wasmToJS() should purify incoming NaNs.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-26  Mark Lam  <mark.lam@apple.com>
2
3         wasmToJS() should purify incoming NaNs.
4         https://bugs.webkit.org/show_bug.cgi?id=194807
5         <rdar://problem/48189132>
6
7         Reviewed by Saam Barati.
8
9         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
10
11 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
12
13         [JSC] Repeat string created from Array.prototype.join() take too much memory
14         https://bugs.webkit.org/show_bug.cgi?id=193912
15
16         Reviewed by Saam Barati.
17
18         Added a test and a microbenchmark for corner cases of
19         Array.prototype.join() with an uninitialized array.
20
21         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
22         * stress/array-prototype-join-uninitialized.js: Added.
23         (testArray):
24         (testABC):
25         (B):
26         (C):
27
28 2019-02-22  Robin Morisset  <rmorisset@apple.com>
29
30         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
31         https://bugs.webkit.org/show_bug.cgi?id=194953
32         <rdar://problem/47595253>
33
34         Reviewed by Saam Barati.
35
36         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
37
38         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
39
40 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
41
42         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
43         https://bugs.webkit.org/show_bug.cgi?id=172848
44         <rdar://problem/25709212>
45
46         Reviewed by Mark Lam.
47
48         * typeProfiler/inheritance.js:
49         Rewrite the test slightly for clarity. The hoisting was confusing.
50
51         * heapProfiler/class-names.js: Added.
52         (MyES5Class):
53         (MyES6Class):
54         (MyES6Subclass):
55         Test object types and improved class names.
56
57         * heapProfiler/driver/driver.js:
58         (CheapHeapSnapshotNode):
59         (CheapHeapSnapshot):
60         (createCheapHeapSnapshot):
61         (HeapSnapshot):
62         (createHeapSnapshot):
63         Update snapshot parsing from version 1 to version 2.
64
65 2019-02-19  Truitt Savell  <tsavell@apple.com>
66
67         Unreviewed, rolling out r241784.
68
69         Broke all OpenSource builds.
70
71         Reverted changeset:
72
73         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
74         instances view"
75         https://bugs.webkit.org/show_bug.cgi?id=172848
76         https://trac.webkit.org/changeset/241784
77
78 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
79
80         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
81         https://bugs.webkit.org/show_bug.cgi?id=172848
82         <rdar://problem/25709212>
83
84         Reviewed by Mark Lam.
85
86         * typeProfiler/inheritance.js:
87         Rewrite the test slightly for clarity. The hoisting was confusing.
88
89         * heapProfiler/class-names.js: Added.
90         (MyES5Class):
91         (MyES6Class):
92         (MyES6Subclass):
93         Test object types and improved class names.
94
95         * heapProfiler/driver/driver.js:
96         (CheapHeapSnapshotNode):
97         (CheapHeapSnapshot):
98         (createCheapHeapSnapshot):
99         (HeapSnapshot):
100         (createHeapSnapshot):
101         Update snapshot parsing from version 1 to version 2.
102
103 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
104
105         [ARM] Fix crash with sampling profiler
106         https://bugs.webkit.org/show_bug.cgi?id=194772
107
108         Reviewed by Mark Lam.
109
110         Do not skip test since crash with sampling profiler is now fixed.
111
112         * stress/sampling-profiler-richards.js:
113
114 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         [JSC] Add LazyClassStructure::getInitializedOnMainThread
117         https://bugs.webkit.org/show_bug.cgi?id=194784
118         <rdar://problem/48154820>
119
120         Reviewed by Mark Lam.
121
122         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
123         (getProperties):
124         (getRandomProperty):
125         (i.catch):
126
127 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
128
129         [ARM] Test gardening: Test running out of executable memory
130         https://bugs.webkit.org/show_bug.cgi?id=194771
131
132         Unreviewed. Do not run test without LLInt, test is running out of executable
133         memory on ARM otherwise.
134
135         * stress/tagged-template-object-collect.js:
136
137 2019-02-18  Tomas Popela  <tpopela@redhat.com>
138
139         Unreviewed, skip the test on platforms without sampling profiler
140
141         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
142         (platformSupportsSamplingProfiler.foo):
143         (platformSupportsSamplingProfiler.test):
144         (platformSupportsSamplingProfiler):
145         (foo): Deleted.
146         (test): Deleted.
147
148 2019-02-17  Saam Barati  <sbarati@apple.com>
149
150         Deadlock when adding a Structure property transition and then doing incremental marking
151         https://bugs.webkit.org/show_bug.cgi?id=194767
152
153         Reviewed by Mark Lam.
154
155         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
156
157 2019-02-15  Michael Saboff  <msaboff@apple.com>
158
159         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
160         https://bugs.webkit.org/show_bug.cgi?id=194558
161
162         Reviewed by Saam Barati.
163
164         New regression test.
165
166         * stress/regexp-unicode-within-string.js: Added.
167
168 2019-02-15  Mark Lam  <mark.lam@apple.com>
169
170         SamplingProfiler::stackTracesAsJSON() should escape strings.
171         https://bugs.webkit.org/show_bug.cgi?id=194649
172         <rdar://problem/48072386>
173
174         Reviewed by Saam Barati.
175
176         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
177         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
178         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
179         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
180
181 2019-02-15  Robin Morisset  <rmorisset@apple.com>
182         CodeBlock::jettison should clear related watchpoints
183         https://bugs.webkit.org/show_bug.cgi?id=194544
184
185         Reviewed by Mark Lam.
186
187         * stress/regexp-replace-double-watchpoint.js: Added.
188         (foo):
189
190 2019-02-15  Saam barati  <sbarati@apple.com>
191
192         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
193         https://bugs.webkit.org/show_bug.cgi?id=194036
194
195         Reviewed by Yusuke Suzuki.
196
197         * stress/tail-call-many-arguments.js: Added.
198         (foo):
199         (bar):
200
201 2019-02-14  Saam Barati  <sbarati@apple.com>
202
203         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
204         https://bugs.webkit.org/show_bug.cgi?id=194583
205         <rdar://problem/48028140>
206
207         Reviewed by Yusuke Suzuki.
208
209         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
210
211 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
212
213         [JSC] String.fromCharCode's slow path always generates 16bit string
214         https://bugs.webkit.org/show_bug.cgi?id=194466
215
216         Reviewed by Keith Miller.
217
218         * stress/string-from-char-code-slow-path.js: Added.
219         (shouldBe):
220         (testWithLength):
221
222 2019-02-08  Saam barati  <sbarati@apple.com>
223
224         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
225         https://bugs.webkit.org/show_bug.cgi?id=194334
226         <rdar://problem/47844327>
227
228         Reviewed by Mark Lam.
229
230         * stress/check-in-bounds-should-be-a-child-use.js: Added.
231         (func):
232
233 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
234
235         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
236         https://bugs.webkit.org/show_bug.cgi?id=194369
237         <rdar://problem/47813087>
238
239         Reviewed by Saam Barati.
240
241         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
242         (A):
243
244 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
245
246         [JSC] PrivateName to PublicName hash table is wasteful
247         https://bugs.webkit.org/show_bug.cgi?id=194277
248
249         Reviewed by Michael Saboff.
250
251         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
252
253         * ChakraCore.yaml:
254
255 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
256
257         [ARM] Test running out of executable memory
258         https://bugs.webkit.org/show_bug.cgi?id=194285
259
260         Unreviewed. Do no execute test with LLInt disabled, test runs out of
261         executable memory otherwise.
262
263         * stress/class-subclassing-function.js:
264
265 2019-02-04  Robin Morisset  <rmorisset@apple.com>
266
267         when lowering AssertNotEmpty, create the value before creating the patchpoint
268         https://bugs.webkit.org/show_bug.cgi?id=194231
269
270         Reviewed by Saam Barati.
271
272         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
273         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
274         So even tiny changes to this test can change the path code taken.
275
276         * stress/assert-not-empty.js: Added.
277         (foo):
278
279 2019-02-01  Mark Lam  <mark.lam@apple.com>
280
281         Remove invalid assertion in DFG's compileDoubleRep().
282         https://bugs.webkit.org/show_bug.cgi?id=194130
283         <rdar://problem/47699474>
284
285         Reviewed by Saam Barati.
286
287         * stress/constant-fold-double-rep-into-double-constant.js: Added.
288
289 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
290
291         Import latest Test262 updates.
292
293         Rubber-stamped by Keith Miller.
294
295         * test262.yaml: Deleted.
296         * test262/config.yaml:
297         * test262/expectations.yaml:
298         * test262/latest-changes-summary.txt:
299         * test262/test/:
300         * test262/test262-Revision.txt:
301
302 2019-01-30  Robin Morisset  <rmorisset@apple.com>
303
304         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
305         https://bugs.webkit.org/show_bug.cgi?id=194050
306         <rdar://problem/47595592>
307
308         Reviewed by Yusuke Suzuki.
309
310         * stress/object-keys-osr-exit.js: Added.
311         (foo):
312         (catch):
313
314 2019-01-29  Mark Lam  <mark.lam@apple.com>
315
316         ValueRecovery::recover() should purify NaN values it recovers.
317         https://bugs.webkit.org/show_bug.cgi?id=193978
318         <rdar://problem/47625488>
319
320         Reviewed by Saam Barati.
321
322         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
323
324 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
325
326         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
327         https://bugs.webkit.org/show_bug.cgi?id=193713
328
329         * stress/try-get-by-id-should-spill-registers-dfg.js:
330         (let.f.createBuiltin):
331
332 2019-01-28  Mark Lam  <mark.lam@apple.com>
333
334         ToString node actually does GC.
335         https://bugs.webkit.org/show_bug.cgi?id=193920
336         <rdar://problem/46695900>
337
338         Reviewed by Yusuke Suzuki.
339
340         * stress/dfg-to-string-on-int-does-gc.js: Added.
341         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
342         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
343
344 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
345
346         [JSC] NativeErrorConstructor should not have own IsoSubspace
347         https://bugs.webkit.org/show_bug.cgi?id=193713
348
349         Reviewed by Saam Barati.
350
351         Remove @Error use.
352
353         * stress/try-get-by-id-should-spill-registers-dfg.js:
354         (let.f.createBuiltin):
355
356 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
357
358         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
359         https://bugs.webkit.org/show_bug.cgi?id=190693
360
361         Reviewed by Michael Saboff.
362
363         * stress/regress-190693.js: Added.
364         (truth):
365         (assert):
366         (shouldThrowInvalidConstAssignment):
367         (taz):
368
369 2019-01-24  Saam Barati  <sbarati@apple.com>
370
371         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
372         https://bugs.webkit.org/show_bug.cgi?id=193751
373         <rdar://problem/47280215>
374
375         Reviewed by Michael Saboff.
376
377         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
378         (let.thing):
379         (foo.let.hello):
380         (foo):
381
382 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
383
384         [JSC] Reenable baseline JIT on mips
385         https://bugs.webkit.org/show_bug.cgi?id=192983
386
387         Reviewed by Mark Lam.
388
389         Added a new test for a case that was triggering a RELEASE_ASSERT when
390         testing.
391         Disable some slow tests that were already disabled for arm and x86.
392
393         * stress/json-parse-big-object.js: Added.
394         * stress/new-largeish-contiguous-array-with-size.js:
395         * stress/op_add.js:
396         * stress/op_bitand.js:
397         * stress/op_bitor.js:
398         * stress/op_bitxor.js:
399         * stress/op_lshift-ConstVar.js:
400         * stress/op_lshift-VarConst.js:
401         * stress/op_lshift-VarVar.js:
402         * stress/op_mod-ConstVar.js:
403         * stress/op_mod-VarConst.js:
404         * stress/op_mod-VarVar.js:
405         * stress/op_mul-ConstVar.js:
406         * stress/op_mul-VarConst.js:
407         * stress/op_mul-VarVar.js:
408         * stress/op_rshift-ConstVar.js:
409         * stress/op_rshift-VarConst.js:
410         * stress/op_rshift-VarVar.js:
411         * stress/op_sub-ConstVar.js:
412         * stress/op_sub-VarConst.js:
413         * stress/op_sub-VarVar.js:
414         * stress/op_urshift-ConstVar.js:
415         * stress/op_urshift-VarConst.js:
416         * stress/op_urshift-VarVar.js:
417         * stress/sampling-profiler-richards.js:
418         * stress/spread-forward-call-varargs-stack-overflow.js:
419
420 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
421
422         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
423         https://bugs.webkit.org/show_bug.cgi?id=193711
424         <rdar://problem/47250262>
425
426         Reviewed by Saam Barati.
427
428         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
429         (shouldBe):
430         (foo):
431         (bar):
432         (baz):
433
434 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
435
436         Unreviewed, fix initial global lexical binding epoch
437         https://bugs.webkit.org/show_bug.cgi?id=193603
438         <rdar://problem/47380869>
439
440         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
441         (f1.f2.f3.f4):
442         (f1.f2.f3):
443         (f1.f2):
444         (f1):
445
446 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
447
448         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
449         https://bugs.webkit.org/show_bug.cgi?id=193709
450         <rdar://problem/47363838>
451
452         Unreviewed, rollout to watch the tests.
453
454         * stress/object-tostring-changed-proto.js: Removed.
455         * stress/object-tostring-changed.js: Removed.
456         * stress/object-tostring-misc.js: Removed.
457         * stress/object-tostring-other.js: Removed.
458         * stress/object-tostring-untyped.js: Removed.
459
460 2019-01-22  Saam Barati  <sbarati@apple.com>
461
462         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
463
464         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
465         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
466         (testUncheckedLessThanZero):
467         (testUncheckedLessThanOrEqualZero):
468         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
469         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
470
471 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
472
473         [JSC] Invalidate old scope operations using global lexical binding epoch
474         https://bugs.webkit.org/show_bug.cgi?id=193603
475         <rdar://problem/47380869>
476
477         Reviewed by Saam Barati.
478
479         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
480         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
481         (shouldThrow):
482         (bar):
483         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
484         (shouldBe):
485         (get1):
486         (get2):
487         (get1If):
488         (get2If):
489         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
490         (shouldThrow):
491         (foo):
492
493 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
494
495         Unreviewed, roll out r240220 due to date-format-xparb regression
496         https://bugs.webkit.org/show_bug.cgi?id=193603
497
498         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
499         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
500         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
501         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
502
503 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
504
505         DoesGC rule is wrong for nodes with BigIntUse
506         https://bugs.webkit.org/show_bug.cgi?id=193652
507
508         Reviewed by Saam Barati.
509
510         * stress/big-int-value-op-update-gc-rules.js: Added.
511         (assert):
512         (doesGCAdd):
513         (doesGCSub):
514         (doesGCDiv):
515         (doesGCMul):
516         (doesGCBitAnd):
517         (doesGCBitOr):
518         (doesGCBitXor):
519
520 2019-01-20  Saam Barati  <sbarati@apple.com>
521
522         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
523         https://bugs.webkit.org/show_bug.cgi?id=193644
524         <rdar://problem/46209745>
525
526         Reviewed by Yusuke Suzuki.
527
528         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
529         (foo):
530         * stress/data-view-set-intrinsic-undefined-result.js: Added.
531         (foo):
532         (bar):
533
534 2019-01-20  Saam Barati  <sbarati@apple.com>
535
536         MovHint must merge NodeBytecodeUsesAsValue for its child
537         https://bugs.webkit.org/show_bug.cgi?id=186916
538         <rdar://problem/41396612>
539
540         Reviewed by Yusuke Suzuki.
541
542         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
543         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
544
545 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
546
547         [JSC] Invalidate old scope operations using global lexical binding epoch
548         https://bugs.webkit.org/show_bug.cgi?id=193603
549         <rdar://problem/47380869>
550
551         Reviewed by Saam Barati.
552
553         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
554         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
555         (shouldThrow):
556         (bar):
557         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
558         (shouldBe):
559         (get1):
560         (get2):
561         (get1If):
562         (get2If):
563         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
564         (shouldThrow):
565         (foo):
566
567 2019-01-17  Saam barati  <sbarati@apple.com>
568
569         StringObjectUse should not be a structure check for the original string object structure
570         https://bugs.webkit.org/show_bug.cgi?id=193483
571         <rdar://problem/47280522>
572
573         Reviewed by Yusuke Suzuki.
574
575         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
576         (foo):
577         (a.valueOf.0):
578
579 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
580
581         [JSC] ToThis omission in DFGByteCodeParser is wrong
582         https://bugs.webkit.org/show_bug.cgi?id=193513
583         <rdar://problem/45842236>
584
585         Reviewed by Saam Barati.
586
587         * stress/to-this-omission-with-different-strict-modes.js: Added.
588         (thisA):
589         (thisAStrictWrapper):
590
591 2019-01-15  Mark Lam  <mark.lam@apple.com>
592
593         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
594         https://bugs.webkit.org/show_bug.cgi?id=193423
595         <rdar://problem/46209355>
596
597         Reviewed by Saam Barati.
598
599         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
600         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
601         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
602         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
603
604 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
605
606         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
607         https://bugs.webkit.org/show_bug.cgi?id=193438
608         <rdar://problem/45581249>
609
610         Reviewed by Saam Barati and Keith Miller.
611
612         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
613         Then, GetByVal(String) crashed.
614
615         * stress/string-get-by-val-lowering.js: Added.
616         (shouldBe):
617         (test):
618         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
619         (Hello):
620         (foo):
621
622 2019-01-15  Tomas Popela  <tpopela@redhat.com>
623
624         Unreviewed, skip JIT tests if it's not enabled
625
626         * stress/bit-op-with-object-returning-int32.js:
627
628 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
629
630         DFGByteCodeParser rules for bitwise operations should consider type of their operands
631         https://bugs.webkit.org/show_bug.cgi?id=192966
632
633         Reviewed by Yusuke Suzuki.
634
635         * stress/bit-op-with-object-returning-int32.js: Added.
636
637 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
638
639         Skip a slow test and a flakey test on arm
640
641         Unreviewed gardening.
642
643         * typeProfiler/getter-richards.js:
644         this test always times out, it used to be always skipped on arm and
645         mips, but got accidentally enabled by r237919 now that we have DFG on
646         arm. Also skipping on mips as we plan to soon enable DFG for it too.
647
648 2019-01-14  Keith Miller  <keith_miller@apple.com>
649
650         Skip type-check-hoisting-phase-hoist... with no jit
651         https://bugs.webkit.org/show_bug.cgi?id=193421
652
653         Reviewed by Mark Lam.
654
655         It's timing out the 32-bit bots and takes 330 seconds
656         on my machine when run by itself.
657
658         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
659
660 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
661
662         [JSC] AI should check the given constant's array type when folding GetByVal into constant
663         https://bugs.webkit.org/show_bug.cgi?id=193413
664         <rdar://problem/46092389>
665
666         Reviewed by Keith Miller.
667
668         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
669         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
670         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
671         but GetByVal does not have appropriate ArrayModes, JSC crashes.
672
673         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
674         (compareArray):
675
676 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
677
678         [BigInt] Literal parsing is crashing when used inside a Object Literal
679         https://bugs.webkit.org/show_bug.cgi?id=193404
680
681         Reviewed by Yusuke Suzuki.
682
683         * stress/big-int-literal-inside-literal-object.js: Added.
684
685 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
686
687         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
688         https://bugs.webkit.org/show_bug.cgi?id=193372
689
690         Reviewed by Saam Barati.
691
692         * stress/typed-array-array-modes-profile.js: Added.
693         (foo):
694
695 2019-01-14  Mark Lam  <mark.lam@apple.com>
696
697         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
698         https://bugs.webkit.org/show_bug.cgi?id=193402
699         <rdar://problem/46012309>
700
701         Reviewed by Keith Miller.
702
703         * stress/regexp-compile-oom.js:
704         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
705           is enabled.  As a result, it will fail on cloop builds though there is no bug.
706
707 2019-01-11  Saam barati  <sbarati@apple.com>
708
709         DFG combined liveness can be wrong for terminal basic blocks
710         https://bugs.webkit.org/show_bug.cgi?id=193304
711         <rdar://problem/45268632>
712
713         Reviewed by Yusuke Suzuki.
714
715         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
716
717 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
718
719         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
720         https://bugs.webkit.org/show_bug.cgi?id=193308
721         <rdar://problem/45546542>
722
723         Reviewed by Saam Barati.
724
725         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
726         (shouldThrow):
727         (shouldBe):
728         (foo):
729         (get shouldThrow):
730         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
731         (shouldThrow):
732         (shouldBe):
733         (foo):
734         (get shouldBe):
735         (get shouldThrow):
736         (get return):
737         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
738         (shouldThrow):
739         (shouldBe):
740         (foo):
741         (get shouldBe):
742         (get shouldThrow):
743         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
744         (shouldThrow):
745         (shouldBe):
746         (foo):
747         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
748         (shouldThrow):
749         (shouldBe):
750         (foo):
751         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
752         (shouldThrow):
753         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
754         (shouldThrow):
755         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
756         (shouldThrow):
757         (shouldBe):
758         (foo):
759         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
760         (shouldThrow):
761         (shouldBe):
762         (foo):
763         (get shouldBe):
764         (get shouldThrow):
765         (get return):
766         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
767         (shouldThrow):
768         (shouldBe):
769         (foo):
770         (get shouldBe):
771         (get shouldThrow):
772         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
773         (shouldThrow):
774         (shouldBe):
775         (foo):
776         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
777         (shouldThrow):
778         (shouldBe):
779         (foo):
780
781 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
782
783         Enable DFG on ARM/Linux again
784         https://bugs.webkit.org/show_bug.cgi?id=192496
785
786         Reviewed by Yusuke Suzuki.
787
788         Test wasn't really skipped before moving the line with skip
789         to the top.
790
791         * stress/regress-192717.js:
792
793 2019-01-10  Commit Queue  <commit-queue@webkit.org>
794
795         Unreviewed, rolling out r239825.
796         https://bugs.webkit.org/show_bug.cgi?id=193330
797
798         Broke tests on armv7/linux bots (Requested by guijemont on
799         #webkit).
800
801         Reverted changeset:
802
803         "Enable DFG on ARM/Linux again"
804         https://bugs.webkit.org/show_bug.cgi?id=192496
805         https://trac.webkit.org/changeset/239825
806
807 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
808
809         Enable DFG on ARM/Linux again
810         https://bugs.webkit.org/show_bug.cgi?id=192496
811
812         Reviewed by Yusuke Suzuki.
813
814         Test wasn't really skipped before moving the line with skip
815         to the top.
816
817         * stress/regress-192717.js:
818
819 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
820
821         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
822         https://bugs.webkit.org/show_bug.cgi?id=193127
823
824         Reviewed by Saam Barati.
825
826         * stress/array-species-create-should-handle-masquerader.js: Added.
827         (shouldThrow):
828         * stress/is-undefined-or-null-builtin.js: Added.
829         (shouldBe):
830         (isUndefinedOrNull.vm.createBuiltin):
831
832 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
833
834         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
835         https://bugs.webkit.org/show_bug.cgi?id=193221
836
837         Reviewed by Mark Lam.
838
839         * stress/put-by-id-flags.js: Added.
840         (f):
841         (g):
842         (numberOfDFGCompiles):
843
844 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
845
846         Baseline version of get_by_id may corrupt metadata
847         https://bugs.webkit.org/show_bug.cgi?id=193085
848         <rdar://problem/23453006>
849
850         Reviewed by Saam Barati.
851
852         * stress/get-by-id-change-mode.js: Added.
853         (forEach):
854
855 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
856
857         [JSC] Optimize Object.prototype.toString
858         https://bugs.webkit.org/show_bug.cgi?id=193031
859
860         Reviewed by Saam Barati.
861
862         * stress/object-tostring-changed-proto.js: Added.
863         (shouldBe):
864         (test):
865         * stress/object-tostring-changed.js: Added.
866         (shouldBe):
867         (test):
868         * stress/object-tostring-misc.js: Added.
869         (shouldBe):
870         (test):
871         (i.switch):
872         * stress/object-tostring-other.js: Added.
873         (shouldBe):
874         (test):
875         * stress/object-tostring-untyped.js: Added.
876         (shouldBe):
877         (test):
878         (i.switch):
879
880 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
881
882         test262-runner misbehaves when test file YAML has a trailing space
883         https://bugs.webkit.org/show_bug.cgi?id=193053
884
885         Reviewed by Yusuke Suzuki.
886
887         * test262/expectations.yaml:
888         Mark two dozen tests as passing (and correct the output of another).
889
890 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
891
892         Unreviewed, JSTests gardening with memoryLimited
893
894         * stress/string-overflow-createError.js:
895
896 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
897
898         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
899         https://bugs.webkit.org/show_bug.cgi?id=193050
900
901         Reviewed by Yusuke Suzuki.
902
903         * test262.yaml:
904         * test262/expectations.yaml:
905         Mark 16 tests as passing.
906
907 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
908
909         [BigInt] Support BigInt in JSON.stringify
910         https://bugs.webkit.org/show_bug.cgi?id=192624
911
912         Reviewed by Saam Barati.
913
914         * stress/big-int-json-stringify-to-json.js: Added.
915         (shouldBe):
916         (shouldThrow):
917         (BigInt.prototype.toJSON):
918         (shouldBe.JSON.stringify):
919         * stress/big-int-json-stringify.js: Added.
920         (shouldBe):
921         (shouldThrow):
922
923 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
924
925         [JSC] Implement "well-formed JSON.stringify" proposal
926         https://bugs.webkit.org/show_bug.cgi?id=191677
927
928         Reviewed by Darin Adler.
929
930         * stress/json-surrogate-pair.js: Added.
931         (shouldBe):
932         * test262/expectations.yaml:
933
934 2018-12-20  Keith Miller  <keith_miller@apple.com>
935
936         Add support for globalThis
937         https://bugs.webkit.org/show_bug.cgi?id=165171
938
939         Reviewed by Mark Lam.
940
941         * test262/config.yaml:
942
943 2018-12-19  Keith Miller  <keith_miller@apple.com>
944
945         Update test262 configuration to not run tests dependent on ICU version.
946         https://bugs.webkit.org/show_bug.cgi?id=192920
947
948         Reviewed by Saam Barati.
949
950         * test262/expectations.yaml:
951
952 2018-12-20  Mark Lam  <mark.lam@apple.com>
953
954         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
955         https://bugs.webkit.org/show_bug.cgi?id=192939
956         <rdar://problem/46869516>
957
958         Reviewed by Keith Miller.
959
960         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
961
962 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
963
964         WTF::String and StringImpl overflow MaxLength
965         https://bugs.webkit.org/show_bug.cgi?id=192853
966         <rdar://problem/45726906>
967
968         Reviewed by Mark Lam.
969
970         * stress/string-16bit-repeat-overflow.js: Added.
971         (catch):
972
973 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
974
975         Unreviewed follow-up to r192914.
976
977         * test262/expectations.yaml:
978         Add the last 20 missing expectations.
979
980 2018-12-19  Keith Miller  <keith_miller@apple.com>
981
982         Fix test262 expectations
983         https://bugs.webkit.org/show_bug.cgi?id=192914
984
985         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
986
987         * test262/expectations.yaml:
988
989 2018-12-19  Keith Miller  <keith_miller@apple.com>
990
991         Update test262 tests.
992         https://bugs.webkit.org/show_bug.cgi?id=192907
993
994         Rubber stamped by Mark Lam.
995
996         * test262/*: Omitted because prepare-changelog crashes.
997
998 2018-12-19  Mark Lam  <mark.lam@apple.com>
999
1000         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1001         https://bugs.webkit.org/show_bug.cgi?id=192464
1002         <rdar://problem/46519455>
1003
1004         Reviewed by Saam Barati.
1005
1006         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1007         microbenchmark.
1008
1009         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1010         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1011
1012 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1013
1014         String overflow in JSC::createError results in ASSERT in WTF::makeString
1015         https://bugs.webkit.org/show_bug.cgi?id=192833
1016         <rdar://problem/45706868>
1017
1018         Reviewed by Mark Lam.
1019
1020         * stress/string-overflow-createError.js: Added.
1021
1022 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1023
1024         Error message for `-x ** y` contains a typo.
1025         https://bugs.webkit.org/show_bug.cgi?id=192832
1026
1027         Reviewed by Saam Barati.
1028
1029         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1030         (assert.assert.return.throws):
1031         * stress/pow-expects-update-expression-on-lhs.js:
1032         (throw.new.Error):
1033         Update test expectations which match against the exact error message.
1034
1035 2018-12-18  Mark Lam  <mark.lam@apple.com>
1036
1037         Gardening: test options fix.
1038         https://bugs.webkit.org/show_bug.cgi?id=192822
1039
1040         Unreviewed.
1041
1042         * stress/json-stringify-string-builder-overflow.js:
1043
1044 2018-12-18  Mark Lam  <mark.lam@apple.com>
1045
1046         JSON.stringify() should throw OOM on StringBuilder overflows.
1047         https://bugs.webkit.org/show_bug.cgi?id=192822
1048         <rdar://problem/46670577>
1049
1050         Reviewed by Saam Barati.
1051
1052         * stress/json-stringify-string-builder-overflow.js: Added.
1053
1054 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1055
1056         Redeclaration of var over let/const/class should be a syntax error.
1057         https://bugs.webkit.org/show_bug.cgi?id=192298
1058
1059         Reviewed by Keith Miller.
1060
1061         * test262.yaml:
1062         * test262/expectations.yaml:
1063         Mark 46 tests as passing.
1064
1065         * stress/block-scope-redeclarations.js:
1066         Add some new tests.
1067
1068         * stress/for-in-invalidate-context-weird-assignments.js:
1069         * stress/for-in-tests.js:
1070         Replace tests for outdated behavior with tests for SyntaxError.
1071
1072         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1073         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1074         Update expectations.
1075
1076 2018-12-18  Mark Lam  <mark.lam@apple.com>
1077
1078         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1079         https://bugs.webkit.org/show_bug.cgi?id=191374
1080         <rdar://problem/46525447>
1081
1082         Reviewed by Yusuke Suzuki.
1083
1084         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1085
1086         * stress/elidable-new-object-roflcopter-then-exit.js:
1087
1088 2018-12-17  Mark Lam  <mark.lam@apple.com>
1089
1090         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1091         https://bugs.webkit.org/show_bug.cgi?id=192019
1092         <rdar://problem/46525456>
1093
1094         Reviewed by Yusuke Suzuki.
1095
1096         The test runs too slow on 32-bit.
1097
1098         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1099
1100 2018-12-17  Mark Lam  <mark.lam@apple.com>
1101
1102         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1103         https://bugs.webkit.org/show_bug.cgi?id=191373
1104         <rdar://problem/46525458>
1105
1106         Reviewed by Yusuke Suzuki.
1107
1108         The test is already slow running with a JIT on 64-bit.  It will always timeout
1109         on 32-bit without a JIT.
1110
1111         * stress/materialize-regexp-cyclic-regexp.js:
1112
1113 2018-12-17  Mark Lam  <mark.lam@apple.com>
1114
1115         Array unshift/shift should not race against the AI in the compiler thread.
1116         https://bugs.webkit.org/show_bug.cgi?id=192795
1117         <rdar://problem/46724263>
1118
1119         Reviewed by Saam Barati.
1120
1121         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1122
1123 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1124
1125         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1126         https://bugs.webkit.org/show_bug.cgi?id=190047
1127
1128         Reviewed by Saam Barati.
1129
1130         * stress/object-keys-cached-zero.js: Added.
1131         (shouldBe):
1132         (test):
1133         * stress/object-keys-changed-attribute.js: Added.
1134         (shouldBe):
1135         (test):
1136         * stress/object-keys-changed-index.js: Added.
1137         (shouldBe):
1138         (test):
1139         * stress/object-keys-changed.js: Added.
1140         (shouldBe):
1141         (test):
1142         * stress/object-keys-indexed-non-cache.js: Added.
1143         (shouldBe):
1144         (test):
1145         * stress/object-keys-overrides-get-property-names.js: Added.
1146         (shouldBe):
1147         (test):
1148         (noInline):
1149
1150 2018-12-17  Mark Lam  <mark.lam@apple.com>
1151
1152         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1153         https://bugs.webkit.org/show_bug.cgi?id=192779
1154         <rdar://problem/46775869>
1155
1156         Reviewed by Saam Barati.
1157
1158         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1159
1160 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1161
1162         Unreviewed test gardening, address a syntax error in a new test.
1163
1164         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1165
1166 2018-12-17  Mark Lam  <mark.lam@apple.com>
1167
1168         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1169         https://bugs.webkit.org/show_bug.cgi?id=192776
1170         <rdar://problem/46772368>
1171
1172         Reviewed by Keith Miller.
1173
1174         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1175
1176 2018-12-17  Mark Lam  <mark.lam@apple.com>
1177
1178         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1179         https://bugs.webkit.org/show_bug.cgi?id=192770
1180         <rdar://problem/46449037>
1181
1182         Reviewed by Keith Miller.
1183
1184         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1185
1186 2018-12-14  Mark Lam  <mark.lam@apple.com>
1187
1188         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1189         https://bugs.webkit.org/show_bug.cgi?id=192717
1190         <rdar://problem/46660677>
1191
1192         Reviewed by Saam Barati.
1193
1194         * stress/regress-192717.js: Added.
1195
1196 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1197
1198         Unreviewed, rolling out r239153, r239154, and r239155.
1199         https://bugs.webkit.org/show_bug.cgi?id=192715
1200
1201         Caused flaky GC-related crashes seen with layout tests
1202         (Requested by ryanhaddad on #webkit).
1203
1204         Reverted changesets:
1205
1206         "[JSC] Optimize Object.keys by caching own keys results in
1207         StructureRareData"
1208         https://bugs.webkit.org/show_bug.cgi?id=190047
1209         https://trac.webkit.org/changeset/239153
1210
1211         "Unreviewed, build fix after r239153"
1212         https://bugs.webkit.org/show_bug.cgi?id=190047
1213         https://trac.webkit.org/changeset/239154
1214
1215         "Unreviewed, build fix after r239153, part 2"
1216         https://bugs.webkit.org/show_bug.cgi?id=190047
1217         https://trac.webkit.org/changeset/239155
1218
1219 2018-12-14  Keith Miller  <keith_miller@apple.com>
1220
1221         Callers of JSString::getIndex should check for OOM exceptions
1222         https://bugs.webkit.org/show_bug.cgi?id=192709
1223
1224         Reviewed by Mark Lam.
1225
1226         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1227
1228 2018-12-13  Mark Lam  <mark.lam@apple.com>
1229
1230         Add a missing exception check.
1231         https://bugs.webkit.org/show_bug.cgi?id=192626
1232         <rdar://problem/46662163>
1233
1234         Reviewed by Keith Miller.
1235
1236         * stress/regress-192626.js: Added.
1237
1238 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1239
1240         [BigInt] Add ValueDiv into DFG
1241         https://bugs.webkit.org/show_bug.cgi?id=186178
1242
1243         Reviewed by Yusuke Suzuki.
1244
1245         * stress/big-int-div-jit-osr.js: Added.
1246         * stress/big-int-div-jit-untyped.js: Added.
1247         * stress/value-div-fixup-int32-big-int.js: Added.
1248
1249 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1250
1251         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1252         https://bugs.webkit.org/show_bug.cgi?id=190047
1253
1254         Reviewed by Keith Miller.
1255
1256         * stress/object-keys-cached-zero.js: Added.
1257         (shouldBe):
1258         (test):
1259         * stress/object-keys-changed-attribute.js: Added.
1260         (shouldBe):
1261         (test):
1262         * stress/object-keys-changed-index.js: Added.
1263         (shouldBe):
1264         (test):
1265         * stress/object-keys-changed.js: Added.
1266         (shouldBe):
1267         (test):
1268         * stress/object-keys-indexed-non-cache.js: Added.
1269         (shouldBe):
1270         (test):
1271         * stress/object-keys-overrides-get-property-names.js: Added.
1272         (shouldBe):
1273         (test):
1274         (noInline):
1275
1276 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1277
1278         [DFG][FTL] Add NewSymbol
1279         https://bugs.webkit.org/show_bug.cgi?id=192620
1280
1281         Reviewed by Saam Barati.
1282
1283         * microbenchmarks/symbol-creation.js: Added.
1284         (test):
1285         * stress/symbol-description-identity.js: Added.
1286         (shouldBe):
1287         (test):
1288         * stress/symbol-identity.js: Added.
1289         (shouldBe):
1290         (test):
1291         * stress/symbol-with-description-throw-error.js: Added.
1292         (shouldBe):
1293         (shouldThrow):
1294         (test):
1295         (object.toString):
1296
1297 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1298
1299         [BigInt] Implement DFG/FTL typeof for BigInt
1300         https://bugs.webkit.org/show_bug.cgi?id=192619
1301
1302         Reviewed by Keith Miller.
1303
1304         * stress/big-int-boolean-proven-type.js: Added.
1305         (assert):
1306         (bool):
1307         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1308         (assert):
1309         (typeOf):
1310         (i.switch):
1311         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1312         (assert):
1313         (typeOf):
1314         * stress/big-int-type-of.js:
1315         (typeOf):
1316         (func):
1317
1318 2018-12-10  Mark Lam  <mark.lam@apple.com>
1319
1320         PropertyAttribute needs a CustomValue bit.
1321         https://bugs.webkit.org/show_bug.cgi?id=191993
1322         <rdar://problem/46264467>
1323
1324         Reviewed by Saam Barati.
1325
1326         * stress/regress-191993.js: Added.
1327
1328 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1329
1330         [BigInt] Add ValueMul into DFG
1331         https://bugs.webkit.org/show_bug.cgi?id=186175
1332
1333         Reviewed by Yusuke Suzuki.
1334
1335         * stress/big-int-mul-jit-osr.js: Added.
1336         * stress/big-int-mul-jit-untyped.js: Added.
1337         * stress/value-mul-fixup-int32-big-int.js: Added.
1338
1339 2018-12-06  Keith Miller  <keith_miller@apple.com>
1340
1341         stress/big-wasm-memory tests failing on 32-bit JSC bot
1342         https://bugs.webkit.org/show_bug.cgi?id=192020
1343
1344         Reviewed by Saam Barati.
1345
1346         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1347         the wasm stress tests if the WebAssembly object does not exist.
1348
1349         * stress/big-wasm-memory-grow-no-max.js:
1350         (test.foo):
1351         (test):
1352         (foo): Deleted.
1353         (catch): Deleted.
1354         * stress/big-wasm-memory-grow.js:
1355         (test.foo):
1356         (test):
1357         (foo): Deleted.
1358         (catch): Deleted.
1359         * stress/big-wasm-memory.js:
1360         (test.foo):
1361         (test):
1362         (foo): Deleted.
1363         (catch): Deleted.
1364
1365 2018-12-05  Mark Lam  <mark.lam@apple.com>
1366
1367         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1368         https://bugs.webkit.org/show_bug.cgi?id=192441
1369         <rdar://problem/46480355>
1370
1371         Reviewed by Saam Barati.
1372
1373         * stress/regress-192441.js: Added.
1374
1375 2018-12-04  Mark Lam  <mark.lam@apple.com>
1376
1377         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1378         https://bugs.webkit.org/show_bug.cgi?id=192386
1379         <rdar://problem/46445516>
1380
1381         Reviewed by Saam Barati.
1382
1383         * stress/regress-192386.js: Added.
1384
1385 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1386
1387         [ESNext][BigInt] Support logic operations
1388         https://bugs.webkit.org/show_bug.cgi?id=179903
1389
1390         Reviewed by Yusuke Suzuki.
1391
1392         * stress/big-int-branch-usage.js: Added.
1393         * stress/big-int-logical-and.js: Added.
1394         * stress/big-int-logical-not.js: Added.
1395         * stress/big-int-logical-or.js: Added.
1396
1397 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1398
1399         Unreviewed, rolling out r238833.
1400
1401         Breaks macOS and iOS debug builds.
1402
1403         Reverted changeset:
1404
1405         "[ESNext][BigInt] Support logic operations"
1406         https://bugs.webkit.org/show_bug.cgi?id=179903
1407         https://trac.webkit.org/changeset/238833
1408
1409 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1410
1411         [ESNext][BigInt] Support logic operations
1412         https://bugs.webkit.org/show_bug.cgi?id=179903
1413
1414         Reviewed by Yusuke Suzuki.
1415
1416         * stress/big-int-branch-usage.js: Added.
1417         * stress/big-int-logical-and.js: Added.
1418         * stress/big-int-logical-not.js: Added.
1419         * stress/big-int-logical-or.js: Added.
1420
1421 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1422
1423         [ESNext][BigInt] Implement support for "<<" and ">>"
1424         https://bugs.webkit.org/show_bug.cgi?id=186233
1425
1426         Reviewed by Yusuke Suzuki.
1427
1428         * stress/big-int-left-shift-general.js: Added.
1429         * stress/big-int-left-shift-range-error.js: Added.
1430         * stress/big-int-left-shift-type-error.js: Added.
1431         * stress/big-int-left-shift-wrapped-value.js: Added.
1432         * stress/big-int-right-shift-general.js: Added.
1433         * stress/big-int-right-shift-type-error.js: Added.
1434         * stress/big-int-right-shift-wrapped-value.js: Added.
1435         * stress/left-shift-to-primitive-precedence.js: Added.
1436         * stress/right-shift-to-primitive-precedence.js: Added.
1437
1438 2018-11-30  Dean Jackson  <dino@apple.com>
1439
1440         Add first-class support for .mjs files in jsc binary
1441         https://bugs.webkit.org/show_bug.cgi?id=192190
1442         <rdar://problem/46375715>
1443
1444         Reviewed by Keith Miller.
1445
1446         * stress/simple-module.mjs: Added.
1447         * stress/simple-script.js: Added.
1448
1449 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1450
1451         [BigInt] Implement ValueBitXor into DFG
1452         https://bugs.webkit.org/show_bug.cgi?id=190264
1453
1454         Reviewed by Yusuke Suzuki.
1455
1456         * stress/big-int-bitwise-xor-jit.js: Added.
1457         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1458         * stress/big-int-bitwise-xor-untyped.js: Added.
1459
1460 2018-11-27  Saam barati  <sbarati@apple.com>
1461
1462         r238510 broke scopes of size zero
1463         https://bugs.webkit.org/show_bug.cgi?id=192033
1464         <rdar://problem/46281734>
1465
1466         Reviewed by Keith Miller.
1467
1468         * stress/r238510-bad-loop.js: Added.
1469         (foo):
1470
1471 2018-11-27  Mark Lam  <mark.lam@apple.com>
1472
1473         [Re-landing] NaNs read from Wasm code needs to be be purified.
1474         https://bugs.webkit.org/show_bug.cgi?id=191056
1475         <rdar://problem/45660341>
1476
1477         Reviewed by Filip Pizlo.
1478
1479         * wasm/regress/regress-191056.js: Added.
1480
1481 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1482
1483         Unreviewed, rolling out r238509.
1484
1485         Causes JSC tests to fail on iOS.
1486
1487         Reverted changeset:
1488
1489         "NaNs read from Wasm code needs to be be purified."
1490         https://bugs.webkit.org/show_bug.cgi?id=191056
1491         https://trac.webkit.org/changeset/238509
1492
1493 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1494
1495         Re-introduce op_bitnot
1496         https://bugs.webkit.org/show_bug.cgi?id=190923
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         * stress/bit-not-must-generate.js: Added.
1501         * stress/bitwise-not-no-int32.js: Added.
1502
1503 2018-11-26  Saam barati  <sbarati@apple.com>
1504
1505         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1506         https://bugs.webkit.org/show_bug.cgi?id=191956
1507         <rdar://problem/45665806>
1508
1509         Reviewed by Yusuke Suzuki.
1510
1511         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1512         (bar):
1513         (foo):
1514
1515 2018-11-26  Saam barati  <sbarati@apple.com>
1516
1517         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1518         https://bugs.webkit.org/show_bug.cgi?id=191958
1519         <rdar://problem/46221877>
1520
1521         Reviewed by Yusuke Suzuki.
1522
1523         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1524         (x):
1525         (foo):
1526
1527 2018-11-26  Mark Lam  <mark.lam@apple.com>
1528
1529         NaNs read from Wasm code needs to be be purified.
1530         https://bugs.webkit.org/show_bug.cgi?id=191056
1531         <rdar://problem/45660341>
1532
1533         Reviewed by Filip Pizlo.
1534
1535         * wasm/regress/regress-191056.js: Added.
1536
1537 2018-11-26  Michael Saboff  <msaboff@apple.com>
1538
1539         32-bit JSC test failure: stress/regexp-compile-oom.js
1540         https://bugs.webkit.org/show_bug.cgi?id=191375
1541
1542         Reviewed by Mark Lam.
1543
1544         Disabled the test for 32 bit platforms.
1545
1546         * stress/regexp-compile-oom.js:
1547
1548 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1549
1550         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1551         https://bugs.webkit.org/show_bug.cgi?id=191716
1552         <rdar://problem/45723878>
1553
1554         Reviewed by Saam Barati.
1555
1556         * stress/regress-187373.js: Added.
1557         (async.fn):
1558
1559 2018-11-21  Saam barati  <sbarati@apple.com>
1560
1561         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1562         https://bugs.webkit.org/show_bug.cgi?id=191897
1563         <rdar://problem/45871998>
1564
1565         Reviewed by Mark Lam.
1566
1567         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1568         (bar):
1569         (foo):
1570
1571 2018-11-21  Saam barati  <sbarati@apple.com>
1572
1573         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1574         https://bugs.webkit.org/show_bug.cgi?id=191895
1575         <rdar://problem/46167406>
1576
1577         Reviewed by Mark Lam.
1578
1579         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1580         (foo):
1581         (bar):
1582
1583 2018-11-21  Mark Lam  <mark.lam@apple.com>
1584
1585         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1586         https://bugs.webkit.org/show_bug.cgi?id=191776
1587         <rdar://problem/46152851>
1588
1589         Reviewed by Saam Barati.
1590
1591         * stress/big-wasm-memory-grow-no-max.js:
1592         * stress/big-wasm-memory-grow.js:
1593         * stress/big-wasm-memory.js:
1594         - updated these to expect an OutOfMemoryError.
1595
1596         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1597         (Binary.prototype.emit_u8):
1598         (Binary.prototype.emit_u32v):
1599         (Binary.prototype.emit_header):
1600         (Binary.prototype.emit_section):
1601         (Binary):
1602         (WasmModuleBuilder):
1603         (WasmModuleBuilder.prototype.addMemory):
1604         (WasmModuleBuilder.prototype.toArray):
1605         (WasmModuleBuilder.prototype.toBuffer):
1606         (WasmModuleBuilder.prototype.instantiate):
1607         (catch):
1608         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1609         (catch):
1610
1611 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1612
1613         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1614         https://bugs.webkit.org/show_bug.cgi?id=190836
1615
1616         Reviewed by Saam Barati and Yusuke Suzuki.
1617
1618         * stress/big-int-out-of-memory-tests.js: Added.
1619
1620 2018-11-20  Mark Lam  <mark.lam@apple.com>
1621
1622         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1623         https://bugs.webkit.org/show_bug.cgi?id=191856
1624         <rdar://problem/46089992>
1625
1626         Reviewed by Yusuke Suzuki.
1627
1628         * stress/regress-191856.js: Added.
1629         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1630
1631 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1632
1633         Enable JIT on ARM/Linux
1634         https://bugs.webkit.org/show_bug.cgi?id=191548
1635
1636         Reviewed by Yusuke Suzuki.
1637
1638         Disable test on system with limited memory. Program was killed by
1639         the OS before the exception was thrown.
1640
1641         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1642
1643 2018-11-20  Saam barati  <sbarati@apple.com>
1644
1645         Merging an IC variant may lead to the IC status containing overlapping structure sets
1646         https://bugs.webkit.org/show_bug.cgi?id=191869
1647         <rdar://problem/45403453>
1648
1649         Reviewed by Mark Lam.
1650
1651         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1652
1653 2018-11-19  Mark Lam  <mark.lam@apple.com>
1654
1655         globalFuncImportModule() should return a promise when it clears exceptions.
1656         https://bugs.webkit.org/show_bug.cgi?id=191792
1657         <rdar://problem/46090763>
1658
1659         Reviewed by Michael Saboff.
1660
1661         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1662
1663 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1664
1665         Skip new memory-hungry tests on memory limited devices
1666
1667         Unreviewed gardening.
1668
1669         * stress/big-wasm-memory-grow-no-max.js:
1670         * stress/big-wasm-memory-grow.js:
1671         * stress/big-wasm-memory.js:
1672
1673 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1674
1675         Unreviewed, rolling in the rest of r237254
1676         https://bugs.webkit.org/show_bug.cgi?id=190340
1677
1678         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1679         * stress/function-cache-with-parameters-end-position.js: Added.
1680         (shouldBe):
1681         (shouldThrow):
1682         (i.anonymous):
1683         * stress/function-constructor-name.js: Added.
1684         (shouldBe):
1685         (GeneratorFunction):
1686         (AsyncFunction.async):
1687         (AsyncGeneratorFunction.async):
1688         (anonymous):
1689         (async.anonymous):
1690         * test262/expectations.yaml:
1691
1692 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1693
1694         All users of ArrayBuffer should agree on the same max size
1695         https://bugs.webkit.org/show_bug.cgi?id=191771
1696
1697         Reviewed by Mark Lam.
1698
1699         * stress/big-wasm-memory-grow-no-max.js: Added.
1700         (foo):
1701         (catch):
1702         * stress/big-wasm-memory-grow.js: Added.
1703         (foo):
1704         (catch):
1705         * stress/big-wasm-memory.js: Added.
1706         (foo):
1707         (catch):
1708
1709 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1710
1711         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1712         run for each JSC config since they're regression tests for runtime bugs.
1713
1714         * stress/json-stringified-overflow-2.js:
1715         * stress/json-stringified-overflow.js:
1716
1717 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1718
1719         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1720         config since they're regression tests for runtime bugs.
1721
1722         * stress/large-unshift-splice.js:
1723         * stress/regress-185888.js:
1724
1725 2018-11-16  Saam Barati  <sbarati@apple.com>
1726
1727         KnownCellUse should also have SpecCellCheck as its type filter
1728         https://bugs.webkit.org/show_bug.cgi?id=191729
1729         <rdar://problem/45872852>
1730
1731         Reviewed by Filip Pizlo.
1732
1733         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1734         (C):
1735
1736 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1737
1738         Fix assertion failure on BytecodeGenerator::recordOpcode
1739         https://bugs.webkit.org/show_bug.cgi?id=191724
1740         <rdar://problem/45724395>
1741
1742         Reviewed by Saam Barati.
1743
1744         * stress/regress-187373-2.js: Added.
1745         (foo):
1746
1747 2018-11-15  Mark Lam  <mark.lam@apple.com>
1748
1749         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1750         https://bugs.webkit.org/show_bug.cgi?id=191730
1751         <rdar://problem/46048517>
1752
1753         Reviewed by Saam Barati.
1754
1755         * stress/regress-187006.js: Removed.
1756           - this test is invalid because its sole purpose is to test for the non-spec
1757             compliant behavior that we just fixed.
1758
1759         * stress/regress-191730.js: Added.
1760
1761 2018-11-15  Mark Lam  <mark.lam@apple.com>
1762
1763         RegExp operations should not take fast patch if lastIndex is not numeric.
1764         https://bugs.webkit.org/show_bug.cgi?id=191731
1765         <rdar://problem/46017305>
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/regress-191731.js: Added.
1770
1771 2018-11-13  Saam Barati  <sbarati@apple.com>
1772
1773         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1774         https://bugs.webkit.org/show_bug.cgi?id=191600
1775
1776         Reviewed by Mark Lam.
1777
1778         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1779         (foo):
1780         (test):
1781         (bar):
1782
1783 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1784
1785         Unreviewed, rolling out r238132.
1786
1787         The test added with this change is timing out on Debug JSC
1788         bots.
1789
1790         Reverted changeset:
1791
1792         "[BigInt] JSBigInt::createWithLength should throw when length
1793         is greater than JSBigInt::maxLength"
1794         https://bugs.webkit.org/show_bug.cgi?id=190836
1795         https://trac.webkit.org/changeset/238132
1796
1797 2018-11-13  Mark Lam  <mark.lam@apple.com>
1798
1799         Add OOM detection to StringPrototype's substituteBackreferences().
1800         https://bugs.webkit.org/show_bug.cgi?id=191563
1801         <rdar://problem/45720428>
1802
1803         Reviewed by Saam Barati.
1804
1805         * stress/regress-191563.js: Added.
1806
1807 2018-11-13  Mark Lam  <mark.lam@apple.com>
1808
1809         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1810         https://bugs.webkit.org/show_bug.cgi?id=191579
1811         <rdar://problem/45942472>
1812
1813         Reviewed by Saam Barati.
1814
1815         * stress/regress-191579.js: Added.
1816
1817 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1818
1819         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1820         https://bugs.webkit.org/show_bug.cgi?id=190836
1821
1822         Reviewed by Saam Barati.
1823
1824         * stress/big-int-out-of-memory-tests.js: Added.
1825
1826 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1827
1828         U+180E is no longer a whitespace character
1829         https://bugs.webkit.org/show_bug.cgi?id=191415
1830
1831         Reviewed by Saam Barati.
1832
1833         * ChakraCore/test/es5/regexSpace.baseline:
1834         * ChakraCore/test/es6/unicode_whitespace.js:
1835         Update tests to latest version.
1836         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1837
1838         * test262.yaml:
1839         * test262/config.yaml:
1840         * test262/expectations.yaml:
1841         Update expectations.
1842
1843 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1844
1845         [BigInt] Add support to BigInt into ValueAdd
1846         https://bugs.webkit.org/show_bug.cgi?id=186177
1847
1848         Reviewed by Keith Miller.
1849
1850         * stress/big-int-negate-jit.js:
1851         * stress/value-add-big-int-and-string.js: Added.
1852         * stress/value-add-big-int-prediction-propagation.js: Added.
1853         * stress/value-add-big-int-untyped.js: Added.
1854
1855 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1856
1857         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1858         https://bugs.webkit.org/show_bug.cgi?id=191184
1859
1860         Reviewed by Saam Barati.
1861
1862         Most tests were failing due to timeouts, since they are too slow to
1863         run on CLoop. The exceptions are:
1864
1865         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1866         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1867         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1868         to change the stack size since CLoop requires it to be page aligned.
1869
1870         * microbenchmarks/array-push-1.js:
1871         * microbenchmarks/array-push-2.js:
1872         * microbenchmarks/elidable-new-object-dag.js:
1873         * microbenchmarks/elidable-new-object-roflcopter.js:
1874         * microbenchmarks/elidable-new-object-tree.js:
1875         * microbenchmarks/getter-richards.js:
1876         * microbenchmarks/sinkable-new-object-dag.js:
1877         * microbenchmarks/string-concat-long-convert.js:
1878         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1879         * slowMicrobenchmarks/array-push-3.js:
1880         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1881         * slowMicrobenchmarks/spread-small-array.js:
1882         * slowMicrobenchmarks/undefined-property-access.js:
1883         * stress/activation-sink-default-value-tdz-error.js:
1884         * stress/activation-sink-default-value.js:
1885         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1886         * stress/activation-sink-osrexit-default-value.js:
1887         * stress/activation-sink-osrexit.js:
1888         * stress/activation-sink.js:
1889         * stress/allow-math-ic-b3-code-duplication.js:
1890         * stress/array-push-multiple-int32.js:
1891         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1892         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1893         * stress/arrowfunction-lexical-this-activation-sink.js:
1894         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1895         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1896         * stress/elide-new-object-dag-then-exit.js:
1897         * stress/materialize-regexp-cyclic.js:
1898         * stress/new-regex-inline.js:
1899         * stress/op_add.js:
1900         * stress/op_bitand.js:
1901         * stress/op_bitor.js:
1902         * stress/op_bitxor.js:
1903         * stress/op_div-ConstVar.js:
1904         * stress/op_div-VarConst.js:
1905         * stress/op_div-VarVar.js:
1906         * stress/op_lshift-ConstVar.js:
1907         * stress/op_lshift-VarConst.js:
1908         * stress/op_lshift-VarVar.js:
1909         * stress/op_mod-ConstVar.js:
1910         * stress/op_mod-VarConst.js:
1911         * stress/op_mod-VarVar.js:
1912         * stress/op_mul-ConstVar.js:
1913         * stress/op_mul-VarConst.js:
1914         * stress/op_mul-VarVar.js:
1915         * stress/op_rshift-ConstVar.js:
1916         * stress/op_rshift-VarConst.js:
1917         * stress/op_rshift-VarVar.js:
1918         * stress/op_sub-ConstVar.js:
1919         * stress/op_sub-VarConst.js:
1920         * stress/op_sub-VarVar.js:
1921         * stress/op_urshift-ConstVar.js:
1922         * stress/op_urshift-VarConst.js:
1923         * stress/op_urshift-VarVar.js:
1924         * stress/proxy-get-set-correct-receiver.js:
1925         * stress/regress-179562.js:
1926         * stress/rest-parameter-many-arguments.js:
1927         * stress/sampling-profiler-richards.js:
1928         * stress/splay-flash-access-1ms.js:
1929         * stress/tailCallForwardArguments.js:
1930         * stress/typed-array-get-by-val-profiling.js:
1931         * typeProfiler/getter-richards.js:
1932
1933 2018-11-06  Michael Saboff  <msaboff@apple.com>
1934
1935         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1936         https://bugs.webkit.org/show_bug.cgi?id=191271
1937
1938         Reviewed by Saam Barati.
1939
1940         Added more test cases and made all test cases run with the same deeply recursive stack
1941         instead of finding that same point for each test case.
1942
1943         * stress/regexp-compile-oom.js:
1944         (prototype.runTest):
1945         (recurseAndTest):
1946         (testList.push.new.TestAndExpectedException):
1947
1948 2018-11-05  Michael Saboff  <msaboff@apple.com>
1949
1950         Unreviewed build fix for linux.
1951
1952         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1953
1954 2018-11-02  Michael Saboff  <msaboff@apple.com>
1955
1956         Rolling in r237753 with unreviewed build fix.
1957
1958         Fixed issues with DECLARE_THROW_SCOPE placement.
1959
1960 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1961
1962         Unreviewed, rolling out r237753.
1963
1964         Introduced JSC test failures
1965
1966         Reverted changeset:
1967
1968         "Running out of stack space not properly handled in
1969         RegExp::compile() and its callers"
1970         https://bugs.webkit.org/show_bug.cgi?id=191206
1971         https://trac.webkit.org/changeset/237753
1972
1973 2018-11-02  Michael Saboff  <msaboff@apple.com>
1974
1975         Running out of stack space not properly handled in RegExp::compile() and its callers
1976         https://bugs.webkit.org/show_bug.cgi?id=191206
1977
1978         Reviewed by Filip Pizlo.
1979
1980         New regression test.
1981
1982         * stress/regexp-compile-oom.js: Added.
1983         (recurseAndTest):
1984
1985 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1986
1987         Skip tests on arm/mips that time out now we're running on CLoop
1988
1989         Unreviewed gardening.
1990
1991         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1992         time out on the bots and need to be disabled. There's more tests
1993         disabled on arm because the timeout is longer on the mips bot (as the
1994         device is slower to start with), so many of the tests don't time out
1995         there.
1996
1997         * microbenchmarks/getter-richards.js: disable on arm and mips.
1998         * stress/op_add.js: disable on arm.
1999         * stress/op_bitand.js: disable on arm.
2000         * stress/op_bitor.js: disable on arm.
2001         * stress/op_bitxor.js: disable on arm.
2002         * stress/op_lshift-ConstVar.js: disable on arm.
2003         * stress/op_lshift-VarConst.js: disable on arm.
2004         * stress/op_lshift-VarVar.js: disable on arm.
2005         * stress/op_mod-ConstVar.js: disable on arm.
2006         * stress/op_mod-VarConst.js: disable on arm.
2007         * stress/op_mod-VarVar.js: disable on arm.
2008         * stress/op_mul-ConstVar.js: disable on arm.
2009         * stress/op_mul-VarConst.js: disable on arm.
2010         * stress/op_mul-VarVar.js: disable on arm.
2011         * stress/op_rshift-ConstVar.js: disable on arm.
2012         * stress/op_rshift-VarConst.js: disable on arm.
2013         * stress/op_rshift-VarVar.js: disable on arm.
2014         * stress/op_sub-ConstVar.js: disable on arm.
2015         * stress/op_sub-VarConst.js: disable on arm.
2016         * stress/op_sub-VarVar.js: disable on arm.
2017         * stress/op_urshift-ConstVar.js: disable on arm.
2018         * stress/op_urshift-VarConst.js: disable on arm.
2019         * stress/op_urshift-VarVar.js: disable on arm.
2020         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2021         * stress/value-to-boolean.js: disable on arm and mips.
2022
2023 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2024
2025         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2026         https://bugs.webkit.org/show_bug.cgi?id=191108
2027         <rdar://problem/45690700>
2028
2029         Reviewed by Saam Barati.
2030
2031         * stress/wide-op_catch.js: Added.
2032         (catch):
2033
2034 2018-10-29  Mark Lam  <mark.lam@apple.com>
2035
2036         Correctly detect string overflow when using the 'Function' constructor.
2037         https://bugs.webkit.org/show_bug.cgi?id=184883
2038         <rdar://problem/36320331>
2039
2040         Reviewed by Saam Barati.
2041
2042         I've verified that this passes on 32-bit as well.
2043
2044         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2045
2046 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2047
2048         Add support for GetStack FlushedDouble
2049         https://bugs.webkit.org/show_bug.cgi?id=191012
2050         <rdar://problem/45265141>
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/get-stack-double.js: Added.
2055         (bar):
2056         (noInline):
2057
2058 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2059
2060         New bytecode format for JSC
2061         https://bugs.webkit.org/show_bug.cgi?id=187373
2062         <rdar://problem/44186758>
2063
2064         Reviewed by Filip Pizlo.
2065
2066         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2067
2068         * stress/maximum-inline-capacity.js: Added.
2069         (test1):
2070         (test3.Foo):
2071         (test3):
2072
2073 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2074
2075         Unreviewed, rolling out r237479 and r237484.
2076         https://bugs.webkit.org/show_bug.cgi?id=190978
2077
2078         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2079
2080         Reverted changesets:
2081
2082         "New bytecode format for JSC"
2083         https://bugs.webkit.org/show_bug.cgi?id=187373
2084         https://trac.webkit.org/changeset/237479
2085
2086         "Gardening: Build fix after r237479."
2087         https://bugs.webkit.org/show_bug.cgi?id=187373
2088         https://trac.webkit.org/changeset/237484
2089
2090 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2091
2092         New bytecode format for JSC
2093         https://bugs.webkit.org/show_bug.cgi?id=187373
2094         <rdar://problem/44186758>
2095
2096         Reviewed by Filip Pizlo.
2097
2098         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2099
2100         * stress/maximum-inline-capacity.js: Added.
2101         (test1):
2102         (test3.Foo):
2103         (test3):
2104
2105 2018-10-26  Mark Lam  <mark.lam@apple.com>
2106
2107         Fix missing edge cases with JSGlobalObjects having a bad time.
2108         https://bugs.webkit.org/show_bug.cgi?id=189028
2109         <rdar://problem/45204939>
2110
2111         Reviewed by Saam Barati.
2112
2113         * stress/regress-189028.js: Added.
2114
2115 2018-10-22  Mark Lam  <mark.lam@apple.com>
2116
2117         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2118         https://bugs.webkit.org/show_bug.cgi?id=190515
2119         <rdar://problem/45222379>
2120
2121         Rubber-stamped by Saam Barati.
2122
2123         Adding another test.
2124
2125         * stress/regress-190515-2.js: Added.
2126
2127 2018-10-22  Mark Lam  <mark.lam@apple.com>
2128
2129         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2130         https://bugs.webkit.org/show_bug.cgi?id=190515
2131         <rdar://problem/45222379>
2132
2133         Reviewed by Saam Barati.
2134
2135         * stress/regress-190515.js: Added.
2136
2137 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2138
2139         Unreviewed, rolling out r237254.
2140         https://bugs.webkit.org/show_bug.cgi?id=190760
2141
2142         "It regresses JetStream 2 by 5% on some iOS devices"
2143         (Requested by saamyjoon on #webkit).
2144
2145         Reverted changeset:
2146
2147         "[JSC] JSC should have "parseFunction" to optimize Function
2148         constructor"
2149         https://bugs.webkit.org/show_bug.cgi?id=190340
2150         https://trac.webkit.org/changeset/237254
2151
2152 2018-10-19  Saam Barati  <sbarati@apple.com>
2153
2154         vmCall should check if we exit before emitting an OSR exit due to exceptions
2155         https://bugs.webkit.org/show_bug.cgi?id=190740
2156         <rdar://problem/45220139>
2157
2158         Reviewed by Mark Lam.
2159
2160         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2161         (foo):
2162
2163 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2164
2165         [ESNext][BigInt] Implement support for "^"
2166         https://bugs.webkit.org/show_bug.cgi?id=186235
2167
2168         Reviewed by Yusuke Suzuki.
2169
2170         * stress/big-int-bitwise-xor-general.js: Added.
2171         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2172         * stress/big-int-bitwise-xor-type-error.js: Added.
2173         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2174
2175 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2176
2177         [BigInt] Add ValueSub into DFG
2178         https://bugs.webkit.org/show_bug.cgi?id=186176
2179
2180         Reviewed by Yusuke Suzuki.
2181
2182         * stress/big-int-subtraction-jit.js:
2183         * stress/value-sub-big-int-prediction-propagation.js: Added.
2184         * stress/value-sub-big-int-untyped.js: Added.
2185         * stress/value-sub-spec-none-case.js: Added.
2186
2187 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2188
2189         [JSC] JSC should have "parseFunction" to optimize Function constructor
2190         https://bugs.webkit.org/show_bug.cgi?id=190340
2191
2192         Reviewed by Mark Lam.
2193
2194         This patch fixes the line number of syntax errors raised by the Function constructor,
2195         since we now parse the final code only once. And we no longer use block statement
2196         for Function constructor's parsing.
2197
2198         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2199         * stress/function-cache-with-parameters-end-position.js: Added.
2200         (shouldBe):
2201         (shouldThrow):
2202         (i.anonymous):
2203         * stress/function-constructor-name.js: Added.
2204         (shouldBe):
2205         (GeneratorFunction):
2206         (AsyncFunction.async):
2207         (AsyncGeneratorFunction.async):
2208         (anonymous):
2209         (async.anonymous):
2210         * test262/expectations.yaml:
2211
2212 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2213
2214         Unreviewed, rolling out r237242.
2215         https://bugs.webkit.org/show_bug.cgi?id=190701
2216
2217         it breaks "stress/sampling-profiler-basic.js" (Requested by
2218         caiolima on #webkit).
2219
2220         Reverted changeset:
2221
2222         "[BigInt] Add ValueSub into DFG"
2223         https://bugs.webkit.org/show_bug.cgi?id=186176
2224         https://trac.webkit.org/changeset/237242
2225
2226 2018-10-17  Keith Miller  <keith_miller@apple.com>
2227
2228         AI does not clear Phantom allocation nodes.
2229         https://bugs.webkit.org/show_bug.cgi?id=190694
2230
2231         Reviewed by Saam Barati.
2232
2233         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2234         (Day):
2235         (DaysInYear):
2236         (TimeInYear):
2237         (TimeFromYear):
2238         (DayFromYear):
2239         (InLeapYear):
2240         (YearFromTime):
2241         (WeekDay):
2242         (DaylightSavingTA):
2243         (GetSecondSundayInMarch):
2244         (TimeInMonth):
2245
2246 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2247
2248         [BigInt] Add ValueSub into DFG
2249         https://bugs.webkit.org/show_bug.cgi?id=186176
2250
2251         Reviewed by Yusuke Suzuki.
2252
2253         * stress/big-int-subtraction-jit.js:
2254         * stress/value-sub-big-int-prediction-propagation.js: Added.
2255         * stress/value-sub-big-int-untyped.js: Added.
2256
2257 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2258
2259         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2260         https://bugs.webkit.org/show_bug.cgi?id=190611
2261
2262         Reviewed by Saam Barati.
2263
2264         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2265         to improve test runtime. On ARM/MIPS this test even timed out when running all
2266         tests.
2267
2268         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2269         (test):
2270
2271 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2272
2273         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2274
2275         Unreviewed gardening.
2276
2277         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2278
2279 2018-10-15  Saam barati  <sbarati@apple.com>
2280
2281         Emit fjcvtzs on ARM64E on Darwin
2282         https://bugs.webkit.org/show_bug.cgi?id=184023
2283
2284         Reviewed by Yusuke Suzuki and Filip Pizlo.
2285
2286         * stress/double-to-int32-NaN.js: Added.
2287         (assert):
2288         (foo):
2289
2290 2018-10-15  Saam Barati  <sbarati@apple.com>
2291
2292         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2293         https://bugs.webkit.org/show_bug.cgi?id=190262
2294         <rdar://problem/44986241>
2295
2296         Reviewed by Mark Lam.
2297
2298         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2299         (test):
2300         * stress/slice-array-storage-with-holes.js: Added.
2301         (main):
2302
2303 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2304
2305         Unreviewed, rolling out r237054.
2306         https://bugs.webkit.org/show_bug.cgi?id=190593
2307
2308         "this regressed JetStream 2 by 6% on iOS" (Requested by
2309         saamyjoon on #webkit).
2310
2311         Reverted changeset:
2312
2313         "[JSC] JSC should have "parseFunction" to optimize Function
2314         constructor"
2315         https://bugs.webkit.org/show_bug.cgi?id=190340
2316         https://trac.webkit.org/changeset/237054
2317
2318 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2319
2320         [JSC] JSON.stringify can accept call-with-no-arguments
2321         https://bugs.webkit.org/show_bug.cgi?id=190343
2322
2323         Reviewed by Mark Lam.
2324
2325         * stress/json-stringify-no-arguments.js: Added.
2326         (shouldBe):
2327
2328 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2329
2330         [JSC] JSC should have "parseFunction" to optimize Function constructor
2331         https://bugs.webkit.org/show_bug.cgi?id=190340
2332
2333         Reviewed by Mark Lam.
2334
2335         This patch fixes the line number of syntax errors raised by the Function constructor,
2336         since we now parse the final code only once. And we no longer use block statement
2337         for Function constructor's parsing.
2338
2339         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2340         * stress/function-cache-with-parameters-end-position.js: Added.
2341         (shouldBe):
2342         (shouldThrow):
2343         (i.anonymous):
2344         * stress/function-constructor-name.js: Added.
2345         (shouldBe):
2346         (GeneratorFunction):
2347         (AsyncFunction.async):
2348         (AsyncGeneratorFunction.async):
2349         (anonymous):
2350         (async.anonymous):
2351         * test262/expectations.yaml:
2352
2353 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2354
2355         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2356         https://bugs.webkit.org/show_bug.cgi?id=190426
2357
2358         Unreviewed gardening.
2359
2360         * stress/sampling-profiler-richards.js:
2361
2362 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2363
2364         [ESNext][BigInt] Implement support for "|"
2365         https://bugs.webkit.org/show_bug.cgi?id=186229
2366
2367         Reviewed by Yusuke Suzuki.
2368
2369         * stress/big-int-bitwise-and-jit.js:
2370         * stress/big-int-bitwise-or-general.js: Added.
2371         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2372         * stress/big-int-bitwise-or-jit.js: Added.
2373         * stress/big-int-bitwise-or-memory-stress.js: Added.
2374         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2375         * stress/big-int-bitwise-or-type-error.js: Added.
2376         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2377
2378 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2379
2380         Skip test on systems with limited memory
2381         https://bugs.webkit.org/show_bug.cgi?id=190310
2382
2383         Invoking runDefault adds test to runlist, skipping the test in the next
2384         line does not prevent the test from executing. Change order of lines such
2385         that runDefault is only executed if test is not executed.
2386
2387         Reviewed by Mark Lam.
2388
2389         * stress/regress-190187.js:
2390
2391 2018-10-03  Saam barati  <sbarati@apple.com>
2392
2393         lowXYZ in FTLLower should always filter the type of the incoming edge
2394         https://bugs.webkit.org/show_bug.cgi?id=189939
2395         <rdar://problem/44407030>
2396
2397         Reviewed by Michael Saboff.
2398
2399         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2400         (foo):
2401         (test):
2402
2403 2018-10-03  Mark Lam  <mark.lam@apple.com>
2404
2405         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2406         https://bugs.webkit.org/show_bug.cgi?id=190187
2407         <rdar://problem/42512909>
2408
2409         Reviewed by Michael Saboff.
2410
2411         * stress/regress-190187.js: Added.
2412
2413 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2414
2415         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2416         https://bugs.webkit.org/show_bug.cgi?id=190033
2417
2418         Reviewed by Yusuke Suzuki.
2419
2420         * stress/big-int-to-string.js:
2421
2422 2018-10-01  Mark Lam  <mark.lam@apple.com>
2423
2424         Function.toString() should also copy the source code Functions that are class definitions.
2425         https://bugs.webkit.org/show_bug.cgi?id=190186
2426         <rdar://problem/44733360>
2427
2428         Reviewed by Saam Barati.
2429
2430         * stress/regress-190186.js: Added.
2431
2432 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2433
2434         Split NaN-check into separate test
2435         https://bugs.webkit.org/show_bug.cgi?id=190010
2436
2437         Reviewed by Saam Barati.
2438
2439         DataView exposes NaN-representation, which is not necessarily the same on each
2440         architecture. Therefore move the check of the NaN-representation into its own
2441         file such that we can disable this test on MIPS where NaN-representation can be
2442         different on older CPUs.
2443
2444         * stress/dataview-jit-set-nan.js: Added.
2445         (assert):
2446         (test.storeLittleEndian):
2447         (test.storeBigEndian):
2448         (test.store):
2449         (test):
2450         * stress/dataview-jit-set.js:
2451         (test5):
2452
2453 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2454
2455         Unreviewed, rolling out r236647.
2456         https://bugs.webkit.org/show_bug.cgi?id=190124
2457
2458         Breaking test stress/big-int-to-string.js (Requested by
2459         caiolima_ on #webkit).
2460
2461         Reverted changeset:
2462
2463         "[BigInt] BigInt.proptotype.toString is broken when radix is
2464         power of 2"
2465         https://bugs.webkit.org/show_bug.cgi?id=190033
2466         https://trac.webkit.org/changeset/236647
2467
2468 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2469
2470         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2471         https://bugs.webkit.org/show_bug.cgi?id=190033
2472
2473         Reviewed by Yusuke Suzuki.
2474
2475         * stress/big-int-to-string.js:
2476
2477 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2478
2479         [ESNext][BigInt] Implement support for "&"
2480         https://bugs.webkit.org/show_bug.cgi?id=186228
2481
2482         Reviewed by Yusuke Suzuki.
2483
2484         * stress/big-int-bitwise-and-general.js: Added.
2485         (assert):
2486         (assert.sameValue):
2487         * stress/big-int-bitwise-and-jit.js: Added.
2488         (let.assert.sameValue):
2489         (bigIntBitAnd):
2490         * stress/big-int-bitwise-and-memory-stress.js: Added.
2491         (assert):
2492         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2493         (assert.sameValue):
2494         (let.o.Symbol.toPrimitive):
2495         (catch):
2496         * stress/big-int-bitwise-and-type-error.js: Added.
2497         (assert):
2498         (assertThrowTypeError):
2499         (let.o.valueOf):
2500         (o.valueOf):
2501         (o.toString):
2502         (o.Symbol.toPrimitive):
2503         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2504         (assert.sameValue):
2505         (testBitAnd):
2506         (let.o.Symbol.toPrimitive):
2507         (o.valueOf):
2508         (o.toString):
2509
2510 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2511
2512         JSC test stress/jsc-read.js doesn't support CRLF
2513         https://bugs.webkit.org/show_bug.cgi?id=190063
2514
2515         Reviewed by Yusuke Suzuki.
2516
2517         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2518
2519         * stress/jsc-read.js:
2520         (test):
2521
2522 2018-09-27  Saam barati  <sbarati@apple.com>
2523
2524         Verify the contents of AssemblerBuffer on arm64e
2525         https://bugs.webkit.org/show_bug.cgi?id=190057
2526         <rdar://problem/38916630>
2527
2528         Reviewed by Mark Lam.
2529
2530         * stress/regress-189132.js:
2531
2532 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2533
2534         Disable test without LLInt on ARMv7
2535         https://bugs.webkit.org/show_bug.cgi?id=190037
2536
2537         Reviewed by Mark Lam.
2538
2539         Test runs out of executable memory on ARMv7, do not run
2540         this test without LLInt enabled.
2541
2542         * stress/regress-169445.js:
2543
2544 2018-09-26  Keith Miller  <keith_miller@apple.com>
2545
2546         We should zero unused property storage when rebalancing array storage.
2547         https://bugs.webkit.org/show_bug.cgi?id=188151
2548
2549         Reviewed by Michael Saboff.
2550
2551         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2552
2553 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2554
2555         [JSC] Optimize Array#lastIndexOf
2556         https://bugs.webkit.org/show_bug.cgi?id=189780
2557
2558         Reviewed by Saam Barati.
2559
2560         * stress/array-lastindexof-array-prototype-trap.js: Added.
2561         (shouldBe):
2562         (AncestorArray.prototype.get 2):
2563         (AncestorArray):
2564         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2565         (shouldBe):
2566         * stress/array-lastindexof-hole-nan.js: Added.
2567         (shouldBe):
2568         (throw.new.Error):
2569         * stress/array-lastindexof-infinity.js: Added.
2570         (shouldBe):
2571         (throw.new.Error):
2572         * stress/array-lastindexof-negative-zero.js: Added.
2573         (shouldBe):
2574         (throw.new.Error):
2575         * stress/array-lastindexof-own-getter.js: Added.
2576         (shouldBe):
2577         (throw.new.Error.get array):
2578         (get array):
2579         * stress/array-lastindexof-prototype-trap.js: Added.
2580         (shouldBe):
2581         (DerivedArray.prototype.get 2):
2582         (DerivedArray):
2583
2584 2018-09-25  Saam Barati  <sbarati@apple.com>
2585
2586         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2587         https://bugs.webkit.org/show_bug.cgi?id=189940
2588         <rdar://problem/43640987>
2589
2590         Reviewed by Mark Lam.
2591
2592         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2593
2594 2018-09-24  Saam Barati  <sbarati@apple.com>
2595
2596         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2597         https://bugs.webkit.org/show_bug.cgi?id=189922
2598         <rdar://problem/44651275>
2599
2600         Reviewed by Mark Lam.
2601
2602         * stress/array-indexof-fast-path-effects.js: Added.
2603         * stress/array-indexof-cached-length.js: Added.
2604
2605 2018-09-24  Saam barati  <sbarati@apple.com>
2606
2607         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2608         https://bugs.webkit.org/show_bug.cgi?id=189682
2609         <rdar://problem/43557315>
2610
2611         Reviewed by Mark Lam.
2612
2613         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2614         (foo):
2615
2616 2018-09-22  Saam barati  <sbarati@apple.com>
2617
2618         The sampling should not use Strong<CodeBlock> in its machineLocation field
2619         https://bugs.webkit.org/show_bug.cgi?id=189319
2620
2621         Reviewed by Filip Pizlo.
2622
2623         * stress/sampling-profiler-richards.js: Added.
2624
2625 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2626
2627         [JSC] Optimize Array#indexOf in C++ runtime
2628         https://bugs.webkit.org/show_bug.cgi?id=189507
2629
2630         Reviewed by Saam Barati.
2631
2632         * stress/array-indexof-array-prototype-trap.js: Added.
2633         (shouldBe):
2634         (AncestorArray.prototype.get 2):
2635         (AncestorArray):
2636         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2637         (shouldBe):
2638         * stress/array-indexof-hole-nan.js: Added.
2639         (shouldBe):
2640         (throw.new.Error):
2641         * stress/array-indexof-infinity.js: Added.
2642         (shouldBe):
2643         (throw.new.Error):
2644         * stress/array-indexof-negative-zero.js: Added.
2645         (shouldBe):
2646         (throw.new.Error):
2647         * stress/array-indexof-own-getter.js: Added.
2648         (shouldBe):
2649         (throw.new.Error.get array):
2650         (get array):
2651         * stress/array-indexof-prototype-trap.js: Added.
2652         (shouldBe):
2653         (DerivedArray.prototype.get 2):
2654         (DerivedArray):
2655
2656 2018-09-19  Saam barati  <sbarati@apple.com>
2657
2658         AI rule for MultiPutByOffset executes its effects in the wrong order
2659         https://bugs.webkit.org/show_bug.cgi?id=189757
2660         <rdar://problem/43535257>
2661
2662         Reviewed by Michael Saboff.
2663
2664         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2665         (foo):
2666         (Foo):
2667         (g):
2668
2669 2018-09-17  Mark Lam  <mark.lam@apple.com>
2670
2671         Ensure that ForInContexts are invalidated if their loop local is over-written.
2672         https://bugs.webkit.org/show_bug.cgi?id=189571
2673         <rdar://problem/44402277>
2674
2675         Reviewed by Saam Barati.
2676
2677         * stress/regress-189571.js: Added.
2678
2679 2018-09-17  Saam barati  <sbarati@apple.com>
2680
2681         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2682         https://bugs.webkit.org/show_bug.cgi?id=189676
2683         <rdar://problem/39682897>
2684
2685         Reviewed by Michael Saboff.
2686
2687         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2688         (A):
2689         (K):
2690         (i.catch):
2691
2692 2018-09-14  Saam barati  <sbarati@apple.com>
2693
2694         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2695         https://bugs.webkit.org/show_bug.cgi?id=189628
2696         <rdar://problem/39481690>
2697
2698         Reviewed by Mark Lam.
2699
2700         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2701         (foo):
2702
2703 2018-09-11  Mark Lam  <mark.lam@apple.com>
2704
2705         Test for array initialization in arrayProtoFuncSplice.
2706         https://bugs.webkit.org/show_bug.cgi?id=170253
2707         <rdar://problem/31328773>
2708
2709         Rubber-stamped by Saam Barati.
2710
2711         * stress/regress-170253.js: Added.
2712
2713 2018-09-11  Mark Lam  <mark.lam@apple.com>
2714
2715         Test for IntlObject initialization.
2716         https://bugs.webkit.org/show_bug.cgi?id=170251
2717         <rdar://problem/31328419>
2718
2719         Rubber-stamped by Saam Barati.
2720
2721         * stress/regress-170251.js: Added.
2722
2723 2018-09-11  Mark Lam  <mark.lam@apple.com>
2724
2725         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2726         https://bugs.webkit.org/show_bug.cgi?id=169889
2727         <rdar://problem/31155607>
2728
2729         Reviewed by Saam Barati.
2730
2731         * stress/regress-169889-array-concat.js: Added.
2732         * stress/regress-169889-array-concat1.js: Added.
2733         * stress/regress-169889-array-slice.js: Added.
2734
2735 2018-09-11  Mark Lam  <mark.lam@apple.com>
2736
2737         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2738         https://bugs.webkit.org/show_bug.cgi?id=169445
2739         <rdar://problem/30957435>
2740
2741         Reviewed by Saam Barati.
2742
2743         * stress/regress-169445.js: Added.
2744         (let.gun.eval.A):
2745         (let.gun.eval.B.C):
2746         (let.gun.eval.B.C.prototype.trigger):
2747         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2748         (let.gun.eval.B):
2749         (let.gun.eval):
2750
2751 == Rolled over to ChangeLog-2018-09-11 ==