[JSC] Owner of watchpoints should validate at GC finalizing phase
[WebKit-https.git] / JSTests / ChangeLog
2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Owner of watchpoints should validate at GC finalizing phase
        https://bugs.webkit.org/show_bug.cgi?id=195827

        Reviewed by Filip Pizlo.

        * stress/gc-should-reap-dead-watchpoints.js: Added.
        (foo):
        (A.prototype.y):
        (A):

2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip WebAssembly test on 32-bit systems
        https://bugs.webkit.org/show_bug.cgi?id=196206

        Reviewed by Saam Barati.

        Invoking runDefault executes test immediately even though
        that test should be skipped due to missing WASM support.
        Therefore remove runDefault.

        * wasm/regress/web-assembly-link-error-exception-check.js:

2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
        https://bugs.webkit.org/show_bug.cgi?id=196217

        Reviewed by Saam Barati.

        Re-enable all NaN tests for f32.min, f64.min and f64.max.

        * wasm/spec-tests/f32.wast.js:
        * wasm/spec-tests/f64.wast.js:
        * wasm/wasm.json:

2019-03-25  Keith Miller  <keith_miller@apple.com>

        ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
        https://bugs.webkit.org/show_bug.cgi?id=196176

        Reviewed by Saam Barati.

        * stress/object-is-fold-to-compare-eq-ptr.js: Added.
        (main.v10):
        (main):

2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: f32.max with NaN generates incorrect result
        https://bugs.webkit.org/show_bug.cgi?id=175691
        <rdar://problem/33952228>

        Reviewed by Saam Barati.

        Enable all f32.max NaN tests

        * wasm/spec-tests/f32.wast.js:
        * wasm/wasm.json:

2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>

        [JSC] Move test into directory for WASM tests
        https://bugs.webkit.org/show_bug.cgi?id=196187

        Reviewed by Mark Lam.

        Move Test into wasm-directory. Otherwise this test
        is also executed on systems without WASM support.

        * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.

2019-03-23  Mark Lam  <mark.lam@apple.com>

        Rolling out r243032 and r243071 because the fix is incorrect.
        https://bugs.webkit.org/show_bug.cgi?id=195892
        <rdar://problem/48981239>

        Not reviewed.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=196154
        <rdar://problem/49145307>

        Reviewed by Filip Pizlo.

        Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
        There's no need to run this test on more than 1 test configuration.

        * stress/typed-array-lastIndexOf-exception-check.js: Added.
        * stress/web-assembly-link-error-exception-check.js:

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in constructJSWebAssemblyLinkError().
        https://bugs.webkit.org/show_bug.cgi?id=196152
        <rdar://problem/49145257>

        Reviewed by Michael Saboff.

        * stress/web-assembly-link-error-exception-check.js: Added.

2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip tests running out of memory on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=196131

        Unreviewed. Skip test if memory is limited.

        * microbenchmarks/put-by-val-direct-large-index.js:

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
        https://bugs.webkit.org/show_bug.cgi?id=196116
        <rdar://problem/48976951>

        Reviewed by Filip Pizlo.

        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.

2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>

        JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
        https://bugs.webkit.org/show_bug.cgi?id=196078
        <rdar://problem/35925380>

        Reviewed by Mark Lam.

        Add a new benchmark that allocates several objects and invokes put_by_val_direct
        with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".

        * microbenchmarks/put-by-val-direct-large-index.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in operationArrayIndexOfString().
        https://bugs.webkit.org/show_bug.cgi?id=196067
        <rdar://problem/49056572>

        Reviewed by Michael Saboff.

        * stress/string-equal-exception-check.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
        https://bugs.webkit.org/show_bug.cgi?id=196055
        <rdar://problem/49067448>

        Reviewed by Yusuke Suzuki.

        * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.

2019-03-20  Saam Barati  <sbarati@apple.com>

        typeOfDoubleSum is wrong for when NaN can be produced
        https://bugs.webkit.org/show_bug.cgi?id=196030

        Reviewed by Filip Pizlo.

        * stress/double-add-sub-mul-can-produce-nan.js: Added.
        (assert):
        (noInline.sub):
        (noInline):
        (assert.mul):
        (assert.add):

2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Update the test to ensure OutOfMemoryError is thrown as intended
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Rubber stamped by Saam Barati.

        * stress/create-error-out-of-memory-rope-string.js:
        (assert):
        (catch):

2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>

        JSC::createError needs to check for OOM in errorDescriptionForValue
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Reviewed by Mark Lam.

        * stress/create-error-out-of-memory-rope-string.js: Added.

2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce # of iterations to avoid timing out after r242991
        https://bugs.webkit.org/show_bug.cgi?id=195791

        To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=195950

        Unreviewed, reducing the amount of memory used on this test to avoid
        OOM on devices with memory restrictions.

        * microbenchmarks/generate-multiple-llint-entrypoints.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
        https://bugs.webkit.org/show_bug.cgi?id=194648

        Reviewed by Keith Miller.

        * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Missing a ThrowScope release in JSObject::toString().
        https://bugs.webkit.org/show_bug.cgi?id=195893
        <rdar://problem/48970986>

        Reviewed by Michael Saboff.

        * stress/to-string-exception-check-release.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Structure::flattenDictionary() should clear unused property slots.
        https://bugs.webkit.org/show_bug.cgi?id=195871
        <rdar://problem/48959497>

        Reviewed by Michael Saboff.

        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

2019-03-15  Mark Lam  <mark.lam@apple.com>

        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=195827
        <rdar://problem/48845513>

        Reviewed by Filip Pizlo.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.

2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM,MIPS] Skip slow tests
        https://bugs.webkit.org/show_bug.cgi?id=195799

        Unreviewed, test does not finish on ARM and MIPS within the
        timeout limit.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
        https://bugs.webkit.org/show_bug.cgi?id=195791
        <rdar://problem/48806130>

        Reviewed by Mark Lam.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
        (foo):

2019-03-14  Saam barati  <sbarati@apple.com>

        We can't remove code after ForceOSRExit until after FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
        (foo):
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
        (foo):

2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-builder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, but it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry should respect abstract values in addition to flush formats
        https://bugs.webkit.org/show_bug.cgi?id=195653

        Reviewed by Mark Lam.

        * stress/osr-entry-locals-none.js: Added.

2019-03-12  Michael Saboff  <msaboff@apple.com>

        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
        https://bugs.webkit.org/show_bug.cgi?id=195613

        Reviewed by Mark Lam.

        New regression test.

        * stress/regexp-backref-inbounds.js: Added.
        (testRegExp):

2019-03-12  Mark Lam  <mark.lam@apple.com>

        The HasIndexedProperty node does GC.
        https://bugs.webkit.org/show_bug.cgi?id=195559
        <rdar://problem/48767923>

        Reviewed by Yusuke Suzuki.

        * stress/HasIndexedProperty-does-gc.js: Added.

2019-03-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "~" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182216

        Reviewed by Keith Miller.

        * stress/big-int-bit-not-general.js: Added.
        * stress/big-int-bitwise-not-jit.js: Added.
        * stress/big-int-bitwise-not-wrapped-value.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/bitwise-not-fixup-rules.js: Added.
        * stress/value-bit-not-ai-rule.js: Added.

2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>

        Invalid flags in a RegExp literal should be an early SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=195514

        Reviewed by Darin Adler.

        * test262/expectations.yaml:
        Mark 4 test cases as passing.

        * stress/regexp-syntax-error-invalid-flags.js:
        * stress/regress-161995.js: Removed.
        Update existing test, merging in an older test for the same behavior.

2019-03-08  Mark Lam  <mark.lam@apple.com>

        Stack overflow crash in JSC::JSObject::hasInstance.
        https://bugs.webkit.org/show_bug.cgi?id=195458
        <rdar://problem/48710195>

        Reviewed by Yusuke Suzuki.

        * stress/stack-overflow-in-custom-hasInstance.js: Added.

2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>

        op_check_tdz does not def its argument
        https://bugs.webkit.org/show_bug.cgi?id=192880
        <rdar://problem/46221598>

        Reviewed by Saam Barati.

        * microbenchmarks/let-for-in.js: Added.
        (foo):

2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=195429

        Reviewed by Saam Barati.

        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
        (foo):
        * stress/string-from-char-code-255.js: Added.

2019-03-06  Mark Lam  <mark.lam@apple.com>

        Fix incorrect handling of try-finally completion values.
        https://bugs.webkit.org/show_bug.cgi?id=195131
        <rdar://problem/46222079>

        Reviewed by Saam Barati and Yusuke Suzuki.

        Added many permutations of new test case to test-finally.js.  test-finally.js has
        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
        tests pass there as well.

        * stress/test-finally.js:

2019-03-06  Saam Barati  <sbarati@apple.com>

        Air::reportUsedRegisters must padInterference
        https://bugs.webkit.org/show_bug.cgi?id=195303
        <rdar://problem/48270343>

        Reviewed by Keith Miller.

        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.

2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI should not propagate AbstractValue relying on constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=195375

        Reviewed by Saam Barati.

        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
        (let.array):

2019-03-05  Saam barati  <sbarati@apple.com>

        op_switch_char broken for rope strings after JSRopeString layout rewrite
        https://bugs.webkit.org/show_bug.cgi?id=195339
        <rdar://problem/48592545>

        Reviewed by Yusuke Suzuki.

        * stress/switch-on-char-llint-rope.js: Added.

2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store bits for JSRopeString in 3 stores
        https://bugs.webkit.org/show_bug.cgi?id=195234

        Reviewed by Saam Barati.

        * stress/null-rope-and-collectors.js: Added.

2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195207

        Unreviewed. After test runtime was reduced in r242213, test can be
        run again on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sizeof(JSString) should be 16
        https://bugs.webkit.org/show_bug.cgi?id=194375

        Reviewed by Saam Barati.

        * microbenchmarks/make-rope.js: Added.
        (makeRope):
        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
        (returnRope.helper): Deleted.
        (returnRope): Deleted.

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
        https://bugs.webkit.org/show_bug.cgi?id=195144

        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
        Change the number from 1e8 to 1e5.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        (foo):

2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        Test times out on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195168

        Unreviewed. Skip test on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-27  Mark Lam  <mark.lam@apple.com>

        The parser is failing to record the token location of new in new.target.
        https://bugs.webkit.org/show_bug.cgi?id=195127
        <rdar://problem/39645578>

        Reviewed by Yusuke Suzuki.

        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.

2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
        https://bugs.webkit.org/show_bug.cgi?id=195144
        <rdar://problem/47595961>

        Reviewed by Mark Lam.

        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
        (bar):
        (foo):
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
        (bar):
        (foo):

2019-02-27  Robin Morisset  <rmorisset@apple.com>

        DFG: Loop-invariant code motion (LICM) should not hoist dead code
        https://bugs.webkit.org/show_bug.cgi?id=194945
        <rdar://problem/48311657>

        Reviewed by Mark Lam.

        * stress/licm-dead-code.js: Added.

2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
        https://bugs.webkit.org/show_bug.cgi?id=194677
        <rdar://problem/48112492>

        Reviewed by Mark Lam.

        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
        it immediately fails due to the large size.

        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
        OOM error anyway because JSON.stringify's builder overflows with such a large string input.

        This patch changes the test to produce 16bit string from String.fromCharCode.

        * stress/regress-178386.js:

2019-02-26  Mark Lam  <mark.lam@apple.com>

        wasmToJS() should purify incoming NaNs.
        https://bugs.webkit.org/show_bug.cgi?id=194807
        <rdar://problem/48189132>

        Reviewed by Saam Barati.

        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.

2019-02-26  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Repeat string created from Array.prototype.join() take too much memory
        https://bugs.webkit.org/show_bug.cgi?id=193912

        Reviewed by Saam Barati.

        Added a test and a microbenchmark for corner cases of
        Array.prototype.join() with an uninitialized array.

        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
        * stress/array-prototype-join-uninitialized.js: Added.
        (testArray):
        (testABC):
        (B):
        (C):

2019-02-22  Robin Morisset  <rmorisset@apple.com>

        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
        https://bugs.webkit.org/show_bug.cgi?id=194953
        <rdar://problem/47595253>

        Reviewed by Saam Barati.

        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

        * stress/has-indexed-property-with-worsening-array-mode.js: Added.

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        Do not skip test since crash with sampling profiler is now fixed.

        * stress/sampling-profiler-richards.js:

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
        (getProperties):
        (getRandomProperty):
        (i.catch):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test gardening: Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194771

        Unreviewed. Do not run test without LLInt, test is running out of executable
        memory on ARM otherwise.

        * stress/tagged-template-object-collect.js:

2019-02-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip the test on platforms without sampling profiler

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler):
        (foo): Deleted.
        (test): Deleted.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        New regression test.

        * stress/regexp-unicode-within-string.js: Added.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.

2019-02-15  Robin Morisset  <rmorisset@apple.com>
        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * stress/regexp-replace-double-watchpoint.js: Added.
        (foo):

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        * stress/tail-call-many-arguments.js: Added.
        (foo):
        (bar):

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        * stress/string-from-char-code-slow-path.js: Added.
        (shouldBe):
        (testWithLength):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * stress/check-in-bounds-should-be-a-child-use.js: Added.
        (func):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
        (A):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.

        * ChakraCore.yaml:

2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test running out of executable memory
858         https://bugs.webkit.org/show_bug.cgi?id=194285
859
860         Unreviewed. Do no execute test with LLInt disabled, test runs out of
861         executable memory otherwise.
862
863         * stress/class-subclassing-function.js:
864
865 2019-02-04  Robin Morisset  <rmorisset@apple.com>
866
867         when lowering AssertNotEmpty, create the value before creating the patchpoint
868         https://bugs.webkit.org/show_bug.cgi?id=194231
869
870         Reviewed by Saam Barati.
871
872         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
873         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947).
874         So even tiny changes to this test can change the code path taken.
875
876         * stress/assert-not-empty.js: Added.
877         (foo):
878
879 2019-02-01  Mark Lam  <mark.lam@apple.com>
880
881         Remove invalid assertion in DFG's compileDoubleRep().
882         https://bugs.webkit.org/show_bug.cgi?id=194130
883         <rdar://problem/47699474>
884
885         Reviewed by Saam Barati.
886
887         * stress/constant-fold-double-rep-into-double-constant.js: Added.
888
889 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
890
891         Import latest Test262 updates.
892
893         Rubber-stamped by Keith Miller.
894
895         * test262.yaml: Deleted.
896         * test262/config.yaml:
897         * test262/expectations.yaml:
898         * test262/latest-changes-summary.txt:
899         * test262/test/:
900         * test262/test262-Revision.txt:
901
902 2019-01-30  Robin Morisset  <rmorisset@apple.com>
903
904         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
905         https://bugs.webkit.org/show_bug.cgi?id=194050
906         <rdar://problem/47595592>
907
908         Reviewed by Yusuke Suzuki.
909
910         * stress/object-keys-osr-exit.js: Added.
911         (foo):
912         (catch):
913
914 2019-01-29  Mark Lam  <mark.lam@apple.com>
915
916         ValueRecovery::recover() should purify NaN values it recovers.
917         https://bugs.webkit.org/show_bug.cgi?id=193978
918         <rdar://problem/47625488>
919
920         Reviewed by Saam Barati.
921
922         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
923
924 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
925
926         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
927         https://bugs.webkit.org/show_bug.cgi?id=193713
928
929         * stress/try-get-by-id-should-spill-registers-dfg.js:
930         (let.f.createBuiltin):
931
932 2019-01-28  Mark Lam  <mark.lam@apple.com>
933
934         ToString node actually does GC.
935         https://bugs.webkit.org/show_bug.cgi?id=193920
936         <rdar://problem/46695900>
937
938         Reviewed by Yusuke Suzuki.
939
940         * stress/dfg-to-string-on-int-does-gc.js: Added.
941         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
942         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
943
944 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
945
946         [JSC] NativeErrorConstructor should not have own IsoSubspace
947         https://bugs.webkit.org/show_bug.cgi?id=193713
948
949         Reviewed by Saam Barati.
950
951         Remove @Error use.
952
953         * stress/try-get-by-id-should-spill-registers-dfg.js:
954         (let.f.createBuiltin):
955
956 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
957
958         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
959         https://bugs.webkit.org/show_bug.cgi?id=190693
960
961         Reviewed by Michael Saboff.
962
963         * stress/regress-190693.js: Added.
964         (truth):
965         (assert):
966         (shouldThrowInvalidConstAssignment):
967         (taz):
968
969 2019-01-24  Saam Barati  <sbarati@apple.com>
970
971         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
972         https://bugs.webkit.org/show_bug.cgi?id=193751
973         <rdar://problem/47280215>
974
975         Reviewed by Michael Saboff.
976
977         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
978         (let.thing):
979         (foo.let.hello):
980         (foo):
981
982 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
983
984         [JSC] Reenable baseline JIT on mips
985         https://bugs.webkit.org/show_bug.cgi?id=192983
986
987         Reviewed by Mark Lam.
988
989         Added a new test for a case that was triggering a RELEASE_ASSERT when
990         testing.
991         Disable some slow tests that were already disabled for arm and x86.
992
993         * stress/json-parse-big-object.js: Added.
994         * stress/new-largeish-contiguous-array-with-size.js:
995         * stress/op_add.js:
996         * stress/op_bitand.js:
997         * stress/op_bitor.js:
998         * stress/op_bitxor.js:
999         * stress/op_lshift-ConstVar.js:
1000         * stress/op_lshift-VarConst.js:
1001         * stress/op_lshift-VarVar.js:
1002         * stress/op_mod-ConstVar.js:
1003         * stress/op_mod-VarConst.js:
1004         * stress/op_mod-VarVar.js:
1005         * stress/op_mul-ConstVar.js:
1006         * stress/op_mul-VarConst.js:
1007         * stress/op_mul-VarVar.js:
1008         * stress/op_rshift-ConstVar.js:
1009         * stress/op_rshift-VarConst.js:
1010         * stress/op_rshift-VarVar.js:
1011         * stress/op_sub-ConstVar.js:
1012         * stress/op_sub-VarConst.js:
1013         * stress/op_sub-VarVar.js:
1014         * stress/op_urshift-ConstVar.js:
1015         * stress/op_urshift-VarConst.js:
1016         * stress/op_urshift-VarVar.js:
1017         * stress/sampling-profiler-richards.js:
1018         * stress/spread-forward-call-varargs-stack-overflow.js:
1019
1020 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1021
1022         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1023         https://bugs.webkit.org/show_bug.cgi?id=193711
1024         <rdar://problem/47250262>
1025
1026         Reviewed by Saam Barati.
1027
1028         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1029         (shouldBe):
1030         (foo):
1031         (bar):
1032         (baz):
1033
1034 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1035
1036         Unreviewed, fix initial global lexical binding epoch
1037         https://bugs.webkit.org/show_bug.cgi?id=193603
1038         <rdar://problem/47380869>
1039
1040         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1041         (f1.f2.f3.f4):
1042         (f1.f2.f3):
1043         (f1.f2):
1044         (f1):
1045
1046 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1047
1048         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1049         https://bugs.webkit.org/show_bug.cgi?id=193709
1050         <rdar://problem/47363838>
1051
1052         Unreviewed, rollout to watch the tests.
1053
1054         * stress/object-tostring-changed-proto.js: Removed.
1055         * stress/object-tostring-changed.js: Removed.
1056         * stress/object-tostring-misc.js: Removed.
1057         * stress/object-tostring-other.js: Removed.
1058         * stress/object-tostring-untyped.js: Removed.
1059
1060 2019-01-22  Saam Barati  <sbarati@apple.com>
1061
1062         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1063
1064         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1065         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1066         (testUncheckedLessThanZero):
1067         (testUncheckedLessThanOrEqualZero):
1068         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1069         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1070
1071 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1072
1073         [JSC] Invalidate old scope operations using global lexical binding epoch
1074         https://bugs.webkit.org/show_bug.cgi?id=193603
1075         <rdar://problem/47380869>
1076
1077         Reviewed by Saam Barati.
1078
1079         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1080         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1081         (shouldThrow):
1082         (bar):
1083         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1084         (shouldBe):
1085         (get1):
1086         (get2):
1087         (get1If):
1088         (get2If):
1089         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1090         (shouldThrow):
1091         (foo):
1092
1093 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1094
1095         Unreviewed, roll out r240220 due to date-format-xparb regression
1096         https://bugs.webkit.org/show_bug.cgi?id=193603
1097
1098         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1099         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1100         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1101         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1102
1103 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1104
1105         DoesGC rule is wrong for nodes with BigIntUse
1106         https://bugs.webkit.org/show_bug.cgi?id=193652
1107
1108         Reviewed by Saam Barati.
1109
1110         * stress/big-int-value-op-update-gc-rules.js: Added.
1111         (assert):
1112         (doesGCAdd):
1113         (doesGCSub):
1114         (doesGCDiv):
1115         (doesGCMul):
1116         (doesGCBitAnd):
1117         (doesGCBitOr):
1118         (doesGCBitXor):
1119
1120 2019-01-20  Saam Barati  <sbarati@apple.com>
1121
1122         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1123         https://bugs.webkit.org/show_bug.cgi?id=193644
1124         <rdar://problem/46209745>
1125
1126         Reviewed by Yusuke Suzuki.
1127
1128         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1129         (foo):
1130         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1131         (foo):
1132         (bar):
1133
1134 2019-01-20  Saam Barati  <sbarati@apple.com>
1135
1136         MovHint must merge NodeBytecodeUsesAsValue for its child
1137         https://bugs.webkit.org/show_bug.cgi?id=186916
1138         <rdar://problem/41396612>
1139
1140         Reviewed by Yusuke Suzuki.
1141
1142         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1143         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1144
1145 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1146
1147         [JSC] Invalidate old scope operations using global lexical binding epoch
1148         https://bugs.webkit.org/show_bug.cgi?id=193603
1149         <rdar://problem/47380869>
1150
1151         Reviewed by Saam Barati.
1152
1153         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1154         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1155         (shouldThrow):
1156         (bar):
1157         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1158         (shouldBe):
1159         (get1):
1160         (get2):
1161         (get1If):
1162         (get2If):
1163         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1164         (shouldThrow):
1165         (foo):
1166
1167 2019-01-17  Saam barati  <sbarati@apple.com>
1168
1169         StringObjectUse should not be a structure check for the original string object structure
1170         https://bugs.webkit.org/show_bug.cgi?id=193483
1171         <rdar://problem/47280522>
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1176         (foo):
1177         (a.valueOf.0):
1178
1179 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1180
1181         [JSC] ToThis omission in DFGByteCodeParser is wrong
1182         https://bugs.webkit.org/show_bug.cgi?id=193513
1183         <rdar://problem/45842236>
1184
1185         Reviewed by Saam Barati.
1186
1187         * stress/to-this-omission-with-different-strict-modes.js: Added.
1188         (thisA):
1189         (thisAStrictWrapper):
1190
1191 2019-01-15  Mark Lam  <mark.lam@apple.com>
1192
1193         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1194         https://bugs.webkit.org/show_bug.cgi?id=193423
1195         <rdar://problem/46209355>
1196
1197         Reviewed by Saam Barati.
1198
1199         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1200         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1201         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1202         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1203
1204 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1205
1206         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1207         https://bugs.webkit.org/show_bug.cgi?id=193438
1208         <rdar://problem/45581249>
1209
1210         Reviewed by Saam Barati and Keith Miller.
1211
1212         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1213         Then, GetByVal(String) crashed.
1214
1215         * stress/string-get-by-val-lowering.js: Added.
1216         (shouldBe):
1217         (test):
1218         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1219         (Hello):
1220         (foo):
1221
1222 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1223
1224         Unreviewed, skip JIT tests if it's not enabled
1225
1226         * stress/bit-op-with-object-returning-int32.js:
1227
1228 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1229
1230         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1231         https://bugs.webkit.org/show_bug.cgi?id=192966
1232
1233         Reviewed by Yusuke Suzuki.
1234
1235         * stress/bit-op-with-object-returning-int32.js: Added.
1236
1237 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1238
1239         Skip a slow test and a flakey test on arm
1240
1241         Unreviewed gardening.
1242
1243         * typeProfiler/getter-richards.js:
1244         this test always times out, it used to be always skipped on arm and
1245         mips, but got accidentally enabled by r237919 now that we have DFG on
1246         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1247
1248 2019-01-14  Keith Miller  <keith_miller@apple.com>
1249
1250         Skip type-check-hoisting-phase-hoist... with no jit
1251         https://bugs.webkit.org/show_bug.cgi?id=193421
1252
1253         Reviewed by Mark Lam.
1254
1255         It's timing out the 32-bit bots and takes 330 seconds
1256         on my machine when run by itself.
1257
1258         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1259
1260 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1261
1262         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1263         https://bugs.webkit.org/show_bug.cgi?id=193413
1264         <rdar://problem/46092389>
1265
1266         Reviewed by Keith Miller.
1267
1268         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1269         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1270         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1271         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1272
1273         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1274         (compareArray):
1275
1276 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1277
1278         [BigInt] Literal parsing is crashing when used inside a Object Literal
1279         https://bugs.webkit.org/show_bug.cgi?id=193404
1280
1281         Reviewed by Yusuke Suzuki.
1282
1283         * stress/big-int-literal-inside-literal-object.js: Added.
1284
1285 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1286
1287         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1288         https://bugs.webkit.org/show_bug.cgi?id=193372
1289
1290         Reviewed by Saam Barati.
1291
1292         * stress/typed-array-array-modes-profile.js: Added.
1293         (foo):
1294
1295 2019-01-14  Mark Lam  <mark.lam@apple.com>
1296
1297         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1298         https://bugs.webkit.org/show_bug.cgi?id=193402
1299         <rdar://problem/46012309>
1300
1301         Reviewed by Keith Miller.
1302
1303         * stress/regexp-compile-oom.js:
1304         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1305           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1306
1307 2019-01-11  Saam barati  <sbarati@apple.com>
1308
1309         DFG combined liveness can be wrong for terminal basic blocks
1310         https://bugs.webkit.org/show_bug.cgi?id=193304
1311         <rdar://problem/45268632>
1312
1313         Reviewed by Yusuke Suzuki.
1314
1315         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1316
1317 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1318
1319         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1320         https://bugs.webkit.org/show_bug.cgi?id=193308
1321         <rdar://problem/45546542>
1322
1323         Reviewed by Saam Barati.
1324
1325         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1326         (shouldThrow):
1327         (shouldBe):
1328         (foo):
1329         (get shouldThrow):
1330         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1331         (shouldThrow):
1332         (shouldBe):
1333         (foo):
1334         (get shouldBe):
1335         (get shouldThrow):
1336         (get return):
1337         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1338         (shouldThrow):
1339         (shouldBe):
1340         (foo):
1341         (get shouldBe):
1342         (get shouldThrow):
1343         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1344         (shouldThrow):
1345         (shouldBe):
1346         (foo):
1347         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1348         (shouldThrow):
1349         (shouldBe):
1350         (foo):
1351         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1352         (shouldThrow):
1353         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1354         (shouldThrow):
1355         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1356         (shouldThrow):
1357         (shouldBe):
1358         (foo):
1359         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1360         (shouldThrow):
1361         (shouldBe):
1362         (foo):
1363         (get shouldBe):
1364         (get shouldThrow):
1365         (get return):
1366         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1367         (shouldThrow):
1368         (shouldBe):
1369         (foo):
1370         (get shouldBe):
1371         (get shouldThrow):
1372         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1373         (shouldThrow):
1374         (shouldBe):
1375         (foo):
1376         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1377         (shouldThrow):
1378         (shouldBe):
1379         (foo):
1380
1381 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1382
1383         Enable DFG on ARM/Linux again
1384         https://bugs.webkit.org/show_bug.cgi?id=192496
1385
1386         Reviewed by Yusuke Suzuki.
1387
1388         Test wasn't really skipped before moving the line with skip
1389         to the top.
1390
1391         * stress/regress-192717.js:
1392
1393 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1394
1395         Unreviewed, rolling out r239825.
1396         https://bugs.webkit.org/show_bug.cgi?id=193330
1397
1398         Broke tests on armv7/linux bots (Requested by guijemont on
1399         #webkit).
1400
1401         Reverted changeset:
1402
1403         "Enable DFG on ARM/Linux again"
1404         https://bugs.webkit.org/show_bug.cgi?id=192496
1405         https://trac.webkit.org/changeset/239825
1406
1407 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1408
1409         Enable DFG on ARM/Linux again
1410         https://bugs.webkit.org/show_bug.cgi?id=192496
1411
1412         Reviewed by Yusuke Suzuki.
1413
1414         Test wasn't really skipped before moving the line with skip
1415         to the top.
1416
1417         * stress/regress-192717.js:
1418
1419 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1420
1421         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1422         https://bugs.webkit.org/show_bug.cgi?id=193127
1423
1424         Reviewed by Saam Barati.
1425
1426         * stress/array-species-create-should-handle-masquerader.js: Added.
1427         (shouldThrow):
1428         * stress/is-undefined-or-null-builtin.js: Added.
1429         (shouldBe):
1430         (isUndefinedOrNull.vm.createBuiltin):
1431
1432 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1433
1434         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1435         https://bugs.webkit.org/show_bug.cgi?id=193221
1436
1437         Reviewed by Mark Lam.
1438
1439         * stress/put-by-id-flags.js: Added.
1440         (f):
1441         (g):
1442         (numberOfDFGCompiles):
1443
1444 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1445
1446         Baseline version of get_by_id may corrupt metadata
1447         https://bugs.webkit.org/show_bug.cgi?id=193085
1448         <rdar://problem/23453006>
1449
1450         Reviewed by Saam Barati.
1451
1452         * stress/get-by-id-change-mode.js: Added.
1453         (forEach):
1454
1455 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1456
1457         [JSC] Optimize Object.prototype.toString
1458         https://bugs.webkit.org/show_bug.cgi?id=193031
1459
1460         Reviewed by Saam Barati.
1461
1462         * stress/object-tostring-changed-proto.js: Added.
1463         (shouldBe):
1464         (test):
1465         * stress/object-tostring-changed.js: Added.
1466         (shouldBe):
1467         (test):
1468         * stress/object-tostring-misc.js: Added.
1469         (shouldBe):
1470         (test):
1471         (i.switch):
1472         * stress/object-tostring-other.js: Added.
1473         (shouldBe):
1474         (test):
1475         * stress/object-tostring-untyped.js: Added.
1476         (shouldBe):
1477         (test):
1478         (i.switch):
1479
1480 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1481
1482         test262-runner misbehaves when test file YAML has a trailing space
1483         https://bugs.webkit.org/show_bug.cgi?id=193053
1484
1485         Reviewed by Yusuke Suzuki.
1486
1487         * test262/expectations.yaml:
1488         Mark two dozen tests as passing (and correct the output of another).
1489
1490 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1491
1492         Unreviewed, JSTests gardening with memoryLimited
1493
1494         * stress/string-overflow-createError.js:
1495
1496 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1497
1498         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1499         https://bugs.webkit.org/show_bug.cgi?id=193050
1500
1501         Reviewed by Yusuke Suzuki.
1502
1503         * test262.yaml:
1504         * test262/expectations.yaml:
1505         Mark 16 tests as passing.
1506
1507 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1508
1509         [BigInt] Support BigInt in JSON.stringify
1510         https://bugs.webkit.org/show_bug.cgi?id=192624
1511
1512         Reviewed by Saam Barati.
1513
1514         * stress/big-int-json-stringify-to-json.js: Added.
1515         (shouldBe):
1516         (shouldThrow):
1517         (BigInt.prototype.toJSON):
1518         (shouldBe.JSON.stringify):
1519         * stress/big-int-json-stringify.js: Added.
1520         (shouldBe):
1521         (shouldThrow):
1522
1523 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1524
1525         [JSC] Implement "well-formed JSON.stringify" proposal
1526         https://bugs.webkit.org/show_bug.cgi?id=191677
1527
1528         Reviewed by Darin Adler.
1529
1530         * stress/json-surrogate-pair.js: Added.
1531         (shouldBe):
1532         * test262/expectations.yaml:
1533
1534 2018-12-20  Keith Miller  <keith_miller@apple.com>
1535
1536         Add support for globalThis
1537         https://bugs.webkit.org/show_bug.cgi?id=165171
1538
1539         Reviewed by Mark Lam.
1540
1541         * test262/config.yaml:
1542
1543 2018-12-19  Keith Miller  <keith_miller@apple.com>
1544
1545         Update test262 configuration to not run tests dependent on ICU version.
1546         https://bugs.webkit.org/show_bug.cgi?id=192920
1547
1548         Reviewed by Saam Barati.
1549
1550         * test262/expectations.yaml:
1551
1552 2018-12-20  Mark Lam  <mark.lam@apple.com>
1553
1554         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1555         https://bugs.webkit.org/show_bug.cgi?id=192939
1556         <rdar://problem/46869516>
1557
1558         Reviewed by Keith Miller.
1559
1560         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1561
1562 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1563
1564         WTF::String and StringImpl overflow MaxLength
1565         https://bugs.webkit.org/show_bug.cgi?id=192853
1566         <rdar://problem/45726906>
1567
1568         Reviewed by Mark Lam.
1569
1570         * stress/string-16bit-repeat-overflow.js: Added.
1571         (catch):
1572
1573 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1574
1575         Unreviewed follow-up to r192914.
1576
1577         * test262/expectations.yaml:
1578         Add the last 20 missing expectations.
1579
1580 2018-12-19  Keith Miller  <keith_miller@apple.com>
1581
1582         Fix test262 expectations
1583         https://bugs.webkit.org/show_bug.cgi?id=192914
1584
1585         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1586
1587         * test262/expectations.yaml:
1588
1589 2018-12-19  Keith Miller  <keith_miller@apple.com>
1590
1591         Update test262 tests.
1592         https://bugs.webkit.org/show_bug.cgi?id=192907
1593
1594         Rubber stamped by Mark Lam.
1595
1596         * test262/*: Omitted because prepare-changelog crashes.
1597
1598 2018-12-19  Mark Lam  <mark.lam@apple.com>
1599
1600         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1601         https://bugs.webkit.org/show_bug.cgi?id=192464
1602         <rdar://problem/46519455>
1603
1604         Reviewed by Saam Barati.
1605
1606         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1607         microbenchmark.
1608
1609         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1610         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1611
1612 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1613
1614         String overflow in JSC::createError results in ASSERT in WTF::makeString
1615         https://bugs.webkit.org/show_bug.cgi?id=192833
1616         <rdar://problem/45706868>
1617
1618         Reviewed by Mark Lam.
1619
1620         * stress/string-overflow-createError.js: Added.
1621
1622 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1623
1624         Error message for `-x ** y` contains a typo.
1625         https://bugs.webkit.org/show_bug.cgi?id=192832
1626
1627         Reviewed by Saam Barati.
1628
1629         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1630         (assert.assert.return.throws):
1631         * stress/pow-expects-update-expression-on-lhs.js:
1632         (throw.new.Error):
1633         Update test expectations which match against the exact error message.
1634
1635 2018-12-18  Mark Lam  <mark.lam@apple.com>
1636
1637         Gardening: test options fix.
1638         https://bugs.webkit.org/show_bug.cgi?id=192822
1639
1640         Unreviewed.
1641
1642         * stress/json-stringify-string-builder-overflow.js:
1643
1644 2018-12-18  Mark Lam  <mark.lam@apple.com>
1645
1646         JSON.stringify() should throw OOM on StringBuilder overflows.
1647         https://bugs.webkit.org/show_bug.cgi?id=192822
1648         <rdar://problem/46670577>
1649
1650         Reviewed by Saam Barati.
1651
1652         * stress/json-stringify-string-builder-overflow.js: Added.
1653
1654 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1655
1656         Redeclaration of var over let/const/class should be a syntax error.
1657         https://bugs.webkit.org/show_bug.cgi?id=192298
1658
1659         Reviewed by Keith Miller.
1660
1661         * test262.yaml:
1662         * test262/expectations.yaml:
1663         Mark 46 tests as passing.
1664
1665         * stress/block-scope-redeclarations.js:
1666         Add some new tests.
1667
1668         * stress/for-in-invalidate-context-weird-assignments.js:
1669         * stress/for-in-tests.js:
1670         Replace tests for outdated behavior with tests for SyntaxError.
1671
1672         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1673         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1674         Update expectations.
1675
1676 2018-12-18  Mark Lam  <mark.lam@apple.com>
1677
1678         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1679         https://bugs.webkit.org/show_bug.cgi?id=191374
1680         <rdar://problem/46525447>
1681
1682         Reviewed by Yusuke Suzuki.
1683
1684         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1685
1686         * stress/elidable-new-object-roflcopter-then-exit.js:
1687
1688 2018-12-17  Mark Lam  <mark.lam@apple.com>
1689
1690         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1691         https://bugs.webkit.org/show_bug.cgi?id=192019
1692         <rdar://problem/46525456>
1693
1694         Reviewed by Yusuke Suzuki.
1695
1696         The test runs too slow on 32-bit.
1697
1698         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1699
1700 2018-12-17  Mark Lam  <mark.lam@apple.com>
1701
1702         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1703         https://bugs.webkit.org/show_bug.cgi?id=191373
1704         <rdar://problem/46525458>
1705
1706         Reviewed by Yusuke Suzuki.
1707
1708         The test is already slow running with a JIT on 64-bit.  It will always timeout
1709         on 32-bit without a JIT.
1710
1711         * stress/materialize-regexp-cyclic-regexp.js:
1712
1713 2018-12-17  Mark Lam  <mark.lam@apple.com>
1714
1715         Array unshift/shift should not race against the AI in the compiler thread.
1716         https://bugs.webkit.org/show_bug.cgi?id=192795
1717         <rdar://problem/46724263>
1718
1719         Reviewed by Saam Barati.
1720
1721         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1722
1723 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1724
1725         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1726         https://bugs.webkit.org/show_bug.cgi?id=190047
1727
1728         Reviewed by Saam Barati.
1729
1730         * stress/object-keys-cached-zero.js: Added.
1731         (shouldBe):
1732         (test):
1733         * stress/object-keys-changed-attribute.js: Added.
1734         (shouldBe):
1735         (test):
1736         * stress/object-keys-changed-index.js: Added.
1737         (shouldBe):
1738         (test):
1739         * stress/object-keys-changed.js: Added.
1740         (shouldBe):
1741         (test):
1742         * stress/object-keys-indexed-non-cache.js: Added.
1743         (shouldBe):
1744         (test):
1745         * stress/object-keys-overrides-get-property-names.js: Added.
1746         (shouldBe):
1747         (test):
1748         (noInline):
1749
1750 2018-12-17  Mark Lam  <mark.lam@apple.com>
1751
1752         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1753         https://bugs.webkit.org/show_bug.cgi?id=192779
1754         <rdar://problem/46775869>
1755
1756         Reviewed by Saam Barati.
1757
1758         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1759
1760 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1761
1762         Unreviewed test gardening, address a syntax error in a new test.
1763
1764         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1765
1766 2018-12-17  Mark Lam  <mark.lam@apple.com>
1767
1768         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1769         https://bugs.webkit.org/show_bug.cgi?id=192776
1770         <rdar://problem/46772368>
1771
1772         Reviewed by Keith Miller.
1773
1774         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1775
1776 2018-12-17  Mark Lam  <mark.lam@apple.com>
1777
1778         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1779         https://bugs.webkit.org/show_bug.cgi?id=192770
1780         <rdar://problem/46449037>
1781
1782         Reviewed by Keith Miller.
1783
1784         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1785
1786 2018-12-14  Mark Lam  <mark.lam@apple.com>
1787
1788         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1789         https://bugs.webkit.org/show_bug.cgi?id=192717
1790         <rdar://problem/46660677>
1791
1792         Reviewed by Saam Barati.
1793
1794         * stress/regress-192717.js: Added.
1795
1796 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1797
1798         Unreviewed, rolling out r239153, r239154, and r239155.
1799         https://bugs.webkit.org/show_bug.cgi?id=192715
1800
1801         Caused flaky GC-related crashes seen with layout tests
1802         (Requested by ryanhaddad on #webkit).
1803
1804         Reverted changesets:
1805
1806         "[JSC] Optimize Object.keys by caching own keys results in
1807         StructureRareData"
1808         https://bugs.webkit.org/show_bug.cgi?id=190047
1809         https://trac.webkit.org/changeset/239153
1810
1811         "Unreviewed, build fix after r239153"
1812         https://bugs.webkit.org/show_bug.cgi?id=190047
1813         https://trac.webkit.org/changeset/239154
1814
1815         "Unreviewed, build fix after r239153, part 2"
1816         https://bugs.webkit.org/show_bug.cgi?id=190047
1817         https://trac.webkit.org/changeset/239155
1818
1819 2018-12-14  Keith Miller  <keith_miller@apple.com>
1820
1821         Callers of JSString::getIndex should check for OOM exceptions
1822         https://bugs.webkit.org/show_bug.cgi?id=192709
1823
1824         Reviewed by Mark Lam.
1825
1826         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1827
1828 2018-12-13  Mark Lam  <mark.lam@apple.com>
1829
1830         Add a missing exception check.
1831         https://bugs.webkit.org/show_bug.cgi?id=192626
1832         <rdar://problem/46662163>
1833
1834         Reviewed by Keith Miller.
1835
1836         * stress/regress-192626.js: Added.
1837
1838 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1839
1840         [BigInt] Add ValueDiv into DFG
1841         https://bugs.webkit.org/show_bug.cgi?id=186178
1842
1843         Reviewed by Yusuke Suzuki.
1844
1845         * stress/big-int-div-jit-osr.js: Added.
1846         * stress/big-int-div-jit-untyped.js: Added.
1847         * stress/value-div-fixup-int32-big-int.js: Added.
1848
1849 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1850
1851         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1852         https://bugs.webkit.org/show_bug.cgi?id=190047
1853
1854         Reviewed by Keith Miller.
1855
1856         * stress/object-keys-cached-zero.js: Added.
1857         (shouldBe):
1858         (test):
1859         * stress/object-keys-changed-attribute.js: Added.
1860         (shouldBe):
1861         (test):
1862         * stress/object-keys-changed-index.js: Added.
1863         (shouldBe):
1864         (test):
1865         * stress/object-keys-changed.js: Added.
1866         (shouldBe):
1867         (test):
1868         * stress/object-keys-indexed-non-cache.js: Added.
1869         (shouldBe):
1870         (test):
1871         * stress/object-keys-overrides-get-property-names.js: Added.
1872         (shouldBe):
1873         (test):
1874         (noInline):
1875
1876 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1877
1878         [DFG][FTL] Add NewSymbol
1879         https://bugs.webkit.org/show_bug.cgi?id=192620
1880
1881         Reviewed by Saam Barati.
1882
1883         * microbenchmarks/symbol-creation.js: Added.
1884         (test):
1885         * stress/symbol-description-identity.js: Added.
1886         (shouldBe):
1887         (test):
1888         * stress/symbol-identity.js: Added.
1889         (shouldBe):
1890         (test):
1891         * stress/symbol-with-description-throw-error.js: Added.
1892         (shouldBe):
1893         (shouldThrow):
1894         (test):
1895         (object.toString):
1896
1897 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1898
1899         [BigInt] Implement DFG/FTL typeof for BigInt
1900         https://bugs.webkit.org/show_bug.cgi?id=192619
1901
1902         Reviewed by Keith Miller.
1903
1904         * stress/big-int-boolean-proven-type.js: Added.
1905         (assert):
1906         (bool):
1907         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1908         (assert):
1909         (typeOf):
1910         (i.switch):
1911         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1912         (assert):
1913         (typeOf):
1914         * stress/big-int-type-of.js:
1915         (typeOf):
1916         (func):
1917
1918 2018-12-10  Mark Lam  <mark.lam@apple.com>
1919
1920         PropertyAttribute needs a CustomValue bit.
1921         https://bugs.webkit.org/show_bug.cgi?id=191993
1922         <rdar://problem/46264467>
1923
1924         Reviewed by Saam Barati.
1925
1926         * stress/regress-191993.js: Added.
1927
1928 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1929
1930         [BigInt] Add ValueMul into DFG
1931         https://bugs.webkit.org/show_bug.cgi?id=186175
1932
1933         Reviewed by Yusuke Suzuki.
1934
1935         * stress/big-int-mul-jit-osr.js: Added.
1936         * stress/big-int-mul-jit-untyped.js: Added.
1937         * stress/value-mul-fixup-int32-big-int.js: Added.
1938
1939 2018-12-06  Keith Miller  <keith_miller@apple.com>
1940
1941         stress/big-wasm-memory tests failing on 32-bit JSC bot
1942         https://bugs.webkit.org/show_bug.cgi?id=192020
1943
1944         Reviewed by Saam Barati.
1945
1946         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1947         the wasm stress tests if the WebAssembly object does not exist.
1948
1949         * stress/big-wasm-memory-grow-no-max.js:
1950         (test.foo):
1951         (test):
1952         (foo): Deleted.
1953         (catch): Deleted.
1954         * stress/big-wasm-memory-grow.js:
1955         (test.foo):
1956         (test):
1957         (foo): Deleted.
1958         (catch): Deleted.
1959         * stress/big-wasm-memory.js:
1960         (test.foo):
1961         (test):
1962         (foo): Deleted.
1963         (catch): Deleted.
1964
1965 2018-12-05  Mark Lam  <mark.lam@apple.com>
1966
1967         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1968         https://bugs.webkit.org/show_bug.cgi?id=192441
1969         <rdar://problem/46480355>
1970
1971         Reviewed by Saam Barati.
1972
1973         * stress/regress-192441.js: Added.
1974
1975 2018-12-04  Mark Lam  <mark.lam@apple.com>
1976
1977         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1978         https://bugs.webkit.org/show_bug.cgi?id=192386
1979         <rdar://problem/46445516>
1980
1981         Reviewed by Saam Barati.
1982
1983         * stress/regress-192386.js: Added.
1984
1985 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1986
1987         [ESNext][BigInt] Support logic operations
1988         https://bugs.webkit.org/show_bug.cgi?id=179903
1989
1990         Reviewed by Yusuke Suzuki.
1991
1992         * stress/big-int-branch-usage.js: Added.
1993         * stress/big-int-logical-and.js: Added.
1994         * stress/big-int-logical-not.js: Added.
1995         * stress/big-int-logical-or.js: Added.
1996
1997 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1998
1999         Unreviewed, rolling out r238833.
2000
2001         Breaks macOS and iOS debug builds.
2002
2003         Reverted changeset:
2004
2005         "[ESNext][BigInt] Support logic operations"
2006         https://bugs.webkit.org/show_bug.cgi?id=179903
2007         https://trac.webkit.org/changeset/238833
2008
2009 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2010
2011         [ESNext][BigInt] Support logic operations
2012         https://bugs.webkit.org/show_bug.cgi?id=179903
2013
2014         Reviewed by Yusuke Suzuki.
2015
2016         * stress/big-int-branch-usage.js: Added.
2017         * stress/big-int-logical-and.js: Added.
2018         * stress/big-int-logical-not.js: Added.
2019         * stress/big-int-logical-or.js: Added.
2020
2021 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2022
2023         [ESNext][BigInt] Implement support for "<<" and ">>"
2024         https://bugs.webkit.org/show_bug.cgi?id=186233
2025
2026         Reviewed by Yusuke Suzuki.
2027
2028         * stress/big-int-left-shift-general.js: Added.
2029         * stress/big-int-left-shift-range-error.js: Added.
2030         * stress/big-int-left-shift-type-error.js: Added.
2031         * stress/big-int-left-shift-wrapped-value.js: Added.
2032         * stress/big-int-right-shift-general.js: Added.
2033         * stress/big-int-right-shift-type-error.js: Added.
2034         * stress/big-int-right-shift-wrapped-value.js: Added.
2035         * stress/left-shift-to-primitive-precedence.js: Added.
2036         * stress/right-shift-to-primitive-precedence.js: Added.
2037
2038 2018-11-30  Dean Jackson  <dino@apple.com>
2039
2040         Add first-class support for .mjs files in jsc binary
2041         https://bugs.webkit.org/show_bug.cgi?id=192190
2042         <rdar://problem/46375715>
2043
2044         Reviewed by Keith Miller.
2045
2046         * stress/simple-module.mjs: Added.
2047         * stress/simple-script.js: Added.
2048
2049 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2050
2051         [BigInt] Implement ValueBitXor into DFG
2052         https://bugs.webkit.org/show_bug.cgi?id=190264
2053
2054         Reviewed by Yusuke Suzuki.
2055
2056         * stress/big-int-bitwise-xor-jit.js: Added.
2057         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2058         * stress/big-int-bitwise-xor-untyped.js: Added.
2059
2060 2018-11-27  Saam barati  <sbarati@apple.com>
2061
2062         r238510 broke scopes of size zero
2063         https://bugs.webkit.org/show_bug.cgi?id=192033
2064         <rdar://problem/46281734>
2065
2066         Reviewed by Keith Miller.
2067
2068         * stress/r238510-bad-loop.js: Added.
2069         (foo):
2070
2071 2018-11-27  Mark Lam  <mark.lam@apple.com>
2072
2073         [Re-landing] NaNs read from Wasm code need to be purified.
2074         https://bugs.webkit.org/show_bug.cgi?id=191056
2075         <rdar://problem/45660341>
2076
2077         Reviewed by Filip Pizlo.
2078
2079         * wasm/regress/regress-191056.js: Added.
2080
2081 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2082
2083         Unreviewed, rolling out r238509.
2084
2085         Causes JSC tests to fail on iOS.
2086
2087         Reverted changeset:
2088
2089         "NaNs read from Wasm code need to be purified."
2090         https://bugs.webkit.org/show_bug.cgi?id=191056
2091         https://trac.webkit.org/changeset/238509
2092
2093 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2094
2095         Re-introduce op_bitnot
2096         https://bugs.webkit.org/show_bug.cgi?id=190923
2097
2098         Reviewed by Yusuke Suzuki.
2099
2100         * stress/bit-not-must-generate.js: Added.
2101         * stress/bitwise-not-no-int32.js: Added.
2102
2103 2018-11-26  Saam barati  <sbarati@apple.com>
2104
2105         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2106         https://bugs.webkit.org/show_bug.cgi?id=191956
2107         <rdar://problem/45665806>
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2112         (bar):
2113         (foo):
2114
2115 2018-11-26  Saam barati  <sbarati@apple.com>
2116
2117         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2118         https://bugs.webkit.org/show_bug.cgi?id=191958
2119         <rdar://problem/46221877>
2120
2121         Reviewed by Yusuke Suzuki.
2122
2123         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2124         (x):
2125         (foo):
2126
2127 2018-11-26  Mark Lam  <mark.lam@apple.com>
2128
2129         NaNs read from Wasm code need to be purified.
2130         https://bugs.webkit.org/show_bug.cgi?id=191056
2131         <rdar://problem/45660341>
2132
2133         Reviewed by Filip Pizlo.
2134
2135         * wasm/regress/regress-191056.js: Added.
2136
2137 2018-11-26  Michael Saboff  <msaboff@apple.com>
2138
2139         32-bit JSC test failure: stress/regexp-compile-oom.js
2140         https://bugs.webkit.org/show_bug.cgi?id=191375
2141
2142         Reviewed by Mark Lam.
2143
2144         Disabled the test for 32 bit platforms.
2145
2146         * stress/regexp-compile-oom.js:
2147
2148 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2149
2150         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2151         https://bugs.webkit.org/show_bug.cgi?id=191716
2152         <rdar://problem/45723878>
2153
2154         Reviewed by Saam Barati.
2155
2156         * stress/regress-187373.js: Added.
2157         (async.fn):
2158
2159 2018-11-21  Saam barati  <sbarati@apple.com>
2160
2161         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2162         https://bugs.webkit.org/show_bug.cgi?id=191897
2163         <rdar://problem/45871998>
2164
2165         Reviewed by Mark Lam.
2166
2167         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2168         (bar):
2169         (foo):
2170
2171 2018-11-21  Saam barati  <sbarati@apple.com>
2172
2173         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2174         https://bugs.webkit.org/show_bug.cgi?id=191895
2175         <rdar://problem/46167406>
2176
2177         Reviewed by Mark Lam.
2178
2179         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2180         (foo):
2181         (bar):
2182
2183 2018-11-21  Mark Lam  <mark.lam@apple.com>
2184
2185         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2186         https://bugs.webkit.org/show_bug.cgi?id=191776
2187         <rdar://problem/46152851>
2188
2189         Reviewed by Saam Barati.
2190
2191         * stress/big-wasm-memory-grow-no-max.js:
2192         * stress/big-wasm-memory-grow.js:
2193         * stress/big-wasm-memory.js:
2194         - updated these to expect an OutOfMemoryError.
2195
2196         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2197         (Binary.prototype.emit_u8):
2198         (Binary.prototype.emit_u32v):
2199         (Binary.prototype.emit_header):
2200         (Binary.prototype.emit_section):
2201         (Binary):
2202         (WasmModuleBuilder):
2203         (WasmModuleBuilder.prototype.addMemory):
2204         (WasmModuleBuilder.prototype.toArray):
2205         (WasmModuleBuilder.prototype.toBuffer):
2206         (WasmModuleBuilder.prototype.instantiate):
2207         (catch):
2208         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2209         (catch):
2210
2211 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2212
2213         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2214         https://bugs.webkit.org/show_bug.cgi?id=190836
2215
2216         Reviewed by Saam Barati and Yusuke Suzuki.
2217
2218         * stress/big-int-out-of-memory-tests.js: Added.
2219
2220 2018-11-20  Mark Lam  <mark.lam@apple.com>
2221
2222         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2223         https://bugs.webkit.org/show_bug.cgi?id=191856
2224         <rdar://problem/46089992>
2225
2226         Reviewed by Yusuke Suzuki.
2227
2228         * stress/regress-191856.js: Added.
2229         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2230
2231 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2232
2233         Enable JIT on ARM/Linux
2234         https://bugs.webkit.org/show_bug.cgi?id=191548
2235
2236         Reviewed by Yusuke Suzuki.
2237
2238         Disable test on system with limited memory. Program was killed by
2239         the OS before the exception was thrown.
2240
2241         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2242
2243 2018-11-20  Saam barati  <sbarati@apple.com>
2244
2245         Merging an IC variant may lead to the IC status containing overlapping structure sets
2246         https://bugs.webkit.org/show_bug.cgi?id=191869
2247         <rdar://problem/45403453>
2248
2249         Reviewed by Mark Lam.
2250
2251         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2252
2253 2018-11-19  Mark Lam  <mark.lam@apple.com>
2254
2255         globalFuncImportModule() should return a promise when it clears exceptions.
2256         https://bugs.webkit.org/show_bug.cgi?id=191792
2257         <rdar://problem/46090763>
2258
2259         Reviewed by Michael Saboff.
2260
2261         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2262
2263 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2264
2265         Skip new memory-hungry tests on memory limited devices
2266
2267         Unreviewed gardening.
2268
2269         * stress/big-wasm-memory-grow-no-max.js:
2270         * stress/big-wasm-memory-grow.js:
2271         * stress/big-wasm-memory.js:
2272
2273 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2274
2275         Unreviewed, rolling in the rest of r237254
2276         https://bugs.webkit.org/show_bug.cgi?id=190340
2277
2278         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2279         * stress/function-cache-with-parameters-end-position.js: Added.
2280         (shouldBe):
2281         (shouldThrow):
2282         (i.anonymous):
2283         * stress/function-constructor-name.js: Added.
2284         (shouldBe):
2285         (GeneratorFunction):
2286         (AsyncFunction.async):
2287         (AsyncGeneratorFunction.async):
2288         (anonymous):
2289         (async.anonymous):
2290         * test262/expectations.yaml:
2291
2292 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2293
2294         All users of ArrayBuffer should agree on the same max size
2295         https://bugs.webkit.org/show_bug.cgi?id=191771
2296
2297         Reviewed by Mark Lam.
2298
2299         * stress/big-wasm-memory-grow-no-max.js: Added.
2300         (foo):
2301         (catch):
2302         * stress/big-wasm-memory-grow.js: Added.
2303         (foo):
2304         (catch):
2305         * stress/big-wasm-memory.js: Added.
2306         (foo):
2307         (catch):
2308
2309 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2310
2311         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2312         run for each JSC config since they're regression tests for runtime bugs.
2313
2314         * stress/json-stringified-overflow-2.js:
2315         * stress/json-stringified-overflow.js:
2316
2317 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2318
2319         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2320         config since they're regression tests for runtime bugs.
2321
2322         * stress/large-unshift-splice.js:
2323         * stress/regress-185888.js:
2324
2325 2018-11-16  Saam Barati  <sbarati@apple.com>
2326
2327         KnownCellUse should also have SpecCellCheck as its type filter
2328         https://bugs.webkit.org/show_bug.cgi?id=191729
2329         <rdar://problem/45872852>
2330
2331         Reviewed by Filip Pizlo.
2332
2333         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2334         (C):
2335
2336 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2337
2338         Fix assertion failure on BytecodeGenerator::recordOpcode
2339         https://bugs.webkit.org/show_bug.cgi?id=191724
2340         <rdar://problem/45724395>
2341
2342         Reviewed by Saam Barati.
2343
2344         * stress/regress-187373-2.js: Added.
2345         (foo):
2346
2347 2018-11-15  Mark Lam  <mark.lam@apple.com>
2348
2349         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2350         https://bugs.webkit.org/show_bug.cgi?id=191730
2351         <rdar://problem/46048517>
2352
2353         Reviewed by Saam Barati.
2354
2355         * stress/regress-187006.js: Removed.
2356           - this test is invalid because its sole purpose is to test for the non-spec
2357             compliant behavior that we just fixed.
2358
2359         * stress/regress-191730.js: Added.
2360
2361 2018-11-15  Mark Lam  <mark.lam@apple.com>
2362
2363         RegExp operations should not take fast path if lastIndex is not numeric.
2364         https://bugs.webkit.org/show_bug.cgi?id=191731
2365         <rdar://problem/46017305>
2366
2367         Reviewed by Saam Barati.
2368
2369         * stress/regress-191731.js: Added.
2370
2371 2018-11-13  Saam Barati  <sbarati@apple.com>
2372
2373         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2374         https://bugs.webkit.org/show_bug.cgi?id=191600
2375
2376         Reviewed by Mark Lam.
2377
2378         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2379         (foo):
2380         (test):
2381         (bar):
2382
2383 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2384
2385         Unreviewed, rolling out r238132.
2386
2387         The test added with this change is timing out on Debug JSC
2388         bots.
2389
2390         Reverted changeset:
2391
2392         "[BigInt] JSBigInt::createWithLength should throw when length
2393         is greater than JSBigInt::maxLength"
2394         https://bugs.webkit.org/show_bug.cgi?id=190836
2395         https://trac.webkit.org/changeset/238132
2396
2397 2018-11-13  Mark Lam  <mark.lam@apple.com>
2398
2399         Add OOM detection to StringPrototype's substituteBackreferences().
2400         https://bugs.webkit.org/show_bug.cgi?id=191563
2401         <rdar://problem/45720428>
2402
2403         Reviewed by Saam Barati.
2404
2405         * stress/regress-191563.js: Added.
2406
2407 2018-11-13  Mark Lam  <mark.lam@apple.com>
2408
2409         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2410         https://bugs.webkit.org/show_bug.cgi?id=191579
2411         <rdar://problem/45942472>
2412
2413         Reviewed by Saam Barati.
2414
2415         * stress/regress-191579.js: Added.
2416
2417 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2418
2419         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2420         https://bugs.webkit.org/show_bug.cgi?id=190836
2421
2422         Reviewed by Saam Barati.
2423
2424         * stress/big-int-out-of-memory-tests.js: Added.
2425
2426 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2427
2428         U+180E is no longer a whitespace character
2429         https://bugs.webkit.org/show_bug.cgi?id=191415
2430
2431         Reviewed by Saam Barati.
2432
2433         * ChakraCore/test/es5/regexSpace.baseline:
2434         * ChakraCore/test/es6/unicode_whitespace.js:
2435         Update tests to latest version.
2436         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2437
2438         * test262.yaml:
2439         * test262/config.yaml:
2440         * test262/expectations.yaml:
2441         Update expectations.
2442
2443 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2444
2445         [BigInt] Add support to BigInt into ValueAdd
2446         https://bugs.webkit.org/show_bug.cgi?id=186177
2447
2448         Reviewed by Keith Miller.
2449
2450         * stress/big-int-negate-jit.js:
2451         * stress/value-add-big-int-and-string.js: Added.
2452         * stress/value-add-big-int-prediction-propagation.js: Added.
2453         * stress/value-add-big-int-untyped.js: Added.
2454
2455 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2456
2457         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2458         https://bugs.webkit.org/show_bug.cgi?id=191184
2459
2460         Reviewed by Saam Barati.
2461
2462         Most tests were failing due to timeouts, since they are too slow to
2463         run on CLoop. The exceptions are:
2464
2465         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2466         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2467         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2468         to change the stack size since CLoop requires it to be page aligned.
2469
2470         * microbenchmarks/array-push-1.js:
2471         * microbenchmarks/array-push-2.js:
2472         * microbenchmarks/elidable-new-object-dag.js:
2473         * microbenchmarks/elidable-new-object-roflcopter.js:
2474         * microbenchmarks/elidable-new-object-tree.js:
2475         * microbenchmarks/getter-richards.js:
2476         * microbenchmarks/sinkable-new-object-dag.js:
2477         * microbenchmarks/string-concat-long-convert.js:
2478         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2479         * slowMicrobenchmarks/array-push-3.js:
2480         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2481         * slowMicrobenchmarks/spread-small-array.js:
2482         * slowMicrobenchmarks/undefined-property-access.js:
2483         * stress/activation-sink-default-value-tdz-error.js:
2484         * stress/activation-sink-default-value.js:
2485         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2486         * stress/activation-sink-osrexit-default-value.js:
2487         * stress/activation-sink-osrexit.js:
2488         * stress/activation-sink.js:
2489         * stress/allow-math-ic-b3-code-duplication.js:
2490         * stress/array-push-multiple-int32.js:
2491         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2492         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2493         * stress/arrowfunction-lexical-this-activation-sink.js:
2494         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2495         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2496         * stress/elide-new-object-dag-then-exit.js:
2497         * stress/materialize-regexp-cyclic.js:
2498         * stress/new-regex-inline.js:
2499         * stress/op_add.js:
2500         * stress/op_bitand.js:
2501         * stress/op_bitor.js:
2502         * stress/op_bitxor.js:
2503         * stress/op_div-ConstVar.js:
2504         * stress/op_div-VarConst.js:
2505         * stress/op_div-VarVar.js:
2506         * stress/op_lshift-ConstVar.js:
2507         * stress/op_lshift-VarConst.js:
2508         * stress/op_lshift-VarVar.js:
2509         * stress/op_mod-ConstVar.js:
2510         * stress/op_mod-VarConst.js:
2511         * stress/op_mod-VarVar.js:
2512         * stress/op_mul-ConstVar.js:
2513         * stress/op_mul-VarConst.js:
2514         * stress/op_mul-VarVar.js:
2515         * stress/op_rshift-ConstVar.js:
2516         * stress/op_rshift-VarConst.js:
2517         * stress/op_rshift-VarVar.js:
2518         * stress/op_sub-ConstVar.js:
2519         * stress/op_sub-VarConst.js:
2520         * stress/op_sub-VarVar.js:
2521         * stress/op_urshift-ConstVar.js:
2522         * stress/op_urshift-VarConst.js:
2523         * stress/op_urshift-VarVar.js:
2524         * stress/proxy-get-set-correct-receiver.js:
2525         * stress/regress-179562.js:
2526         * stress/rest-parameter-many-arguments.js:
2527         * stress/sampling-profiler-richards.js:
2528         * stress/splay-flash-access-1ms.js:
2529         * stress/tailCallForwardArguments.js:
2530         * stress/typed-array-get-by-val-profiling.js:
2531         * typeProfiler/getter-richards.js:
2532
2533 2018-11-06  Michael Saboff  <msaboff@apple.com>
2534
2535         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2536         https://bugs.webkit.org/show_bug.cgi?id=191271
2537
2538         Reviewed by Saam Barati.
2539
2540         Added more test cases and made all test cases run with the same deeply recursive stack
2541         instead of finding that same point for each test case.
2542
2543         * stress/regexp-compile-oom.js:
2544         (prototype.runTest):
2545         (recurseAndTest):
2546         (testList.push.new.TestAndExpectedException):
2547
2548 2018-11-05  Michael Saboff  <msaboff@apple.com>
2549
2550         Unreviewed build fix for linux.
2551
2552         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2553
2554 2018-11-02  Michael Saboff  <msaboff@apple.com>
2555
2556         Rolling in r237753 with unreviewed build fix.
2557
2558         Fixed issues with DECLARE_THROW_SCOPE placement.
2559
2560 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2561
2562         Unreviewed, rolling out r237753.
2563
2564         Introduced JSC test failures
2565
2566         Reverted changeset:
2567
2568         "Running out of stack space not properly handled in
2569         RegExp::compile() and its callers"
2570         https://bugs.webkit.org/show_bug.cgi?id=191206
2571         https://trac.webkit.org/changeset/237753
2572
2573 2018-11-02  Michael Saboff  <msaboff@apple.com>
2574
2575         Running out of stack space not properly handled in RegExp::compile() and its callers
2576         https://bugs.webkit.org/show_bug.cgi?id=191206
2577
2578         Reviewed by Filip Pizlo.
2579
2580         New regression test.
2581
2582         * stress/regexp-compile-oom.js: Added.
2583         (recurseAndTest):
2584
2585 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2586
2587         Skip tests on arm/mips that time out now we're running on CLoop
2588
2589         Unreviewed gardening.
2590
2591         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2592         time out on the bots and need to be disabled. There are more tests
2593         disabled on arm because the timeout is longer on the mips bot (as the
2594         device is slower to start with), so many of the tests don't time out
2595         there.
2596
2597         * microbenchmarks/getter-richards.js: disable on arm and mips.
2598         * stress/op_add.js: disable on arm.
2599         * stress/op_bitand.js: disable on arm.
2600         * stress/op_bitor.js: disable on arm.
2601         * stress/op_bitxor.js: disable on arm.
2602         * stress/op_lshift-ConstVar.js: disable on arm.
2603         * stress/op_lshift-VarConst.js: disable on arm.
2604         * stress/op_lshift-VarVar.js: disable on arm.
2605         * stress/op_mod-ConstVar.js: disable on arm.
2606         * stress/op_mod-VarConst.js: disable on arm.
2607         * stress/op_mod-VarVar.js: disable on arm.
2608         * stress/op_mul-ConstVar.js: disable on arm.
2609         * stress/op_mul-VarConst.js: disable on arm.
2610         * stress/op_mul-VarVar.js: disable on arm.
2611         * stress/op_rshift-ConstVar.js: disable on arm.
2612         * stress/op_rshift-VarConst.js: disable on arm.
2613         * stress/op_rshift-VarVar.js: disable on arm.
2614         * stress/op_sub-ConstVar.js: disable on arm.
2615         * stress/op_sub-VarConst.js: disable on arm.
2616         * stress/op_sub-VarVar.js: disable on arm.
2617         * stress/op_urshift-ConstVar.js: disable on arm.
2618         * stress/op_urshift-VarConst.js: disable on arm.
2619         * stress/op_urshift-VarVar.js: disable on arm.
2620         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2621         * stress/value-to-boolean.js: disable on arm and mips.
2622
2623 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2624
2625         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2626         https://bugs.webkit.org/show_bug.cgi?id=191108
2627         <rdar://problem/45690700>
2628
2629         Reviewed by Saam Barati.
2630
2631         * stress/wide-op_catch.js: Added.
2632         (catch):
2633
2634 2018-10-29  Mark Lam  <mark.lam@apple.com>
2635
2636         Correctly detect string overflow when using the 'Function' constructor.
2637         https://bugs.webkit.org/show_bug.cgi?id=184883
2638         <rdar://problem/36320331>
2639
2640         Reviewed by Saam Barati.
2641
2642         I've verified that this passes on 32-bit as well.
2643
2644         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2645
2646 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2647
2648         Add support for GetStack FlushedDouble
2649         https://bugs.webkit.org/show_bug.cgi?id=191012
2650         <rdar://problem/45265141>
2651
2652         Reviewed by Saam Barati.
2653
2654         * stress/get-stack-double.js: Added.
2655         (bar):
2656         (noInline):
2657
2658 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2659
2660         New bytecode format for JSC
2661         https://bugs.webkit.org/show_bug.cgi?id=187373
2662         <rdar://problem/44186758>
2663
2664         Reviewed by Filip Pizlo.
2665
2666         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2667
2668         * stress/maximum-inline-capacity.js: Added.
2669         (test1):
2670         (test3.Foo):
2671         (test3):
2672
2673 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2674
2675         Unreviewed, rolling out r237479 and r237484.
2676         https://bugs.webkit.org/show_bug.cgi?id=190978
2677
2678         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2679
2680         Reverted changesets:
2681
2682         "New bytecode format for JSC"
2683         https://bugs.webkit.org/show_bug.cgi?id=187373
2684         https://trac.webkit.org/changeset/237479
2685
2686         "Gardening: Build fix after r237479."
2687         https://bugs.webkit.org/show_bug.cgi?id=187373
2688         https://trac.webkit.org/changeset/237484
2689
2690 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2691
2692         New bytecode format for JSC
2693         https://bugs.webkit.org/show_bug.cgi?id=187373
2694         <rdar://problem/44186758>
2695
2696         Reviewed by Filip Pizlo.
2697
2698         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2699
2700         * stress/maximum-inline-capacity.js: Added.
2701         (test1):
2702         (test3.Foo):
2703         (test3):
2704
2705 2018-10-26  Mark Lam  <mark.lam@apple.com>
2706
2707         Fix missing edge cases with JSGlobalObjects having a bad time.
2708         https://bugs.webkit.org/show_bug.cgi?id=189028
2709         <rdar://problem/45204939>
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/regress-189028.js: Added.
2714
2715 2018-10-22  Mark Lam  <mark.lam@apple.com>
2716
2717         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2718         https://bugs.webkit.org/show_bug.cgi?id=190515
2719         <rdar://problem/45222379>
2720
2721         Rubber-stamped by Saam Barati.
2722
2723         Adding another test.
2724
2725         * stress/regress-190515-2.js: Added.
2726
2727 2018-10-22  Mark Lam  <mark.lam@apple.com>
2728
2729         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2730         https://bugs.webkit.org/show_bug.cgi?id=190515
2731         <rdar://problem/45222379>
2732
2733         Reviewed by Saam Barati.
2734
2735         * stress/regress-190515.js: Added.
2736
2737 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2738
2739         Unreviewed, rolling out r237254.
2740         https://bugs.webkit.org/show_bug.cgi?id=190760
2741
2742         "It regresses JetStream 2 by 5% on some iOS devices"
2743         (Requested by saamyjoon on #webkit).
2744
2745         Reverted changeset:
2746
2747         "[JSC] JSC should have "parseFunction" to optimize Function
2748         constructor"
2749         https://bugs.webkit.org/show_bug.cgi?id=190340
2750         https://trac.webkit.org/changeset/237254
2751
2752 2018-10-19  Saam Barati  <sbarati@apple.com>
2753
2754         vmCall should check if we exit before emitting an OSR exit due to exceptions
2755         https://bugs.webkit.org/show_bug.cgi?id=190740
2756         <rdar://problem/45220139>
2757
2758         Reviewed by Mark Lam.
2759
2760         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2761         (foo):
2762
2763 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2764
2765         [ESNext][BigInt] Implement support for "^"
2766         https://bugs.webkit.org/show_bug.cgi?id=186235
2767
2768         Reviewed by Yusuke Suzuki.
2769
2770         * stress/big-int-bitwise-xor-general.js: Added.
2771         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2772         * stress/big-int-bitwise-xor-type-error.js: Added.
2773         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2774
2775 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2776
2777         [BigInt] Add ValueSub into DFG
2778         https://bugs.webkit.org/show_bug.cgi?id=186176
2779
2780         Reviewed by Yusuke Suzuki.
2781
2782         * stress/big-int-subtraction-jit.js:
2783         * stress/value-sub-big-int-prediction-propagation.js: Added.
2784         * stress/value-sub-big-int-untyped.js: Added.
2785         * stress/value-sub-spec-none-case.js: Added.
2786
2787 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2788
2789         [JSC] JSC should have "parseFunction" to optimize Function constructor
2790         https://bugs.webkit.org/show_bug.cgi?id=190340
2791
2792         Reviewed by Mark Lam.
2793
2794         This patch fixes the line number of syntax errors raised by the Function constructor,
2795         since we now parse the final code only once. And we no longer use block statement
2796         for Function constructor's parsing.
2797
2798         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2799         * stress/function-cache-with-parameters-end-position.js: Added.
2800         (shouldBe):
2801         (shouldThrow):
2802         (i.anonymous):
2803         * stress/function-constructor-name.js: Added.
2804         (shouldBe):
2805         (GeneratorFunction):
2806         (AsyncFunction.async):
2807         (AsyncGeneratorFunction.async):
2808         (anonymous):
2809         (async.anonymous):
2810         * test262/expectations.yaml:
2811
2812 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2813
2814         Unreviewed, rolling out r237242.
2815         https://bugs.webkit.org/show_bug.cgi?id=190701
2816
2817         it breaks "stress/sampling-profiler-basic.js" (Requested by
2818         caiolima on #webkit).
2819
2820         Reverted changeset:
2821
2822         "[BigInt] Add ValueSub into DFG"
2823         https://bugs.webkit.org/show_bug.cgi?id=186176
2824         https://trac.webkit.org/changeset/237242
2825
2826 2018-10-17  Keith Miller  <keith_miller@apple.com>
2827
2828         AI does not clear Phantom allocation nodes.
2829         https://bugs.webkit.org/show_bug.cgi?id=190694
2830
2831         Reviewed by Saam Barati.
2832
2833         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2834         (Day):
2835         (DaysInYear):
2836         (TimeInYear):
2837         (TimeFromYear):
2838         (DayFromYear):
2839         (InLeapYear):
2840         (YearFromTime):
2841         (WeekDay):
2842         (DaylightSavingTA):
2843         (GetSecondSundayInMarch):
2844         (TimeInMonth):
2845
2846 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2847
2848         [BigInt] Add ValueSub into DFG
2849         https://bugs.webkit.org/show_bug.cgi?id=186176
2850
2851         Reviewed by Yusuke Suzuki.
2852
2853         * stress/big-int-subtraction-jit.js:
2854         * stress/value-sub-big-int-prediction-propagation.js: Added.
2855         * stress/value-sub-big-int-untyped.js: Added.
2856
2857 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2858
2859         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2860         https://bugs.webkit.org/show_bug.cgi?id=190611
2861
2862         Reviewed by Saam Barati.
2863
2864         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2865         to improve test runtime. On ARM/MIPS this test even timed out when running all
2866         tests.
2867
2868         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2869         (test):
2870
2871 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2872
2873         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2874
2875         Unreviewed gardening.
2876
2877         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2878
2879 2018-10-15  Saam barati  <sbarati@apple.com>
2880
2881         Emit fjcvtzs on ARM64E on Darwin
2882         https://bugs.webkit.org/show_bug.cgi?id=184023
2883
2884         Reviewed by Yusuke Suzuki and Filip Pizlo.
2885
2886         * stress/double-to-int32-NaN.js: Added.
2887         (assert):
2888         (foo):
2889
2890 2018-10-15  Saam Barati  <sbarati@apple.com>
2891
2892         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2893         https://bugs.webkit.org/show_bug.cgi?id=190262
2894         <rdar://problem/44986241>
2895
2896         Reviewed by Mark Lam.
2897
2898         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2899         (test):
2900         * stress/slice-array-storage-with-holes.js: Added.
2901         (main):
2902
2903 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2904
2905         Unreviewed, rolling out r237054.
2906         https://bugs.webkit.org/show_bug.cgi?id=190593
2907
2908         "this regressed JetStream 2 by 6% on iOS" (Requested by
2909         saamyjoon on #webkit).
2910
2911         Reverted changeset:
2912
2913         "[JSC] JSC should have "parseFunction" to optimize Function
2914         constructor"
2915         https://bugs.webkit.org/show_bug.cgi?id=190340
2916         https://trac.webkit.org/changeset/237054
2917
2918 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2919
2920         [JSC] JSON.stringify can accept call-with-no-arguments
2921         https://bugs.webkit.org/show_bug.cgi?id=190343
2922
2923         Reviewed by Mark Lam.
2924
2925         * stress/json-stringify-no-arguments.js: Added.
2926         (shouldBe):
2927
2928 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2929
2930         [JSC] JSC should have "parseFunction" to optimize Function constructor
2931         https://bugs.webkit.org/show_bug.cgi?id=190340
2932
2933         Reviewed by Mark Lam.
2934
2935         This patch fixes the line number of syntax errors raised by the Function constructor,
2936         since we now parse the final code only once. And we no longer use block statement
2937         for Function constructor's parsing.
2938
2939         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2940         * stress/function-cache-with-parameters-end-position.js: Added.
2941         (shouldBe):
2942         (shouldThrow):
2943         (i.anonymous):
2944         * stress/function-constructor-name.js: Added.
2945         (shouldBe):
2946         (GeneratorFunction):
2947         (AsyncFunction.async):
2948         (AsyncGeneratorFunction.async):
2949         (anonymous):
2950         (async.anonymous):
2951         * test262/expectations.yaml:
2952
2953 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2954
2955         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2956         https://bugs.webkit.org/show_bug.cgi?id=190426
2957
2958         Unreviewed gardening.
2959
2960         * stress/sampling-profiler-richards.js:
2961
2962 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2963
2964         [ESNext][BigInt] Implement support for "|"
2965         https://bugs.webkit.org/show_bug.cgi?id=186229
2966
2967         Reviewed by Yusuke Suzuki.
2968
2969         * stress/big-int-bitwise-and-jit.js:
2970         * stress/big-int-bitwise-or-general.js: Added.
2971         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2972         * stress/big-int-bitwise-or-jit.js: Added.
2973         * stress/big-int-bitwise-or-memory-stress.js: Added.
2974         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2975         * stress/big-int-bitwise-or-type-error.js: Added.
2976         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2977
2978 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2979
2980         Skip test on systems with limited memory
2981         https://bugs.webkit.org/show_bug.cgi?id=190310
2982
2983         Invoking runDefault adds test to runlist, skipping the test in the next
2984         line does not prevent the test from executing. Change order of lines such
2985         that runDefault is only executed if test is not executed.
2986
2987         Reviewed by Mark Lam.
2988
2989         * stress/regress-190187.js:
2990
2991 2018-10-03  Saam barati  <sbarati@apple.com>
2992
2993         lowXYZ in FTLLower should always filter the type of the incoming edge
2994         https://bugs.webkit.org/show_bug.cgi?id=189939
2995         <rdar://problem/44407030>
2996
2997         Reviewed by Michael Saboff.
2998
2999         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3000         (foo):
3001         (test):
3002
3003 2018-10-03  Mark Lam  <mark.lam@apple.com>
3004
3005         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3006         https://bugs.webkit.org/show_bug.cgi?id=190187
3007         <rdar://problem/42512909>
3008
3009         Reviewed by Michael Saboff.
3010
3011         * stress/regress-190187.js: Added.
3012
3013 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3014
3015         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3016         https://bugs.webkit.org/show_bug.cgi?id=190033
3017
3018         Reviewed by Yusuke Suzuki.
3019
3020         * stress/big-int-to-string.js:
3021
3022 2018-10-01  Mark Lam  <mark.lam@apple.com>
3023
3024         Function.toString() should also copy the source code Functions that are class definitions.
3025         https://bugs.webkit.org/show_bug.cgi?id=190186
3026         <rdar://problem/44733360>
3027
3028         Reviewed by Saam Barati.
3029
3030         * stress/regress-190186.js: Added.
3031
3032 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3033
3034         Split NaN-check into separate test
3035         https://bugs.webkit.org/show_bug.cgi?id=190010
3036
3037         Reviewed by Saam Barati.
3038
3039         DataView exposes NaN-representation, which is not necessarily the same on each
3040         architecture. Therefore move the check of the NaN-representation into its own
3041         file such that we can disable this test on MIPS where NaN-representation can be
3042         different on older CPUs.
3043
3044         * stress/dataview-jit-set-nan.js: Added.
3045         (assert):
3046         (test.storeLittleEndian):
3047         (test.storeBigEndian):
3048         (test.store):
3049         (test):
3050         * stress/dataview-jit-set.js:
3051         (test5):
3052
3053 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3054
3055         Unreviewed, rolling out r236647.
3056         https://bugs.webkit.org/show_bug.cgi?id=190124
3057
3058         Breaking test stress/big-int-to-string.js (Requested by
3059         caiolima_ on #webkit).
3060
3061         Reverted changeset:
3062
3063         "[BigInt] BigInt.prototype.toString is broken when radix is
3064         power of 2"
3065         https://bugs.webkit.org/show_bug.cgi?id=190033
3066         https://trac.webkit.org/changeset/236647
3067
3068 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3069
3070         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3071         https://bugs.webkit.org/show_bug.cgi?id=190033
3072
3073         Reviewed by Yusuke Suzuki.
3074
3075         * stress/big-int-to-string.js:
3076
3077 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3078
3079         [ESNext][BigInt] Implement support for "&"
3080         https://bugs.webkit.org/show_bug.cgi?id=186228
3081
3082         Reviewed by Yusuke Suzuki.
3083
3084         * stress/big-int-bitwise-and-general.js: Added.
3085         (assert):
3086         (assert.sameValue):
3087         * stress/big-int-bitwise-and-jit.js: Added.
3088         (let.assert.sameValue):
3089         (bigIntBitAnd):
3090         * stress/big-int-bitwise-and-memory-stress.js: Added.
3091         (assert):
3092         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3093         (assert.sameValue):
3094         (let.o.Symbol.toPrimitive):
3095         (catch):
3096         * stress/big-int-bitwise-and-type-error.js: Added.
3097         (assert):
3098         (assertThrowTypeError):
3099         (let.o.valueOf):
3100         (o.valueOf):
3101         (o.toString):
3102         (o.Symbol.toPrimitive):
3103         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3104         (assert.sameValue):
3105         (testBitAnd):
3106         (let.o.Symbol.toPrimitive):
3107         (o.valueOf):
3108         (o.toString):
3109
3110 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3111
3112         JSC test stress/jsc-read.js doesn't support CRLF
3113         https://bugs.webkit.org/show_bug.cgi?id=190063
3114
3115         Reviewed by Yusuke Suzuki.
3116
3117         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3118
3119         * stress/jsc-read.js:
3120         (test):
3121
3122 2018-09-27  Saam barati  <sbarati@apple.com>
3123
3124         Verify the contents of AssemblerBuffer on arm64e
3125         https://bugs.webkit.org/show_bug.cgi?id=190057
3126         <rdar://problem/38916630>
3127
3128         Reviewed by Mark Lam.
3129
3130         * stress/regress-189132.js:
3131
3132 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3133
3134         Disable test without LLInt on ARMv7
3135         https://bugs.webkit.org/show_bug.cgi?id=190037
3136
3137         Reviewed by Mark Lam.
3138
3139         Test runs out of executable memory on ARMv7, do not run
3140         this test without LLInt enabled.
3141
3142         * stress/regress-169445.js:
3143
3144 2018-09-26  Keith Miller  <keith_miller@apple.com>
3145
3146         We should zero unused property storage when rebalancing array storage.
3147         https://bugs.webkit.org/show_bug.cgi?id=188151
3148
3149         Reviewed by Michael Saboff.
3150
3151         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3152
3153 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3154
3155         [JSC] Optimize Array#lastIndexOf
3156         https://bugs.webkit.org/show_bug.cgi?id=189780
3157
3158         Reviewed by Saam Barati.
3159
3160         * stress/array-lastindexof-array-prototype-trap.js: Added.
3161         (shouldBe):
3162         (AncestorArray.prototype.get 2):
3163         (AncestorArray):
3164         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3165         (shouldBe):
3166         * stress/array-lastindexof-hole-nan.js: Added.
3167         (shouldBe):
3168         (throw.new.Error):
3169         * stress/array-lastindexof-infinity.js: Added.
3170         (shouldBe):
3171         (throw.new.Error):
3172         * stress/array-lastindexof-negative-zero.js: Added.
3173         (shouldBe):
3174         (throw.new.Error):
3175         * stress/array-lastindexof-own-getter.js: Added.
3176         (shouldBe):
3177         (throw.new.Error.get array):
3178         (get array):
3179         * stress/array-lastindexof-prototype-trap.js: Added.
3180         (shouldBe):
3181         (DerivedArray.prototype.get 2):
3182         (DerivedArray):
3183
3184 2018-09-25  Saam Barati  <sbarati@apple.com>
3185
3186         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3187         https://bugs.webkit.org/show_bug.cgi?id=189940
3188         <rdar://problem/43640987>
3189
3190         Reviewed by Mark Lam.
3191
3192         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3193
3194 2018-09-24  Saam Barati  <sbarati@apple.com>
3195
3196         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3197         https://bugs.webkit.org/show_bug.cgi?id=189922
3198         <rdar://problem/44651275>
3199
3200         Reviewed by Mark Lam.
3201
3202         * stress/array-indexof-fast-path-effects.js: Added.
3203         * stress/array-indexof-cached-length.js: Added.
3204
3205 2018-09-24  Saam barati  <sbarati@apple.com>
3206
3207         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3208         https://bugs.webkit.org/show_bug.cgi?id=189682
3209         <rdar://problem/43557315>
3210
3211         Reviewed by Mark Lam.
3212
3213         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3214         (foo):
3215
3216 2018-09-22  Saam barati  <sbarati@apple.com>
3217
3218         The sampling should not use Strong<CodeBlock> in its machineLocation field
3219         https://bugs.webkit.org/show_bug.cgi?id=189319
3220
3221         Reviewed by Filip Pizlo.
3222
3223         * stress/sampling-profiler-richards.js: Added.
3224
3225 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3226
3227         [JSC] Optimize Array#indexOf in C++ runtime
3228         https://bugs.webkit.org/show_bug.cgi?id=189507
3229
3230         Reviewed by Saam Barati.
3231
3232         * stress/array-indexof-array-prototype-trap.js: Added.
3233         (shouldBe):
3234         (AncestorArray.prototype.get 2):
3235         (AncestorArray):
3236         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3237         (shouldBe):
3238         * stress/array-indexof-hole-nan.js: Added.
3239         (shouldBe):
3240         (throw.new.Error):
3241         * stress/array-indexof-infinity.js: Added.
3242         (shouldBe):
3243         (throw.new.Error):
3244         * stress/array-indexof-negative-zero.js: Added.
3245         (shouldBe):
3246         (throw.new.Error):
3247         * stress/array-indexof-own-getter.js: Added.
3248         (shouldBe):
3249         (throw.new.Error.get array):
3250         (get array):
3251         * stress/array-indexof-prototype-trap.js: Added.
3252         (shouldBe):
3253         (DerivedArray.prototype.get 2):
3254         (DerivedArray):
3255
3256 2018-09-19  Saam barati  <sbarati@apple.com>
3257
3258         AI rule for MultiPutByOffset executes its effects in the wrong order
3259         https://bugs.webkit.org/show_bug.cgi?id=189757
3260         <rdar://problem/43535257>
3261
3262         Reviewed by Michael Saboff.
3263
3264         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3265         (foo):
3266         (Foo):
3267         (g):
3268
3269 2018-09-17  Mark Lam  <mark.lam@apple.com>
3270
3271         Ensure that ForInContexts are invalidated if their loop local is over-written.
3272         https://bugs.webkit.org/show_bug.cgi?id=189571
3273         <rdar://problem/44402277>
3274
3275         Reviewed by Saam Barati.
3276
3277         * stress/regress-189571.js: Added.
3278
3279 2018-09-17  Saam barati  <sbarati@apple.com>
3280
3281         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3282         https://bugs.webkit.org/show_bug.cgi?id=189676
3283         <rdar://problem/39682897>
3284
3285         Reviewed by Michael Saboff.
3286
3287         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3288         (A):
3289         (K):
3290         (i.catch):
3291
3292 2018-09-14  Saam barati  <sbarati@apple.com>
3293
3294         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3295         https://bugs.webkit.org/show_bug.cgi?id=189628
3296         <rdar://problem/39481690>
3297
3298         Reviewed by Mark Lam.
3299
3300         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3301         (foo):
3302
3303 2018-09-11  Mark Lam  <mark.lam@apple.com>
3304
3305         Test for array initialization in arrayProtoFuncSplice.
3306         https://bugs.webkit.org/show_bug.cgi?id=170253
3307         <rdar://problem/31328773>
3308
3309         Rubber-stamped by Saam Barati.
3310
3311         * stress/regress-170253.js: Added.
3312
3313 2018-09-11  Mark Lam  <mark.lam@apple.com>
3314
3315         Test for IntlObject initialization.
3316         https://bugs.webkit.org/show_bug.cgi?id=170251
3317         <rdar://problem/31328419>
3318
3319         Rubber-stamped by Saam Barati.
3320
3321         * stress/regress-170251.js: Added.
3322
3323 2018-09-11  Mark Lam  <mark.lam@apple.com>
3324
3325         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3326         https://bugs.webkit.org/show_bug.cgi?id=169889
3327         <rdar://problem/31155607>
3328
3329         Reviewed by Saam Barati.
3330
3331         * stress/regress-169889-array-concat.js: Added.
3332         * stress/regress-169889-array-concat1.js: Added.
3333         * stress/regress-169889-array-slice.js: Added.
3334
3335 2018-09-11  Mark Lam  <mark.lam@apple.com>
3336
3337         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3338         https://bugs.webkit.org/show_bug.cgi?id=169445
3339         <rdar://problem/30957435>
3340
3341         Reviewed by Saam Barati.
3342
3343         * stress/regress-169445.js: Added.
3344         (let.gun.eval.A):
3345         (let.gun.eval.B.C):
3346         (let.gun.eval.B.C.prototype.trigger):
3347         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3348         (let.gun.eval.B):
3349         (let.gun.eval):
3350
3351 == Rolled over to ChangeLog-2018-09-11 ==