[WebKit-https.git] / JSTests / ChangeLog
2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
        (testUncheckedLessThanZero):
        (testUncheckedLessThanOrEqualZero):
        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r240220 due to date-format-xparb regression
        https://bugs.webkit.org/show_bug.cgi?id=193603

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.

2019-01-21  Caio Lima  <ticaiolima@gmail.com>

        DoesGC rule is wrong for nodes with BigIntUse
        https://bugs.webkit.org/show_bug.cgi?id=193652

        Reviewed by Saam Barati.

        * stress/big-int-value-op-update-gc-rules.js: Added.
        (assert):
        (doesGCAdd):
        (doesGCSub):
        (doesGCDiv):
        (doesGCMul):
        (doesGCBitAnd):
        (doesGCBitOr):
        (doesGCBitXor):

2019-01-20  Saam Barati  <sbarati@apple.com>

        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
        https://bugs.webkit.org/show_bug.cgi?id=193644
        <rdar://problem/46209745>

        Reviewed by Yusuke Suzuki.

        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
        (foo):
        * stress/data-view-set-intrinsic-undefined-result.js: Added.
        (foo):
        (bar):

2019-01-20  Saam Barati  <sbarati@apple.com>

        MovHint must merge NodeBytecodeUsesAsValue for its child
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.

2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-17  Saam barati  <sbarati@apple.com>

        StringObjectUse should not be a structure check for the original string object structure
        https://bugs.webkit.org/show_bug.cgi?id=193483
        <rdar://problem/47280522>

        Reviewed by Yusuke Suzuki.

        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
        (foo):
        (a.valueOf.0):

2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] ToThis omission in DFGByteCodeParser is wrong
        https://bugs.webkit.org/show_bug.cgi?id=193513
        <rdar://problem/45842236>

        Reviewed by Saam Barati.

        * stress/to-this-omission-with-different-strict-modes.js: Added.
        (thisA):
        (thisAStrictWrapper):

2019-01-15  Mark Lam  <mark.lam@apple.com>

        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
        https://bugs.webkit.org/show_bug.cgi?id=193423
        <rdar://problem/46209355>

        Reviewed by Saam Barati.

        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
        https://bugs.webkit.org/show_bug.cgi?id=193438
        <rdar://problem/45581249>

        Reviewed by Saam Barati and Keith Miller.

        Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
        Then, GetByVal(String) crashed.

        * stress/string-get-by-val-lowering.js: Added.
        (shouldBe):
        (test):
        * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
        (Hello):
        (foo):

2019-01-15  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip JIT tests if it's not enabled

        * stress/bit-op-with-object-returning-int32.js:

2019-01-15  Caio Lima  <ticaiolima@gmail.com>

        DFGByteCodeParser rules for bitwise operations should consider type of their operands
        https://bugs.webkit.org/show_bug.cgi?id=192966

        Reviewed by Yusuke Suzuki.

        * stress/bit-op-with-object-returning-int32.js: Added.

2019-01-15  Guillaume Emont  <guijemont@igalia.com>

        Skip a slow test and a flakey test on arm

        Unreviewed gardening.

        * typeProfiler/getter-richards.js:
        this test always times out, it used to be always skipped on arm and
        mips, but got accidentally enabled by r237919 now that we have DFG on
        arm. Also skipping on mips as we plan to soon enable DFG for it too.

2019-01-14  Keith Miller  <keith_miller@apple.com>

        Skip type-check-hoisting-phase-hoist... with no jit
        https://bugs.webkit.org/show_bug.cgi?id=193421

        Reviewed by Mark Lam.

        It's timing out the 32-bit bots and takes 330 seconds
        on my machine when run by itself.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] AI should check the given constant's array type when folding GetByVal into constant
        https://bugs.webkit.org/show_bug.cgi?id=193413
        <rdar://problem/46092389>

        Reviewed by Keith Miller.

        This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
        It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
        without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
        but GetByVal does not have appropriate ArrayModes, JSC crashes.

        * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
        (compareArray):

2019-01-14  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Literal parsing is crashing when used inside a Object Literal
        https://bugs.webkit.org/show_bug.cgi?id=193404

        Reviewed by Yusuke Suzuki.

        * stress/big-int-literal-inside-literal-object.js: Added.

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
        https://bugs.webkit.org/show_bug.cgi?id=193372

        Reviewed by Saam Barati.

        * stress/typed-array-array-modes-profile.js: Added.
        (foo):

2019-01-14  Mark Lam  <mark.lam@apple.com>

        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
        https://bugs.webkit.org/show_bug.cgi?id=193402
        <rdar://problem/46012309>

        Reviewed by Keith Miller.

        * stress/regexp-compile-oom.js:
        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
          is enabled.  As a result, it will fail on cloop builds though there is no bug.

2019-01-11  Saam barati  <sbarati@apple.com>

        DFG combined liveness can be wrong for terminal basic blocks
        https://bugs.webkit.org/show_bug.cgi?id=193304
        <rdar://problem/45268632>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.

2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
        https://bugs.webkit.org/show_bug.cgi?id=193308
        <rdar://problem/45546542>

        Reviewed by Saam Barati.

        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):

2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239825.
        https://bugs.webkit.org/show_bug.cgi?id=193330

        Broke tests on armv7/linux bots (Requested by guijemont on
        #webkit).

        Reverted changeset:

        "Enable DFG on ARM/Linux again"
        https://bugs.webkit.org/show_bug.cgi?id=192496
        https://trac.webkit.org/changeset/239825

2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=193127

        Reviewed by Saam Barati.

        * stress/array-species-create-should-handle-masquerader.js: Added.
        (shouldThrow):
        * stress/is-undefined-or-null-builtin.js: Added.
        (shouldBe):
        (isUndefinedOrNull.vm.createBuiltin):

2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>

        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
        https://bugs.webkit.org/show_bug.cgi?id=193221

        Reviewed by Mark Lam.

        * stress/put-by-id-flags.js: Added.
        (f):
        (g):
        (numberOfDFGCompiles):

2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>

        Baseline version of get_by_id may corrupt metadata
        https://bugs.webkit.org/show_bug.cgi?id=193085
        <rdar://problem/23453006>

        Reviewed by Saam Barati.

        * stress/get-by-id-change-mode.js: Added.
        (forEach):

2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.prototype.toString
        https://bugs.webkit.org/show_bug.cgi?id=193031

        Reviewed by Saam Barati.

        * stress/object-tostring-changed-proto.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-misc.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/object-tostring-other.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-untyped.js: Added.
        (shouldBe):
        (test):
        (i.switch):

2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>

        test262-runner misbehaves when test file YAML has a trailing space
        https://bugs.webkit.org/show_bug.cgi?id=193053

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml:
        Mark two dozen tests as passing (and correct the output of another).

2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, JSTests gardening with memoryLimited

        * stress/string-overflow-createError.js:

2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
        https://bugs.webkit.org/show_bug.cgi?id=193050

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 16 tests as passing.

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Support BigInt in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=192624

        Reviewed by Saam Barati.

        * stress/big-int-json-stringify-to-json.js: Added.
        (shouldBe):
        (shouldThrow):
        (BigInt.prototype.toJSON):
        (shouldBe.JSON.stringify):
        * stress/big-int-json-stringify.js: Added.
        (shouldBe):
        (shouldThrow):

2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Implement "well-formed JSON.stringify" proposal
        https://bugs.webkit.org/show_bug.cgi?id=191677

        Reviewed by Darin Adler.

        * stress/json-surrogate-pair.js: Added.
        (shouldBe):
        * test262/expectations.yaml:

2018-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for globalThis
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Mark Lam.

        * test262/config.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 configuration to not run tests dependent on ICU version.
        https://bugs.webkit.org/show_bug.cgi?id=192920

        Reviewed by Saam Barati.

        * test262/expectations.yaml:

2018-12-20  Mark Lam  <mark.lam@apple.com>

        Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
        https://bugs.webkit.org/show_bug.cgi?id=192939
        <rdar://problem/46869516>

        Reviewed by Keith Miller.

        * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.

2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>

        WTF::String and StringImpl overflow MaxLength
        https://bugs.webkit.org/show_bug.cgi?id=192853
        <rdar://problem/45726906>

        Reviewed by Mark Lam.

        * stress/string-16bit-repeat-overflow.js: Added.
        (catch):

2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r192914.

        * test262/expectations.yaml:
        Add the last 20 missing expectations.

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Fix test262 expectations
        https://bugs.webkit.org/show_bug.cgi?id=192914

        Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.

        * test262/expectations.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=192907

        Rubber stamped by Mark Lam.

        * test262/*: Omitted because prepare-changelog crashes.

2018-12-19  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
        https://bugs.webkit.org/show_bug.cgi?id=192464
        <rdar://problem/46519455>

        Reviewed by Saam Barati.

        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
        microbenchmark.

        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>

        String overflow in JSC::createError results in ASSERT in WTF::makeString
        https://bugs.webkit.org/show_bug.cgi?id=192833
        <rdar://problem/45706868>

        Reviewed by Mark Lam.

        * stress/string-overflow-createError.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Error message for `-x ** y` contains a typo.
        https://bugs.webkit.org/show_bug.cgi?id=192832

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/pow-expects-update-expression-on-lhs.js:
        (throw.new.Error):
        Update test expectations which match against the exact error message.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Gardening: test options fix.
        https://bugs.webkit.org/show_bug.cgi?id=192822

        Unreviewed.

        * stress/json-stringify-string-builder-overflow.js:

2018-12-18  Mark Lam  <mark.lam@apple.com>

        JSON.stringify() should throw OOM on StringBuilder overflows.
        https://bugs.webkit.org/show_bug.cgi?id=192822
        <rdar://problem/46670577>

        Reviewed by Saam Barati.

        * stress/json-stringify-string-builder-overflow.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Redeclaration of var over let/const/class should be a syntax error.
        https://bugs.webkit.org/show_bug.cgi?id=192298

        Reviewed by Keith Miller.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 46 tests as passing.

        * stress/block-scope-redeclarations.js:
        Add some new tests.

        * stress/for-in-invalidate-context-weird-assignments.js:
        * stress/for-in-tests.js:
        Replace tests for outdated behavior with tests for SyntaxError.

        * ChakraCore/test/LetConst/defer3.baseline-jsc:
        * ChakraCore/test/LetConst/letvar.baseline-jsc:
        Update expectations.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191374
        <rdar://problem/46525447>

        Reviewed by Yusuke Suzuki.

        This test runs too slow on 32-bit, and is not relevant for non-JIT builds.

        * stress/elidable-new-object-roflcopter-then-exit.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=192019
        <rdar://problem/46525456>

        Reviewed by Yusuke Suzuki.

        The test runs too slow on 32-bit.

        * stress/materialized-regexp-has-correct-last-index-set-by-match.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191373
        <rdar://problem/46525458>

        Reviewed by Yusuke Suzuki.

        The test is already slow running with a JIT on 64-bit.  It will always time out
        on 32-bit without a JIT.

        * stress/materialize-regexp-cyclic-regexp.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Array unshift/shift should not race against the AI in the compiler thread.
        https://bugs.webkit.org/show_bug.cgi?id=192795
        <rdar://problem/46724263>

        Reviewed by Saam Barati.

        * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.

2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Saam Barati.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-17  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
        https://bugs.webkit.org/show_bug.cgi?id=192779
        <rdar://problem/46775869>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, address a syntax error in a new test.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
        https://bugs.webkit.org/show_bug.cgi?id=192776
        <rdar://problem/46772368>

        Reviewed by Keith Miller.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
        https://bugs.webkit.org/show_bug.cgi?id=192770
        <rdar://problem/46449037>

        Reviewed by Keith Miller.

        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

2018-12-14  Mark Lam  <mark.lam@apple.com>

        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
        https://bugs.webkit.org/show_bug.cgi?id=192717
        <rdar://problem/46660677>

        Reviewed by Saam Barati.

        * stress/regress-192717.js: Added.

2018-12-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239153, r239154, and r239155.
        https://bugs.webkit.org/show_bug.cgi?id=192715

        Caused flaky GC-related crashes seen with layout tests
        (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "[JSC] Optimize Object.keys by caching own keys results in
        StructureRareData"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239153

        "Unreviewed, build fix after r239153"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239154

        "Unreviewed, build fix after r239153, part 2"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239155

2018-12-14  Keith Miller  <keith_miller@apple.com>

        Callers of JSString::getIndex should check for OOM exceptions
        https://bugs.webkit.org/show_bug.cgi?id=192709

        Reviewed by Mark Lam.

        * stress/StringObject-define-length-getter-rope-string-oom.js: Added.

2018-12-13  Mark Lam  <mark.lam@apple.com>

        Add a missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=192626
        <rdar://problem/46662163>

        Reviewed by Keith Miller.

        * stress/regress-192626.js: Added.

2018-12-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueDiv into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186178

        Reviewed by Yusuke Suzuki.

        * stress/big-int-div-jit-osr.js: Added.
        * stress/big-int-div-jit-untyped.js: Added.
        * stress/value-div-fixup-int32-big-int.js: Added.

2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Keith Miller.
922
923         Reviewed by Keith Miller.
924
925         * stress/object-keys-cached-zero.js: Added.
926         (shouldBe):
927         (test):
928         * stress/object-keys-changed-attribute.js: Added.
929         (shouldBe):
930         (test):
931         * stress/object-keys-changed-index.js: Added.
932         (shouldBe):
933         (test):
934         * stress/object-keys-changed.js: Added.
935         (shouldBe):
936         (test):
937         * stress/object-keys-indexed-non-cache.js: Added.
938         (shouldBe):
939         (test):
940         * stress/object-keys-overrides-get-property-names.js: Added.
941         (shouldBe):
942         (test):
943         (noInline):
944
945 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
946
947         [DFG][FTL] Add NewSymbol
948         https://bugs.webkit.org/show_bug.cgi?id=192620
949
950         Reviewed by Saam Barati.
951
952         * microbenchmarks/symbol-creation.js: Added.
953         (test):
954         * stress/symbol-description-identity.js: Added.
955         (shouldBe):
956         (test):
957         * stress/symbol-identity.js: Added.
958         (shouldBe):
959         (test):
960         * stress/symbol-with-description-throw-error.js: Added.
961         (shouldBe):
962         (shouldThrow):
963         (test):
964         (object.toString):
965
966 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
967
968         [BigInt] Implement DFG/FTL typeof for BigInt
969         https://bugs.webkit.org/show_bug.cgi?id=192619
970
971         Reviewed by Keith Miller.
972
973         * stress/big-int-boolean-proven-type.js: Added.
974         (assert):
975         (bool):
976         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
977         (assert):
978         (typeOf):
979         (i.switch):
980         * stress/big-int-type-of-proven-type-non-constant.js: Added.
981         (assert):
982         (typeOf):
983         * stress/big-int-type-of.js:
984         (typeOf):
985         (func):
986
987 2018-12-10  Mark Lam  <mark.lam@apple.com>
988
989         PropertyAttribute needs a CustomValue bit.
990         https://bugs.webkit.org/show_bug.cgi?id=191993
991         <rdar://problem/46264467>
992
993         Reviewed by Saam Barati.
994
995         * stress/regress-191993.js: Added.
996
997 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
998
999         [BigInt] Add ValueMul into DFG
1000         https://bugs.webkit.org/show_bug.cgi?id=186175
1001
1002         Reviewed by Yusuke Suzuki.
1003
1004         * stress/big-int-mul-jit-osr.js: Added.
1005         * stress/big-int-mul-jit-untyped.js: Added.
1006         * stress/value-mul-fixup-int32-big-int.js: Added.
1007
1008 2018-12-06  Keith Miller  <keith_miller@apple.com>
1009
1010         stress/big-wasm-memory tests failing on 32-bit JSC bot
1011         https://bugs.webkit.org/show_bug.cgi?id=192020
1012
1013         Reviewed by Saam Barati.
1014
1015         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1016         the wasm stress tests if the WebAssembly object does not exist.
1017
1018         * stress/big-wasm-memory-grow-no-max.js:
1019         (test.foo):
1020         (test):
1021         (foo): Deleted.
1022         (catch): Deleted.
1023         * stress/big-wasm-memory-grow.js:
1024         (test.foo):
1025         (test):
1026         (foo): Deleted.
1027         (catch): Deleted.
1028         * stress/big-wasm-memory.js:
1029         (test.foo):
1030         (test):
1031         (foo): Deleted.
1032         (catch): Deleted.
1033
1034 2018-12-05  Mark Lam  <mark.lam@apple.com>
1035
1036         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1037         https://bugs.webkit.org/show_bug.cgi?id=192441
1038         <rdar://problem/46480355>
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/regress-192441.js: Added.
1043
1044 2018-12-04  Mark Lam  <mark.lam@apple.com>
1045
1046         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1047         https://bugs.webkit.org/show_bug.cgi?id=192386
1048         <rdar://problem/46445516>
1049
1050         Reviewed by Saam Barati.
1051
1052         * stress/regress-192386.js: Added.
1053
1054 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1055
1056         [ESNext][BigInt] Support logic operations
1057         https://bugs.webkit.org/show_bug.cgi?id=179903
1058
1059         Reviewed by Yusuke Suzuki.
1060
1061         * stress/big-int-branch-usage.js: Added.
1062         * stress/big-int-logical-and.js: Added.
1063         * stress/big-int-logical-not.js: Added.
1064         * stress/big-int-logical-or.js: Added.
1065
1066 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1067
1068         Unreviewed, rolling out r238833.
1069
1070         Breaks macOS and iOS debug builds.
1071
1072         Reverted changeset:
1073
1074         "[ESNext][BigInt] Support logic operations"
1075         https://bugs.webkit.org/show_bug.cgi?id=179903
1076         https://trac.webkit.org/changeset/238833
1077
1078 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1079
1080         [ESNext][BigInt] Support logic operations
1081         https://bugs.webkit.org/show_bug.cgi?id=179903
1082
1083         Reviewed by Yusuke Suzuki.
1084
1085         * stress/big-int-branch-usage.js: Added.
1086         * stress/big-int-logical-and.js: Added.
1087         * stress/big-int-logical-not.js: Added.
1088         * stress/big-int-logical-or.js: Added.
1089
1090 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1091
1092         [ESNext][BigInt] Implement support for "<<" and ">>"
1093         https://bugs.webkit.org/show_bug.cgi?id=186233
1094
1095         Reviewed by Yusuke Suzuki.
1096
1097         * stress/big-int-left-shift-general.js: Added.
1098         * stress/big-int-left-shift-range-error.js: Added.
1099         * stress/big-int-left-shift-type-error.js: Added.
1100         * stress/big-int-left-shift-wrapped-value.js: Added.
1101         * stress/big-int-right-shift-general.js: Added.
1102         * stress/big-int-right-shift-type-error.js: Added.
1103         * stress/big-int-right-shift-wrapped-value.js: Added.
1104         * stress/left-shift-to-primitive-precedence.js: Added.
1105         * stress/right-shift-to-primitive-precedence.js: Added.
1106
1107 2018-11-30  Dean Jackson  <dino@apple.com>
1108
1109         Add first-class support for .mjs files in jsc binary
1110         https://bugs.webkit.org/show_bug.cgi?id=192190
1111         <rdar://problem/46375715>
1112
1113         Reviewed by Keith Miller.
1114
1115         * stress/simple-module.mjs: Added.
1116         * stress/simple-script.js: Added.
1117
1118 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1119
1120         [BigInt] Implement ValueBitXor into DFG
1121         https://bugs.webkit.org/show_bug.cgi?id=190264
1122
1123         Reviewed by Yusuke Suzuki.
1124
1125         * stress/big-int-bitwise-xor-jit.js: Added.
1126         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1127         * stress/big-int-bitwise-xor-untyped.js: Added.
1128
1129 2018-11-27  Saam barati  <sbarati@apple.com>
1130
1131         r238510 broke scopes of size zero
1132         https://bugs.webkit.org/show_bug.cgi?id=192033
1133         <rdar://problem/46281734>
1134
1135         Reviewed by Keith Miller.
1136
1137         * stress/r238510-bad-loop.js: Added.
1138         (foo):
1139
1140 2018-11-27  Mark Lam  <mark.lam@apple.com>
1141
1142         [Re-landing] NaNs read from Wasm code need to be purified.
1143         https://bugs.webkit.org/show_bug.cgi?id=191056
1144         <rdar://problem/45660341>
1145
1146         Reviewed by Filip Pizlo.
1147
1148         * wasm/regress/regress-191056.js: Added.
1149
1150 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1151
1152         Unreviewed, rolling out r238509.
1153
1154         Causes JSC tests to fail on iOS.
1155
1156         Reverted changeset:
1157
1158         "NaNs read from Wasm code need to be purified."
1159         https://bugs.webkit.org/show_bug.cgi?id=191056
1160         https://trac.webkit.org/changeset/238509
1161
1162 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1163
1164         Re-introduce op_bitnot
1165         https://bugs.webkit.org/show_bug.cgi?id=190923
1166
1167         Reviewed by Yusuke Suzuki.
1168
1169         * stress/bit-not-must-generate.js: Added.
1170         * stress/bitwise-not-no-int32.js: Added.
1171
1172 2018-11-26  Saam barati  <sbarati@apple.com>
1173
1174         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1175         https://bugs.webkit.org/show_bug.cgi?id=191956
1176         <rdar://problem/45665806>
1177
1178         Reviewed by Yusuke Suzuki.
1179
1180         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1181         (bar):
1182         (foo):
1183
1184 2018-11-26  Saam barati  <sbarati@apple.com>
1185
1186         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1187         https://bugs.webkit.org/show_bug.cgi?id=191958
1188         <rdar://problem/46221877>
1189
1190         Reviewed by Yusuke Suzuki.
1191
1192         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1193         (x):
1194         (foo):
1195
1196 2018-11-26  Mark Lam  <mark.lam@apple.com>
1197
1198         NaNs read from Wasm code need to be purified.
1199         https://bugs.webkit.org/show_bug.cgi?id=191056
1200         <rdar://problem/45660341>
1201
1202         Reviewed by Filip Pizlo.
1203
1204         * wasm/regress/regress-191056.js: Added.
1205
1206 2018-11-26  Michael Saboff  <msaboff@apple.com>
1207
1208         32-bit JSC test failure: stress/regexp-compile-oom.js
1209         https://bugs.webkit.org/show_bug.cgi?id=191375
1210
1211         Reviewed by Mark Lam.
1212
1213         Disabled the test for 32 bit platforms.
1214
1215         * stress/regexp-compile-oom.js:
1216
1217 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1218
1219         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1220         https://bugs.webkit.org/show_bug.cgi?id=191716
1221         <rdar://problem/45723878>
1222
1223         Reviewed by Saam Barati.
1224
1225         * stress/regress-187373.js: Added.
1226         (async.fn):
1227
1228 2018-11-21  Saam barati  <sbarati@apple.com>
1229
1230         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1231         https://bugs.webkit.org/show_bug.cgi?id=191897
1232         <rdar://problem/45871998>
1233
1234         Reviewed by Mark Lam.
1235
1236         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1237         (bar):
1238         (foo):
1239
1240 2018-11-21  Saam barati  <sbarati@apple.com>
1241
1242         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1243         https://bugs.webkit.org/show_bug.cgi?id=191895
1244         <rdar://problem/46167406>
1245
1246         Reviewed by Mark Lam.
1247
1248         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1249         (foo):
1250         (bar):
1251
1252 2018-11-21  Mark Lam  <mark.lam@apple.com>
1253
1254         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1255         https://bugs.webkit.org/show_bug.cgi?id=191776
1256         <rdar://problem/46152851>
1257
1258         Reviewed by Saam Barati.
1259
1260         * stress/big-wasm-memory-grow-no-max.js:
1261         * stress/big-wasm-memory-grow.js:
1262         * stress/big-wasm-memory.js:
1263         - updated these to expect an OutOfMemoryError.
1264
1265         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1266         (Binary.prototype.emit_u8):
1267         (Binary.prototype.emit_u32v):
1268         (Binary.prototype.emit_header):
1269         (Binary.prototype.emit_section):
1270         (Binary):
1271         (WasmModuleBuilder):
1272         (WasmModuleBuilder.prototype.addMemory):
1273         (WasmModuleBuilder.prototype.toArray):
1274         (WasmModuleBuilder.prototype.toBuffer):
1275         (WasmModuleBuilder.prototype.instantiate):
1276         (catch):
1277         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1278         (catch):
1279
1280 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1281
1282         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1283         https://bugs.webkit.org/show_bug.cgi?id=190836
1284
1285         Reviewed by Saam Barati and Yusuke Suzuki.
1286
1287         * stress/big-int-out-of-memory-tests.js: Added.
1288
1289 2018-11-20  Mark Lam  <mark.lam@apple.com>
1290
1291         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1292         https://bugs.webkit.org/show_bug.cgi?id=191856
1293         <rdar://problem/46089992>
1294
1295         Reviewed by Yusuke Suzuki.
1296
1297         * stress/regress-191856.js: Added.
1298         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1299
1300 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1301
1302         Enable JIT on ARM/Linux
1303         https://bugs.webkit.org/show_bug.cgi?id=191548
1304
1305         Reviewed by Yusuke Suzuki.
1306
1307         Disable test on system with limited memory. Program was killed by
1308         the OS before the exception was thrown.
1309
1310         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1311
1312 2018-11-20  Saam barati  <sbarati@apple.com>
1313
1314         Merging an IC variant may lead to the IC status containing overlapping structure sets
1315         https://bugs.webkit.org/show_bug.cgi?id=191869
1316         <rdar://problem/45403453>
1317
1318         Reviewed by Mark Lam.
1319
1320         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1321
1322 2018-11-19  Mark Lam  <mark.lam@apple.com>
1323
1324         globalFuncImportModule() should return a promise when it clears exceptions.
1325         https://bugs.webkit.org/show_bug.cgi?id=191792
1326         <rdar://problem/46090763>
1327
1328         Reviewed by Michael Saboff.
1329
1330         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1331
1332 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1333
1334         Skip new memory-hungry tests on memory limited devices
1335
1336         Unreviewed gardening.
1337
1338         * stress/big-wasm-memory-grow-no-max.js:
1339         * stress/big-wasm-memory-grow.js:
1340         * stress/big-wasm-memory.js:
1341
1342 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1343
1344         Unreviewed, rolling in the rest of r237254
1345         https://bugs.webkit.org/show_bug.cgi?id=190340
1346
1347         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1348         * stress/function-cache-with-parameters-end-position.js: Added.
1349         (shouldBe):
1350         (shouldThrow):
1351         (i.anonymous):
1352         * stress/function-constructor-name.js: Added.
1353         (shouldBe):
1354         (GeneratorFunction):
1355         (AsyncFunction.async):
1356         (AsyncGeneratorFunction.async):
1357         (anonymous):
1358         (async.anonymous):
1359         * test262/expectations.yaml:
1360
1361 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1362
1363         All users of ArrayBuffer should agree on the same max size
1364         https://bugs.webkit.org/show_bug.cgi?id=191771
1365
1366         Reviewed by Mark Lam.
1367
1368         * stress/big-wasm-memory-grow-no-max.js: Added.
1369         (foo):
1370         (catch):
1371         * stress/big-wasm-memory-grow.js: Added.
1372         (foo):
1373         (catch):
1374         * stress/big-wasm-memory.js: Added.
1375         (foo):
1376         (catch):
1377
1378 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1379
1380         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1381         run for each JSC config since they're regression tests for runtime bugs.
1382
1383         * stress/json-stringified-overflow-2.js:
1384         * stress/json-stringified-overflow.js:
1385
1386 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1387
1388         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1389         config since they're regression tests for runtime bugs.
1390
1391         * stress/large-unshift-splice.js:
1392         * stress/regress-185888.js:
1393
1394 2018-11-16  Saam Barati  <sbarati@apple.com>
1395
1396         KnownCellUse should also have SpecCellCheck as its type filter
1397         https://bugs.webkit.org/show_bug.cgi?id=191729
1398         <rdar://problem/45872852>
1399
1400         Reviewed by Filip Pizlo.
1401
1402         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1403         (C):
1404
1405 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1406
1407         Fix assertion failure on BytecodeGenerator::recordOpcode
1408         https://bugs.webkit.org/show_bug.cgi?id=191724
1409         <rdar://problem/45724395>
1410
1411         Reviewed by Saam Barati.
1412
1413         * stress/regress-187373-2.js: Added.
1414         (foo):
1415
1416 2018-11-15  Mark Lam  <mark.lam@apple.com>
1417
1418         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1419         https://bugs.webkit.org/show_bug.cgi?id=191730
1420         <rdar://problem/46048517>
1421
1422         Reviewed by Saam Barati.
1423
1424         * stress/regress-187006.js: Removed.
1425           - this test is invalid because its sole purpose is to test for the non-spec
1426             compliant behavior that we just fixed.
1427
1428         * stress/regress-191730.js: Added.
1429
1430 2018-11-15  Mark Lam  <mark.lam@apple.com>
1431
1432         RegExp operations should not take fast path if lastIndex is not numeric.
1433         https://bugs.webkit.org/show_bug.cgi?id=191731
1434         <rdar://problem/46017305>
1435
1436         Reviewed by Saam Barati.
1437
1438         * stress/regress-191731.js: Added.
1439
1440 2018-11-13  Saam Barati  <sbarati@apple.com>
1441
1442         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1443         https://bugs.webkit.org/show_bug.cgi?id=191600
1444
1445         Reviewed by Mark Lam.
1446
1447         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1448         (foo):
1449         (test):
1450         (bar):
1451
1452 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1453
1454         Unreviewed, rolling out r238132.
1455
1456         The test added with this change is timing out on Debug JSC
1457         bots.
1458
1459         Reverted changeset:
1460
1461         "[BigInt] JSBigInt::createWithLength should throw when length
1462         is greater than JSBigInt::maxLength"
1463         https://bugs.webkit.org/show_bug.cgi?id=190836
1464         https://trac.webkit.org/changeset/238132
1465
1466 2018-11-13  Mark Lam  <mark.lam@apple.com>
1467
1468         Add OOM detection to StringPrototype's substituteBackreferences().
1469         https://bugs.webkit.org/show_bug.cgi?id=191563
1470         <rdar://problem/45720428>
1471
1472         Reviewed by Saam Barati.
1473
1474         * stress/regress-191563.js: Added.
1475
1476 2018-11-13  Mark Lam  <mark.lam@apple.com>
1477
1478         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1479         https://bugs.webkit.org/show_bug.cgi?id=191579
1480         <rdar://problem/45942472>
1481
1482         Reviewed by Saam Barati.
1483
1484         * stress/regress-191579.js: Added.
1485
1486 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1487
1488         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1489         https://bugs.webkit.org/show_bug.cgi?id=190836
1490
1491         Reviewed by Saam Barati.
1492
1493         * stress/big-int-out-of-memory-tests.js: Added.
1494
1495 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1496
1497         U+180E is no longer a whitespace character
1498         https://bugs.webkit.org/show_bug.cgi?id=191415
1499
1500         Reviewed by Saam Barati.
1501
1502         * ChakraCore/test/es5/regexSpace.baseline:
1503         * ChakraCore/test/es6/unicode_whitespace.js:
1504         Update tests to latest version.
1505         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1506
1507         * test262.yaml:
1508         * test262/config.yaml:
1509         * test262/expectations.yaml:
1510         Update expectations.
1511
1512 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1513
1514         [BigInt] Add support to BigInt into ValueAdd
1515         https://bugs.webkit.org/show_bug.cgi?id=186177
1516
1517         Reviewed by Keith Miller.
1518
1519         * stress/big-int-negate-jit.js:
1520         * stress/value-add-big-int-and-string.js: Added.
1521         * stress/value-add-big-int-prediction-propagation.js: Added.
1522         * stress/value-add-big-int-untyped.js: Added.
1523
1524 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1525
1526         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1527         https://bugs.webkit.org/show_bug.cgi?id=191184
1528
1529         Reviewed by Saam Barati.
1530
1531         Most tests were failing due to timeouts, since they are too slow to
1532         run on CLoop. The exceptions are:
1533
1534         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1535         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1536         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1537         to change the stack size since CLoop requires it to be page aligned.
1538
1539         * microbenchmarks/array-push-1.js:
1540         * microbenchmarks/array-push-2.js:
1541         * microbenchmarks/elidable-new-object-dag.js:
1542         * microbenchmarks/elidable-new-object-roflcopter.js:
1543         * microbenchmarks/elidable-new-object-tree.js:
1544         * microbenchmarks/getter-richards.js:
1545         * microbenchmarks/sinkable-new-object-dag.js:
1546         * microbenchmarks/string-concat-long-convert.js:
1547         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1548         * slowMicrobenchmarks/array-push-3.js:
1549         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1550         * slowMicrobenchmarks/spread-small-array.js:
1551         * slowMicrobenchmarks/undefined-property-access.js:
1552         * stress/activation-sink-default-value-tdz-error.js:
1553         * stress/activation-sink-default-value.js:
1554         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1555         * stress/activation-sink-osrexit-default-value.js:
1556         * stress/activation-sink-osrexit.js:
1557         * stress/activation-sink.js:
1558         * stress/allow-math-ic-b3-code-duplication.js:
1559         * stress/array-push-multiple-int32.js:
1560         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1561         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1562         * stress/arrowfunction-lexical-this-activation-sink.js:
1563         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1564         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1565         * stress/elide-new-object-dag-then-exit.js:
1566         * stress/materialize-regexp-cyclic.js:
1567         * stress/new-regex-inline.js:
1568         * stress/op_add.js:
1569         * stress/op_bitand.js:
1570         * stress/op_bitor.js:
1571         * stress/op_bitxor.js:
1572         * stress/op_div-ConstVar.js:
1573         * stress/op_div-VarConst.js:
1574         * stress/op_div-VarVar.js:
1575         * stress/op_lshift-ConstVar.js:
1576         * stress/op_lshift-VarConst.js:
1577         * stress/op_lshift-VarVar.js:
1578         * stress/op_mod-ConstVar.js:
1579         * stress/op_mod-VarConst.js:
1580         * stress/op_mod-VarVar.js:
1581         * stress/op_mul-ConstVar.js:
1582         * stress/op_mul-VarConst.js:
1583         * stress/op_mul-VarVar.js:
1584         * stress/op_rshift-ConstVar.js:
1585         * stress/op_rshift-VarConst.js:
1586         * stress/op_rshift-VarVar.js:
1587         * stress/op_sub-ConstVar.js:
1588         * stress/op_sub-VarConst.js:
1589         * stress/op_sub-VarVar.js:
1590         * stress/op_urshift-ConstVar.js:
1591         * stress/op_urshift-VarConst.js:
1592         * stress/op_urshift-VarVar.js:
1593         * stress/proxy-get-set-correct-receiver.js:
1594         * stress/regress-179562.js:
1595         * stress/rest-parameter-many-arguments.js:
1596         * stress/sampling-profiler-richards.js:
1597         * stress/splay-flash-access-1ms.js:
1598         * stress/tailCallForwardArguments.js:
1599         * stress/typed-array-get-by-val-profiling.js:
1600         * typeProfiler/getter-richards.js:
1601
1602 2018-11-06  Michael Saboff  <msaboff@apple.com>
1603
1604         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1605         https://bugs.webkit.org/show_bug.cgi?id=191271
1606
1607         Reviewed by Saam Barati.
1608
1609         Added more test cases and made all test cases run with the same deeply recursive stack
1610         instead of finding that same point for each test case.
1611
1612         * stress/regexp-compile-oom.js:
1613         (prototype.runTest):
1614         (recurseAndTest):
1615         (testList.push.new.TestAndExpectedException):
1616
1617 2018-11-05  Michael Saboff  <msaboff@apple.com>
1618
1619         Unreviewed build fix for linux.
1620
1621         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1622
1623 2018-11-02  Michael Saboff  <msaboff@apple.com>
1624
1625         Rolling in r237753 with unreviewed build fix.
1626
1627         Fixed issues with DECLARE_THROW_SCOPE placement.
1628
1629 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1630
1631         Unreviewed, rolling out r237753.
1632
1633         Introduced JSC test failures
1634
1635         Reverted changeset:
1636
1637         "Running out of stack space not properly handled in
1638         RegExp::compile() and its callers"
1639         https://bugs.webkit.org/show_bug.cgi?id=191206
1640         https://trac.webkit.org/changeset/237753
1641
1642 2018-11-02  Michael Saboff  <msaboff@apple.com>
1643
1644         Running out of stack space not properly handled in RegExp::compile() and its callers
1645         https://bugs.webkit.org/show_bug.cgi?id=191206
1646
1647         Reviewed by Filip Pizlo.
1648
1649         New regression test.
1650
1651         * stress/regexp-compile-oom.js: Added.
1652         (recurseAndTest):
1653
1654 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1655
1656         Skip tests on arm/mips that time out now we're running on CLoop
1657
1658         Unreviewed gardening.
1659
1660         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1661         time out on the bots and need to be disabled. There's more tests
1662         disabled on arm because the timeout is longer on the mips bot (as the
1663         device is slower to start with), so many of the tests don't time out
1664         there.
1665
1666         * microbenchmarks/getter-richards.js: disable on arm and mips.
1667         * stress/op_add.js: disable on arm.
1668         * stress/op_bitand.js: disable on arm.
1669         * stress/op_bitor.js: disable on arm.
1670         * stress/op_bitxor.js: disable on arm.
1671         * stress/op_lshift-ConstVar.js: disable on arm.
1672         * stress/op_lshift-VarConst.js: disable on arm.
1673         * stress/op_lshift-VarVar.js: disable on arm.
1674         * stress/op_mod-ConstVar.js: disable on arm.
1675         * stress/op_mod-VarConst.js: disable on arm.
1676         * stress/op_mod-VarVar.js: disable on arm.
1677         * stress/op_mul-ConstVar.js: disable on arm.
1678         * stress/op_mul-VarConst.js: disable on arm.
1679         * stress/op_mul-VarVar.js: disable on arm.
1680         * stress/op_rshift-ConstVar.js: disable on arm.
1681         * stress/op_rshift-VarConst.js: disable on arm.
1682         * stress/op_rshift-VarVar.js: disable on arm.
1683         * stress/op_sub-ConstVar.js: disable on arm.
1684         * stress/op_sub-VarConst.js: disable on arm.
1685         * stress/op_sub-VarVar.js: disable on arm.
1686         * stress/op_urshift-ConstVar.js: disable on arm.
1687         * stress/op_urshift-VarConst.js: disable on arm.
1688         * stress/op_urshift-VarVar.js: disable on arm.
1689         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1690         * stress/value-to-boolean.js: disable on arm and mips.
1691
1692 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1693
1694         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1695         https://bugs.webkit.org/show_bug.cgi?id=191108
1696         <rdar://problem/45690700>
1697
1698         Reviewed by Saam Barati.
1699
1700         * stress/wide-op_catch.js: Added.
1701         (catch):
1702
1703 2018-10-29  Mark Lam  <mark.lam@apple.com>
1704
1705         Correctly detect string overflow when using the 'Function' constructor.
1706         https://bugs.webkit.org/show_bug.cgi?id=184883
1707         <rdar://problem/36320331>
1708
1709         Reviewed by Saam Barati.
1710
1711         I've verified that this passes on 32-bit as well.
1712
1713         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1714
1715 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1716
1717         Add support for GetStack FlushedDouble
1718         https://bugs.webkit.org/show_bug.cgi?id=191012
1719         <rdar://problem/45265141>
1720
1721         Reviewed by Saam Barati.
1722
1723         * stress/get-stack-double.js: Added.
1724         (bar):
1725         (noInline):
1726
1727 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1728
1729         New bytecode format for JSC
1730         https://bugs.webkit.org/show_bug.cgi?id=187373
1731         <rdar://problem/44186758>
1732
1733         Reviewed by Filip Pizlo.
1734
1735         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1736
1737         * stress/maximum-inline-capacity.js: Added.
1738         (test1):
1739         (test3.Foo):
1740         (test3):
1741
1742 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1743
1744         Unreviewed, rolling out r237479 and r237484.
1745         https://bugs.webkit.org/show_bug.cgi?id=190978
1746
1747         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1748
1749         Reverted changesets:
1750
1751         "New bytecode format for JSC"
1752         https://bugs.webkit.org/show_bug.cgi?id=187373
1753         https://trac.webkit.org/changeset/237479
1754
1755         "Gardening: Build fix after r237479."
1756         https://bugs.webkit.org/show_bug.cgi?id=187373
1757         https://trac.webkit.org/changeset/237484
1758
1759 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1760
1761         New bytecode format for JSC
1762         https://bugs.webkit.org/show_bug.cgi?id=187373
1763         <rdar://problem/44186758>
1764
1765         Reviewed by Filip Pizlo.
1766
1767         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1768
1769         * stress/maximum-inline-capacity.js: Added.
1770         (test1):
1771         (test3.Foo):
1772         (test3):
1773
1774 2018-10-26  Mark Lam  <mark.lam@apple.com>
1775
1776         Fix missing edge cases with JSGlobalObjects having a bad time.
1777         https://bugs.webkit.org/show_bug.cgi?id=189028
1778         <rdar://problem/45204939>
1779
1780         Reviewed by Saam Barati.
1781
1782         * stress/regress-189028.js: Added.
1783
1784 2018-10-22  Mark Lam  <mark.lam@apple.com>
1785
1786         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1787         https://bugs.webkit.org/show_bug.cgi?id=190515
1788         <rdar://problem/45222379>
1789
1790         Rubber-stamped by Saam Barati.
1791
1792         Adding another test.
1793
1794         * stress/regress-190515-2.js: Added.
1795
1796 2018-10-22  Mark Lam  <mark.lam@apple.com>
1797
1798         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1799         https://bugs.webkit.org/show_bug.cgi?id=190515
1800         <rdar://problem/45222379>
1801
1802         Reviewed by Saam Barati.
1803
1804         * stress/regress-190515.js: Added.
1805
1806 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1807
1808         Unreviewed, rolling out r237254.
1809         https://bugs.webkit.org/show_bug.cgi?id=190760
1810
1811         "It regresses JetStream 2 by 5% on some iOS devices"
1812         (Requested by saamyjoon on #webkit).
1813
1814         Reverted changeset:
1815
1816         "[JSC] JSC should have "parseFunction" to optimize Function
1817         constructor"
1818         https://bugs.webkit.org/show_bug.cgi?id=190340
1819         https://trac.webkit.org/changeset/237254
1820
1821 2018-10-19  Saam Barati  <sbarati@apple.com>
1822
1823         vmCall should check if we exit before emitting an OSR exit due to exceptions
1824         https://bugs.webkit.org/show_bug.cgi?id=190740
1825         <rdar://problem/45220139>
1826
1827         Reviewed by Mark Lam.
1828
1829         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1830         (foo):
1831
1832 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1833
1834         [ESNext][BigInt] Implement support for "^"
1835         https://bugs.webkit.org/show_bug.cgi?id=186235
1836
1837         Reviewed by Yusuke Suzuki.
1838
1839         * stress/big-int-bitwise-xor-general.js: Added.
1840         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1841         * stress/big-int-bitwise-xor-type-error.js: Added.
1842         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1843
1844 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1845
1846         [BigInt] Add ValueSub into DFG
1847         https://bugs.webkit.org/show_bug.cgi?id=186176
1848
1849         Reviewed by Yusuke Suzuki.
1850
1851         * stress/big-int-subtraction-jit.js:
1852         * stress/value-sub-big-int-prediction-propagation.js: Added.
1853         * stress/value-sub-big-int-untyped.js: Added.
1854         * stress/value-sub-spec-none-case.js: Added.
1855
1856 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1857
1858         [JSC] JSC should have "parseFunction" to optimize Function constructor
1859         https://bugs.webkit.org/show_bug.cgi?id=190340
1860
1861         Reviewed by Mark Lam.
1862
1863         This patch fixes the line number of syntax errors raised by the Function constructor,
1864         since we now parse the final code only once. And we no longer use block statement
1865         for Function constructor's parsing.
1866
1867         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1868         * stress/function-cache-with-parameters-end-position.js: Added.
1869         (shouldBe):
1870         (shouldThrow):
1871         (i.anonymous):
1872         * stress/function-constructor-name.js: Added.
1873         (shouldBe):
1874         (GeneratorFunction):
1875         (AsyncFunction.async):
1876         (AsyncGeneratorFunction.async):
1877         (anonymous):
1878         (async.anonymous):
1879         * test262/expectations.yaml:
1880
1881 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1882
1883         Unreviewed, rolling out r237242.
1884         https://bugs.webkit.org/show_bug.cgi?id=190701
1885
1886         it breaks "stress/sampling-profiler-basic.js" (Requested by
1887         caiolima on #webkit).
1888
1889         Reverted changeset:
1890
1891         "[BigInt] Add ValueSub into DFG"
1892         https://bugs.webkit.org/show_bug.cgi?id=186176
1893         https://trac.webkit.org/changeset/237242
1894
1895 2018-10-17  Keith Miller  <keith_miller@apple.com>
1896
1897         AI does not clear Phantom allocation nodes.
1898         https://bugs.webkit.org/show_bug.cgi?id=190694
1899
1900         Reviewed by Saam Barati.
1901
1902         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1903         (Day):
1904         (DaysInYear):
1905         (TimeInYear):
1906         (TimeFromYear):
1907         (DayFromYear):
1908         (InLeapYear):
1909         (YearFromTime):
1910         (WeekDay):
1911         (DaylightSavingTA):
1912         (GetSecondSundayInMarch):
1913         (TimeInMonth):
1914
1915 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1916
1917         [BigInt] Add ValueSub into DFG
1918         https://bugs.webkit.org/show_bug.cgi?id=186176
1919
1920         Reviewed by Yusuke Suzuki.
1921
1922         * stress/big-int-subtraction-jit.js:
1923         * stress/value-sub-big-int-prediction-propagation.js: Added.
1924         * stress/value-sub-big-int-untyped.js: Added.
1925
1926 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1927
1928         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1929         https://bugs.webkit.org/show_bug.cgi?id=190611
1930
1931         Reviewed by Saam Barati.
1932
1933         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1934         to improve test runtime. On ARM/MIPS this test even timed out when running all
1935         tests.
1936
1937         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1938         (test):
1939
1940 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1941
1942         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1943
1944         Unreviewed gardening.
1945
1946         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1947
1948 2018-10-15  Saam barati  <sbarati@apple.com>
1949
1950         Emit fjcvtzs on ARM64E on Darwin
1951         https://bugs.webkit.org/show_bug.cgi?id=184023
1952
1953         Reviewed by Yusuke Suzuki and Filip Pizlo.
1954
1955         * stress/double-to-int32-NaN.js: Added.
1956         (assert):
1957         (foo):
1958
1959 2018-10-15  Saam Barati  <sbarati@apple.com>
1960
1961         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1962         https://bugs.webkit.org/show_bug.cgi?id=190262
1963         <rdar://problem/44986241>
1964
1965         Reviewed by Mark Lam.
1966
1967         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1968         (test):
1969         * stress/slice-array-storage-with-holes.js: Added.
1970         (main):
1971
1972 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1973
1974         Unreviewed, rolling out r237054.
1975         https://bugs.webkit.org/show_bug.cgi?id=190593
1976
1977         "this regressed JetStream 2 by 6% on iOS" (Requested by
1978         saamyjoon on #webkit).
1979
1980         Reverted changeset:
1981
1982         "[JSC] JSC should have "parseFunction" to optimize Function
1983         constructor"
1984         https://bugs.webkit.org/show_bug.cgi?id=190340
1985         https://trac.webkit.org/changeset/237054
1986
1987 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1988
1989         [JSC] JSON.stringify can accept call-with-no-arguments
1990         https://bugs.webkit.org/show_bug.cgi?id=190343
1991
1992         Reviewed by Mark Lam.
1993
1994         * stress/json-stringify-no-arguments.js: Added.
1995         (shouldBe):
1996
1997 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1998
1999         [JSC] JSC should have "parseFunction" to optimize Function constructor
2000         https://bugs.webkit.org/show_bug.cgi?id=190340
2001
2002         Reviewed by Mark Lam.
2003
2004         This patch fixes the line number of syntax errors raised by the Function constructor,
2005         since we now parse the final code only once. And we no longer use block statement
2006         for Function constructor's parsing.
2007
2008         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2009         * stress/function-cache-with-parameters-end-position.js: Added.
2010         (shouldBe):
2011         (shouldThrow):
2012         (i.anonymous):
2013         * stress/function-constructor-name.js: Added.
2014         (shouldBe):
2015         (GeneratorFunction):
2016         (AsyncFunction.async):
2017         (AsyncGeneratorFunction.async):
2018         (anonymous):
2019         (async.anonymous):
2020         * test262/expectations.yaml:
2021
2022 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2023
2024         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2025         https://bugs.webkit.org/show_bug.cgi?id=190426
2026
2027         Unreviewed gardening.
2028
2029         * stress/sampling-profiler-richards.js:
2030
2031 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2032
2033         [ESNext][BigInt] Implement support for "|"
2034         https://bugs.webkit.org/show_bug.cgi?id=186229
2035
2036         Reviewed by Yusuke Suzuki.
2037
2038         * stress/big-int-bitwise-and-jit.js:
2039         * stress/big-int-bitwise-or-general.js: Added.
2040         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2041         * stress/big-int-bitwise-or-jit.js: Added.
2042         * stress/big-int-bitwise-or-memory-stress.js: Added.
2043         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2044         * stress/big-int-bitwise-or-type-error.js: Added.
2045         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2046
2047 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2048
2049         Skip test on systems with limited memory
2050         https://bugs.webkit.org/show_bug.cgi?id=190310
2051
2052         Invoking runDefault adds test to runlist; skipping the test in the next
2053         line does not prevent the test from executing. Change order of lines such
2054         that runDefault is only executed if test is not executed.
2055
2056         Reviewed by Mark Lam.
2057
2058         * stress/regress-190187.js:
2059
2060 2018-10-03  Saam barati  <sbarati@apple.com>
2061
2062         lowXYZ in FTLLower should always filter the type of the incoming edge
2063         https://bugs.webkit.org/show_bug.cgi?id=189939
2064         <rdar://problem/44407030>
2065
2066         Reviewed by Michael Saboff.
2067
2068         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2069         (foo):
2070         (test):
2071
2072 2018-10-03  Mark Lam  <mark.lam@apple.com>
2073
2074         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2075         https://bugs.webkit.org/show_bug.cgi?id=190187
2076         <rdar://problem/42512909>
2077
2078         Reviewed by Michael Saboff.
2079
2080         * stress/regress-190187.js: Added.
2081
2082 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2083
2084         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2085         https://bugs.webkit.org/show_bug.cgi?id=190033
2086
2087         Reviewed by Yusuke Suzuki.
2088
2089         * stress/big-int-to-string.js:
2090
2091 2018-10-01  Mark Lam  <mark.lam@apple.com>
2092
2093         Function.toString() should also copy the source code of Functions that are class definitions.
2094         https://bugs.webkit.org/show_bug.cgi?id=190186
2095         <rdar://problem/44733360>
2096
2097         Reviewed by Saam Barati.
2098
2099         * stress/regress-190186.js: Added.
2100
2101 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2102
2103         Split NaN-check into separate test
2104         https://bugs.webkit.org/show_bug.cgi?id=190010
2105
2106         Reviewed by Saam Barati.
2107
2108         DataView exposes NaN-representation, which is not necessarily the same on each
2109         architecture. Therefore move the check of the NaN-representation into its own
2110         file such that we can disable this test on MIPS where NaN-representation can be
2111         different on older CPUs.
2112
2113         * stress/dataview-jit-set-nan.js: Added.
2114         (assert):
2115         (test.storeLittleEndian):
2116         (test.storeBigEndian):
2117         (test.store):
2118         (test):
2119         * stress/dataview-jit-set.js:
2120         (test5):
2121
2122 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2123
2124         Unreviewed, rolling out r236647.
2125         https://bugs.webkit.org/show_bug.cgi?id=190124
2126
2127         Breaking test stress/big-int-to-string.js (Requested by
2128         caiolima_ on #webkit).
2129
2130         Reverted changeset:
2131
2132         "[BigInt] BigInt.prototype.toString is broken when radix is
2133         power of 2"
2134         https://bugs.webkit.org/show_bug.cgi?id=190033
2135         https://trac.webkit.org/changeset/236647
2136
2137 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2138
2139         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2140         https://bugs.webkit.org/show_bug.cgi?id=190033
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         * stress/big-int-to-string.js:
2145
2146 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2147
2148         [ESNext][BigInt] Implement support for "&"
2149         https://bugs.webkit.org/show_bug.cgi?id=186228
2150
2151         Reviewed by Yusuke Suzuki.
2152
2153         * stress/big-int-bitwise-and-general.js: Added.
2154         (assert):
2155         (assert.sameValue):
2156         * stress/big-int-bitwise-and-jit.js: Added.
2157         (let.assert.sameValue):
2158         (bigIntBitAnd):
2159         * stress/big-int-bitwise-and-memory-stress.js: Added.
2160         (assert):
2161         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2162         (assert.sameValue):
2163         (let.o.Symbol.toPrimitive):
2164         (catch):
2165         * stress/big-int-bitwise-and-type-error.js: Added.
2166         (assert):
2167         (assertThrowTypeError):
2168         (let.o.valueOf):
2169         (o.valueOf):
2170         (o.toString):
2171         (o.Symbol.toPrimitive):
2172         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2173         (assert.sameValue):
2174         (testBitAnd):
2175         (let.o.Symbol.toPrimitive):
2176         (o.valueOf):
2177         (o.toString):
2178
2179 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2180
2181         JSC test stress/jsc-read.js doesn't support CRLF
2182         https://bugs.webkit.org/show_bug.cgi?id=190063
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2187
2188         * stress/jsc-read.js:
2189         (test):
2190
2191 2018-09-27  Saam barati  <sbarati@apple.com>
2192
2193         Verify the contents of AssemblerBuffer on arm64e
2194         https://bugs.webkit.org/show_bug.cgi?id=190057
2195         <rdar://problem/38916630>
2196
2197         Reviewed by Mark Lam.
2198
2199         * stress/regress-189132.js:
2200
2201 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2202
2203         Disable test without LLInt on ARMv7
2204         https://bugs.webkit.org/show_bug.cgi?id=190037
2205
2206         Reviewed by Mark Lam.
2207
2208         Test runs out of executable memory on ARMv7; do not run
2209         this test without LLInt enabled.
2210
2211         * stress/regress-169445.js:
2212
2213 2018-09-26  Keith Miller  <keith_miller@apple.com>
2214
2215         We should zero unused property storage when rebalancing array storage.
2216         https://bugs.webkit.org/show_bug.cgi?id=188151
2217
2218         Reviewed by Michael Saboff.
2219
2220         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2221
2222 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2223
2224         [JSC] Optimize Array#lastIndexOf
2225         https://bugs.webkit.org/show_bug.cgi?id=189780
2226
2227         Reviewed by Saam Barati.
2228
2229         * stress/array-lastindexof-array-prototype-trap.js: Added.
2230         (shouldBe):
2231         (AncestorArray.prototype.get 2):
2232         (AncestorArray):
2233         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2234         (shouldBe):
2235         * stress/array-lastindexof-hole-nan.js: Added.
2236         (shouldBe):
2237         (throw.new.Error):
2238         * stress/array-lastindexof-infinity.js: Added.
2239         (shouldBe):
2240         (throw.new.Error):
2241         * stress/array-lastindexof-negative-zero.js: Added.
2242         (shouldBe):
2243         (throw.new.Error):
2244         * stress/array-lastindexof-own-getter.js: Added.
2245         (shouldBe):
2246         (throw.new.Error.get array):
2247         (get array):
2248         * stress/array-lastindexof-prototype-trap.js: Added.
2249         (shouldBe):
2250         (DerivedArray.prototype.get 2):
2251         (DerivedArray):
2252
2253 2018-09-25  Saam Barati  <sbarati@apple.com>
2254
2255         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2256         https://bugs.webkit.org/show_bug.cgi?id=189940
2257         <rdar://problem/43640987>
2258
2259         Reviewed by Mark Lam.
2260
2261         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2262
2263 2018-09-24  Saam Barati  <sbarati@apple.com>
2264
2265         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2266         https://bugs.webkit.org/show_bug.cgi?id=189922
2267         <rdar://problem/44651275>
2268
2269         Reviewed by Mark Lam.
2270
2271         * stress/array-indexof-fast-path-effects.js: Added.
2272         * stress/array-indexof-cached-length.js: Added.
2273
2274 2018-09-24  Saam barati  <sbarati@apple.com>
2275
2276         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2277         https://bugs.webkit.org/show_bug.cgi?id=189682
2278         <rdar://problem/43557315>
2279
2280         Reviewed by Mark Lam.
2281
2282         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2283         (foo):
2284
2285 2018-09-22  Saam barati  <sbarati@apple.com>
2286
2287         The sampling should not use Strong<CodeBlock> in its machineLocation field
2288         https://bugs.webkit.org/show_bug.cgi?id=189319
2289
2290         Reviewed by Filip Pizlo.
2291
2292         * stress/sampling-profiler-richards.js: Added.
2293
2294 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2295
2296         [JSC] Optimize Array#indexOf in C++ runtime
2297         https://bugs.webkit.org/show_bug.cgi?id=189507
2298
2299         Reviewed by Saam Barati.
2300
2301         * stress/array-indexof-array-prototype-trap.js: Added.
2302         (shouldBe):
2303         (AncestorArray.prototype.get 2):
2304         (AncestorArray):
2305         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2306         (shouldBe):
2307         * stress/array-indexof-hole-nan.js: Added.
2308         (shouldBe):
2309         (throw.new.Error):
2310         * stress/array-indexof-infinity.js: Added.
2311         (shouldBe):
2312         (throw.new.Error):
2313         * stress/array-indexof-negative-zero.js: Added.
2314         (shouldBe):
2315         (throw.new.Error):
2316         * stress/array-indexof-own-getter.js: Added.
2317         (shouldBe):
2318         (throw.new.Error.get array):
2319         (get array):
2320         * stress/array-indexof-prototype-trap.js: Added.
2321         (shouldBe):
2322         (DerivedArray.prototype.get 2):
2323         (DerivedArray):
2324
2325 2018-09-19  Saam barati  <sbarati@apple.com>
2326
2327         AI rule for MultiPutByOffset executes its effects in the wrong order
2328         https://bugs.webkit.org/show_bug.cgi?id=189757
2329         <rdar://problem/43535257>
2330
2331         Reviewed by Michael Saboff.
2332
2333         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2334         (foo):
2335         (Foo):
2336         (g):
2337
2338 2018-09-17  Mark Lam  <mark.lam@apple.com>
2339
2340         Ensure that ForInContexts are invalidated if their loop local is over-written.
2341         https://bugs.webkit.org/show_bug.cgi?id=189571
2342         <rdar://problem/44402277>
2343
2344         Reviewed by Saam Barati.
2345
2346         * stress/regress-189571.js: Added.
2347
2348 2018-09-17  Saam barati  <sbarati@apple.com>
2349
2350         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2351         https://bugs.webkit.org/show_bug.cgi?id=189676
2352         <rdar://problem/39682897>
2353
2354         Reviewed by Michael Saboff.
2355
2356         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2357         (A):
2358         (K):
2359         (i.catch):
2360
2361 2018-09-14  Saam barati  <sbarati@apple.com>
2362
2363         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2364         https://bugs.webkit.org/show_bug.cgi?id=189628
2365         <rdar://problem/39481690>
2366
2367         Reviewed by Mark Lam.
2368
2369         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2370         (foo):
2371
2372 2018-09-11  Mark Lam  <mark.lam@apple.com>
2373
2374         Test for array initialization in arrayProtoFuncSplice.
2375         https://bugs.webkit.org/show_bug.cgi?id=170253
2376         <rdar://problem/31328773>
2377
2378         Rubber-stamped by Saam Barati.
2379
2380         * stress/regress-170253.js: Added.
2381
2382 2018-09-11  Mark Lam  <mark.lam@apple.com>
2383
2384         Test for IntlObject initialization.
2385         https://bugs.webkit.org/show_bug.cgi?id=170251
2386         <rdar://problem/31328419>
2387
2388         Rubber-stamped by Saam Barati.
2389
2390         * stress/regress-170251.js: Added.
2391
2392 2018-09-11  Mark Lam  <mark.lam@apple.com>
2393
2394         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2395         https://bugs.webkit.org/show_bug.cgi?id=169889
2396         <rdar://problem/31155607>
2397
2398         Reviewed by Saam Barati.
2399
2400         * stress/regress-169889-array-concat.js: Added.
2401         * stress/regress-169889-array-concat1.js: Added.
2402         * stress/regress-169889-array-slice.js: Added.
2403
2404 2018-09-11  Mark Lam  <mark.lam@apple.com>
2405
2406         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2407         https://bugs.webkit.org/show_bug.cgi?id=169445
2408         <rdar://problem/30957435>
2409
2410         Reviewed by Saam Barati.
2411
2412         * stress/regress-169445.js: Added.
2413         (let.gun.eval.A):
2414         (let.gun.eval.B.C):
2415         (let.gun.eval.B.C.prototype.trigger):
2416         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2417         (let.gun.eval.B):
2418         (let.gun.eval):
2419
2420 == Rolled over to ChangeLog-2018-09-11 ==