Unreviewed, rolling out r241784.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-19  Truitt Savell  <tsavell@apple.com>
2
3         Unreviewed, rolling out r241784.
4
5         Broke all OpenSource builds.
6
7         Reverted changeset:
8
9         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
10         instances view"
11         https://bugs.webkit.org/show_bug.cgi?id=172848
12         https://trac.webkit.org/changeset/241784
13
14 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
15
16         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
17         https://bugs.webkit.org/show_bug.cgi?id=172848
18         <rdar://problem/25709212>
19
20         Reviewed by Mark Lam.
21
22         * typeProfiler/inheritance.js:
23         Rewrite the test slightly for clarity. The hoisting was confusing.
24
25         * heapProfiler/class-names.js: Added.
26         (MyES5Class):
27         (MyES6Class):
28         (MyES6Subclass):
29         Test object types and improved class names.
30
31         * heapProfiler/driver/driver.js:
32         (CheapHeapSnapshotNode):
33         (CheapHeapSnapshot):
34         (createCheapHeapSnapshot):
35         (HeapSnapshot):
36         (createHeapSnapshot):
37         Update snapshot parsing from version 1 to version 2.
38
39 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
40
41         [ARM] Fix crash with sampling profiler
42         https://bugs.webkit.org/show_bug.cgi?id=194772
43
44         Reviewed by Mark Lam.
45
46         Do not skip test since crash with sampling profiler is now fixed.
47
48         * stress/sampling-profiler-richards.js:
49
50 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
51
52         [JSC] Add LazyClassStructure::getInitializedOnMainThread
53         https://bugs.webkit.org/show_bug.cgi?id=194784
54         <rdar://problem/48154820>
55
56         Reviewed by Mark Lam.
57
58         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
59         (getProperties):
60         (getRandomProperty):
61         (i.catch):
62
63 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
64
65         [ARM] Test gardening: Test running out of executable memory
66         https://bugs.webkit.org/show_bug.cgi?id=194771
67
68         Unreviewed. Do not run test without LLInt, test is running out of executable
69         memory on ARM otherwise.
70
71         * stress/tagged-template-object-collect.js:
72
73 2019-02-18  Tomas Popela  <tpopela@redhat.com>
74
75         Unreviewed, skip the test on platforms without sampling profiler
76
77         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
78         (platformSupportsSamplingProfiler.foo):
79         (platformSupportsSamplingProfiler.test):
80         (platformSupportsSamplingProfiler):
81         (foo): Deleted.
82         (test): Deleted.
83
84 2019-02-17  Saam Barati  <sbarati@apple.com>
85
86         Deadlock when adding a Structure property transition and then doing incremental marking
87         https://bugs.webkit.org/show_bug.cgi?id=194767
88
89         Reviewed by Mark Lam.
90
91         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
92
93 2019-02-15  Michael Saboff  <msaboff@apple.com>
94
95         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
96         https://bugs.webkit.org/show_bug.cgi?id=194558
97
98         Reviewed by Saam Barati.
99
100         New regression test.
101
102         * stress/regexp-unicode-within-string.js: Added.
103
104 2019-02-15  Mark Lam  <mark.lam@apple.com>
105
106         SamplingProfiler::stackTracesAsJSON() should escape strings.
107         https://bugs.webkit.org/show_bug.cgi?id=194649
108         <rdar://problem/48072386>
109
110         Reviewed by Saam Barati.
111
112         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
113         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
114         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
115         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
116
117 2019-02-15  Robin Morisset  <rmorisset@apple.com>
118         CodeBlock::jettison should clear related watchpoints
119         https://bugs.webkit.org/show_bug.cgi?id=194544
120
121         Reviewed by Mark Lam.
122
123         * stress/regexp-replace-double-watchpoint.js: Added.
124         (foo):
125
126 2019-02-15  Saam barati  <sbarati@apple.com>
127
128         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
129         https://bugs.webkit.org/show_bug.cgi?id=194036
130
131         Reviewed by Yusuke Suzuki.
132
133         * stress/tail-call-many-arguments.js: Added.
134         (foo):
135         (bar):
136
137 2019-02-14  Saam Barati  <sbarati@apple.com>
138
139         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
140         https://bugs.webkit.org/show_bug.cgi?id=194583
141         <rdar://problem/48028140>
142
143         Reviewed by Yusuke Suzuki.
144
145         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
146
147 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
148
149         [JSC] String.fromCharCode's slow path always generates 16bit string
150         https://bugs.webkit.org/show_bug.cgi?id=194466
151
152         Reviewed by Keith Miller.
153
154         * stress/string-from-char-code-slow-path.js: Added.
155         (shouldBe):
156         (testWithLength):
157
158 2019-02-08  Saam barati  <sbarati@apple.com>
159
160         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
161         https://bugs.webkit.org/show_bug.cgi?id=194334
162         <rdar://problem/47844327>
163
164         Reviewed by Mark Lam.
165
166         * stress/check-in-bounds-should-be-a-child-use.js: Added.
167         (func):
168
169 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
170
171         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
172         https://bugs.webkit.org/show_bug.cgi?id=194369
173         <rdar://problem/47813087>
174
175         Reviewed by Saam Barati.
176
177         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
178         (A):
179
180 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
181
182         [JSC] PrivateName to PublicName hash table is wasteful
183         https://bugs.webkit.org/show_bug.cgi?id=194277
184
185         Reviewed by Michael Saboff.
186
187         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
188
189         * ChakraCore.yaml:
190
191 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
192
193         [ARM] Test running out of executable memory
194         https://bugs.webkit.org/show_bug.cgi?id=194285
195
196         Unreviewed. Do no execute test with LLInt disabled, test runs out of
197         executable memory otherwise.
198
199         * stress/class-subclassing-function.js:
200
201 2019-02-04  Robin Morisset  <rmorisset@apple.com>
202
203         when lowering AssertNotEmpty, create the value before creating the patchpoint
204         https://bugs.webkit.org/show_bug.cgi?id=194231
205
206         Reviewed by Saam Barati.
207
208         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
209         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
210         So even tiny changes to this test can change the path code taken.
211
212         * stress/assert-not-empty.js: Added.
213         (foo):
214
215 2019-02-01  Mark Lam  <mark.lam@apple.com>
216
217         Remove invalid assertion in DFG's compileDoubleRep().
218         https://bugs.webkit.org/show_bug.cgi?id=194130
219         <rdar://problem/47699474>
220
221         Reviewed by Saam Barati.
222
223         * stress/constant-fold-double-rep-into-double-constant.js: Added.
224
225 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
226
227         Import latest Test262 updates.
228
229         Rubber-stamped by Keith Miller.
230
231         * test262.yaml: Deleted.
232         * test262/config.yaml:
233         * test262/expectations.yaml:
234         * test262/latest-changes-summary.txt:
235         * test262/test/:
236         * test262/test262-Revision.txt:
237
238 2019-01-30  Robin Morisset  <rmorisset@apple.com>
239
240         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
241         https://bugs.webkit.org/show_bug.cgi?id=194050
242         <rdar://problem/47595592>
243
244         Reviewed by Yusuke Suzuki.
245
246         * stress/object-keys-osr-exit.js: Added.
247         (foo):
248         (catch):
249
250 2019-01-29  Mark Lam  <mark.lam@apple.com>
251
252         ValueRecovery::recover() should purify NaN values it recovers.
253         https://bugs.webkit.org/show_bug.cgi?id=193978
254         <rdar://problem/47625488>
255
256         Reviewed by Saam Barati.
257
258         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
259
260 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
261
262         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
263         https://bugs.webkit.org/show_bug.cgi?id=193713
264
265         * stress/try-get-by-id-should-spill-registers-dfg.js:
266         (let.f.createBuiltin):
267
268 2019-01-28  Mark Lam  <mark.lam@apple.com>
269
270         ToString node actually does GC.
271         https://bugs.webkit.org/show_bug.cgi?id=193920
272         <rdar://problem/46695900>
273
274         Reviewed by Yusuke Suzuki.
275
276         * stress/dfg-to-string-on-int-does-gc.js: Added.
277         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
278         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
279
280 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
281
282         [JSC] NativeErrorConstructor should not have own IsoSubspace
283         https://bugs.webkit.org/show_bug.cgi?id=193713
284
285         Reviewed by Saam Barati.
286
287         Remove @Error use.
288
289         * stress/try-get-by-id-should-spill-registers-dfg.js:
290         (let.f.createBuiltin):
291
292 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
293
294         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
295         https://bugs.webkit.org/show_bug.cgi?id=190693
296
297         Reviewed by Michael Saboff.
298
299         * stress/regress-190693.js: Added.
300         (truth):
301         (assert):
302         (shouldThrowInvalidConstAssignment):
303         (taz):
304
305 2019-01-24  Saam Barati  <sbarati@apple.com>
306
307         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
308         https://bugs.webkit.org/show_bug.cgi?id=193751
309         <rdar://problem/47280215>
310
311         Reviewed by Michael Saboff.
312
313         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
314         (let.thing):
315         (foo.let.hello):
316         (foo):
317
318 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
319
320         [JSC] Reenable baseline JIT on mips
321         https://bugs.webkit.org/show_bug.cgi?id=192983
322
323         Reviewed by Mark Lam.
324
325         Added a new test for a case that was triggering a RELEASE_ASSERT when
326         testing.
327         Disable some slow tests that were already disabled for arm and x86.
328
329         * stress/json-parse-big-object.js: Added.
330         * stress/new-largeish-contiguous-array-with-size.js:
331         * stress/op_add.js:
332         * stress/op_bitand.js:
333         * stress/op_bitor.js:
334         * stress/op_bitxor.js:
335         * stress/op_lshift-ConstVar.js:
336         * stress/op_lshift-VarConst.js:
337         * stress/op_lshift-VarVar.js:
338         * stress/op_mod-ConstVar.js:
339         * stress/op_mod-VarConst.js:
340         * stress/op_mod-VarVar.js:
341         * stress/op_mul-ConstVar.js:
342         * stress/op_mul-VarConst.js:
343         * stress/op_mul-VarVar.js:
344         * stress/op_rshift-ConstVar.js:
345         * stress/op_rshift-VarConst.js:
346         * stress/op_rshift-VarVar.js:
347         * stress/op_sub-ConstVar.js:
348         * stress/op_sub-VarConst.js:
349         * stress/op_sub-VarVar.js:
350         * stress/op_urshift-ConstVar.js:
351         * stress/op_urshift-VarConst.js:
352         * stress/op_urshift-VarVar.js:
353         * stress/sampling-profiler-richards.js:
354         * stress/spread-forward-call-varargs-stack-overflow.js:
355
356 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
357
358         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
359         https://bugs.webkit.org/show_bug.cgi?id=193711
360         <rdar://problem/47250262>
361
362         Reviewed by Saam Barati.
363
364         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
365         (shouldBe):
366         (foo):
367         (bar):
368         (baz):
369
370 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
371
372         Unreviewed, fix initial global lexical binding epoch
373         https://bugs.webkit.org/show_bug.cgi?id=193603
374         <rdar://problem/47380869>
375
376         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
377         (f1.f2.f3.f4):
378         (f1.f2.f3):
379         (f1.f2):
380         (f1):
381
382 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
383
384         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
385         https://bugs.webkit.org/show_bug.cgi?id=193709
386         <rdar://problem/47363838>
387
388         Unreviewed, rollout to watch the tests.
389
390         * stress/object-tostring-changed-proto.js: Removed.
391         * stress/object-tostring-changed.js: Removed.
392         * stress/object-tostring-misc.js: Removed.
393         * stress/object-tostring-other.js: Removed.
394         * stress/object-tostring-untyped.js: Removed.
395
396 2019-01-22  Saam Barati  <sbarati@apple.com>
397
398         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
399
400         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
401         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
402         (testUncheckedLessThanZero):
403         (testUncheckedLessThanOrEqualZero):
404         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
405         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
406
407 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
408
409         [JSC] Invalidate old scope operations using global lexical binding epoch
410         https://bugs.webkit.org/show_bug.cgi?id=193603
411         <rdar://problem/47380869>
412
413         Reviewed by Saam Barati.
414
415         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
416         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
417         (shouldThrow):
418         (bar):
419         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
420         (shouldBe):
421         (get1):
422         (get2):
423         (get1If):
424         (get2If):
425         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
426         (shouldThrow):
427         (foo):
428
429 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
430
431         Unreviewed, roll out r240220 due to date-format-xparb regression
432         https://bugs.webkit.org/show_bug.cgi?id=193603
433
434         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
435         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
436         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
437         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
438
439 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
440
441         DoesGC rule is wrong for nodes with BigIntUse
442         https://bugs.webkit.org/show_bug.cgi?id=193652
443
444         Reviewed by Saam Barati.
445
446         * stress/big-int-value-op-update-gc-rules.js: Added.
447         (assert):
448         (doesGCAdd):
449         (doesGCSub):
450         (doesGCDiv):
451         (doesGCMul):
452         (doesGCBitAnd):
453         (doesGCBitOr):
454         (doesGCBitXor):
455
456 2019-01-20  Saam Barati  <sbarati@apple.com>
457
458         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
459         https://bugs.webkit.org/show_bug.cgi?id=193644
460         <rdar://problem/46209745>
461
462         Reviewed by Yusuke Suzuki.
463
464         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
465         (foo):
466         * stress/data-view-set-intrinsic-undefined-result.js: Added.
467         (foo):
468         (bar):
469
470 2019-01-20  Saam Barati  <sbarati@apple.com>
471
472         MovHint must merge NodeBytecodeUsesAsValue for its child
473         https://bugs.webkit.org/show_bug.cgi?id=186916
474         <rdar://problem/41396612>
475
476         Reviewed by Yusuke Suzuki.
477
478         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
479         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
480
481 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
482
483         [JSC] Invalidate old scope operations using global lexical binding epoch
484         https://bugs.webkit.org/show_bug.cgi?id=193603
485         <rdar://problem/47380869>
486
487         Reviewed by Saam Barati.
488
489         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
490         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
491         (shouldThrow):
492         (bar):
493         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
494         (shouldBe):
495         (get1):
496         (get2):
497         (get1If):
498         (get2If):
499         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
500         (shouldThrow):
501         (foo):
502
503 2019-01-17  Saam barati  <sbarati@apple.com>
504
505         StringObjectUse should not be a structure check for the original string object structure
506         https://bugs.webkit.org/show_bug.cgi?id=193483
507         <rdar://problem/47280522>
508
509         Reviewed by Yusuke Suzuki.
510
511         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
512         (foo):
513         (a.valueOf.0):
514
515 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
516
517         [JSC] ToThis omission in DFGByteCodeParser is wrong
518         https://bugs.webkit.org/show_bug.cgi?id=193513
519         <rdar://problem/45842236>
520
521         Reviewed by Saam Barati.
522
523         * stress/to-this-omission-with-different-strict-modes.js: Added.
524         (thisA):
525         (thisAStrictWrapper):
526
527 2019-01-15  Mark Lam  <mark.lam@apple.com>
528
529         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
530         https://bugs.webkit.org/show_bug.cgi?id=193423
531         <rdar://problem/46209355>
532
533         Reviewed by Saam Barati.
534
535         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
536         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
537         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
538         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
539
540 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
541
542         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
543         https://bugs.webkit.org/show_bug.cgi?id=193438
544         <rdar://problem/45581249>
545
546         Reviewed by Saam Barati and Keith Miller.
547
548         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
549         Then, GetByVal(String) crashed.
550
551         * stress/string-get-by-val-lowering.js: Added.
552         (shouldBe):
553         (test):
554         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
555         (Hello):
556         (foo):
557
558 2019-01-15  Tomas Popela  <tpopela@redhat.com>
559
560         Unreviewed, skip JIT tests if it's not enabled
561
562         * stress/bit-op-with-object-returning-int32.js:
563
564 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
565
566         DFGByteCodeParser rules for bitwise operations should consider type of their operands
567         https://bugs.webkit.org/show_bug.cgi?id=192966
568
569         Reviewed by Yusuke Suzuki.
570
571         * stress/bit-op-with-object-returning-int32.js: Added.
572
573 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
574
575         Skip a slow test and a flakey test on arm
576
577         Unreviewed gardening.
578
579         * typeProfiler/getter-richards.js:
580         this test always times out, it used to be always skipped on arm and
581         mips, but got accidentally enabled by r237919 now that we have DFG on
582         arm. Also skipping on mips as we plan to soon enable DFG for it too.
583
584 2019-01-14  Keith Miller  <keith_miller@apple.com>
585
586         Skip type-check-hoisting-phase-hoist... with no jit
587         https://bugs.webkit.org/show_bug.cgi?id=193421
588
589         Reviewed by Mark Lam.
590
591         It's timing out the 32-bit bots and takes 330 seconds
592         on my machine when run by itself.
593
594         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
595
596 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
597
598         [JSC] AI should check the given constant's array type when folding GetByVal into constant
599         https://bugs.webkit.org/show_bug.cgi?id=193413
600         <rdar://problem/46092389>
601
602         Reviewed by Keith Miller.
603
604         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
605         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
606         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
607         but GetByVal does not have appropriate ArrayModes, JSC crashes.
608
609         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
610         (compareArray):
611
612 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
613
614         [BigInt] Literal parsing is crashing when used inside a Object Literal
615         https://bugs.webkit.org/show_bug.cgi?id=193404
616
617         Reviewed by Yusuke Suzuki.
618
619         * stress/big-int-literal-inside-literal-object.js: Added.
620
621 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
622
623         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
624         https://bugs.webkit.org/show_bug.cgi?id=193372
625
626         Reviewed by Saam Barati.
627
628         * stress/typed-array-array-modes-profile.js: Added.
629         (foo):
630
631 2019-01-14  Mark Lam  <mark.lam@apple.com>
632
633         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
634         https://bugs.webkit.org/show_bug.cgi?id=193402
635         <rdar://problem/46012309>
636
637         Reviewed by Keith Miller.
638
639         * stress/regexp-compile-oom.js:
640         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
641           is enabled.  As a result, it will fail on cloop builds though there is no bug.
642
643 2019-01-11  Saam barati  <sbarati@apple.com>
644
645         DFG combined liveness can be wrong for terminal basic blocks
646         https://bugs.webkit.org/show_bug.cgi?id=193304
647         <rdar://problem/45268632>
648
649         Reviewed by Yusuke Suzuki.
650
651         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
652
653 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
654
655         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
656         https://bugs.webkit.org/show_bug.cgi?id=193308
657         <rdar://problem/45546542>
658
659         Reviewed by Saam Barati.
660
661         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
662         (shouldThrow):
663         (shouldBe):
664         (foo):
665         (get shouldThrow):
666         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
667         (shouldThrow):
668         (shouldBe):
669         (foo):
670         (get shouldBe):
671         (get shouldThrow):
672         (get return):
673         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
674         (shouldThrow):
675         (shouldBe):
676         (foo):
677         (get shouldBe):
678         (get shouldThrow):
679         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
680         (shouldThrow):
681         (shouldBe):
682         (foo):
683         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
684         (shouldThrow):
685         (shouldBe):
686         (foo):
687         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
688         (shouldThrow):
689         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
690         (shouldThrow):
691         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
692         (shouldThrow):
693         (shouldBe):
694         (foo):
695         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
696         (shouldThrow):
697         (shouldBe):
698         (foo):
699         (get shouldBe):
700         (get shouldThrow):
701         (get return):
702         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
703         (shouldThrow):
704         (shouldBe):
705         (foo):
706         (get shouldBe):
707         (get shouldThrow):
708         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
709         (shouldThrow):
710         (shouldBe):
711         (foo):
712         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
713         (shouldThrow):
714         (shouldBe):
715         (foo):
716
717 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
718
719         Enable DFG on ARM/Linux again
720         https://bugs.webkit.org/show_bug.cgi?id=192496
721
722         Reviewed by Yusuke Suzuki.
723
724         Test wasn't really skipped before moving the line with skip
725         to the top.
726
727         * stress/regress-192717.js:
728
729 2019-01-10  Commit Queue  <commit-queue@webkit.org>
730
731         Unreviewed, rolling out r239825.
732         https://bugs.webkit.org/show_bug.cgi?id=193330
733
734         Broke tests on armv7/linux bots (Requested by guijemont on
735         #webkit).
736
737         Reverted changeset:
738
739         "Enable DFG on ARM/Linux again"
740         https://bugs.webkit.org/show_bug.cgi?id=192496
741         https://trac.webkit.org/changeset/239825
742
743 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
744
745         Enable DFG on ARM/Linux again
746         https://bugs.webkit.org/show_bug.cgi?id=192496
747
748         Reviewed by Yusuke Suzuki.
749
750         Test wasn't really skipped before moving the line with skip
751         to the top.
752
753         * stress/regress-192717.js:
754
755 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
756
757         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
758         https://bugs.webkit.org/show_bug.cgi?id=193127
759
760         Reviewed by Saam Barati.
761
762         * stress/array-species-create-should-handle-masquerader.js: Added.
763         (shouldThrow):
764         * stress/is-undefined-or-null-builtin.js: Added.
765         (shouldBe):
766         (isUndefinedOrNull.vm.createBuiltin):
767
768 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
769
770         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
771         https://bugs.webkit.org/show_bug.cgi?id=193221
772
773         Reviewed by Mark Lam.
774
775         * stress/put-by-id-flags.js: Added.
776         (f):
777         (g):
778         (numberOfDFGCompiles):
779
780 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
781
782         Baseline version of get_by_id may corrupt metadata
783         https://bugs.webkit.org/show_bug.cgi?id=193085
784         <rdar://problem/23453006>
785
786         Reviewed by Saam Barati.
787
788         * stress/get-by-id-change-mode.js: Added.
789         (forEach):
790
791 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
792
793         [JSC] Optimize Object.prototype.toString
794         https://bugs.webkit.org/show_bug.cgi?id=193031
795
796         Reviewed by Saam Barati.
797
798         * stress/object-tostring-changed-proto.js: Added.
799         (shouldBe):
800         (test):
801         * stress/object-tostring-changed.js: Added.
802         (shouldBe):
803         (test):
804         * stress/object-tostring-misc.js: Added.
805         (shouldBe):
806         (test):
807         (i.switch):
808         * stress/object-tostring-other.js: Added.
809         (shouldBe):
810         (test):
811         * stress/object-tostring-untyped.js: Added.
812         (shouldBe):
813         (test):
814         (i.switch):
815
816 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
817
818         test262-runner misbehaves when test file YAML has a trailing space
819         https://bugs.webkit.org/show_bug.cgi?id=193053
820
821         Reviewed by Yusuke Suzuki.
822
823         * test262/expectations.yaml:
824         Mark two dozen tests as passing (and correct the output of another).
825
826 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
827
828         Unreviewed, JSTests gardening with memoryLimited
829
830         * stress/string-overflow-createError.js:
831
832 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
833
834         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
835         https://bugs.webkit.org/show_bug.cgi?id=193050
836
837         Reviewed by Yusuke Suzuki.
838
839         * test262.yaml:
840         * test262/expectations.yaml:
841         Mark 16 tests as passing.
842
843 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
844
845         [BigInt] Support BigInt in JSON.stringify
846         https://bugs.webkit.org/show_bug.cgi?id=192624
847
848         Reviewed by Saam Barati.
849
850         * stress/big-int-json-stringify-to-json.js: Added.
851         (shouldBe):
852         (shouldThrow):
853         (BigInt.prototype.toJSON):
854         (shouldBe.JSON.stringify):
855         * stress/big-int-json-stringify.js: Added.
856         (shouldBe):
857         (shouldThrow):
858
859 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
860
861         [JSC] Implement "well-formed JSON.stringify" proposal
862         https://bugs.webkit.org/show_bug.cgi?id=191677
863
864         Reviewed by Darin Adler.
865
866         * stress/json-surrogate-pair.js: Added.
867         (shouldBe):
868         * test262/expectations.yaml:
869
870 2018-12-20  Keith Miller  <keith_miller@apple.com>
871
872         Add support for globalThis
873         https://bugs.webkit.org/show_bug.cgi?id=165171
874
875         Reviewed by Mark Lam.
876
877         * test262/config.yaml:
878
879 2018-12-19  Keith Miller  <keith_miller@apple.com>
880
881         Update test262 configuration to not run tests dependent on ICU version.
882         https://bugs.webkit.org/show_bug.cgi?id=192920
883
884         Reviewed by Saam Barati.
885
886         * test262/expectations.yaml:
887
888 2018-12-20  Mark Lam  <mark.lam@apple.com>
889
890         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
891         https://bugs.webkit.org/show_bug.cgi?id=192939
892         <rdar://problem/46869516>
893
894         Reviewed by Keith Miller.
895
896         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
897
898 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
899
900         WTF::String and StringImpl overflow MaxLength
901         https://bugs.webkit.org/show_bug.cgi?id=192853
902         <rdar://problem/45726906>
903
904         Reviewed by Mark Lam.
905
906         * stress/string-16bit-repeat-overflow.js: Added.
907         (catch):
908
909 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
910
911         Unreviewed follow-up to r192914.
912
913         * test262/expectations.yaml:
914         Add the last 20 missing expectations.
915
916 2018-12-19  Keith Miller  <keith_miller@apple.com>
917
918         Fix test262 expectations
919         https://bugs.webkit.org/show_bug.cgi?id=192914
920
921         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
922
923         * test262/expectations.yaml:
924
925 2018-12-19  Keith Miller  <keith_miller@apple.com>
926
927         Update test262 tests.
928         https://bugs.webkit.org/show_bug.cgi?id=192907
929
930         Rubber stamped by Mark Lam.
931
932         * test262/*: Omitted because prepare-changelog crashes.
933
934 2018-12-19  Mark Lam  <mark.lam@apple.com>
935
936         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
937         https://bugs.webkit.org/show_bug.cgi?id=192464
938         <rdar://problem/46519455>
939
940         Reviewed by Saam Barati.
941
942         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
943         microbenchmark.
944
945         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
946         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
947
948 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
949
950         String overflow in JSC::createError results in ASSERT in WTF::makeString
951         https://bugs.webkit.org/show_bug.cgi?id=192833
952         <rdar://problem/45706868>
953
954         Reviewed by Mark Lam.
955
956         * stress/string-overflow-createError.js: Added.
957
958 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
959
960         Error message for `-x ** y` contains a typo.
961         https://bugs.webkit.org/show_bug.cgi?id=192832
962
963         Reviewed by Saam Barati.
964
965         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
966         (assert.assert.return.throws):
967         * stress/pow-expects-update-expression-on-lhs.js:
968         (throw.new.Error):
969         Update test expectations which match against the exact error message.
970
971 2018-12-18  Mark Lam  <mark.lam@apple.com>
972
973         Gardening: test options fix.
974         https://bugs.webkit.org/show_bug.cgi?id=192822
975
976         Unreviewed.
977
978         * stress/json-stringify-string-builder-overflow.js:
979
980 2018-12-18  Mark Lam  <mark.lam@apple.com>
981
982         JSON.stringify() should throw OOM on StringBuilder overflows.
983         https://bugs.webkit.org/show_bug.cgi?id=192822
984         <rdar://problem/46670577>
985
986         Reviewed by Saam Barati.
987
988         * stress/json-stringify-string-builder-overflow.js: Added.
989
990 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
991
992         Redeclaration of var over let/const/class should be a syntax error.
993         https://bugs.webkit.org/show_bug.cgi?id=192298
994
995         Reviewed by Keith Miller.
996
997         * test262.yaml:
998         * test262/expectations.yaml:
999         Mark 46 tests as passing.
1000
1001         * stress/block-scope-redeclarations.js:
1002         Add some new tests.
1003
1004         * stress/for-in-invalidate-context-weird-assignments.js:
1005         * stress/for-in-tests.js:
1006         Replace tests for outdated behavior with tests for SyntaxError.
1007
1008         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1009         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1010         Update expectations.
1011
1012 2018-12-18  Mark Lam  <mark.lam@apple.com>
1013
1014         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1015         https://bugs.webkit.org/show_bug.cgi?id=191374
1016         <rdar://problem/46525447>
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1021
1022         * stress/elidable-new-object-roflcopter-then-exit.js:
1023
1024 2018-12-17  Mark Lam  <mark.lam@apple.com>
1025
1026         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1027         https://bugs.webkit.org/show_bug.cgi?id=192019
1028         <rdar://problem/46525456>
1029
1030         Reviewed by Yusuke Suzuki.
1031
1032         The test runs too slow on 32-bit.
1033
1034         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1035
1036 2018-12-17  Mark Lam  <mark.lam@apple.com>
1037
1038         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1039         https://bugs.webkit.org/show_bug.cgi?id=191373
1040         <rdar://problem/46525458>
1041
1042         Reviewed by Yusuke Suzuki.
1043
1044         The test is already slow running with a JIT on 64-bit.  It will always timeout
1045         on 32-bit without a JIT.
1046
1047         * stress/materialize-regexp-cyclic-regexp.js:
1048
1049 2018-12-17  Mark Lam  <mark.lam@apple.com>
1050
1051         Array unshift/shift should not race against the AI in the compiler thread.
1052         https://bugs.webkit.org/show_bug.cgi?id=192795
1053         <rdar://problem/46724263>
1054
1055         Reviewed by Saam Barati.
1056
1057         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1058
1059 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1060
1061         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1062         https://bugs.webkit.org/show_bug.cgi?id=190047
1063
1064         Reviewed by Saam Barati.
1065
1066         * stress/object-keys-cached-zero.js: Added.
1067         (shouldBe):
1068         (test):
1069         * stress/object-keys-changed-attribute.js: Added.
1070         (shouldBe):
1071         (test):
1072         * stress/object-keys-changed-index.js: Added.
1073         (shouldBe):
1074         (test):
1075         * stress/object-keys-changed.js: Added.
1076         (shouldBe):
1077         (test):
1078         * stress/object-keys-indexed-non-cache.js: Added.
1079         (shouldBe):
1080         (test):
1081         * stress/object-keys-overrides-get-property-names.js: Added.
1082         (shouldBe):
1083         (test):
1084         (noInline):
1085
1086 2018-12-17  Mark Lam  <mark.lam@apple.com>
1087
1088         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1089         https://bugs.webkit.org/show_bug.cgi?id=192779
1090         <rdar://problem/46775869>
1091
1092         Reviewed by Saam Barati.
1093
1094         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1095
1096 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1097
1098         Unreviewed test gardening, address a syntax error in a new test.
1099
1100         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1101
1102 2018-12-17  Mark Lam  <mark.lam@apple.com>
1103
1104         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1105         https://bugs.webkit.org/show_bug.cgi?id=192776
1106         <rdar://problem/46772368>
1107
1108         Reviewed by Keith Miller.
1109
1110         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1111
1112 2018-12-17  Mark Lam  <mark.lam@apple.com>
1113
1114         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1115         https://bugs.webkit.org/show_bug.cgi?id=192770
1116         <rdar://problem/46449037>
1117
1118         Reviewed by Keith Miller.
1119
1120         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1121
1122 2018-12-14  Mark Lam  <mark.lam@apple.com>
1123
1124         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1125         https://bugs.webkit.org/show_bug.cgi?id=192717
1126         <rdar://problem/46660677>
1127
1128         Reviewed by Saam Barati.
1129
1130         * stress/regress-192717.js: Added.
1131
1132 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1133
1134         Unreviewed, rolling out r239153, r239154, and r239155.
1135         https://bugs.webkit.org/show_bug.cgi?id=192715
1136
1137         Caused flaky GC-related crashes seen with layout tests
1138         (Requested by ryanhaddad on #webkit).
1139
1140         Reverted changesets:
1141
1142         "[JSC] Optimize Object.keys by caching own keys results in
1143         StructureRareData"
1144         https://bugs.webkit.org/show_bug.cgi?id=190047
1145         https://trac.webkit.org/changeset/239153
1146
1147         "Unreviewed, build fix after r239153"
1148         https://bugs.webkit.org/show_bug.cgi?id=190047
1149         https://trac.webkit.org/changeset/239154
1150
1151         "Unreviewed, build fix after r239153, part 2"
1152         https://bugs.webkit.org/show_bug.cgi?id=190047
1153         https://trac.webkit.org/changeset/239155
1154
1155 2018-12-14  Keith Miller  <keith_miller@apple.com>
1156
1157         Callers of JSString::getIndex should check for OOM exceptions
1158         https://bugs.webkit.org/show_bug.cgi?id=192709
1159
1160         Reviewed by Mark Lam.
1161
1162         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1163
1164 2018-12-13  Mark Lam  <mark.lam@apple.com>
1165
1166         Add a missing exception check.
1167         https://bugs.webkit.org/show_bug.cgi?id=192626
1168         <rdar://problem/46662163>
1169
1170         Reviewed by Keith Miller.
1171
1172         * stress/regress-192626.js: Added.
1173
1174 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1175
1176         [BigInt] Add ValueDiv into DFG
1177         https://bugs.webkit.org/show_bug.cgi?id=186178
1178
1179         Reviewed by Yusuke Suzuki.
1180
1181         * stress/big-int-div-jit-osr.js: Added.
1182         * stress/big-int-div-jit-untyped.js: Added.
1183         * stress/value-div-fixup-int32-big-int.js: Added.
1184
1185 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1186
1187         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1188         https://bugs.webkit.org/show_bug.cgi?id=190047
1189
1190         Reviewed by Keith Miller.
1191
1192         * stress/object-keys-cached-zero.js: Added.
1193         (shouldBe):
1194         (test):
1195         * stress/object-keys-changed-attribute.js: Added.
1196         (shouldBe):
1197         (test):
1198         * stress/object-keys-changed-index.js: Added.
1199         (shouldBe):
1200         (test):
1201         * stress/object-keys-changed.js: Added.
1202         (shouldBe):
1203         (test):
1204         * stress/object-keys-indexed-non-cache.js: Added.
1205         (shouldBe):
1206         (test):
1207         * stress/object-keys-overrides-get-property-names.js: Added.
1208         (shouldBe):
1209         (test):
1210         (noInline):
1211
1212 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1213
1214         [DFG][FTL] Add NewSymbol
1215         https://bugs.webkit.org/show_bug.cgi?id=192620
1216
1217         Reviewed by Saam Barati.
1218
1219         * microbenchmarks/symbol-creation.js: Added.
1220         (test):
1221         * stress/symbol-description-identity.js: Added.
1222         (shouldBe):
1223         (test):
1224         * stress/symbol-identity.js: Added.
1225         (shouldBe):
1226         (test):
1227         * stress/symbol-with-description-throw-error.js: Added.
1228         (shouldBe):
1229         (shouldThrow):
1230         (test):
1231         (object.toString):
1232
1233 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1234
1235         [BigInt] Implement DFG/FTL typeof for BigInt
1236         https://bugs.webkit.org/show_bug.cgi?id=192619
1237
1238         Reviewed by Keith Miller.
1239
1240         * stress/big-int-boolean-proven-type.js: Added.
1241         (assert):
1242         (bool):
1243         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1244         (assert):
1245         (typeOf):
1246         (i.switch):
1247         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1248         (assert):
1249         (typeOf):
1250         * stress/big-int-type-of.js:
1251         (typeOf):
1252         (func):
1253
1254 2018-12-10  Mark Lam  <mark.lam@apple.com>
1255
1256         PropertyAttribute needs a CustomValue bit.
1257         https://bugs.webkit.org/show_bug.cgi?id=191993
1258         <rdar://problem/46264467>
1259
1260         Reviewed by Saam Barati.
1261
1262         * stress/regress-191993.js: Added.
1263
1264 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1265
1266         [BigInt] Add ValueMul into DFG
1267         https://bugs.webkit.org/show_bug.cgi?id=186175
1268
1269         Reviewed by Yusuke Suzuki.
1270
1271         * stress/big-int-mul-jit-osr.js: Added.
1272         * stress/big-int-mul-jit-untyped.js: Added.
1273         * stress/value-mul-fixup-int32-big-int.js: Added.
1274
1275 2018-12-06  Keith Miller  <keith_miller@apple.com>
1276
1277         stress/big-wasm-memory tests failing on 32-bit JSC bot
1278         https://bugs.webkit.org/show_bug.cgi?id=192020
1279
1280         Reviewed by Saam Barati.
1281
1282         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1283         the wasm stress tests if the WebAssembly object does not exist.
1284
1285         * stress/big-wasm-memory-grow-no-max.js:
1286         (test.foo):
1287         (test):
1288         (foo): Deleted.
1289         (catch): Deleted.
1290         * stress/big-wasm-memory-grow.js:
1291         (test.foo):
1292         (test):
1293         (foo): Deleted.
1294         (catch): Deleted.
1295         * stress/big-wasm-memory.js:
1296         (test.foo):
1297         (test):
1298         (foo): Deleted.
1299         (catch): Deleted.
1300
1301 2018-12-05  Mark Lam  <mark.lam@apple.com>
1302
1303         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1304         https://bugs.webkit.org/show_bug.cgi?id=192441
1305         <rdar://problem/46480355>
1306
1307         Reviewed by Saam Barati.
1308
1309         * stress/regress-192441.js: Added.
1310
1311 2018-12-04  Mark Lam  <mark.lam@apple.com>
1312
1313         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1314         https://bugs.webkit.org/show_bug.cgi?id=192386
1315         <rdar://problem/46445516>
1316
1317         Reviewed by Saam Barati.
1318
1319         * stress/regress-192386.js: Added.
1320
1321 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1322
1323         [ESNext][BigInt] Support logic operations
1324         https://bugs.webkit.org/show_bug.cgi?id=179903
1325
1326         Reviewed by Yusuke Suzuki.
1327
1328         * stress/big-int-branch-usage.js: Added.
1329         * stress/big-int-logical-and.js: Added.
1330         * stress/big-int-logical-not.js: Added.
1331         * stress/big-int-logical-or.js: Added.
1332
1333 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1334
1335         Unreviewed, rolling out r238833.
1336
1337         Breaks macOS and iOS debug builds.
1338
1339         Reverted changeset:
1340
1341         "[ESNext][BigInt] Support logic operations"
1342         https://bugs.webkit.org/show_bug.cgi?id=179903
1343         https://trac.webkit.org/changeset/238833
1344
1345 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1346
1347         [ESNext][BigInt] Support logic operations
1348         https://bugs.webkit.org/show_bug.cgi?id=179903
1349
1350         Reviewed by Yusuke Suzuki.
1351
1352         * stress/big-int-branch-usage.js: Added.
1353         * stress/big-int-logical-and.js: Added.
1354         * stress/big-int-logical-not.js: Added.
1355         * stress/big-int-logical-or.js: Added.
1356
1357 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1358
1359         [ESNext][BigInt] Implement support for "<<" and ">>"
1360         https://bugs.webkit.org/show_bug.cgi?id=186233
1361
1362         Reviewed by Yusuke Suzuki.
1363
1364         * stress/big-int-left-shift-general.js: Added.
1365         * stress/big-int-left-shift-range-error.js: Added.
1366         * stress/big-int-left-shift-type-error.js: Added.
1367         * stress/big-int-left-shift-wrapped-value.js: Added.
1368         * stress/big-int-right-shift-general.js: Added.
1369         * stress/big-int-right-shift-type-error.js: Added.
1370         * stress/big-int-right-shift-wrapped-value.js: Added.
1371         * stress/left-shift-to-primitive-precedence.js: Added.
1372         * stress/right-shift-to-primitive-precedence.js: Added.
1373
1374 2018-11-30  Dean Jackson  <dino@apple.com>
1375
1376         Add first-class support for .mjs files in jsc binary
1377         https://bugs.webkit.org/show_bug.cgi?id=192190
1378         <rdar://problem/46375715>
1379
1380         Reviewed by Keith Miller.
1381
1382         * stress/simple-module.mjs: Added.
1383         * stress/simple-script.js: Added.
1384
1385 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1386
1387         [BigInt] Implement ValueBitXor into DFG
1388         https://bugs.webkit.org/show_bug.cgi?id=190264
1389
1390         Reviewed by Yusuke Suzuki.
1391
1392         * stress/big-int-bitwise-xor-jit.js: Added.
1393         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1394         * stress/big-int-bitwise-xor-untyped.js: Added.
1395
1396 2018-11-27  Saam barati  <sbarati@apple.com>
1397
1398         r238510 broke scopes of size zero
1399         https://bugs.webkit.org/show_bug.cgi?id=192033
1400         <rdar://problem/46281734>
1401
1402         Reviewed by Keith Miller.
1403
1404         * stress/r238510-bad-loop.js: Added.
1405         (foo):
1406
1407 2018-11-27  Mark Lam  <mark.lam@apple.com>
1408
1409         [Re-landing] NaNs read from Wasm code needs to be be purified.
1410         https://bugs.webkit.org/show_bug.cgi?id=191056
1411         <rdar://problem/45660341>
1412
1413         Reviewed by Filip Pizlo.
1414
1415         * wasm/regress/regress-191056.js: Added.
1416
1417 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1418
1419         Unreviewed, rolling out r238509.
1420
1421         Causes JSC tests to fail on iOS.
1422
1423         Reverted changeset:
1424
1425         "NaNs read from Wasm code needs to be be purified."
1426         https://bugs.webkit.org/show_bug.cgi?id=191056
1427         https://trac.webkit.org/changeset/238509
1428
1429 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1430
1431         Re-introduce op_bitnot
1432         https://bugs.webkit.org/show_bug.cgi?id=190923
1433
1434         Reviewed by Yusuke Suzuki.
1435
1436         * stress/bit-not-must-generate.js: Added.
1437         * stress/bitwise-not-no-int32.js: Added.
1438
1439 2018-11-26  Saam barati  <sbarati@apple.com>
1440
1441         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1442         https://bugs.webkit.org/show_bug.cgi?id=191956
1443         <rdar://problem/45665806>
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1448         (bar):
1449         (foo):
1450
1451 2018-11-26  Saam barati  <sbarati@apple.com>
1452
1453         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1454         https://bugs.webkit.org/show_bug.cgi?id=191958
1455         <rdar://problem/46221877>
1456
1457         Reviewed by Yusuke Suzuki.
1458
1459         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1460         (x):
1461         (foo):
1462
1463 2018-11-26  Mark Lam  <mark.lam@apple.com>
1464
1465         NaNs read from Wasm code needs to be be purified.
1466         https://bugs.webkit.org/show_bug.cgi?id=191056
1467         <rdar://problem/45660341>
1468
1469         Reviewed by Filip Pizlo.
1470
1471         * wasm/regress/regress-191056.js: Added.
1472
1473 2018-11-26  Michael Saboff  <msaboff@apple.com>
1474
1475         32-bit JSC test failure: stress/regexp-compile-oom.js
1476         https://bugs.webkit.org/show_bug.cgi?id=191375
1477
1478         Reviewed by Mark Lam.
1479
1480         Disabled the test for 32 bit platforms.
1481
1482         * stress/regexp-compile-oom.js:
1483
1484 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1485
1486         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1487         https://bugs.webkit.org/show_bug.cgi?id=191716
1488         <rdar://problem/45723878>
1489
1490         Reviewed by Saam Barati.
1491
1492         * stress/regress-187373.js: Added.
1493         (async.fn):
1494
1495 2018-11-21  Saam barati  <sbarati@apple.com>
1496
1497         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1498         https://bugs.webkit.org/show_bug.cgi?id=191897
1499         <rdar://problem/45871998>
1500
1501         Reviewed by Mark Lam.
1502
1503         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1504         (bar):
1505         (foo):
1506
1507 2018-11-21  Saam barati  <sbarati@apple.com>
1508
1509         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1510         https://bugs.webkit.org/show_bug.cgi?id=191895
1511         <rdar://problem/46167406>
1512
1513         Reviewed by Mark Lam.
1514
1515         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1516         (foo):
1517         (bar):
1518
1519 2018-11-21  Mark Lam  <mark.lam@apple.com>
1520
1521         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1522         https://bugs.webkit.org/show_bug.cgi?id=191776
1523         <rdar://problem/46152851>
1524
1525         Reviewed by Saam Barati.
1526
1527         * stress/big-wasm-memory-grow-no-max.js:
1528         * stress/big-wasm-memory-grow.js:
1529         * stress/big-wasm-memory.js:
1530         - updated these to expect an OutOfMemoryError.
1531
1532         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1533         (Binary.prototype.emit_u8):
1534         (Binary.prototype.emit_u32v):
1535         (Binary.prototype.emit_header):
1536         (Binary.prototype.emit_section):
1537         (Binary):
1538         (WasmModuleBuilder):
1539         (WasmModuleBuilder.prototype.addMemory):
1540         (WasmModuleBuilder.prototype.toArray):
1541         (WasmModuleBuilder.prototype.toBuffer):
1542         (WasmModuleBuilder.prototype.instantiate):
1543         (catch):
1544         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1545         (catch):
1546
1547 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1548
1549         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1550         https://bugs.webkit.org/show_bug.cgi?id=190836
1551
1552         Reviewed by Saam Barati and Yusuke Suzuki.
1553
1554         * stress/big-int-out-of-memory-tests.js: Added.
1555
1556 2018-11-20  Mark Lam  <mark.lam@apple.com>
1557
1558         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1559         https://bugs.webkit.org/show_bug.cgi?id=191856
1560         <rdar://problem/46089992>
1561
1562         Reviewed by Yusuke Suzuki.
1563
1564         * stress/regress-191856.js: Added.
1565         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1566
1567 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1568
1569         Enable JIT on ARM/Linux
1570         https://bugs.webkit.org/show_bug.cgi?id=191548
1571
1572         Reviewed by Yusuke Suzuki.
1573
1574         Disable test on system with limited memory. Program was killed by
1575         the OS before the exception was thrown.
1576
1577         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1578
1579 2018-11-20  Saam barati  <sbarati@apple.com>
1580
1581         Merging an IC variant may lead to the IC status containing overlapping structure sets
1582         https://bugs.webkit.org/show_bug.cgi?id=191869
1583         <rdar://problem/45403453>
1584
1585         Reviewed by Mark Lam.
1586
1587         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1588
1589 2018-11-19  Mark Lam  <mark.lam@apple.com>
1590
1591         globalFuncImportModule() should return a promise when it clears exceptions.
1592         https://bugs.webkit.org/show_bug.cgi?id=191792
1593         <rdar://problem/46090763>
1594
1595         Reviewed by Michael Saboff.
1596
1597         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1598
1599 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1600
1601         Skip new memory-hungry tests on memory limited devices
1602
1603         Unreviewed gardening.
1604
1605         * stress/big-wasm-memory-grow-no-max.js:
1606         * stress/big-wasm-memory-grow.js:
1607         * stress/big-wasm-memory.js:
1608
1609 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1610
1611         Unreviewed, rolling in the rest of r237254
1612         https://bugs.webkit.org/show_bug.cgi?id=190340
1613
1614         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1615         * stress/function-cache-with-parameters-end-position.js: Added.
1616         (shouldBe):
1617         (shouldThrow):
1618         (i.anonymous):
1619         * stress/function-constructor-name.js: Added.
1620         (shouldBe):
1621         (GeneratorFunction):
1622         (AsyncFunction.async):
1623         (AsyncGeneratorFunction.async):
1624         (anonymous):
1625         (async.anonymous):
1626         * test262/expectations.yaml:
1627
1628 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1629
1630         All users of ArrayBuffer should agree on the same max size
1631         https://bugs.webkit.org/show_bug.cgi?id=191771
1632
1633         Reviewed by Mark Lam.
1634
1635         * stress/big-wasm-memory-grow-no-max.js: Added.
1636         (foo):
1637         (catch):
1638         * stress/big-wasm-memory-grow.js: Added.
1639         (foo):
1640         (catch):
1641         * stress/big-wasm-memory.js: Added.
1642         (foo):
1643         (catch):
1644
1645 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1646
1647         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1648         run for each JSC config since they're regression tests for runtime bugs.
1649
1650         * stress/json-stringified-overflow-2.js:
1651         * stress/json-stringified-overflow.js:
1652
1653 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1654
1655         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1656         config since they're regression tests for runtime bugs.
1657
1658         * stress/large-unshift-splice.js:
1659         * stress/regress-185888.js:
1660
1661 2018-11-16  Saam Barati  <sbarati@apple.com>
1662
1663         KnownCellUse should also have SpecCellCheck as its type filter
1664         https://bugs.webkit.org/show_bug.cgi?id=191729
1665         <rdar://problem/45872852>
1666
1667         Reviewed by Filip Pizlo.
1668
1669         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1670         (C):
1671
1672 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1673
1674         Fix assertion failure on BytecodeGenerator::recordOpcode
1675         https://bugs.webkit.org/show_bug.cgi?id=191724
1676         <rdar://problem/45724395>
1677
1678         Reviewed by Saam Barati.
1679
1680         * stress/regress-187373-2.js: Added.
1681         (foo):
1682
1683 2018-11-15  Mark Lam  <mark.lam@apple.com>
1684
1685         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1686         https://bugs.webkit.org/show_bug.cgi?id=191730
1687         <rdar://problem/46048517>
1688
1689         Reviewed by Saam Barati.
1690
1691         * stress/regress-187006.js: Removed.
1692           - this test is invalid because its sole purpose is to test for the non-spec
1693             compliant behavior that we just fixed.
1694
1695         * stress/regress-191730.js: Added.
1696
1697 2018-11-15  Mark Lam  <mark.lam@apple.com>
1698
1699         RegExp operations should not take fast patch if lastIndex is not numeric.
1700         https://bugs.webkit.org/show_bug.cgi?id=191731
1701         <rdar://problem/46017305>
1702
1703         Reviewed by Saam Barati.
1704
1705         * stress/regress-191731.js: Added.
1706
1707 2018-11-13  Saam Barati  <sbarati@apple.com>
1708
1709         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1710         https://bugs.webkit.org/show_bug.cgi?id=191600
1711
1712         Reviewed by Mark Lam.
1713
1714         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1715         (foo):
1716         (test):
1717         (bar):
1718
1719 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1720
1721         Unreviewed, rolling out r238132.
1722
1723         The test added with this change is timing out on Debug JSC
1724         bots.
1725
1726         Reverted changeset:
1727
1728         "[BigInt] JSBigInt::createWithLength should throw when length
1729         is greater than JSBigInt::maxLength"
1730         https://bugs.webkit.org/show_bug.cgi?id=190836
1731         https://trac.webkit.org/changeset/238132
1732
1733 2018-11-13  Mark Lam  <mark.lam@apple.com>
1734
1735         Add OOM detection to StringPrototype's substituteBackreferences().
1736         https://bugs.webkit.org/show_bug.cgi?id=191563
1737         <rdar://problem/45720428>
1738
1739         Reviewed by Saam Barati.
1740
1741         * stress/regress-191563.js: Added.
1742
1743 2018-11-13  Mark Lam  <mark.lam@apple.com>
1744
1745         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1746         https://bugs.webkit.org/show_bug.cgi?id=191579
1747         <rdar://problem/45942472>
1748
1749         Reviewed by Saam Barati.
1750
1751         * stress/regress-191579.js: Added.
1752
1753 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1754
1755         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1756         https://bugs.webkit.org/show_bug.cgi?id=190836
1757
1758         Reviewed by Saam Barati.
1759
1760         * stress/big-int-out-of-memory-tests.js: Added.
1761
1762 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1763
1764         U+180E is no longer a whitespace character
1765         https://bugs.webkit.org/show_bug.cgi?id=191415
1766
1767         Reviewed by Saam Barati.
1768
1769         * ChakraCore/test/es5/regexSpace.baseline:
1770         * ChakraCore/test/es6/unicode_whitespace.js:
1771         Update tests to latest version.
1772         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1773
1774         * test262.yaml:
1775         * test262/config.yaml:
1776         * test262/expectations.yaml:
1777         Update expectations.
1778
1779 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1780
1781         [BigInt] Add support to BigInt into ValueAdd
1782         https://bugs.webkit.org/show_bug.cgi?id=186177
1783
1784         Reviewed by Keith Miller.
1785
1786         * stress/big-int-negate-jit.js:
1787         * stress/value-add-big-int-and-string.js: Added.
1788         * stress/value-add-big-int-prediction-propagation.js: Added.
1789         * stress/value-add-big-int-untyped.js: Added.
1790
1791 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1792
1793         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1794         https://bugs.webkit.org/show_bug.cgi?id=191184
1795
1796         Reviewed by Saam Barati.
1797
1798         Most tests were failing due to timeouts, since they are too slow to
1799         run on CLoop. The exceptions are:
1800
1801         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1802         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1803         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1804         to change the stack size since CLoop requires it to be page aligned.
1805
1806         * microbenchmarks/array-push-1.js:
1807         * microbenchmarks/array-push-2.js:
1808         * microbenchmarks/elidable-new-object-dag.js:
1809         * microbenchmarks/elidable-new-object-roflcopter.js:
1810         * microbenchmarks/elidable-new-object-tree.js:
1811         * microbenchmarks/getter-richards.js:
1812         * microbenchmarks/sinkable-new-object-dag.js:
1813         * microbenchmarks/string-concat-long-convert.js:
1814         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1815         * slowMicrobenchmarks/array-push-3.js:
1816         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1817         * slowMicrobenchmarks/spread-small-array.js:
1818         * slowMicrobenchmarks/undefined-property-access.js:
1819         * stress/activation-sink-default-value-tdz-error.js:
1820         * stress/activation-sink-default-value.js:
1821         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1822         * stress/activation-sink-osrexit-default-value.js:
1823         * stress/activation-sink-osrexit.js:
1824         * stress/activation-sink.js:
1825         * stress/allow-math-ic-b3-code-duplication.js:
1826         * stress/array-push-multiple-int32.js:
1827         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1828         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1829         * stress/arrowfunction-lexical-this-activation-sink.js:
1830         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1831         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1832         * stress/elide-new-object-dag-then-exit.js:
1833         * stress/materialize-regexp-cyclic.js:
1834         * stress/new-regex-inline.js:
1835         * stress/op_add.js:
1836         * stress/op_bitand.js:
1837         * stress/op_bitor.js:
1838         * stress/op_bitxor.js:
1839         * stress/op_div-ConstVar.js:
1840         * stress/op_div-VarConst.js:
1841         * stress/op_div-VarVar.js:
1842         * stress/op_lshift-ConstVar.js:
1843         * stress/op_lshift-VarConst.js:
1844         * stress/op_lshift-VarVar.js:
1845         * stress/op_mod-ConstVar.js:
1846         * stress/op_mod-VarConst.js:
1847         * stress/op_mod-VarVar.js:
1848         * stress/op_mul-ConstVar.js:
1849         * stress/op_mul-VarConst.js:
1850         * stress/op_mul-VarVar.js:
1851         * stress/op_rshift-ConstVar.js:
1852         * stress/op_rshift-VarConst.js:
1853         * stress/op_rshift-VarVar.js:
1854         * stress/op_sub-ConstVar.js:
1855         * stress/op_sub-VarConst.js:
1856         * stress/op_sub-VarVar.js:
1857         * stress/op_urshift-ConstVar.js:
1858         * stress/op_urshift-VarConst.js:
1859         * stress/op_urshift-VarVar.js:
1860         * stress/proxy-get-set-correct-receiver.js:
1861         * stress/regress-179562.js:
1862         * stress/rest-parameter-many-arguments.js:
1863         * stress/sampling-profiler-richards.js:
1864         * stress/splay-flash-access-1ms.js:
1865         * stress/tailCallForwardArguments.js:
1866         * stress/typed-array-get-by-val-profiling.js:
1867         * typeProfiler/getter-richards.js:
1868
1869 2018-11-06  Michael Saboff  <msaboff@apple.com>
1870
1871         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1872         https://bugs.webkit.org/show_bug.cgi?id=191271
1873
1874         Reviewed by Saam Barati.
1875
1876         Added more test cases and made all test cases run with the same deeply recursive stack
1877         instead of finding that same point for each test case.
1878
1879         * stress/regexp-compile-oom.js:
1880         (prototype.runTest):
1881         (recurseAndTest):
1882         (testList.push.new.TestAndExpectedException):
1883
1884 2018-11-05  Michael Saboff  <msaboff@apple.com>
1885
1886         Unreviewed build fix for linux.
1887
1888         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1889
1890 2018-11-02  Michael Saboff  <msaboff@apple.com>
1891
1892         Rolling in r237753 with unreviewed build fix.
1893
1894         Fixed issues with DECLARE_THROW_SCOPE placement.
1895
1896 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1897
1898         Unreviewed, rolling out r237753.
1899
1900         Introduced JSC test failures
1901
1902         Reverted changeset:
1903
1904         "Running out of stack space not properly handled in
1905         RegExp::compile() and its callers"
1906         https://bugs.webkit.org/show_bug.cgi?id=191206
1907         https://trac.webkit.org/changeset/237753
1908
1909 2018-11-02  Michael Saboff  <msaboff@apple.com>
1910
1911         Running out of stack space not properly handled in RegExp::compile() and its callers
1912         https://bugs.webkit.org/show_bug.cgi?id=191206
1913
1914         Reviewed by Filip Pizlo.
1915
1916         New regression test.
1917
1918         * stress/regexp-compile-oom.js: Added.
1919         (recurseAndTest):
1920
1921 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1922
1923         Skip tests on arm/mips that time out now we're running on CLoop
1924
1925         Unreviewed gardening.
1926
1927         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1928         time out on the bots and need to be disabled. There's more tests
1929         disabled on arm because the timeout is longer on the mips bot (as the
1930         device is slower to start with), so many of the tests don't time out
1931         there.
1932
1933         * microbenchmarks/getter-richards.js: disable on arm and mips.
1934         * stress/op_add.js: disable on arm.
1935         * stress/op_bitand.js: disable on arm.
1936         * stress/op_bitor.js: disable on arm.
1937         * stress/op_bitxor.js: disable on arm.
1938         * stress/op_lshift-ConstVar.js: disable on arm.
1939         * stress/op_lshift-VarConst.js: disable on arm.
1940         * stress/op_lshift-VarVar.js: disable on arm.
1941         * stress/op_mod-ConstVar.js: disable on arm.
1942         * stress/op_mod-VarConst.js: disable on arm.
1943         * stress/op_mod-VarVar.js: disable on arm.
1944         * stress/op_mul-ConstVar.js: disable on arm.
1945         * stress/op_mul-VarConst.js: disable on arm.
1946         * stress/op_mul-VarVar.js: disable on arm.
1947         * stress/op_rshift-ConstVar.js: disable on arm.
1948         * stress/op_rshift-VarConst.js: disable on arm.
1949         * stress/op_rshift-VarVar.js: disable on arm.
1950         * stress/op_sub-ConstVar.js: disable on arm.
1951         * stress/op_sub-VarConst.js: disable on arm.
1952         * stress/op_sub-VarVar.js: disable on arm.
1953         * stress/op_urshift-ConstVar.js: disable on arm.
1954         * stress/op_urshift-VarConst.js: disable on arm.
1955         * stress/op_urshift-VarVar.js: disable on arm.
1956         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1957         * stress/value-to-boolean.js: disable on arm and mips.
1958
1959 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1960
1961         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1962         https://bugs.webkit.org/show_bug.cgi?id=191108
1963         <rdar://problem/45690700>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/wide-op_catch.js: Added.
1968         (catch):
1969
1970 2018-10-29  Mark Lam  <mark.lam@apple.com>
1971
1972         Correctly detect string overflow when using the 'Function' constructor.
1973         https://bugs.webkit.org/show_bug.cgi?id=184883
1974         <rdar://problem/36320331>
1975
1976         Reviewed by Saam Barati.
1977
1978         I've verified that this passes on 32-bit as well.
1979
1980         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1981
1982 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1983
1984         Add support for GetStack FlushedDouble
1985         https://bugs.webkit.org/show_bug.cgi?id=191012
1986         <rdar://problem/45265141>
1987
1988         Reviewed by Saam Barati.
1989
1990         * stress/get-stack-double.js: Added.
1991         (bar):
1992         (noInline):
1993
1994 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1995
1996         New bytecode format for JSC
1997         https://bugs.webkit.org/show_bug.cgi?id=187373
1998         <rdar://problem/44186758>
1999
2000         Reviewed by Filip Pizlo.
2001
2002         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2003
2004         * stress/maximum-inline-capacity.js: Added.
2005         (test1):
2006         (test3.Foo):
2007         (test3):
2008
2009 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2010
2011         Unreviewed, rolling out r237479 and r237484.
2012         https://bugs.webkit.org/show_bug.cgi?id=190978
2013
2014         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2015
2016         Reverted changesets:
2017
2018         "New bytecode format for JSC"
2019         https://bugs.webkit.org/show_bug.cgi?id=187373
2020         https://trac.webkit.org/changeset/237479
2021
2022         "Gardening: Build fix after r237479."
2023         https://bugs.webkit.org/show_bug.cgi?id=187373
2024         https://trac.webkit.org/changeset/237484
2025
2026 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2027
2028         New bytecode format for JSC
2029         https://bugs.webkit.org/show_bug.cgi?id=187373
2030         <rdar://problem/44186758>
2031
2032         Reviewed by Filip Pizlo.
2033
2034         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2035
2036         * stress/maximum-inline-capacity.js: Added.
2037         (test1):
2038         (test3.Foo):
2039         (test3):
2040
2041 2018-10-26  Mark Lam  <mark.lam@apple.com>
2042
2043         Fix missing edge cases with JSGlobalObjects having a bad time.
2044         https://bugs.webkit.org/show_bug.cgi?id=189028
2045         <rdar://problem/45204939>
2046
2047         Reviewed by Saam Barati.
2048
2049         * stress/regress-189028.js: Added.
2050
2051 2018-10-22  Mark Lam  <mark.lam@apple.com>
2052
2053         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2054         https://bugs.webkit.org/show_bug.cgi?id=190515
2055         <rdar://problem/45222379>
2056
2057         Rubber-stamped by Saam Barati.
2058
2059         Adding another test.
2060
2061         * stress/regress-190515-2.js: Added.
2062
2063 2018-10-22  Mark Lam  <mark.lam@apple.com>
2064
2065         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2066         https://bugs.webkit.org/show_bug.cgi?id=190515
2067         <rdar://problem/45222379>
2068
2069         Reviewed by Saam Barati.
2070
2071         * stress/regress-190515.js: Added.
2072
2073 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2074
2075         Unreviewed, rolling out r237254.
2076         https://bugs.webkit.org/show_bug.cgi?id=190760
2077
2078         "It regresses JetStream 2 by 5% on some iOS devices"
2079         (Requested by saamyjoon on #webkit).
2080
2081         Reverted changeset:
2082
2083         "[JSC] JSC should have "parseFunction" to optimize Function
2084         constructor"
2085         https://bugs.webkit.org/show_bug.cgi?id=190340
2086         https://trac.webkit.org/changeset/237254
2087
2088 2018-10-19  Saam Barati  <sbarati@apple.com>
2089
2090         vmCall should check if we exit before emitting an OSR exit due to exceptions
2091         https://bugs.webkit.org/show_bug.cgi?id=190740
2092         <rdar://problem/45220139>
2093
2094         Reviewed by Mark Lam.
2095
2096         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2097         (foo):
2098
2099 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2100
2101         [ESNext][BigInt] Implement support for "^"
2102         https://bugs.webkit.org/show_bug.cgi?id=186235
2103
2104         Reviewed by Yusuke Suzuki.
2105
2106         * stress/big-int-bitwise-xor-general.js: Added.
2107         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2108         * stress/big-int-bitwise-xor-type-error.js: Added.
2109         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2110
2111 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2112
2113         [BigInt] Add ValueSub into DFG
2114         https://bugs.webkit.org/show_bug.cgi?id=186176
2115
2116         Reviewed by Yusuke Suzuki.
2117
2118         * stress/big-int-subtraction-jit.js:
2119         * stress/value-sub-big-int-prediction-propagation.js: Added.
2120         * stress/value-sub-big-int-untyped.js: Added.
2121         * stress/value-sub-spec-none-case.js: Added.
2122
2123 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2124
2125         [JSC] JSC should have "parseFunction" to optimize Function constructor
2126         https://bugs.webkit.org/show_bug.cgi?id=190340
2127
2128         Reviewed by Mark Lam.
2129
2130         This patch fixes the line number of syntax errors raised by the Function constructor,
2131         since we now parse the final code only once. And we no longer use block statement
2132         for Function constructor's parsing.
2133
2134         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2135         * stress/function-cache-with-parameters-end-position.js: Added.
2136         (shouldBe):
2137         (shouldThrow):
2138         (i.anonymous):
2139         * stress/function-constructor-name.js: Added.
2140         (shouldBe):
2141         (GeneratorFunction):
2142         (AsyncFunction.async):
2143         (AsyncGeneratorFunction.async):
2144         (anonymous):
2145         (async.anonymous):
2146         * test262/expectations.yaml:
2147
2148 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2149
2150         Unreviewed, rolling out r237242.
2151         https://bugs.webkit.org/show_bug.cgi?id=190701
2152
2153         it breaks "stress/sampling-profiler-basic.js" (Requested by
2154         caiolima on #webkit).
2155
2156         Reverted changeset:
2157
2158         "[BigInt] Add ValueSub into DFG"
2159         https://bugs.webkit.org/show_bug.cgi?id=186176
2160         https://trac.webkit.org/changeset/237242
2161
2162 2018-10-17  Keith Miller  <keith_miller@apple.com>
2163
2164         AI does not clear Phantom allocation nodes.
2165         https://bugs.webkit.org/show_bug.cgi?id=190694
2166
2167         Reviewed by Saam Barati.
2168
2169         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2170         (Day):
2171         (DaysInYear):
2172         (TimeInYear):
2173         (TimeFromYear):
2174         (DayFromYear):
2175         (InLeapYear):
2176         (YearFromTime):
2177         (WeekDay):
2178         (DaylightSavingTA):
2179         (GetSecondSundayInMarch):
2180         (TimeInMonth):
2181
2182 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2183
2184         [BigInt] Add ValueSub into DFG
2185         https://bugs.webkit.org/show_bug.cgi?id=186176
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         * stress/big-int-subtraction-jit.js:
2190         * stress/value-sub-big-int-prediction-propagation.js: Added.
2191         * stress/value-sub-big-int-untyped.js: Added.
2192
2193 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2194
2195         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2196         https://bugs.webkit.org/show_bug.cgi?id=190611
2197
2198         Reviewed by Saam Barati.
2199
2200         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2201         to improve test runtime. On ARM/MIPS this test even timed out when running all
2202         tests.
2203
2204         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2205         (test):
2206
2207 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2208
2209         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2210
2211         Unreviewed gardening.
2212
2213         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2214
2215 2018-10-15  Saam barati  <sbarati@apple.com>
2216
2217         Emit fjcvtzs on ARM64E on Darwin
2218         https://bugs.webkit.org/show_bug.cgi?id=184023
2219
2220         Reviewed by Yusuke Suzuki and Filip Pizlo.
2221
2222         * stress/double-to-int32-NaN.js: Added.
2223         (assert):
2224         (foo):
2225
2226 2018-10-15  Saam Barati  <sbarati@apple.com>
2227
2228         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2229         https://bugs.webkit.org/show_bug.cgi?id=190262
2230         <rdar://problem/44986241>
2231
2232         Reviewed by Mark Lam.
2233
2234         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2235         (test):
2236         * stress/slice-array-storage-with-holes.js: Added.
2237         (main):
2238
2239 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2240
2241         Unreviewed, rolling out r237054.
2242         https://bugs.webkit.org/show_bug.cgi?id=190593
2243
2244         "this regressed JetStream 2 by 6% on iOS" (Requested by
2245         saamyjoon on #webkit).
2246
2247         Reverted changeset:
2248
2249         "[JSC] JSC should have "parseFunction" to optimize Function
2250         constructor"
2251         https://bugs.webkit.org/show_bug.cgi?id=190340
2252         https://trac.webkit.org/changeset/237054
2253
2254 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2255
2256         [JSC] JSON.stringify can accept call-with-no-arguments
2257         https://bugs.webkit.org/show_bug.cgi?id=190343
2258
2259         Reviewed by Mark Lam.
2260
2261         * stress/json-stringify-no-arguments.js: Added.
2262         (shouldBe):
2263
2264 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2265
2266         [JSC] JSC should have "parseFunction" to optimize Function constructor
2267         https://bugs.webkit.org/show_bug.cgi?id=190340
2268
2269         Reviewed by Mark Lam.
2270
2271         This patch fixes the line number of syntax errors raised by the Function constructor,
2272         since we now parse the final code only once. And we no longer use block statement
2273         for Function constructor's parsing.
2274
2275         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2276         * stress/function-cache-with-parameters-end-position.js: Added.
2277         (shouldBe):
2278         (shouldThrow):
2279         (i.anonymous):
2280         * stress/function-constructor-name.js: Added.
2281         (shouldBe):
2282         (GeneratorFunction):
2283         (AsyncFunction.async):
2284         (AsyncGeneratorFunction.async):
2285         (anonymous):
2286         (async.anonymous):
2287         * test262/expectations.yaml:
2288
2289 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2290
2291         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2292         https://bugs.webkit.org/show_bug.cgi?id=190426
2293
2294         Unreviewed gardening.
2295
2296         * stress/sampling-profiler-richards.js:
2297
2298 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2299
2300         [ESNext][BigInt] Implement support for "|"
2301         https://bugs.webkit.org/show_bug.cgi?id=186229
2302
2303         Reviewed by Yusuke Suzuki.
2304
2305         * stress/big-int-bitwise-and-jit.js:
2306         * stress/big-int-bitwise-or-general.js: Added.
2307         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2308         * stress/big-int-bitwise-or-jit.js: Added.
2309         * stress/big-int-bitwise-or-memory-stress.js: Added.
2310         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2311         * stress/big-int-bitwise-or-type-error.js: Added.
2312         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2313
2314 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2315
2316         Skip test on systems with limited memory
2317         https://bugs.webkit.org/show_bug.cgi?id=190310
2318
2319         Invoking runDefault adds test to runlist, skipping the test in the next
2320         line does not prevent the test from executing. Change order of lines such
2321         that runDefault is only executed if test is not executed.
2322
2323         Reviewed by Mark Lam.
2324
2325         * stress/regress-190187.js:
2326
2327 2018-10-03  Saam barati  <sbarati@apple.com>
2328
2329         lowXYZ in FTLLower should always filter the type of the incoming edge
2330         https://bugs.webkit.org/show_bug.cgi?id=189939
2331         <rdar://problem/44407030>
2332
2333         Reviewed by Michael Saboff.
2334
2335         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2336         (foo):
2337         (test):
2338
2339 2018-10-03  Mark Lam  <mark.lam@apple.com>
2340
2341         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2342         https://bugs.webkit.org/show_bug.cgi?id=190187
2343         <rdar://problem/42512909>
2344
2345         Reviewed by Michael Saboff.
2346
2347         * stress/regress-190187.js: Added.
2348
2349 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2350
2351         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2352         https://bugs.webkit.org/show_bug.cgi?id=190033
2353
2354         Reviewed by Yusuke Suzuki.
2355
2356         * stress/big-int-to-string.js:
2357
2358 2018-10-01  Mark Lam  <mark.lam@apple.com>
2359
2360         Function.toString() should also copy the source code Functions that are class definitions.
2361         https://bugs.webkit.org/show_bug.cgi?id=190186
2362         <rdar://problem/44733360>
2363
2364         Reviewed by Saam Barati.
2365
2366         * stress/regress-190186.js: Added.
2367
2368 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2369
2370         Split NaN-check into separate test
2371         https://bugs.webkit.org/show_bug.cgi?id=190010
2372
2373         Reviewed by Saam Barati.
2374
2375         DataView exposes NaN-representation, which is not necessarily the same on each
2376         architecture. Therefore move the check of the NaN-representation into its own
2377         file such that we can disable this test on MIPS where NaN-representation can be
2378         different on older CPUs.
2379
2380         * stress/dataview-jit-set-nan.js: Added.
2381         (assert):
2382         (test.storeLittleEndian):
2383         (test.storeBigEndian):
2384         (test.store):
2385         (test):
2386         * stress/dataview-jit-set.js:
2387         (test5):
2388
2389 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2390
2391         Unreviewed, rolling out r236647.
2392         https://bugs.webkit.org/show_bug.cgi?id=190124
2393
2394         Breaking test stress/big-int-to-string.js (Requested by
2395         caiolima_ on #webkit).
2396
2397         Reverted changeset:
2398
2399         "[BigInt] BigInt.proptotype.toString is broken when radix is
2400         power of 2"
2401         https://bugs.webkit.org/show_bug.cgi?id=190033
2402         https://trac.webkit.org/changeset/236647
2403
2404 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2405
2406         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2407         https://bugs.webkit.org/show_bug.cgi?id=190033
2408
2409         Reviewed by Yusuke Suzuki.
2410
2411         * stress/big-int-to-string.js:
2412
2413 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2414
2415         [ESNext][BigInt] Implement support for "&"
2416         https://bugs.webkit.org/show_bug.cgi?id=186228
2417
2418         Reviewed by Yusuke Suzuki.
2419
2420         * stress/big-int-bitwise-and-general.js: Added.
2421         (assert):
2422         (assert.sameValue):
2423         * stress/big-int-bitwise-and-jit.js: Added.
2424         (let.assert.sameValue):
2425         (bigIntBitAnd):
2426         * stress/big-int-bitwise-and-memory-stress.js: Added.
2427         (assert):
2428         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2429         (assert.sameValue):
2430         (let.o.Symbol.toPrimitive):
2431         (catch):
2432         * stress/big-int-bitwise-and-type-error.js: Added.
2433         (assert):
2434         (assertThrowTypeError):
2435         (let.o.valueOf):
2436         (o.valueOf):
2437         (o.toString):
2438         (o.Symbol.toPrimitive):
2439         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2440         (assert.sameValue):
2441         (testBitAnd):
2442         (let.o.Symbol.toPrimitive):
2443         (o.valueOf):
2444         (o.toString):
2445
2446 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2447
2448         JSC test stress/jsc-read.js doesn't support CRLF
2449         https://bugs.webkit.org/show_bug.cgi?id=190063
2450
2451         Reviewed by Yusuke Suzuki.
2452
2453         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2454
2455         * stress/jsc-read.js:
2456         (test):
2457
2458 2018-09-27  Saam barati  <sbarati@apple.com>
2459
2460         Verify the contents of AssemblerBuffer on arm64e
2461         https://bugs.webkit.org/show_bug.cgi?id=190057
2462         <rdar://problem/38916630>
2463
2464         Reviewed by Mark Lam.
2465
2466         * stress/regress-189132.js:
2467
2468 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2469
2470         Disable test without LLInt on ARMv7
2471         https://bugs.webkit.org/show_bug.cgi?id=190037
2472
2473         Reviewed by Mark Lam.
2474
2475         Test runs out of executable memory on ARMv7, do not run
2476         this test without LLInt enabled.
2477
2478         * stress/regress-169445.js:
2479
2480 2018-09-26  Keith Miller  <keith_miller@apple.com>
2481
2482         We should zero unused property storage when rebalancing array storage.
2483         https://bugs.webkit.org/show_bug.cgi?id=188151
2484
2485         Reviewed by Michael Saboff.
2486
2487         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2488
2489 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2490
2491         [JSC] Optimize Array#lastIndexOf
2492         https://bugs.webkit.org/show_bug.cgi?id=189780
2493
2494         Reviewed by Saam Barati.
2495
2496         * stress/array-lastindexof-array-prototype-trap.js: Added.
2497         (shouldBe):
2498         (AncestorArray.prototype.get 2):
2499         (AncestorArray):
2500         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2501         (shouldBe):
2502         * stress/array-lastindexof-hole-nan.js: Added.
2503         (shouldBe):
2504         (throw.new.Error):
2505         * stress/array-lastindexof-infinity.js: Added.
2506         (shouldBe):
2507         (throw.new.Error):
2508         * stress/array-lastindexof-negative-zero.js: Added.
2509         (shouldBe):
2510         (throw.new.Error):
2511         * stress/array-lastindexof-own-getter.js: Added.
2512         (shouldBe):
2513         (throw.new.Error.get array):
2514         (get array):
2515         * stress/array-lastindexof-prototype-trap.js: Added.
2516         (shouldBe):
2517         (DerivedArray.prototype.get 2):
2518         (DerivedArray):
2519
2520 2018-09-25  Saam Barati  <sbarati@apple.com>
2521
2522         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2523         https://bugs.webkit.org/show_bug.cgi?id=189940
2524         <rdar://problem/43640987>
2525
2526         Reviewed by Mark Lam.
2527
2528         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2529
2530 2018-09-24  Saam Barati  <sbarati@apple.com>
2531
2532         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2533         https://bugs.webkit.org/show_bug.cgi?id=189922
2534         <rdar://problem/44651275>
2535
2536         Reviewed by Mark Lam.
2537
2538         * stress/array-indexof-fast-path-effects.js: Added.
2539         * stress/array-indexof-cached-length.js: Added.
2540
2541 2018-09-24  Saam barati  <sbarati@apple.com>
2542
2543         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2544         https://bugs.webkit.org/show_bug.cgi?id=189682
2545         <rdar://problem/43557315>
2546
2547         Reviewed by Mark Lam.
2548
2549         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2550         (foo):
2551
2552 2018-09-22  Saam barati  <sbarati@apple.com>
2553
2554         The sampling should not use Strong<CodeBlock> in its machineLocation field
2555         https://bugs.webkit.org/show_bug.cgi?id=189319
2556
2557         Reviewed by Filip Pizlo.
2558
2559         * stress/sampling-profiler-richards.js: Added.
2560
2561 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2562
2563         [JSC] Optimize Array#indexOf in C++ runtime
2564         https://bugs.webkit.org/show_bug.cgi?id=189507
2565
2566         Reviewed by Saam Barati.
2567
2568         * stress/array-indexof-array-prototype-trap.js: Added.
2569         (shouldBe):
2570         (AncestorArray.prototype.get 2):
2571         (AncestorArray):
2572         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2573         (shouldBe):
2574         * stress/array-indexof-hole-nan.js: Added.
2575         (shouldBe):
2576         (throw.new.Error):
2577         * stress/array-indexof-infinity.js: Added.
2578         (shouldBe):
2579         (throw.new.Error):
2580         * stress/array-indexof-negative-zero.js: Added.
2581         (shouldBe):
2582         (throw.new.Error):
2583         * stress/array-indexof-own-getter.js: Added.
2584         (shouldBe):
2585         (throw.new.Error.get array):
2586         (get array):
2587         * stress/array-indexof-prototype-trap.js: Added.
2588         (shouldBe):
2589         (DerivedArray.prototype.get 2):
2590         (DerivedArray):
2591
2592 2018-09-19  Saam barati  <sbarati@apple.com>
2593
2594         AI rule for MultiPutByOffset executes its effects in the wrong order
2595         https://bugs.webkit.org/show_bug.cgi?id=189757
2596         <rdar://problem/43535257>
2597
2598         Reviewed by Michael Saboff.
2599
2600         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2601         (foo):
2602         (Foo):
2603         (g):
2604
2605 2018-09-17  Mark Lam  <mark.lam@apple.com>
2606
2607         Ensure that ForInContexts are invalidated if their loop local is over-written.
2608         https://bugs.webkit.org/show_bug.cgi?id=189571
2609         <rdar://problem/44402277>
2610
2611         Reviewed by Saam Barati.
2612
2613         * stress/regress-189571.js: Added.
2614
2615 2018-09-17  Saam barati  <sbarati@apple.com>
2616
2617         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2618         https://bugs.webkit.org/show_bug.cgi?id=189676
2619         <rdar://problem/39682897>
2620
2621         Reviewed by Michael Saboff.
2622
2623         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2624         (A):
2625         (K):
2626         (i.catch):
2627
2628 2018-09-14  Saam barati  <sbarati@apple.com>
2629
2630         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2631         https://bugs.webkit.org/show_bug.cgi?id=189628
2632         <rdar://problem/39481690>
2633
2634         Reviewed by Mark Lam.
2635
2636         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2637         (foo):
2638
2639 2018-09-11  Mark Lam  <mark.lam@apple.com>
2640
2641         Test for array initialization in arrayProtoFuncSplice.
2642         https://bugs.webkit.org/show_bug.cgi?id=170253
2643         <rdar://problem/31328773>
2644
2645         Rubber-stamped by Saam Barati.
2646
2647         * stress/regress-170253.js: Added.
2648
2649 2018-09-11  Mark Lam  <mark.lam@apple.com>
2650
2651         Test for IntlObject initialization.
2652         https://bugs.webkit.org/show_bug.cgi?id=170251
2653         <rdar://problem/31328419>
2654
2655         Rubber-stamped by Saam Barati.
2656
2657         * stress/regress-170251.js: Added.
2658
2659 2018-09-11  Mark Lam  <mark.lam@apple.com>
2660
2661         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2662         https://bugs.webkit.org/show_bug.cgi?id=169889
2663         <rdar://problem/31155607>
2664
2665         Reviewed by Saam Barati.
2666
2667         * stress/regress-169889-array-concat.js: Added.
2668         * stress/regress-169889-array-concat1.js: Added.
2669         * stress/regress-169889-array-slice.js: Added.
2670
2671 2018-09-11  Mark Lam  <mark.lam@apple.com>
2672
2673         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2674         https://bugs.webkit.org/show_bug.cgi?id=169445
2675         <rdar://problem/30957435>
2676
2677         Reviewed by Saam Barati.
2678
2679         * stress/regress-169445.js: Added.
2680         (let.gun.eval.A):
2681         (let.gun.eval.B.C):
2682         (let.gun.eval.B.C.prototype.trigger):
2683         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2684         (let.gun.eval.B):
2685         (let.gun.eval):
2686
2687 == Rolled over to ChangeLog-2018-09-11 ==