Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
4         https://bugs.webkit.org/show_bug.cgi?id=172848
5         <rdar://problem/25709212>
6
7         Reviewed by Mark Lam.
8
9         * typeProfiler/inheritance.js:
10         Rewrite the test slightly for clarity. The hoisting was confusing.
11
12         * heapProfiler/class-names.js: Added.
13         (MyES5Class):
14         (MyES6Class):
15         (MyES6Subclass):
16         Test object types and improved class names.
17
18         * heapProfiler/driver/driver.js:
19         (CheapHeapSnapshotNode):
20         (CheapHeapSnapshot):
21         (createCheapHeapSnapshot):
22         (HeapSnapshot):
23         (createHeapSnapshot):
24         Update snapshot parsing from version 1 to version 2.
25
26 2019-02-19  Truitt Savell  <tsavell@apple.com>
27
28         Unreviewed, rolling out r241784.
29
30         Broke all OpenSource builds.
31
32         Reverted changeset:
33
34         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
35         instances view"
36         https://bugs.webkit.org/show_bug.cgi?id=172848
37         https://trac.webkit.org/changeset/241784
38
39 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
40
41         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
42         https://bugs.webkit.org/show_bug.cgi?id=172848
43         <rdar://problem/25709212>
44
45         Reviewed by Mark Lam.
46
47         * typeProfiler/inheritance.js:
48         Rewrite the test slightly for clarity. The hoisting was confusing.
49
50         * heapProfiler/class-names.js: Added.
51         (MyES5Class):
52         (MyES6Class):
53         (MyES6Subclass):
54         Test object types and improved class names.
55
56         * heapProfiler/driver/driver.js:
57         (CheapHeapSnapshotNode):
58         (CheapHeapSnapshot):
59         (createCheapHeapSnapshot):
60         (HeapSnapshot):
61         (createHeapSnapshot):
62         Update snapshot parsing from version 1 to version 2.
63
64 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
65
66         [ARM] Fix crash with sampling profiler
67         https://bugs.webkit.org/show_bug.cgi?id=194772
68
69         Reviewed by Mark Lam.
70
71         Do not skip test since crash with sampling profiler is now fixed.
72
73         * stress/sampling-profiler-richards.js:
74
75 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
76
77         [JSC] Add LazyClassStructure::getInitializedOnMainThread
78         https://bugs.webkit.org/show_bug.cgi?id=194784
79         <rdar://problem/48154820>
80
81         Reviewed by Mark Lam.
82
83         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
84         (getProperties):
85         (getRandomProperty):
86         (i.catch):
87
88 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
89
90         [ARM] Test gardening: Test running out of executable memory
91         https://bugs.webkit.org/show_bug.cgi?id=194771
92
93         Unreviewed. Do not run test without LLInt, test is running out of executable
94         memory on ARM otherwise.
95
96         * stress/tagged-template-object-collect.js:
97
98 2019-02-18  Tomas Popela  <tpopela@redhat.com>
99
100         Unreviewed, skip the test on platforms without sampling profiler
101
102         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
103         (platformSupportsSamplingProfiler.foo):
104         (platformSupportsSamplingProfiler.test):
105         (platformSupportsSamplingProfiler):
106         (foo): Deleted.
107         (test): Deleted.
108
109 2019-02-17  Saam Barati  <sbarati@apple.com>
110
111         Deadlock when adding a Structure property transition and then doing incremental marking
112         https://bugs.webkit.org/show_bug.cgi?id=194767
113
114         Reviewed by Mark Lam.
115
116         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
117
118 2019-02-15  Michael Saboff  <msaboff@apple.com>
119
120         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
121         https://bugs.webkit.org/show_bug.cgi?id=194558
122
123         Reviewed by Saam Barati.
124
125         New regression test.
126
127         * stress/regexp-unicode-within-string.js: Added.
128
129 2019-02-15  Mark Lam  <mark.lam@apple.com>
130
131         SamplingProfiler::stackTracesAsJSON() should escape strings.
132         https://bugs.webkit.org/show_bug.cgi?id=194649
133         <rdar://problem/48072386>
134
135         Reviewed by Saam Barati.
136
137         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
138         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
139         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
140         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
141
142 2019-02-15  Robin Morisset  <rmorisset@apple.com>
143         CodeBlock::jettison should clear related watchpoints
144         https://bugs.webkit.org/show_bug.cgi?id=194544
145
146         Reviewed by Mark Lam.
147
148         * stress/regexp-replace-double-watchpoint.js: Added.
149         (foo):
150
151 2019-02-15  Saam barati  <sbarati@apple.com>
152
153         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
154         https://bugs.webkit.org/show_bug.cgi?id=194036
155
156         Reviewed by Yusuke Suzuki.
157
158         * stress/tail-call-many-arguments.js: Added.
159         (foo):
160         (bar):
161
162 2019-02-14  Saam Barati  <sbarati@apple.com>
163
164         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
165         https://bugs.webkit.org/show_bug.cgi?id=194583
166         <rdar://problem/48028140>
167
168         Reviewed by Yusuke Suzuki.
169
170         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
171
172 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
173
174         [JSC] String.fromCharCode's slow path always generates 16bit string
175         https://bugs.webkit.org/show_bug.cgi?id=194466
176
177         Reviewed by Keith Miller.
178
179         * stress/string-from-char-code-slow-path.js: Added.
180         (shouldBe):
181         (testWithLength):
182
183 2019-02-08  Saam barati  <sbarati@apple.com>
184
185         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
186         https://bugs.webkit.org/show_bug.cgi?id=194334
187         <rdar://problem/47844327>
188
189         Reviewed by Mark Lam.
190
191         * stress/check-in-bounds-should-be-a-child-use.js: Added.
192         (func):
193
194 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
195
196         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
197         https://bugs.webkit.org/show_bug.cgi?id=194369
198         <rdar://problem/47813087>
199
200         Reviewed by Saam Barati.
201
202         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
203         (A):
204
205 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
206
207         [JSC] PrivateName to PublicName hash table is wasteful
208         https://bugs.webkit.org/show_bug.cgi?id=194277
209
210         Reviewed by Michael Saboff.
211
212         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
213
214         * ChakraCore.yaml:
215
216 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
217
218         [ARM] Test running out of executable memory
219         https://bugs.webkit.org/show_bug.cgi?id=194285
220
221         Unreviewed. Do no execute test with LLInt disabled, test runs out of
222         executable memory otherwise.
223
224         * stress/class-subclassing-function.js:
225
226 2019-02-04  Robin Morisset  <rmorisset@apple.com>
227
228         when lowering AssertNotEmpty, create the value before creating the patchpoint
229         https://bugs.webkit.org/show_bug.cgi?id=194231
230
231         Reviewed by Saam Barati.
232
233         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
234         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
235         So even tiny changes to this test can change the path code taken.
236
237         * stress/assert-not-empty.js: Added.
238         (foo):
239
240 2019-02-01  Mark Lam  <mark.lam@apple.com>
241
242         Remove invalid assertion in DFG's compileDoubleRep().
243         https://bugs.webkit.org/show_bug.cgi?id=194130
244         <rdar://problem/47699474>
245
246         Reviewed by Saam Barati.
247
248         * stress/constant-fold-double-rep-into-double-constant.js: Added.
249
250 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
251
252         Import latest Test262 updates.
253
254         Rubber-stamped by Keith Miller.
255
256         * test262.yaml: Deleted.
257         * test262/config.yaml:
258         * test262/expectations.yaml:
259         * test262/latest-changes-summary.txt:
260         * test262/test/:
261         * test262/test262-Revision.txt:
262
263 2019-01-30  Robin Morisset  <rmorisset@apple.com>
264
265         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
266         https://bugs.webkit.org/show_bug.cgi?id=194050
267         <rdar://problem/47595592>
268
269         Reviewed by Yusuke Suzuki.
270
271         * stress/object-keys-osr-exit.js: Added.
272         (foo):
273         (catch):
274
275 2019-01-29  Mark Lam  <mark.lam@apple.com>
276
277         ValueRecovery::recover() should purify NaN values it recovers.
278         https://bugs.webkit.org/show_bug.cgi?id=193978
279         <rdar://problem/47625488>
280
281         Reviewed by Saam Barati.
282
283         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
284
285 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
286
287         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
288         https://bugs.webkit.org/show_bug.cgi?id=193713
289
290         * stress/try-get-by-id-should-spill-registers-dfg.js:
291         (let.f.createBuiltin):
292
293 2019-01-28  Mark Lam  <mark.lam@apple.com>
294
295         ToString node actually does GC.
296         https://bugs.webkit.org/show_bug.cgi?id=193920
297         <rdar://problem/46695900>
298
299         Reviewed by Yusuke Suzuki.
300
301         * stress/dfg-to-string-on-int-does-gc.js: Added.
302         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
303         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
304
305 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
306
307         [JSC] NativeErrorConstructor should not have own IsoSubspace
308         https://bugs.webkit.org/show_bug.cgi?id=193713
309
310         Reviewed by Saam Barati.
311
312         Remove @Error use.
313
314         * stress/try-get-by-id-should-spill-registers-dfg.js:
315         (let.f.createBuiltin):
316
317 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
318
319         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
320         https://bugs.webkit.org/show_bug.cgi?id=190693
321
322         Reviewed by Michael Saboff.
323
324         * stress/regress-190693.js: Added.
325         (truth):
326         (assert):
327         (shouldThrowInvalidConstAssignment):
328         (taz):
329
330 2019-01-24  Saam Barati  <sbarati@apple.com>
331
332         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
333         https://bugs.webkit.org/show_bug.cgi?id=193751
334         <rdar://problem/47280215>
335
336         Reviewed by Michael Saboff.
337
338         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
339         (let.thing):
340         (foo.let.hello):
341         (foo):
342
343 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
344
345         [JSC] Reenable baseline JIT on mips
346         https://bugs.webkit.org/show_bug.cgi?id=192983
347
348         Reviewed by Mark Lam.
349
350         Added a new test for a case that was triggering a RELEASE_ASSERT when
351         testing.
352         Disable some slow tests that were already disabled for arm and x86.
353
354         * stress/json-parse-big-object.js: Added.
355         * stress/new-largeish-contiguous-array-with-size.js:
356         * stress/op_add.js:
357         * stress/op_bitand.js:
358         * stress/op_bitor.js:
359         * stress/op_bitxor.js:
360         * stress/op_lshift-ConstVar.js:
361         * stress/op_lshift-VarConst.js:
362         * stress/op_lshift-VarVar.js:
363         * stress/op_mod-ConstVar.js:
364         * stress/op_mod-VarConst.js:
365         * stress/op_mod-VarVar.js:
366         * stress/op_mul-ConstVar.js:
367         * stress/op_mul-VarConst.js:
368         * stress/op_mul-VarVar.js:
369         * stress/op_rshift-ConstVar.js:
370         * stress/op_rshift-VarConst.js:
371         * stress/op_rshift-VarVar.js:
372         * stress/op_sub-ConstVar.js:
373         * stress/op_sub-VarConst.js:
374         * stress/op_sub-VarVar.js:
375         * stress/op_urshift-ConstVar.js:
376         * stress/op_urshift-VarConst.js:
377         * stress/op_urshift-VarVar.js:
378         * stress/sampling-profiler-richards.js:
379         * stress/spread-forward-call-varargs-stack-overflow.js:
380
381 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
382
383         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
384         https://bugs.webkit.org/show_bug.cgi?id=193711
385         <rdar://problem/47250262>
386
387         Reviewed by Saam Barati.
388
389         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
390         (shouldBe):
391         (foo):
392         (bar):
393         (baz):
394
395 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         Unreviewed, fix initial global lexical binding epoch
398         https://bugs.webkit.org/show_bug.cgi?id=193603
399         <rdar://problem/47380869>
400
401         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
402         (f1.f2.f3.f4):
403         (f1.f2.f3):
404         (f1.f2):
405         (f1):
406
407 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
408
409         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
410         https://bugs.webkit.org/show_bug.cgi?id=193709
411         <rdar://problem/47363838>
412
413         Unreviewed, rollout to watch the tests.
414
415         * stress/object-tostring-changed-proto.js: Removed.
416         * stress/object-tostring-changed.js: Removed.
417         * stress/object-tostring-misc.js: Removed.
418         * stress/object-tostring-other.js: Removed.
419         * stress/object-tostring-untyped.js: Removed.
420
421 2019-01-22  Saam Barati  <sbarati@apple.com>
422
423         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
424
425         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
426         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
427         (testUncheckedLessThanZero):
428         (testUncheckedLessThanOrEqualZero):
429         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
430         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
431
432 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         [JSC] Invalidate old scope operations using global lexical binding epoch
435         https://bugs.webkit.org/show_bug.cgi?id=193603
436         <rdar://problem/47380869>
437
438         Reviewed by Saam Barati.
439
440         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
441         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
442         (shouldThrow):
443         (bar):
444         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
445         (shouldBe):
446         (get1):
447         (get2):
448         (get1If):
449         (get2If):
450         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
451         (shouldThrow):
452         (foo):
453
454 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
455
456         Unreviewed, roll out r240220 due to date-format-xparb regression
457         https://bugs.webkit.org/show_bug.cgi?id=193603
458
459         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
460         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
461         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
462         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
463
464 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
465
466         DoesGC rule is wrong for nodes with BigIntUse
467         https://bugs.webkit.org/show_bug.cgi?id=193652
468
469         Reviewed by Saam Barati.
470
471         * stress/big-int-value-op-update-gc-rules.js: Added.
472         (assert):
473         (doesGCAdd):
474         (doesGCSub):
475         (doesGCDiv):
476         (doesGCMul):
477         (doesGCBitAnd):
478         (doesGCBitOr):
479         (doesGCBitXor):
480
481 2019-01-20  Saam Barati  <sbarati@apple.com>
482
483         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
484         https://bugs.webkit.org/show_bug.cgi?id=193644
485         <rdar://problem/46209745>
486
487         Reviewed by Yusuke Suzuki.
488
489         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
490         (foo):
491         * stress/data-view-set-intrinsic-undefined-result.js: Added.
492         (foo):
493         (bar):
494
495 2019-01-20  Saam Barati  <sbarati@apple.com>
496
497         MovHint must merge NodeBytecodeUsesAsValue for its child
498         https://bugs.webkit.org/show_bug.cgi?id=186916
499         <rdar://problem/41396612>
500
501         Reviewed by Yusuke Suzuki.
502
503         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
504         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
505
506 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
507
508         [JSC] Invalidate old scope operations using global lexical binding epoch
509         https://bugs.webkit.org/show_bug.cgi?id=193603
510         <rdar://problem/47380869>
511
512         Reviewed by Saam Barati.
513
514         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
515         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
516         (shouldThrow):
517         (bar):
518         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
519         (shouldBe):
520         (get1):
521         (get2):
522         (get1If):
523         (get2If):
524         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
525         (shouldThrow):
526         (foo):
527
528 2019-01-17  Saam barati  <sbarati@apple.com>
529
530         StringObjectUse should not be a structure check for the original string object structure
531         https://bugs.webkit.org/show_bug.cgi?id=193483
532         <rdar://problem/47280522>
533
534         Reviewed by Yusuke Suzuki.
535
536         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
537         (foo):
538         (a.valueOf.0):
539
540 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
541
542         [JSC] ToThis omission in DFGByteCodeParser is wrong
543         https://bugs.webkit.org/show_bug.cgi?id=193513
544         <rdar://problem/45842236>
545
546         Reviewed by Saam Barati.
547
548         * stress/to-this-omission-with-different-strict-modes.js: Added.
549         (thisA):
550         (thisAStrictWrapper):
551
552 2019-01-15  Mark Lam  <mark.lam@apple.com>
553
554         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
555         https://bugs.webkit.org/show_bug.cgi?id=193423
556         <rdar://problem/46209355>
557
558         Reviewed by Saam Barati.
559
560         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
561         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
562         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
563         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
564
565 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
566
567         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
568         https://bugs.webkit.org/show_bug.cgi?id=193438
569         <rdar://problem/45581249>
570
571         Reviewed by Saam Barati and Keith Miller.
572
573         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
574         Then, GetByVal(String) crashed.
575
576         * stress/string-get-by-val-lowering.js: Added.
577         (shouldBe):
578         (test):
579         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
580         (Hello):
581         (foo):
582
583 2019-01-15  Tomas Popela  <tpopela@redhat.com>
584
585         Unreviewed, skip JIT tests if it's not enabled
586
587         * stress/bit-op-with-object-returning-int32.js:
588
589 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
590
591         DFGByteCodeParser rules for bitwise operations should consider type of their operands
592         https://bugs.webkit.org/show_bug.cgi?id=192966
593
594         Reviewed by Yusuke Suzuki.
595
596         * stress/bit-op-with-object-returning-int32.js: Added.
597
598 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
599
600         Skip a slow test and a flakey test on arm
601
602         Unreviewed gardening.
603
604         * typeProfiler/getter-richards.js:
605         this test always times out, it used to be always skipped on arm and
606         mips, but got accidentally enabled by r237919 now that we have DFG on
607         arm. Also skipping on mips as we plan to soon enable DFG for it too.
608
609 2019-01-14  Keith Miller  <keith_miller@apple.com>
610
611         Skip type-check-hoisting-phase-hoist... with no jit
612         https://bugs.webkit.org/show_bug.cgi?id=193421
613
614         Reviewed by Mark Lam.
615
616         It's timing out the 32-bit bots and takes 330 seconds
617         on my machine when run by itself.
618
619         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
620
621 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
622
623         [JSC] AI should check the given constant's array type when folding GetByVal into constant
624         https://bugs.webkit.org/show_bug.cgi?id=193413
625         <rdar://problem/46092389>
626
627         Reviewed by Keith Miller.
628
629         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
630         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
631         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
632         but GetByVal does not have appropriate ArrayModes, JSC crashes.
633
634         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
635         (compareArray):
636
637 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
638
639         [BigInt] Literal parsing is crashing when used inside a Object Literal
640         https://bugs.webkit.org/show_bug.cgi?id=193404
641
642         Reviewed by Yusuke Suzuki.
643
644         * stress/big-int-literal-inside-literal-object.js: Added.
645
646 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
647
648         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
649         https://bugs.webkit.org/show_bug.cgi?id=193372
650
651         Reviewed by Saam Barati.
652
653         * stress/typed-array-array-modes-profile.js: Added.
654         (foo):
655
656 2019-01-14  Mark Lam  <mark.lam@apple.com>
657
658         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
659         https://bugs.webkit.org/show_bug.cgi?id=193402
660         <rdar://problem/46012309>
661
662         Reviewed by Keith Miller.
663
664         * stress/regexp-compile-oom.js:
665         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
666           is enabled.  As a result, it will fail on cloop builds though there is no bug.
667
668 2019-01-11  Saam barati  <sbarati@apple.com>
669
670         DFG combined liveness can be wrong for terminal basic blocks
671         https://bugs.webkit.org/show_bug.cgi?id=193304
672         <rdar://problem/45268632>
673
674         Reviewed by Yusuke Suzuki.
675
676         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
677
678 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
679
680         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
681         https://bugs.webkit.org/show_bug.cgi?id=193308
682         <rdar://problem/45546542>
683
684         Reviewed by Saam Barati.
685
686         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
687         (shouldThrow):
688         (shouldBe):
689         (foo):
690         (get shouldThrow):
691         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
692         (shouldThrow):
693         (shouldBe):
694         (foo):
695         (get shouldBe):
696         (get shouldThrow):
697         (get return):
698         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
699         (shouldThrow):
700         (shouldBe):
701         (foo):
702         (get shouldBe):
703         (get shouldThrow):
704         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
705         (shouldThrow):
706         (shouldBe):
707         (foo):
708         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
709         (shouldThrow):
710         (shouldBe):
711         (foo):
712         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
713         (shouldThrow):
714         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
715         (shouldThrow):
716         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
717         (shouldThrow):
718         (shouldBe):
719         (foo):
720         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
721         (shouldThrow):
722         (shouldBe):
723         (foo):
724         (get shouldBe):
725         (get shouldThrow):
726         (get return):
727         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
728         (shouldThrow):
729         (shouldBe):
730         (foo):
731         (get shouldBe):
732         (get shouldThrow):
733         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
734         (shouldThrow):
735         (shouldBe):
736         (foo):
737         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
738         (shouldThrow):
739         (shouldBe):
740         (foo):
741
742 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
743
744         Enable DFG on ARM/Linux again
745         https://bugs.webkit.org/show_bug.cgi?id=192496
746
747         Reviewed by Yusuke Suzuki.
748
749         Test wasn't really skipped before moving the line with skip
750         to the top.
751
752         * stress/regress-192717.js:
753
754 2019-01-10  Commit Queue  <commit-queue@webkit.org>
755
756         Unreviewed, rolling out r239825.
757         https://bugs.webkit.org/show_bug.cgi?id=193330
758
759         Broke tests on armv7/linux bots (Requested by guijemont on
760         #webkit).
761
762         Reverted changeset:
763
764         "Enable DFG on ARM/Linux again"
765         https://bugs.webkit.org/show_bug.cgi?id=192496
766         https://trac.webkit.org/changeset/239825
767
768 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
769
770         Enable DFG on ARM/Linux again
771         https://bugs.webkit.org/show_bug.cgi?id=192496
772
773         Reviewed by Yusuke Suzuki.
774
775         Test wasn't really skipped before moving the line with skip
776         to the top.
777
778         * stress/regress-192717.js:
779
780 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
781
782         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
783         https://bugs.webkit.org/show_bug.cgi?id=193127
784
785         Reviewed by Saam Barati.
786
787         * stress/array-species-create-should-handle-masquerader.js: Added.
788         (shouldThrow):
789         * stress/is-undefined-or-null-builtin.js: Added.
790         (shouldBe):
791         (isUndefinedOrNull.vm.createBuiltin):
792
793 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
794
795         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
796         https://bugs.webkit.org/show_bug.cgi?id=193221
797
798         Reviewed by Mark Lam.
799
800         * stress/put-by-id-flags.js: Added.
801         (f):
802         (g):
803         (numberOfDFGCompiles):
804
805 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
806
807         Baseline version of get_by_id may corrupt metadata
808         https://bugs.webkit.org/show_bug.cgi?id=193085
809         <rdar://problem/23453006>
810
811         Reviewed by Saam Barati.
812
813         * stress/get-by-id-change-mode.js: Added.
814         (forEach):
815
816 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
817
818         [JSC] Optimize Object.prototype.toString
819         https://bugs.webkit.org/show_bug.cgi?id=193031
820
821         Reviewed by Saam Barati.
822
823         * stress/object-tostring-changed-proto.js: Added.
824         (shouldBe):
825         (test):
826         * stress/object-tostring-changed.js: Added.
827         (shouldBe):
828         (test):
829         * stress/object-tostring-misc.js: Added.
830         (shouldBe):
831         (test):
832         (i.switch):
833         * stress/object-tostring-other.js: Added.
834         (shouldBe):
835         (test):
836         * stress/object-tostring-untyped.js: Added.
837         (shouldBe):
838         (test):
839         (i.switch):
840
841 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
842
843         test262-runner misbehaves when test file YAML has a trailing space
844         https://bugs.webkit.org/show_bug.cgi?id=193053
845
846         Reviewed by Yusuke Suzuki.
847
848         * test262/expectations.yaml:
849         Mark two dozen tests as passing (and correct the output of another).
850
851 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
852
853         Unreviewed, JSTests gardening with memoryLimited
854
855         * stress/string-overflow-createError.js:
856
857 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
858
859         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
860         https://bugs.webkit.org/show_bug.cgi?id=193050
861
862         Reviewed by Yusuke Suzuki.
863
864         * test262.yaml:
865         * test262/expectations.yaml:
866         Mark 16 tests as passing.
867
868 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
869
870         [BigInt] Support BigInt in JSON.stringify
871         https://bugs.webkit.org/show_bug.cgi?id=192624
872
873         Reviewed by Saam Barati.
874
875         * stress/big-int-json-stringify-to-json.js: Added.
876         (shouldBe):
877         (shouldThrow):
878         (BigInt.prototype.toJSON):
879         (shouldBe.JSON.stringify):
880         * stress/big-int-json-stringify.js: Added.
881         (shouldBe):
882         (shouldThrow):
883
884 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
885
886         [JSC] Implement "well-formed JSON.stringify" proposal
887         https://bugs.webkit.org/show_bug.cgi?id=191677
888
889         Reviewed by Darin Adler.
890
891         * stress/json-surrogate-pair.js: Added.
892         (shouldBe):
893         * test262/expectations.yaml:
894
895 2018-12-20  Keith Miller  <keith_miller@apple.com>
896
897         Add support for globalThis
898         https://bugs.webkit.org/show_bug.cgi?id=165171
899
900         Reviewed by Mark Lam.
901
902         * test262/config.yaml:
903
904 2018-12-19  Keith Miller  <keith_miller@apple.com>
905
906         Update test262 configuration to not run tests dependent on ICU version.
907         https://bugs.webkit.org/show_bug.cgi?id=192920
908
909         Reviewed by Saam Barati.
910
911         * test262/expectations.yaml:
912
913 2018-12-20  Mark Lam  <mark.lam@apple.com>
914
915         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
916         https://bugs.webkit.org/show_bug.cgi?id=192939
917         <rdar://problem/46869516>
918
919         Reviewed by Keith Miller.
920
921         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
922
923 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
924
925         WTF::String and StringImpl overflow MaxLength
926         https://bugs.webkit.org/show_bug.cgi?id=192853
927         <rdar://problem/45726906>
928
929         Reviewed by Mark Lam.
930
931         * stress/string-16bit-repeat-overflow.js: Added.
932         (catch):
933
934 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
935
936         Unreviewed follow-up to r192914.
937
938         * test262/expectations.yaml:
939         Add the last 20 missing expectations.
940
941 2018-12-19  Keith Miller  <keith_miller@apple.com>
942
943         Fix test262 expectations
944         https://bugs.webkit.org/show_bug.cgi?id=192914
945
946         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
947
948         * test262/expectations.yaml:
949
950 2018-12-19  Keith Miller  <keith_miller@apple.com>
951
952         Update test262 tests.
953         https://bugs.webkit.org/show_bug.cgi?id=192907
954
955         Rubber stamped by Mark Lam.
956
957         * test262/*: Omitted because prepare-changelog crashes.
958
959 2018-12-19  Mark Lam  <mark.lam@apple.com>
960
961         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
962         https://bugs.webkit.org/show_bug.cgi?id=192464
963         <rdar://problem/46519455>
964
965         Reviewed by Saam Barati.
966
967         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
968         microbenchmark.
969
970         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
971         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
972
973 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
974
975         String overflow in JSC::createError results in ASSERT in WTF::makeString
976         https://bugs.webkit.org/show_bug.cgi?id=192833
977         <rdar://problem/45706868>
978
979         Reviewed by Mark Lam.
980
981         * stress/string-overflow-createError.js: Added.
982
983 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
984
985         Error message for `-x ** y` contains a typo.
986         https://bugs.webkit.org/show_bug.cgi?id=192832
987
988         Reviewed by Saam Barati.
989
990         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
991         (assert.assert.return.throws):
992         * stress/pow-expects-update-expression-on-lhs.js:
993         (throw.new.Error):
994         Update test expectations which match against the exact error message.
995
996 2018-12-18  Mark Lam  <mark.lam@apple.com>
997
998         Gardening: test options fix.
999         https://bugs.webkit.org/show_bug.cgi?id=192822
1000
1001         Unreviewed.
1002
1003         * stress/json-stringify-string-builder-overflow.js:
1004
1005 2018-12-18  Mark Lam  <mark.lam@apple.com>
1006
1007         JSON.stringify() should throw OOM on StringBuilder overflows.
1008         https://bugs.webkit.org/show_bug.cgi?id=192822
1009         <rdar://problem/46670577>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/json-stringify-string-builder-overflow.js: Added.
1014
1015 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1016
1017         Redeclaration of var over let/const/class should be a syntax error.
1018         https://bugs.webkit.org/show_bug.cgi?id=192298
1019
1020         Reviewed by Keith Miller.
1021
1022         * test262.yaml:
1023         * test262/expectations.yaml:
1024         Mark 46 tests as passing.
1025
1026         * stress/block-scope-redeclarations.js:
1027         Add some new tests.
1028
1029         * stress/for-in-invalidate-context-weird-assignments.js:
1030         * stress/for-in-tests.js:
1031         Replace tests for outdated behavior with tests for SyntaxError.
1032
1033         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1034         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1035         Update expectations.
1036
1037 2018-12-18  Mark Lam  <mark.lam@apple.com>
1038
1039         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1040         https://bugs.webkit.org/show_bug.cgi?id=191374
1041         <rdar://problem/46525447>
1042
1043         Reviewed by Yusuke Suzuki.
1044
1045         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1046
1047         * stress/elidable-new-object-roflcopter-then-exit.js:
1048
1049 2018-12-17  Mark Lam  <mark.lam@apple.com>
1050
1051         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1052         https://bugs.webkit.org/show_bug.cgi?id=192019
1053         <rdar://problem/46525456>
1054
1055         Reviewed by Yusuke Suzuki.
1056
1057         The test runs too slow on 32-bit.
1058
1059         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1060
1061 2018-12-17  Mark Lam  <mark.lam@apple.com>
1062
1063         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1064         https://bugs.webkit.org/show_bug.cgi?id=191373
1065         <rdar://problem/46525458>
1066
1067         Reviewed by Yusuke Suzuki.
1068
1069         The test is already slow running with a JIT on 64-bit.  It will always timeout
1070         on 32-bit without a JIT.
1071
1072         * stress/materialize-regexp-cyclic-regexp.js:
1073
1074 2018-12-17  Mark Lam  <mark.lam@apple.com>
1075
1076         Array unshift/shift should not race against the AI in the compiler thread.
1077         https://bugs.webkit.org/show_bug.cgi?id=192795
1078         <rdar://problem/46724263>
1079
1080         Reviewed by Saam Barati.
1081
1082         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1083
1084 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1085
1086         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1087         https://bugs.webkit.org/show_bug.cgi?id=190047
1088
1089         Reviewed by Saam Barati.
1090
1091         * stress/object-keys-cached-zero.js: Added.
1092         (shouldBe):
1093         (test):
1094         * stress/object-keys-changed-attribute.js: Added.
1095         (shouldBe):
1096         (test):
1097         * stress/object-keys-changed-index.js: Added.
1098         (shouldBe):
1099         (test):
1100         * stress/object-keys-changed.js: Added.
1101         (shouldBe):
1102         (test):
1103         * stress/object-keys-indexed-non-cache.js: Added.
1104         (shouldBe):
1105         (test):
1106         * stress/object-keys-overrides-get-property-names.js: Added.
1107         (shouldBe):
1108         (test):
1109         (noInline):
1110
1111 2018-12-17  Mark Lam  <mark.lam@apple.com>
1112
1113         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1114         https://bugs.webkit.org/show_bug.cgi?id=192779
1115         <rdar://problem/46775869>
1116
1117         Reviewed by Saam Barati.
1118
1119         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1120
1121 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1122
1123         Unreviewed test gardening, address a syntax error in a new test.
1124
1125         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1126
1127 2018-12-17  Mark Lam  <mark.lam@apple.com>
1128
1129         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1130         https://bugs.webkit.org/show_bug.cgi?id=192776
1131         <rdar://problem/46772368>
1132
1133         Reviewed by Keith Miller.
1134
1135         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1136
1137 2018-12-17  Mark Lam  <mark.lam@apple.com>
1138
1139         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1140         https://bugs.webkit.org/show_bug.cgi?id=192770
1141         <rdar://problem/46449037>
1142
1143         Reviewed by Keith Miller.
1144
1145         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1146
1147 2018-12-14  Mark Lam  <mark.lam@apple.com>
1148
1149         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1150         https://bugs.webkit.org/show_bug.cgi?id=192717
1151         <rdar://problem/46660677>
1152
1153         Reviewed by Saam Barati.
1154
1155         * stress/regress-192717.js: Added.
1156
1157 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1158
1159         Unreviewed, rolling out r239153, r239154, and r239155.
1160         https://bugs.webkit.org/show_bug.cgi?id=192715
1161
1162         Caused flaky GC-related crashes seen with layout tests
1163         (Requested by ryanhaddad on #webkit).
1164
1165         Reverted changesets:
1166
1167         "[JSC] Optimize Object.keys by caching own keys results in
1168         StructureRareData"
1169         https://bugs.webkit.org/show_bug.cgi?id=190047
1170         https://trac.webkit.org/changeset/239153
1171
1172         "Unreviewed, build fix after r239153"
1173         https://bugs.webkit.org/show_bug.cgi?id=190047
1174         https://trac.webkit.org/changeset/239154
1175
1176         "Unreviewed, build fix after r239153, part 2"
1177         https://bugs.webkit.org/show_bug.cgi?id=190047
1178         https://trac.webkit.org/changeset/239155
1179
1180 2018-12-14  Keith Miller  <keith_miller@apple.com>
1181
1182         Callers of JSString::getIndex should check for OOM exceptions
1183         https://bugs.webkit.org/show_bug.cgi?id=192709
1184
1185         Reviewed by Mark Lam.
1186
1187         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1188
1189 2018-12-13  Mark Lam  <mark.lam@apple.com>
1190
1191         Add a missing exception check.
1192         https://bugs.webkit.org/show_bug.cgi?id=192626
1193         <rdar://problem/46662163>
1194
1195         Reviewed by Keith Miller.
1196
1197         * stress/regress-192626.js: Added.
1198
1199 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1200
1201         [BigInt] Add ValueDiv into DFG
1202         https://bugs.webkit.org/show_bug.cgi?id=186178
1203
1204         Reviewed by Yusuke Suzuki.
1205
1206         * stress/big-int-div-jit-osr.js: Added.
1207         * stress/big-int-div-jit-untyped.js: Added.
1208         * stress/value-div-fixup-int32-big-int.js: Added.
1209
1210 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1211
1212         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1213         https://bugs.webkit.org/show_bug.cgi?id=190047
1214
1215         Reviewed by Keith Miller.
1216
1217         * stress/object-keys-cached-zero.js: Added.
1218         (shouldBe):
1219         (test):
1220         * stress/object-keys-changed-attribute.js: Added.
1221         (shouldBe):
1222         (test):
1223         * stress/object-keys-changed-index.js: Added.
1224         (shouldBe):
1225         (test):
1226         * stress/object-keys-changed.js: Added.
1227         (shouldBe):
1228         (test):
1229         * stress/object-keys-indexed-non-cache.js: Added.
1230         (shouldBe):
1231         (test):
1232         * stress/object-keys-overrides-get-property-names.js: Added.
1233         (shouldBe):
1234         (test):
1235         (noInline):
1236
1237 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1238
1239         [DFG][FTL] Add NewSymbol
1240         https://bugs.webkit.org/show_bug.cgi?id=192620
1241
1242         Reviewed by Saam Barati.
1243
1244         * microbenchmarks/symbol-creation.js: Added.
1245         (test):
1246         * stress/symbol-description-identity.js: Added.
1247         (shouldBe):
1248         (test):
1249         * stress/symbol-identity.js: Added.
1250         (shouldBe):
1251         (test):
1252         * stress/symbol-with-description-throw-error.js: Added.
1253         (shouldBe):
1254         (shouldThrow):
1255         (test):
1256         (object.toString):
1257
1258 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1259
1260         [BigInt] Implement DFG/FTL typeof for BigInt
1261         https://bugs.webkit.org/show_bug.cgi?id=192619
1262
1263         Reviewed by Keith Miller.
1264
1265         * stress/big-int-boolean-proven-type.js: Added.
1266         (assert):
1267         (bool):
1268         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1269         (assert):
1270         (typeOf):
1271         (i.switch):
1272         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1273         (assert):
1274         (typeOf):
1275         * stress/big-int-type-of.js:
1276         (typeOf):
1277         (func):
1278
1279 2018-12-10  Mark Lam  <mark.lam@apple.com>
1280
1281         PropertyAttribute needs a CustomValue bit.
1282         https://bugs.webkit.org/show_bug.cgi?id=191993
1283         <rdar://problem/46264467>
1284
1285         Reviewed by Saam Barati.
1286
1287         * stress/regress-191993.js: Added.
1288
1289 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1290
1291         [BigInt] Add ValueMul into DFG
1292         https://bugs.webkit.org/show_bug.cgi?id=186175
1293
1294         Reviewed by Yusuke Suzuki.
1295
1296         * stress/big-int-mul-jit-osr.js: Added.
1297         * stress/big-int-mul-jit-untyped.js: Added.
1298         * stress/value-mul-fixup-int32-big-int.js: Added.
1299
1300 2018-12-06  Keith Miller  <keith_miller@apple.com>
1301
1302         stress/big-wasm-memory tests failing on 32-bit JSC bot
1303         https://bugs.webkit.org/show_bug.cgi?id=192020
1304
1305         Reviewed by Saam Barati.
1306
1307         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1308         the wasm stress tests if the WebAssembly object does not exist.
1309
1310         * stress/big-wasm-memory-grow-no-max.js:
1311         (test.foo):
1312         (test):
1313         (foo): Deleted.
1314         (catch): Deleted.
1315         * stress/big-wasm-memory-grow.js:
1316         (test.foo):
1317         (test):
1318         (foo): Deleted.
1319         (catch): Deleted.
1320         * stress/big-wasm-memory.js:
1321         (test.foo):
1322         (test):
1323         (foo): Deleted.
1324         (catch): Deleted.
1325
1326 2018-12-05  Mark Lam  <mark.lam@apple.com>
1327
1328         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1329         https://bugs.webkit.org/show_bug.cgi?id=192441
1330         <rdar://problem/46480355>
1331
1332         Reviewed by Saam Barati.
1333
1334         * stress/regress-192441.js: Added.
1335
1336 2018-12-04  Mark Lam  <mark.lam@apple.com>
1337
1338         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1339         https://bugs.webkit.org/show_bug.cgi?id=192386
1340         <rdar://problem/46445516>
1341
1342         Reviewed by Saam Barati.
1343
1344         * stress/regress-192386.js: Added.
1345
1346 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1347
1348         [ESNext][BigInt] Support logic operations
1349         https://bugs.webkit.org/show_bug.cgi?id=179903
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/big-int-branch-usage.js: Added.
1354         * stress/big-int-logical-and.js: Added.
1355         * stress/big-int-logical-not.js: Added.
1356         * stress/big-int-logical-or.js: Added.
1357
1358 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1359
1360         Unreviewed, rolling out r238833.
1361
1362         Breaks macOS and iOS debug builds.
1363
1364         Reverted changeset:
1365
1366         "[ESNext][BigInt] Support logic operations"
1367         https://bugs.webkit.org/show_bug.cgi?id=179903
1368         https://trac.webkit.org/changeset/238833
1369
1370 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1371
1372         [ESNext][BigInt] Support logic operations
1373         https://bugs.webkit.org/show_bug.cgi?id=179903
1374
1375         Reviewed by Yusuke Suzuki.
1376
1377         * stress/big-int-branch-usage.js: Added.
1378         * stress/big-int-logical-and.js: Added.
1379         * stress/big-int-logical-not.js: Added.
1380         * stress/big-int-logical-or.js: Added.
1381
1382 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1383
1384         [ESNext][BigInt] Implement support for "<<" and ">>"
1385         https://bugs.webkit.org/show_bug.cgi?id=186233
1386
1387         Reviewed by Yusuke Suzuki.
1388
1389         * stress/big-int-left-shift-general.js: Added.
1390         * stress/big-int-left-shift-range-error.js: Added.
1391         * stress/big-int-left-shift-type-error.js: Added.
1392         * stress/big-int-left-shift-wrapped-value.js: Added.
1393         * stress/big-int-right-shift-general.js: Added.
1394         * stress/big-int-right-shift-type-error.js: Added.
1395         * stress/big-int-right-shift-wrapped-value.js: Added.
1396         * stress/left-shift-to-primitive-precedence.js: Added.
1397         * stress/right-shift-to-primitive-precedence.js: Added.
1398
1399 2018-11-30  Dean Jackson  <dino@apple.com>
1400
1401         Add first-class support for .mjs files in jsc binary
1402         https://bugs.webkit.org/show_bug.cgi?id=192190
1403         <rdar://problem/46375715>
1404
1405         Reviewed by Keith Miller.
1406
1407         * stress/simple-module.mjs: Added.
1408         * stress/simple-script.js: Added.
1409
1410 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1411
1412         [BigInt] Implement ValueBitXor into DFG
1413         https://bugs.webkit.org/show_bug.cgi?id=190264
1414
1415         Reviewed by Yusuke Suzuki.
1416
1417         * stress/big-int-bitwise-xor-jit.js: Added.
1418         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1419         * stress/big-int-bitwise-xor-untyped.js: Added.
1420
1421 2018-11-27  Saam barati  <sbarati@apple.com>
1422
1423         r238510 broke scopes of size zero
1424         https://bugs.webkit.org/show_bug.cgi?id=192033
1425         <rdar://problem/46281734>
1426
1427         Reviewed by Keith Miller.
1428
1429         * stress/r238510-bad-loop.js: Added.
1430         (foo):
1431
1432 2018-11-27  Mark Lam  <mark.lam@apple.com>
1433
1434         [Re-landing] NaNs read from Wasm code needs to be be purified.
1435         https://bugs.webkit.org/show_bug.cgi?id=191056
1436         <rdar://problem/45660341>
1437
1438         Reviewed by Filip Pizlo.
1439
1440         * wasm/regress/regress-191056.js: Added.
1441
1442 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1443
1444         Unreviewed, rolling out r238509.
1445
1446         Causes JSC tests to fail on iOS.
1447
1448         Reverted changeset:
1449
1450         "NaNs read from Wasm code needs to be be purified."
1451         https://bugs.webkit.org/show_bug.cgi?id=191056
1452         https://trac.webkit.org/changeset/238509
1453
1454 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1455
1456         Re-introduce op_bitnot
1457         https://bugs.webkit.org/show_bug.cgi?id=190923
1458
1459         Reviewed by Yusuke Suzuki.
1460
1461         * stress/bit-not-must-generate.js: Added.
1462         * stress/bitwise-not-no-int32.js: Added.
1463
1464 2018-11-26  Saam barati  <sbarati@apple.com>
1465
1466         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1467         https://bugs.webkit.org/show_bug.cgi?id=191956
1468         <rdar://problem/45665806>
1469
1470         Reviewed by Yusuke Suzuki.
1471
1472         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1473         (bar):
1474         (foo):
1475
1476 2018-11-26  Saam barati  <sbarati@apple.com>
1477
1478         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1479         https://bugs.webkit.org/show_bug.cgi?id=191958
1480         <rdar://problem/46221877>
1481
1482         Reviewed by Yusuke Suzuki.
1483
1484         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1485         (x):
1486         (foo):
1487
1488 2018-11-26  Mark Lam  <mark.lam@apple.com>
1489
1490         NaNs read from Wasm code needs to be be purified.
1491         https://bugs.webkit.org/show_bug.cgi?id=191056
1492         <rdar://problem/45660341>
1493
1494         Reviewed by Filip Pizlo.
1495
1496         * wasm/regress/regress-191056.js: Added.
1497
1498 2018-11-26  Michael Saboff  <msaboff@apple.com>
1499
1500         32-bit JSC test failure: stress/regexp-compile-oom.js
1501         https://bugs.webkit.org/show_bug.cgi?id=191375
1502
1503         Reviewed by Mark Lam.
1504
1505         Disabled the test for 32 bit platforms.
1506
1507         * stress/regexp-compile-oom.js:
1508
1509 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1510
1511         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1512         https://bugs.webkit.org/show_bug.cgi?id=191716
1513         <rdar://problem/45723878>
1514
1515         Reviewed by Saam Barati.
1516
1517         * stress/regress-187373.js: Added.
1518         (async.fn):
1519
1520 2018-11-21  Saam barati  <sbarati@apple.com>
1521
1522         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1523         https://bugs.webkit.org/show_bug.cgi?id=191897
1524         <rdar://problem/45871998>
1525
1526         Reviewed by Mark Lam.
1527
1528         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1529         (bar):
1530         (foo):
1531
1532 2018-11-21  Saam barati  <sbarati@apple.com>
1533
1534         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1535         https://bugs.webkit.org/show_bug.cgi?id=191895
1536         <rdar://problem/46167406>
1537
1538         Reviewed by Mark Lam.
1539
1540         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1541         (foo):
1542         (bar):
1543
1544 2018-11-21  Mark Lam  <mark.lam@apple.com>
1545
1546         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1547         https://bugs.webkit.org/show_bug.cgi?id=191776
1548         <rdar://problem/46152851>
1549
1550         Reviewed by Saam Barati.
1551
1552         * stress/big-wasm-memory-grow-no-max.js:
1553         * stress/big-wasm-memory-grow.js:
1554         * stress/big-wasm-memory.js:
1555         - updated these to expect an OutOfMemoryError.
1556
1557         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1558         (Binary.prototype.emit_u8):
1559         (Binary.prototype.emit_u32v):
1560         (Binary.prototype.emit_header):
1561         (Binary.prototype.emit_section):
1562         (Binary):
1563         (WasmModuleBuilder):
1564         (WasmModuleBuilder.prototype.addMemory):
1565         (WasmModuleBuilder.prototype.toArray):
1566         (WasmModuleBuilder.prototype.toBuffer):
1567         (WasmModuleBuilder.prototype.instantiate):
1568         (catch):
1569         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1570         (catch):
1571
1572 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1573
1574         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1575         https://bugs.webkit.org/show_bug.cgi?id=190836
1576
1577         Reviewed by Saam Barati and Yusuke Suzuki.
1578
1579         * stress/big-int-out-of-memory-tests.js: Added.
1580
1581 2018-11-20  Mark Lam  <mark.lam@apple.com>
1582
1583         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1584         https://bugs.webkit.org/show_bug.cgi?id=191856
1585         <rdar://problem/46089992>
1586
1587         Reviewed by Yusuke Suzuki.
1588
1589         * stress/regress-191856.js: Added.
1590         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1591
1592 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1593
1594         Enable JIT on ARM/Linux
1595         https://bugs.webkit.org/show_bug.cgi?id=191548
1596
1597         Reviewed by Yusuke Suzuki.
1598
1599         Disable test on system with limited memory. Program was killed by
1600         the OS before the exception was thrown.
1601
1602         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1603
1604 2018-11-20  Saam barati  <sbarati@apple.com>
1605
1606         Merging an IC variant may lead to the IC status containing overlapping structure sets
1607         https://bugs.webkit.org/show_bug.cgi?id=191869
1608         <rdar://problem/45403453>
1609
1610         Reviewed by Mark Lam.
1611
1612         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1613
1614 2018-11-19  Mark Lam  <mark.lam@apple.com>
1615
1616         globalFuncImportModule() should return a promise when it clears exceptions.
1617         https://bugs.webkit.org/show_bug.cgi?id=191792
1618         <rdar://problem/46090763>
1619
1620         Reviewed by Michael Saboff.
1621
1622         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1623
1624 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1625
1626         Skip new memory-hungry tests on memory limited devices
1627
1628         Unreviewed gardening.
1629
1630         * stress/big-wasm-memory-grow-no-max.js:
1631         * stress/big-wasm-memory-grow.js:
1632         * stress/big-wasm-memory.js:
1633
1634 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1635
1636         Unreviewed, rolling in the rest of r237254
1637         https://bugs.webkit.org/show_bug.cgi?id=190340
1638
1639         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1640         * stress/function-cache-with-parameters-end-position.js: Added.
1641         (shouldBe):
1642         (shouldThrow):
1643         (i.anonymous):
1644         * stress/function-constructor-name.js: Added.
1645         (shouldBe):
1646         (GeneratorFunction):
1647         (AsyncFunction.async):
1648         (AsyncGeneratorFunction.async):
1649         (anonymous):
1650         (async.anonymous):
1651         * test262/expectations.yaml:
1652
1653 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1654
1655         All users of ArrayBuffer should agree on the same max size
1656         https://bugs.webkit.org/show_bug.cgi?id=191771
1657
1658         Reviewed by Mark Lam.
1659
1660         * stress/big-wasm-memory-grow-no-max.js: Added.
1661         (foo):
1662         (catch):
1663         * stress/big-wasm-memory-grow.js: Added.
1664         (foo):
1665         (catch):
1666         * stress/big-wasm-memory.js: Added.
1667         (foo):
1668         (catch):
1669
1670 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1671
1672         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1673         run for each JSC config since they're regression tests for runtime bugs.
1674
1675         * stress/json-stringified-overflow-2.js:
1676         * stress/json-stringified-overflow.js:
1677
1678 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1679
1680         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1681         config since they're regression tests for runtime bugs.
1682
1683         * stress/large-unshift-splice.js:
1684         * stress/regress-185888.js:
1685
1686 2018-11-16  Saam Barati  <sbarati@apple.com>
1687
1688         KnownCellUse should also have SpecCellCheck as its type filter
1689         https://bugs.webkit.org/show_bug.cgi?id=191729
1690         <rdar://problem/45872852>
1691
1692         Reviewed by Filip Pizlo.
1693
1694         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1695         (C):
1696
1697 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1698
1699         Fix assertion failure on BytecodeGenerator::recordOpcode
1700         https://bugs.webkit.org/show_bug.cgi?id=191724
1701         <rdar://problem/45724395>
1702
1703         Reviewed by Saam Barati.
1704
1705         * stress/regress-187373-2.js: Added.
1706         (foo):
1707
1708 2018-11-15  Mark Lam  <mark.lam@apple.com>
1709
1710         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1711         https://bugs.webkit.org/show_bug.cgi?id=191730
1712         <rdar://problem/46048517>
1713
1714         Reviewed by Saam Barati.
1715
1716         * stress/regress-187006.js: Removed.
1717           - this test is invalid because its sole purpose is to test for the non-spec
1718             compliant behavior that we just fixed.
1719
1720         * stress/regress-191730.js: Added.
1721
1722 2018-11-15  Mark Lam  <mark.lam@apple.com>
1723
1724         RegExp operations should not take fast patch if lastIndex is not numeric.
1725         https://bugs.webkit.org/show_bug.cgi?id=191731
1726         <rdar://problem/46017305>
1727
1728         Reviewed by Saam Barati.
1729
1730         * stress/regress-191731.js: Added.
1731
1732 2018-11-13  Saam Barati  <sbarati@apple.com>
1733
1734         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1735         https://bugs.webkit.org/show_bug.cgi?id=191600
1736
1737         Reviewed by Mark Lam.
1738
1739         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1740         (foo):
1741         (test):
1742         (bar):
1743
1744 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1745
1746         Unreviewed, rolling out r238132.
1747
1748         The test added with this change is timing out on Debug JSC
1749         bots.
1750
1751         Reverted changeset:
1752
1753         "[BigInt] JSBigInt::createWithLength should throw when length
1754         is greater than JSBigInt::maxLength"
1755         https://bugs.webkit.org/show_bug.cgi?id=190836
1756         https://trac.webkit.org/changeset/238132
1757
1758 2018-11-13  Mark Lam  <mark.lam@apple.com>
1759
1760         Add OOM detection to StringPrototype's substituteBackreferences().
1761         https://bugs.webkit.org/show_bug.cgi?id=191563
1762         <rdar://problem/45720428>
1763
1764         Reviewed by Saam Barati.
1765
1766         * stress/regress-191563.js: Added.
1767
1768 2018-11-13  Mark Lam  <mark.lam@apple.com>
1769
1770         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1771         https://bugs.webkit.org/show_bug.cgi?id=191579
1772         <rdar://problem/45942472>
1773
1774         Reviewed by Saam Barati.
1775
1776         * stress/regress-191579.js: Added.
1777
1778 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1779
1780         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1781         https://bugs.webkit.org/show_bug.cgi?id=190836
1782
1783         Reviewed by Saam Barati.
1784
1785         * stress/big-int-out-of-memory-tests.js: Added.
1786
1787 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1788
1789         U+180E is no longer a whitespace character
1790         https://bugs.webkit.org/show_bug.cgi?id=191415
1791
1792         Reviewed by Saam Barati.
1793
1794         * ChakraCore/test/es5/regexSpace.baseline:
1795         * ChakraCore/test/es6/unicode_whitespace.js:
1796         Update tests to latest version.
1797         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1798
1799         * test262.yaml:
1800         * test262/config.yaml:
1801         * test262/expectations.yaml:
1802         Update expectations.
1803
1804 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1805
1806         [BigInt] Add support to BigInt into ValueAdd
1807         https://bugs.webkit.org/show_bug.cgi?id=186177
1808
1809         Reviewed by Keith Miller.
1810
1811         * stress/big-int-negate-jit.js:
1812         * stress/value-add-big-int-and-string.js: Added.
1813         * stress/value-add-big-int-prediction-propagation.js: Added.
1814         * stress/value-add-big-int-untyped.js: Added.
1815
1816 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1817
1818         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1819         https://bugs.webkit.org/show_bug.cgi?id=191184
1820
1821         Reviewed by Saam Barati.
1822
1823         Most tests were failing due to timeouts, since they are too slow to
1824         run on CLoop. The exceptions are:
1825
1826         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1827         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1828         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1829         to change the stack size since CLoop requires it to be page aligned.
1830
1831         * microbenchmarks/array-push-1.js:
1832         * microbenchmarks/array-push-2.js:
1833         * microbenchmarks/elidable-new-object-dag.js:
1834         * microbenchmarks/elidable-new-object-roflcopter.js:
1835         * microbenchmarks/elidable-new-object-tree.js:
1836         * microbenchmarks/getter-richards.js:
1837         * microbenchmarks/sinkable-new-object-dag.js:
1838         * microbenchmarks/string-concat-long-convert.js:
1839         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1840         * slowMicrobenchmarks/array-push-3.js:
1841         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1842         * slowMicrobenchmarks/spread-small-array.js:
1843         * slowMicrobenchmarks/undefined-property-access.js:
1844         * stress/activation-sink-default-value-tdz-error.js:
1845         * stress/activation-sink-default-value.js:
1846         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1847         * stress/activation-sink-osrexit-default-value.js:
1848         * stress/activation-sink-osrexit.js:
1849         * stress/activation-sink.js:
1850         * stress/allow-math-ic-b3-code-duplication.js:
1851         * stress/array-push-multiple-int32.js:
1852         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1853         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1854         * stress/arrowfunction-lexical-this-activation-sink.js:
1855         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1856         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1857         * stress/elide-new-object-dag-then-exit.js:
1858         * stress/materialize-regexp-cyclic.js:
1859         * stress/new-regex-inline.js:
1860         * stress/op_add.js:
1861         * stress/op_bitand.js:
1862         * stress/op_bitor.js:
1863         * stress/op_bitxor.js:
1864         * stress/op_div-ConstVar.js:
1865         * stress/op_div-VarConst.js:
1866         * stress/op_div-VarVar.js:
1867         * stress/op_lshift-ConstVar.js:
1868         * stress/op_lshift-VarConst.js:
1869         * stress/op_lshift-VarVar.js:
1870         * stress/op_mod-ConstVar.js:
1871         * stress/op_mod-VarConst.js:
1872         * stress/op_mod-VarVar.js:
1873         * stress/op_mul-ConstVar.js:
1874         * stress/op_mul-VarConst.js:
1875         * stress/op_mul-VarVar.js:
1876         * stress/op_rshift-ConstVar.js:
1877         * stress/op_rshift-VarConst.js:
1878         * stress/op_rshift-VarVar.js:
1879         * stress/op_sub-ConstVar.js:
1880         * stress/op_sub-VarConst.js:
1881         * stress/op_sub-VarVar.js:
1882         * stress/op_urshift-ConstVar.js:
1883         * stress/op_urshift-VarConst.js:
1884         * stress/op_urshift-VarVar.js:
1885         * stress/proxy-get-set-correct-receiver.js:
1886         * stress/regress-179562.js:
1887         * stress/rest-parameter-many-arguments.js:
1888         * stress/sampling-profiler-richards.js:
1889         * stress/splay-flash-access-1ms.js:
1890         * stress/tailCallForwardArguments.js:
1891         * stress/typed-array-get-by-val-profiling.js:
1892         * typeProfiler/getter-richards.js:
1893
1894 2018-11-06  Michael Saboff  <msaboff@apple.com>
1895
1896         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1897         https://bugs.webkit.org/show_bug.cgi?id=191271
1898
1899         Reviewed by Saam Barati.
1900
1901         Added more test cases and made all test cases run with the same deeply recursive stack
1902         instead of finding that same point for each test case.
1903
1904         * stress/regexp-compile-oom.js:
1905         (prototype.runTest):
1906         (recurseAndTest):
1907         (testList.push.new.TestAndExpectedException):
1908
1909 2018-11-05  Michael Saboff  <msaboff@apple.com>
1910
1911         Unreviewed build fix for linux.
1912
1913         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1914
1915 2018-11-02  Michael Saboff  <msaboff@apple.com>
1916
1917         Rolling in r237753 with unreviewed build fix.
1918
1919         Fixed issues with DECLARE_THROW_SCOPE placement.
1920
1921 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1922
1923         Unreviewed, rolling out r237753.
1924
1925         Introduced JSC test failures
1926
1927         Reverted changeset:
1928
1929         "Running out of stack space not properly handled in
1930         RegExp::compile() and its callers"
1931         https://bugs.webkit.org/show_bug.cgi?id=191206
1932         https://trac.webkit.org/changeset/237753
1933
1934 2018-11-02  Michael Saboff  <msaboff@apple.com>
1935
1936         Running out of stack space not properly handled in RegExp::compile() and its callers
1937         https://bugs.webkit.org/show_bug.cgi?id=191206
1938
1939         Reviewed by Filip Pizlo.
1940
1941         New regression test.
1942
1943         * stress/regexp-compile-oom.js: Added.
1944         (recurseAndTest):
1945
1946 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1947
1948         Skip tests on arm/mips that time out now we're running on CLoop
1949
1950         Unreviewed gardening.
1951
1952         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1953         time out on the bots and need to be disabled. There's more tests
1954         disabled on arm because the timeout is longer on the mips bot (as the
1955         device is slower to start with), so many of the tests don't time out
1956         there.
1957
1958         * microbenchmarks/getter-richards.js: disable on arm and mips.
1959         * stress/op_add.js: disable on arm.
1960         * stress/op_bitand.js: disable on arm.
1961         * stress/op_bitor.js: disable on arm.
1962         * stress/op_bitxor.js: disable on arm.
1963         * stress/op_lshift-ConstVar.js: disable on arm.
1964         * stress/op_lshift-VarConst.js: disable on arm.
1965         * stress/op_lshift-VarVar.js: disable on arm.
1966         * stress/op_mod-ConstVar.js: disable on arm.
1967         * stress/op_mod-VarConst.js: disable on arm.
1968         * stress/op_mod-VarVar.js: disable on arm.
1969         * stress/op_mul-ConstVar.js: disable on arm.
1970         * stress/op_mul-VarConst.js: disable on arm.
1971         * stress/op_mul-VarVar.js: disable on arm.
1972         * stress/op_rshift-ConstVar.js: disable on arm.
1973         * stress/op_rshift-VarConst.js: disable on arm.
1974         * stress/op_rshift-VarVar.js: disable on arm.
1975         * stress/op_sub-ConstVar.js: disable on arm.
1976         * stress/op_sub-VarConst.js: disable on arm.
1977         * stress/op_sub-VarVar.js: disable on arm.
1978         * stress/op_urshift-ConstVar.js: disable on arm.
1979         * stress/op_urshift-VarConst.js: disable on arm.
1980         * stress/op_urshift-VarVar.js: disable on arm.
1981         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1982         * stress/value-to-boolean.js: disable on arm and mips.
1983
1984 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1985
1986         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1987         https://bugs.webkit.org/show_bug.cgi?id=191108
1988         <rdar://problem/45690700>
1989
1990         Reviewed by Saam Barati.
1991
1992         * stress/wide-op_catch.js: Added.
1993         (catch):
1994
1995 2018-10-29  Mark Lam  <mark.lam@apple.com>
1996
1997         Correctly detect string overflow when using the 'Function' constructor.
1998         https://bugs.webkit.org/show_bug.cgi?id=184883
1999         <rdar://problem/36320331>
2000
2001         Reviewed by Saam Barati.
2002
2003         I've verified that this passes on 32-bit as well.
2004
2005         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2006
2007 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2008
2009         Add support for GetStack FlushedDouble
2010         https://bugs.webkit.org/show_bug.cgi?id=191012
2011         <rdar://problem/45265141>
2012
2013         Reviewed by Saam Barati.
2014
2015         * stress/get-stack-double.js: Added.
2016         (bar):
2017         (noInline):
2018
2019 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2020
2021         New bytecode format for JSC
2022         https://bugs.webkit.org/show_bug.cgi?id=187373
2023         <rdar://problem/44186758>
2024
2025         Reviewed by Filip Pizlo.
2026
2027         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2028
2029         * stress/maximum-inline-capacity.js: Added.
2030         (test1):
2031         (test3.Foo):
2032         (test3):
2033
2034 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2035
2036         Unreviewed, rolling out r237479 and r237484.
2037         https://bugs.webkit.org/show_bug.cgi?id=190978
2038
2039         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2040
2041         Reverted changesets:
2042
2043         "New bytecode format for JSC"
2044         https://bugs.webkit.org/show_bug.cgi?id=187373
2045         https://trac.webkit.org/changeset/237479
2046
2047         "Gardening: Build fix after r237479."
2048         https://bugs.webkit.org/show_bug.cgi?id=187373
2049         https://trac.webkit.org/changeset/237484
2050
2051 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2052
2053         New bytecode format for JSC
2054         https://bugs.webkit.org/show_bug.cgi?id=187373
2055         <rdar://problem/44186758>
2056
2057         Reviewed by Filip Pizlo.
2058
2059         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2060
2061         * stress/maximum-inline-capacity.js: Added.
2062         (test1):
2063         (test3.Foo):
2064         (test3):
2065
2066 2018-10-26  Mark Lam  <mark.lam@apple.com>
2067
2068         Fix missing edge cases with JSGlobalObjects having a bad time.
2069         https://bugs.webkit.org/show_bug.cgi?id=189028
2070         <rdar://problem/45204939>
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/regress-189028.js: Added.
2075
2076 2018-10-22  Mark Lam  <mark.lam@apple.com>
2077
2078         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2079         https://bugs.webkit.org/show_bug.cgi?id=190515
2080         <rdar://problem/45222379>
2081
2082         Rubber-stamped by Saam Barati.
2083
2084         Adding another test.
2085
2086         * stress/regress-190515-2.js: Added.
2087
2088 2018-10-22  Mark Lam  <mark.lam@apple.com>
2089
2090         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2091         https://bugs.webkit.org/show_bug.cgi?id=190515
2092         <rdar://problem/45222379>
2093
2094         Reviewed by Saam Barati.
2095
2096         * stress/regress-190515.js: Added.
2097
2098 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2099
2100         Unreviewed, rolling out r237254.
2101         https://bugs.webkit.org/show_bug.cgi?id=190760
2102
2103         "It regresses JetStream 2 by 5% on some iOS devices"
2104         (Requested by saamyjoon on #webkit).
2105
2106         Reverted changeset:
2107
2108         "[JSC] JSC should have "parseFunction" to optimize Function
2109         constructor"
2110         https://bugs.webkit.org/show_bug.cgi?id=190340
2111         https://trac.webkit.org/changeset/237254
2112
2113 2018-10-19  Saam Barati  <sbarati@apple.com>
2114
2115         vmCall should check if we exit before emitting an OSR exit due to exceptions
2116         https://bugs.webkit.org/show_bug.cgi?id=190740
2117         <rdar://problem/45220139>
2118
2119         Reviewed by Mark Lam.
2120
2121         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2122         (foo):
2123
2124 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2125
2126         [ESNext][BigInt] Implement support for "^"
2127         https://bugs.webkit.org/show_bug.cgi?id=186235
2128
2129         Reviewed by Yusuke Suzuki.
2130
2131         * stress/big-int-bitwise-xor-general.js: Added.
2132         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2133         * stress/big-int-bitwise-xor-type-error.js: Added.
2134         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2135
2136 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2137
2138         [BigInt] Add ValueSub into DFG
2139         https://bugs.webkit.org/show_bug.cgi?id=186176
2140
2141         Reviewed by Yusuke Suzuki.
2142
2143         * stress/big-int-subtraction-jit.js:
2144         * stress/value-sub-big-int-prediction-propagation.js: Added.
2145         * stress/value-sub-big-int-untyped.js: Added.
2146         * stress/value-sub-spec-none-case.js: Added.
2147
2148 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2149
2150         [JSC] JSC should have "parseFunction" to optimize Function constructor
2151         https://bugs.webkit.org/show_bug.cgi?id=190340
2152
2153         Reviewed by Mark Lam.
2154
2155         This patch fixes the line number of syntax errors raised by the Function constructor,
2156         since we now parse the final code only once. And we no longer use block statement
2157         for Function constructor's parsing.
2158
2159         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2160         * stress/function-cache-with-parameters-end-position.js: Added.
2161         (shouldBe):
2162         (shouldThrow):
2163         (i.anonymous):
2164         * stress/function-constructor-name.js: Added.
2165         (shouldBe):
2166         (GeneratorFunction):
2167         (AsyncFunction.async):
2168         (AsyncGeneratorFunction.async):
2169         (anonymous):
2170         (async.anonymous):
2171         * test262/expectations.yaml:
2172
2173 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2174
2175         Unreviewed, rolling out r237242.
2176         https://bugs.webkit.org/show_bug.cgi?id=190701
2177
2178         it breaks "stress/sampling-profiler-basic.js" (Requested by
2179         caiolima on #webkit).
2180
2181         Reverted changeset:
2182
2183         "[BigInt] Add ValueSub into DFG"
2184         https://bugs.webkit.org/show_bug.cgi?id=186176
2185         https://trac.webkit.org/changeset/237242
2186
2187 2018-10-17  Keith Miller  <keith_miller@apple.com>
2188
2189         AI does not clear Phantom allocation nodes.
2190         https://bugs.webkit.org/show_bug.cgi?id=190694
2191
2192         Reviewed by Saam Barati.
2193
2194         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2195         (Day):
2196         (DaysInYear):
2197         (TimeInYear):
2198         (TimeFromYear):
2199         (DayFromYear):
2200         (InLeapYear):
2201         (YearFromTime):
2202         (WeekDay):
2203         (DaylightSavingTA):
2204         (GetSecondSundayInMarch):
2205         (TimeInMonth):
2206
2207 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2208
2209         [BigInt] Add ValueSub into DFG
2210         https://bugs.webkit.org/show_bug.cgi?id=186176
2211
2212         Reviewed by Yusuke Suzuki.
2213
2214         * stress/big-int-subtraction-jit.js:
2215         * stress/value-sub-big-int-prediction-propagation.js: Added.
2216         * stress/value-sub-big-int-untyped.js: Added.
2217
2218 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2219
2220         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2221         https://bugs.webkit.org/show_bug.cgi?id=190611
2222
2223         Reviewed by Saam Barati.
2224
2225         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2226         to improve test runtime. On ARM/MIPS this test even timed out when running all
2227         tests.
2228
2229         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2230         (test):
2231
2232 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2233
2234         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2235
2236         Unreviewed gardening.
2237
2238         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2239
2240 2018-10-15  Saam barati  <sbarati@apple.com>
2241
2242         Emit fjcvtzs on ARM64E on Darwin
2243         https://bugs.webkit.org/show_bug.cgi?id=184023
2244
2245         Reviewed by Yusuke Suzuki and Filip Pizlo.
2246
2247         * stress/double-to-int32-NaN.js: Added.
2248         (assert):
2249         (foo):
2250
2251 2018-10-15  Saam Barati  <sbarati@apple.com>
2252
2253         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2254         https://bugs.webkit.org/show_bug.cgi?id=190262
2255         <rdar://problem/44986241>
2256
2257         Reviewed by Mark Lam.
2258
2259         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2260         (test):
2261         * stress/slice-array-storage-with-holes.js: Added.
2262         (main):
2263
2264 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2265
2266         Unreviewed, rolling out r237054.
2267         https://bugs.webkit.org/show_bug.cgi?id=190593
2268
2269         "this regressed JetStream 2 by 6% on iOS" (Requested by
2270         saamyjoon on #webkit).
2271
2272         Reverted changeset:
2273
2274         "[JSC] JSC should have "parseFunction" to optimize Function
2275         constructor"
2276         https://bugs.webkit.org/show_bug.cgi?id=190340
2277         https://trac.webkit.org/changeset/237054
2278
2279 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2280
2281         [JSC] JSON.stringify can accept call-with-no-arguments
2282         https://bugs.webkit.org/show_bug.cgi?id=190343
2283
2284         Reviewed by Mark Lam.
2285
2286         * stress/json-stringify-no-arguments.js: Added.
2287         (shouldBe):
2288
2289 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2290
2291         [JSC] JSC should have "parseFunction" to optimize Function constructor
2292         https://bugs.webkit.org/show_bug.cgi?id=190340
2293
2294         Reviewed by Mark Lam.
2295
2296         This patch fixes the line number of syntax errors raised by the Function constructor,
2297         since we now parse the final code only once. And we no longer use block statement
2298         for Function constructor's parsing.
2299
2300         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2301         * stress/function-cache-with-parameters-end-position.js: Added.
2302         (shouldBe):
2303         (shouldThrow):
2304         (i.anonymous):
2305         * stress/function-constructor-name.js: Added.
2306         (shouldBe):
2307         (GeneratorFunction):
2308         (AsyncFunction.async):
2309         (AsyncGeneratorFunction.async):
2310         (anonymous):
2311         (async.anonymous):
2312         * test262/expectations.yaml:
2313
2314 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2315
2316         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2317         https://bugs.webkit.org/show_bug.cgi?id=190426
2318
2319         Unreviewed gardening.
2320
2321         * stress/sampling-profiler-richards.js:
2322
2323 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2324
2325         [ESNext][BigInt] Implement support for "|"
2326         https://bugs.webkit.org/show_bug.cgi?id=186229
2327
2328         Reviewed by Yusuke Suzuki.
2329
2330         * stress/big-int-bitwise-and-jit.js:
2331         * stress/big-int-bitwise-or-general.js: Added.
2332         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2333         * stress/big-int-bitwise-or-jit.js: Added.
2334         * stress/big-int-bitwise-or-memory-stress.js: Added.
2335         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2336         * stress/big-int-bitwise-or-type-error.js: Added.
2337         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2338
2339 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2340
2341         Skip test on systems with limited memory
2342         https://bugs.webkit.org/show_bug.cgi?id=190310
2343
2344         Invoking runDefault adds test to runlist, skipping the test in the next
2345         line does not prevent the test from executing. Change order of lines such
2346         that runDefault is only executed if test is not executed.
2347
2348         Reviewed by Mark Lam.
2349
2350         * stress/regress-190187.js:
2351
2352 2018-10-03  Saam barati  <sbarati@apple.com>
2353
2354         lowXYZ in FTLLower should always filter the type of the incoming edge
2355         https://bugs.webkit.org/show_bug.cgi?id=189939
2356         <rdar://problem/44407030>
2357
2358         Reviewed by Michael Saboff.
2359
2360         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2361         (foo):
2362         (test):
2363
2364 2018-10-03  Mark Lam  <mark.lam@apple.com>
2365
2366         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2367         https://bugs.webkit.org/show_bug.cgi?id=190187
2368         <rdar://problem/42512909>
2369
2370         Reviewed by Michael Saboff.
2371
2372         * stress/regress-190187.js: Added.
2373
2374 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2375
2376         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2377         https://bugs.webkit.org/show_bug.cgi?id=190033
2378
2379         Reviewed by Yusuke Suzuki.
2380
2381         * stress/big-int-to-string.js:
2382
2383 2018-10-01  Mark Lam  <mark.lam@apple.com>
2384
2385         Function.toString() should also copy the source code Functions that are class definitions.
2386         https://bugs.webkit.org/show_bug.cgi?id=190186
2387         <rdar://problem/44733360>
2388
2389         Reviewed by Saam Barati.
2390
2391         * stress/regress-190186.js: Added.
2392
2393 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2394
2395         Split NaN-check into separate test
2396         https://bugs.webkit.org/show_bug.cgi?id=190010
2397
2398         Reviewed by Saam Barati.
2399
2400         DataView exposes NaN-representation, which is not necessarily the same on each
2401         architecture. Therefore move the check of the NaN-representation into its own
2402         file such that we can disable this test on MIPS where NaN-representation can be
2403         different on older CPUs.
2404
2405         * stress/dataview-jit-set-nan.js: Added.
2406         (assert):
2407         (test.storeLittleEndian):
2408         (test.storeBigEndian):
2409         (test.store):
2410         (test):
2411         * stress/dataview-jit-set.js:
2412         (test5):
2413
2414 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2415
2416         Unreviewed, rolling out r236647.
2417         https://bugs.webkit.org/show_bug.cgi?id=190124
2418
2419         Breaking test stress/big-int-to-string.js (Requested by
2420         caiolima_ on #webkit).
2421
2422         Reverted changeset:
2423
2424         "[BigInt] BigInt.proptotype.toString is broken when radix is
2425         power of 2"
2426         https://bugs.webkit.org/show_bug.cgi?id=190033
2427         https://trac.webkit.org/changeset/236647
2428
2429 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2430
2431         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2432         https://bugs.webkit.org/show_bug.cgi?id=190033
2433
2434         Reviewed by Yusuke Suzuki.
2435
2436         * stress/big-int-to-string.js:
2437
2438 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2439
2440         [ESNext][BigInt] Implement support for "&"
2441         https://bugs.webkit.org/show_bug.cgi?id=186228
2442
2443         Reviewed by Yusuke Suzuki.
2444
2445         * stress/big-int-bitwise-and-general.js: Added.
2446         (assert):
2447         (assert.sameValue):
2448         * stress/big-int-bitwise-and-jit.js: Added.
2449         (let.assert.sameValue):
2450         (bigIntBitAnd):
2451         * stress/big-int-bitwise-and-memory-stress.js: Added.
2452         (assert):
2453         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2454         (assert.sameValue):
2455         (let.o.Symbol.toPrimitive):
2456         (catch):
2457         * stress/big-int-bitwise-and-type-error.js: Added.
2458         (assert):
2459         (assertThrowTypeError):
2460         (let.o.valueOf):
2461         (o.valueOf):
2462         (o.toString):
2463         (o.Symbol.toPrimitive):
2464         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2465         (assert.sameValue):
2466         (testBitAnd):
2467         (let.o.Symbol.toPrimitive):
2468         (o.valueOf):
2469         (o.toString):
2470
2471 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2472
2473         JSC test stress/jsc-read.js doesn't support CRLF
2474         https://bugs.webkit.org/show_bug.cgi?id=190063
2475
2476         Reviewed by Yusuke Suzuki.
2477
2478         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2479
2480         * stress/jsc-read.js:
2481         (test):
2482
2483 2018-09-27  Saam barati  <sbarati@apple.com>
2484
2485         Verify the contents of AssemblerBuffer on arm64e
2486         https://bugs.webkit.org/show_bug.cgi?id=190057
2487         <rdar://problem/38916630>
2488
2489         Reviewed by Mark Lam.
2490
2491         * stress/regress-189132.js:
2492
2493 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2494
2495         Disable test without LLInt on ARMv7
2496         https://bugs.webkit.org/show_bug.cgi?id=190037
2497
2498         Reviewed by Mark Lam.
2499
2500         Test runs out of executable memory on ARMv7, do not run
2501         this test without LLInt enabled.
2502
2503         * stress/regress-169445.js:
2504
2505 2018-09-26  Keith Miller  <keith_miller@apple.com>
2506
2507         We should zero unused property storage when rebalancing array storage.
2508         https://bugs.webkit.org/show_bug.cgi?id=188151
2509
2510         Reviewed by Michael Saboff.
2511
2512         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2513
2514 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2515
2516         [JSC] Optimize Array#lastIndexOf
2517         https://bugs.webkit.org/show_bug.cgi?id=189780
2518
2519         Reviewed by Saam Barati.
2520
2521         * stress/array-lastindexof-array-prototype-trap.js: Added.
2522         (shouldBe):
2523         (AncestorArray.prototype.get 2):
2524         (AncestorArray):
2525         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2526         (shouldBe):
2527         * stress/array-lastindexof-hole-nan.js: Added.
2528         (shouldBe):
2529         (throw.new.Error):
2530         * stress/array-lastindexof-infinity.js: Added.
2531         (shouldBe):
2532         (throw.new.Error):
2533         * stress/array-lastindexof-negative-zero.js: Added.
2534         (shouldBe):
2535         (throw.new.Error):
2536         * stress/array-lastindexof-own-getter.js: Added.
2537         (shouldBe):
2538         (throw.new.Error.get array):
2539         (get array):
2540         * stress/array-lastindexof-prototype-trap.js: Added.
2541         (shouldBe):
2542         (DerivedArray.prototype.get 2):
2543         (DerivedArray):
2544
2545 2018-09-25  Saam Barati  <sbarati@apple.com>
2546
2547         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2548         https://bugs.webkit.org/show_bug.cgi?id=189940
2549         <rdar://problem/43640987>
2550
2551         Reviewed by Mark Lam.
2552
2553         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2554
2555 2018-09-24  Saam Barati  <sbarati@apple.com>
2556
2557         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2558         https://bugs.webkit.org/show_bug.cgi?id=189922
2559         <rdar://problem/44651275>
2560
2561         Reviewed by Mark Lam.
2562
2563         * stress/array-indexof-fast-path-effects.js: Added.
2564         * stress/array-indexof-cached-length.js: Added.
2565
2566 2018-09-24  Saam barati  <sbarati@apple.com>
2567
2568         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2569         https://bugs.webkit.org/show_bug.cgi?id=189682
2570         <rdar://problem/43557315>
2571
2572         Reviewed by Mark Lam.
2573
2574         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2575         (foo):
2576
2577 2018-09-22  Saam barati  <sbarati@apple.com>
2578
2579         The sampling should not use Strong<CodeBlock> in its machineLocation field
2580         https://bugs.webkit.org/show_bug.cgi?id=189319
2581
2582         Reviewed by Filip Pizlo.
2583
2584         * stress/sampling-profiler-richards.js: Added.
2585
2586 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2587
2588         [JSC] Optimize Array#indexOf in C++ runtime
2589         https://bugs.webkit.org/show_bug.cgi?id=189507
2590
2591         Reviewed by Saam Barati.
2592
2593         * stress/array-indexof-array-prototype-trap.js: Added.
2594         (shouldBe):
2595         (AncestorArray.prototype.get 2):
2596         (AncestorArray):
2597         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2598         (shouldBe):
2599         * stress/array-indexof-hole-nan.js: Added.
2600         (shouldBe):
2601         (throw.new.Error):
2602         * stress/array-indexof-infinity.js: Added.
2603         (shouldBe):
2604         (throw.new.Error):
2605         * stress/array-indexof-negative-zero.js: Added.
2606         (shouldBe):
2607         (throw.new.Error):
2608         * stress/array-indexof-own-getter.js: Added.
2609         (shouldBe):
2610         (throw.new.Error.get array):
2611         (get array):
2612         * stress/array-indexof-prototype-trap.js: Added.
2613         (shouldBe):
2614         (DerivedArray.prototype.get 2):
2615         (DerivedArray):
2616
2617 2018-09-19  Saam barati  <sbarati@apple.com>
2618
2619         AI rule for MultiPutByOffset executes its effects in the wrong order
2620         https://bugs.webkit.org/show_bug.cgi?id=189757
2621         <rdar://problem/43535257>
2622
2623         Reviewed by Michael Saboff.
2624
2625         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2626         (foo):
2627         (Foo):
2628         (g):
2629
2630 2018-09-17  Mark Lam  <mark.lam@apple.com>
2631
2632         Ensure that ForInContexts are invalidated if their loop local is over-written.
2633         https://bugs.webkit.org/show_bug.cgi?id=189571
2634         <rdar://problem/44402277>
2635
2636         Reviewed by Saam Barati.
2637
2638         * stress/regress-189571.js: Added.
2639
2640 2018-09-17  Saam barati  <sbarati@apple.com>
2641
2642         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2643         https://bugs.webkit.org/show_bug.cgi?id=189676
2644         <rdar://problem/39682897>
2645
2646         Reviewed by Michael Saboff.
2647
2648         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2649         (A):
2650         (K):
2651         (i.catch):
2652
2653 2018-09-14  Saam barati  <sbarati@apple.com>
2654
2655         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2656         https://bugs.webkit.org/show_bug.cgi?id=189628
2657         <rdar://problem/39481690>
2658
2659         Reviewed by Mark Lam.
2660
2661         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2662         (foo):
2663
2664 2018-09-11  Mark Lam  <mark.lam@apple.com>
2665
2666         Test for array initialization in arrayProtoFuncSplice.
2667         https://bugs.webkit.org/show_bug.cgi?id=170253
2668         <rdar://problem/31328773>
2669
2670         Rubber-stamped by Saam Barati.
2671
2672         * stress/regress-170253.js: Added.
2673
2674 2018-09-11  Mark Lam  <mark.lam@apple.com>
2675
2676         Test for IntlObject initialization.
2677         https://bugs.webkit.org/show_bug.cgi?id=170251
2678         <rdar://problem/31328419>
2679
2680         Rubber-stamped by Saam Barati.
2681
2682         * stress/regress-170251.js: Added.
2683
2684 2018-09-11  Mark Lam  <mark.lam@apple.com>
2685
2686         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2687         https://bugs.webkit.org/show_bug.cgi?id=169889
2688         <rdar://problem/31155607>
2689
2690         Reviewed by Saam Barati.
2691
2692         * stress/regress-169889-array-concat.js: Added.
2693         * stress/regress-169889-array-concat1.js: Added.
2694         * stress/regress-169889-array-slice.js: Added.
2695
2696 2018-09-11  Mark Lam  <mark.lam@apple.com>
2697
2698         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2699         https://bugs.webkit.org/show_bug.cgi?id=169445
2700         <rdar://problem/30957435>
2701
2702         Reviewed by Saam Barati.
2703
2704         * stress/regress-169445.js: Added.
2705         (let.gun.eval.A):
2706         (let.gun.eval.B.C):
2707         (let.gun.eval.B.C.prototype.trigger):
2708         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2709         (let.gun.eval.B):
2710         (let.gun.eval):
2711
2712 == Rolled over to ChangeLog-2018-09-11 ==