Unreviewed, rolling out r243943.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r243943.
4
5         Caused test262 failures.
6
7         Reverted changeset:
8
9         "[JSC] Filter DontEnum properties in
10         ProxyObject::getOwnPropertyNames()"
11         https://bugs.webkit.org/show_bug.cgi?id=176810
12         https://trac.webkit.org/changeset/243943
13
14 2019-04-07  Michael Saboff  <msaboff@apple.com>
15
16         REGRESSION (r243642): Crash in reddit.com page
17         https://bugs.webkit.org/show_bug.cgi?id=196684
18
19         Reviewed by Geoffrey Garen.
20
21         New regression test.
22
23         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
24
25 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
26
27         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
28         https://bugs.webkit.org/show_bug.cgi?id=196683
29
30         Reviewed by Saam Barati.
31
32         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
33         (foo):
34
35 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
36
37         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
38         https://bugs.webkit.org/show_bug.cgi?id=196582
39
40         Reviewed by Saam Barati.
41
42         * stress/add-overflow-check-with-three-same-registers.js: Added.
43         (foo):
44         (Number.prototype.valueOf):
45         (runWithNumber):
46
47 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
48
49         Unreviewed, rolling out r243665.
50
51         Caused iOS JSC tests to exit with an exception.
52
53         Reverted changeset:
54
55         "Assertion failed in JSC::createError"
56         https://bugs.webkit.org/show_bug.cgi?id=196305
57         https://trac.webkit.org/changeset/243665
58
59 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
60
61         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
62         https://bugs.webkit.org/show_bug.cgi?id=196486
63
64         Reviewed by Saam Barati.
65
66         * stress/arrow-function-and-use-strict-directive.js: Added.
67         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
68         (checkSyntax):
69         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
70
71 2019-04-05  Caitlin Potter  <caitp@igalia.com>
72
73         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
74         https://bugs.webkit.org/show_bug.cgi?id=176810
75
76         Reviewed by Saam Barati.
77
78         Add tests for the DontEnum filtering, and variations of other tests
79         take the DontEnum-filtering path.
80
81         * stress/proxy-own-keys.js:
82         (i.catch):
83         (set assert):
84         (set add):
85         (let.set new):
86         (get let):
87
88 2019-04-05  Caitlin Potter  <caitp@igalia.com>
89
90         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
91         https://bugs.webkit.org/show_bug.cgi?id=185211
92
93         Reviewed by Saam Barati.
94
95         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
96
97         This changes several assertions to expect a TypeError to be thrown (in some cases,
98         changing the expected message).
99
100         * es6/Proxy_ownKeys_duplicates.js:
101         (handler):
102         (shouldThrow):
103         (test):
104         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
105         (shouldThrow):
106         * stress/proxy-own-keys.js:
107         (i.catch):
108         (assert):
109
110 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
113         https://bugs.webkit.org/show_bug.cgi?id=196631
114
115         Reviewed by Saam Barati.
116
117         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
118         (assert):
119         (test):
120         (foo):
121
122 2019-04-04  Saam Barati  <sbarati@apple.com>
123
124         Unreviewed. Make the test from r243906 catch the thrown exceptions.
125
126         * stress/inferred-types-regex-matches-array.js:
127
128 2019-04-04  Saam Barati  <sbarati@apple.com>
129
130         createRegExpMatchesArray does not respect inferred types
131         https://bugs.webkit.org/show_bug.cgi?id=193287
132
133         Reviewed by Yusuke Suzuki.
134
135         This checks in the test case for 193287. This issue was discovered by
136         Samuel Groß of Google Project Zero.
137
138         * stress/inferred-types-regex-matches-array.js: Added.
139
140 2019-04-04  Saam barati  <sbarati@apple.com>
141
142         Teach Call ICs how to call Wasm
143         https://bugs.webkit.org/show_bug.cgi?id=196387
144
145         Reviewed by Filip Pizlo.
146
147         * wasm/function-tests/stack-trace.js:
148
149 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
150
151         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
152         https://bugs.webkit.org/show_bug.cgi?id=194944
153
154         Reviewed by Keith Miller.
155
156         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
157
158 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
159
160         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
161         https://bugs.webkit.org/show_bug.cgi?id=196409
162
163         Reviewed by Saam Barati.
164
165         * stress/bytecode-cache-cached-string-impl.js: Added.
166         (f):
167         (g):
168         * stress/bytecode-cache-run-string.js: Added.
169
170 2019-04-03  Robin Morisset  <rmorisset@apple.com>
171
172         B3 should use associativity to optimize expression trees
173         https://bugs.webkit.org/show_bug.cgi?id=194081
174
175         Reviewed by Filip Pizlo.
176
177         Added three microbenchmarks:
178         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
179         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
180           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
181         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
182
183         * microbenchmarks/add-tree.js: Added.
184         * microbenchmarks/bit-or-tree.js: Added.
185         * microbenchmarks/bit-xor-tree.js: Added.
186
187 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
188
189         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
190         https://bugs.webkit.org/show_bug.cgi?id=196574
191
192         Reviewed by Saam Barati.
193
194         * stress/string-index-of-exception-check.js: Added.
195         (blurType):
196         (1.forEach):
197
198 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
199
200         Assertion failed in JSC::createError
201         https://bugs.webkit.org/show_bug.cgi?id=196305
202         <rdar://problem/49387382>
203
204         Reviewed by Saam Barati.
205
206         * stress/create-error-out-of-memory-rope-string-2.js: Added.
207         (assert):
208         (catch):
209
210 2019-03-28  Saam Barati  <sbarati@apple.com>
211
212         BackwardsGraph needs to consider back edges as the backward's root successor
213         https://bugs.webkit.org/show_bug.cgi?id=195991
214
215         Reviewed by Filip Pizlo.
216
217         * stress/map-b3-licm-infinite-loop.js: Added.
218
219 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
220
221         CodeBlock::jettison() should disallow repatching its own calls
222         https://bugs.webkit.org/show_bug.cgi?id=196359
223         <rdar://problem/48973663>
224
225         Reviewed by Saam Barati.
226
227         * stress/call-link-info-osrexit-repatch.js: Added.
228         (foo):
229
230 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
231
232         [JSC] imports-oom.js intermittently fails
233         https://bugs.webkit.org/show_bug.cgi?id=196373
234
235         Reviewed by Saam Barati.
236
237         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
238         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
239         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
240         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
241         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
242
243         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
244         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
245
246         * wasm/lowExecutableMemory/imports-oom.js:
247
248 2019-03-27  Saam Barati  <sbarati@apple.com>
249
250         validateOSREntryValue with Int52 should box the value being checked into double format
251         https://bugs.webkit.org/show_bug.cgi?id=196313
252         <rdar://problem/49306703>
253
254         Reviewed by Yusuke Suzuki.
255
256         * stress/validate-int-52-ai-state.js: Added.
257
258 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
259
260         [JSC] Owner of watchpoints should validate at GC finalizing phase
261         https://bugs.webkit.org/show_bug.cgi?id=195827
262
263         Reviewed by Filip Pizlo.
264
265         * stress/gc-should-reap-dead-watchpoints.js: Added.
266         (foo):
267         (A.prototype.y):
268         (A):
269
270 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
271
272         Skip WebAssembly test on 32-bit systems
273         https://bugs.webkit.org/show_bug.cgi?id=196206
274
275         Reviewed by Saam Barati.
276
277         Invoking runDefault executes test immediately even though
278         that test should be skipped due to missing WASM support.
279         Therefore remove runDefault.
280
281         * wasm/regress/web-assembly-link-error-exception-check.js:
282
283 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
284
285         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
286         https://bugs.webkit.org/show_bug.cgi?id=196217
287
288         Reviewed by Saam Barati.
289
290         Re-enable all NaN tests for f32.min, f64.min and f64.max.
291
292         * wasm/spec-tests/f32.wast.js:
293         * wasm/spec-tests/f64.wast.js:
294         * wasm/wasm.json:
295
296 2019-03-25  Keith Miller  <keith_miller@apple.com>
297
298         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
299         https://bugs.webkit.org/show_bug.cgi?id=196176
300
301         Reviewed by Saam Barati.
302
303         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
304         (main.v10):
305         (main):
306
307 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
308
309         WebAssembly: f32.max with NaN generates incorrect result
310         https://bugs.webkit.org/show_bug.cgi?id=175691
311         <rdar://problem/33952228>
312
313         Reviewed by Saam Barati.
314
315         Enable all f32.max NaN tests
316
317         * wasm/spec-tests/f32.wast.js:
318         * wasm/wasm.json:
319
320 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
321
322         [JSC] Move test into directory for WASM tests
323         https://bugs.webkit.org/show_bug.cgi?id=196187
324
325         Reviewed by Mark Lam.
326
327         Move Test into wasm-directory. Otherwise this test
328         is also executed on systems without WASM support.
329
330         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
331
332 2019-03-23  Mark Lam  <mark.lam@apple.com>
333
334         Rolling out r243032 and r243071 because the fix is incorrect.
335         https://bugs.webkit.org/show_bug.cgi?id=195892
336         <rdar://problem/48981239>
337
338         Not reviewed.
339
340         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
341
342 2019-03-22  Mark Lam  <mark.lam@apple.com>
343
344         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
345         https://bugs.webkit.org/show_bug.cgi?id=196154
346         <rdar://problem/49145307>
347
348         Reviewed by Filip Pizlo.
349
350         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
351         There's no need to run this test on more than 1 test configuration.
352
353         * stress/typed-array-lastIndexOf-exception-check.js: Added.
354         * stress/web-assembly-link-error-exception-check.js:
355
356 2019-03-22  Mark Lam  <mark.lam@apple.com>
357
358         Placate exception check validation in constructJSWebAssemblyLinkError().
359         https://bugs.webkit.org/show_bug.cgi?id=196152
360         <rdar://problem/49145257>
361
362         Reviewed by Michael Saboff.
363
364         * stress/web-assembly-link-error-exception-check.js: Added.
365
366 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
367
368         Skip tests running out of memory on ARM/MIPS
369         https://bugs.webkit.org/show_bug.cgi?id=196131
370
371         Unreviewed. Skip test if memory is limited.
372
373         * microbenchmarks/put-by-val-direct-large-index.js:
374
375 2019-03-21  Mark Lam  <mark.lam@apple.com>
376
377         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
378         https://bugs.webkit.org/show_bug.cgi?id=196116
379         <rdar://problem/48976951>
380
381         Reviewed by Filip Pizlo.
382
383         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
384
385 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
386
387         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
388         https://bugs.webkit.org/show_bug.cgi?id=196078
389         <rdar://problem/35925380>
390
391         Reviewed by Mark Lam.
392
393         Add a new benchmark that allocates several objects and invokes put_by_val_direct
394         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
395
396         * microbenchmarks/put-by-val-direct-large-index.js: Added.
397
398 2019-03-21  Mark Lam  <mark.lam@apple.com>
399
400         Placate exception check validation in operationArrayIndexOfString().
401         https://bugs.webkit.org/show_bug.cgi?id=196067
402         <rdar://problem/49056572>
403
404         Reviewed by Michael Saboff.
405
406         * stress/string-equal-exception-check.js: Added.
407
408 2019-03-21  Mark Lam  <mark.lam@apple.com>
409
410         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
411         https://bugs.webkit.org/show_bug.cgi?id=196055
412         <rdar://problem/49067448>
413
414         Reviewed by Yusuke Suzuki.
415
416         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
417
418 2019-03-20  Saam Barati  <sbarati@apple.com>
419
420         typeOfDoubleSum is wrong for when NaN can be produced
421         https://bugs.webkit.org/show_bug.cgi?id=196030
422
423         Reviewed by Filip Pizlo.
424
425         * stress/double-add-sub-mul-can-produce-nan.js: Added.
426         (assert):
427         (noInline.sub):
428         (noInline):
429         (assert.mul):
430         (assert.add):
431
432 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         Update the test to ensure OutOfMemoryError is thrown as intended
435         https://bugs.webkit.org/show_bug.cgi?id=196032
436         <rdar://problem/46842740>
437
438         Rubber stamped by Saam Barati.
439
440         * stress/create-error-out-of-memory-rope-string.js:
441         (assert):
442         (catch):
443
444 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
445
446         JSC::createError needs to check for OOM in errorDescriptionForValue
447         https://bugs.webkit.org/show_bug.cgi?id=196032
448         <rdar://problem/46842740>
449
450         Reviewed by Mark Lam.
451
452         * stress/create-error-out-of-memory-rope-string.js: Added.
453
454 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
455
456         Unreviewed, reduce # of iterations to avoid timing out after r242991
457         https://bugs.webkit.org/show_bug.cgi?id=195791
458
459         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
460
461         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
462
463 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
464
465         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
466         https://bugs.webkit.org/show_bug.cgi?id=195950
467
468         Unreviewed, reducing the amount of memory used on this test to avoid
469         OOM on devices with memory restrictions.
470
471         * microbenchmarks/generate-multiple-llint-entrypoints.js:
472
473 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
474
475         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
476         https://bugs.webkit.org/show_bug.cgi?id=194648
477
478         Reviewed by Keith Miller.
479
480         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
481
482 2019-03-18  Mark Lam  <mark.lam@apple.com>
483
484         Missing a ThrowScope release in JSObject::toString().
485         https://bugs.webkit.org/show_bug.cgi?id=195893
486         <rdar://problem/48970986>
487
488         Reviewed by Michael Saboff.
489
490         * stress/to-string-exception-check-release.js: Added.
491
492 2019-03-18  Mark Lam  <mark.lam@apple.com>
493
494         Structure::flattenDictionary() should clear unused property slots.
495         https://bugs.webkit.org/show_bug.cgi?id=195871
496         <rdar://problem/48959497>
497
498         Reviewed by Michael Saboff.
499
500         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
501
502 2019-03-15  Mark Lam  <mark.lam@apple.com>
503
504         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
505         https://bugs.webkit.org/show_bug.cgi?id=195827
506         <rdar://problem/48845513>
507
508         Reviewed by Filip Pizlo.
509
510         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
511
512 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
513
514         [ARM,MIPS] Skip slow tests
515         https://bugs.webkit.org/show_bug.cgi?id=195799
516
517         Unreviewed, test does not finish on ARM and MIPS within the
518         timeout limit.
519
520         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
521
522 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
523
524         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
525         https://bugs.webkit.org/show_bug.cgi?id=195791
526         <rdar://problem/48806130>
527
528         Reviewed by Mark Lam.
529
530         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
531         (foo):
532
533 2019-03-14  Saam barati  <sbarati@apple.com>
534
535         We can't remove code after ForceOSRExit until after FixupPhase
536         https://bugs.webkit.org/show_bug.cgi?id=186916
537         <rdar://problem/41396612>
538
539         Reviewed by Yusuke Suzuki.
540
541         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
542         (foo):
543         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
544         (foo):
545
546 2019-03-13  Michael Saboff  <msaboff@apple.com>
547
548         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
549         https://bugs.webkit.org/show_bug.cgi?id=195735
550
551         Reviewed by Mark Lam.
552
553         New regression test.
554
555         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
556         (foo):
557         (bar):
558
559 2019-03-14  Saam barati  <sbarati@apple.com>
560
561         Fixup uses KnownInt32 incorrectly in some nodes
562         https://bugs.webkit.org/show_bug.cgi?id=195279
563         <rdar://problem/47915654>
564
565         Reviewed by Yusuke Suzuki.
566
567         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
568         (foo):
569
570 2019-03-14  Keith Miller  <keith_miller@apple.com>
571
572         DFG liveness can't skip tail caller inline frames
573         https://bugs.webkit.org/show_bug.cgi?id=195715
574
575         Reviewed by Saam Barati.
576
577         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
578         (i.foo):
579
580 2019-03-13  Mark Lam  <mark.lam@apple.com>
581
582         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
583         https://bugs.webkit.org/show_bug.cgi?id=195415
584
585         Not reviewed.
586
587         Changed these tests to only run the default configuration.
588         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
589         There's no strong need to run this test on that variant.
590
591         * stress/dfg-to-string-on-int-does-gc.js:
592         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
593
594 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
595
596         String overflow when using StringBuilder in JSC::createError
597         https://bugs.webkit.org/show_bug.cgi?id=194957
598
599         Reviewed by Mark Lam.
600
601         Add test string-overflow-createError-builder.js that overflows
602         StringBuilder in notAFunctionSourceAppender. The second new test
603         string-overflow-createError-fit.js has an error message that doesn't
604         overflow, it still failed since the String's capacity can't be doubled.
605         Run test string-overflow-createError.js only in the default
606         configuration to reduce memory consumption when running the test
607         in all configurations on multiple CPUs in parallel.
608
609         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
610         (catch):
611         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
612         (catch):
613         * stress/string-overflow-createError.js:
614
615 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
616
617         [JSC] OSR entry should respect abstract values in addition to flush formats
618         https://bugs.webkit.org/show_bug.cgi?id=195653
619
620         Reviewed by Mark Lam.
621
622         * stress/osr-entry-locals-none.js: Added.
623
624 2019-03-12  Michael Saboff  <msaboff@apple.com>
625
626         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
627         https://bugs.webkit.org/show_bug.cgi?id=195613
628
629         Reviewed by Mark Lam.
630
631         New regression test.
632
633         * stress/regexp-backref-inbounds.js: Added.
634         (testRegExp):
635
636 2019-03-12  Mark Lam  <mark.lam@apple.com>
637
638         The HasIndexedProperty node does GC.
639         https://bugs.webkit.org/show_bug.cgi?id=195559
640         <rdar://problem/48767923>
641
642         Reviewed by Yusuke Suzuki.
643
644         * stress/HasIndexedProperty-does-gc.js: Added.
645
646 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
647
648         [ESNext][BigInt] Implement "~" unary operation
649         https://bugs.webkit.org/show_bug.cgi?id=182216
650
651         Reviewed by Keith Miller.
652
653         * stress/big-int-bit-not-general.js: Added.
654         * stress/big-int-bitwise-not-jit.js: Added.
655         * stress/big-int-bitwise-not-wrapped-value.js: Added.
656         * stress/bit-op-with-object-returning-int32.js:
657         * stress/bitwise-not-fixup-rules.js: Added.
658         * stress/value-bit-not-ai-rule.js: Added.
659
660 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
661
662         Invalid flags in a RegExp literal should be an early SyntaxError
663         https://bugs.webkit.org/show_bug.cgi?id=195514
664
665         Reviewed by Darin Adler.
666
667         * test262/expectations.yaml:
668         Mark 4 test cases as passing.
669
670         * stress/regexp-syntax-error-invalid-flags.js:
671         * stress/regress-161995.js: Removed.
672         Update existing test, merging in an older test for the same behavior.
673
674 2019-03-08  Mark Lam  <mark.lam@apple.com>
675
676         Stack overflow crash in JSC::JSObject::hasInstance.
677         https://bugs.webkit.org/show_bug.cgi?id=195458
678         <rdar://problem/48710195>
679
680         Reviewed by Yusuke Suzuki.
681
682         * stress/stack-overflow-in-custom-hasInstance.js: Added.
683
684 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
685
686         op_check_tdz does not def its argument
687         https://bugs.webkit.org/show_bug.cgi?id=192880
688         <rdar://problem/46221598>
689
690         Reviewed by Saam Barati.
691
692         * microbenchmarks/let-for-in.js: Added.
693         (foo):
694
695 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
696
697         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
698         https://bugs.webkit.org/show_bug.cgi?id=195429
699
700         Reviewed by Saam Barati.
701
702         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
703         (foo):
704         * stress/string-from-char-code-255.js: Added.
705
706 2019-03-06  Mark Lam  <mark.lam@apple.com>
707
708         Fix incorrect handling of try-finally completion values.
709         https://bugs.webkit.org/show_bug.cgi?id=195131
710         <rdar://problem/46222079>
711
712         Reviewed by Saam Barati and Yusuke Suzuki.
713
714         Added many permutations of new test case to test-finally.js.  test-finally.js has
715         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
716         tests pass there as well.
717
718         * stress/test-finally.js:
719
720 2019-03-06  Saam Barati  <sbarati@apple.com>
721
722         Air::reportUsedRegisters must padInterference
723         https://bugs.webkit.org/show_bug.cgi?id=195303
724         <rdar://problem/48270343>
725
726         Reviewed by Keith Miller.
727
728         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
729
730 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
731
732         [JSC] AI should not propagate AbstractValue relying on constant folding phase
733         https://bugs.webkit.org/show_bug.cgi?id=195375
734
735         Reviewed by Saam Barati.
736
737         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
738         (let.array):
739
740 2019-03-05  Saam barati  <sbarati@apple.com>
741
742         op_switch_char broken for rope strings after JSRopeString layout rewrite
743         https://bugs.webkit.org/show_bug.cgi?id=195339
744         <rdar://problem/48592545>
745
746         Reviewed by Yusuke Suzuki.
747
748         * stress/switch-on-char-llint-rope.js: Added.
749
750 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
751
752         [JSC] Store bits for JSRopeString in 3 stores
753         https://bugs.webkit.org/show_bug.cgi?id=195234
754
755         Reviewed by Saam Barati.
756
757         * stress/null-rope-and-collectors.js: Added.
758
759 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
760
761         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
762         https://bugs.webkit.org/show_bug.cgi?id=195207
763
764         Unreviewed. After test runtime was reduced in r242213, test can be
765         run again on ARM/MIPS.
766
767         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
768
769 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
770
771         [JSC] sizeof(JSString) should be 16
772         https://bugs.webkit.org/show_bug.cgi?id=194375
773
774         Reviewed by Saam Barati.
775
776         * microbenchmarks/make-rope.js: Added.
777         (makeRope):
778         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
779         (returnRope.helper): Deleted.
780         (returnRope): Deleted.
781
782 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
783
784         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
785         https://bugs.webkit.org/show_bug.cgi?id=195144
786
787         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
788         Change the number from 1e8 to 1e5.
789
790         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
791         (foo):
792
793 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
794
795         Test times out on ARM/MIPS
796         https://bugs.webkit.org/show_bug.cgi?id=195168
797
798         Unreviewed. Skip test on ARM/MIPS.
799
800         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
801
802 2019-02-27  Mark Lam  <mark.lam@apple.com>
803
804         The parser is failing to record the token location of new in new.target.
805         https://bugs.webkit.org/show_bug.cgi?id=195127
806         <rdar://problem/39645578>
807
808         Reviewed by Yusuke Suzuki.
809
810         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
811
812 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
813
814         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
815         https://bugs.webkit.org/show_bug.cgi?id=195144
816         <rdar://problem/47595961>
817
818         Reviewed by Mark Lam.
819
820         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
821         (bar):
822         (foo):
823         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
824         (bar):
825         (foo):
826
827 2019-02-27  Robin Morisset  <rmorisset@apple.com>
828
829         DFG: Loop-invariant code motion (LICM) should not hoist dead code
830         https://bugs.webkit.org/show_bug.cgi?id=194945
831         <rdar://problem/48311657>
832
833         Reviewed by Mark Lam.
834
835         * stress/licm-dead-code.js: Added.
836
837 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
838
839         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
840         https://bugs.webkit.org/show_bug.cgi?id=194677
841         <rdar://problem/48112492>
842
843         Reviewed by Mark Lam.
844
845         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
846         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
847         it immediately fails due to the large size.
848
849         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
850         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
851         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
852         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
853
854         This patch changes the test to produce 16bit string from String.fromCharCode.
855
856         * stress/regress-178386.js:
857
858 2019-02-26  Mark Lam  <mark.lam@apple.com>
859
860         wasmToJS() should purify incoming NaNs.
861         https://bugs.webkit.org/show_bug.cgi?id=194807
862         <rdar://problem/48189132>
863
864         Reviewed by Saam Barati.
865
866         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
867
868 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
869
870         [JSC] Repeat string created from Array.prototype.join() take too much memory
871         https://bugs.webkit.org/show_bug.cgi?id=193912
872
873         Reviewed by Saam Barati.
874
875         Added a test and a microbenchmark for corner cases of
876         Array.prototype.join() with an uninitialized array.
877
878         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
879         * stress/array-prototype-join-uninitialized.js: Added.
880         (testArray):
881         (testABC):
882         (B):
883         (C):
884
885 2019-02-22  Robin Morisset  <rmorisset@apple.com>
886
887         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
888         https://bugs.webkit.org/show_bug.cgi?id=194953
889         <rdar://problem/47595253>
890
891         Reviewed by Saam Barati.
892
893         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
894
895         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
896
897 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
898
899         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
900         https://bugs.webkit.org/show_bug.cgi?id=172848
901         <rdar://problem/25709212>
902
903         Reviewed by Mark Lam.
904
905         * typeProfiler/inheritance.js:
906         Rewrite the test slightly for clarity. The hoisting was confusing.
907
908         * heapProfiler/class-names.js: Added.
909         (MyES5Class):
910         (MyES6Class):
911         (MyES6Subclass):
912         Test object types and improved class names.
913
914         * heapProfiler/driver/driver.js:
915         (CheapHeapSnapshotNode):
916         (CheapHeapSnapshot):
917         (createCheapHeapSnapshot):
918         (HeapSnapshot):
919         (createHeapSnapshot):
920         Update snapshot parsing from version 1 to version 2.
921
922 2019-02-19  Truitt Savell  <tsavell@apple.com>
923
924         Unreviewed, rolling out r241784.
925
926         Broke all OpenSource builds.
927
928         Reverted changeset:
929
930         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
931         instances view"
932         https://bugs.webkit.org/show_bug.cgi?id=172848
933         https://trac.webkit.org/changeset/241784
934
935 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
936
937         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
938         https://bugs.webkit.org/show_bug.cgi?id=172848
939         <rdar://problem/25709212>
940
941         Reviewed by Mark Lam.
942
943         * typeProfiler/inheritance.js:
944         Rewrite the test slightly for clarity. The hoisting was confusing.
945
946         * heapProfiler/class-names.js: Added.
947         (MyES5Class):
948         (MyES6Class):
949         (MyES6Subclass):
950         Test object types and improved class names.
951
952         * heapProfiler/driver/driver.js:
953         (CheapHeapSnapshotNode):
954         (CheapHeapSnapshot):
955         (createCheapHeapSnapshot):
956         (HeapSnapshot):
957         (createHeapSnapshot):
958         Update snapshot parsing from version 1 to version 2.
959
960 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
961
962         [ARM] Fix crash with sampling profiler
963         https://bugs.webkit.org/show_bug.cgi?id=194772
964
965         Reviewed by Mark Lam.
966
967         Do not skip test since crash with sampling profiler is now fixed.
968
969         * stress/sampling-profiler-richards.js:
970
971 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
972
973         [JSC] Add LazyClassStructure::getInitializedOnMainThread
974         https://bugs.webkit.org/show_bug.cgi?id=194784
975         <rdar://problem/48154820>
976
977         Reviewed by Mark Lam.
978
979         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
980         (getProperties):
981         (getRandomProperty):
982         (i.catch):
983
984 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
985
986         [ARM] Test gardening: Test running out of executable memory
987         https://bugs.webkit.org/show_bug.cgi?id=194771
988
989         Unreviewed. Do not run test without LLInt, test is running out of executable
990         memory on ARM otherwise.
991
992         * stress/tagged-template-object-collect.js:
993
994 2019-02-18  Tomas Popela  <tpopela@redhat.com>
995
996         Unreviewed, skip the test on platforms without sampling profiler
997
998         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
999         (platformSupportsSamplingProfiler.foo):
1000         (platformSupportsSamplingProfiler.test):
1001         (platformSupportsSamplingProfiler):
1002         (foo): Deleted.
1003         (test): Deleted.
1004
1005 2019-02-17  Saam Barati  <sbarati@apple.com>
1006
1007         Deadlock when adding a Structure property transition and then doing incremental marking
1008         https://bugs.webkit.org/show_bug.cgi?id=194767
1009
1010         Reviewed by Mark Lam.
1011
1012         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1013
1014 2019-02-15  Michael Saboff  <msaboff@apple.com>
1015
1016         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1017         https://bugs.webkit.org/show_bug.cgi?id=194558
1018
1019         Reviewed by Saam Barati.
1020
1021         New regression test.
1022
1023         * stress/regexp-unicode-within-string.js: Added.
1024
1025 2019-02-15  Mark Lam  <mark.lam@apple.com>
1026
1027         SamplingProfiler::stackTracesAsJSON() should escape strings.
1028         https://bugs.webkit.org/show_bug.cgi?id=194649
1029         <rdar://problem/48072386>
1030
1031         Reviewed by Saam Barati.
1032
1033         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1034         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1035         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1036         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1037
1038 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1039         CodeBlock::jettison should clear related watchpoints
1040         https://bugs.webkit.org/show_bug.cgi?id=194544
1041
1042         Reviewed by Mark Lam.
1043
1044         * stress/regexp-replace-double-watchpoint.js: Added.
1045         (foo):
1046
1047 2019-02-15  Saam barati  <sbarati@apple.com>
1048
1049         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1050         https://bugs.webkit.org/show_bug.cgi?id=194036
1051
1052         Reviewed by Yusuke Suzuki.
1053
1054         * stress/tail-call-many-arguments.js: Added.
1055         (foo):
1056         (bar):
1057
1058 2019-02-14  Saam Barati  <sbarati@apple.com>
1059
1060         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1061         https://bugs.webkit.org/show_bug.cgi?id=194583
1062         <rdar://problem/48028140>
1063
1064         Reviewed by Yusuke Suzuki.
1065
1066         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1067
1068 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1069
1070         [JSC] String.fromCharCode's slow path always generates 16bit string
1071         https://bugs.webkit.org/show_bug.cgi?id=194466
1072
1073         Reviewed by Keith Miller.
1074
1075         * stress/string-from-char-code-slow-path.js: Added.
1076         (shouldBe):
1077         (testWithLength):
1078
1079 2019-02-08  Saam barati  <sbarati@apple.com>
1080
1081         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1082         https://bugs.webkit.org/show_bug.cgi?id=194334
1083         <rdar://problem/47844327>
1084
1085         Reviewed by Mark Lam.
1086
1087         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1088         (func):
1089
1090 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1091
1092         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1093         https://bugs.webkit.org/show_bug.cgi?id=194369
1094         <rdar://problem/47813087>
1095
1096         Reviewed by Saam Barati.
1097
1098         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1099         (A):
1100
1101 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1102
1103         [JSC] PrivateName to PublicName hash table is wasteful
1104         https://bugs.webkit.org/show_bug.cgi?id=194277
1105
1106         Reviewed by Michael Saboff.
1107
1108         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1109
1110         * ChakraCore.yaml:
1111
1112 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1113
1114         [ARM] Test running out of executable memory
1115         https://bugs.webkit.org/show_bug.cgi?id=194285
1116
1117         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1118         executable memory otherwise.
1119
1120         * stress/class-subclassing-function.js:
1121
1122 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1123
1124         when lowering AssertNotEmpty, create the value before creating the patchpoint
1125         https://bugs.webkit.org/show_bug.cgi?id=194231
1126
1127         Reviewed by Saam Barati.
1128
1129         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1130         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1131         So even tiny changes to this test can change the code path taken.
1132
1133         * stress/assert-not-empty.js: Added.
1134         (foo):
1135
1136 2019-02-01  Mark Lam  <mark.lam@apple.com>
1137
1138         Remove invalid assertion in DFG's compileDoubleRep().
1139         https://bugs.webkit.org/show_bug.cgi?id=194130
1140         <rdar://problem/47699474>
1141
1142         Reviewed by Saam Barati.
1143
1144         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1145
1146 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1147
1148         Import latest Test262 updates.
1149
1150         Rubber-stamped by Keith Miller.
1151
1152         * test262.yaml: Deleted.
1153         * test262/config.yaml:
1154         * test262/expectations.yaml:
1155         * test262/latest-changes-summary.txt:
1156         * test262/test/:
1157         * test262/test262-Revision.txt:
1158
1159 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1160
1161         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1162         https://bugs.webkit.org/show_bug.cgi?id=194050
1163         <rdar://problem/47595592>
1164
1165         Reviewed by Yusuke Suzuki.
1166
1167         * stress/object-keys-osr-exit.js: Added.
1168         (foo):
1169         (catch):
1170
1171 2019-01-29  Mark Lam  <mark.lam@apple.com>
1172
1173         ValueRecovery::recover() should purify NaN values it recovers.
1174         https://bugs.webkit.org/show_bug.cgi?id=193978
1175         <rdar://problem/47625488>
1176
1177         Reviewed by Saam Barati.
1178
1179         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1180
1181 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1182
1183         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1184         https://bugs.webkit.org/show_bug.cgi?id=193713
1185
1186         * stress/try-get-by-id-should-spill-registers-dfg.js:
1187         (let.f.createBuiltin):
1188
1189 2019-01-28  Mark Lam  <mark.lam@apple.com>
1190
1191         ToString node actually does GC.
1192         https://bugs.webkit.org/show_bug.cgi?id=193920
1193         <rdar://problem/46695900>
1194
1195         Reviewed by Yusuke Suzuki.
1196
1197         * stress/dfg-to-string-on-int-does-gc.js: Added.
1198         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1199         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1200
1201 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1202
1203         [JSC] NativeErrorConstructor should not have own IsoSubspace
1204         https://bugs.webkit.org/show_bug.cgi?id=193713
1205
1206         Reviewed by Saam Barati.
1207
1208         Remove @Error use.
1209
1210         * stress/try-get-by-id-should-spill-registers-dfg.js:
1211         (let.f.createBuiltin):
1212
1213 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1214
1215         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1216         https://bugs.webkit.org/show_bug.cgi?id=190693
1217
1218         Reviewed by Michael Saboff.
1219
1220         * stress/regress-190693.js: Added.
1221         (truth):
1222         (assert):
1223         (shouldThrowInvalidConstAssignment):
1224         (taz):
1225
1226 2019-01-24  Saam Barati  <sbarati@apple.com>
1227
1228         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1229         https://bugs.webkit.org/show_bug.cgi?id=193751
1230         <rdar://problem/47280215>
1231
1232         Reviewed by Michael Saboff.
1233
1234         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1235         (let.thing):
1236         (foo.let.hello):
1237         (foo):
1238
1239 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1240
1241         [JSC] Reenable baseline JIT on mips
1242         https://bugs.webkit.org/show_bug.cgi?id=192983
1243
1244         Reviewed by Mark Lam.
1245
1246         Added a new test for a case that was triggering a RELEASE_ASSERT when
1247         testing.
1248         Disable some slow tests that were already disabled for arm and x86.
1249
1250         * stress/json-parse-big-object.js: Added.
1251         * stress/new-largeish-contiguous-array-with-size.js:
1252         * stress/op_add.js:
1253         * stress/op_bitand.js:
1254         * stress/op_bitor.js:
1255         * stress/op_bitxor.js:
1256         * stress/op_lshift-ConstVar.js:
1257         * stress/op_lshift-VarConst.js:
1258         * stress/op_lshift-VarVar.js:
1259         * stress/op_mod-ConstVar.js:
1260         * stress/op_mod-VarConst.js:
1261         * stress/op_mod-VarVar.js:
1262         * stress/op_mul-ConstVar.js:
1263         * stress/op_mul-VarConst.js:
1264         * stress/op_mul-VarVar.js:
1265         * stress/op_rshift-ConstVar.js:
1266         * stress/op_rshift-VarConst.js:
1267         * stress/op_rshift-VarVar.js:
1268         * stress/op_sub-ConstVar.js:
1269         * stress/op_sub-VarConst.js:
1270         * stress/op_sub-VarVar.js:
1271         * stress/op_urshift-ConstVar.js:
1272         * stress/op_urshift-VarConst.js:
1273         * stress/op_urshift-VarVar.js:
1274         * stress/sampling-profiler-richards.js:
1275         * stress/spread-forward-call-varargs-stack-overflow.js:
1276
1277 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1278
1279         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1280         https://bugs.webkit.org/show_bug.cgi?id=193711
1281         <rdar://problem/47250262>
1282
1283         Reviewed by Saam Barati.
1284
1285         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1286         (shouldBe):
1287         (foo):
1288         (bar):
1289         (baz):
1290
1291 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1292
1293         Unreviewed, fix initial global lexical binding epoch
1294         https://bugs.webkit.org/show_bug.cgi?id=193603
1295         <rdar://problem/47380869>
1296
1297         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1298         (f1.f2.f3.f4):
1299         (f1.f2.f3):
1300         (f1.f2):
1301         (f1):
1302
1303 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1304
1305         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1306         https://bugs.webkit.org/show_bug.cgi?id=193709
1307         <rdar://problem/47363838>
1308
1309         Unreviewed, rollout to watch the tests.
1310
1311         * stress/object-tostring-changed-proto.js: Removed.
1312         * stress/object-tostring-changed.js: Removed.
1313         * stress/object-tostring-misc.js: Removed.
1314         * stress/object-tostring-other.js: Removed.
1315         * stress/object-tostring-untyped.js: Removed.
1316
1317 2019-01-22  Saam Barati  <sbarati@apple.com>
1318
1319         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1320
1321         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1322         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1323         (testUncheckedLessThanZero):
1324         (testUncheckedLessThanOrEqualZero):
1325         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1326         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1327
1328 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1329
1330         [JSC] Invalidate old scope operations using global lexical binding epoch
1331         https://bugs.webkit.org/show_bug.cgi?id=193603
1332         <rdar://problem/47380869>
1333
1334         Reviewed by Saam Barati.
1335
1336         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1337         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1338         (shouldThrow):
1339         (bar):
1340         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1341         (shouldBe):
1342         (get1):
1343         (get2):
1344         (get1If):
1345         (get2If):
1346         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1347         (shouldThrow):
1348         (foo):
1349
1350 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1351
1352         Unreviewed, roll out r240220 due to date-format-xparb regression
1353         https://bugs.webkit.org/show_bug.cgi?id=193603
1354
1355         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1356         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1357         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1358         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1359
1360 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1361
1362         DoesGC rule is wrong for nodes with BigIntUse
1363         https://bugs.webkit.org/show_bug.cgi?id=193652
1364
1365         Reviewed by Saam Barati.
1366
1367         * stress/big-int-value-op-update-gc-rules.js: Added.
1368         (assert):
1369         (doesGCAdd):
1370         (doesGCSub):
1371         (doesGCDiv):
1372         (doesGCMul):
1373         (doesGCBitAnd):
1374         (doesGCBitOr):
1375         (doesGCBitXor):
1376
1377 2019-01-20  Saam Barati  <sbarati@apple.com>
1378
1379         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1380         https://bugs.webkit.org/show_bug.cgi?id=193644
1381         <rdar://problem/46209745>
1382
1383         Reviewed by Yusuke Suzuki.
1384
1385         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1386         (foo):
1387         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1388         (foo):
1389         (bar):
1390
1391 2019-01-20  Saam Barati  <sbarati@apple.com>
1392
1393         MovHint must merge NodeBytecodeUsesAsValue for its child
1394         https://bugs.webkit.org/show_bug.cgi?id=186916
1395         <rdar://problem/41396612>
1396
1397         Reviewed by Yusuke Suzuki.
1398
1399         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1400         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1401
1402 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1403
1404         [JSC] Invalidate old scope operations using global lexical binding epoch
1405         https://bugs.webkit.org/show_bug.cgi?id=193603
1406         <rdar://problem/47380869>
1407
1408         Reviewed by Saam Barati.
1409
1410         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1411         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1412         (shouldThrow):
1413         (bar):
1414         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1415         (shouldBe):
1416         (get1):
1417         (get2):
1418         (get1If):
1419         (get2If):
1420         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1421         (shouldThrow):
1422         (foo):
1423
1424 2019-01-17  Saam barati  <sbarati@apple.com>
1425
1426         StringObjectUse should not be a structure check for the original string object structure
1427         https://bugs.webkit.org/show_bug.cgi?id=193483
1428         <rdar://problem/47280522>
1429
1430         Reviewed by Yusuke Suzuki.
1431
1432         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1433         (foo):
1434         (a.valueOf.0):
1435
1436 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1437
1438         [JSC] ToThis omission in DFGByteCodeParser is wrong
1439         https://bugs.webkit.org/show_bug.cgi?id=193513
1440         <rdar://problem/45842236>
1441
1442         Reviewed by Saam Barati.
1443
1444         * stress/to-this-omission-with-different-strict-modes.js: Added.
1445         (thisA):
1446         (thisAStrictWrapper):
1447
1448 2019-01-15  Mark Lam  <mark.lam@apple.com>
1449
1450         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1451         https://bugs.webkit.org/show_bug.cgi?id=193423
1452         <rdar://problem/46209355>
1453
1454         Reviewed by Saam Barati.
1455
1456         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1457         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1458         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1459         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1460
1461 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1462
1463         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1464         https://bugs.webkit.org/show_bug.cgi?id=193438
1465         <rdar://problem/45581249>
1466
1467         Reviewed by Saam Barati and Keith Miller.
1468
1469         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1470         Then, GetByVal(String) crashed.
1471
1472         * stress/string-get-by-val-lowering.js: Added.
1473         (shouldBe):
1474         (test):
1475         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1476         (Hello):
1477         (foo):
1478
1479 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1480
1481         Unreviewed, skip JIT tests if it's not enabled
1482
1483         * stress/bit-op-with-object-returning-int32.js:
1484
1485 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1486
1487         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1488         https://bugs.webkit.org/show_bug.cgi?id=192966
1489
1490         Reviewed by Yusuke Suzuki.
1491
1492         * stress/bit-op-with-object-returning-int32.js: Added.
1493
1494 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1495
1496         Skip a slow test and a flakey test on arm
1497
1498         Unreviewed gardening.
1499
1500         * typeProfiler/getter-richards.js:
1501         this test always times out, it used to be always skipped on arm and
1502         mips, but got accidentally enabled by r237919 now that we have DFG on
1503         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1504
1505 2019-01-14  Keith Miller  <keith_miller@apple.com>
1506
1507         Skip type-check-hoisting-phase-hoist... with no jit
1508         https://bugs.webkit.org/show_bug.cgi?id=193421
1509
1510         Reviewed by Mark Lam.
1511
1512         It's timing out the 32-bit bots and takes 330 seconds
1513         on my machine when run by itself.
1514
1515         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1516
1517 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1518
1519         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1520         https://bugs.webkit.org/show_bug.cgi?id=193413
1521         <rdar://problem/46092389>
1522
1523         Reviewed by Keith Miller.
1524
1525         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1526         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1527         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1528         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1529
1530         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1531         (compareArray):
1532
1533 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1534
1535         [BigInt] Literal parsing is crashing when used inside a Object Literal
1536         https://bugs.webkit.org/show_bug.cgi?id=193404
1537
1538         Reviewed by Yusuke Suzuki.
1539
1540         * stress/big-int-literal-inside-literal-object.js: Added.
1541
1542 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1543
1544         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1545         https://bugs.webkit.org/show_bug.cgi?id=193372
1546
1547         Reviewed by Saam Barati.
1548
1549         * stress/typed-array-array-modes-profile.js: Added.
1550         (foo):
1551
1552 2019-01-14  Mark Lam  <mark.lam@apple.com>
1553
1554         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1555         https://bugs.webkit.org/show_bug.cgi?id=193402
1556         <rdar://problem/46012309>
1557
1558         Reviewed by Keith Miller.
1559
1560         * stress/regexp-compile-oom.js:
1561         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1562           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1563
1564 2019-01-11  Saam barati  <sbarati@apple.com>
1565
1566         DFG combined liveness can be wrong for terminal basic blocks
1567         https://bugs.webkit.org/show_bug.cgi?id=193304
1568         <rdar://problem/45268632>
1569
1570         Reviewed by Yusuke Suzuki.
1571
1572         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1573
1574 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1575
1576         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1577         https://bugs.webkit.org/show_bug.cgi?id=193308
1578         <rdar://problem/45546542>
1579
1580         Reviewed by Saam Barati.
1581
1582         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1583         (shouldThrow):
1584         (shouldBe):
1585         (foo):
1586         (get shouldThrow):
1587         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1588         (shouldThrow):
1589         (shouldBe):
1590         (foo):
1591         (get shouldBe):
1592         (get shouldThrow):
1593         (get return):
1594         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1595         (shouldThrow):
1596         (shouldBe):
1597         (foo):
1598         (get shouldBe):
1599         (get shouldThrow):
1600         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1601         (shouldThrow):
1602         (shouldBe):
1603         (foo):
1604         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1605         (shouldThrow):
1606         (shouldBe):
1607         (foo):
1608         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1609         (shouldThrow):
1610         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1611         (shouldThrow):
1612         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1613         (shouldThrow):
1614         (shouldBe):
1615         (foo):
1616         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1617         (shouldThrow):
1618         (shouldBe):
1619         (foo):
1620         (get shouldBe):
1621         (get shouldThrow):
1622         (get return):
1623         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1624         (shouldThrow):
1625         (shouldBe):
1626         (foo):
1627         (get shouldBe):
1628         (get shouldThrow):
1629         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1630         (shouldThrow):
1631         (shouldBe):
1632         (foo):
1633         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1634         (shouldThrow):
1635         (shouldBe):
1636         (foo):
1637
1638 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1639
1640         Enable DFG on ARM/Linux again
1641         https://bugs.webkit.org/show_bug.cgi?id=192496
1642
1643         Reviewed by Yusuke Suzuki.
1644
1645         Test wasn't really skipped before moving the line with skip
1646         to the top.
1647
1648         * stress/regress-192717.js:
1649
1650 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1651
1652         Unreviewed, rolling out r239825.
1653         https://bugs.webkit.org/show_bug.cgi?id=193330
1654
1655         Broke tests on armv7/linux bots (Requested by guijemont on
1656         #webkit).
1657
1658         Reverted changeset:
1659
1660         "Enable DFG on ARM/Linux again"
1661         https://bugs.webkit.org/show_bug.cgi?id=192496
1662         https://trac.webkit.org/changeset/239825
1663
1664 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1665
1666         Enable DFG on ARM/Linux again
1667         https://bugs.webkit.org/show_bug.cgi?id=192496
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         Test wasn't really skipped before moving the line with skip
1672         to the top.
1673
1674         * stress/regress-192717.js:
1675
1676 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1677
1678         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1679         https://bugs.webkit.org/show_bug.cgi?id=193127
1680
1681         Reviewed by Saam Barati.
1682
1683         * stress/array-species-create-should-handle-masquerader.js: Added.
1684         (shouldThrow):
1685         * stress/is-undefined-or-null-builtin.js: Added.
1686         (shouldBe):
1687         (isUndefinedOrNull.vm.createBuiltin):
1688
1689 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1690
1691         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1692         https://bugs.webkit.org/show_bug.cgi?id=193221
1693
1694         Reviewed by Mark Lam.
1695
1696         * stress/put-by-id-flags.js: Added.
1697         (f):
1698         (g):
1699         (numberOfDFGCompiles):
1700
1701 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1702
1703         Baseline version of get_by_id may corrupt metadata
1704         https://bugs.webkit.org/show_bug.cgi?id=193085
1705         <rdar://problem/23453006>
1706
1707         Reviewed by Saam Barati.
1708
1709         * stress/get-by-id-change-mode.js: Added.
1710         (forEach):
1711
1712 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1713
1714         [JSC] Optimize Object.prototype.toString
1715         https://bugs.webkit.org/show_bug.cgi?id=193031
1716
1717         Reviewed by Saam Barati.
1718
1719         * stress/object-tostring-changed-proto.js: Added.
1720         (shouldBe):
1721         (test):
1722         * stress/object-tostring-changed.js: Added.
1723         (shouldBe):
1724         (test):
1725         * stress/object-tostring-misc.js: Added.
1726         (shouldBe):
1727         (test):
1728         (i.switch):
1729         * stress/object-tostring-other.js: Added.
1730         (shouldBe):
1731         (test):
1732         * stress/object-tostring-untyped.js: Added.
1733         (shouldBe):
1734         (test):
1735         (i.switch):
1736
1737 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1738
1739         test262-runner misbehaves when test file YAML has a trailing space
1740         https://bugs.webkit.org/show_bug.cgi?id=193053
1741
1742         Reviewed by Yusuke Suzuki.
1743
1744         * test262/expectations.yaml:
1745         Mark two dozen tests as passing (and correct the output of another).
1746
1747 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1748
1749         Unreviewed, JSTests gardening with memoryLimited
1750
1751         * stress/string-overflow-createError.js:
1752
1753 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1754
1755         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1756         https://bugs.webkit.org/show_bug.cgi?id=193050
1757
1758         Reviewed by Yusuke Suzuki.
1759
1760         * test262.yaml:
1761         * test262/expectations.yaml:
1762         Mark 16 tests as passing.
1763
1764 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1765
1766         [BigInt] Support BigInt in JSON.stringify
1767         https://bugs.webkit.org/show_bug.cgi?id=192624
1768
1769         Reviewed by Saam Barati.
1770
1771         * stress/big-int-json-stringify-to-json.js: Added.
1772         (shouldBe):
1773         (shouldThrow):
1774         (BigInt.prototype.toJSON):
1775         (shouldBe.JSON.stringify):
1776         * stress/big-int-json-stringify.js: Added.
1777         (shouldBe):
1778         (shouldThrow):
1779
1780 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1781
1782         [JSC] Implement "well-formed JSON.stringify" proposal
1783         https://bugs.webkit.org/show_bug.cgi?id=191677
1784
1785         Reviewed by Darin Adler.
1786
1787         * stress/json-surrogate-pair.js: Added.
1788         (shouldBe):
1789         * test262/expectations.yaml:
1790
1791 2018-12-20  Keith Miller  <keith_miller@apple.com>
1792
1793         Add support for globalThis
1794         https://bugs.webkit.org/show_bug.cgi?id=165171
1795
1796         Reviewed by Mark Lam.
1797
1798         * test262/config.yaml:
1799
1800 2018-12-19  Keith Miller  <keith_miller@apple.com>
1801
1802         Update test262 configuration to not run tests dependent on ICU version.
1803         https://bugs.webkit.org/show_bug.cgi?id=192920
1804
1805         Reviewed by Saam Barati.
1806
1807         * test262/expectations.yaml:
1808
1809 2018-12-20  Mark Lam  <mark.lam@apple.com>
1810
1811         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1812         https://bugs.webkit.org/show_bug.cgi?id=192939
1813         <rdar://problem/46869516>
1814
1815         Reviewed by Keith Miller.
1816
1817         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1818
1819 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1820
1821         WTF::String and StringImpl overflow MaxLength
1822         https://bugs.webkit.org/show_bug.cgi?id=192853
1823         <rdar://problem/45726906>
1824
1825         Reviewed by Mark Lam.
1826
1827         * stress/string-16bit-repeat-overflow.js: Added.
1828         (catch):
1829
1830 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1831
1832         Unreviewed follow-up to r192914.
1833
1834         * test262/expectations.yaml:
1835         Add the last 20 missing expectations.
1836
1837 2018-12-19  Keith Miller  <keith_miller@apple.com>
1838
1839         Fix test262 expectations
1840         https://bugs.webkit.org/show_bug.cgi?id=192914
1841
1842         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1843
1844         * test262/expectations.yaml:
1845
1846 2018-12-19  Keith Miller  <keith_miller@apple.com>
1847
1848         Update test262 tests.
1849         https://bugs.webkit.org/show_bug.cgi?id=192907
1850
1851         Rubber stamped by Mark Lam.
1852
1853         * test262/*: Omitted because prepare-changelog crashes.
1854
1855 2018-12-19  Mark Lam  <mark.lam@apple.com>
1856
1857         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1858         https://bugs.webkit.org/show_bug.cgi?id=192464
1859         <rdar://problem/46519455>
1860
1861         Reviewed by Saam Barati.
1862
1863         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1864         microbenchmark.
1865
1866         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1867         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1868
1869 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1870
1871         String overflow in JSC::createError results in ASSERT in WTF::makeString
1872         https://bugs.webkit.org/show_bug.cgi?id=192833
1873         <rdar://problem/45706868>
1874
1875         Reviewed by Mark Lam.
1876
1877         * stress/string-overflow-createError.js: Added.
1878
1879 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1880
1881         Error message for `-x ** y` contains a typo.
1882         https://bugs.webkit.org/show_bug.cgi?id=192832
1883
1884         Reviewed by Saam Barati.
1885
1886         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1887         (assert.assert.return.throws):
1888         * stress/pow-expects-update-expression-on-lhs.js:
1889         (throw.new.Error):
1890         Update test expectations which match against the exact error message.
1891
1892 2018-12-18  Mark Lam  <mark.lam@apple.com>
1893
1894         Gardening: test options fix.
1895         https://bugs.webkit.org/show_bug.cgi?id=192822
1896
1897         Unreviewed.
1898
1899         * stress/json-stringify-string-builder-overflow.js:
1900
1901 2018-12-18  Mark Lam  <mark.lam@apple.com>
1902
1903         JSON.stringify() should throw OOM on StringBuilder overflows.
1904         https://bugs.webkit.org/show_bug.cgi?id=192822
1905         <rdar://problem/46670577>
1906
1907         Reviewed by Saam Barati.
1908
1909         * stress/json-stringify-string-builder-overflow.js: Added.
1910
1911 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1912
1913         Redeclaration of var over let/const/class should be a syntax error.
1914         https://bugs.webkit.org/show_bug.cgi?id=192298
1915
1916         Reviewed by Keith Miller.
1917
1918         * test262.yaml:
1919         * test262/expectations.yaml:
1920         Mark 46 tests as passing.
1921
1922         * stress/block-scope-redeclarations.js:
1923         Add some new tests.
1924
1925         * stress/for-in-invalidate-context-weird-assignments.js:
1926         * stress/for-in-tests.js:
1927         Replace tests for outdated behavior with tests for SyntaxError.
1928
1929         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1930         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1931         Update expectations.
1932
1933 2018-12-18  Mark Lam  <mark.lam@apple.com>
1934
1935         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1936         https://bugs.webkit.org/show_bug.cgi?id=191374
1937         <rdar://problem/46525447>
1938
1939         Reviewed by Yusuke Suzuki.
1940
1941         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1942
1943         * stress/elidable-new-object-roflcopter-then-exit.js:
1944
1945 2018-12-17  Mark Lam  <mark.lam@apple.com>
1946
1947         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1948         https://bugs.webkit.org/show_bug.cgi?id=192019
1949         <rdar://problem/46525456>
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         The test runs too slow on 32-bit.
1954
1955         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1956
1957 2018-12-17  Mark Lam  <mark.lam@apple.com>
1958
1959         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1960         https://bugs.webkit.org/show_bug.cgi?id=191373
1961         <rdar://problem/46525458>
1962
1963         Reviewed by Yusuke Suzuki.
1964
1965         The test is already slow running with a JIT on 64-bit.  It will always time out
1966         on 32-bit without a JIT.
1967
1968         * stress/materialize-regexp-cyclic-regexp.js:
1969
1970 2018-12-17  Mark Lam  <mark.lam@apple.com>
1971
1972         Array unshift/shift should not race against the AI in the compiler thread.
1973         https://bugs.webkit.org/show_bug.cgi?id=192795
1974         <rdar://problem/46724263>
1975
1976         Reviewed by Saam Barati.
1977
1978         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1979
1980 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1981
1982         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1983         https://bugs.webkit.org/show_bug.cgi?id=190047
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/object-keys-cached-zero.js: Added.
1988         (shouldBe):
1989         (test):
1990         * stress/object-keys-changed-attribute.js: Added.
1991         (shouldBe):
1992         (test):
1993         * stress/object-keys-changed-index.js: Added.
1994         (shouldBe):
1995         (test):
1996         * stress/object-keys-changed.js: Added.
1997         (shouldBe):
1998         (test):
1999         * stress/object-keys-indexed-non-cache.js: Added.
2000         (shouldBe):
2001         (test):
2002         * stress/object-keys-overrides-get-property-names.js: Added.
2003         (shouldBe):
2004         (test):
2005         (noInline):
2006
2007 2018-12-17  Mark Lam  <mark.lam@apple.com>
2008
2009         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2010         https://bugs.webkit.org/show_bug.cgi?id=192779
2011         <rdar://problem/46775869>
2012
2013         Reviewed by Saam Barati.
2014
2015         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2016
2017 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2018
2019         Unreviewed test gardening, address a syntax error in a new test.
2020
2021         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2022
2023 2018-12-17  Mark Lam  <mark.lam@apple.com>
2024
2025         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2026         https://bugs.webkit.org/show_bug.cgi?id=192776
2027         <rdar://problem/46772368>
2028
2029         Reviewed by Keith Miller.
2030
2031         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2032
2033 2018-12-17  Mark Lam  <mark.lam@apple.com>
2034
2035         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2036         https://bugs.webkit.org/show_bug.cgi?id=192770
2037         <rdar://problem/46449037>
2038
2039         Reviewed by Keith Miller.
2040
2041         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2042
2043 2018-12-14  Mark Lam  <mark.lam@apple.com>
2044
2045         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2046         https://bugs.webkit.org/show_bug.cgi?id=192717
2047         <rdar://problem/46660677>
2048
2049         Reviewed by Saam Barati.
2050
2051         * stress/regress-192717.js: Added.
2052
2053 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2054
2055         Unreviewed, rolling out r239153, r239154, and r239155.
2056         https://bugs.webkit.org/show_bug.cgi?id=192715
2057
2058         Caused flaky GC-related crashes seen with layout tests
2059         (Requested by ryanhaddad on #webkit).
2060
2061         Reverted changesets:
2062
2063         "[JSC] Optimize Object.keys by caching own keys results in
2064         StructureRareData"
2065         https://bugs.webkit.org/show_bug.cgi?id=190047
2066         https://trac.webkit.org/changeset/239153
2067
2068         "Unreviewed, build fix after r239153"
2069         https://bugs.webkit.org/show_bug.cgi?id=190047
2070         https://trac.webkit.org/changeset/239154
2071
2072         "Unreviewed, build fix after r239153, part 2"
2073         https://bugs.webkit.org/show_bug.cgi?id=190047
2074         https://trac.webkit.org/changeset/239155
2075
2076 2018-12-14  Keith Miller  <keith_miller@apple.com>
2077
2078         Callers of JSString::getIndex should check for OOM exceptions
2079         https://bugs.webkit.org/show_bug.cgi?id=192709
2080
2081         Reviewed by Mark Lam.
2082
2083         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2084
2085 2018-12-13  Mark Lam  <mark.lam@apple.com>
2086
2087         Add a missing exception check.
2088         https://bugs.webkit.org/show_bug.cgi?id=192626
2089         <rdar://problem/46662163>
2090
2091         Reviewed by Keith Miller.
2092
2093         * stress/regress-192626.js: Added.
2094
2095 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2096
2097         [BigInt] Add ValueDiv into DFG
2098         https://bugs.webkit.org/show_bug.cgi?id=186178
2099
2100         Reviewed by Yusuke Suzuki.
2101
2102         * stress/big-int-div-jit-osr.js: Added.
2103         * stress/big-int-div-jit-untyped.js: Added.
2104         * stress/value-div-fixup-int32-big-int.js: Added.
2105
2106 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2107
2108         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2109         https://bugs.webkit.org/show_bug.cgi?id=190047
2110
2111         Reviewed by Keith Miller.
2112
2113         * stress/object-keys-cached-zero.js: Added.
2114         (shouldBe):
2115         (test):
2116         * stress/object-keys-changed-attribute.js: Added.
2117         (shouldBe):
2118         (test):
2119         * stress/object-keys-changed-index.js: Added.
2120         (shouldBe):
2121         (test):
2122         * stress/object-keys-changed.js: Added.
2123         (shouldBe):
2124         (test):
2125         * stress/object-keys-indexed-non-cache.js: Added.
2126         (shouldBe):
2127         (test):
2128         * stress/object-keys-overrides-get-property-names.js: Added.
2129         (shouldBe):
2130         (test):
2131         (noInline):
2132
2133 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2134
2135         [DFG][FTL] Add NewSymbol
2136         https://bugs.webkit.org/show_bug.cgi?id=192620
2137
2138         Reviewed by Saam Barati.
2139
2140         * microbenchmarks/symbol-creation.js: Added.
2141         (test):
2142         * stress/symbol-description-identity.js: Added.
2143         (shouldBe):
2144         (test):
2145         * stress/symbol-identity.js: Added.
2146         (shouldBe):
2147         (test):
2148         * stress/symbol-with-description-throw-error.js: Added.
2149         (shouldBe):
2150         (shouldThrow):
2151         (test):
2152         (object.toString):
2153
2154 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2155
2156         [BigInt] Implement DFG/FTL typeof for BigInt
2157         https://bugs.webkit.org/show_bug.cgi?id=192619
2158
2159         Reviewed by Keith Miller.
2160
2161         * stress/big-int-boolean-proven-type.js: Added.
2162         (assert):
2163         (bool):
2164         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2165         (assert):
2166         (typeOf):
2167         (i.switch):
2168         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2169         (assert):
2170         (typeOf):
2171         * stress/big-int-type-of.js:
2172         (typeOf):
2173         (func):
2174
2175 2018-12-10  Mark Lam  <mark.lam@apple.com>
2176
2177         PropertyAttribute needs a CustomValue bit.
2178         https://bugs.webkit.org/show_bug.cgi?id=191993
2179         <rdar://problem/46264467>
2180
2181         Reviewed by Saam Barati.
2182
2183         * stress/regress-191993.js: Added.
2184
2185 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2186
2187         [BigInt] Add ValueMul into DFG
2188         https://bugs.webkit.org/show_bug.cgi?id=186175
2189
2190         Reviewed by Yusuke Suzuki.
2191
2192         * stress/big-int-mul-jit-osr.js: Added.
2193         * stress/big-int-mul-jit-untyped.js: Added.
2194         * stress/value-mul-fixup-int32-big-int.js: Added.
2195
2196 2018-12-06  Keith Miller  <keith_miller@apple.com>
2197
2198         stress/big-wasm-memory tests failing on 32-bit JSC bot
2199         https://bugs.webkit.org/show_bug.cgi?id=192020
2200
2201         Reviewed by Saam Barati.
2202
2203         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2204         the wasm stress tests if the WebAssembly object does not exist.
2205
2206         * stress/big-wasm-memory-grow-no-max.js:
2207         (test.foo):
2208         (test):
2209         (foo): Deleted.
2210         (catch): Deleted.
2211         * stress/big-wasm-memory-grow.js:
2212         (test.foo):
2213         (test):
2214         (foo): Deleted.
2215         (catch): Deleted.
2216         * stress/big-wasm-memory.js:
2217         (test.foo):
2218         (test):
2219         (foo): Deleted.
2220         (catch): Deleted.
2221
2222 2018-12-05  Mark Lam  <mark.lam@apple.com>
2223
2224         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2225         https://bugs.webkit.org/show_bug.cgi?id=192441
2226         <rdar://problem/46480355>
2227
2228         Reviewed by Saam Barati.
2229
2230         * stress/regress-192441.js: Added.
2231
2232 2018-12-04  Mark Lam  <mark.lam@apple.com>
2233
2234         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2235         https://bugs.webkit.org/show_bug.cgi?id=192386
2236         <rdar://problem/46445516>
2237
2238         Reviewed by Saam Barati.
2239
2240         * stress/regress-192386.js: Added.
2241
2242 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2243
2244         [ESNext][BigInt] Support logic operations
2245         https://bugs.webkit.org/show_bug.cgi?id=179903
2246
2247         Reviewed by Yusuke Suzuki.
2248
2249         * stress/big-int-branch-usage.js: Added.
2250         * stress/big-int-logical-and.js: Added.
2251         * stress/big-int-logical-not.js: Added.
2252         * stress/big-int-logical-or.js: Added.
2253
2254 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2255
2256         Unreviewed, rolling out r238833.
2257
2258         Breaks macOS and iOS debug builds.
2259
2260         Reverted changeset:
2261
2262         "[ESNext][BigInt] Support logic operations"
2263         https://bugs.webkit.org/show_bug.cgi?id=179903
2264         https://trac.webkit.org/changeset/238833
2265
2266 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2267
2268         [ESNext][BigInt] Support logic operations
2269         https://bugs.webkit.org/show_bug.cgi?id=179903
2270
2271         Reviewed by Yusuke Suzuki.
2272
2273         * stress/big-int-branch-usage.js: Added.
2274         * stress/big-int-logical-and.js: Added.
2275         * stress/big-int-logical-not.js: Added.
2276         * stress/big-int-logical-or.js: Added.
2277
2278 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2279
2280         [ESNext][BigInt] Implement support for "<<" and ">>"
2281         https://bugs.webkit.org/show_bug.cgi?id=186233
2282
2283         Reviewed by Yusuke Suzuki.
2284
2285         * stress/big-int-left-shift-general.js: Added.
2286         * stress/big-int-left-shift-range-error.js: Added.
2287         * stress/big-int-left-shift-type-error.js: Added.
2288         * stress/big-int-left-shift-wrapped-value.js: Added.
2289         * stress/big-int-right-shift-general.js: Added.
2290         * stress/big-int-right-shift-type-error.js: Added.
2291         * stress/big-int-right-shift-wrapped-value.js: Added.
2292         * stress/left-shift-to-primitive-precedence.js: Added.
2293         * stress/right-shift-to-primitive-precedence.js: Added.
2294
2295 2018-11-30  Dean Jackson  <dino@apple.com>
2296
2297         Add first-class support for .mjs files in jsc binary
2298         https://bugs.webkit.org/show_bug.cgi?id=192190
2299         <rdar://problem/46375715>
2300
2301         Reviewed by Keith Miller.
2302
2303         * stress/simple-module.mjs: Added.
2304         * stress/simple-script.js: Added.
2305
2306 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2307
2308         [BigInt] Implement ValueBitXor into DFG
2309         https://bugs.webkit.org/show_bug.cgi?id=190264
2310
2311         Reviewed by Yusuke Suzuki.
2312
2313         * stress/big-int-bitwise-xor-jit.js: Added.
2314         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2315         * stress/big-int-bitwise-xor-untyped.js: Added.
2316
2317 2018-11-27  Saam barati  <sbarati@apple.com>
2318
2319         r238510 broke scopes of size zero
2320         https://bugs.webkit.org/show_bug.cgi?id=192033
2321         <rdar://problem/46281734>
2322
2323         Reviewed by Keith Miller.
2324
2325         * stress/r238510-bad-loop.js: Added.
2326         (foo):
2327
2328 2018-11-27  Mark Lam  <mark.lam@apple.com>
2329
2330         [Re-landing] NaNs read from Wasm code need to be purified.
2331         https://bugs.webkit.org/show_bug.cgi?id=191056
2332         <rdar://problem/45660341>
2333
2334         Reviewed by Filip Pizlo.
2335
2336         * wasm/regress/regress-191056.js: Added.
2337
2338 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2339
2340         Unreviewed, rolling out r238509.
2341
2342         Causes JSC tests to fail on iOS.
2343
2344         Reverted changeset:
2345
2346         "NaNs read from Wasm code need to be purified."
2347         https://bugs.webkit.org/show_bug.cgi?id=191056
2348         https://trac.webkit.org/changeset/238509
2349
2350 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2351
2352         Re-introduce op_bitnot
2353         https://bugs.webkit.org/show_bug.cgi?id=190923
2354
2355         Reviewed by Yusuke Suzuki.
2356
2357         * stress/bit-not-must-generate.js: Added.
2358         * stress/bitwise-not-no-int32.js: Added.
2359
2360 2018-11-26  Saam barati  <sbarati@apple.com>
2361
2362         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2363         https://bugs.webkit.org/show_bug.cgi?id=191956
2364         <rdar://problem/45665806>
2365
2366         Reviewed by Yusuke Suzuki.
2367
2368         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2369         (bar):
2370         (foo):
2371
2372 2018-11-26  Saam barati  <sbarati@apple.com>
2373
2374         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2375         https://bugs.webkit.org/show_bug.cgi?id=191958
2376         <rdar://problem/46221877>
2377
2378         Reviewed by Yusuke Suzuki.
2379
2380         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2381         (x):
2382         (foo):
2383
2384 2018-11-26  Mark Lam  <mark.lam@apple.com>
2385
2386         NaNs read from Wasm code need to be purified.
2387         https://bugs.webkit.org/show_bug.cgi?id=191056
2388         <rdar://problem/45660341>
2389
2390         Reviewed by Filip Pizlo.
2391
2392         * wasm/regress/regress-191056.js: Added.
2393
2394 2018-11-26  Michael Saboff  <msaboff@apple.com>
2395
2396         32-bit JSC test failure: stress/regexp-compile-oom.js
2397         https://bugs.webkit.org/show_bug.cgi?id=191375
2398
2399         Reviewed by Mark Lam.
2400
2401         Disabled the test for 32-bit platforms.
2402
2403         * stress/regexp-compile-oom.js:
2404
2405 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2406
2407         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2408         https://bugs.webkit.org/show_bug.cgi?id=191716
2409         <rdar://problem/45723878>
2410
2411         Reviewed by Saam Barati.
2412
2413         * stress/regress-187373.js: Added.
2414         (async.fn):
2415
2416 2018-11-21  Saam barati  <sbarati@apple.com>
2417
2418         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2419         https://bugs.webkit.org/show_bug.cgi?id=191897
2420         <rdar://problem/45871998>
2421
2422         Reviewed by Mark Lam.
2423
2424         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2425         (bar):
2426         (foo):
2427
2428 2018-11-21  Saam barati  <sbarati@apple.com>
2429
2430         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2431         https://bugs.webkit.org/show_bug.cgi?id=191895
2432         <rdar://problem/46167406>
2433
2434         Reviewed by Mark Lam.
2435
2436         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2437         (foo):
2438         (bar):
2439
2440 2018-11-21  Mark Lam  <mark.lam@apple.com>
2441
2442         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2443         https://bugs.webkit.org/show_bug.cgi?id=191776
2444         <rdar://problem/46152851>
2445
2446         Reviewed by Saam Barati.
2447
2448         * stress/big-wasm-memory-grow-no-max.js:
2449         * stress/big-wasm-memory-grow.js:
2450         * stress/big-wasm-memory.js:
2451         - updated these to expect an OutOfMemoryError.
2452
2453         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2454         (Binary.prototype.emit_u8):
2455         (Binary.prototype.emit_u32v):
2456         (Binary.prototype.emit_header):
2457         (Binary.prototype.emit_section):
2458         (Binary):
2459         (WasmModuleBuilder):
2460         (WasmModuleBuilder.prototype.addMemory):
2461         (WasmModuleBuilder.prototype.toArray):
2462         (WasmModuleBuilder.prototype.toBuffer):
2463         (WasmModuleBuilder.prototype.instantiate):
2464         (catch):
2465         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2466         (catch):
2467
2468 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2469
2470         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2471         https://bugs.webkit.org/show_bug.cgi?id=190836
2472
2473         Reviewed by Saam Barati and Yusuke Suzuki.
2474
2475         * stress/big-int-out-of-memory-tests.js: Added.
2476
2477 2018-11-20  Mark Lam  <mark.lam@apple.com>
2478
2479         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2480         https://bugs.webkit.org/show_bug.cgi?id=191856
2481         <rdar://problem/46089992>
2482
2483         Reviewed by Yusuke Suzuki.
2484
2485         * stress/regress-191856.js: Added.
2486         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2487
2488 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2489
2490         Enable JIT on ARM/Linux
2491         https://bugs.webkit.org/show_bug.cgi?id=191548
2492
2493         Reviewed by Yusuke Suzuki.
2494
2495         Disable test on system with limited memory. Program was killed by
2496         the OS before the exception was thrown.
2497
2498         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2499
2500 2018-11-20  Saam barati  <sbarati@apple.com>
2501
2502         Merging an IC variant may lead to the IC status containing overlapping structure sets
2503         https://bugs.webkit.org/show_bug.cgi?id=191869
2504         <rdar://problem/45403453>
2505
2506         Reviewed by Mark Lam.
2507
2508         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2509
2510 2018-11-19  Mark Lam  <mark.lam@apple.com>
2511
2512         globalFuncImportModule() should return a promise when it clears exceptions.
2513         https://bugs.webkit.org/show_bug.cgi?id=191792
2514         <rdar://problem/46090763>
2515
2516         Reviewed by Michael Saboff.
2517
2518         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2519
2520 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2521
2522         Skip new memory-hungry tests on memory limited devices
2523
2524         Unreviewed gardening.
2525
2526         * stress/big-wasm-memory-grow-no-max.js:
2527         * stress/big-wasm-memory-grow.js:
2528         * stress/big-wasm-memory.js:
2529
2530 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2531
2532         Unreviewed, rolling in the rest of r237254
2533         https://bugs.webkit.org/show_bug.cgi?id=190340
2534
2535         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2536         * stress/function-cache-with-parameters-end-position.js: Added.
2537         (shouldBe):
2538         (shouldThrow):
2539         (i.anonymous):
2540         * stress/function-constructor-name.js: Added.
2541         (shouldBe):
2542         (GeneratorFunction):
2543         (AsyncFunction.async):
2544         (AsyncGeneratorFunction.async):
2545         (anonymous):
2546         (async.anonymous):
2547         * test262/expectations.yaml:
2548
2549 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2550
2551         All users of ArrayBuffer should agree on the same max size
2552         https://bugs.webkit.org/show_bug.cgi?id=191771
2553
2554         Reviewed by Mark Lam.
2555
2556         * stress/big-wasm-memory-grow-no-max.js: Added.
2557         (foo):
2558         (catch):
2559         * stress/big-wasm-memory-grow.js: Added.
2560         (foo):
2561         (catch):
2562         * stress/big-wasm-memory.js: Added.
2563         (foo):
2564         (catch):
2565
2566 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2567
2568         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2569         run for each JSC config since they're regression tests for runtime bugs.
2570
2571         * stress/json-stringified-overflow-2.js:
2572         * stress/json-stringified-overflow.js:
2573
2574 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2575
2576         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2577         config since they're regression tests for runtime bugs.
2578
2579         * stress/large-unshift-splice.js:
2580         * stress/regress-185888.js:
2581
2582 2018-11-16  Saam Barati  <sbarati@apple.com>
2583
2584         KnownCellUse should also have SpecCellCheck as its type filter
2585         https://bugs.webkit.org/show_bug.cgi?id=191729
2586         <rdar://problem/45872852>
2587
2588         Reviewed by Filip Pizlo.
2589
2590         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2591         (C):
2592
2593 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2594
2595         Fix assertion failure on BytecodeGenerator::recordOpcode
2596         https://bugs.webkit.org/show_bug.cgi?id=191724
2597         <rdar://problem/45724395>
2598
2599         Reviewed by Saam Barati.
2600
2601         * stress/regress-187373-2.js: Added.
2602         (foo):
2603
2604 2018-11-15  Mark Lam  <mark.lam@apple.com>
2605
2606         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2607         https://bugs.webkit.org/show_bug.cgi?id=191730
2608         <rdar://problem/46048517>
2609
2610         Reviewed by Saam Barati.
2611
2612         * stress/regress-187006.js: Removed.
2613           - this test is invalid because its sole purpose is to test for the non-spec
2614             compliant behavior that we just fixed.
2615
2616         * stress/regress-191730.js: Added.
2617
2618 2018-11-15  Mark Lam  <mark.lam@apple.com>
2619
2620         RegExp operations should not take fast path if lastIndex is not numeric.
2621         https://bugs.webkit.org/show_bug.cgi?id=191731
2622         <rdar://problem/46017305>
2623
2624         Reviewed by Saam Barati.
2625
2626         * stress/regress-191731.js: Added.
2627
2628 2018-11-13  Saam Barati  <sbarati@apple.com>
2629
2630         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2631         https://bugs.webkit.org/show_bug.cgi?id=191600
2632
2633         Reviewed by Mark Lam.
2634
2635         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2636         (foo):
2637         (test):
2638         (bar):
2639
2640 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2641
2642         Unreviewed, rolling out r238132.
2643
2644         The test added with this change is timing out on Debug JSC
2645         bots.
2646
2647         Reverted changeset:
2648
2649         "[BigInt] JSBigInt::createWithLength should throw when length
2650         is greater than JSBigInt::maxLength"
2651         https://bugs.webkit.org/show_bug.cgi?id=190836
2652         https://trac.webkit.org/changeset/238132
2653
2654 2018-11-13  Mark Lam  <mark.lam@apple.com>
2655
2656         Add OOM detection to StringPrototype's substituteBackreferences().
2657         https://bugs.webkit.org/show_bug.cgi?id=191563
2658         <rdar://problem/45720428>
2659
2660         Reviewed by Saam Barati.
2661
2662         * stress/regress-191563.js: Added.
2663
2664 2018-11-13  Mark Lam  <mark.lam@apple.com>
2665
2666         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2667         https://bugs.webkit.org/show_bug.cgi?id=191579
2668         <rdar://problem/45942472>
2669
2670         Reviewed by Saam Barati.
2671
2672         * stress/regress-191579.js: Added.
2673
2674 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2675
2676         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2677         https://bugs.webkit.org/show_bug.cgi?id=190836
2678
2679         Reviewed by Saam Barati.
2680
2681         * stress/big-int-out-of-memory-tests.js: Added.
2682
2683 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2684
2685         U+180E is no longer a whitespace character
2686         https://bugs.webkit.org/show_bug.cgi?id=191415
2687
2688         Reviewed by Saam Barati.
2689
2690         * ChakraCore/test/es5/regexSpace.baseline:
2691         * ChakraCore/test/es6/unicode_whitespace.js:
2692         Update tests to latest version.
2693         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2694
2695         * test262.yaml:
2696         * test262/config.yaml:
2697         * test262/expectations.yaml:
2698         Update expectations.
2699
2700 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2701
2702         [BigInt] Add support to BigInt into ValueAdd
2703         https://bugs.webkit.org/show_bug.cgi?id=186177
2704
2705         Reviewed by Keith Miller.
2706
2707         * stress/big-int-negate-jit.js:
2708         * stress/value-add-big-int-and-string.js: Added.
2709         * stress/value-add-big-int-prediction-propagation.js: Added.
2710         * stress/value-add-big-int-untyped.js: Added.
2711
2712 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2713
2714         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2715         https://bugs.webkit.org/show_bug.cgi?id=191184
2716
2717         Reviewed by Saam Barati.
2718
2719         Most tests were failing due to timeouts, since they are too slow to
2720         run on CLoop. The exceptions are:
2721
2722         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2723         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2724         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2725         to change the stack size since CLoop requires it to be page aligned.
2726
2727         * microbenchmarks/array-push-1.js:
2728         * microbenchmarks/array-push-2.js:
2729         * microbenchmarks/elidable-new-object-dag.js:
2730         * microbenchmarks/elidable-new-object-roflcopter.js:
2731         * microbenchmarks/elidable-new-object-tree.js:
2732         * microbenchmarks/getter-richards.js:
2733         * microbenchmarks/sinkable-new-object-dag.js:
2734         * microbenchmarks/string-concat-long-convert.js:
2735         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2736         * slowMicrobenchmarks/array-push-3.js:
2737         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2738         * slowMicrobenchmarks/spread-small-array.js:
2739         * slowMicrobenchmarks/undefined-property-access.js:
2740         * stress/activation-sink-default-value-tdz-error.js:
2741         * stress/activation-sink-default-value.js:
2742         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2743         * stress/activation-sink-osrexit-default-value.js:
2744         * stress/activation-sink-osrexit.js:
2745         * stress/activation-sink.js:
2746         * stress/allow-math-ic-b3-code-duplication.js:
2747         * stress/array-push-multiple-int32.js:
2748         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2749         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2750         * stress/arrowfunction-lexical-this-activation-sink.js:
2751         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2752         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2753         * stress/elide-new-object-dag-then-exit.js:
2754         * stress/materialize-regexp-cyclic.js:
2755         * stress/new-regex-inline.js:
2756         * stress/op_add.js:
2757         * stress/op_bitand.js:
2758         * stress/op_bitor.js:
2759         * stress/op_bitxor.js:
2760         * stress/op_div-ConstVar.js:
2761         * stress/op_div-VarConst.js:
2762         * stress/op_div-VarVar.js:
2763         * stress/op_lshift-ConstVar.js:
2764         * stress/op_lshift-VarConst.js:
2765         * stress/op_lshift-VarVar.js:
2766         * stress/op_mod-ConstVar.js:
2767         * stress/op_mod-VarConst.js:
2768         * stress/op_mod-VarVar.js:
2769         * stress/op_mul-ConstVar.js:
2770         * stress/op_mul-VarConst.js:
2771         * stress/op_mul-VarVar.js:
2772         * stress/op_rshift-ConstVar.js:
2773         * stress/op_rshift-VarConst.js:
2774         * stress/op_rshift-VarVar.js:
2775         * stress/op_sub-ConstVar.js:
2776         * stress/op_sub-VarConst.js:
2777         * stress/op_sub-VarVar.js:
2778         * stress/op_urshift-ConstVar.js:
2779         * stress/op_urshift-VarConst.js:
2780         * stress/op_urshift-VarVar.js:
2781         * stress/proxy-get-set-correct-receiver.js:
2782         * stress/regress-179562.js:
2783         * stress/rest-parameter-many-arguments.js:
2784         * stress/sampling-profiler-richards.js:
2785         * stress/splay-flash-access-1ms.js:
2786         * stress/tailCallForwardArguments.js:
2787         * stress/typed-array-get-by-val-profiling.js:
2788         * typeProfiler/getter-richards.js:
2789
2790 2018-11-06  Michael Saboff  <msaboff@apple.com>
2791
2792         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2793         https://bugs.webkit.org/show_bug.cgi?id=191271
2794
2795         Reviewed by Saam Barati.
2796
2797         Added more test cases and made all test cases run with the same deeply recursive stack
2798         instead of finding that same point for each test case.
2799
2800         * stress/regexp-compile-oom.js:
2801         (prototype.runTest):
2802         (recurseAndTest):
2803         (testList.push.new.TestAndExpectedException):
2804
2805 2018-11-05  Michael Saboff  <msaboff@apple.com>
2806
2807         Unreviewed build fix for linux.
2808
2809         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2810
2811 2018-11-02  Michael Saboff  <msaboff@apple.com>
2812
2813         Rolling in r237753 with unreviewed build fix.
2814
2815         Fixed issues with DECLARE_THROW_SCOPE placement.
2816
2817 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2818
2819         Unreviewed, rolling out r237753.
2820
2821         Introduced JSC test failures
2822
2823         Reverted changeset:
2824
2825         "Running out of stack space not properly handled in
2826         RegExp::compile() and its callers"
2827         https://bugs.webkit.org/show_bug.cgi?id=191206
2828         https://trac.webkit.org/changeset/237753
2829
2830 2018-11-02  Michael Saboff  <msaboff@apple.com>
2831
2832         Running out of stack space not properly handled in RegExp::compile() and its callers
2833         https://bugs.webkit.org/show_bug.cgi?id=191206
2834
2835         Reviewed by Filip Pizlo.
2836
2837         New regression test.
2838
2839         * stress/regexp-compile-oom.js: Added.
2840         (recurseAndTest):
2841
2842 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2843
2844         Skip tests on arm/mips that time out now we're running on CLoop
2845
2846         Unreviewed gardening.
2847
2848         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2849         time out on the bots and need to be disabled. There are more tests
2850         disabled on arm because the timeout is longer on the mips bot (as the
2851         device is slower to start with), so many of the tests don't time out
2852         there.
2853
2854         * microbenchmarks/getter-richards.js: disable on arm and mips.
2855         * stress/op_add.js: disable on arm.
2856         * stress/op_bitand.js: disable on arm.
2857         * stress/op_bitor.js: disable on arm.
2858         * stress/op_bitxor.js: disable on arm.
2859         * stress/op_lshift-ConstVar.js: disable on arm.
2860         * stress/op_lshift-VarConst.js: disable on arm.
2861         * stress/op_lshift-VarVar.js: disable on arm.
2862         * stress/op_mod-ConstVar.js: disable on arm.
2863         * stress/op_mod-VarConst.js: disable on arm.
2864         * stress/op_mod-VarVar.js: disable on arm.
2865         * stress/op_mul-ConstVar.js: disable on arm.
2866         * stress/op_mul-VarConst.js: disable on arm.
2867         * stress/op_mul-VarVar.js: disable on arm.
2868         * stress/op_rshift-ConstVar.js: disable on arm.
2869         * stress/op_rshift-VarConst.js: disable on arm.
2870         * stress/op_rshift-VarVar.js: disable on arm.
2871         * stress/op_sub-ConstVar.js: disable on arm.
2872         * stress/op_sub-VarConst.js: disable on arm.
2873         * stress/op_sub-VarVar.js: disable on arm.
2874         * stress/op_urshift-ConstVar.js: disable on arm.
2875         * stress/op_urshift-VarConst.js: disable on arm.
2876         * stress/op_urshift-VarVar.js: disable on arm.
2877         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2878         * stress/value-to-boolean.js: disable on arm and mips.
2879
2880 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2881
2882         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2883         https://bugs.webkit.org/show_bug.cgi?id=191108
2884         <rdar://problem/45690700>
2885
2886         Reviewed by Saam Barati.
2887
2888         * stress/wide-op_catch.js: Added.
2889         (catch):
2890
2891 2018-10-29  Mark Lam  <mark.lam@apple.com>
2892
2893         Correctly detect string overflow when using the 'Function' constructor.
2894         https://bugs.webkit.org/show_bug.cgi?id=184883
2895         <rdar://problem/36320331>
2896
2897         Reviewed by Saam Barati.
2898
2899         I've verified that this passes on 32-bit as well.
2900
2901         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2902
2903 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2904
2905         Add support for GetStack FlushedDouble
2906         https://bugs.webkit.org/show_bug.cgi?id=191012
2907         <rdar://problem/45265141>
2908
2909         Reviewed by Saam Barati.
2910
2911         * stress/get-stack-double.js: Added.
2912         (bar):
2913         (noInline):
2914
2915 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2916
2917         New bytecode format for JSC
2918         https://bugs.webkit.org/show_bug.cgi?id=187373
2919         <rdar://problem/44186758>
2920
2921         Reviewed by Filip Pizlo.
2922
2923         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2924
2925         * stress/maximum-inline-capacity.js: Added.
2926         (test1):
2927         (test3.Foo):
2928         (test3):
2929
2930 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2931
2932         Unreviewed, rolling out r237479 and r237484.
2933         https://bugs.webkit.org/show_bug.cgi?id=190978
2934
2935         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2936
2937         Reverted changesets:
2938
2939         "New bytecode format for JSC"
2940         https://bugs.webkit.org/show_bug.cgi?id=187373
2941         https://trac.webkit.org/changeset/237479
2942
2943         "Gardening: Build fix after r237479."
2944         https://bugs.webkit.org/show_bug.cgi?id=187373
2945         https://trac.webkit.org/changeset/237484
2946
2947 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2948
2949         New bytecode format for JSC
2950         https://bugs.webkit.org/show_bug.cgi?id=187373
2951         <rdar://problem/44186758>
2952
2953         Reviewed by Filip Pizlo.
2954
2955         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2956
2957         * stress/maximum-inline-capacity.js: Added.
2958         (test1):
2959         (test3.Foo):
2960         (test3):
2961
2962 2018-10-26  Mark Lam  <mark.lam@apple.com>
2963
2964         Fix missing edge cases with JSGlobalObjects having a bad time.
2965         https://bugs.webkit.org/show_bug.cgi?id=189028
2966         <rdar://problem/45204939>
2967
2968         Reviewed by Saam Barati.
2969
2970         * stress/regress-189028.js: Added.
2971
2972 2018-10-22  Mark Lam  <mark.lam@apple.com>
2973
2974         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2975         https://bugs.webkit.org/show_bug.cgi?id=190515
2976         <rdar://problem/45222379>
2977
2978         Rubber-stamped by Saam Barati.
2979
2980         Adding another test.
2981
2982         * stress/regress-190515-2.js: Added.
2983
2984 2018-10-22  Mark Lam  <mark.lam@apple.com>
2985
2986         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2987         https://bugs.webkit.org/show_bug.cgi?id=190515
2988         <rdar://problem/45222379>
2989
2990         Reviewed by Saam Barati.
2991
2992         * stress/regress-190515.js: Added.
2993
2994 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2995
2996         Unreviewed, rolling out r237254.
2997         https://bugs.webkit.org/show_bug.cgi?id=190760
2998
2999         "It regresses JetStream 2 by 5% on some iOS devices"
3000         (Requested by saamyjoon on #webkit).
3001
3002         Reverted changeset:
3003
3004         "[JSC] JSC should have "parseFunction" to optimize Function
3005         constructor"
3006         https://bugs.webkit.org/show_bug.cgi?id=190340
3007         https://trac.webkit.org/changeset/237254
3008
3009 2018-10-19  Saam Barati  <sbarati@apple.com>
3010
3011         vmCall should check if we exit before emitting an OSR exit due to exceptions
3012         https://bugs.webkit.org/show_bug.cgi?id=190740
3013         <rdar://problem/45220139>
3014
3015         Reviewed by Mark Lam.
3016
3017         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3018         (foo):
3019
3020 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3021
3022         [ESNext][BigInt] Implement support for "^"
3023         https://bugs.webkit.org/show_bug.cgi?id=186235
3024
3025         Reviewed by Yusuke Suzuki.
3026
3027         * stress/big-int-bitwise-xor-general.js: Added.
3028         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3029         * stress/big-int-bitwise-xor-type-error.js: Added.
3030         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3031
3032 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3033
3034         [BigInt] Add ValueSub into DFG
3035         https://bugs.webkit.org/show_bug.cgi?id=186176
3036
3037         Reviewed by Yusuke Suzuki.
3038
3039         * stress/big-int-subtraction-jit.js:
3040         * stress/value-sub-big-int-prediction-propagation.js: Added.
3041         * stress/value-sub-big-int-untyped.js: Added.
3042         * stress/value-sub-spec-none-case.js: Added.
3043
3044 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3045
3046         [JSC] JSC should have "parseFunction" to optimize Function constructor
3047         https://bugs.webkit.org/show_bug.cgi?id=190340
3048
3049         Reviewed by Mark Lam.
3050
3051         This patch fixes the line number of syntax errors raised by the Function constructor,
3052         since we now parse the final code only once. And we no longer use block statement
3053         for Function constructor's parsing.
3054
3055         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3056         * stress/function-cache-with-parameters-end-position.js: Added.
3057         (shouldBe):
3058         (shouldThrow):
3059         (i.anonymous):
3060         * stress/function-constructor-name.js: Added.
3061         (shouldBe):
3062         (GeneratorFunction):
3063         (AsyncFunction.async):
3064         (AsyncGeneratorFunction.async):
3065         (anonymous):
3066         (async.anonymous):
3067         * test262/expectations.yaml:
3068
3069 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3070
3071         Unreviewed, rolling out r237242.
3072         https://bugs.webkit.org/show_bug.cgi?id=190701
3073
3074         it breaks "stress/sampling-profiler-basic.js" (Requested by
3075         caiolima on #webkit).
3076
3077         Reverted changeset:
3078
3079         "[BigInt] Add ValueSub into DFG"
3080         https://bugs.webkit.org/show_bug.cgi?id=186176
3081         https://trac.webkit.org/changeset/237242
3082
3083 2018-10-17  Keith Miller  <keith_miller@apple.com>
3084
3085         AI does not clear Phantom allocation nodes.
3086         https://bugs.webkit.org/show_bug.cgi?id=190694
3087
3088         Reviewed by Saam Barati.
3089
3090         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3091         (Day):
3092         (DaysInYear):
3093         (TimeInYear):
3094         (TimeFromYear):
3095         (DayFromYear):
3096         (InLeapYear):
3097         (YearFromTime):
3098         (WeekDay):
3099         (DaylightSavingTA):
3100         (GetSecondSundayInMarch):
3101         (TimeInMonth):
3102
3103 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3104
3105         [BigInt] Add ValueSub into DFG
3106         https://bugs.webkit.org/show_bug.cgi?id=186176
3107
3108         Reviewed by Yusuke Suzuki.
3109
3110         * stress/big-int-subtraction-jit.js:
3111         * stress/value-sub-big-int-prediction-propagation.js: Added.
3112         * stress/value-sub-big-int-untyped.js: Added.
3113
3114 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3115
3116         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3117         https://bugs.webkit.org/show_bug.cgi?id=190611
3118
3119         Reviewed by Saam Barati.
3120
3121         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3122         to improve test runtime. On ARM/MIPS this test even timed out when running all
3123         tests.
3124
3125         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3126         (test):
3127
3128 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3129
3130         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3131
3132         Unreviewed gardening.
3133
3134         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3135
3136 2018-10-15  Saam Barati  <sbarati@apple.com>
3137
3138         Emit fjcvtzs on ARM64E on Darwin
3139         https://bugs.webkit.org/show_bug.cgi?id=184023
3140
3141         Reviewed by Yusuke Suzuki and Filip Pizlo.
3142
3143         * stress/double-to-int32-NaN.js: Added.
3144         (assert):
3145         (foo):
3146
3147 2018-10-15  Saam Barati  <sbarati@apple.com>
3148
3149         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3150         https://bugs.webkit.org/show_bug.cgi?id=190262
3151         <rdar://problem/44986241>
3152
3153         Reviewed by Mark Lam.
3154
3155         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3156         (test):
3157         * stress/slice-array-storage-with-holes.js: Added.
3158         (main):
3159
3160 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3161
3162         Unreviewed, rolling out r237054.
3163         https://bugs.webkit.org/show_bug.cgi?id=190593
3164
3165         "this regressed JetStream 2 by 6% on iOS" (Requested by
3166         saamyjoon on #webkit).
3167
3168         Reverted changeset:
3169
3170         "[JSC] JSC should have "parseFunction" to optimize Function
3171         constructor"
3172         https://bugs.webkit.org/show_bug.cgi?id=190340
3173         https://trac.webkit.org/changeset/237054
3174
3175 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3176
3177         [JSC] JSON.stringify can accept call-with-no-arguments
3178         https://bugs.webkit.org/show_bug.cgi?id=190343
3179
3180         Reviewed by Mark Lam.
3181
3182         * stress/json-stringify-no-arguments.js: Added.
3183         (shouldBe):
3184
3185 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3186
3187         [JSC] JSC should have "parseFunction" to optimize Function constructor
3188         https://bugs.webkit.org/show_bug.cgi?id=190340
3189
3190         Reviewed by Mark Lam.
3191
3192         This patch fixes the line number of syntax errors raised by the Function constructor,
3193         since we now parse the final code only once. And we no longer use block statement
3194         for Function constructor's parsing.
3195
3196         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3197         * stress/function-cache-with-parameters-end-position.js: Added.
3198         (shouldBe):
3199         (shouldThrow):
3200         (i.anonymous):
3201         * stress/function-constructor-name.js: Added.
3202         (shouldBe):
3203         (GeneratorFunction):
3204         (AsyncFunction.async):
3205         (AsyncGeneratorFunction.async):
3206         (anonymous):
3207         (async.anonymous):
3208         * test262/expectations.yaml:
3209
3210 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3211
3212         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3213         https://bugs.webkit.org/show_bug.cgi?id=190426
3214
3215         Unreviewed gardening.
3216
3217         * stress/sampling-profiler-richards.js:
3218
3219 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3220
3221         [ESNext][BigInt] Implement support for "|"
3222         https://bugs.webkit.org/show_bug.cgi?id=186229
3223
3224         Reviewed by Yusuke Suzuki.
3225
3226         * stress/big-int-bitwise-and-jit.js:
3227         * stress/big-int-bitwise-or-general.js: Added.
3228         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3229         * stress/big-int-bitwise-or-jit.js: Added.
3230         * stress/big-int-bitwise-or-memory-stress.js: Added.
3231         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3232         * stress/big-int-bitwise-or-type-error.js: Added.
3233         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3234
3235 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3236
3237         Skip test on systems with limited memory
3238         https://bugs.webkit.org/show_bug.cgi?id=190310
3239
3240         Invoking runDefault adds test to runlist, skipping the test in the next
3241         line does not prevent the test from executing. Change order of lines such
3242         that runDefault is only executed if test is not executed.
3243
3244         Reviewed by Mark Lam.
3245
3246         * stress/regress-190187.js:
3247
3248 2018-10-03  Saam Barati  <sbarati@apple.com>
3249
3250         lowXYZ in FTLLower should always filter the type of the incoming edge
3251         https://bugs.webkit.org/show_bug.cgi?id=189939
3252         <rdar://problem/44407030>
3253
3254         Reviewed by Michael Saboff.
3255
3256         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3257         (foo):
3258         (test):
3259
3260 2018-10-03  Mark Lam  <mark.lam@apple.com>
3261
3262         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3263         https://bugs.webkit.org/show_bug.cgi?id=190187
3264         <rdar://problem/42512909>
3265
3266         Reviewed by Michael Saboff.
3267
3268         * stress/regress-190187.js: Added.
3269
3270 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3271
3272         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3273         https://bugs.webkit.org/show_bug.cgi?id=190033
3274
3275         Reviewed by Yusuke Suzuki.
3276
3277         * stress/big-int-to-string.js:
3278
3279 2018-10-01  Mark Lam  <mark.lam@apple.com>
3280
3281         Function.toString() should also copy the source code Functions that are class definitions.
3282         https://bugs.webkit.org/show_bug.cgi?id=190186
3283         <rdar://problem/44733360>
3284
3285         Reviewed by Saam Barati.
3286
3287         * stress/regress-190186.js: Added.
3288
3289 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3290
3291         Split NaN-check into separate test
3292         https://bugs.webkit.org/show_bug.cgi?id=190010
3293
3294         Reviewed by Saam Barati.
3295
3296         DataView exposes NaN-representation, which is not necessarily the same on each
3297         architecture. Therefore move the check of the NaN-representation into its own
3298         file such that we can disable this test on MIPS where NaN-representation can be
3299         different on older CPUs.
3300
3301         * stress/dataview-jit-set-nan.js: Added.
3302         (assert):
3303         (test.storeLittleEndian):
3304         (test.storeBigEndian):
3305         (test.store):
3306         (test):
3307         * stress/dataview-jit-set.js:
3308         (test5):
3309
3310 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3311
3312         Unreviewed, rolling out r236647.
3313         https://bugs.webkit.org/show_bug.cgi?id=190124
3314
3315         Breaking test stress/big-int-to-string.js (Requested by
3316         caiolima_ on #webkit).
3317
3318         Reverted changeset:
3319
3320         "[BigInt] BigInt.prototype.toString is broken when radix is
3321         power of 2"
3322         https://bugs.webkit.org/show_bug.cgi?id=190033
3323         https://trac.webkit.org/changeset/236647
3324
3325 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3326
3327         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3328         https://bugs.webkit.org/show_bug.cgi?id=190033
3329
3330         Reviewed by Yusuke Suzuki.
3331
3332         * stress/big-int-to-string.js:
3333
3334 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3335
3336         [ESNext][BigInt] Implement support for "&"
3337         https://bugs.webkit.org/show_bug.cgi?id=186228
3338
3339         Reviewed by Yusuke Suzuki.
3340
3341         * stress/big-int-bitwise-and-general.js: Added.
3342         (assert):
3343         (assert.sameValue):
3344         * stress/big-int-bitwise-and-jit.js: Added.
3345         (let.assert.sameValue):
3346         (bigIntBitAnd):
3347         * stress/big-int-bitwise-and-memory-stress.js: Added.
3348         (assert):
3349         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3350         (assert.sameValue):
3351         (let.o.Symbol.toPrimitive):
3352         (catch):
3353         * stress/big-int-bitwise-and-type-error.js: Added.
3354         (assert):
3355         (assertThrowTypeError):
3356         (let.o.valueOf):
3357         (o.valueOf):
3358         (o.toString):
3359         (o.Symbol.toPrimitive):
3360         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3361         (assert.sameValue):
3362         (testBitAnd):
3363         (let.o.Symbol.toPrimitive):
3364         (o.valueOf):
3365         (o.toString):
3366
3367 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3368
3369         JSC test stress/jsc-read.js doesn't support CRLF
3370         https://bugs.webkit.org/show_bug.cgi?id=190063
3371
3372         Reviewed by Yusuke Suzuki.
3373
3374         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3375
3376         * stress/jsc-read.js:
3377         (test):
3378
3379 2018-09-27  Saam Barati  <sbarati@apple.com>
3380
3381         Verify the contents of AssemblerBuffer on arm64e
3382         https://bugs.webkit.org/show_bug.cgi?id=190057
3383         <rdar://problem/38916630>
3384
3385         Reviewed by Mark Lam.
3386
3387         * stress/regress-189132.js:
3388
3389 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3390
3391         Disable test without LLInt on ARMv7
3392         https://bugs.webkit.org/show_bug.cgi?id=190037
3393
3394         Reviewed by Mark Lam.
3395
3396         Test runs out of executable memory on ARMv7, do not run
3397         this test without LLInt enabled.
3398
3399         * stress/regress-169445.js:
3400
3401 2018-09-26  Keith Miller  <keith_miller@apple.com>
3402
3403         We should zero unused property storage when rebalancing array storage.
3404         https://bugs.webkit.org/show_bug.cgi?id=188151
3405
3406         Reviewed by Michael Saboff.
3407
3408         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3409
3410 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3411
3412         [JSC] Optimize Array#lastIndexOf
3413         https://bugs.webkit.org/show_bug.cgi?id=189780
3414
3415         Reviewed by Saam Barati.
3416
3417         * stress/array-lastindexof-array-prototype-trap.js: Added.
3418         (shouldBe):
3419         (AncestorArray.prototype.get 2):
3420         (AncestorArray):
3421         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3422         (shouldBe):
3423         * stress/array-lastindexof-hole-nan.js: Added.
3424         (shouldBe):
3425         (throw.new.Error):
3426         * stress/array-lastindexof-infinity.js: Added.
3427         (shouldBe):
3428         (throw.new.Error):
3429         * stress/array-lastindexof-negative-zero.js: Added.
3430         (shouldBe):
3431         (throw.new.Error):
3432         * stress/array-lastindexof-own-getter.js: Added.
3433         (shouldBe):
3434         (throw.new.Error.get array):
3435         (get array):
3436         * stress/array-lastindexof-prototype-trap.js: Added.
3437         (shouldBe):
3438         (DerivedArray.prototype.get 2):
3439         (DerivedArray):
3440
3441 2018-09-25  Saam Barati  <sbarati@apple.com>
3442
3443         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3444         https://bugs.webkit.org/show_bug.cgi?id=189940
3445         <rdar://problem/43640987>
3446
3447         Reviewed by Mark Lam.
3448
3449         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3450
3451 2018-09-24  Saam Barati  <sbarati@apple.com>
3452
3453         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3454         https://bugs.webkit.org/show_bug.cgi?id=189922
3455         <rdar://problem/44651275>
3456
3457         Reviewed by Mark Lam.
3458
3459         * stress/array-indexof-fast-path-effects.js: Added.
3460         * stress/array-indexof-cached-length.js: Added.
3461
3462 2018-09-24  Saam barati  <sbarati@apple.com>
3463
3464         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3465         https://bugs.webkit.org/show_bug.cgi?id=189682
3466         <rdar://problem/43557315>
3467
3468         Reviewed by Mark Lam.
3469
3470         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3471         (foo):
3472
3473 2018-09-22  Saam barati  <sbarati@apple.com>
3474
3475         The sampling should not use Strong<CodeBlock> in its machineLocation field
3476         https://bugs.webkit.org/show_bug.cgi?id=189319
3477
3478         Reviewed by Filip Pizlo.
3479
3480         * stress/sampling-profiler-richards.js: Added.
3481
3482 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3483
3484         [JSC] Optimize Array#indexOf in C++ runtime
3485         https://bugs.webkit.org/show_bug.cgi?id=189507
3486
3487         Reviewed by Saam Barati.
3488
3489         * stress/array-indexof-array-prototype-trap.js: Added.
3490         (shouldBe):
3491         (AncestorArray.prototype.get 2):
3492         (AncestorArray):
3493         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3494         (shouldBe):
3495         * stress/array-indexof-hole-nan.js: Added.
3496         (shouldBe):
3497         (throw.new.Error):
3498         * stress/array-indexof-infinity.js: Added.
3499         (shouldBe):
3500         (throw.new.Error):
3501         * stress/array-indexof-negative-zero.js: Added.
3502         (shouldBe):
3503         (throw.new.Error):
3504         * stress/array-indexof-own-getter.js: Added.
3505         (shouldBe):
3506         (throw.new.Error.get array):
3507         (get array):
3508         * stress/array-indexof-prototype-trap.js: Added.
3509         (shouldBe):
3510         (DerivedArray.prototype.get 2):
3511         (DerivedArray):
3512
3513 2018-09-19  Saam barati  <sbarati@apple.com>
3514
3515         AI rule for MultiPutByOffset executes its effects in the wrong order
3516         https://bugs.webkit.org/show_bug.cgi?id=189757
3517         <rdar://problem/43535257>
3518
3519         Reviewed by Michael Saboff.
3520
3521         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3522         (foo):
3523         (Foo):
3524         (g):
3525
3526 2018-09-17  Mark Lam  <mark.lam@apple.com>
3527
3528         Ensure that ForInContexts are invalidated if their loop local is over-written.
3529         https://bugs.webkit.org/show_bug.cgi?id=189571
3530         <rdar://problem/44402277>
3531
3532         Reviewed by Saam Barati.
3533
3534         * stress/regress-189571.js: Added.
3535
3536 2018-09-17  Saam barati  <sbarati@apple.com>
3537
3538         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3539         https://bugs.webkit.org/show_bug.cgi?id=189676
3540         <rdar://problem/39682897>
3541
3542         Reviewed by Michael Saboff.
3543
3544         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3545         (A):
3546         (K):
3547         (i.catch):
3548
3549 2018-09-14  Saam barati  <sbarati@apple.com>
3550
3551         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3552         https://bugs.webkit.org/show_bug.cgi?id=189628
3553         <rdar://problem/39481690>
3554
3555         Reviewed by Mark Lam.
3556
3557         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3558         (foo):
3559
3560 2018-09-11  Mark Lam  <mark.lam@apple.com>
3561
3562         Test for array initialization in arrayProtoFuncSplice.
3563         https://bugs.webkit.org/show_bug.cgi?id=170253
3564         <rdar://problem/31328773>
3565
3566         Rubber-stamped by Saam Barati.
3567
3568         * stress/regress-170253.js: Added.
3569
3570 2018-09-11  Mark Lam  <mark.lam@apple.com>
3571
3572         Test for IntlObject initialization.
3573         https://bugs.webkit.org/show_bug.cgi?id=170251
3574         <rdar://problem/31328419>
3575
3576         Rubber-stamped by Saam Barati.
3577
3578         * stress/regress-170251.js: Added.
3579
3580 2018-09-11  Mark Lam  <mark.lam@apple.com>
3581
3582         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3583         https://bugs.webkit.org/show_bug.cgi?id=169889
3584         <rdar://problem/31155607>
3585
3586         Reviewed by Saam Barati.
3587
3588         * stress/regress-169889-array-concat.js: Added.
3589         * stress/regress-169889-array-concat1.js: Added.
3590         * stress/regress-169889-array-slice.js: Added.
3591
3592 2018-09-11  Mark Lam  <mark.lam@apple.com>
3593
3594         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3595         https://bugs.webkit.org/show_bug.cgi?id=169445
3596         <rdar://problem/30957435>
3597
3598         Reviewed by Saam Barati.
3599
3600         * stress/regress-169445.js: Added.
3601         (let.gun.eval.A):
3602         (let.gun.eval.B.C):
3603         (let.gun.eval.B.C.prototype.trigger):
3604         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3605         (let.gun.eval.B):
3606         (let.gun.eval):
3607
3608 == Rolled over to ChangeLog-2018-09-11 ==