * stress/op_lshift-ConstVar.js: disable on arm.
2369         * stress/op_lshift-VarConst.js: disable on arm.
2370         * stress/op_lshift-VarVar.js: disable on arm.
2371         * stress/op_mod-ConstVar.js: disable on arm.
2372         * stress/op_mod-VarConst.js: disable on arm.
2373         * stress/op_mod-VarVar.js: disable on arm.
2374         * stress/op_mul-ConstVar.js: disable on arm.
2375         * stress/op_mul-VarConst.js: disable on arm.
2376         * stress/op_mul-VarVar.js: disable on arm.
2377         * stress/op_rshift-ConstVar.js: disable on arm.
2378         * stress/op_rshift-VarConst.js: disable on arm.
2379         * stress/op_rshift-VarVar.js: disable on arm.
2380         * stress/op_sub-ConstVar.js: disable on arm.
2381         * stress/op_sub-VarConst.js: disable on arm.
2382         * stress/op_sub-VarVar.js: disable on arm.
2383         * stress/op_urshift-ConstVar.js: disable on arm.
2384         * stress/op_urshift-VarConst.js: disable on arm.
2385         * stress/op_urshift-VarVar.js: disable on arm.
2386         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2387         * stress/value-to-boolean.js: disable on arm and mips.
2388
2389 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2390
2391         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2392         https://bugs.webkit.org/show_bug.cgi?id=191108
2393         <rdar://problem/45690700>
2394
2395         Reviewed by Saam Barati.
2396
2397         * stress/wide-op_catch.js: Added.
2398         (catch):
2399
2400 2018-10-29  Mark Lam  <mark.lam@apple.com>
2401
2402         Correctly detect string overflow when using the 'Function' constructor.
2403         https://bugs.webkit.org/show_bug.cgi?id=184883
2404         <rdar://problem/36320331>
2405
2406         Reviewed by Saam Barati.
2407
2408         I've verified that this passes on 32-bit as well.
2409
2410         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2411
2412 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2413
2414         Add support for GetStack FlushedDouble
2415         https://bugs.webkit.org/show_bug.cgi?id=191012
2416         <rdar://problem/45265141>
2417
2418         Reviewed by Saam Barati.
2419
2420         * stress/get-stack-double.js: Added.
2421         (bar):
2422         (noInline):
2423
2424 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2425
2426         New bytecode format for JSC
2427         https://bugs.webkit.org/show_bug.cgi?id=187373
2428         <rdar://problem/44186758>
2429
2430         Reviewed by Filip Pizlo.
2431
2432         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2433
2434         * stress/maximum-inline-capacity.js: Added.
2435         (test1):
2436         (test3.Foo):
2437         (test3):
2438
2439 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2440
2441         Unreviewed, rolling out r237479 and r237484.
2442         https://bugs.webkit.org/show_bug.cgi?id=190978
2443
2444         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2445
2446         Reverted changesets:
2447
2448         "New bytecode format for JSC"
2449         https://bugs.webkit.org/show_bug.cgi?id=187373
2450         https://trac.webkit.org/changeset/237479
2451
2452         "Gardening: Build fix after r237479."
2453         https://bugs.webkit.org/show_bug.cgi?id=187373
2454         https://trac.webkit.org/changeset/237484
2455
2456 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2457
2458         New bytecode format for JSC
2459         https://bugs.webkit.org/show_bug.cgi?id=187373
2460         <rdar://problem/44186758>
2461
2462         Reviewed by Filip Pizlo.
2463
2464         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2465
2466         * stress/maximum-inline-capacity.js: Added.
2467         (test1):
2468         (test3.Foo):
2469         (test3):
2470
2471 2018-10-26  Mark Lam  <mark.lam@apple.com>
2472
2473         Fix missing edge cases with JSGlobalObjects having a bad time.
2474         https://bugs.webkit.org/show_bug.cgi?id=189028
2475         <rdar://problem/45204939>
2476
2477         Reviewed by Saam Barati.
2478
2479         * stress/regress-189028.js: Added.
2480
2481 2018-10-22  Mark Lam  <mark.lam@apple.com>
2482
2483         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2484         https://bugs.webkit.org/show_bug.cgi?id=190515
2485         <rdar://problem/45222379>
2486
2487         Rubber-stamped by Saam Barati.
2488
2489         Adding another test.
2490
2491         * stress/regress-190515-2.js: Added.
2492
2493 2018-10-22  Mark Lam  <mark.lam@apple.com>
2494
2495         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2496         https://bugs.webkit.org/show_bug.cgi?id=190515
2497         <rdar://problem/45222379>
2498
2499         Reviewed by Saam Barati.
2500
2501         * stress/regress-190515.js: Added.
2502
2503 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2504
2505         Unreviewed, rolling out r237254.
2506         https://bugs.webkit.org/show_bug.cgi?id=190760
2507
2508         "It regresses JetStream 2 by 5% on some iOS devices"
2509         (Requested by saamyjoon on #webkit).
2510
2511         Reverted changeset:
2512
2513         "[JSC] JSC should have "parseFunction" to optimize Function
2514         constructor"
2515         https://bugs.webkit.org/show_bug.cgi?id=190340
2516         https://trac.webkit.org/changeset/237254
2517
2518 2018-10-19  Saam Barati  <sbarati@apple.com>
2519
2520         vmCall should check if we exit before emitting an OSR exit due to exceptions
2521         https://bugs.webkit.org/show_bug.cgi?id=190740
2522         <rdar://problem/45220139>
2523
2524         Reviewed by Mark Lam.
2525
2526         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2527         (foo):
2528
2529 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2530
2531         [ESNext][BigInt] Implement support for "^"
2532         https://bugs.webkit.org/show_bug.cgi?id=186235
2533
2534         Reviewed by Yusuke Suzuki.
2535
2536         * stress/big-int-bitwise-xor-general.js: Added.
2537         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2538         * stress/big-int-bitwise-xor-type-error.js: Added.
2539         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2540
2541 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2542
2543         [BigInt] Add ValueSub into DFG
2544         https://bugs.webkit.org/show_bug.cgi?id=186176
2545
2546         Reviewed by Yusuke Suzuki.
2547
2548         * stress/big-int-subtraction-jit.js:
2549         * stress/value-sub-big-int-prediction-propagation.js: Added.
2550         * stress/value-sub-big-int-untyped.js: Added.
2551         * stress/value-sub-spec-none-case.js: Added.
2552
2553 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2554
2555         [JSC] JSC should have "parseFunction" to optimize Function constructor
2556         https://bugs.webkit.org/show_bug.cgi?id=190340
2557
2558         Reviewed by Mark Lam.
2559
2560         This patch fixes the line number of syntax errors raised by the Function constructor,
2561         since we now parse the final code only once. And we no longer use block statement
2562         for Function constructor's parsing.
2563
2564         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2565         * stress/function-cache-with-parameters-end-position.js: Added.
2566         (shouldBe):
2567         (shouldThrow):
2568         (i.anonymous):
2569         * stress/function-constructor-name.js: Added.
2570         (shouldBe):
2571         (GeneratorFunction):
2572         (AsyncFunction.async):
2573         (AsyncGeneratorFunction.async):
2574         (anonymous):
2575         (async.anonymous):
2576         * test262/expectations.yaml:
2577
2578 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2579
2580         Unreviewed, rolling out r237242.
2581         https://bugs.webkit.org/show_bug.cgi?id=190701
2582
2583         it breaks "stress/sampling-profiler-basic.js" (Requested by
2584         caiolima on #webkit).
2585
2586         Reverted changeset:
2587
2588         "[BigInt] Add ValueSub into DFG"
2589         https://bugs.webkit.org/show_bug.cgi?id=186176
2590         https://trac.webkit.org/changeset/237242
2591
2592 2018-10-17  Keith Miller  <keith_miller@apple.com>
2593
2594         AI does not clear Phantom allocation nodes.
2595         https://bugs.webkit.org/show_bug.cgi?id=190694
2596
2597         Reviewed by Saam Barati.
2598
2599         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2600         (Day):
2601         (DaysInYear):
2602         (TimeInYear):
2603         (TimeFromYear):
2604         (DayFromYear):
2605         (InLeapYear):
2606         (YearFromTime):
2607         (WeekDay):
2608         (DaylightSavingTA):
2609         (GetSecondSundayInMarch):
2610         (TimeInMonth):
2611
2612 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2613
2614         [BigInt] Add ValueSub into DFG
2615         https://bugs.webkit.org/show_bug.cgi?id=186176
2616
2617         Reviewed by Yusuke Suzuki.
2618
2619         * stress/big-int-subtraction-jit.js:
2620         * stress/value-sub-big-int-prediction-propagation.js: Added.
2621         * stress/value-sub-big-int-untyped.js: Added.
2622
2623 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2624
2625         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2626         https://bugs.webkit.org/show_bug.cgi?id=190611
2627
2628         Reviewed by Saam Barati.
2629
2630         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2631         to improve test runtime. On ARM/MIPS this test even timed out when running all
2632         tests.
2633
2634         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2635         (test):
2636
2637 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2638
2639         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2640
2641         Unreviewed gardening.
2642
2643         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2644
2645 2018-10-15  Saam barati  <sbarati@apple.com>
2646
2647         Emit fjcvtzs on ARM64E on Darwin
2648         https://bugs.webkit.org/show_bug.cgi?id=184023
2649
2650         Reviewed by Yusuke Suzuki and Filip Pizlo.
2651
2652         * stress/double-to-int32-NaN.js: Added.
2653         (assert):
2654         (foo):
2655
2656 2018-10-15  Saam Barati  <sbarati@apple.com>
2657
2658         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2659         https://bugs.webkit.org/show_bug.cgi?id=190262
2660         <rdar://problem/44986241>
2661
2662         Reviewed by Mark Lam.
2663
2664         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2665         (test):
2666         * stress/slice-array-storage-with-holes.js: Added.
2667         (main):
2668
2669 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2670
2671         Unreviewed, rolling out r237054.
2672         https://bugs.webkit.org/show_bug.cgi?id=190593
2673
2674         "this regressed JetStream 2 by 6% on iOS" (Requested by
2675         saamyjoon on #webkit).
2676
2677         Reverted changeset:
2678
2679         "[JSC] JSC should have "parseFunction" to optimize Function
2680         constructor"
2681         https://bugs.webkit.org/show_bug.cgi?id=190340
2682         https://trac.webkit.org/changeset/237054
2683
2684 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2685
2686         [JSC] JSON.stringify can accept call-with-no-arguments
2687         https://bugs.webkit.org/show_bug.cgi?id=190343
2688
2689         Reviewed by Mark Lam.
2690
2691         * stress/json-stringify-no-arguments.js: Added.
2692         (shouldBe):
2693
2694 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2695
2696         [JSC] JSC should have "parseFunction" to optimize Function constructor
2697         https://bugs.webkit.org/show_bug.cgi?id=190340
2698
2699         Reviewed by Mark Lam.
2700
2701         This patch fixes the line number of syntax errors raised by the Function constructor,
2702         since we now parse the final code only once. And we no longer use block statement
2703         for Function constructor's parsing.
2704
2705         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2706         * stress/function-cache-with-parameters-end-position.js: Added.
2707         (shouldBe):
2708         (shouldThrow):
2709         (i.anonymous):
2710         * stress/function-constructor-name.js: Added.
2711         (shouldBe):
2712         (GeneratorFunction):
2713         (AsyncFunction.async):
2714         (AsyncGeneratorFunction.async):
2715         (anonymous):
2716         (async.anonymous):
2717         * test262/expectations.yaml:
2718
2719 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2720
2721         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2722         https://bugs.webkit.org/show_bug.cgi?id=190426
2723
2724         Unreviewed gardening.
2725
2726         * stress/sampling-profiler-richards.js:
2727
2728 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2729
2730         [ESNext][BigInt] Implement support for "|"
2731         https://bugs.webkit.org/show_bug.cgi?id=186229
2732
2733         Reviewed by Yusuke Suzuki.
2734
2735         * stress/big-int-bitwise-and-jit.js:
2736         * stress/big-int-bitwise-or-general.js: Added.
2737         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2738         * stress/big-int-bitwise-or-jit.js: Added.
2739         * stress/big-int-bitwise-or-memory-stress.js: Added.
2740         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2741         * stress/big-int-bitwise-or-type-error.js: Added.
2742         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2743
2744 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2745
2746         Skip test on systems with limited memory
2747         https://bugs.webkit.org/show_bug.cgi?id=190310
2748
2749         Invoking runDefault adds test to runlist, skipping the test in the next
2750         line does not prevent the test from executing. Change order of lines such
2751         that runDefault is only executed if test is not executed.
2752
2753         Reviewed by Mark Lam.
2754
2755         * stress/regress-190187.js:
2756
2757 2018-10-03  Saam barati  <sbarati@apple.com>
2758
2759         lowXYZ in FTLLower should always filter the type of the incoming edge
2760         https://bugs.webkit.org/show_bug.cgi?id=189939
2761         <rdar://problem/44407030>
2762
2763         Reviewed by Michael Saboff.
2764
2765         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2766         (foo):
2767         (test):
2768
2769 2018-10-03  Mark Lam  <mark.lam@apple.com>
2770
2771         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2772         https://bugs.webkit.org/show_bug.cgi?id=190187
2773         <rdar://problem/42512909>
2774
2775         Reviewed by Michael Saboff.
2776
2777         * stress/regress-190187.js: Added.
2778
2779 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2780
2781         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2782         https://bugs.webkit.org/show_bug.cgi?id=190033
2783
2784         Reviewed by Yusuke Suzuki.
2785
2786         * stress/big-int-to-string.js:
2787
2788 2018-10-01  Mark Lam  <mark.lam@apple.com>
2789
2790         Function.toString() should also copy the source code Functions that are class definitions.
2791         https://bugs.webkit.org/show_bug.cgi?id=190186
2792         <rdar://problem/44733360>
2793
2794         Reviewed by Saam Barati.
2795
2796         * stress/regress-190186.js: Added.
2797
2798 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2799
2800         Split NaN-check into separate test
2801         https://bugs.webkit.org/show_bug.cgi?id=190010
2802
2803         Reviewed by Saam Barati.
2804
2805         DataView exposes NaN-representation, which is not necessarily the same on each
2806         architecture. Therefore move the check of the NaN-representation into its own
2807         file such that we can disable this test on MIPS where NaN-representation can be
2808         different on older CPUs.
2809
2810         * stress/dataview-jit-set-nan.js: Added.
2811         (assert):
2812         (test.storeLittleEndian):
2813         (test.storeBigEndian):
2814         (test.store):
2815         (test):
2816         * stress/dataview-jit-set.js:
2817         (test5):
2818
2819 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2820
2821         Unreviewed, rolling out r236647.
2822         https://bugs.webkit.org/show_bug.cgi?id=190124
2823
2824         Breaking test stress/big-int-to-string.js (Requested by
2825         caiolima_ on #webkit).
2826
2827         Reverted changeset:
2828
2829         "[BigInt] BigInt.prototype.toString is broken when radix is
2830         power of 2"
2831         https://bugs.webkit.org/show_bug.cgi?id=190033
2832         https://trac.webkit.org/changeset/236647
2833
2834 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2835
2836         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2837         https://bugs.webkit.org/show_bug.cgi?id=190033
2838
2839         Reviewed by Yusuke Suzuki.
2840
2841         * stress/big-int-to-string.js:
2842
2843 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2844
2845         [ESNext][BigInt] Implement support for "&"
2846         https://bugs.webkit.org/show_bug.cgi?id=186228
2847
2848         Reviewed by Yusuke Suzuki.
2849
2850         * stress/big-int-bitwise-and-general.js: Added.
2851         (assert):
2852         (assert.sameValue):
2853         * stress/big-int-bitwise-and-jit.js: Added.
2854         (let.assert.sameValue):
2855         (bigIntBitAnd):
2856         * stress/big-int-bitwise-and-memory-stress.js: Added.
2857         (assert):
2858         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2859         (assert.sameValue):
2860         (let.o.Symbol.toPrimitive):
2861         (catch):
2862         * stress/big-int-bitwise-and-type-error.js: Added.
2863         (assert):
2864         (assertThrowTypeError):
2865         (let.o.valueOf):
2866         (o.valueOf):
2867         (o.toString):
2868         (o.Symbol.toPrimitive):
2869         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2870         (assert.sameValue):
2871         (testBitAnd):
2872         (let.o.Symbol.toPrimitive):
2873         (o.valueOf):
2874         (o.toString):
2875
2876 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2877
2878         JSC test stress/jsc-read.js doesn't support CRLF
2879         https://bugs.webkit.org/show_bug.cgi?id=190063
2880
2881         Reviewed by Yusuke Suzuki.
2882
2883         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2884
2885         * stress/jsc-read.js:
2886         (test):
2887
2888 2018-09-27  Saam barati  <sbarati@apple.com>
2889
2890         Verify the contents of AssemblerBuffer on arm64e
2891         https://bugs.webkit.org/show_bug.cgi?id=190057
2892         <rdar://problem/38916630>
2893
2894         Reviewed by Mark Lam.
2895
2896         * stress/regress-189132.js:
2897
2898 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2899
2900         Disable test without LLInt on ARMv7
2901         https://bugs.webkit.org/show_bug.cgi?id=190037
2902
2903         Reviewed by Mark Lam.
2904
2905         Test runs out of executable memory on ARMv7, do not run
2906         this test without LLInt enabled.
2907
2908         * stress/regress-169445.js:
2909
2910 2018-09-26  Keith Miller  <keith_miller@apple.com>
2911
2912         We should zero unused property storage when rebalancing array storage.
2913         https://bugs.webkit.org/show_bug.cgi?id=188151
2914
2915         Reviewed by Michael Saboff.
2916
2917         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2918
2919 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2920
2921         [JSC] Optimize Array#lastIndexOf
2922         https://bugs.webkit.org/show_bug.cgi?id=189780
2923
2924         Reviewed by Saam Barati.
2925
2926         * stress/array-lastindexof-array-prototype-trap.js: Added.
2927         (shouldBe):
2928         (AncestorArray.prototype.get 2):
2929         (AncestorArray):
2930         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2931         (shouldBe):
2932         * stress/array-lastindexof-hole-nan.js: Added.
2933         (shouldBe):
2934         (throw.new.Error):
2935         * stress/array-lastindexof-infinity.js: Added.
2936         (shouldBe):
2937         (throw.new.Error):
2938         * stress/array-lastindexof-negative-zero.js: Added.
2939         (shouldBe):
2940         (throw.new.Error):
2941         * stress/array-lastindexof-own-getter.js: Added.
2942         (shouldBe):
2943         (throw.new.Error.get array):
2944         (get array):
2945         * stress/array-lastindexof-prototype-trap.js: Added.
2946         (shouldBe):
2947         (DerivedArray.prototype.get 2):
2948         (DerivedArray):
2949
2950 2018-09-25  Saam Barati  <sbarati@apple.com>
2951
2952         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2953         https://bugs.webkit.org/show_bug.cgi?id=189940
2954         <rdar://problem/43640987>
2955
2956         Reviewed by Mark Lam.
2957
2958         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2959
2960 2018-09-24  Saam Barati  <sbarati@apple.com>
2961
2962         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2963         https://bugs.webkit.org/show_bug.cgi?id=189922
2964         <rdar://problem/44651275>
2965
2966         Reviewed by Mark Lam.
2967
2968         * stress/array-indexof-fast-path-effects.js: Added.
2969         * stress/array-indexof-cached-length.js: Added.
2970
2971 2018-09-24  Saam barati  <sbarati@apple.com>
2972
2973         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2974         https://bugs.webkit.org/show_bug.cgi?id=189682
2975         <rdar://problem/43557315>
2976
2977         Reviewed by Mark Lam.
2978
2979         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2980         (foo):
2981
2982 2018-09-22  Saam barati  <sbarati@apple.com>
2983
2984         The sampling should not use Strong<CodeBlock> in its machineLocation field
2985         https://bugs.webkit.org/show_bug.cgi?id=189319
2986
2987         Reviewed by Filip Pizlo.
2988
2989         * stress/sampling-profiler-richards.js: Added.
2990
2991 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2992
2993         [JSC] Optimize Array#indexOf in C++ runtime
2994         https://bugs.webkit.org/show_bug.cgi?id=189507
2995
2996         Reviewed by Saam Barati.
2997
2998         * stress/array-indexof-array-prototype-trap.js: Added.
2999         (shouldBe):
3000         (AncestorArray.prototype.get 2):
3001         (AncestorArray):
3002         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3003         (shouldBe):
3004         * stress/array-indexof-hole-nan.js: Added.
3005         (shouldBe):
3006         (throw.new.Error):
3007         * stress/array-indexof-infinity.js: Added.
3008         (shouldBe):
3009         (throw.new.Error):
3010         * stress/array-indexof-negative-zero.js: Added.
3011         (shouldBe):
3012         (throw.new.Error):
3013         * stress/array-indexof-own-getter.js: Added.
3014         (shouldBe):
3015         (throw.new.Error.get array):
3016         (get array):
3017         * stress/array-indexof-prototype-trap.js: Added.
3018         (shouldBe):
3019         (DerivedArray.prototype.get 2):
3020         (DerivedArray):
3021
3022 2018-09-19  Saam barati  <sbarati@apple.com>
3023
3024         AI rule for MultiPutByOffset executes its effects in the wrong order
3025         https://bugs.webkit.org/show_bug.cgi?id=189757
3026         <rdar://problem/43535257>
3027
3028         Reviewed by Michael Saboff.
3029
3030         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3031         (foo):
3032         (Foo):
3033         (g):
3034
3035 2018-09-17  Mark Lam  <mark.lam@apple.com>
3036
3037         Ensure that ForInContexts are invalidated if their loop local is over-written.
3038         https://bugs.webkit.org/show_bug.cgi?id=189571
3039         <rdar://problem/44402277>
3040
3041         Reviewed by Saam Barati.
3042
3043         * stress/regress-189571.js: Added.
3044
3045 2018-09-17  Saam barati  <sbarati@apple.com>
3046
3047         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3048         https://bugs.webkit.org/show_bug.cgi?id=189676
3049         <rdar://problem/39682897>
3050
3051         Reviewed by Michael Saboff.
3052
3053         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3054         (A):
3055         (K):
3056         (i.catch):
3057
3058 2018-09-14  Saam barati  <sbarati@apple.com>
3059
3060         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3061         https://bugs.webkit.org/show_bug.cgi?id=189628
3062         <rdar://problem/39481690>
3063
3064         Reviewed by Mark Lam.
3065
3066         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3067         (foo):
3068
3069 2018-09-11  Mark Lam  <mark.lam@apple.com>
3070
3071         Test for array initialization in arrayProtoFuncSplice.
3072         https://bugs.webkit.org/show_bug.cgi?id=170253
3073         <rdar://problem/31328773>
3074
3075         Rubber-stamped by Saam Barati.
3076
3077         * stress/regress-170253.js: Added.
3078
3079 2018-09-11  Mark Lam  <mark.lam@apple.com>
3080
3081         Test for IntlObject initialization.
3082         https://bugs.webkit.org/show_bug.cgi?id=170251
3083         <rdar://problem/31328419>
3084
3085         Rubber-stamped by Saam Barati.
3086
3087         * stress/regress-170251.js: Added.
3088
3089 2018-09-11  Mark Lam  <mark.lam@apple.com>
3090
3091         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3092         https://bugs.webkit.org/show_bug.cgi?id=169889
3093         <rdar://problem/31155607>
3094
3095         Reviewed by Saam Barati.
3096
3097         * stress/regress-169889-array-concat.js: Added.
3098         * stress/regress-169889-array-concat1.js: Added.
3099         * stress/regress-169889-array-slice.js: Added.
3100
3101 2018-09-11  Mark Lam  <mark.lam@apple.com>
3102
3103         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3104         https://bugs.webkit.org/show_bug.cgi?id=169445
3105         <rdar://problem/30957435>
3106
3107         Reviewed by Saam Barati.
3108
3109         * stress/regress-169445.js: Added.
3110         (let.gun.eval.A):
3111         (let.gun.eval.B.C):
3112         (let.gun.eval.B.C.prototype.trigger):
3113         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3114         (let.gun.eval.B):
3115         (let.gun.eval):
3116
3117 == Rolled over to ChangeLog-2018-09-11 ==