JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyB...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
2
3         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
4         https://bugs.webkit.org/show_bug.cgi?id=196078
5         <rdar://problem/35925380>
6
7         Reviewed by Mark Lam.
8
9         Add a new benchmark that allocates several objects and invokes put_by_val_direct
10         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
11
12         * microbenchmarks/put-by-val-direct-large-index.js: Added.
13
14 2019-03-21  Mark Lam  <mark.lam@apple.com>
15
16         Placate exception check validation in operationArrayIndexOfString().
17         https://bugs.webkit.org/show_bug.cgi?id=196067
18         <rdar://problem/49056572>
19
20         Reviewed by Michael Saboff.
21
22         * stress/string-equal-exception-check.js: Added.
23
24 2019-03-21  Mark Lam  <mark.lam@apple.com>
25
26         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
27         https://bugs.webkit.org/show_bug.cgi?id=196055
28         <rdar://problem/49067448>
29
30         Reviewed by Yusuke Suzuki.
31
32         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
33
34 2019-03-20  Saam Barati  <sbarati@apple.com>
35
36         typeOfDoubleSum is wrong for when NaN can be produced
37         https://bugs.webkit.org/show_bug.cgi?id=196030
38
39         Reviewed by Filip Pizlo.
40
41         * stress/double-add-sub-mul-can-produce-nan.js: Added.
42         (assert):
43         (noInline.sub):
44         (noInline):
45         (assert.mul):
46         (assert.add):
47
48 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
49
50         Update the test to ensure OutOfMemoryError is thrown as intended
51         https://bugs.webkit.org/show_bug.cgi?id=196032
52         <rdar://problem/46842740>
53
54         Rubber stamped by Saam Barati.
55
56         * stress/create-error-out-of-memory-rope-string.js:
57         (assert):
58         (catch):
59
60 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
61
62         JSC::createError needs to check for OOM in errorDescriptionForValue
63         https://bugs.webkit.org/show_bug.cgi?id=196032
64         <rdar://problem/46842740>
65
66         Reviewed by Mark Lam.
67
68         * stress/create-error-out-of-memory-rope-string.js: Added.
69
70 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
71
72         Unreviewed, reduce # of iterations to avoid timing out after r242991
73         https://bugs.webkit.org/show_bug.cgi?id=195791
74
75         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
76
77         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
78
79 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
80
81         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
82         https://bugs.webkit.org/show_bug.cgi?id=195950
83
84         Unreviewed, reducing the amount of memory used on this test to avoid
85         OOM on devices with memory restrictions.
86
87         * microbenchmarks/generate-multiple-llint-entrypoints.js:
88
89 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
90
91         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
92         https://bugs.webkit.org/show_bug.cgi?id=194648
93
94         Reviewed by Keith Miller.
95
96         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
97
98 2019-03-18  Mark Lam  <mark.lam@apple.com>
99
100         Missing a ThrowScope release in JSObject::toString().
101         https://bugs.webkit.org/show_bug.cgi?id=195893
102         <rdar://problem/48970986>
103
104         Reviewed by Michael Saboff.
105
106         * stress/to-string-exception-check-release.js: Added.
107
108 2019-03-18  Mark Lam  <mark.lam@apple.com>
109
110         Structure::flattenDictionary() should clear unused property slots.
111         https://bugs.webkit.org/show_bug.cgi?id=195871
112         <rdar://problem/48959497>
113
114         Reviewed by Michael Saboff.
115
116         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
117
118 2019-03-15  Mark Lam  <mark.lam@apple.com>
119
120         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
121         https://bugs.webkit.org/show_bug.cgi?id=195827
122         <rdar://problem/48845513>
123
124         Reviewed by Filip Pizlo.
125
126         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
127
128 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
129
130         [ARM,MIPS] Skip slow tests
131         https://bugs.webkit.org/show_bug.cgi?id=195799
132
133         Unreviewed, test does not finish on ARM and MIPS within the
134         timeout limit.
135
136         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
137
138 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
141         https://bugs.webkit.org/show_bug.cgi?id=195791
142         <rdar://problem/48806130>
143
144         Reviewed by Mark Lam.
145
146         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
147         (foo):
148
149 2019-03-14  Saam barati  <sbarati@apple.com>
150
151         We can't remove code after ForceOSRExit until after FixupPhase
152         https://bugs.webkit.org/show_bug.cgi?id=186916
153         <rdar://problem/41396612>
154
155         Reviewed by Yusuke Suzuki.
156
157         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
158         (foo):
159         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
160         (foo):
161
162 2019-03-13  Michael Saboff  <msaboff@apple.com>
163
164         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
165         https://bugs.webkit.org/show_bug.cgi?id=195735
166
167         Reviewed by Mark Lam.
168
169         New regression test.
170
171         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
172         (foo):
173         (bar):
174
175 2019-03-14  Saam barati  <sbarati@apple.com>
176
177         Fixup uses KnownInt32 incorrectly in some nodes
178         https://bugs.webkit.org/show_bug.cgi?id=195279
179         <rdar://problem/47915654>
180
181         Reviewed by Yusuke Suzuki.
182
183         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
184         (foo):
185
186 2019-03-14  Keith Miller  <keith_miller@apple.com>
187
188         DFG liveness can't skip tail caller inline frames
189         https://bugs.webkit.org/show_bug.cgi?id=195715
190
191         Reviewed by Saam Barati.
192
193         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
194         (i.foo):
195
196 2019-03-13  Mark Lam  <mark.lam@apple.com>
197
198         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
199         https://bugs.webkit.org/show_bug.cgi?id=195415
200
201         Not reviewed.
202
203         Changed these tests to only run the default configuration.
204         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
205         There's no strong need to run this test on that variant.
206
207         * stress/dfg-to-string-on-int-does-gc.js:
208         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
209
210 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
211
212         String overflow when using StringBuilder in JSC::createError
213         https://bugs.webkit.org/show_bug.cgi?id=194957
214
215         Reviewed by Mark Lam.
216
217         Add test string-overflow-createError-builder.js that overflows
218         StringBuilder in notAFunctionSourceAppender. The second new test
219         string-overflow-createError-fit.js has an error message that doesn't
220         overflow, it still failed since the String's capacity can't be doubled.
221         Run test string-overflow-createError.js only in the default
222         configuration to reduce memory consumption when running the test
223         in all configurations on multiple CPUs in parallel.
224
225         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
226         (catch):
227         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
228         (catch):
229         * stress/string-overflow-createError.js:
230
231 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
232
233         [JSC] OSR entry should respect abstract values in addition to flush formats
234         https://bugs.webkit.org/show_bug.cgi?id=195653
235
236         Reviewed by Mark Lam.
237
238         * stress/osr-entry-locals-none.js: Added.
239
240 2019-03-12  Michael Saboff  <msaboff@apple.com>
241
242         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
243         https://bugs.webkit.org/show_bug.cgi?id=195613
244
245         Reviewed by Mark Lam.
246
247         New regression test.
248
249         * stress/regexp-backref-inbounds.js: Added.
250         (testRegExp):
251
252 2019-03-12  Mark Lam  <mark.lam@apple.com>
253
254         The HasIndexedProperty node does GC.
255         https://bugs.webkit.org/show_bug.cgi?id=195559
256         <rdar://problem/48767923>
257
258         Reviewed by Yusuke Suzuki.
259
260         * stress/HasIndexedProperty-does-gc.js: Added.
261
262 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
263
264         [ESNext][BigInt] Implement "~" unary operation
265         https://bugs.webkit.org/show_bug.cgi?id=182216
266
267         Reviewed by Keith Miller.
268
269         * stress/big-int-bit-not-general.js: Added.
270         * stress/big-int-bitwise-not-jit.js: Added.
271         * stress/big-int-bitwise-not-wrapped-value.js: Added.
272         * stress/bit-op-with-object-returning-int32.js:
273         * stress/bitwise-not-fixup-rules.js: Added.
274         * stress/value-bit-not-ai-rule.js: Added.
275
276 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
277
278         Invalid flags in a RegExp literal should be an early SyntaxError
279         https://bugs.webkit.org/show_bug.cgi?id=195514
280
281         Reviewed by Darin Adler.
282
283         * test262/expectations.yaml:
284         Mark 4 test cases as passing.
285
286         * stress/regexp-syntax-error-invalid-flags.js:
287         * stress/regress-161995.js: Removed.
288         Update existing test, merging in an older test for the same behavior.
289
290 2019-03-08  Mark Lam  <mark.lam@apple.com>
291
292         Stack overflow crash in JSC::JSObject::hasInstance.
293         https://bugs.webkit.org/show_bug.cgi?id=195458
294         <rdar://problem/48710195>
295
296         Reviewed by Yusuke Suzuki.
297
298         * stress/stack-overflow-in-custom-hasInstance.js: Added.
299
300 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
301
302         op_check_tdz does not def its argument
303         https://bugs.webkit.org/show_bug.cgi?id=192880
304         <rdar://problem/46221598>
305
306         Reviewed by Saam Barati.
307
308         * microbenchmarks/let-for-in.js: Added.
309         (foo):
310
311 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
314         https://bugs.webkit.org/show_bug.cgi?id=195429
315
316         Reviewed by Saam Barati.
317
318         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
319         (foo):
320         * stress/string-from-char-code-255.js: Added.
321
322 2019-03-06  Mark Lam  <mark.lam@apple.com>
323
324         Fix incorrect handling of try-finally completion values.
325         https://bugs.webkit.org/show_bug.cgi?id=195131
326         <rdar://problem/46222079>
327
328         Reviewed by Saam Barati and Yusuke Suzuki.
329
330         Added many permutations of new test case to test-finally.js.  test-finally.js has
331         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
332         tests pass there as well.
333
334         * stress/test-finally.js:
335
336 2019-03-06  Saam Barati  <sbarati@apple.com>
337
338         Air::reportUsedRegisters must padInterference
339         https://bugs.webkit.org/show_bug.cgi?id=195303
340         <rdar://problem/48270343>
341
342         Reviewed by Keith Miller.
343
344         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
345
346 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
347
348         [JSC] AI should not propagate AbstractValue relying on constant folding phase
349         https://bugs.webkit.org/show_bug.cgi?id=195375
350
351         Reviewed by Saam Barati.
352
353         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
354         (let.array):
355
356 2019-03-05  Saam barati  <sbarati@apple.com>
357
358         op_switch_char broken for rope strings after JSRopeString layout rewrite
359         https://bugs.webkit.org/show_bug.cgi?id=195339
360         <rdar://problem/48592545>
361
362         Reviewed by Yusuke Suzuki.
363
364         * stress/switch-on-char-llint-rope.js: Added.
365
366 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
367
368         [JSC] Store bits for JSRopeString in 3 stores
369         https://bugs.webkit.org/show_bug.cgi?id=195234
370
371         Reviewed by Saam Barati.
372
373         * stress/null-rope-and-collectors.js: Added.
374
375 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
376
377         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
378         https://bugs.webkit.org/show_bug.cgi?id=195207
379
380         Unreviewed. After test runtime was reduced in r242213, test can be
381         run again on ARM/MIPS.
382
383         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
384
385 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
386
387         [JSC] sizeof(JSString) should be 16
388         https://bugs.webkit.org/show_bug.cgi?id=194375
389
390         Reviewed by Saam Barati.
391
392         * microbenchmarks/make-rope.js: Added.
393         (makeRope):
394         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
395         (returnRope.helper): Deleted.
396         (returnRope): Deleted.
397
398 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
399
400         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
401         https://bugs.webkit.org/show_bug.cgi?id=195144
402
403         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
404         Change the number from 1e8 to 1e5.
405
406         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
407         (foo):
408
409 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
410
411         Test times out on ARM/MIPS
412         https://bugs.webkit.org/show_bug.cgi?id=195168
413
414         Unreviewed. Skip test on ARM/MIPS.
415
416         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
417
418 2019-02-27  Mark Lam  <mark.lam@apple.com>
419
420         The parser is failing to record the token location of new in new.target.
421         https://bugs.webkit.org/show_bug.cgi?id=195127
422         <rdar://problem/39645578>
423
424         Reviewed by Yusuke Suzuki.
425
426         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
427
428 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
429
430         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
431         https://bugs.webkit.org/show_bug.cgi?id=195144
432         <rdar://problem/47595961>
433
434         Reviewed by Mark Lam.
435
436         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
437         (bar):
438         (foo):
439         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
440         (bar):
441         (foo):
442
443 2019-02-27  Robin Morisset  <rmorisset@apple.com>
444
445         DFG: Loop-invariant code motion (LICM) should not hoist dead code
446         https://bugs.webkit.org/show_bug.cgi?id=194945
447         <rdar://problem/48311657>
448
449         Reviewed by Mark Lam.
450
451         * stress/licm-dead-code.js: Added.
452
453 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
454
455         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
456         https://bugs.webkit.org/show_bug.cgi?id=194677
457         <rdar://problem/48112492>
458
459         Reviewed by Mark Lam.
460
461         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
462         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
463         it immediately fails due to the large size.
464
465         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
466         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
467         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
468         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
469
470         This patch changes the test to produce 16bit string from String.fromCharCode.
471
472         * stress/regress-178386.js:
473
474 2019-02-26  Mark Lam  <mark.lam@apple.com>
475
476         wasmToJS() should purify incoming NaNs.
477         https://bugs.webkit.org/show_bug.cgi?id=194807
478         <rdar://problem/48189132>
479
480         Reviewed by Saam Barati.
481
482         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
483
484 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
485
486         [JSC] Repeat string created from Array.prototype.join() take too much memory
487         https://bugs.webkit.org/show_bug.cgi?id=193912
488
489         Reviewed by Saam Barati.
490
491         Added a test and a microbenchmark for corner cases of
492         Array.prototype.join() with an uninitialized array.
493
494         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
495         * stress/array-prototype-join-uninitialized.js: Added.
496         (testArray):
497         (testABC):
498         (B):
499         (C):
500
501 2019-02-22  Robin Morisset  <rmorisset@apple.com>
502
503         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
504         https://bugs.webkit.org/show_bug.cgi?id=194953
505         <rdar://problem/47595253>
506
507         Reviewed by Saam Barati.
508
509         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
510
511         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
512
513 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
514
515         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
516         https://bugs.webkit.org/show_bug.cgi?id=172848
517         <rdar://problem/25709212>
518
519         Reviewed by Mark Lam.
520
521         * typeProfiler/inheritance.js:
522         Rewrite the test slightly for clarity. The hoisting was confusing.
523
524         * heapProfiler/class-names.js: Added.
525         (MyES5Class):
526         (MyES6Class):
527         (MyES6Subclass):
528         Test object types and improved class names.
529
530         * heapProfiler/driver/driver.js:
531         (CheapHeapSnapshotNode):
532         (CheapHeapSnapshot):
533         (createCheapHeapSnapshot):
534         (HeapSnapshot):
535         (createHeapSnapshot):
536         Update snapshot parsing from version 1 to version 2.
537
538 2019-02-19  Truitt Savell  <tsavell@apple.com>
539
540         Unreviewed, rolling out r241784.
541
542         Broke all OpenSource builds.
543
544         Reverted changeset:
545
546         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
547         instances view"
548         https://bugs.webkit.org/show_bug.cgi?id=172848
549         https://trac.webkit.org/changeset/241784
550
551 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
552
553         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
554         https://bugs.webkit.org/show_bug.cgi?id=172848
555         <rdar://problem/25709212>
556
557         Reviewed by Mark Lam.
558
559         * typeProfiler/inheritance.js:
560         Rewrite the test slightly for clarity. The hoisting was confusing.
561
562         * heapProfiler/class-names.js: Added.
563         (MyES5Class):
564         (MyES6Class):
565         (MyES6Subclass):
566         Test object types and improved class names.
567
568         * heapProfiler/driver/driver.js:
569         (CheapHeapSnapshotNode):
570         (CheapHeapSnapshot):
571         (createCheapHeapSnapshot):
572         (HeapSnapshot):
573         (createHeapSnapshot):
574         Update snapshot parsing from version 1 to version 2.
575
576 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
577
578         [ARM] Fix crash with sampling profiler
579         https://bugs.webkit.org/show_bug.cgi?id=194772
580
581         Reviewed by Mark Lam.
582
583         Do not skip test since crash with sampling profiler is now fixed.
584
585         * stress/sampling-profiler-richards.js:
586
587 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
588
589         [JSC] Add LazyClassStructure::getInitializedOnMainThread
590         https://bugs.webkit.org/show_bug.cgi?id=194784
591         <rdar://problem/48154820>
592
593         Reviewed by Mark Lam.
594
595         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
596         (getProperties):
597         (getRandomProperty):
598         (i.catch):
599
600 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
601
602         [ARM] Test gardening: Test running out of executable memory
603         https://bugs.webkit.org/show_bug.cgi?id=194771
604
605         Unreviewed. Do not run test without LLInt, test is running out of executable
606         memory on ARM otherwise.
607
608         * stress/tagged-template-object-collect.js:
609
610 2019-02-18  Tomas Popela  <tpopela@redhat.com>
611
612         Unreviewed, skip the test on platforms without sampling profiler
613
614         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
615         (platformSupportsSamplingProfiler.foo):
616         (platformSupportsSamplingProfiler.test):
617         (platformSupportsSamplingProfiler):
618         (foo): Deleted.
619         (test): Deleted.
620
621 2019-02-17  Saam Barati  <sbarati@apple.com>
622
623         Deadlock when adding a Structure property transition and then doing incremental marking
624         https://bugs.webkit.org/show_bug.cgi?id=194767
625
626         Reviewed by Mark Lam.
627
628         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
629
630 2019-02-15  Michael Saboff  <msaboff@apple.com>
631
632         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
633         https://bugs.webkit.org/show_bug.cgi?id=194558
634
635         Reviewed by Saam Barati.
636
637         New regression test.
638
639         * stress/regexp-unicode-within-string.js: Added.
640
641 2019-02-15  Mark Lam  <mark.lam@apple.com>
642
643         SamplingProfiler::stackTracesAsJSON() should escape strings.
644         https://bugs.webkit.org/show_bug.cgi?id=194649
645         <rdar://problem/48072386>
646
647         Reviewed by Saam Barati.
648
649         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
650         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
651         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
652         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
653
654 2019-02-15  Robin Morisset  <rmorisset@apple.com>
655         CodeBlock::jettison should clear related watchpoints
656         https://bugs.webkit.org/show_bug.cgi?id=194544
657
658         Reviewed by Mark Lam.
659
660         * stress/regexp-replace-double-watchpoint.js: Added.
661         (foo):
662
663 2019-02-15  Saam barati  <sbarati@apple.com>
664
665         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
666         https://bugs.webkit.org/show_bug.cgi?id=194036
667
668         Reviewed by Yusuke Suzuki.
669
670         * stress/tail-call-many-arguments.js: Added.
671         (foo):
672         (bar):
673
674 2019-02-14  Saam Barati  <sbarati@apple.com>
675
676         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
677         https://bugs.webkit.org/show_bug.cgi?id=194583
678         <rdar://problem/48028140>
679
680         Reviewed by Yusuke Suzuki.
681
682         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
683
684 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
685
686         [JSC] String.fromCharCode's slow path always generates 16bit string
687         https://bugs.webkit.org/show_bug.cgi?id=194466
688
689         Reviewed by Keith Miller.
690
691         * stress/string-from-char-code-slow-path.js: Added.
692         (shouldBe):
693         (testWithLength):
694
695 2019-02-08  Saam barati  <sbarati@apple.com>
696
697         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
698         https://bugs.webkit.org/show_bug.cgi?id=194334
699         <rdar://problem/47844327>
700
701         Reviewed by Mark Lam.
702
703         * stress/check-in-bounds-should-be-a-child-use.js: Added.
704         (func):
705
706 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
707
708         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
709         https://bugs.webkit.org/show_bug.cgi?id=194369
710         <rdar://problem/47813087>
711
712         Reviewed by Saam Barati.
713
714         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
715         (A):
716
717 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
718
719         [JSC] PrivateName to PublicName hash table is wasteful
720         https://bugs.webkit.org/show_bug.cgi?id=194277
721
722         Reviewed by Michael Saboff.
723
724         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
725
726         * ChakraCore.yaml:
727
728 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
729
730         [ARM] Test running out of executable memory
731         https://bugs.webkit.org/show_bug.cgi?id=194285
732
733         Unreviewed. Do not execute test with LLInt disabled, test runs out of
734         executable memory otherwise.
735
736         * stress/class-subclassing-function.js:
737
738 2019-02-04  Robin Morisset  <rmorisset@apple.com>
739
740         when lowering AssertNotEmpty, create the value before creating the patchpoint
741         https://bugs.webkit.org/show_bug.cgi?id=194231
742
743         Reviewed by Saam Barati.
744
745         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
746         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
747         So even tiny changes to this test can change the path code taken.
748
749         * stress/assert-not-empty.js: Added.
750         (foo):
751
752 2019-02-01  Mark Lam  <mark.lam@apple.com>
753
754         Remove invalid assertion in DFG's compileDoubleRep().
755         https://bugs.webkit.org/show_bug.cgi?id=194130
756         <rdar://problem/47699474>
757
758         Reviewed by Saam Barati.
759
760         * stress/constant-fold-double-rep-into-double-constant.js: Added.
761
762 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
763
764         Import latest Test262 updates.
765
766         Rubber-stamped by Keith Miller.
767
768         * test262.yaml: Deleted.
769         * test262/config.yaml:
770         * test262/expectations.yaml:
771         * test262/latest-changes-summary.txt:
772         * test262/test/:
773         * test262/test262-Revision.txt:
774
775 2019-01-30  Robin Morisset  <rmorisset@apple.com>
776
777         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
778         https://bugs.webkit.org/show_bug.cgi?id=194050
779         <rdar://problem/47595592>
780
781         Reviewed by Yusuke Suzuki.
782
783         * stress/object-keys-osr-exit.js: Added.
784         (foo):
785         (catch):
786
787 2019-01-29  Mark Lam  <mark.lam@apple.com>
788
789         ValueRecovery::recover() should purify NaN values it recovers.
790         https://bugs.webkit.org/show_bug.cgi?id=193978
791         <rdar://problem/47625488>
792
793         Reviewed by Saam Barati.
794
795         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
796
797 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
798
799         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
800         https://bugs.webkit.org/show_bug.cgi?id=193713
801
802         * stress/try-get-by-id-should-spill-registers-dfg.js:
803         (let.f.createBuiltin):
804
805 2019-01-28  Mark Lam  <mark.lam@apple.com>
806
807         ToString node actually does GC.
808         https://bugs.webkit.org/show_bug.cgi?id=193920
809         <rdar://problem/46695900>
810
811         Reviewed by Yusuke Suzuki.
812
813         * stress/dfg-to-string-on-int-does-gc.js: Added.
814         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
815         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
816
817 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] NativeErrorConstructor should not have own IsoSubspace
820         https://bugs.webkit.org/show_bug.cgi?id=193713
821
822         Reviewed by Saam Barati.
823
824         Remove @Error use.
825
826         * stress/try-get-by-id-should-spill-registers-dfg.js:
827         (let.f.createBuiltin):
828
829 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
830
831         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
832         https://bugs.webkit.org/show_bug.cgi?id=190693
833
834         Reviewed by Michael Saboff.
835
836         * stress/regress-190693.js: Added.
837         (truth):
838         (assert):
839         (shouldThrowInvalidConstAssignment):
840         (taz):
841
842 2019-01-24  Saam Barati  <sbarati@apple.com>
843
844         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
845         https://bugs.webkit.org/show_bug.cgi?id=193751
846         <rdar://problem/47280215>
847
848         Reviewed by Michael Saboff.
849
850         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
851         (let.thing):
852         (foo.let.hello):
853         (foo):
854
855 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
856
857         [JSC] Reenable baseline JIT on mips
858         https://bugs.webkit.org/show_bug.cgi?id=192983
859
860         Reviewed by Mark Lam.
861
862         Added a new test for a case that was triggering a RELEASE_ASSERT when
863         testing.
864         Disable some slow tests that were already disabled for arm and x86.
865
866         * stress/json-parse-big-object.js: Added.
867         * stress/new-largeish-contiguous-array-with-size.js:
868         * stress/op_add.js:
869         * stress/op_bitand.js:
870         * stress/op_bitor.js:
871         * stress/op_bitxor.js:
872         * stress/op_lshift-ConstVar.js:
873         * stress/op_lshift-VarConst.js:
874         * stress/op_lshift-VarVar.js:
875         * stress/op_mod-ConstVar.js:
876         * stress/op_mod-VarConst.js:
877         * stress/op_mod-VarVar.js:
878         * stress/op_mul-ConstVar.js:
879         * stress/op_mul-VarConst.js:
880         * stress/op_mul-VarVar.js:
881         * stress/op_rshift-ConstVar.js:
882         * stress/op_rshift-VarConst.js:
883         * stress/op_rshift-VarVar.js:
884         * stress/op_sub-ConstVar.js:
885         * stress/op_sub-VarConst.js:
886         * stress/op_sub-VarVar.js:
887         * stress/op_urshift-ConstVar.js:
888         * stress/op_urshift-VarConst.js:
889         * stress/op_urshift-VarVar.js:
890         * stress/sampling-profiler-richards.js:
891         * stress/spread-forward-call-varargs-stack-overflow.js:
892
893 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
894
895         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
896         https://bugs.webkit.org/show_bug.cgi?id=193711
897         <rdar://problem/47250262>
898
899         Reviewed by Saam Barati.
900
901         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
902         (shouldBe):
903         (foo):
904         (bar):
905         (baz):
906
907 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         Unreviewed, fix initial global lexical binding epoch
910         https://bugs.webkit.org/show_bug.cgi?id=193603
911         <rdar://problem/47380869>
912
913         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
914         (f1.f2.f3.f4):
915         (f1.f2.f3):
916         (f1.f2):
917         (f1):
918
919 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
922         https://bugs.webkit.org/show_bug.cgi?id=193709
923         <rdar://problem/47363838>
924
925         Unreviewed, rollout to watch the tests.
926
927         * stress/object-tostring-changed-proto.js: Removed.
928         * stress/object-tostring-changed.js: Removed.
929         * stress/object-tostring-misc.js: Removed.
930         * stress/object-tostring-other.js: Removed.
931         * stress/object-tostring-untyped.js: Removed.
932
933 2019-01-22  Saam Barati  <sbarati@apple.com>
934
935         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
936
937         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
938         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
939         (testUncheckedLessThanZero):
940         (testUncheckedLessThanOrEqualZero):
941         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
942         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
943
944 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
945
946         [JSC] Invalidate old scope operations using global lexical binding epoch
947         https://bugs.webkit.org/show_bug.cgi?id=193603
948         <rdar://problem/47380869>
949
950         Reviewed by Saam Barati.
951
952         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
953         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
954         (shouldThrow):
955         (bar):
956         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
957         (shouldBe):
958         (get1):
959         (get2):
960         (get1If):
961         (get2If):
962         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
963         (shouldThrow):
964         (foo):
965
966 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
967
968         Unreviewed, roll out r240220 due to date-format-xparb regression
969         https://bugs.webkit.org/show_bug.cgi?id=193603
970
971         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
972         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
973         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
974         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
975
976 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
977
978         DoesGC rule is wrong for nodes with BigIntUse
979         https://bugs.webkit.org/show_bug.cgi?id=193652
980
981         Reviewed by Saam Barati.
982
983         * stress/big-int-value-op-update-gc-rules.js: Added.
984         (assert):
985         (doesGCAdd):
986         (doesGCSub):
987         (doesGCDiv):
988         (doesGCMul):
989         (doesGCBitAnd):
990         (doesGCBitOr):
991         (doesGCBitXor):
992
993 2019-01-20  Saam Barati  <sbarati@apple.com>
994
995         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
996         https://bugs.webkit.org/show_bug.cgi?id=193644
997         <rdar://problem/46209745>
998
999         Reviewed by Yusuke Suzuki.
1000
1001         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1002         (foo):
1003         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1004         (foo):
1005         (bar):
1006
1007 2019-01-20  Saam Barati  <sbarati@apple.com>
1008
1009         MovHint must merge NodeBytecodeUsesAsValue for its child
1010         https://bugs.webkit.org/show_bug.cgi?id=186916
1011         <rdar://problem/41396612>
1012
1013         Reviewed by Yusuke Suzuki.
1014
1015         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1016         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1017
1018 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         [JSC] Invalidate old scope operations using global lexical binding epoch
1021         https://bugs.webkit.org/show_bug.cgi?id=193603
1022         <rdar://problem/47380869>
1023
1024         Reviewed by Saam Barati.
1025
1026         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1027         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1028         (shouldThrow):
1029         (bar):
1030         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1031         (shouldBe):
1032         (get1):
1033         (get2):
1034         (get1If):
1035         (get2If):
1036         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1037         (shouldThrow):
1038         (foo):
1039
1040 2019-01-17  Saam barati  <sbarati@apple.com>
1041
1042         StringObjectUse should not be a structure check for the original string object structure
1043         https://bugs.webkit.org/show_bug.cgi?id=193483
1044         <rdar://problem/47280522>
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1049         (foo):
1050         (a.valueOf.0):
1051
1052 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1053
1054         [JSC] ToThis omission in DFGByteCodeParser is wrong
1055         https://bugs.webkit.org/show_bug.cgi?id=193513
1056         <rdar://problem/45842236>
1057
1058         Reviewed by Saam Barati.
1059
1060         * stress/to-this-omission-with-different-strict-modes.js: Added.
1061         (thisA):
1062         (thisAStrictWrapper):
1063
1064 2019-01-15  Mark Lam  <mark.lam@apple.com>
1065
1066         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1067         https://bugs.webkit.org/show_bug.cgi?id=193423
1068         <rdar://problem/46209355>
1069
1070         Reviewed by Saam Barati.
1071
1072         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1073         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1074         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1075         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1076
1077 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1078
1079         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1080         https://bugs.webkit.org/show_bug.cgi?id=193438
1081         <rdar://problem/45581249>
1082
1083         Reviewed by Saam Barati and Keith Miller.
1084
1085         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1086         Then, GetByVal(String) crashed.
1087
1088         * stress/string-get-by-val-lowering.js: Added.
1089         (shouldBe):
1090         (test):
1091         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1092         (Hello):
1093         (foo):
1094
1095 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1096
1097         Unreviewed, skip JIT tests if it's not enabled
1098
1099         * stress/bit-op-with-object-returning-int32.js:
1100
1101 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1102
1103         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1104         https://bugs.webkit.org/show_bug.cgi?id=192966
1105
1106         Reviewed by Yusuke Suzuki.
1107
1108         * stress/bit-op-with-object-returning-int32.js: Added.
1109
1110 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1111
1112         Skip a slow test and a flakey test on arm
1113
1114         Unreviewed gardening.
1115
1116         * typeProfiler/getter-richards.js:
1117         This test always times out. It used to be always skipped on arm and
1118         mips, but got accidentally enabled by r237919 now that we have DFG on
1119         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1120
1121 2019-01-14  Keith Miller  <keith_miller@apple.com>
1122
1123         Skip type-check-hoisting-phase-hoist... with no jit
1124         https://bugs.webkit.org/show_bug.cgi?id=193421
1125
1126         Reviewed by Mark Lam.
1127
1128         It's timing out the 32-bit bots and takes 330 seconds
1129         on my machine when run by itself.
1130
1131         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1132
1133 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1134
1135         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1136         https://bugs.webkit.org/show_bug.cgi?id=193413
1137         <rdar://problem/46092389>
1138
1139         Reviewed by Keith Miller.
1140
1141         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1142         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1143         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1144         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1145
1146         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1147         (compareArray):
1148
1149 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1150
1151         [BigInt] Literal parsing is crashing when used inside a Object Literal
1152         https://bugs.webkit.org/show_bug.cgi?id=193404
1153
1154         Reviewed by Yusuke Suzuki.
1155
1156         * stress/big-int-literal-inside-literal-object.js: Added.
1157
1158 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1159
1160         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1161         https://bugs.webkit.org/show_bug.cgi?id=193372
1162
1163         Reviewed by Saam Barati.
1164
1165         * stress/typed-array-array-modes-profile.js: Added.
1166         (foo):
1167
1168 2019-01-14  Mark Lam  <mark.lam@apple.com>
1169
1170         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1171         https://bugs.webkit.org/show_bug.cgi?id=193402
1172         <rdar://problem/46012309>
1173
1174         Reviewed by Keith Miller.
1175
1176         * stress/regexp-compile-oom.js:
1177         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1178           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1179
1180 2019-01-11  Saam barati  <sbarati@apple.com>
1181
1182         DFG combined liveness can be wrong for terminal basic blocks
1183         https://bugs.webkit.org/show_bug.cgi?id=193304
1184         <rdar://problem/45268632>
1185
1186         Reviewed by Yusuke Suzuki.
1187
1188         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1189
1190 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1191
1192         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1193         https://bugs.webkit.org/show_bug.cgi?id=193308
1194         <rdar://problem/45546542>
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1199         (shouldThrow):
1200         (shouldBe):
1201         (foo):
1202         (get shouldThrow):
1203         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1204         (shouldThrow):
1205         (shouldBe):
1206         (foo):
1207         (get shouldBe):
1208         (get shouldThrow):
1209         (get return):
1210         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1211         (shouldThrow):
1212         (shouldBe):
1213         (foo):
1214         (get shouldBe):
1215         (get shouldThrow):
1216         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1217         (shouldThrow):
1218         (shouldBe):
1219         (foo):
1220         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1221         (shouldThrow):
1222         (shouldBe):
1223         (foo):
1224         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1225         (shouldThrow):
1226         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1227         (shouldThrow):
1228         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1229         (shouldThrow):
1230         (shouldBe):
1231         (foo):
1232         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1233         (shouldThrow):
1234         (shouldBe):
1235         (foo):
1236         (get shouldBe):
1237         (get shouldThrow):
1238         (get return):
1239         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1240         (shouldThrow):
1241         (shouldBe):
1242         (foo):
1243         (get shouldBe):
1244         (get shouldThrow):
1245         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1246         (shouldThrow):
1247         (shouldBe):
1248         (foo):
1249         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1250         (shouldThrow):
1251         (shouldBe):
1252         (foo):
1253
1254 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1255
1256         Enable DFG on ARM/Linux again
1257         https://bugs.webkit.org/show_bug.cgi?id=192496
1258
1259         Reviewed by Yusuke Suzuki.
1260
1261         Test wasn't really skipped before moving the line with skip
1262         to the top.
1263
1264         * stress/regress-192717.js:
1265
1266 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1267
1268         Unreviewed, rolling out r239825.
1269         https://bugs.webkit.org/show_bug.cgi?id=193330
1270
1271         Broke tests on armv7/linux bots (Requested by guijemont on
1272         #webkit).
1273
1274         Reverted changeset:
1275
1276         "Enable DFG on ARM/Linux again"
1277         https://bugs.webkit.org/show_bug.cgi?id=192496
1278         https://trac.webkit.org/changeset/239825
1279
1280 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1281
1282         Enable DFG on ARM/Linux again
1283         https://bugs.webkit.org/show_bug.cgi?id=192496
1284
1285         Reviewed by Yusuke Suzuki.
1286
1287         Test wasn't really skipped before moving the line with skip
1288         to the top.
1289
1290         * stress/regress-192717.js:
1291
1292 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1295         https://bugs.webkit.org/show_bug.cgi?id=193127
1296
1297         Reviewed by Saam Barati.
1298
1299         * stress/array-species-create-should-handle-masquerader.js: Added.
1300         (shouldThrow):
1301         * stress/is-undefined-or-null-builtin.js: Added.
1302         (shouldBe):
1303         (isUndefinedOrNull.vm.createBuiltin):
1304
1305 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1306
1307         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1308         https://bugs.webkit.org/show_bug.cgi?id=193221
1309
1310         Reviewed by Mark Lam.
1311
1312         * stress/put-by-id-flags.js: Added.
1313         (f):
1314         (g):
1315         (numberOfDFGCompiles):
1316
1317 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1318
1319         Baseline version of get_by_id may corrupt metadata
1320         https://bugs.webkit.org/show_bug.cgi?id=193085
1321         <rdar://problem/23453006>
1322
1323         Reviewed by Saam Barati.
1324
1325         * stress/get-by-id-change-mode.js: Added.
1326         (forEach):
1327
1328 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1329
1330         [JSC] Optimize Object.prototype.toString
1331         https://bugs.webkit.org/show_bug.cgi?id=193031
1332
1333         Reviewed by Saam Barati.
1334
1335         * stress/object-tostring-changed-proto.js: Added.
1336         (shouldBe):
1337         (test):
1338         * stress/object-tostring-changed.js: Added.
1339         (shouldBe):
1340         (test):
1341         * stress/object-tostring-misc.js: Added.
1342         (shouldBe):
1343         (test):
1344         (i.switch):
1345         * stress/object-tostring-other.js: Added.
1346         (shouldBe):
1347         (test):
1348         * stress/object-tostring-untyped.js: Added.
1349         (shouldBe):
1350         (test):
1351         (i.switch):
1352
1353 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1354
1355         test262-runner misbehaves when test file YAML has a trailing space
1356         https://bugs.webkit.org/show_bug.cgi?id=193053
1357
1358         Reviewed by Yusuke Suzuki.
1359
1360         * test262/expectations.yaml:
1361         Mark two dozen tests as passing (and correct the output of another).
1362
1363 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1364
1365         Unreviewed, JSTests gardening with memoryLimited
1366
1367         * stress/string-overflow-createError.js:
1368
1369 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1370
1371         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1372         https://bugs.webkit.org/show_bug.cgi?id=193050
1373
1374         Reviewed by Yusuke Suzuki.
1375
1376         * test262.yaml:
1377         * test262/expectations.yaml:
1378         Mark 16 tests as passing.
1379
1380 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1381
1382         [BigInt] Support BigInt in JSON.stringify
1383         https://bugs.webkit.org/show_bug.cgi?id=192624
1384
1385         Reviewed by Saam Barati.
1386
1387         * stress/big-int-json-stringify-to-json.js: Added.
1388         (shouldBe):
1389         (shouldThrow):
1390         (BigInt.prototype.toJSON):
1391         (shouldBe.JSON.stringify):
1392         * stress/big-int-json-stringify.js: Added.
1393         (shouldBe):
1394         (shouldThrow):
1395
1396 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1397
1398         [JSC] Implement "well-formed JSON.stringify" proposal
1399         https://bugs.webkit.org/show_bug.cgi?id=191677
1400
1401         Reviewed by Darin Adler.
1402
1403         * stress/json-surrogate-pair.js: Added.
1404         (shouldBe):
1405         * test262/expectations.yaml:
1406
1407 2018-12-20  Keith Miller  <keith_miller@apple.com>
1408
1409         Add support for globalThis
1410         https://bugs.webkit.org/show_bug.cgi?id=165171
1411
1412         Reviewed by Mark Lam.
1413
1414         * test262/config.yaml:
1415
1416 2018-12-19  Keith Miller  <keith_miller@apple.com>
1417
1418         Update test262 configuration to not run tests dependent on ICU version.
1419         https://bugs.webkit.org/show_bug.cgi?id=192920
1420
1421         Reviewed by Saam Barati.
1422
1423         * test262/expectations.yaml:
1424
1425 2018-12-20  Mark Lam  <mark.lam@apple.com>
1426
1427         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1428         https://bugs.webkit.org/show_bug.cgi?id=192939
1429         <rdar://problem/46869516>
1430
1431         Reviewed by Keith Miller.
1432
1433         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1434
1435 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1436
1437         WTF::String and StringImpl overflow MaxLength
1438         https://bugs.webkit.org/show_bug.cgi?id=192853
1439         <rdar://problem/45726906>
1440
1441         Reviewed by Mark Lam.
1442
1443         * stress/string-16bit-repeat-overflow.js: Added.
1444         (catch):
1445
1446 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1447
1448         Unreviewed follow-up to r192914.
1449
1450         * test262/expectations.yaml:
1451         Add the last 20 missing expectations.
1452
1453 2018-12-19  Keith Miller  <keith_miller@apple.com>
1454
1455         Fix test262 expectations
1456         https://bugs.webkit.org/show_bug.cgi?id=192914
1457
1458         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1459
1460         * test262/expectations.yaml:
1461
1462 2018-12-19  Keith Miller  <keith_miller@apple.com>
1463
1464         Update test262 tests.
1465         https://bugs.webkit.org/show_bug.cgi?id=192907
1466
1467         Rubber stamped by Mark Lam.
1468
1469         * test262/*: Omitted because prepare-changelog crashes.
1470
1471 2018-12-19  Mark Lam  <mark.lam@apple.com>
1472
1473         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1474         https://bugs.webkit.org/show_bug.cgi?id=192464
1475         <rdar://problem/46519455>
1476
1477         Reviewed by Saam Barati.
1478
1479         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1480         microbenchmark.
1481
1482         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1483         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1484
1485 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1486
1487         String overflow in JSC::createError results in ASSERT in WTF::makeString
1488         https://bugs.webkit.org/show_bug.cgi?id=192833
1489         <rdar://problem/45706868>
1490
1491         Reviewed by Mark Lam.
1492
1493         * stress/string-overflow-createError.js: Added.
1494
1495 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1496
1497         Error message for `-x ** y` contains a typo.
1498         https://bugs.webkit.org/show_bug.cgi?id=192832
1499
1500         Reviewed by Saam Barati.
1501
1502         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1503         (assert.assert.return.throws):
1504         * stress/pow-expects-update-expression-on-lhs.js:
1505         (throw.new.Error):
1506         Update test expectations which match against the exact error message.
1507
1508 2018-12-18  Mark Lam  <mark.lam@apple.com>
1509
1510         Gardening: test options fix.
1511         https://bugs.webkit.org/show_bug.cgi?id=192822
1512
1513         Unreviewed.
1514
1515         * stress/json-stringify-string-builder-overflow.js:
1516
1517 2018-12-18  Mark Lam  <mark.lam@apple.com>
1518
1519         JSON.stringify() should throw OOM on StringBuilder overflows.
1520         https://bugs.webkit.org/show_bug.cgi?id=192822
1521         <rdar://problem/46670577>
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/json-stringify-string-builder-overflow.js: Added.
1526
1527 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1528
1529         Redeclaration of var over let/const/class should be a syntax error.
1530         https://bugs.webkit.org/show_bug.cgi?id=192298
1531
1532         Reviewed by Keith Miller.
1533
1534         * test262.yaml:
1535         * test262/expectations.yaml:
1536         Mark 46 tests as passing.
1537
1538         * stress/block-scope-redeclarations.js:
1539         Add some new tests.
1540
1541         * stress/for-in-invalidate-context-weird-assignments.js:
1542         * stress/for-in-tests.js:
1543         Replace tests for outdated behavior with tests for SyntaxError.
1544
1545         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1546         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1547         Update expectations.
1548
1549 2018-12-18  Mark Lam  <mark.lam@apple.com>
1550
1551         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1552         https://bugs.webkit.org/show_bug.cgi?id=191374
1553         <rdar://problem/46525447>
1554
1555         Reviewed by Yusuke Suzuki.
1556
1557         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1558
1559         * stress/elidable-new-object-roflcopter-then-exit.js:
1560
1561 2018-12-17  Mark Lam  <mark.lam@apple.com>
1562
1563         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1564         https://bugs.webkit.org/show_bug.cgi?id=192019
1565         <rdar://problem/46525456>
1566
1567         Reviewed by Yusuke Suzuki.
1568
1569         The test runs too slow on 32-bit.
1570
1571         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1572
1573 2018-12-17  Mark Lam  <mark.lam@apple.com>
1574
1575         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1576         https://bugs.webkit.org/show_bug.cgi?id=191373
1577         <rdar://problem/46525458>
1578
1579         Reviewed by Yusuke Suzuki.
1580
1581         The test is already slow running with a JIT on 64-bit.  It will always time out
1582         on 32-bit without a JIT.
1583
1584         * stress/materialize-regexp-cyclic-regexp.js:
1585
1586 2018-12-17  Mark Lam  <mark.lam@apple.com>
1587
1588         Array unshift/shift should not race against the AI in the compiler thread.
1589         https://bugs.webkit.org/show_bug.cgi?id=192795
1590         <rdar://problem/46724263>
1591
1592         Reviewed by Saam Barati.
1593
1594         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1595
1596 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1597
1598         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1599         https://bugs.webkit.org/show_bug.cgi?id=190047
1600
1601         Reviewed by Saam Barati.
1602
1603         * stress/object-keys-cached-zero.js: Added.
1604         (shouldBe):
1605         (test):
1606         * stress/object-keys-changed-attribute.js: Added.
1607         (shouldBe):
1608         (test):
1609         * stress/object-keys-changed-index.js: Added.
1610         (shouldBe):
1611         (test):
1612         * stress/object-keys-changed.js: Added.
1613         (shouldBe):
1614         (test):
1615         * stress/object-keys-indexed-non-cache.js: Added.
1616         (shouldBe):
1617         (test):
1618         * stress/object-keys-overrides-get-property-names.js: Added.
1619         (shouldBe):
1620         (test):
1621         (noInline):
1622
1623 2018-12-17  Mark Lam  <mark.lam@apple.com>
1624
1625         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1626         https://bugs.webkit.org/show_bug.cgi?id=192779
1627         <rdar://problem/46775869>
1628
1629         Reviewed by Saam Barati.
1630
1631         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1632
1633 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1634
1635         Unreviewed test gardening, address a syntax error in a new test.
1636
1637         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1638
1639 2018-12-17  Mark Lam  <mark.lam@apple.com>
1640
1641         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1642         https://bugs.webkit.org/show_bug.cgi?id=192776
1643         <rdar://problem/46772368>
1644
1645         Reviewed by Keith Miller.
1646
1647         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1648
1649 2018-12-17  Mark Lam  <mark.lam@apple.com>
1650
1651         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1652         https://bugs.webkit.org/show_bug.cgi?id=192770
1653         <rdar://problem/46449037>
1654
1655         Reviewed by Keith Miller.
1656
1657         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1658
1659 2018-12-14  Mark Lam  <mark.lam@apple.com>
1660
1661         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1662         https://bugs.webkit.org/show_bug.cgi?id=192717
1663         <rdar://problem/46660677>
1664
1665         Reviewed by Saam Barati.
1666
1667         * stress/regress-192717.js: Added.
1668
1669 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1670
1671         Unreviewed, rolling out r239153, r239154, and r239155.
1672         https://bugs.webkit.org/show_bug.cgi?id=192715
1673
1674         Caused flaky GC-related crashes seen with layout tests
1675         (Requested by ryanhaddad on #webkit).
1676
1677         Reverted changesets:
1678
1679         "[JSC] Optimize Object.keys by caching own keys results in
1680         StructureRareData"
1681         https://bugs.webkit.org/show_bug.cgi?id=190047
1682         https://trac.webkit.org/changeset/239153
1683
1684         "Unreviewed, build fix after r239153"
1685         https://bugs.webkit.org/show_bug.cgi?id=190047
1686         https://trac.webkit.org/changeset/239154
1687
1688         "Unreviewed, build fix after r239153, part 2"
1689         https://bugs.webkit.org/show_bug.cgi?id=190047
1690         https://trac.webkit.org/changeset/239155
1691
1692 2018-12-14  Keith Miller  <keith_miller@apple.com>
1693
1694         Callers of JSString::getIndex should check for OOM exceptions
1695         https://bugs.webkit.org/show_bug.cgi?id=192709
1696
1697         Reviewed by Mark Lam.
1698
1699         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1700
1701 2018-12-13  Mark Lam  <mark.lam@apple.com>
1702
1703         Add a missing exception check.
1704         https://bugs.webkit.org/show_bug.cgi?id=192626
1705         <rdar://problem/46662163>
1706
1707         Reviewed by Keith Miller.
1708
1709         * stress/regress-192626.js: Added.
1710
1711 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1712
1713         [BigInt] Add ValueDiv into DFG
1714         https://bugs.webkit.org/show_bug.cgi?id=186178
1715
1716         Reviewed by Yusuke Suzuki.
1717
1718         * stress/big-int-div-jit-osr.js: Added.
1719         * stress/big-int-div-jit-untyped.js: Added.
1720         * stress/value-div-fixup-int32-big-int.js: Added.
1721
1722 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1723
1724         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1725         https://bugs.webkit.org/show_bug.cgi?id=190047
1726
1727         Reviewed by Keith Miller.
1728
1729         * stress/object-keys-cached-zero.js: Added.
1730         (shouldBe):
1731         (test):
1732         * stress/object-keys-changed-attribute.js: Added.
1733         (shouldBe):
1734         (test):
1735         * stress/object-keys-changed-index.js: Added.
1736         (shouldBe):
1737         (test):
1738         * stress/object-keys-changed.js: Added.
1739         (shouldBe):
1740         (test):
1741         * stress/object-keys-indexed-non-cache.js: Added.
1742         (shouldBe):
1743         (test):
1744         * stress/object-keys-overrides-get-property-names.js: Added.
1745         (shouldBe):
1746         (test):
1747         (noInline):
1748
1749 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1750
1751         [DFG][FTL] Add NewSymbol
1752         https://bugs.webkit.org/show_bug.cgi?id=192620
1753
1754         Reviewed by Saam Barati.
1755
1756         * microbenchmarks/symbol-creation.js: Added.
1757         (test):
1758         * stress/symbol-description-identity.js: Added.
1759         (shouldBe):
1760         (test):
1761         * stress/symbol-identity.js: Added.
1762         (shouldBe):
1763         (test):
1764         * stress/symbol-with-description-throw-error.js: Added.
1765         (shouldBe):
1766         (shouldThrow):
1767         (test):
1768         (object.toString):
1769
1770 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1771
1772         [BigInt] Implement DFG/FTL typeof for BigInt
1773         https://bugs.webkit.org/show_bug.cgi?id=192619
1774
1775         Reviewed by Keith Miller.
1776
1777         * stress/big-int-boolean-proven-type.js: Added.
1778         (assert):
1779         (bool):
1780         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1781         (assert):
1782         (typeOf):
1783         (i.switch):
1784         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1785         (assert):
1786         (typeOf):
1787         * stress/big-int-type-of.js:
1788         (typeOf):
1789         (func):
1790
1791 2018-12-10  Mark Lam  <mark.lam@apple.com>
1792
1793         PropertyAttribute needs a CustomValue bit.
1794         https://bugs.webkit.org/show_bug.cgi?id=191993
1795         <rdar://problem/46264467>
1796
1797         Reviewed by Saam Barati.
1798
1799         * stress/regress-191993.js: Added.
1800
1801 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1802
1803         [BigInt] Add ValueMul into DFG
1804         https://bugs.webkit.org/show_bug.cgi?id=186175
1805
1806         Reviewed by Yusuke Suzuki.
1807
1808         * stress/big-int-mul-jit-osr.js: Added.
1809         * stress/big-int-mul-jit-untyped.js: Added.
1810         * stress/value-mul-fixup-int32-big-int.js: Added.
1811
1812 2018-12-06  Keith Miller  <keith_miller@apple.com>
1813
1814         stress/big-wasm-memory tests failing on 32-bit JSC bot
1815         https://bugs.webkit.org/show_bug.cgi?id=192020
1816
1817         Reviewed by Saam Barati.
1818
1819         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1820         the wasm stress tests if the WebAssembly object does not exist.
1821
1822         * stress/big-wasm-memory-grow-no-max.js:
1823         (test.foo):
1824         (test):
1825         (foo): Deleted.
1826         (catch): Deleted.
1827         * stress/big-wasm-memory-grow.js:
1828         (test.foo):
1829         (test):
1830         (foo): Deleted.
1831         (catch): Deleted.
1832         * stress/big-wasm-memory.js:
1833         (test.foo):
1834         (test):
1835         (foo): Deleted.
1836         (catch): Deleted.
1837
1838 2018-12-05  Mark Lam  <mark.lam@apple.com>
1839
1840         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1841         https://bugs.webkit.org/show_bug.cgi?id=192441
1842         <rdar://problem/46480355>
1843
1844         Reviewed by Saam Barati.
1845
1846         * stress/regress-192441.js: Added.
1847
1848 2018-12-04  Mark Lam  <mark.lam@apple.com>
1849
1850         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1851         https://bugs.webkit.org/show_bug.cgi?id=192386
1852         <rdar://problem/46445516>
1853
1854         Reviewed by Saam Barati.
1855
1856         * stress/regress-192386.js: Added.
1857
1858 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1859
1860         [ESNext][BigInt] Support logic operations
1861         https://bugs.webkit.org/show_bug.cgi?id=179903
1862
1863         Reviewed by Yusuke Suzuki.
1864
1865         * stress/big-int-branch-usage.js: Added.
1866         * stress/big-int-logical-and.js: Added.
1867         * stress/big-int-logical-not.js: Added.
1868         * stress/big-int-logical-or.js: Added.
1869
1870 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1871
1872         Unreviewed, rolling out r238833.
1873
1874         Breaks macOS and iOS debug builds.
1875
1876         Reverted changeset:
1877
1878         "[ESNext][BigInt] Support logic operations"
1879         https://bugs.webkit.org/show_bug.cgi?id=179903
1880         https://trac.webkit.org/changeset/238833
1881
1882 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1883
1884         [ESNext][BigInt] Support logic operations
1885         https://bugs.webkit.org/show_bug.cgi?id=179903
1886
1887         Reviewed by Yusuke Suzuki.
1888
1889         * stress/big-int-branch-usage.js: Added.
1890         * stress/big-int-logical-and.js: Added.
1891         * stress/big-int-logical-not.js: Added.
1892         * stress/big-int-logical-or.js: Added.
1893
1894 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1895
1896         [ESNext][BigInt] Implement support for "<<" and ">>"
1897         https://bugs.webkit.org/show_bug.cgi?id=186233
1898
1899         Reviewed by Yusuke Suzuki.
1900
1901         * stress/big-int-left-shift-general.js: Added.
1902         * stress/big-int-left-shift-range-error.js: Added.
1903         * stress/big-int-left-shift-type-error.js: Added.
1904         * stress/big-int-left-shift-wrapped-value.js: Added.
1905         * stress/big-int-right-shift-general.js: Added.
1906         * stress/big-int-right-shift-type-error.js: Added.
1907         * stress/big-int-right-shift-wrapped-value.js: Added.
1908         * stress/left-shift-to-primitive-precedence.js: Added.
1909         * stress/right-shift-to-primitive-precedence.js: Added.
1910
1911 2018-11-30  Dean Jackson  <dino@apple.com>
1912
1913         Add first-class support for .mjs files in jsc binary
1914         https://bugs.webkit.org/show_bug.cgi?id=192190
1915         <rdar://problem/46375715>
1916
1917         Reviewed by Keith Miller.
1918
1919         * stress/simple-module.mjs: Added.
1920         * stress/simple-script.js: Added.
1921
1922 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1923
1924         [BigInt] Implement ValueBitXor into DFG
1925         https://bugs.webkit.org/show_bug.cgi?id=190264
1926
1927         Reviewed by Yusuke Suzuki.
1928
1929         * stress/big-int-bitwise-xor-jit.js: Added.
1930         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1931         * stress/big-int-bitwise-xor-untyped.js: Added.
1932
1933 2018-11-27  Saam barati  <sbarati@apple.com>
1934
1935         r238510 broke scopes of size zero
1936         https://bugs.webkit.org/show_bug.cgi?id=192033
1937         <rdar://problem/46281734>
1938
1939         Reviewed by Keith Miller.
1940
1941         * stress/r238510-bad-loop.js: Added.
1942         (foo):
1943
1944 2018-11-27  Mark Lam  <mark.lam@apple.com>
1945
1946         [Re-landing] NaNs read from Wasm code need to be purified.
1947         https://bugs.webkit.org/show_bug.cgi?id=191056
1948         <rdar://problem/45660341>
1949
1950         Reviewed by Filip Pizlo.
1951
1952         * wasm/regress/regress-191056.js: Added.
1953
1954 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1955
1956         Unreviewed, rolling out r238509.
1957
1958         Causes JSC tests to fail on iOS.
1959
1960         Reverted changeset:
1961
1962         "NaNs read from Wasm code need to be purified."
1963         https://bugs.webkit.org/show_bug.cgi?id=191056
1964         https://trac.webkit.org/changeset/238509
1965
1966 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1967
1968         Re-introduce op_bitnot
1969         https://bugs.webkit.org/show_bug.cgi?id=190923
1970
1971         Reviewed by Yusuke Suzuki.
1972
1973         * stress/bit-not-must-generate.js: Added.
1974         * stress/bitwise-not-no-int32.js: Added.
1975
1976 2018-11-26  Saam barati  <sbarati@apple.com>
1977
1978         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1979         https://bugs.webkit.org/show_bug.cgi?id=191956
1980         <rdar://problem/45665806>
1981
1982         Reviewed by Yusuke Suzuki.
1983
1984         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1985         (bar):
1986         (foo):
1987
1988 2018-11-26  Saam barati  <sbarati@apple.com>
1989
1990         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1991         https://bugs.webkit.org/show_bug.cgi?id=191958
1992         <rdar://problem/46221877>
1993
1994         Reviewed by Yusuke Suzuki.
1995
1996         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1997         (x):
1998         (foo):
1999
2000 2018-11-26  Mark Lam  <mark.lam@apple.com>
2001
2002         NaNs read from Wasm code need to be purified.
2003         https://bugs.webkit.org/show_bug.cgi?id=191056
2004         <rdar://problem/45660341>
2005
2006         Reviewed by Filip Pizlo.
2007
2008         * wasm/regress/regress-191056.js: Added.
2009
2010 2018-11-26  Michael Saboff  <msaboff@apple.com>
2011
2012         32-bit JSC test failure: stress/regexp-compile-oom.js
2013         https://bugs.webkit.org/show_bug.cgi?id=191375
2014
2015         Reviewed by Mark Lam.
2016
2017         Disabled the test for 32 bit platforms.
2018
2019         * stress/regexp-compile-oom.js:
2020
2021 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2022
2023         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2024         https://bugs.webkit.org/show_bug.cgi?id=191716
2025         <rdar://problem/45723878>
2026
2027         Reviewed by Saam Barati.
2028
2029         * stress/regress-187373.js: Added.
2030         (async.fn):
2031
2032 2018-11-21  Saam barati  <sbarati@apple.com>
2033
2034         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2035         https://bugs.webkit.org/show_bug.cgi?id=191897
2036         <rdar://problem/45871998>
2037
2038         Reviewed by Mark Lam.
2039
2040         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2041         (bar):
2042         (foo):
2043
2044 2018-11-21  Saam barati  <sbarati@apple.com>
2045
2046         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2047         https://bugs.webkit.org/show_bug.cgi?id=191895
2048         <rdar://problem/46167406>
2049
2050         Reviewed by Mark Lam.
2051
2052         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2053         (foo):
2054         (bar):
2055
2056 2018-11-21  Mark Lam  <mark.lam@apple.com>
2057
2058         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2059         https://bugs.webkit.org/show_bug.cgi?id=191776
2060         <rdar://problem/46152851>
2061
2062         Reviewed by Saam Barati.
2063
2064         * stress/big-wasm-memory-grow-no-max.js:
2065         * stress/big-wasm-memory-grow.js:
2066         * stress/big-wasm-memory.js:
2067         - updated these to expect an OutOfMemoryError.
2068
2069         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2070         (Binary.prototype.emit_u8):
2071         (Binary.prototype.emit_u32v):
2072         (Binary.prototype.emit_header):
2073         (Binary.prototype.emit_section):
2074         (Binary):
2075         (WasmModuleBuilder):
2076         (WasmModuleBuilder.prototype.addMemory):
2077         (WasmModuleBuilder.prototype.toArray):
2078         (WasmModuleBuilder.prototype.toBuffer):
2079         (WasmModuleBuilder.prototype.instantiate):
2080         (catch):
2081         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2082         (catch):
2083
2084 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2085
2086         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2087         https://bugs.webkit.org/show_bug.cgi?id=190836
2088
2089         Reviewed by Saam Barati and Yusuke Suzuki.
2090
2091         * stress/big-int-out-of-memory-tests.js: Added.
2092
2093 2018-11-20  Mark Lam  <mark.lam@apple.com>
2094
2095         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2096         https://bugs.webkit.org/show_bug.cgi?id=191856
2097         <rdar://problem/46089992>
2098
2099         Reviewed by Yusuke Suzuki.
2100
2101         * stress/regress-191856.js: Added.
2102         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2103
2104 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2105
2106         Enable JIT on ARM/Linux
2107         https://bugs.webkit.org/show_bug.cgi?id=191548
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         Disable test on system with limited memory. Program was killed by
2112         the OS before the exception was thrown.
2113
2114         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2115
2116 2018-11-20  Saam barati  <sbarati@apple.com>
2117
2118         Merging an IC variant may lead to the IC status containing overlapping structure sets
2119         https://bugs.webkit.org/show_bug.cgi?id=191869
2120         <rdar://problem/45403453>
2121
2122         Reviewed by Mark Lam.
2123
2124         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2125
2126 2018-11-19  Mark Lam  <mark.lam@apple.com>
2127
2128         globalFuncImportModule() should return a promise when it clears exceptions.
2129         https://bugs.webkit.org/show_bug.cgi?id=191792
2130         <rdar://problem/46090763>
2131
2132         Reviewed by Michael Saboff.
2133
2134         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2135
2136 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2137
2138         Skip new memory-hungry tests on memory limited devices
2139
2140         Unreviewed gardening.
2141
2142         * stress/big-wasm-memory-grow-no-max.js:
2143         * stress/big-wasm-memory-grow.js:
2144         * stress/big-wasm-memory.js:
2145
2146 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2147
2148         Unreviewed, rolling in the rest of r237254
2149         https://bugs.webkit.org/show_bug.cgi?id=190340
2150
2151         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2152         * stress/function-cache-with-parameters-end-position.js: Added.
2153         (shouldBe):
2154         (shouldThrow):
2155         (i.anonymous):
2156         * stress/function-constructor-name.js: Added.
2157         (shouldBe):
2158         (GeneratorFunction):
2159         (AsyncFunction.async):
2160         (AsyncGeneratorFunction.async):
2161         (anonymous):
2162         (async.anonymous):
2163         * test262/expectations.yaml:
2164
2165 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2166
2167         All users of ArrayBuffer should agree on the same max size
2168         https://bugs.webkit.org/show_bug.cgi?id=191771
2169
2170         Reviewed by Mark Lam.
2171
2172         * stress/big-wasm-memory-grow-no-max.js: Added.
2173         (foo):
2174         (catch):
2175         * stress/big-wasm-memory-grow.js: Added.
2176         (foo):
2177         (catch):
2178         * stress/big-wasm-memory.js: Added.
2179         (foo):
2180         (catch):
2181
2182 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2183
2184         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2185         run for each JSC config since they're regression tests for runtime bugs.
2186
2187         * stress/json-stringified-overflow-2.js:
2188         * stress/json-stringified-overflow.js:
2189
2190 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2191
2192         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2193         config since they're regression tests for runtime bugs.
2194
2195         * stress/large-unshift-splice.js:
2196         * stress/regress-185888.js:
2197
2198 2018-11-16  Saam Barati  <sbarati@apple.com>
2199
2200         KnownCellUse should also have SpecCellCheck as its type filter
2201         https://bugs.webkit.org/show_bug.cgi?id=191729
2202         <rdar://problem/45872852>
2203
2204         Reviewed by Filip Pizlo.
2205
2206         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2207         (C):
2208
2209 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2210
2211         Fix assertion failure on BytecodeGenerator::recordOpcode
2212         https://bugs.webkit.org/show_bug.cgi?id=191724
2213         <rdar://problem/45724395>
2214
2215         Reviewed by Saam Barati.
2216
2217         * stress/regress-187373-2.js: Added.
2218         (foo):
2219
2220 2018-11-15  Mark Lam  <mark.lam@apple.com>
2221
2222         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2223         https://bugs.webkit.org/show_bug.cgi?id=191730
2224         <rdar://problem/46048517>
2225
2226         Reviewed by Saam Barati.
2227
2228         * stress/regress-187006.js: Removed.
2229           - this test is invalid because its sole purpose is to test for the non-spec
2230             compliant behavior that we just fixed.
2231
2232         * stress/regress-191730.js: Added.
2233
2234 2018-11-15  Mark Lam  <mark.lam@apple.com>
2235
2236         RegExp operations should not take fast path if lastIndex is not numeric.
2237         https://bugs.webkit.org/show_bug.cgi?id=191731
2238         <rdar://problem/46017305>
2239
2240         Reviewed by Saam Barati.
2241
2242         * stress/regress-191731.js: Added.
2243
2244 2018-11-13  Saam Barati  <sbarati@apple.com>
2245
2246         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2247         https://bugs.webkit.org/show_bug.cgi?id=191600
2248
2249         Reviewed by Mark Lam.
2250
2251         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2252         (foo):
2253         (test):
2254         (bar):
2255
2256 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2257
2258         Unreviewed, rolling out r238132.
2259
2260         The test added with this change is timing out on Debug JSC
2261         bots.
2262
2263         Reverted changeset:
2264
2265         "[BigInt] JSBigInt::createWithLength should throw when length
2266         is greater than JSBigInt::maxLength"
2267         https://bugs.webkit.org/show_bug.cgi?id=190836
2268         https://trac.webkit.org/changeset/238132
2269
2270 2018-11-13  Mark Lam  <mark.lam@apple.com>
2271
2272         Add OOM detection to StringPrototype's substituteBackreferences().
2273         https://bugs.webkit.org/show_bug.cgi?id=191563
2274         <rdar://problem/45720428>
2275
2276         Reviewed by Saam Barati.
2277
2278         * stress/regress-191563.js: Added.
2279
2280 2018-11-13  Mark Lam  <mark.lam@apple.com>
2281
2282         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2283         https://bugs.webkit.org/show_bug.cgi?id=191579
2284         <rdar://problem/45942472>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/regress-191579.js: Added.
2289
2290 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2291
2292         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2293         https://bugs.webkit.org/show_bug.cgi?id=190836
2294
2295         Reviewed by Saam Barati.
2296
2297         * stress/big-int-out-of-memory-tests.js: Added.
2298
2299 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2300
2301         U+180E is no longer a whitespace character
2302         https://bugs.webkit.org/show_bug.cgi?id=191415
2303
2304         Reviewed by Saam Barati.
2305
2306         * ChakraCore/test/es5/regexSpace.baseline:
2307         * ChakraCore/test/es6/unicode_whitespace.js:
2308         Update tests to latest version.
2309         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2310
2311         * test262.yaml:
2312         * test262/config.yaml:
2313         * test262/expectations.yaml:
2314         Update expectations.
2315
2316 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2317
2318         [BigInt] Add support to BigInt into ValueAdd
2319         https://bugs.webkit.org/show_bug.cgi?id=186177
2320
2321         Reviewed by Keith Miller.
2322
2323         * stress/big-int-negate-jit.js:
2324         * stress/value-add-big-int-and-string.js: Added.
2325         * stress/value-add-big-int-prediction-propagation.js: Added.
2326         * stress/value-add-big-int-untyped.js: Added.
2327
2328 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2329
2330         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2331         https://bugs.webkit.org/show_bug.cgi?id=191184
2332
2333         Reviewed by Saam Barati.
2334
2335         Most tests were failing due to timeouts, since they are too slow to
2336         run on CLoop. The exceptions are:
2337
2338         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2339         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2340         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2341         to change the stack size since CLoop requires it to be page aligned.
2342
2343         * microbenchmarks/array-push-1.js:
2344         * microbenchmarks/array-push-2.js:
2345         * microbenchmarks/elidable-new-object-dag.js:
2346         * microbenchmarks/elidable-new-object-roflcopter.js:
2347         * microbenchmarks/elidable-new-object-tree.js:
2348         * microbenchmarks/getter-richards.js:
2349         * microbenchmarks/sinkable-new-object-dag.js:
2350         * microbenchmarks/string-concat-long-convert.js:
2351         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2352         * slowMicrobenchmarks/array-push-3.js:
2353         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2354         * slowMicrobenchmarks/spread-small-array.js:
2355         * slowMicrobenchmarks/undefined-property-access.js:
2356         * stress/activation-sink-default-value-tdz-error.js:
2357         * stress/activation-sink-default-value.js:
2358         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2359         * stress/activation-sink-osrexit-default-value.js:
2360         * stress/activation-sink-osrexit.js:
2361         * stress/activation-sink.js:
2362         * stress/allow-math-ic-b3-code-duplication.js:
2363         * stress/array-push-multiple-int32.js:
2364         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2365         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2366         * stress/arrowfunction-lexical-this-activation-sink.js:
2367         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2368         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2369         * stress/elide-new-object-dag-then-exit.js:
2370         * stress/materialize-regexp-cyclic.js:
2371         * stress/new-regex-inline.js:
2372         * stress/op_add.js:
2373         * stress/op_bitand.js:
2374         * stress/op_bitor.js:
2375         * stress/op_bitxor.js:
2376         * stress/op_div-ConstVar.js:
2377         * stress/op_div-VarConst.js:
2378         * stress/op_div-VarVar.js:
2379         * stress/op_lshift-ConstVar.js:
2380         * stress/op_lshift-VarConst.js:
2381         * stress/op_lshift-VarVar.js:
2382         * stress/op_mod-ConstVar.js:
2383         * stress/op_mod-VarConst.js:
2384         * stress/op_mod-VarVar.js:
2385         * stress/op_mul-ConstVar.js:
2386         * stress/op_mul-VarConst.js:
2387         * stress/op_mul-VarVar.js:
2388         * stress/op_rshift-ConstVar.js:
2389         * stress/op_rshift-VarConst.js:
2390         * stress/op_rshift-VarVar.js:
2391         * stress/op_sub-ConstVar.js:
2392         * stress/op_sub-VarConst.js:
2393         * stress/op_sub-VarVar.js:
2394         * stress/op_urshift-ConstVar.js:
2395         * stress/op_urshift-VarConst.js:
2396         * stress/op_urshift-VarVar.js:
2397         * stress/proxy-get-set-correct-receiver.js:
2398         * stress/regress-179562.js:
2399         * stress/rest-parameter-many-arguments.js:
2400         * stress/sampling-profiler-richards.js:
2401         * stress/splay-flash-access-1ms.js:
2402         * stress/tailCallForwardArguments.js:
2403         * stress/typed-array-get-by-val-profiling.js:
2404         * typeProfiler/getter-richards.js:
2405
2406 2018-11-06  Michael Saboff  <msaboff@apple.com>
2407
2408         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2409         https://bugs.webkit.org/show_bug.cgi?id=191271
2410
2411         Reviewed by Saam Barati.
2412
2413         Added more test cases and made all test cases run with the same deeply recursive stack
2414         instead of finding that same point for each test case.
2415
2416         * stress/regexp-compile-oom.js:
2417         (prototype.runTest):
2418         (recurseAndTest):
2419         (testList.push.new.TestAndExpectedException):
2420
2421 2018-11-05  Michael Saboff  <msaboff@apple.com>
2422
2423         Unreviewed build fix for linux.
2424
2425         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2426
2427 2018-11-02  Michael Saboff  <msaboff@apple.com>
2428
2429         Rolling in r237753 with unreviewed build fix.
2430
2431         Fixed issues with DECLARE_THROW_SCOPE placement.
2432
2433 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2434
2435         Unreviewed, rolling out r237753.
2436
2437         Introduced JSC test failures
2438
2439         Reverted changeset:
2440
2441         "Running out of stack space not properly handled in
2442         RegExp::compile() and its callers"
2443         https://bugs.webkit.org/show_bug.cgi?id=191206
2444         https://trac.webkit.org/changeset/237753
2445
2446 2018-11-02  Michael Saboff  <msaboff@apple.com>
2447
2448         Running out of stack space not properly handled in RegExp::compile() and its callers
2449         https://bugs.webkit.org/show_bug.cgi?id=191206
2450
2451         Reviewed by Filip Pizlo.
2452
2453         New regression test.
2454
2455         * stress/regexp-compile-oom.js: Added.
2456         (recurseAndTest):
2457
2458 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2459
2460         Skip tests on arm/mips that time out now we're running on CLoop
2461
2462         Unreviewed gardening.
2463
2464         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2465         time out on the bots and need to be disabled. There's more tests
2466         disabled on arm because the timeout is longer on the mips bot (as the
2467         device is slower to start with), so many of the tests don't time out
2468         there.
2469
2470         * microbenchmarks/getter-richards.js: disable on arm and mips.
2471         * stress/op_add.js: disable on arm.
2472         * stress/op_bitand.js: disable on arm.
2473         * stress/op_bitor.js: disable on arm.
2474         * stress/op_bitxor.js: disable on arm.
2475         * stress/op_lshift-ConstVar.js: disable on arm.
2476         * stress/op_lshift-VarConst.js: disable on arm.
2477         * stress/op_lshift-VarVar.js: disable on arm.
2478         * stress/op_mod-ConstVar.js: disable on arm.
2479         * stress/op_mod-VarConst.js: disable on arm.
2480         * stress/op_mod-VarVar.js: disable on arm.
2481         * stress/op_mul-ConstVar.js: disable on arm.
2482         * stress/op_mul-VarConst.js: disable on arm.
2483         * stress/op_mul-VarVar.js: disable on arm.
2484         * stress/op_rshift-ConstVar.js: disable on arm.
2485         * stress/op_rshift-VarConst.js: disable on arm.
2486         * stress/op_rshift-VarVar.js: disable on arm.
2487         * stress/op_sub-ConstVar.js: disable on arm.
2488         * stress/op_sub-VarConst.js: disable on arm.
2489         * stress/op_sub-VarVar.js: disable on arm.
2490         * stress/op_urshift-ConstVar.js: disable on arm.
2491         * stress/op_urshift-VarConst.js: disable on arm.
2492         * stress/op_urshift-VarVar.js: disable on arm.
2493         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2494         * stress/value-to-boolean.js: disable on arm and mips.
2495
2496 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2497
2498         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2499         https://bugs.webkit.org/show_bug.cgi?id=191108
2500         <rdar://problem/45690700>
2501
2502         Reviewed by Saam Barati.
2503
2504         * stress/wide-op_catch.js: Added.
2505         (catch):
2506
2507 2018-10-29  Mark Lam  <mark.lam@apple.com>
2508
2509         Correctly detect string overflow when using the 'Function' constructor.
2510         https://bugs.webkit.org/show_bug.cgi?id=184883
2511         <rdar://problem/36320331>
2512
2513         Reviewed by Saam Barati.
2514
2515         I've verified that this passes on 32-bit as well.
2516
2517         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2518
2519 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2520
2521         Add support for GetStack FlushedDouble
2522         https://bugs.webkit.org/show_bug.cgi?id=191012
2523         <rdar://problem/45265141>
2524
2525         Reviewed by Saam Barati.
2526
2527         * stress/get-stack-double.js: Added.
2528         (bar):
2529         (noInline):
2530
2531 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2532
2533         New bytecode format for JSC
2534         https://bugs.webkit.org/show_bug.cgi?id=187373
2535         <rdar://problem/44186758>
2536
2537         Reviewed by Filip Pizlo.
2538
2539         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2540
2541         * stress/maximum-inline-capacity.js: Added.
2542         (test1):
2543         (test3.Foo):
2544         (test3):
2545
2546 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2547
2548         Unreviewed, rolling out r237479 and r237484.
2549         https://bugs.webkit.org/show_bug.cgi?id=190978
2550
2551         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2552
2553         Reverted changesets:
2554
2555         "New bytecode format for JSC"
2556         https://bugs.webkit.org/show_bug.cgi?id=187373
2557         https://trac.webkit.org/changeset/237479
2558
2559         "Gardening: Build fix after r237479."
2560         https://bugs.webkit.org/show_bug.cgi?id=187373
2561         https://trac.webkit.org/changeset/237484
2562
2563 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2564
2565         New bytecode format for JSC
2566         https://bugs.webkit.org/show_bug.cgi?id=187373
2567         <rdar://problem/44186758>
2568
2569         Reviewed by Filip Pizlo.
2570
2571         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2572
2573         * stress/maximum-inline-capacity.js: Added.
2574         (test1):
2575         (test3.Foo):
2576         (test3):
2577
2578 2018-10-26  Mark Lam  <mark.lam@apple.com>
2579
2580         Fix missing edge cases with JSGlobalObjects having a bad time.
2581         https://bugs.webkit.org/show_bug.cgi?id=189028
2582         <rdar://problem/45204939>
2583
2584         Reviewed by Saam Barati.
2585
2586         * stress/regress-189028.js: Added.
2587
2588 2018-10-22  Mark Lam  <mark.lam@apple.com>
2589
2590         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2591         https://bugs.webkit.org/show_bug.cgi?id=190515
2592         <rdar://problem/45222379>
2593
2594         Rubber-stamped by Saam Barati.
2595
2596         Adding another test.
2597
2598         * stress/regress-190515-2.js: Added.
2599
2600 2018-10-22  Mark Lam  <mark.lam@apple.com>
2601
2602         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2603         https://bugs.webkit.org/show_bug.cgi?id=190515
2604         <rdar://problem/45222379>
2605
2606         Reviewed by Saam Barati.
2607
2608         * stress/regress-190515.js: Added.
2609
2610 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2611
2612         Unreviewed, rolling out r237254.
2613         https://bugs.webkit.org/show_bug.cgi?id=190760
2614
2615         "It regresses JetStream 2 by 5% on some iOS devices"
2616         (Requested by saamyjoon on #webkit).
2617
2618         Reverted changeset:
2619
2620         "[JSC] JSC should have "parseFunction" to optimize Function
2621         constructor"
2622         https://bugs.webkit.org/show_bug.cgi?id=190340
2623         https://trac.webkit.org/changeset/237254
2624
2625 2018-10-19  Saam Barati  <sbarati@apple.com>
2626
2627         vmCall should check if we exit before emitting an OSR exit due to exceptions
2628         https://bugs.webkit.org/show_bug.cgi?id=190740
2629         <rdar://problem/45220139>
2630
2631         Reviewed by Mark Lam.
2632
2633         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2634         (foo):
2635
2636 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2637
2638         [ESNext][BigInt] Implement support for "^"
2639         https://bugs.webkit.org/show_bug.cgi?id=186235
2640
2641         Reviewed by Yusuke Suzuki.
2642
2643         * stress/big-int-bitwise-xor-general.js: Added.
2644         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2645         * stress/big-int-bitwise-xor-type-error.js: Added.
2646         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2647
2648 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2649
2650         [BigInt] Add ValueSub into DFG
2651         https://bugs.webkit.org/show_bug.cgi?id=186176
2652
2653         Reviewed by Yusuke Suzuki.
2654
2655         * stress/big-int-subtraction-jit.js:
2656         * stress/value-sub-big-int-prediction-propagation.js: Added.
2657         * stress/value-sub-big-int-untyped.js: Added.
2658         * stress/value-sub-spec-none-case.js: Added.
2659
2660 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2661
2662         [JSC] JSC should have "parseFunction" to optimize Function constructor
2663         https://bugs.webkit.org/show_bug.cgi?id=190340
2664
2665         Reviewed by Mark Lam.
2666
2667         This patch fixes the line number of syntax errors raised by the Function constructor,
2668         since we now parse the final code only once. And we no longer use block statement
2669         for Function constructor's parsing.
2670
2671         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2672         * stress/function-cache-with-parameters-end-position.js: Added.
2673         (shouldBe):
2674         (shouldThrow):
2675         (i.anonymous):
2676         * stress/function-constructor-name.js: Added.
2677         (shouldBe):
2678         (GeneratorFunction):
2679         (AsyncFunction.async):
2680         (AsyncGeneratorFunction.async):
2681         (anonymous):
2682         (async.anonymous):
2683         * test262/expectations.yaml:
2684
2685 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2686
2687         Unreviewed, rolling out r237242.
2688         https://bugs.webkit.org/show_bug.cgi?id=190701
2689
2690         it breaks "stress/sampling-profiler-basic.js" (Requested by
2691         caiolima on #webkit).
2692
2693         Reverted changeset:
2694
2695         "[BigInt] Add ValueSub into DFG"
2696         https://bugs.webkit.org/show_bug.cgi?id=186176
2697         https://trac.webkit.org/changeset/237242
2698
2699 2018-10-17  Keith Miller  <keith_miller@apple.com>
2700
2701         AI does not clear Phantom allocation nodes.
2702         https://bugs.webkit.org/show_bug.cgi?id=190694
2703
2704         Reviewed by Saam Barati.
2705
2706         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2707         (Day):
2708         (DaysInYear):
2709         (TimeInYear):
2710         (TimeFromYear):
2711         (DayFromYear):
2712         (InLeapYear):
2713         (YearFromTime):
2714         (WeekDay):
2715         (DaylightSavingTA):
2716         (GetSecondSundayInMarch):
2717         (TimeInMonth):
2718
2719 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2720
2721         [BigInt] Add ValueSub into DFG
2722         https://bugs.webkit.org/show_bug.cgi?id=186176
2723
2724         Reviewed by Yusuke Suzuki.
2725
2726         * stress/big-int-subtraction-jit.js:
2727         * stress/value-sub-big-int-prediction-propagation.js: Added.
2728         * stress/value-sub-big-int-untyped.js: Added.
2729
2730 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2731
2732         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2733         https://bugs.webkit.org/show_bug.cgi?id=190611
2734
2735         Reviewed by Saam Barati.
2736
2737         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2738         to improve test runtime. On ARM/MIPS this test even timed out when running all
2739         tests.
2740
2741         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2742         (test):
2743
2744 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2745
2746         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2747
2748         Unreviewed gardening.
2749
2750         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2751
2752 2018-10-15  Saam barati  <sbarati@apple.com>
2753
2754         Emit fjcvtzs on ARM64E on Darwin
2755         https://bugs.webkit.org/show_bug.cgi?id=184023
2756
2757         Reviewed by Yusuke Suzuki and Filip Pizlo.
2758
2759         * stress/double-to-int32-NaN.js: Added.
2760         (assert):
2761         (foo):
2762
2763 2018-10-15  Saam Barati  <sbarati@apple.com>
2764
2765         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2766         https://bugs.webkit.org/show_bug.cgi?id=190262
2767         <rdar://problem/44986241>
2768
2769         Reviewed by Mark Lam.
2770
2771         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2772         (test):
2773         * stress/slice-array-storage-with-holes.js: Added.
2774         (main):
2775
2776 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2777
2778         Unreviewed, rolling out r237054.
2779         https://bugs.webkit.org/show_bug.cgi?id=190593
2780
2781         "this regressed JetStream 2 by 6% on iOS" (Requested by
2782         saamyjoon on #webkit).
2783
2784         Reverted changeset:
2785
2786         "[JSC] JSC should have "parseFunction" to optimize Function
2787         constructor"
2788         https://bugs.webkit.org/show_bug.cgi?id=190340
2789         https://trac.webkit.org/changeset/237054
2790
2791 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2792
2793         [JSC] JSON.stringify can accept call-with-no-arguments
2794         https://bugs.webkit.org/show_bug.cgi?id=190343
2795
2796         Reviewed by Mark Lam.
2797
2798         * stress/json-stringify-no-arguments.js: Added.
2799         (shouldBe):
2800
2801 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2802
2803         [JSC] JSC should have "parseFunction" to optimize Function constructor
2804         https://bugs.webkit.org/show_bug.cgi?id=190340
2805
2806         Reviewed by Mark Lam.
2807
2808         This patch fixes the line number of syntax errors raised by the Function constructor,
2809         since we now parse the final code only once. And we no longer use block statement
2810         for Function constructor's parsing.
2811
2812         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2813         * stress/function-cache-with-parameters-end-position.js: Added.
2814         (shouldBe):
2815         (shouldThrow):
2816         (i.anonymous):
2817         * stress/function-constructor-name.js: Added.
2818         (shouldBe):
2819         (GeneratorFunction):
2820         (AsyncFunction.async):
2821         (AsyncGeneratorFunction.async):
2822         (anonymous):
2823         (async.anonymous):
2824         * test262/expectations.yaml:
2825
2826 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2827
2828         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2829         https://bugs.webkit.org/show_bug.cgi?id=190426
2830
2831         Unreviewed gardening.
2832
2833         * stress/sampling-profiler-richards.js:
2834
2835 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2836
2837         [ESNext][BigInt] Implement support for "|"
2838         https://bugs.webkit.org/show_bug.cgi?id=186229
2839
2840         Reviewed by Yusuke Suzuki.
2841
2842         * stress/big-int-bitwise-and-jit.js:
2843         * stress/big-int-bitwise-or-general.js: Added.
2844         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2845         * stress/big-int-bitwise-or-jit.js: Added.
2846         * stress/big-int-bitwise-or-memory-stress.js: Added.
2847         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2848         * stress/big-int-bitwise-or-type-error.js: Added.
2849         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2850
2851 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2852
2853         Skip test on systems with limited memory
2854         https://bugs.webkit.org/show_bug.cgi?id=190310
2855
2856         Invoking runDefault adds test to runlist, skipping the test in the next
2857         line does not prevent the test from executing. Change order of lines such
2858         that runDefault is only executed if test is not executed.
2859
2860         Reviewed by Mark Lam.
2861
2862         * stress/regress-190187.js:
2863
2864 2018-10-03  Saam barati  <sbarati@apple.com>
2865
2866         lowXYZ in FTLLower should always filter the type of the incoming edge
2867         https://bugs.webkit.org/show_bug.cgi?id=189939
2868         <rdar://problem/44407030>
2869
2870         Reviewed by Michael Saboff.
2871
2872         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2873         (foo):
2874         (test):
2875
2876 2018-10-03  Mark Lam  <mark.lam@apple.com>
2877
2878         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2879         https://bugs.webkit.org/show_bug.cgi?id=190187
2880         <rdar://problem/42512909>
2881
2882         Reviewed by Michael Saboff.
2883
2884         * stress/regress-190187.js: Added.
2885
2886 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2887
2888         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2889         https://bugs.webkit.org/show_bug.cgi?id=190033
2890
2891         Reviewed by Yusuke Suzuki.
2892
2893         * stress/big-int-to-string.js:
2894
2895 2018-10-01  Mark Lam  <mark.lam@apple.com>
2896
2897         Function.toString() should also copy the source code Functions that are class definitions.
2898         https://bugs.webkit.org/show_bug.cgi?id=190186
2899         <rdar://problem/44733360>
2900
2901         Reviewed by Saam Barati.
2902
2903         * stress/regress-190186.js: Added.
2904
2905 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2906
2907         Split NaN-check into separate test
2908         https://bugs.webkit.org/show_bug.cgi?id=190010
2909
2910         Reviewed by Saam Barati.
2911
2912         DataView exposes NaN-representation, which is not necessarily the same on each
2913         architecture. Therefore move the check of the NaN-representation into its own
2914         file such that we can disable this test on MIPS where NaN-representation can be
2915         different on older CPUs.
2916
2917         * stress/dataview-jit-set-nan.js: Added.
2918         (assert):
2919         (test.storeLittleEndian):
2920         (test.storeBigEndian):
2921         (test.store):
2922         (test):
2923         * stress/dataview-jit-set.js:
2924         (test5):
2925
2926 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2927
2928         Unreviewed, rolling out r236647.
2929         https://bugs.webkit.org/show_bug.cgi?id=190124
2930
2931         Breaking test stress/big-int-to-string.js (Requested by
2932         caiolima_ on #webkit).
2933
2934         Reverted changeset:
2935
2936         "[BigInt] BigInt.prototype.toString is broken when radix is
2937         power of 2"
2938         https://bugs.webkit.org/show_bug.cgi?id=190033
2939         https://trac.webkit.org/changeset/236647
2940
2941 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2942
2943         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2944         https://bugs.webkit.org/show_bug.cgi?id=190033
2945
2946         Reviewed by Yusuke Suzuki.
2947
2948         * stress/big-int-to-string.js:
2949
2950 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2951
2952         [ESNext][BigInt] Implement support for "&"
2953         https://bugs.webkit.org/show_bug.cgi?id=186228
2954
2955         Reviewed by Yusuke Suzuki.
2956
2957         * stress/big-int-bitwise-and-general.js: Added.
2958         (assert):
2959         (assert.sameValue):
2960         * stress/big-int-bitwise-and-jit.js: Added.
2961         (let.assert.sameValue):
2962         (bigIntBitAnd):
2963         * stress/big-int-bitwise-and-memory-stress.js: Added.
2964         (assert):
2965         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2966         (assert.sameValue):
2967         (let.o.Symbol.toPrimitive):
2968         (catch):
2969         * stress/big-int-bitwise-and-type-error.js: Added.
2970         (assert):
2971         (assertThrowTypeError):
2972         (let.o.valueOf):
2973         (o.valueOf):
2974         (o.toString):
2975         (o.Symbol.toPrimitive):
2976         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2977         (assert.sameValue):
2978         (testBitAnd):
2979         (let.o.Symbol.toPrimitive):
2980         (o.valueOf):
2981         (o.toString):
2982
2983 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2984
2985         JSC test stress/jsc-read.js doesn't support CRLF
2986         https://bugs.webkit.org/show_bug.cgi?id=190063
2987
2988         Reviewed by Yusuke Suzuki.
2989
2990         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2991
2992         * stress/jsc-read.js:
2993         (test):
2994
2995 2018-09-27  Saam barati  <sbarati@apple.com>
2996
2997         Verify the contents of AssemblerBuffer on arm64e
2998         https://bugs.webkit.org/show_bug.cgi?id=190057
2999         <rdar://problem/38916630>
3000
3001         Reviewed by Mark Lam.
3002
3003         * stress/regress-189132.js:
3004
3005 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3006
3007         Disable test without LLInt on ARMv7
3008         https://bugs.webkit.org/show_bug.cgi?id=190037
3009
3010         Reviewed by Mark Lam.
3011
3012         Test runs out of executable memory on ARMv7, do not run
3013         this test without LLInt enabled.
3014
3015         * stress/regress-169445.js:
3016
3017 2018-09-26  Keith Miller  <keith_miller@apple.com>
3018
3019         We should zero unused property storage when rebalancing array storage.
3020         https://bugs.webkit.org/show_bug.cgi?id=188151
3021
3022         Reviewed by Michael Saboff.
3023
3024         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3025
3026 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3027
3028         [JSC] Optimize Array#lastIndexOf
3029         https://bugs.webkit.org/show_bug.cgi?id=189780
3030
3031         Reviewed by Saam Barati.
3032
3033         * stress/array-lastindexof-array-prototype-trap.js: Added.
3034         (shouldBe):
3035         (AncestorArray.prototype.get 2):
3036         (AncestorArray):
3037         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3038         (shouldBe):
3039         * stress/array-lastindexof-hole-nan.js: Added.
3040         (shouldBe):
3041         (throw.new.Error):
3042         * stress/array-lastindexof-infinity.js: Added.
3043         (shouldBe):
3044         (throw.new.Error):
3045         * stress/array-lastindexof-negative-zero.js: Added.
3046         (shouldBe):
3047         (throw.new.Error):
3048         * stress/array-lastindexof-own-getter.js: Added.
3049         (shouldBe):
3050         (throw.new.Error.get array):
3051         (get array):
3052         * stress/array-lastindexof-prototype-trap.js: Added.
3053         (shouldBe):
3054         (DerivedArray.prototype.get 2):
3055         (DerivedArray):
3056
3057 2018-09-25  Saam Barati  <sbarati@apple.com>
3058
3059         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3060         https://bugs.webkit.org/show_bug.cgi?id=189940
3061         <rdar://problem/43640987>
3062
3063         Reviewed by Mark Lam.
3064
3065         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3066
3067 2018-09-24  Saam Barati  <sbarati@apple.com>
3068
3069         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3070         https://bugs.webkit.org/show_bug.cgi?id=189922
3071         <rdar://problem/44651275>
3072
3073         Reviewed by Mark Lam.
3074
3075         * stress/array-indexof-fast-path-effects.js: Added.
3076         * stress/array-indexof-cached-length.js: Added.
3077
3078 2018-09-24  Saam barati  <sbarati@apple.com>
3079
3080         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3081         https://bugs.webkit.org/show_bug.cgi?id=189682
3082         <rdar://problem/43557315>
3083
3084         Reviewed by Mark Lam.
3085
3086         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3087         (foo):
3088
3089 2018-09-22  Saam barati  <sbarati@apple.com>
3090
3091         The sampling should not use Strong<CodeBlock> in its machineLocation field
3092         https://bugs.webkit.org/show_bug.cgi?id=189319
3093
3094         Reviewed by Filip Pizlo.
3095
3096         * stress/sampling-profiler-richards.js: Added.
3097
3098 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3099
3100         [JSC] Optimize Array#indexOf in C++ runtime
3101         https://bugs.webkit.org/show_bug.cgi?id=189507
3102
3103         Reviewed by Saam Barati.
3104
3105         * stress/array-indexof-array-prototype-trap.js: Added.
3106         (shouldBe):
3107         (AncestorArray.prototype.get 2):
3108         (AncestorArray):
3109         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3110         (shouldBe):
3111         * stress/array-indexof-hole-nan.js: Added.
3112         (shouldBe):
3113         (throw.new.Error):
3114         * stress/array-indexof-infinity.js: Added.
3115         (shouldBe):
3116         (throw.new.Error):
3117         * stress/array-indexof-negative-zero.js: Added.
3118         (shouldBe):
3119         (throw.new.Error):
3120         * stress/array-indexof-own-getter.js: Added.
3121         (shouldBe):
3122         (throw.new.Error.get array):
3123         (get array):
3124         * stress/array-indexof-prototype-trap.js: Added.
3125         (shouldBe):
3126         (DerivedArray.prototype.get 2):
3127         (DerivedArray):
3128
3129 2018-09-19  Saam barati  <sbarati@apple.com>
3130
3131         AI rule for MultiPutByOffset executes its effects in the wrong order
3132         https://bugs.webkit.org/show_bug.cgi?id=189757
3133         <rdar://problem/43535257>
3134
3135         Reviewed by Michael Saboff.
3136
3137         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3138         (foo):
3139         (Foo):
3140         (g):
3141
3142 2018-09-17  Mark Lam  <mark.lam@apple.com>
3143
3144         Ensure that ForInContexts are invalidated if their loop local is over-written.
3145         https://bugs.webkit.org/show_bug.cgi?id=189571
3146         <rdar://problem/44402277>
3147
3148         Reviewed by Saam Barati.
3149
3150         * stress/regress-189571.js: Added.
3151
3152 2018-09-17  Saam barati  <sbarati@apple.com>
3153
3154         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3155         https://bugs.webkit.org/show_bug.cgi?id=189676
3156         <rdar://problem/39682897>
3157
3158         Reviewed by Michael Saboff.
3159
3160         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3161         (A):
3162         (K):
3163         (i.catch):
3164
3165 2018-09-14  Saam barati  <sbarati@apple.com>
3166
3167         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3168         https://bugs.webkit.org/show_bug.cgi?id=189628
3169         <rdar://problem/39481690>
3170
3171         Reviewed by Mark Lam.
3172
3173         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3174         (foo):
3175
3176 2018-09-11  Mark Lam  <mark.lam@apple.com>
3177
3178         Test for array initialization in arrayProtoFuncSplice.
3179         https://bugs.webkit.org/show_bug.cgi?id=170253
3180         <rdar://problem/31328773>
3181
3182         Rubber-stamped by Saam Barati.
3183
3184         * stress/regress-170253.js: Added.
3185
3186 2018-09-11  Mark Lam  <mark.lam@apple.com>
3187
3188         Test for IntlObject initialization.
3189         https://bugs.webkit.org/show_bug.cgi?id=170251
3190         <rdar://problem/31328419>
3191
3192         Rubber-stamped by Saam Barati.
3193
3194         * stress/regress-170251.js: Added.
3195
3196 2018-09-11  Mark Lam  <mark.lam@apple.com>
3197
3198         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3199         https://bugs.webkit.org/show_bug.cgi?id=169889
3200         <rdar://problem/31155607>
3201
3202         Reviewed by Saam Barati.
3203
3204         * stress/regress-169889-array-concat.js: Added.
3205         * stress/regress-169889-array-concat1.js: Added.
3206         * stress/regress-169889-array-slice.js: Added.
3207
3208 2018-09-11  Mark Lam  <mark.lam@apple.com>
3209
3210         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3211         https://bugs.webkit.org/show_bug.cgi?id=169445
3212         <rdar://problem/30957435>
3213
3214         Reviewed by Saam Barati.
3215
3216         * stress/regress-169445.js: Added.
3217         (let.gun.eval.A):
3218         (let.gun.eval.B.C):
3219         (let.gun.eval.B.C.prototype.trigger):
3220         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3221         (let.gun.eval.B):
3222         (let.gun.eval):
3223
3224 == Rolled over to ChangeLog-2018-09-11 ==