We can't remove code after ForceOSRExit until after FixupPhase
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-14  Saam barati  <sbarati@apple.com>
2
3         We can't remove code after ForceOSRExit until after FixupPhase
4         https://bugs.webkit.org/show_bug.cgi?id=186916
5         <rdar://problem/41396612>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
10         (foo):
11         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
12         (foo):
13
14 2019-03-13  Michael Saboff  <msaboff@apple.com>
15
16         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
17         https://bugs.webkit.org/show_bug.cgi?id=195735
18
19         Reviewed by Mark Lam.
20
21         New regression test.
22
23         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
24         (foo):
25         (bar):
26
27 2019-03-14  Saam barati  <sbarati@apple.com>
28
29         Fixup uses KnownInt32 incorrectly in some nodes
30         https://bugs.webkit.org/show_bug.cgi?id=195279
31         <rdar://problem/47915654>
32
33         Reviewed by Yusuke Suzuki.
34
35         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
36         (foo):
37
38 2019-03-14  Keith Miller  <keith_miller@apple.com>
39
40         DFG liveness can't skip tail caller inline frames
41         https://bugs.webkit.org/show_bug.cgi?id=195715
42
43         Reviewed by Saam Barati.
44
45         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
46         (i.foo):
47
48 2019-03-13  Mark Lam  <mark.lam@apple.com>
49
50         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
51         https://bugs.webkit.org/show_bug.cgi?id=195415
52
53         Not reviewed.
54
55         Changed these tests to only run the default configuration.
56         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
57         There's no strong need to run this test on that variant.
58
59         * stress/dfg-to-string-on-int-does-gc.js:
60         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
61
62 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
63
64         String overflow when using StringBuilder in JSC::createError
65         https://bugs.webkit.org/show_bug.cgi?id=194957
66
67         Reviewed by Mark Lam.
68
69         Add test string-overflow-createError-builder.js that overflows
70         StringBuilder in notAFunctionSourceAppender. The second new test
71         string-overflow-createError-fit.js has an error message that doesn't
72         overflow, it still failed since the String's capacity can't be doubled.
73         Run test string-overflow-createError.js only in the default
74         configuration to reduce memory consumption when running the test
75         in all configurations on multiple CPUs in parallel.
76
77         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
78         (catch):
79         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
80         (catch):
81         * stress/string-overflow-createError.js:
82
83 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
84
85         [JSC] OSR entry should respect abstract values in addition to flush formats
86         https://bugs.webkit.org/show_bug.cgi?id=195653
87
88         Reviewed by Mark Lam.
89
90         * stress/osr-entry-locals-none.js: Added.
91
92 2019-03-12  Michael Saboff  <msaboff@apple.com>
93
94         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
95         https://bugs.webkit.org/show_bug.cgi?id=195613
96
97         Reviewed by Mark Lam.
98
99         New regression test.
100
101         * stress/regexp-backref-inbounds.js: Added.
102         (testRegExp):
103
104 2019-03-12  Mark Lam  <mark.lam@apple.com>
105
106         The HasIndexedProperty node does GC.
107         https://bugs.webkit.org/show_bug.cgi?id=195559
108         <rdar://problem/48767923>
109
110         Reviewed by Yusuke Suzuki.
111
112         * stress/HasIndexedProperty-does-gc.js: Added.
113
114 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
115
116         [ESNext][BigInt] Implement "~" unary operation
117         https://bugs.webkit.org/show_bug.cgi?id=182216
118
119         Reviewed by Keith Miller.
120
121         * stress/big-int-bit-not-general.js: Added.
122         * stress/big-int-bitwise-not-jit.js: Added.
123         * stress/big-int-bitwise-not-wrapped-value.js: Added.
124         * stress/bit-op-with-object-returning-int32.js:
125         * stress/bitwise-not-fixup-rules.js: Added.
126         * stress/value-bit-not-ai-rule.js: Added.
127
128 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
129
130         Invalid flags in a RegExp literal should be an early SyntaxError
131         https://bugs.webkit.org/show_bug.cgi?id=195514
132
133         Reviewed by Darin Adler.
134
135         * test262/expectations.yaml:
136         Mark 4 test cases as passing.
137
138         * stress/regexp-syntax-error-invalid-flags.js:
139         * stress/regress-161995.js: Removed.
140         Update existing test, merging in an older test for the same behavior.
141
142 2019-03-08  Mark Lam  <mark.lam@apple.com>
143
144         Stack overflow crash in JSC::JSObject::hasInstance.
145         https://bugs.webkit.org/show_bug.cgi?id=195458
146         <rdar://problem/48710195>
147
148         Reviewed by Yusuke Suzuki.
149
150         * stress/stack-overflow-in-custom-hasInstance.js: Added.
151
152 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
153
154         op_check_tdz does not def its argument
155         https://bugs.webkit.org/show_bug.cgi?id=192880
156         <rdar://problem/46221598>
157
158         Reviewed by Saam Barati.
159
160         * microbenchmarks/let-for-in.js: Added.
161         (foo):
162
163 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
164
165         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
166         https://bugs.webkit.org/show_bug.cgi?id=195429
167
168         Reviewed by Saam Barati.
169
170         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
171         (foo):
172         * stress/string-from-char-code-255.js: Added.
173
174 2019-03-06  Mark Lam  <mark.lam@apple.com>
175
176         Fix incorrect handling of try-finally completion values.
177         https://bugs.webkit.org/show_bug.cgi?id=195131
178         <rdar://problem/46222079>
179
180         Reviewed by Saam Barati and Yusuke Suzuki.
181
182         Added many permutations of new test case to test-finally.js.  test-finally.js has
183         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
184         tests pass there as well.
185
186         * stress/test-finally.js:
187
188 2019-03-06  Saam Barati  <sbarati@apple.com>
189
190         Air::reportUsedRegisters must padInterference
191         https://bugs.webkit.org/show_bug.cgi?id=195303
192         <rdar://problem/48270343>
193
194         Reviewed by Keith Miller.
195
196         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
197
198 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
199
200         [JSC] AI should not propagate AbstractValue relying on constant folding phase
201         https://bugs.webkit.org/show_bug.cgi?id=195375
202
203         Reviewed by Saam Barati.
204
205         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
206         (let.array):
207
208 2019-03-05  Saam barati  <sbarati@apple.com>
209
210         op_switch_char broken for rope strings after JSRopeString layout rewrite
211         https://bugs.webkit.org/show_bug.cgi?id=195339
212         <rdar://problem/48592545>
213
214         Reviewed by Yusuke Suzuki.
215
216         * stress/switch-on-char-llint-rope.js: Added.
217
218 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
219
220         [JSC] Store bits for JSRopeString in 3 stores
221         https://bugs.webkit.org/show_bug.cgi?id=195234
222
223         Reviewed by Saam Barati.
224
225         * stress/null-rope-and-collectors.js: Added.
226
227 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
228
229         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
230         https://bugs.webkit.org/show_bug.cgi?id=195207
231
232         Unreviewed. After test runtime was reduced in r242213, test can be
233         run again on ARM/MIPS.
234
235         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
236
237 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
238
239         [JSC] sizeof(JSString) should be 16
240         https://bugs.webkit.org/show_bug.cgi?id=194375
241
242         Reviewed by Saam Barati.
243
244         * microbenchmarks/make-rope.js: Added.
245         (makeRope):
246         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
247         (returnRope.helper): Deleted.
248         (returnRope): Deleted.
249
250 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
251
252         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
253         https://bugs.webkit.org/show_bug.cgi?id=195144
254
255         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
256         Change the number from 1e8 to 1e5.
257
258         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
259         (foo):
260
261 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
262
263         Test times out on ARM/MIPS
264         https://bugs.webkit.org/show_bug.cgi?id=195168
265
266         Unreviewed. Skip test on ARM/MIPS.
267
268         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
269
270 2019-02-27  Mark Lam  <mark.lam@apple.com>
271
272         The parser is failing to record the token location of new in new.target.
273         https://bugs.webkit.org/show_bug.cgi?id=195127
274         <rdar://problem/39645578>
275
276         Reviewed by Yusuke Suzuki.
277
278         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
279
280 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
281
282         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
283         https://bugs.webkit.org/show_bug.cgi?id=195144
284         <rdar://problem/47595961>
285
286         Reviewed by Mark Lam.
287
288         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
289         (bar):
290         (foo):
291         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
292         (bar):
293         (foo):
294
295 2019-02-27  Robin Morisset  <rmorisset@apple.com>
296
297         DFG: Loop-invariant code motion (LICM) should not hoist dead code
298         https://bugs.webkit.org/show_bug.cgi?id=194945
299         <rdar://problem/48311657>
300
301         Reviewed by Mark Lam.
302
303         * stress/licm-dead-code.js: Added.
304
305 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
306
307         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
308         https://bugs.webkit.org/show_bug.cgi?id=194677
309         <rdar://problem/48112492>
310
311         Reviewed by Mark Lam.
312
313         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
314         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
315         it immediately fails due to the large size.
316
317         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
318         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
319         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
320         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
321
322         This patch changes the test to produce 16bit string from String.fromCharCode.
323
324         * stress/regress-178386.js:
325
326 2019-02-26  Mark Lam  <mark.lam@apple.com>
327
328         wasmToJS() should purify incoming NaNs.
329         https://bugs.webkit.org/show_bug.cgi?id=194807
330         <rdar://problem/48189132>
331
332         Reviewed by Saam Barati.
333
334         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
335
336 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
337
338         [JSC] Repeat string created from Array.prototype.join() take too much memory
339         https://bugs.webkit.org/show_bug.cgi?id=193912
340
341         Reviewed by Saam Barati.
342
343         Added a test and a microbenchmark for corner cases of
344         Array.prototype.join() with an uninitialized array.
345
346         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
347         * stress/array-prototype-join-uninitialized.js: Added.
348         (testArray):
349         (testABC):
350         (B):
351         (C):
352
353 2019-02-22  Robin Morisset  <rmorisset@apple.com>
354
355         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
356         https://bugs.webkit.org/show_bug.cgi?id=194953
357         <rdar://problem/47595253>
358
359         Reviewed by Saam Barati.
360
361         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
362
363         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
364
365 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
366
367         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
368         https://bugs.webkit.org/show_bug.cgi?id=172848
369         <rdar://problem/25709212>
370
371         Reviewed by Mark Lam.
372
373         * typeProfiler/inheritance.js:
374         Rewrite the test slightly for clarity. The hoisting was confusing.
375
376         * heapProfiler/class-names.js: Added.
377         (MyES5Class):
378         (MyES6Class):
379         (MyES6Subclass):
380         Test object types and improved class names.
381
382         * heapProfiler/driver/driver.js:
383         (CheapHeapSnapshotNode):
384         (CheapHeapSnapshot):
385         (createCheapHeapSnapshot):
386         (HeapSnapshot):
387         (createHeapSnapshot):
388         Update snapshot parsing from version 1 to version 2.
389
390 2019-02-19  Truitt Savell  <tsavell@apple.com>
391
392         Unreviewed, rolling out r241784.
393
394         Broke all OpenSource builds.
395
396         Reverted changeset:
397
398         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
399         instances view"
400         https://bugs.webkit.org/show_bug.cgi?id=172848
401         https://trac.webkit.org/changeset/241784
402
403 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
404
405         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
406         https://bugs.webkit.org/show_bug.cgi?id=172848
407         <rdar://problem/25709212>
408
409         Reviewed by Mark Lam.
410
411         * typeProfiler/inheritance.js:
412         Rewrite the test slightly for clarity. The hoisting was confusing.
413
414         * heapProfiler/class-names.js: Added.
415         (MyES5Class):
416         (MyES6Class):
417         (MyES6Subclass):
418         Test object types and improved class names.
419
420         * heapProfiler/driver/driver.js:
421         (CheapHeapSnapshotNode):
422         (CheapHeapSnapshot):
423         (createCheapHeapSnapshot):
424         (HeapSnapshot):
425         (createHeapSnapshot):
426         Update snapshot parsing from version 1 to version 2.
427
428 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
429
430         [ARM] Fix crash with sampling profiler
431         https://bugs.webkit.org/show_bug.cgi?id=194772
432
433         Reviewed by Mark Lam.
434
435         Do not skip test since crash with sampling profiler is now fixed.
436
437         * stress/sampling-profiler-richards.js:
438
439 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
440
441         [JSC] Add LazyClassStructure::getInitializedOnMainThread
442         https://bugs.webkit.org/show_bug.cgi?id=194784
443         <rdar://problem/48154820>
444
445         Reviewed by Mark Lam.
446
447         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
448         (getProperties):
449         (getRandomProperty):
450         (i.catch):
451
452 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
453
454         [ARM] Test gardening: Test running out of executable memory
455         https://bugs.webkit.org/show_bug.cgi?id=194771
456
457         Unreviewed. Do not run test without LLInt, test is running out of executable
458         memory on ARM otherwise.
459
460         * stress/tagged-template-object-collect.js:
461
462 2019-02-18  Tomas Popela  <tpopela@redhat.com>
463
464         Unreviewed, skip the test on platforms without sampling profiler
465
466         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
467         (platformSupportsSamplingProfiler.foo):
468         (platformSupportsSamplingProfiler.test):
469         (platformSupportsSamplingProfiler):
470         (foo): Deleted.
471         (test): Deleted.
472
473 2019-02-17  Saam Barati  <sbarati@apple.com>
474
475         Deadlock when adding a Structure property transition and then doing incremental marking
476         https://bugs.webkit.org/show_bug.cgi?id=194767
477
478         Reviewed by Mark Lam.
479
480         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
481
482 2019-02-15  Michael Saboff  <msaboff@apple.com>
483
484         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
485         https://bugs.webkit.org/show_bug.cgi?id=194558
486
487         Reviewed by Saam Barati.
488
489         New regression test.
490
491         * stress/regexp-unicode-within-string.js: Added.
492
493 2019-02-15  Mark Lam  <mark.lam@apple.com>
494
495         SamplingProfiler::stackTracesAsJSON() should escape strings.
496         https://bugs.webkit.org/show_bug.cgi?id=194649
497         <rdar://problem/48072386>
498
499         Reviewed by Saam Barati.
500
501         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
502         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
503         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
504         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
505
506 2019-02-15  Robin Morisset  <rmorisset@apple.com>
507         CodeBlock::jettison should clear related watchpoints
508         https://bugs.webkit.org/show_bug.cgi?id=194544
509
510         Reviewed by Mark Lam.
511
512         * stress/regexp-replace-double-watchpoint.js: Added.
513         (foo):
514
515 2019-02-15  Saam barati  <sbarati@apple.com>
516
517         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
518         https://bugs.webkit.org/show_bug.cgi?id=194036
519
520         Reviewed by Yusuke Suzuki.
521
522         * stress/tail-call-many-arguments.js: Added.
523         (foo):
524         (bar):
525
526 2019-02-14  Saam Barati  <sbarati@apple.com>
527
528         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
529         https://bugs.webkit.org/show_bug.cgi?id=194583
530         <rdar://problem/48028140>
531
532         Reviewed by Yusuke Suzuki.
533
534         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
535
536 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
537
538         [JSC] String.fromCharCode's slow path always generates 16bit string
539         https://bugs.webkit.org/show_bug.cgi?id=194466
540
541         Reviewed by Keith Miller.
542
543         * stress/string-from-char-code-slow-path.js: Added.
544         (shouldBe):
545         (testWithLength):
546
547 2019-02-08  Saam barati  <sbarati@apple.com>
548
549         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
550         https://bugs.webkit.org/show_bug.cgi?id=194334
551         <rdar://problem/47844327>
552
553         Reviewed by Mark Lam.
554
555         * stress/check-in-bounds-should-be-a-child-use.js: Added.
556         (func):
557
558 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
559
560         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
561         https://bugs.webkit.org/show_bug.cgi?id=194369
562         <rdar://problem/47813087>
563
564         Reviewed by Saam Barati.
565
566         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
567         (A):
568
569 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
570
571         [JSC] PrivateName to PublicName hash table is wasteful
572         https://bugs.webkit.org/show_bug.cgi?id=194277
573
574         Reviewed by Michael Saboff.
575
576         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
577
578         * ChakraCore.yaml:
579
580 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
581
582         [ARM] Test running out of executable memory
583         https://bugs.webkit.org/show_bug.cgi?id=194285
584
585         Unreviewed. Do not execute test with LLInt disabled, test runs out of
586         executable memory otherwise.
587
588         * stress/class-subclassing-function.js:
589
590 2019-02-04  Robin Morisset  <rmorisset@apple.com>
591
592         when lowering AssertNotEmpty, create the value before creating the patchpoint
593         https://bugs.webkit.org/show_bug.cgi?id=194231
594
595         Reviewed by Saam Barati.
596
597         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
598         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
599         So even tiny changes to this test can change the path code taken.
600
601         * stress/assert-not-empty.js: Added.
602         (foo):
603
604 2019-02-01  Mark Lam  <mark.lam@apple.com>
605
606         Remove invalid assertion in DFG's compileDoubleRep().
607         https://bugs.webkit.org/show_bug.cgi?id=194130
608         <rdar://problem/47699474>
609
610         Reviewed by Saam Barati.
611
612         * stress/constant-fold-double-rep-into-double-constant.js: Added.
613
614 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
615
616         Import latest Test262 updates.
617
618         Rubber-stamped by Keith Miller.
619
620         * test262.yaml: Deleted.
621         * test262/config.yaml:
622         * test262/expectations.yaml:
623         * test262/latest-changes-summary.txt:
624         * test262/test/:
625         * test262/test262-Revision.txt:
626
627 2019-01-30  Robin Morisset  <rmorisset@apple.com>
628
629         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
630         https://bugs.webkit.org/show_bug.cgi?id=194050
631         <rdar://problem/47595592>
632
633         Reviewed by Yusuke Suzuki.
634
635         * stress/object-keys-osr-exit.js: Added.
636         (foo):
637         (catch):
638
639 2019-01-29  Mark Lam  <mark.lam@apple.com>
640
641         ValueRecovery::recover() should purify NaN values it recovers.
642         https://bugs.webkit.org/show_bug.cgi?id=193978
643         <rdar://problem/47625488>
644
645         Reviewed by Saam Barati.
646
647         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
648
649 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
650
651         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
652         https://bugs.webkit.org/show_bug.cgi?id=193713
653
654         * stress/try-get-by-id-should-spill-registers-dfg.js:
655         (let.f.createBuiltin):
656
657 2019-01-28  Mark Lam  <mark.lam@apple.com>
658
659         ToString node actually does GC.
660         https://bugs.webkit.org/show_bug.cgi?id=193920
661         <rdar://problem/46695900>
662
663         Reviewed by Yusuke Suzuki.
664
665         * stress/dfg-to-string-on-int-does-gc.js: Added.
666         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
667         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
668
669 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
670
671         [JSC] NativeErrorConstructor should not have own IsoSubspace
672         https://bugs.webkit.org/show_bug.cgi?id=193713
673
674         Reviewed by Saam Barati.
675
676         Remove @Error use.
677
678         * stress/try-get-by-id-should-spill-registers-dfg.js:
679         (let.f.createBuiltin):
680
681 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
682
683         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
684         https://bugs.webkit.org/show_bug.cgi?id=190693
685
686         Reviewed by Michael Saboff.
687
688         * stress/regress-190693.js: Added.
689         (truth):
690         (assert):
691         (shouldThrowInvalidConstAssignment):
692         (taz):
693
694 2019-01-24  Saam Barati  <sbarati@apple.com>
695
696         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
697         https://bugs.webkit.org/show_bug.cgi?id=193751
698         <rdar://problem/47280215>
699
700         Reviewed by Michael Saboff.
701
702         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
703         (let.thing):
704         (foo.let.hello):
705         (foo):
706
707 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
708
709         [JSC] Reenable baseline JIT on mips
710         https://bugs.webkit.org/show_bug.cgi?id=192983
711
712         Reviewed by Mark Lam.
713
714         Added a new test for a case that was triggering a RELEASE_ASSERT when
715         testing.
716         Disable some slow tests that were already disabled for arm and x86.
717
718         * stress/json-parse-big-object.js: Added.
719         * stress/new-largeish-contiguous-array-with-size.js:
720         * stress/op_add.js:
721         * stress/op_bitand.js:
722         * stress/op_bitor.js:
723         * stress/op_bitxor.js:
724         * stress/op_lshift-ConstVar.js:
725         * stress/op_lshift-VarConst.js:
726         * stress/op_lshift-VarVar.js:
727         * stress/op_mod-ConstVar.js:
728         * stress/op_mod-VarConst.js:
729         * stress/op_mod-VarVar.js:
730         * stress/op_mul-ConstVar.js:
731         * stress/op_mul-VarConst.js:
732         * stress/op_mul-VarVar.js:
733         * stress/op_rshift-ConstVar.js:
734         * stress/op_rshift-VarConst.js:
735         * stress/op_rshift-VarVar.js:
736         * stress/op_sub-ConstVar.js:
737         * stress/op_sub-VarConst.js:
738         * stress/op_sub-VarVar.js:
739         * stress/op_urshift-ConstVar.js:
740         * stress/op_urshift-VarConst.js:
741         * stress/op_urshift-VarVar.js:
742         * stress/sampling-profiler-richards.js:
743         * stress/spread-forward-call-varargs-stack-overflow.js:
744
745 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
746
747         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
748         https://bugs.webkit.org/show_bug.cgi?id=193711
749         <rdar://problem/47250262>
750
751         Reviewed by Saam Barati.
752
753         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
754         (shouldBe):
755         (foo):
756         (bar):
757         (baz):
758
759 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
760
761         Unreviewed, fix initial global lexical binding epoch
762         https://bugs.webkit.org/show_bug.cgi?id=193603
763         <rdar://problem/47380869>
764
765         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
766         (f1.f2.f3.f4):
767         (f1.f2.f3):
768         (f1.f2):
769         (f1):
770
771 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
772
773         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
774         https://bugs.webkit.org/show_bug.cgi?id=193709
775         <rdar://problem/47363838>
776
777         Unreviewed, rollout to watch the tests.
778
779         * stress/object-tostring-changed-proto.js: Removed.
780         * stress/object-tostring-changed.js: Removed.
781         * stress/object-tostring-misc.js: Removed.
782         * stress/object-tostring-other.js: Removed.
783         * stress/object-tostring-untyped.js: Removed.
784
785 2019-01-22  Saam Barati  <sbarati@apple.com>
786
787         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
788
789         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
790         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
791         (testUncheckedLessThanZero):
792         (testUncheckedLessThanOrEqualZero):
793         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
794         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
795
796 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
797
798         [JSC] Invalidate old scope operations using global lexical binding epoch
799         https://bugs.webkit.org/show_bug.cgi?id=193603
800         <rdar://problem/47380869>
801
802         Reviewed by Saam Barati.
803
804         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
805         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
806         (shouldThrow):
807         (bar):
808         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
809         (shouldBe):
810         (get1):
811         (get2):
812         (get1If):
813         (get2If):
814         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
815         (shouldThrow):
816         (foo):
817
818 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
819
820         Unreviewed, roll out r240220 due to date-format-xparb regression
821         https://bugs.webkit.org/show_bug.cgi?id=193603
822
823         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
824         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
825         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
826         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
827
828 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
829
830         DoesGC rule is wrong for nodes with BigIntUse
831         https://bugs.webkit.org/show_bug.cgi?id=193652
832
833         Reviewed by Saam Barati.
834
835         * stress/big-int-value-op-update-gc-rules.js: Added.
836         (assert):
837         (doesGCAdd):
838         (doesGCSub):
839         (doesGCDiv):
840         (doesGCMul):
841         (doesGCBitAnd):
842         (doesGCBitOr):
843         (doesGCBitXor):
844
845 2019-01-20  Saam Barati  <sbarati@apple.com>
846
847         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
848         https://bugs.webkit.org/show_bug.cgi?id=193644
849         <rdar://problem/46209745>
850
851         Reviewed by Yusuke Suzuki.
852
853         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
854         (foo):
855         * stress/data-view-set-intrinsic-undefined-result.js: Added.
856         (foo):
857         (bar):
858
859 2019-01-20  Saam Barati  <sbarati@apple.com>
860
861         MovHint must merge NodeBytecodeUsesAsValue for its child
862         https://bugs.webkit.org/show_bug.cgi?id=186916
863         <rdar://problem/41396612>
864
865         Reviewed by Yusuke Suzuki.
866
867         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
868         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
869
870 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
871
872         [JSC] Invalidate old scope operations using global lexical binding epoch
873         https://bugs.webkit.org/show_bug.cgi?id=193603
874         <rdar://problem/47380869>
875
876         Reviewed by Saam Barati.
877
878         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
879         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
880         (shouldThrow):
881         (bar):
882         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
883         (shouldBe):
884         (get1):
885         (get2):
886         (get1If):
887         (get2If):
888         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
889         (shouldThrow):
890         (foo):
891
892 2019-01-17  Saam barati  <sbarati@apple.com>
893
894         StringObjectUse should not be a structure check for the original string object structure
895         https://bugs.webkit.org/show_bug.cgi?id=193483
896         <rdar://problem/47280522>
897
898         Reviewed by Yusuke Suzuki.
899
900         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
901         (foo):
902         (a.valueOf.0):
903
904 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
905
906         [JSC] ToThis omission in DFGByteCodeParser is wrong
907         https://bugs.webkit.org/show_bug.cgi?id=193513
908         <rdar://problem/45842236>
909
910         Reviewed by Saam Barati.
911
912         * stress/to-this-omission-with-different-strict-modes.js: Added.
913         (thisA):
914         (thisAStrictWrapper):
915
916 2019-01-15  Mark Lam  <mark.lam@apple.com>
917
918         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
919         https://bugs.webkit.org/show_bug.cgi?id=193423
920         <rdar://problem/46209355>
921
922         Reviewed by Saam Barati.
923
924         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
925         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
926         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
927         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
928
929 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
930
931         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
932         https://bugs.webkit.org/show_bug.cgi?id=193438
933         <rdar://problem/45581249>
934
935         Reviewed by Saam Barati and Keith Miller.
936
937         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
938         Then, GetByVal(String) crashed.
939
940         * stress/string-get-by-val-lowering.js: Added.
941         (shouldBe):
942         (test):
943         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
944         (Hello):
945         (foo):
946
947 2019-01-15  Tomas Popela  <tpopela@redhat.com>
948
949         Unreviewed, skip JIT tests if it's not enabled
950
951         * stress/bit-op-with-object-returning-int32.js:
952
953 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
954
955         DFGByteCodeParser rules for bitwise operations should consider type of their operands
956         https://bugs.webkit.org/show_bug.cgi?id=192966
957
958         Reviewed by Yusuke Suzuki.
959
960         * stress/bit-op-with-object-returning-int32.js: Added.
961
962 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
963
964         Skip a slow test and a flakey test on arm
965
966         Unreviewed gardening.
967
968         * typeProfiler/getter-richards.js:
969         this test always times out, it used to be always skipped on arm and
970         mips, but got accidentally enabled by r237919 now that we have DFG on
971         arm. Also skipping on mips as we plan to soon enable DFG for it too.
972
973 2019-01-14  Keith Miller  <keith_miller@apple.com>
974
975         Skip type-check-hoisting-phase-hoist... with no jit
976         https://bugs.webkit.org/show_bug.cgi?id=193421
977
978         Reviewed by Mark Lam.
979
980         It's timing out the 32-bit bots and takes 330 seconds
981         on my machine when run by itself.
982
983         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
984
985 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
986
987         [JSC] AI should check the given constant's array type when folding GetByVal into constant
988         https://bugs.webkit.org/show_bug.cgi?id=193413
989         <rdar://problem/46092389>
990
991         Reviewed by Keith Miller.
992
993         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
994         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
995         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
996         but GetByVal does not have appropriate ArrayModes, JSC crashes.
997
998         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
999         (compareArray):
1000
1001 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1002
1003         [BigInt] Literal parsing is crashing when used inside a Object Literal
1004         https://bugs.webkit.org/show_bug.cgi?id=193404
1005
1006         Reviewed by Yusuke Suzuki.
1007
1008         * stress/big-int-literal-inside-literal-object.js: Added.
1009
1010 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1011
1012         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1013         https://bugs.webkit.org/show_bug.cgi?id=193372
1014
1015         Reviewed by Saam Barati.
1016
1017         * stress/typed-array-array-modes-profile.js: Added.
1018         (foo):
1019
1020 2019-01-14  Mark Lam  <mark.lam@apple.com>
1021
1022         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1023         https://bugs.webkit.org/show_bug.cgi?id=193402
1024         <rdar://problem/46012309>
1025
1026         Reviewed by Keith Miller.
1027
1028         * stress/regexp-compile-oom.js:
1029         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1030           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1031
1032 2019-01-11  Saam barati  <sbarati@apple.com>
1033
1034         DFG combined liveness can be wrong for terminal basic blocks
1035         https://bugs.webkit.org/show_bug.cgi?id=193304
1036         <rdar://problem/45268632>
1037
1038         Reviewed by Yusuke Suzuki.
1039
1040         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1041
1042 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1043
1044         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1045         https://bugs.webkit.org/show_bug.cgi?id=193308
1046         <rdar://problem/45546542>
1047
1048         Reviewed by Saam Barati.
1049
1050         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1051         (shouldThrow):
1052         (shouldBe):
1053         (foo):
1054         (get shouldThrow):
1055         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1056         (shouldThrow):
1057         (shouldBe):
1058         (foo):
1059         (get shouldBe):
1060         (get shouldThrow):
1061         (get return):
1062         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1063         (shouldThrow):
1064         (shouldBe):
1065         (foo):
1066         (get shouldBe):
1067         (get shouldThrow):
1068         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1069         (shouldThrow):
1070         (shouldBe):
1071         (foo):
1072         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1073         (shouldThrow):
1074         (shouldBe):
1075         (foo):
1076         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1077         (shouldThrow):
1078         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1079         (shouldThrow):
1080         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1081         (shouldThrow):
1082         (shouldBe):
1083         (foo):
1084         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1085         (shouldThrow):
1086         (shouldBe):
1087         (foo):
1088         (get shouldBe):
1089         (get shouldThrow):
1090         (get return):
1091         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1092         (shouldThrow):
1093         (shouldBe):
1094         (foo):
1095         (get shouldBe):
1096         (get shouldThrow):
1097         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1098         (shouldThrow):
1099         (shouldBe):
1100         (foo):
1101         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1102         (shouldThrow):
1103         (shouldBe):
1104         (foo):
1105
1106 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1107
1108         Enable DFG on ARM/Linux again
1109         https://bugs.webkit.org/show_bug.cgi?id=192496
1110
1111         Reviewed by Yusuke Suzuki.
1112
1113         Test wasn't really skipped before moving the line with skip
1114         to the top.
1115
1116         * stress/regress-192717.js:
1117
1118 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1119
1120         Unreviewed, rolling out r239825.
1121         https://bugs.webkit.org/show_bug.cgi?id=193330
1122
1123         Broke tests on armv7/linux bots (Requested by guijemont on
1124         #webkit).
1125
1126         Reverted changeset:
1127
1128         "Enable DFG on ARM/Linux again"
1129         https://bugs.webkit.org/show_bug.cgi?id=192496
1130         https://trac.webkit.org/changeset/239825
1131
1132 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1133
1134         Enable DFG on ARM/Linux again
1135         https://bugs.webkit.org/show_bug.cgi?id=192496
1136
1137         Reviewed by Yusuke Suzuki.
1138
1139         Test wasn't really skipped before moving the line with skip
1140         to the top.
1141
1142         * stress/regress-192717.js:
1143
1144 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1145
1146         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1147         https://bugs.webkit.org/show_bug.cgi?id=193127
1148
1149         Reviewed by Saam Barati.
1150
1151         * stress/array-species-create-should-handle-masquerader.js: Added.
1152         (shouldThrow):
1153         * stress/is-undefined-or-null-builtin.js: Added.
1154         (shouldBe):
1155         (isUndefinedOrNull.vm.createBuiltin):
1156
1157 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1158
1159         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1160         https://bugs.webkit.org/show_bug.cgi?id=193221
1161
1162         Reviewed by Mark Lam.
1163
1164         * stress/put-by-id-flags.js: Added.
1165         (f):
1166         (g):
1167         (numberOfDFGCompiles):
1168
1169 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1170
1171         Baseline version of get_by_id may corrupt metadata
1172         https://bugs.webkit.org/show_bug.cgi?id=193085
1173         <rdar://problem/23453006>
1174
1175         Reviewed by Saam Barati.
1176
1177         * stress/get-by-id-change-mode.js: Added.
1178         (forEach):
1179
1180 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1181
1182         [JSC] Optimize Object.prototype.toString
1183         https://bugs.webkit.org/show_bug.cgi?id=193031
1184
1185         Reviewed by Saam Barati.
1186
1187         * stress/object-tostring-changed-proto.js: Added.
1188         (shouldBe):
1189         (test):
1190         * stress/object-tostring-changed.js: Added.
1191         (shouldBe):
1192         (test):
1193         * stress/object-tostring-misc.js: Added.
1194         (shouldBe):
1195         (test):
1196         (i.switch):
1197         * stress/object-tostring-other.js: Added.
1198         (shouldBe):
1199         (test):
1200         * stress/object-tostring-untyped.js: Added.
1201         (shouldBe):
1202         (test):
1203         (i.switch):
1204
1205 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1206
1207         test262-runner misbehaves when test file YAML has a trailing space
1208         https://bugs.webkit.org/show_bug.cgi?id=193053
1209
1210         Reviewed by Yusuke Suzuki.
1211
1212         * test262/expectations.yaml:
1213         Mark two dozen tests as passing (and correct the output of another).
1214
1215 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1216
1217         Unreviewed, JSTests gardening with memoryLimited
1218
1219         * stress/string-overflow-createError.js:
1220
1221 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1222
1223         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1224         https://bugs.webkit.org/show_bug.cgi?id=193050
1225
1226         Reviewed by Yusuke Suzuki.
1227
1228         * test262.yaml:
1229         * test262/expectations.yaml:
1230         Mark 16 tests as passing.
1231
1232 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1233
1234         [BigInt] Support BigInt in JSON.stringify
1235         https://bugs.webkit.org/show_bug.cgi?id=192624
1236
1237         Reviewed by Saam Barati.
1238
1239         * stress/big-int-json-stringify-to-json.js: Added.
1240         (shouldBe):
1241         (shouldThrow):
1242         (BigInt.prototype.toJSON):
1243         (shouldBe.JSON.stringify):
1244         * stress/big-int-json-stringify.js: Added.
1245         (shouldBe):
1246         (shouldThrow):
1247
1248 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1249
1250         [JSC] Implement "well-formed JSON.stringify" proposal
1251         https://bugs.webkit.org/show_bug.cgi?id=191677
1252
1253         Reviewed by Darin Adler.
1254
1255         * stress/json-surrogate-pair.js: Added.
1256         (shouldBe):
1257         * test262/expectations.yaml:
1258
1259 2018-12-20  Keith Miller  <keith_miller@apple.com>
1260
1261         Add support for globalThis
1262         https://bugs.webkit.org/show_bug.cgi?id=165171
1263
1264         Reviewed by Mark Lam.
1265
1266         * test262/config.yaml:
1267
1268 2018-12-19  Keith Miller  <keith_miller@apple.com>
1269
1270         Update test262 configuration to not run tests dependent on ICU version.
1271         https://bugs.webkit.org/show_bug.cgi?id=192920
1272
1273         Reviewed by Saam Barati.
1274
1275         * test262/expectations.yaml:
1276
1277 2018-12-20  Mark Lam  <mark.lam@apple.com>
1278
1279         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1280         https://bugs.webkit.org/show_bug.cgi?id=192939
1281         <rdar://problem/46869516>
1282
1283         Reviewed by Keith Miller.
1284
1285         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1286
1287 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1288
1289         WTF::String and StringImpl overflow MaxLength
1290         https://bugs.webkit.org/show_bug.cgi?id=192853
1291         <rdar://problem/45726906>
1292
1293         Reviewed by Mark Lam.
1294
1295         * stress/string-16bit-repeat-overflow.js: Added.
1296         (catch):
1297
1298 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1299
1300         Unreviewed follow-up to r192914.
1301
1302         * test262/expectations.yaml:
1303         Add the last 20 missing expectations.
1304
1305 2018-12-19  Keith Miller  <keith_miller@apple.com>
1306
1307         Fix test262 expectations
1308         https://bugs.webkit.org/show_bug.cgi?id=192914
1309
1310         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1311
1312         * test262/expectations.yaml:
1313
1314 2018-12-19  Keith Miller  <keith_miller@apple.com>
1315
1316         Update test262 tests.
1317         https://bugs.webkit.org/show_bug.cgi?id=192907
1318
1319         Rubber stamped by Mark Lam.
1320
1321         * test262/*: Omitted because prepare-changelog crashes.
1322
1323 2018-12-19  Mark Lam  <mark.lam@apple.com>
1324
1325         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1326         https://bugs.webkit.org/show_bug.cgi?id=192464
1327         <rdar://problem/46519455>
1328
1329         Reviewed by Saam Barati.
1330
1331         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1332         microbenchmark.
1333
1334         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1335         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1336
1337 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1338
1339         String overflow in JSC::createError results in ASSERT in WTF::makeString
1340         https://bugs.webkit.org/show_bug.cgi?id=192833
1341         <rdar://problem/45706868>
1342
1343         Reviewed by Mark Lam.
1344
1345         * stress/string-overflow-createError.js: Added.
1346
1347 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1348
1349         Error message for `-x ** y` contains a typo.
1350         https://bugs.webkit.org/show_bug.cgi?id=192832
1351
1352         Reviewed by Saam Barati.
1353
1354         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1355         (assert.assert.return.throws):
1356         * stress/pow-expects-update-expression-on-lhs.js:
1357         (throw.new.Error):
1358         Update test expectations which match against the exact error message.
1359
1360 2018-12-18  Mark Lam  <mark.lam@apple.com>
1361
1362         Gardening: test options fix.
1363         https://bugs.webkit.org/show_bug.cgi?id=192822
1364
1365         Unreviewed.
1366
1367         * stress/json-stringify-string-builder-overflow.js:
1368
1369 2018-12-18  Mark Lam  <mark.lam@apple.com>
1370
1371         JSON.stringify() should throw OOM on StringBuilder overflows.
1372         https://bugs.webkit.org/show_bug.cgi?id=192822
1373         <rdar://problem/46670577>
1374
1375         Reviewed by Saam Barati.
1376
1377         * stress/json-stringify-string-builder-overflow.js: Added.
1378
1379 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1380
1381         Redeclaration of var over let/const/class should be a syntax error.
1382         https://bugs.webkit.org/show_bug.cgi?id=192298
1383
1384         Reviewed by Keith Miller.
1385
1386         * test262.yaml:
1387         * test262/expectations.yaml:
1388         Mark 46 tests as passing.
1389
1390         * stress/block-scope-redeclarations.js:
1391         Add some new tests.
1392
1393         * stress/for-in-invalidate-context-weird-assignments.js:
1394         * stress/for-in-tests.js:
1395         Replace tests for outdated behavior with tests for SyntaxError.
1396
1397         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1398         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1399         Update expectations.
1400
1401 2018-12-18  Mark Lam  <mark.lam@apple.com>
1402
1403         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1404         https://bugs.webkit.org/show_bug.cgi?id=191374
1405         <rdar://problem/46525447>
1406
1407         Reviewed by Yusuke Suzuki.
1408
1409         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1410
1411         * stress/elidable-new-object-roflcopter-then-exit.js:
1412
1413 2018-12-17  Mark Lam  <mark.lam@apple.com>
1414
1415         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1416         https://bugs.webkit.org/show_bug.cgi?id=192019
1417         <rdar://problem/46525456>
1418
1419         Reviewed by Yusuke Suzuki.
1420
1421         The test runs too slow on 32-bit.
1422
1423         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1424
1425 2018-12-17  Mark Lam  <mark.lam@apple.com>
1426
1427         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1428         https://bugs.webkit.org/show_bug.cgi?id=191373
1429         <rdar://problem/46525458>
1430
1431         Reviewed by Yusuke Suzuki.
1432
1433         The test is already slow running with a JIT on 64-bit.  It will always timeout
1434         on 32-bit without a JIT.
1435
1436         * stress/materialize-regexp-cyclic-regexp.js:
1437
1438 2018-12-17  Mark Lam  <mark.lam@apple.com>
1439
1440         Array unshift/shift should not race against the AI in the compiler thread.
1441         https://bugs.webkit.org/show_bug.cgi?id=192795
1442         <rdar://problem/46724263>
1443
1444         Reviewed by Saam Barati.
1445
1446         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1447
1448 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1449
1450         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1451         https://bugs.webkit.org/show_bug.cgi?id=190047
1452
1453         Reviewed by Saam Barati.
1454
1455         * stress/object-keys-cached-zero.js: Added.
1456         (shouldBe):
1457         (test):
1458         * stress/object-keys-changed-attribute.js: Added.
1459         (shouldBe):
1460         (test):
1461         * stress/object-keys-changed-index.js: Added.
1462         (shouldBe):
1463         (test):
1464         * stress/object-keys-changed.js: Added.
1465         (shouldBe):
1466         (test):
1467         * stress/object-keys-indexed-non-cache.js: Added.
1468         (shouldBe):
1469         (test):
1470         * stress/object-keys-overrides-get-property-names.js: Added.
1471         (shouldBe):
1472         (test):
1473         (noInline):
1474
1475 2018-12-17  Mark Lam  <mark.lam@apple.com>
1476
1477         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1478         https://bugs.webkit.org/show_bug.cgi?id=192779
1479         <rdar://problem/46775869>
1480
1481         Reviewed by Saam Barati.
1482
1483         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1484
1485 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1486
1487         Unreviewed test gardening, address a syntax error in a new test.
1488
1489         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1490
1491 2018-12-17  Mark Lam  <mark.lam@apple.com>
1492
1493         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1494         https://bugs.webkit.org/show_bug.cgi?id=192776
1495         <rdar://problem/46772368>
1496
1497         Reviewed by Keith Miller.
1498
1499         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1500
1501 2018-12-17  Mark Lam  <mark.lam@apple.com>
1502
1503         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1504         https://bugs.webkit.org/show_bug.cgi?id=192770
1505         <rdar://problem/46449037>
1506
1507         Reviewed by Keith Miller.
1508
1509         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1510
1511 2018-12-14  Mark Lam  <mark.lam@apple.com>
1512
1513         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1514         https://bugs.webkit.org/show_bug.cgi?id=192717
1515         <rdar://problem/46660677>
1516
1517         Reviewed by Saam Barati.
1518
1519         * stress/regress-192717.js: Added.
1520
1521 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1522
1523         Unreviewed, rolling out r239153, r239154, and r239155.
1524         https://bugs.webkit.org/show_bug.cgi?id=192715
1525
1526         Caused flaky GC-related crashes seen with layout tests
1527         (Requested by ryanhaddad on #webkit).
1528
1529         Reverted changesets:
1530
1531         "[JSC] Optimize Object.keys by caching own keys results in
1532         StructureRareData"
1533         https://bugs.webkit.org/show_bug.cgi?id=190047
1534         https://trac.webkit.org/changeset/239153
1535
1536         "Unreviewed, build fix after r239153"
1537         https://bugs.webkit.org/show_bug.cgi?id=190047
1538         https://trac.webkit.org/changeset/239154
1539
1540         "Unreviewed, build fix after r239153, part 2"
1541         https://bugs.webkit.org/show_bug.cgi?id=190047
1542         https://trac.webkit.org/changeset/239155
1543
1544 2018-12-14  Keith Miller  <keith_miller@apple.com>
1545
1546         Callers of JSString::getIndex should check for OOM exceptions
1547         https://bugs.webkit.org/show_bug.cgi?id=192709
1548
1549         Reviewed by Mark Lam.
1550
1551         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1552
1553 2018-12-13  Mark Lam  <mark.lam@apple.com>
1554
1555         Add a missing exception check.
1556         https://bugs.webkit.org/show_bug.cgi?id=192626
1557         <rdar://problem/46662163>
1558
1559         Reviewed by Keith Miller.
1560
1561         * stress/regress-192626.js: Added.
1562
1563 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1564
1565         [BigInt] Add ValueDiv into DFG
1566         https://bugs.webkit.org/show_bug.cgi?id=186178
1567
1568         Reviewed by Yusuke Suzuki.
1569
1570         * stress/big-int-div-jit-osr.js: Added.
1571         * stress/big-int-div-jit-untyped.js: Added.
1572         * stress/value-div-fixup-int32-big-int.js: Added.
1573
1574 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1575
1576         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1577         https://bugs.webkit.org/show_bug.cgi?id=190047
1578
1579         Reviewed by Keith Miller.
1580
1581         * stress/object-keys-cached-zero.js: Added.
1582         (shouldBe):
1583         (test):
1584         * stress/object-keys-changed-attribute.js: Added.
1585         (shouldBe):
1586         (test):
1587         * stress/object-keys-changed-index.js: Added.
1588         (shouldBe):
1589         (test):
1590         * stress/object-keys-changed.js: Added.
1591         (shouldBe):
1592         (test):
1593         * stress/object-keys-indexed-non-cache.js: Added.
1594         (shouldBe):
1595         (test):
1596         * stress/object-keys-overrides-get-property-names.js: Added.
1597         (shouldBe):
1598         (test):
1599         (noInline):
1600
1601 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1602
1603         [DFG][FTL] Add NewSymbol
1604         https://bugs.webkit.org/show_bug.cgi?id=192620
1605
1606         Reviewed by Saam Barati.
1607
1608         * microbenchmarks/symbol-creation.js: Added.
1609         (test):
1610         * stress/symbol-description-identity.js: Added.
1611         (shouldBe):
1612         (test):
1613         * stress/symbol-identity.js: Added.
1614         (shouldBe):
1615         (test):
1616         * stress/symbol-with-description-throw-error.js: Added.
1617         (shouldBe):
1618         (shouldThrow):
1619         (test):
1620         (object.toString):
1621
1622 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1623
1624         [BigInt] Implement DFG/FTL typeof for BigInt
1625         https://bugs.webkit.org/show_bug.cgi?id=192619
1626
1627         Reviewed by Keith Miller.
1628
1629         * stress/big-int-boolean-proven-type.js: Added.
1630         (assert):
1631         (bool):
1632         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1633         (assert):
1634         (typeOf):
1635         (i.switch):
1636         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1637         (assert):
1638         (typeOf):
1639         * stress/big-int-type-of.js:
1640         (typeOf):
1641         (func):
1642
1643 2018-12-10  Mark Lam  <mark.lam@apple.com>
1644
1645         PropertyAttribute needs a CustomValue bit.
1646         https://bugs.webkit.org/show_bug.cgi?id=191993
1647         <rdar://problem/46264467>
1648
1649         Reviewed by Saam Barati.
1650
1651         * stress/regress-191993.js: Added.
1652
1653 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1654
1655         [BigInt] Add ValueMul into DFG
1656         https://bugs.webkit.org/show_bug.cgi?id=186175
1657
1658         Reviewed by Yusuke Suzuki.
1659
1660         * stress/big-int-mul-jit-osr.js: Added.
1661         * stress/big-int-mul-jit-untyped.js: Added.
1662         * stress/value-mul-fixup-int32-big-int.js: Added.
1663
1664 2018-12-06  Keith Miller  <keith_miller@apple.com>
1665
1666         stress/big-wasm-memory tests failing on 32-bit JSC bot
1667         https://bugs.webkit.org/show_bug.cgi?id=192020
1668
1669         Reviewed by Saam Barati.
1670
1671         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1672         the wasm stress tests if the WebAssembly object does not exist.
1673
1674         * stress/big-wasm-memory-grow-no-max.js:
1675         (test.foo):
1676         (test):
1677         (foo): Deleted.
1678         (catch): Deleted.
1679         * stress/big-wasm-memory-grow.js:
1680         (test.foo):
1681         (test):
1682         (foo): Deleted.
1683         (catch): Deleted.
1684         * stress/big-wasm-memory.js:
1685         (test.foo):
1686         (test):
1687         (foo): Deleted.
1688         (catch): Deleted.
1689
1690 2018-12-05  Mark Lam  <mark.lam@apple.com>
1691
1692         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1693         https://bugs.webkit.org/show_bug.cgi?id=192441
1694         <rdar://problem/46480355>
1695
1696         Reviewed by Saam Barati.
1697
1698         * stress/regress-192441.js: Added.
1699
1700 2018-12-04  Mark Lam  <mark.lam@apple.com>
1701
1702         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1703         https://bugs.webkit.org/show_bug.cgi?id=192386
1704         <rdar://problem/46445516>
1705
1706         Reviewed by Saam Barati.
1707
1708         * stress/regress-192386.js: Added.
1709
1710 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1711
1712         [ESNext][BigInt] Support logic operations
1713         https://bugs.webkit.org/show_bug.cgi?id=179903
1714
1715         Reviewed by Yusuke Suzuki.
1716
1717         * stress/big-int-branch-usage.js: Added.
1718         * stress/big-int-logical-and.js: Added.
1719         * stress/big-int-logical-not.js: Added.
1720         * stress/big-int-logical-or.js: Added.
1721
1722 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1723
1724         Unreviewed, rolling out r238833.
1725
1726         Breaks macOS and iOS debug builds.
1727
1728         Reverted changeset:
1729
1730         "[ESNext][BigInt] Support logic operations"
1731         https://bugs.webkit.org/show_bug.cgi?id=179903
1732         https://trac.webkit.org/changeset/238833
1733
1734 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1735
1736         [ESNext][BigInt] Support logic operations
1737         https://bugs.webkit.org/show_bug.cgi?id=179903
1738
1739         Reviewed by Yusuke Suzuki.
1740
1741         * stress/big-int-branch-usage.js: Added.
1742         * stress/big-int-logical-and.js: Added.
1743         * stress/big-int-logical-not.js: Added.
1744         * stress/big-int-logical-or.js: Added.
1745
1746 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1747
1748         [ESNext][BigInt] Implement support for "<<" and ">>"
1749         https://bugs.webkit.org/show_bug.cgi?id=186233
1750
1751         Reviewed by Yusuke Suzuki.
1752
1753         * stress/big-int-left-shift-general.js: Added.
1754         * stress/big-int-left-shift-range-error.js: Added.
1755         * stress/big-int-left-shift-type-error.js: Added.
1756         * stress/big-int-left-shift-wrapped-value.js: Added.
1757         * stress/big-int-right-shift-general.js: Added.
1758         * stress/big-int-right-shift-type-error.js: Added.
1759         * stress/big-int-right-shift-wrapped-value.js: Added.
1760         * stress/left-shift-to-primitive-precedence.js: Added.
1761         * stress/right-shift-to-primitive-precedence.js: Added.
1762
1763 2018-11-30  Dean Jackson  <dino@apple.com>
1764
1765         Add first-class support for .mjs files in jsc binary
1766         https://bugs.webkit.org/show_bug.cgi?id=192190
1767         <rdar://problem/46375715>
1768
1769         Reviewed by Keith Miller.
1770
1771         * stress/simple-module.mjs: Added.
1772         * stress/simple-script.js: Added.
1773
1774 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1775
1776         [BigInt] Implement ValueBitXor into DFG
1777         https://bugs.webkit.org/show_bug.cgi?id=190264
1778
1779         Reviewed by Yusuke Suzuki.
1780
1781         * stress/big-int-bitwise-xor-jit.js: Added.
1782         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1783         * stress/big-int-bitwise-xor-untyped.js: Added.
1784
1785 2018-11-27  Saam barati  <sbarati@apple.com>
1786
1787         r238510 broke scopes of size zero
1788         https://bugs.webkit.org/show_bug.cgi?id=192033
1789         <rdar://problem/46281734>
1790
1791         Reviewed by Keith Miller.
1792
1793         * stress/r238510-bad-loop.js: Added.
1794         (foo):
1795
1796 2018-11-27  Mark Lam  <mark.lam@apple.com>
1797
1798         [Re-landing] NaNs read from Wasm code needs to be purified.
1799         https://bugs.webkit.org/show_bug.cgi?id=191056
1800         <rdar://problem/45660341>
1801
1802         Reviewed by Filip Pizlo.
1803
1804         * wasm/regress/regress-191056.js: Added.
1805
1806 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1807
1808         Unreviewed, rolling out r238509.
1809
1810         Causes JSC tests to fail on iOS.
1811
1812         Reverted changeset:
1813
1814         "NaNs read from Wasm code needs to be purified."
1815         https://bugs.webkit.org/show_bug.cgi?id=191056
1816         https://trac.webkit.org/changeset/238509
1817
1818 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1819
1820         Re-introduce op_bitnot
1821         https://bugs.webkit.org/show_bug.cgi?id=190923
1822
1823         Reviewed by Yusuke Suzuki.
1824
1825         * stress/bit-not-must-generate.js: Added.
1826         * stress/bitwise-not-no-int32.js: Added.
1827
1828 2018-11-26  Saam barati  <sbarati@apple.com>
1829
1830         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1831         https://bugs.webkit.org/show_bug.cgi?id=191956
1832         <rdar://problem/45665806>
1833
1834         Reviewed by Yusuke Suzuki.
1835
1836         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1837         (bar):
1838         (foo):
1839
1840 2018-11-26  Saam barati  <sbarati@apple.com>
1841
1842         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1843         https://bugs.webkit.org/show_bug.cgi?id=191958
1844         <rdar://problem/46221877>
1845
1846         Reviewed by Yusuke Suzuki.
1847
1848         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1849         (x):
1850         (foo):
1851
1852 2018-11-26  Mark Lam  <mark.lam@apple.com>
1853
1854         NaNs read from Wasm code needs to be purified.
1855         https://bugs.webkit.org/show_bug.cgi?id=191056
1856         <rdar://problem/45660341>
1857
1858         Reviewed by Filip Pizlo.
1859
1860         * wasm/regress/regress-191056.js: Added.
1861
1862 2018-11-26  Michael Saboff  <msaboff@apple.com>
1863
1864         32-bit JSC test failure: stress/regexp-compile-oom.js
1865         https://bugs.webkit.org/show_bug.cgi?id=191375
1866
1867         Reviewed by Mark Lam.
1868
1869         Disabled the test for 32 bit platforms.
1870
1871         * stress/regexp-compile-oom.js:
1872
1873 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1874
1875         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1876         https://bugs.webkit.org/show_bug.cgi?id=191716
1877         <rdar://problem/45723878>
1878
1879         Reviewed by Saam Barati.
1880
1881         * stress/regress-187373.js: Added.
1882         (async.fn):
1883
1884 2018-11-21  Saam barati  <sbarati@apple.com>
1885
1886         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1887         https://bugs.webkit.org/show_bug.cgi?id=191897
1888         <rdar://problem/45871998>
1889
1890         Reviewed by Mark Lam.
1891
1892         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1893         (bar):
1894         (foo):
1895
1896 2018-11-21  Saam barati  <sbarati@apple.com>
1897
1898         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1899         https://bugs.webkit.org/show_bug.cgi?id=191895
1900         <rdar://problem/46167406>
1901
1902         Reviewed by Mark Lam.
1903
1904         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1905         (foo):
1906         (bar):
1907
1908 2018-11-21  Mark Lam  <mark.lam@apple.com>
1909
1910         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1911         https://bugs.webkit.org/show_bug.cgi?id=191776
1912         <rdar://problem/46152851>
1913
1914         Reviewed by Saam Barati.
1915
1916         * stress/big-wasm-memory-grow-no-max.js:
1917         * stress/big-wasm-memory-grow.js:
1918         * stress/big-wasm-memory.js:
1919         - updated these to expect an OutOfMemoryError.
1920
1921         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1922         (Binary.prototype.emit_u8):
1923         (Binary.prototype.emit_u32v):
1924         (Binary.prototype.emit_header):
1925         (Binary.prototype.emit_section):
1926         (Binary):
1927         (WasmModuleBuilder):
1928         (WasmModuleBuilder.prototype.addMemory):
1929         (WasmModuleBuilder.prototype.toArray):
1930         (WasmModuleBuilder.prototype.toBuffer):
1931         (WasmModuleBuilder.prototype.instantiate):
1932         (catch):
1933         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1934         (catch):
1935
1936 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1937
1938         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1939         https://bugs.webkit.org/show_bug.cgi?id=190836
1940
1941         Reviewed by Saam Barati and Yusuke Suzuki.
1942
1943         * stress/big-int-out-of-memory-tests.js: Added.
1944
1945 2018-11-20  Mark Lam  <mark.lam@apple.com>
1946
1947         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1948         https://bugs.webkit.org/show_bug.cgi?id=191856
1949         <rdar://problem/46089992>
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         * stress/regress-191856.js: Added.
1954         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1955
1956 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1957
1958         Enable JIT on ARM/Linux
1959         https://bugs.webkit.org/show_bug.cgi?id=191548
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         Disable test on system with limited memory. Program was killed by
1964         the OS before the exception was thrown.
1965
1966         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1967
1968 2018-11-20  Saam barati  <sbarati@apple.com>
1969
1970         Merging an IC variant may lead to the IC status containing overlapping structure sets
1971         https://bugs.webkit.org/show_bug.cgi?id=191869
1972         <rdar://problem/45403453>
1973
1974         Reviewed by Mark Lam.
1975
1976         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1977
1978 2018-11-19  Mark Lam  <mark.lam@apple.com>
1979
1980         globalFuncImportModule() should return a promise when it clears exceptions.
1981         https://bugs.webkit.org/show_bug.cgi?id=191792
1982         <rdar://problem/46090763>
1983
1984         Reviewed by Michael Saboff.
1985
1986         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1987
1988 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1989
1990         Skip new memory-hungry tests on memory limited devices
1991
1992         Unreviewed gardening.
1993
1994         * stress/big-wasm-memory-grow-no-max.js:
1995         * stress/big-wasm-memory-grow.js:
1996         * stress/big-wasm-memory.js:
1997
1998 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1999
2000         Unreviewed, rolling in the rest of r237254
2001         https://bugs.webkit.org/show_bug.cgi?id=190340
2002
2003         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2004         * stress/function-cache-with-parameters-end-position.js: Added.
2005         (shouldBe):
2006         (shouldThrow):
2007         (i.anonymous):
2008         * stress/function-constructor-name.js: Added.
2009         (shouldBe):
2010         (GeneratorFunction):
2011         (AsyncFunction.async):
2012         (AsyncGeneratorFunction.async):
2013         (anonymous):
2014         (async.anonymous):
2015         * test262/expectations.yaml:
2016
2017 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2018
2019         All users of ArrayBuffer should agree on the same max size
2020         https://bugs.webkit.org/show_bug.cgi?id=191771
2021
2022         Reviewed by Mark Lam.
2023
2024         * stress/big-wasm-memory-grow-no-max.js: Added.
2025         (foo):
2026         (catch):
2027         * stress/big-wasm-memory-grow.js: Added.
2028         (foo):
2029         (catch):
2030         * stress/big-wasm-memory.js: Added.
2031         (foo):
2032         (catch):
2033
2034 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2035
2036         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2037         run for each JSC config since they're regression tests for runtime bugs.
2038
2039         * stress/json-stringified-overflow-2.js:
2040         * stress/json-stringified-overflow.js:
2041
2042 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2043
2044         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2045         config since they're regression tests for runtime bugs.
2046
2047         * stress/large-unshift-splice.js:
2048         * stress/regress-185888.js:
2049
2050 2018-11-16  Saam Barati  <sbarati@apple.com>
2051
2052         KnownCellUse should also have SpecCellCheck as its type filter
2053         https://bugs.webkit.org/show_bug.cgi?id=191729
2054         <rdar://problem/45872852>
2055
2056         Reviewed by Filip Pizlo.
2057
2058         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2059         (C):
2060
2061 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2062
2063         Fix assertion failure on BytecodeGenerator::recordOpcode
2064         https://bugs.webkit.org/show_bug.cgi?id=191724
2065         <rdar://problem/45724395>
2066
2067         Reviewed by Saam Barati.
2068
2069         * stress/regress-187373-2.js: Added.
2070         (foo):
2071
2072 2018-11-15  Mark Lam  <mark.lam@apple.com>
2073
2074         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2075         https://bugs.webkit.org/show_bug.cgi?id=191730
2076         <rdar://problem/46048517>
2077
2078         Reviewed by Saam Barati.
2079
2080         * stress/regress-187006.js: Removed.
2081           - this test is invalid because its sole purpose is to test for the non-spec
2082             compliant behavior that we just fixed.
2083
2084         * stress/regress-191730.js: Added.
2085
2086 2018-11-15  Mark Lam  <mark.lam@apple.com>
2087
2088         RegExp operations should not take fast path if lastIndex is not numeric.
2089         https://bugs.webkit.org/show_bug.cgi?id=191731
2090         <rdar://problem/46017305>
2091
2092         Reviewed by Saam Barati.
2093
2094         * stress/regress-191731.js: Added.
2095
2096 2018-11-13  Saam Barati  <sbarati@apple.com>
2097
2098         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2099         https://bugs.webkit.org/show_bug.cgi?id=191600
2100
2101         Reviewed by Mark Lam.
2102
2103         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2104         (foo):
2105         (test):
2106         (bar):
2107
2108 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2109
2110         Unreviewed, rolling out r238132.
2111
2112         The test added with this change is timing out on Debug JSC
2113         bots.
2114
2115         Reverted changeset:
2116
2117         "[BigInt] JSBigInt::createWithLength should throw when length
2118         is greater than JSBigInt::maxLength"
2119         https://bugs.webkit.org/show_bug.cgi?id=190836
2120         https://trac.webkit.org/changeset/238132
2121
2122 2018-11-13  Mark Lam  <mark.lam@apple.com>
2123
2124         Add OOM detection to StringPrototype's substituteBackreferences().
2125         https://bugs.webkit.org/show_bug.cgi?id=191563
2126         <rdar://problem/45720428>
2127
2128         Reviewed by Saam Barati.
2129
2130         * stress/regress-191563.js: Added.
2131
2132 2018-11-13  Mark Lam  <mark.lam@apple.com>
2133
2134         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2135         https://bugs.webkit.org/show_bug.cgi?id=191579
2136         <rdar://problem/45942472>
2137
2138         Reviewed by Saam Barati.
2139
2140         * stress/regress-191579.js: Added.
2141
2142 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2143
2144         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2145         https://bugs.webkit.org/show_bug.cgi?id=190836
2146
2147         Reviewed by Saam Barati.
2148
2149         * stress/big-int-out-of-memory-tests.js: Added.
2150
2151 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2152
2153         U+180E is no longer a whitespace character
2154         https://bugs.webkit.org/show_bug.cgi?id=191415
2155
2156         Reviewed by Saam Barati.
2157
2158         * ChakraCore/test/es5/regexSpace.baseline:
2159         * ChakraCore/test/es6/unicode_whitespace.js:
2160         Update tests to latest version.
2161         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2162
2163         * test262.yaml:
2164         * test262/config.yaml:
2165         * test262/expectations.yaml:
2166         Update expectations.
2167
2168 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2169
2170         [BigInt] Add support to BigInt into ValueAdd
2171         https://bugs.webkit.org/show_bug.cgi?id=186177
2172
2173         Reviewed by Keith Miller.
2174
2175         * stress/big-int-negate-jit.js:
2176         * stress/value-add-big-int-and-string.js: Added.
2177         * stress/value-add-big-int-prediction-propagation.js: Added.
2178         * stress/value-add-big-int-untyped.js: Added.
2179
2180 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2181
2182         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2183         https://bugs.webkit.org/show_bug.cgi?id=191184
2184
2185         Reviewed by Saam Barati.
2186
2187         Most tests were failing due to timeouts, since they are too slow to
2188         run on CLoop. The exceptions are:
2189
2190         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2191         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2192         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2193         to change the stack size since CLoop requires it to be page aligned.
2194
2195         * microbenchmarks/array-push-1.js:
2196         * microbenchmarks/array-push-2.js:
2197         * microbenchmarks/elidable-new-object-dag.js:
2198         * microbenchmarks/elidable-new-object-roflcopter.js:
2199         * microbenchmarks/elidable-new-object-tree.js:
2200         * microbenchmarks/getter-richards.js:
2201         * microbenchmarks/sinkable-new-object-dag.js:
2202         * microbenchmarks/string-concat-long-convert.js:
2203         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2204         * slowMicrobenchmarks/array-push-3.js:
2205         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2206         * slowMicrobenchmarks/spread-small-array.js:
2207         * slowMicrobenchmarks/undefined-property-access.js:
2208         * stress/activation-sink-default-value-tdz-error.js:
2209         * stress/activation-sink-default-value.js:
2210         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2211         * stress/activation-sink-osrexit-default-value.js:
2212         * stress/activation-sink-osrexit.js:
2213         * stress/activation-sink.js:
2214         * stress/allow-math-ic-b3-code-duplication.js:
2215         * stress/array-push-multiple-int32.js:
2216         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2217         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2218         * stress/arrowfunction-lexical-this-activation-sink.js:
2219         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2220         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2221         * stress/elide-new-object-dag-then-exit.js:
2222         * stress/materialize-regexp-cyclic.js:
2223         * stress/new-regex-inline.js:
2224         * stress/op_add.js:
2225         * stress/op_bitand.js:
2226         * stress/op_bitor.js:
2227         * stress/op_bitxor.js:
2228         * stress/op_div-ConstVar.js:
2229         * stress/op_div-VarConst.js:
2230         * stress/op_div-VarVar.js:
2231         * stress/op_lshift-ConstVar.js:
2232         * stress/op_lshift-VarConst.js:
2233         * stress/op_lshift-VarVar.js:
2234         * stress/op_mod-ConstVar.js:
2235         * stress/op_mod-VarConst.js:
2236         * stress/op_mod-VarVar.js:
2237         * stress/op_mul-ConstVar.js:
2238         * stress/op_mul-VarConst.js:
2239         * stress/op_mul-VarVar.js:
2240         * stress/op_rshift-ConstVar.js:
2241         * stress/op_rshift-VarConst.js:
2242         * stress/op_rshift-VarVar.js:
2243         * stress/op_sub-ConstVar.js:
2244         * stress/op_sub-VarConst.js:
2245         * stress/op_sub-VarVar.js:
2246         * stress/op_urshift-ConstVar.js:
2247         * stress/op_urshift-VarConst.js:
2248         * stress/op_urshift-VarVar.js:
2249         * stress/proxy-get-set-correct-receiver.js:
2250         * stress/regress-179562.js:
2251         * stress/rest-parameter-many-arguments.js:
2252         * stress/sampling-profiler-richards.js:
2253         * stress/splay-flash-access-1ms.js:
2254         * stress/tailCallForwardArguments.js:
2255         * stress/typed-array-get-by-val-profiling.js:
2256         * typeProfiler/getter-richards.js:
2257
2258 2018-11-06  Michael Saboff  <msaboff@apple.com>
2259
2260         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2261         https://bugs.webkit.org/show_bug.cgi?id=191271
2262
2263         Reviewed by Saam Barati.
2264
2265         Added more test cases and made all test cases run with the same deeply recursive stack
2266         instead of finding that same point for each test case.
2267
2268         * stress/regexp-compile-oom.js:
2269         (prototype.runTest):
2270         (recurseAndTest):
2271         (testList.push.new.TestAndExpectedException):
2272
2273 2018-11-05  Michael Saboff  <msaboff@apple.com>
2274
2275         Unreviewed build fix for linux.
2276
2277         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2278
2279 2018-11-02  Michael Saboff  <msaboff@apple.com>
2280
2281         Rolling in r237753 with unreviewed build fix.
2282
2283         Fixed issues with DECLARE_THROW_SCOPE placement.
2284
2285 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2286
2287         Unreviewed, rolling out r237753.
2288
2289         Introduced JSC test failures
2290
2291         Reverted changeset:
2292
2293         "Running out of stack space not properly handled in
2294         RegExp::compile() and its callers"
2295         https://bugs.webkit.org/show_bug.cgi?id=191206
2296         https://trac.webkit.org/changeset/237753
2297
2298 2018-11-02  Michael Saboff  <msaboff@apple.com>
2299
2300         Running out of stack space not properly handled in RegExp::compile() and its callers
2301         https://bugs.webkit.org/show_bug.cgi?id=191206
2302
2303         Reviewed by Filip Pizlo.
2304
2305         New regression test.
2306
2307         * stress/regexp-compile-oom.js: Added.
2308         (recurseAndTest):
2309
2310 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2311
2312         Skip tests on arm/mips that time out now we're running on CLoop
2313
2314         Unreviewed gardening.
2315
2316         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2317         time out on the bots and need to be disabled. There's more tests
2318         disabled on arm because the timeout is longer on the mips bot (as the
2319         device is slower to start with), so many of the tests don't time out
2320         there.
2321
2322         * microbenchmarks/getter-richards.js: disable on arm and mips.
2323         * stress/op_add.js: disable on arm.
2324         * stress/op_bitand.js: disable on arm.
2325         * stress/op_bitor.js: disable on arm.
2326         * stress/op_bitxor.js: disable on arm.
2327         * stress/op_lshift-ConstVar.js: disable on arm.
2328         * stress/op_lshift-VarConst.js: disable on arm.
2329         * stress/op_lshift-VarVar.js: disable on arm.
2330         * stress/op_mod-ConstVar.js: disable on arm.
2331         * stress/op_mod-VarConst.js: disable on arm.
2332         * stress/op_mod-VarVar.js: disable on arm.
2333         * stress/op_mul-ConstVar.js: disable on arm.
2334         * stress/op_mul-VarConst.js: disable on arm.
2335         * stress/op_mul-VarVar.js: disable on arm.
2336         * stress/op_rshift-ConstVar.js: disable on arm.
2337         * stress/op_rshift-VarConst.js: disable on arm.
2338         * stress/op_rshift-VarVar.js: disable on arm.
2339         * stress/op_sub-ConstVar.js: disable on arm.
2340         * stress/op_sub-VarConst.js: disable on arm.
2341         * stress/op_sub-VarVar.js: disable on arm.
2342         * stress/op_urshift-ConstVar.js: disable on arm.
2343         * stress/op_urshift-VarConst.js: disable on arm.
2344         * stress/op_urshift-VarVar.js: disable on arm.
2345         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2346         * stress/value-to-boolean.js: disable on arm and mips.
2347
2348 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2349
2350         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2351         https://bugs.webkit.org/show_bug.cgi?id=191108
2352         <rdar://problem/45690700>
2353
2354         Reviewed by Saam Barati.
2355
2356         * stress/wide-op_catch.js: Added.
2357         (catch):
2358
2359 2018-10-29  Mark Lam  <mark.lam@apple.com>
2360
2361         Correctly detect string overflow when using the 'Function' constructor.
2362         https://bugs.webkit.org/show_bug.cgi?id=184883
2363         <rdar://problem/36320331>
2364
2365         Reviewed by Saam Barati.
2366
2367         I've verified that this passes on 32-bit as well.
2368
2369         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2370
2371 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2372
2373         Add support for GetStack FlushedDouble
2374         https://bugs.webkit.org/show_bug.cgi?id=191012
2375         <rdar://problem/45265141>
2376
2377         Reviewed by Saam Barati.
2378
2379         * stress/get-stack-double.js: Added.
2380         (bar):
2381         (noInline):
2382
2383 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2384
2385         New bytecode format for JSC
2386         https://bugs.webkit.org/show_bug.cgi?id=187373
2387         <rdar://problem/44186758>
2388
2389         Reviewed by Filip Pizlo.
2390
2391         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2392
2393         * stress/maximum-inline-capacity.js: Added.
2394         (test1):
2395         (test3.Foo):
2396         (test3):
2397
2398 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2399
2400         Unreviewed, rolling out r237479 and r237484.
2401         https://bugs.webkit.org/show_bug.cgi?id=190978
2402
2403         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2404
2405         Reverted changesets:
2406
2407         "New bytecode format for JSC"
2408         https://bugs.webkit.org/show_bug.cgi?id=187373
2409         https://trac.webkit.org/changeset/237479
2410
2411         "Gardening: Build fix after r237479."
2412         https://bugs.webkit.org/show_bug.cgi?id=187373
2413         https://trac.webkit.org/changeset/237484
2414
2415 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2416
2417         New bytecode format for JSC
2418         https://bugs.webkit.org/show_bug.cgi?id=187373
2419         <rdar://problem/44186758>
2420
2421         Reviewed by Filip Pizlo.
2422
2423         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2424
2425         * stress/maximum-inline-capacity.js: Added.
2426         (test1):
2427         (test3.Foo):
2428         (test3):
2429
2430 2018-10-26  Mark Lam  <mark.lam@apple.com>
2431
2432         Fix missing edge cases with JSGlobalObjects having a bad time.
2433         https://bugs.webkit.org/show_bug.cgi?id=189028
2434         <rdar://problem/45204939>
2435
2436         Reviewed by Saam Barati.
2437
2438         * stress/regress-189028.js: Added.
2439
2440 2018-10-22  Mark Lam  <mark.lam@apple.com>
2441
2442         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2443         https://bugs.webkit.org/show_bug.cgi?id=190515
2444         <rdar://problem/45222379>
2445
2446         Rubber-stamped by Saam Barati.
2447
2448         Adding another test.
2449
2450         * stress/regress-190515-2.js: Added.
2451
2452 2018-10-22  Mark Lam  <mark.lam@apple.com>
2453
2454         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2455         https://bugs.webkit.org/show_bug.cgi?id=190515
2456         <rdar://problem/45222379>
2457
2458         Reviewed by Saam Barati.
2459
2460         * stress/regress-190515.js: Added.
2461
2462 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2463
2464         Unreviewed, rolling out r237254.
2465         https://bugs.webkit.org/show_bug.cgi?id=190760
2466
2467         "It regresses JetStream 2 by 5% on some iOS devices"
2468         (Requested by saamyjoon on #webkit).
2469
2470         Reverted changeset:
2471
2472         "[JSC] JSC should have "parseFunction" to optimize Function
2473         constructor"
2474         https://bugs.webkit.org/show_bug.cgi?id=190340
2475         https://trac.webkit.org/changeset/237254
2476
2477 2018-10-19  Saam Barati  <sbarati@apple.com>
2478
2479         vmCall should check if we exit before emitting an OSR exit due to exceptions
2480         https://bugs.webkit.org/show_bug.cgi?id=190740
2481         <rdar://problem/45220139>
2482
2483         Reviewed by Mark Lam.
2484
2485         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2486         (foo):
2487
2488 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2489
2490         [ESNext][BigInt] Implement support for "^"
2491         https://bugs.webkit.org/show_bug.cgi?id=186235
2492
2493         Reviewed by Yusuke Suzuki.
2494
2495         * stress/big-int-bitwise-xor-general.js: Added.
2496         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2497         * stress/big-int-bitwise-xor-type-error.js: Added.
2498         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2499
2500 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2501
2502         [BigInt] Add ValueSub into DFG
2503         https://bugs.webkit.org/show_bug.cgi?id=186176
2504
2505         Reviewed by Yusuke Suzuki.
2506
2507         * stress/big-int-subtraction-jit.js:
2508         * stress/value-sub-big-int-prediction-propagation.js: Added.
2509         * stress/value-sub-big-int-untyped.js: Added.
2510         * stress/value-sub-spec-none-case.js: Added.
2511
2512 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2513
2514         [JSC] JSC should have "parseFunction" to optimize Function constructor
2515         https://bugs.webkit.org/show_bug.cgi?id=190340
2516
2517         Reviewed by Mark Lam.
2518
2519         This patch fixes the line number of syntax errors raised by the Function constructor,
2520         since we now parse the final code only once. And we no longer use block statement
2521         for Function constructor's parsing.
2522
2523         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2524         * stress/function-cache-with-parameters-end-position.js: Added.
2525         (shouldBe):
2526         (shouldThrow):
2527         (i.anonymous):
2528         * stress/function-constructor-name.js: Added.
2529         (shouldBe):
2530         (GeneratorFunction):
2531         (AsyncFunction.async):
2532         (AsyncGeneratorFunction.async):
2533         (anonymous):
2534         (async.anonymous):
2535         * test262/expectations.yaml:
2536
2537 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2538
2539         Unreviewed, rolling out r237242.
2540         https://bugs.webkit.org/show_bug.cgi?id=190701
2541
2542         it breaks "stress/sampling-profiler-basic.js" (Requested by
2543         caiolima on #webkit).
2544
2545         Reverted changeset:
2546
2547         "[BigInt] Add ValueSub into DFG"
2548         https://bugs.webkit.org/show_bug.cgi?id=186176
2549         https://trac.webkit.org/changeset/237242
2550
2551 2018-10-17  Keith Miller  <keith_miller@apple.com>
2552
2553         AI does not clear Phantom allocation nodes.
2554         https://bugs.webkit.org/show_bug.cgi?id=190694
2555
2556         Reviewed by Saam Barati.
2557
2558         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2559         (Day):
2560         (DaysInYear):
2561         (TimeInYear):
2562         (TimeFromYear):
2563         (DayFromYear):
2564         (InLeapYear):
2565         (YearFromTime):
2566         (WeekDay):
2567         (DaylightSavingTA):
2568         (GetSecondSundayInMarch):
2569         (TimeInMonth):
2570
2571 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2572
2573         [BigInt] Add ValueSub into DFG
2574         https://bugs.webkit.org/show_bug.cgi?id=186176
2575
2576         Reviewed by Yusuke Suzuki.
2577
2578         * stress/big-int-subtraction-jit.js:
2579         * stress/value-sub-big-int-prediction-propagation.js: Added.
2580         * stress/value-sub-big-int-untyped.js: Added.
2581
2582 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2583
2584         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2585         https://bugs.webkit.org/show_bug.cgi?id=190611
2586
2587         Reviewed by Saam Barati.
2588
2589         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2590         to improve test runtime. On ARM/MIPS this test even timed out when running all
2591         tests.
2592
2593         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2594         (test):
2595
2596 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2597
2598         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2599
2600         Unreviewed gardening.
2601
2602         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2603
2604 2018-10-15  Saam barati  <sbarati@apple.com>
2605
2606         Emit fjcvtzs on ARM64E on Darwin
2607         https://bugs.webkit.org/show_bug.cgi?id=184023
2608
2609         Reviewed by Yusuke Suzuki and Filip Pizlo.
2610
2611         * stress/double-to-int32-NaN.js: Added.
2612         (assert):
2613         (foo):
2614
2615 2018-10-15  Saam Barati  <sbarati@apple.com>
2616
2617         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2618         https://bugs.webkit.org/show_bug.cgi?id=190262
2619         <rdar://problem/44986241>
2620
2621         Reviewed by Mark Lam.
2622
2623         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2624         (test):
2625         * stress/slice-array-storage-with-holes.js: Added.
2626         (main):
2627
2628 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2629
2630         Unreviewed, rolling out r237054.
2631         https://bugs.webkit.org/show_bug.cgi?id=190593
2632
2633         "this regressed JetStream 2 by 6% on iOS" (Requested by
2634         saamyjoon on #webkit).
2635
2636         Reverted changeset:
2637
2638         "[JSC] JSC should have "parseFunction" to optimize Function
2639         constructor"
2640         https://bugs.webkit.org/show_bug.cgi?id=190340
2641         https://trac.webkit.org/changeset/237054
2642
2643 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2644
2645         [JSC] JSON.stringify can accept call-with-no-arguments
2646         https://bugs.webkit.org/show_bug.cgi?id=190343
2647
2648         Reviewed by Mark Lam.
2649
2650         * stress/json-stringify-no-arguments.js: Added.
2651         (shouldBe):
2652
2653 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2654
2655         [JSC] JSC should have "parseFunction" to optimize Function constructor
2656         https://bugs.webkit.org/show_bug.cgi?id=190340
2657
2658         Reviewed by Mark Lam.
2659
2660         This patch fixes the line number of syntax errors raised by the Function constructor,
2661         since we now parse the final code only once. And we no longer use block statement
2662         for Function constructor's parsing.
2663
2664         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2665         * stress/function-cache-with-parameters-end-position.js: Added.
2666         (shouldBe):
2667         (shouldThrow):
2668         (i.anonymous):
2669         * stress/function-constructor-name.js: Added.
2670         (shouldBe):
2671         (GeneratorFunction):
2672         (AsyncFunction.async):
2673         (AsyncGeneratorFunction.async):
2674         (anonymous):
2675         (async.anonymous):
2676         * test262/expectations.yaml:
2677
2678 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2679
2680         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2681         https://bugs.webkit.org/show_bug.cgi?id=190426
2682
2683         Unreviewed gardening.
2684
2685         * stress/sampling-profiler-richards.js:
2686
2687 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2688
2689         [ESNext][BigInt] Implement support for "|"
2690         https://bugs.webkit.org/show_bug.cgi?id=186229
2691
2692         Reviewed by Yusuke Suzuki.
2693
2694         * stress/big-int-bitwise-and-jit.js:
2695         * stress/big-int-bitwise-or-general.js: Added.
2696         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2697         * stress/big-int-bitwise-or-jit.js: Added.
2698         * stress/big-int-bitwise-or-memory-stress.js: Added.
2699         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2700         * stress/big-int-bitwise-or-type-error.js: Added.
2701         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2702
2703 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2704
2705         Skip test on systems with limited memory
2706         https://bugs.webkit.org/show_bug.cgi?id=190310
2707
2708         Invoking runDefault adds test to runlist; skipping the test in the next
2709         line does not prevent the test from executing. Change order of lines such
2710         that runDefault is only executed if test is not executed.
2711
2712         Reviewed by Mark Lam.
2713
2714         * stress/regress-190187.js:
2715
2716 2018-10-03  Saam barati  <sbarati@apple.com>
2717
2718         lowXYZ in FTLLower should always filter the type of the incoming edge
2719         https://bugs.webkit.org/show_bug.cgi?id=189939
2720         <rdar://problem/44407030>
2721
2722         Reviewed by Michael Saboff.
2723
2724         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2725         (foo):
2726         (test):
2727
2728 2018-10-03  Mark Lam  <mark.lam@apple.com>
2729
2730         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2731         https://bugs.webkit.org/show_bug.cgi?id=190187
2732         <rdar://problem/42512909>
2733
2734         Reviewed by Michael Saboff.
2735
2736         * stress/regress-190187.js: Added.
2737
2738 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2739
2740         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2741         https://bugs.webkit.org/show_bug.cgi?id=190033
2742
2743         Reviewed by Yusuke Suzuki.
2744
2745         * stress/big-int-to-string.js:
2746
2747 2018-10-01  Mark Lam  <mark.lam@apple.com>
2748
2749         Function.toString() should also copy the source code of Functions that are class definitions.
2750         https://bugs.webkit.org/show_bug.cgi?id=190186
2751         <rdar://problem/44733360>
2752
2753         Reviewed by Saam Barati.
2754
2755         * stress/regress-190186.js: Added.
2756
2757 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2758
2759         Split NaN-check into separate test
2760         https://bugs.webkit.org/show_bug.cgi?id=190010
2761
2762         Reviewed by Saam Barati.
2763
2764         DataView exposes NaN-representation, which is not necessarily the same on each
2765         architecture. Therefore move the check of the NaN-representation into its own
2766         file such that we can disable this test on MIPS where NaN-representation can be
2767         different on older CPUs.
2768
2769         * stress/dataview-jit-set-nan.js: Added.
2770         (assert):
2771         (test.storeLittleEndian):
2772         (test.storeBigEndian):
2773         (test.store):
2774         (test):
2775         * stress/dataview-jit-set.js:
2776         (test5):
2777
2778 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2779
2780         Unreviewed, rolling out r236647.
2781         https://bugs.webkit.org/show_bug.cgi?id=190124
2782
2783         Breaking test stress/big-int-to-string.js (Requested by
2784         caiolima_ on #webkit).
2785
2786         Reverted changeset:
2787
2788         "[BigInt] BigInt.prototype.toString is broken when radix is
2789         power of 2"
2790         https://bugs.webkit.org/show_bug.cgi?id=190033
2791         https://trac.webkit.org/changeset/236647
2792
2793 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2794
2795         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2796         https://bugs.webkit.org/show_bug.cgi?id=190033
2797
2798         Reviewed by Yusuke Suzuki.
2799
2800         * stress/big-int-to-string.js:
2801
2802 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2803
2804         [ESNext][BigInt] Implement support for "&"
2805         https://bugs.webkit.org/show_bug.cgi?id=186228
2806
2807         Reviewed by Yusuke Suzuki.
2808
2809         * stress/big-int-bitwise-and-general.js: Added.
2810         (assert):
2811         (assert.sameValue):
2812         * stress/big-int-bitwise-and-jit.js: Added.
2813         (let.assert.sameValue):
2814         (bigIntBitAnd):
2815         * stress/big-int-bitwise-and-memory-stress.js: Added.
2816         (assert):
2817         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2818         (assert.sameValue):
2819         (let.o.Symbol.toPrimitive):
2820         (catch):
2821         * stress/big-int-bitwise-and-type-error.js: Added.
2822         (assert):
2823         (assertThrowTypeError):
2824         (let.o.valueOf):
2825         (o.valueOf):
2826         (o.toString):
2827         (o.Symbol.toPrimitive):
2828         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2829         (assert.sameValue):
2830         (testBitAnd):
2831         (let.o.Symbol.toPrimitive):
2832         (o.valueOf):
2833         (o.toString):
2834
2835 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2836
2837         JSC test stress/jsc-read.js doesn't support CRLF
2838         https://bugs.webkit.org/show_bug.cgi?id=190063
2839
2840         Reviewed by Yusuke Suzuki.
2841
2842         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2843
2844         * stress/jsc-read.js:
2845         (test):
2846
2847 2018-09-27  Saam barati  <sbarati@apple.com>
2848
2849         Verify the contents of AssemblerBuffer on arm64e
2850         https://bugs.webkit.org/show_bug.cgi?id=190057
2851         <rdar://problem/38916630>
2852
2853         Reviewed by Mark Lam.
2854
2855         * stress/regress-189132.js:
2856
2857 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2858
2859         Disable test without LLInt on ARMv7
2860         https://bugs.webkit.org/show_bug.cgi?id=190037
2861
2862         Reviewed by Mark Lam.
2863
2864         Test runs out of executable memory on ARMv7; do not run
2865         this test without LLInt enabled.
2866
2867         * stress/regress-169445.js:
2868
2869 2018-09-26  Keith Miller  <keith_miller@apple.com>
2870
2871         We should zero unused property storage when rebalancing array storage.
2872         https://bugs.webkit.org/show_bug.cgi?id=188151
2873
2874         Reviewed by Michael Saboff.
2875
2876         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2877
2878 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2879
2880         [JSC] Optimize Array#lastIndexOf
2881         https://bugs.webkit.org/show_bug.cgi?id=189780
2882
2883         Reviewed by Saam Barati.
2884
2885         * stress/array-lastindexof-array-prototype-trap.js: Added.
2886         (shouldBe):
2887         (AncestorArray.prototype.get 2):
2888         (AncestorArray):
2889         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2890         (shouldBe):
2891         * stress/array-lastindexof-hole-nan.js: Added.
2892         (shouldBe):
2893         (throw.new.Error):
2894         * stress/array-lastindexof-infinity.js: Added.
2895         (shouldBe):
2896         (throw.new.Error):
2897         * stress/array-lastindexof-negative-zero.js: Added.
2898         (shouldBe):
2899         (throw.new.Error):
2900         * stress/array-lastindexof-own-getter.js: Added.
2901         (shouldBe):
2902         (throw.new.Error.get array):
2903         (get array):
2904         * stress/array-lastindexof-prototype-trap.js: Added.
2905         (shouldBe):
2906         (DerivedArray.prototype.get 2):
2907         (DerivedArray):
2908
2909 2018-09-25  Saam Barati  <sbarati@apple.com>
2910
2911         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2912         https://bugs.webkit.org/show_bug.cgi?id=189940
2913         <rdar://problem/43640987>
2914
2915         Reviewed by Mark Lam.
2916
2917         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2918
2919 2018-09-24  Saam Barati  <sbarati@apple.com>
2920
2921         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2922         https://bugs.webkit.org/show_bug.cgi?id=189922
2923         <rdar://problem/44651275>
2924
2925         Reviewed by Mark Lam.
2926
2927         * stress/array-indexof-fast-path-effects.js: Added.
2928         * stress/array-indexof-cached-length.js: Added.
2929
2930 2018-09-24  Saam barati  <sbarati@apple.com>
2931
2932         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2933         https://bugs.webkit.org/show_bug.cgi?id=189682
2934         <rdar://problem/43557315>
2935
2936         Reviewed by Mark Lam.
2937
2938         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2939         (foo):
2940
2941 2018-09-22  Saam barati  <sbarati@apple.com>
2942
2943         The sampling should not use Strong<CodeBlock> in its machineLocation field
2944         https://bugs.webkit.org/show_bug.cgi?id=189319
2945
2946         Reviewed by Filip Pizlo.
2947
2948         * stress/sampling-profiler-richards.js: Added.
2949
2950 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2951
2952         [JSC] Optimize Array#indexOf in C++ runtime
2953         https://bugs.webkit.org/show_bug.cgi?id=189507
2954
2955         Reviewed by Saam Barati.
2956
2957         * stress/array-indexof-array-prototype-trap.js: Added.
2958         (shouldBe):
2959         (AncestorArray.prototype.get 2):
2960         (AncestorArray):
2961         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2962         (shouldBe):
2963         * stress/array-indexof-hole-nan.js: Added.
2964         (shouldBe):
2965         (throw.new.Error):
2966         * stress/array-indexof-infinity.js: Added.
2967         (shouldBe):
2968         (throw.new.Error):
2969         * stress/array-indexof-negative-zero.js: Added.
2970         (shouldBe):
2971         (throw.new.Error):
2972         * stress/array-indexof-own-getter.js: Added.
2973         (shouldBe):
2974         (throw.new.Error.get array):
2975         (get array):
2976         * stress/array-indexof-prototype-trap.js: Added.
2977         (shouldBe):
2978         (DerivedArray.prototype.get 2):
2979         (DerivedArray):
2980
2981 2018-09-19  Saam barati  <sbarati@apple.com>
2982
2983         AI rule for MultiPutByOffset executes its effects in the wrong order
2984         https://bugs.webkit.org/show_bug.cgi?id=189757
2985         <rdar://problem/43535257>
2986
2987         Reviewed by Michael Saboff.
2988
2989         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2990         (foo):
2991         (Foo):
2992         (g):
2993
2994 2018-09-17  Mark Lam  <mark.lam@apple.com>
2995
2996         Ensure that ForInContexts are invalidated if their loop local is over-written.
2997         https://bugs.webkit.org/show_bug.cgi?id=189571
2998         <rdar://problem/44402277>
2999
3000         Reviewed by Saam Barati.
3001
3002         * stress/regress-189571.js: Added.
3003
3004 2018-09-17  Saam barati  <sbarati@apple.com>
3005
3006         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3007         https://bugs.webkit.org/show_bug.cgi?id=189676
3008         <rdar://problem/39682897>
3009
3010         Reviewed by Michael Saboff.
3011
3012         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3013         (A):
3014         (K):
3015         (i.catch):
3016
3017 2018-09-14  Saam barati  <sbarati@apple.com>
3018
3019         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3020         https://bugs.webkit.org/show_bug.cgi?id=189628
3021         <rdar://problem/39481690>
3022
3023         Reviewed by Mark Lam.
3024
3025         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3026         (foo):
3027
3028 2018-09-11  Mark Lam  <mark.lam@apple.com>
3029
3030         Test for array initialization in arrayProtoFuncSplice.
3031         https://bugs.webkit.org/show_bug.cgi?id=170253
3032         <rdar://problem/31328773>
3033
3034         Rubber-stamped by Saam Barati.
3035
3036         * stress/regress-170253.js: Added.
3037
3038 2018-09-11  Mark Lam  <mark.lam@apple.com>
3039
3040         Test for IntlObject initialization.
3041         https://bugs.webkit.org/show_bug.cgi?id=170251
3042         <rdar://problem/31328419>
3043
3044         Rubber-stamped by Saam Barati.
3045
3046         * stress/regress-170251.js: Added.
3047
3048 2018-09-11  Mark Lam  <mark.lam@apple.com>
3049
3050         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3051         https://bugs.webkit.org/show_bug.cgi?id=169889
3052         <rdar://problem/31155607>
3053
3054         Reviewed by Saam Barati.
3055
3056         * stress/regress-169889-array-concat.js: Added.
3057         * stress/regress-169889-array-concat1.js: Added.
3058         * stress/regress-169889-array-slice.js: Added.
3059
3060 2018-09-11  Mark Lam  <mark.lam@apple.com>
3061
3062         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3063         https://bugs.webkit.org/show_bug.cgi?id=169445
3064         <rdar://problem/30957435>
3065
3066         Reviewed by Saam Barati.
3067
3068         * stress/regress-169445.js: Added.
3069         (let.gun.eval.A):
3070         (let.gun.eval.B.C):
3071         (let.gun.eval.B.C.prototype.trigger):
3072         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3073         (let.gun.eval.B):
3074         (let.gun.eval):
3075
3076 == Rolled over to ChangeLog-2018-09-11 ==