ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2
3         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
4         https://bugs.webkit.org/show_bug.cgi?id=196708
5         <rdar://problem/49556803>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/proxy-getter-stack-overflow.js: Added.
10         (const.handler.get target):
11         (const.handler.has):
12         (try.with):
13         (catch):
14
15 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
16
17         [JSC] DFG should respect node's strict flag
18         https://bugs.webkit.org/show_bug.cgi?id=196617
19
20         Reviewed by Saam Barati.
21
22         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
23         (shouldEqual):
24         (makeUnwriteableUnconfigurableObject):
25         (runTest):
26         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
27         (shouldBe):
28         (shouldThrow):
29         (with.result):
30         (with.putValueStrict):
31         (with.putValueSloppy):
32
33 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
34
35         [JSC] isRope jump in StringSlice should not jump over register allocations
36         https://bugs.webkit.org/show_bug.cgi?id=196716
37
38         Reviewed by Saam Barati.
39
40         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
41         (foo.bar):
42         (foo):
43
44 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
45
46         [JSC] to_index_string should not assume incoming value is Uint32
47         https://bugs.webkit.org/show_bug.cgi?id=196713
48
49         Reviewed by Saam Barati.
50
51         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
52         (foo):
53
54 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
55
56         [JSC] Add more tests for r243966
57         https://bugs.webkit.org/show_bug.cgi?id=196711
58
59         Reviewed by Saam Barati.
60
61         Adding one more test for r243966 fix. The added test will not crash after r243966.
62
63         * stress/stress-cleared-calllinkinfo.js: Added.
64         (runNearStackLimit.t):
65         (runNearStackLimit):
66         (repeat):
67         (cls):
68         (let.item.of.array.runNearStackLimit):
69
70 2019-04-08  Saam Barati  <sbarati@apple.com>
71
72         WebAssembly.RuntimeError missing exception check
73         https://bugs.webkit.org/show_bug.cgi?id=196700
74         <rdar://problem/49693932>
75
76         Reviewed by Yusuke Suzuki.
77
78         * wasm/js-api/runtime-error-should-exception-check.js: Added.
79
80 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
81
82         Unreviewed, rolling in r243948 with test fix
83         https://bugs.webkit.org/show_bug.cgi?id=196486
84
85         * stress/arrow-function-and-use-strict-directive.js: Added.
86         * stress/arrow-function-syntax.js: Added.
87         (checkSyntax):
88         (checkSyntaxError):
89
90 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
91
92         Unreviewed, rolling out r243948.
93
94         Caused inspector/runtime/parse.html to fail
95
96         Reverted changeset:
97
98         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
99         https://bugs.webkit.org/show_bug.cgi?id=196486
100         https://trac.webkit.org/changeset/243948
101
102 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
103
104         Unreviewed, rolling out r243943.
105
106         Caused test262 failures.
107
108         Reverted changeset:
109
110         "[JSC] Filter DontEnum properties in
111         ProxyObject::getOwnPropertyNames()"
112         https://bugs.webkit.org/show_bug.cgi?id=176810
113         https://trac.webkit.org/changeset/243943
114
115 2019-04-07  Michael Saboff  <msaboff@apple.com>
116
117         REGRESSION (r243642): Crash in reddit.com page
118         https://bugs.webkit.org/show_bug.cgi?id=196684
119
120         Reviewed by Geoffrey Garen.
121
122         New regression test.
123
124         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
125
126 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
127
128         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
129         https://bugs.webkit.org/show_bug.cgi?id=196683
130
131         Reviewed by Saam Barati.
132
133         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
134         (foo):
135
136 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
137
138         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
139         https://bugs.webkit.org/show_bug.cgi?id=196582
140
141         Reviewed by Saam Barati.
142
143         * stress/add-overflow-check-with-three-same-registers.js: Added.
144         (foo):
145         (Number.prototype.valueOf):
146         (runWithNumber):
147
148 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
149
150         Unreviewed, rolling out r243665.
151
152         Caused iOS JSC tests to exit with an exception.
153
154         Reverted changeset:
155
156         "Assertion failed in JSC::createError"
157         https://bugs.webkit.org/show_bug.cgi?id=196305
158         https://trac.webkit.org/changeset/243665
159
160 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
161
162         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
163         https://bugs.webkit.org/show_bug.cgi?id=196486
164
165         Reviewed by Saam Barati.
166
167         * stress/arrow-function-and-use-strict-directive.js: Added.
168         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
169         (checkSyntax):
170         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
171
172 2019-04-05  Caitlin Potter  <caitp@igalia.com>
173
174         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
175         https://bugs.webkit.org/show_bug.cgi?id=176810
176
177         Reviewed by Saam Barati.
178
179         Add tests for the DontEnum filtering, and variations of other tests
180         take the DontEnum-filtering path.
181
182         * stress/proxy-own-keys.js:
183         (i.catch):
184         (set assert):
185         (set add):
186         (let.set new):
187         (get let):
188
189 2019-04-05  Caitlin Potter  <caitp@igalia.com>
190
191         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
192         https://bugs.webkit.org/show_bug.cgi?id=185211
193
194         Reviewed by Saam Barati.
195
196         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
197
198         This changes several assertions to expect a TypeError to be thrown (in some cases,
199         changing the expected message).
200
201         * es6/Proxy_ownKeys_duplicates.js:
202         (handler):
203         (shouldThrow):
204         (test):
205         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
206         (shouldThrow):
207         * stress/proxy-own-keys.js:
208         (i.catch):
209         (assert):
210
211 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
212
213         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
214         https://bugs.webkit.org/show_bug.cgi?id=196631
215
216         Reviewed by Saam Barati.
217
218         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
219         (assert):
220         (test):
221         (foo):
222
223 2019-04-04  Saam Barati  <sbarati@apple.com>
224
225         Unreviewed. Make the test from r243906 catch the thrown exceptions.
226
227         * stress/inferred-types-regex-matches-array.js:
228
229 2019-04-04  Saam Barati  <sbarati@apple.com>
230
231         createRegExpMatchesArray does not respect inferred types
232         https://bugs.webkit.org/show_bug.cgi?id=193287
233
234         Reviewed by Yusuke Suzuki.
235
236         This checks in the test case for 193287. This issue was discovered by
237         Samuel Groß of Google Project Zero.
238
239         * stress/inferred-types-regex-matches-array.js: Added.
240
241 2019-04-04  Saam barati  <sbarati@apple.com>
242
243         Teach Call ICs how to call Wasm
244         https://bugs.webkit.org/show_bug.cgi?id=196387
245
246         Reviewed by Filip Pizlo.
247
248         * wasm/function-tests/stack-trace.js:
249
250 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
251
252         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
253         https://bugs.webkit.org/show_bug.cgi?id=194944
254
255         Reviewed by Keith Miller.
256
257         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
258
259 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
260
261         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
262         https://bugs.webkit.org/show_bug.cgi?id=196409
263
264         Reviewed by Saam Barati.
265
266         * stress/bytecode-cache-cached-string-impl.js: Added.
267         (f):
268         (g):
269         * stress/bytecode-cache-run-string.js: Added.
270
271 2019-04-03  Robin Morisset  <rmorisset@apple.com>
272
273         B3 should use associativity to optimize expression trees
274         https://bugs.webkit.org/show_bug.cgi?id=194081
275
276         Reviewed by Filip Pizlo.
277
278         Added three microbenchmarks:
279         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
280         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
281           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
282         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
283
284         * microbenchmarks/add-tree.js: Added.
285         * microbenchmarks/bit-or-tree.js: Added.
286         * microbenchmarks/bit-xor-tree.js: Added.
287
288 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
289
290         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
291         https://bugs.webkit.org/show_bug.cgi?id=196574
292
293         Reviewed by Saam Barati.
294
295         * stress/string-index-of-exception-check.js: Added.
296         (blurType):
297         (1.forEach):
298
299 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
300
301         Assertion failed in JSC::createError
302         https://bugs.webkit.org/show_bug.cgi?id=196305
303         <rdar://problem/49387382>
304
305         Reviewed by Saam Barati.
306
307         * stress/create-error-out-of-memory-rope-string-2.js: Added.
308         (assert):
309         (catch):
310
311 2019-03-28  Saam Barati  <sbarati@apple.com>
312
313         BackwardsGraph needs to consider back edges as the backward's root successor
314         https://bugs.webkit.org/show_bug.cgi?id=195991
315
316         Reviewed by Filip Pizlo.
317
318         * stress/map-b3-licm-infinite-loop.js: Added.
319
320 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
321
322         CodeBlock::jettison() should disallow repatching its own calls
323         https://bugs.webkit.org/show_bug.cgi?id=196359
324         <rdar://problem/48973663>
325
326         Reviewed by Saam Barati.
327
328         * stress/call-link-info-osrexit-repatch.js: Added.
329         (foo):
330
331 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
332
333         [JSC] imports-oom.js intermittently fails
334         https://bugs.webkit.org/show_bug.cgi?id=196373
335
336         Reviewed by Saam Barati.
337
338         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
339         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
340         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
341         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
342         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
343
344         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
345         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
346
347         * wasm/lowExecutableMemory/imports-oom.js:
348
349 2019-03-27  Saam Barati  <sbarati@apple.com>
350
351         validateOSREntryValue with Int52 should box the value being checked into double format
352         https://bugs.webkit.org/show_bug.cgi?id=196313
353         <rdar://problem/49306703>
354
355         Reviewed by Yusuke Suzuki.
356
357         * stress/validate-int-52-ai-state.js: Added.
358
359 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
360
361         [JSC] Owner of watchpoints should validate at GC finalizing phase
362         https://bugs.webkit.org/show_bug.cgi?id=195827
363
364         Reviewed by Filip Pizlo.
365
366         * stress/gc-should-reap-dead-watchpoints.js: Added.
367         (foo):
368         (A.prototype.y):
369         (A):
370
371 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
372
373         Skip WebAssembly test on 32-bit systems
374         https://bugs.webkit.org/show_bug.cgi?id=196206
375
376         Reviewed by Saam Barati.
377
378         Invoking runDefault executes test immediately even though
379         that test should be skipped due to missing WASM support.
380         Therefore remove runDefault.
381
382         * wasm/regress/web-assembly-link-error-exception-check.js:
383
384 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
385
386         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
387         https://bugs.webkit.org/show_bug.cgi?id=196217
388
389         Reviewed by Saam Barati.
390
391         Re-enable all NaN tests for f32.min, f64.min and f64.max.
392
393         * wasm/spec-tests/f32.wast.js:
394         * wasm/spec-tests/f64.wast.js:
395         * wasm/wasm.json:
396
397 2019-03-25  Keith Miller  <keith_miller@apple.com>
398
399         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
400         https://bugs.webkit.org/show_bug.cgi?id=196176
401
402         Reviewed by Saam Barati.
403
404         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
405         (main.v10):
406         (main):
407
408 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
409
410         WebAssembly: f32.max with NaN generates incorrect result
411         https://bugs.webkit.org/show_bug.cgi?id=175691
412         <rdar://problem/33952228>
413
414         Reviewed by Saam Barati.
415
416         Enable all f32.max NaN tests
417
418         * wasm/spec-tests/f32.wast.js:
419         * wasm/wasm.json:
420
421 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
422
423         [JSC] Move test into directory for WASM tests
424         https://bugs.webkit.org/show_bug.cgi?id=196187
425
426         Reviewed by Mark Lam.
427
428         Move Test into wasm-directory. Otherwise this test
429         is also executed on systems without WASM support.
430
431         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
432
433 2019-03-23  Mark Lam  <mark.lam@apple.com>
434
435         Rolling out r243032 and r243071 because the fix is incorrect.
436         https://bugs.webkit.org/show_bug.cgi?id=195892
437         <rdar://problem/48981239>
438
439         Not reviewed.
440
441         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
442
443 2019-03-22  Mark Lam  <mark.lam@apple.com>
444
445         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
446         https://bugs.webkit.org/show_bug.cgi?id=196154
447         <rdar://problem/49145307>
448
449         Reviewed by Filip Pizlo.
450
451         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
452         There's no need to run this test on more than 1 test configuration.
453
454         * stress/typed-array-lastIndexOf-exception-check.js: Added.
455         * stress/web-assembly-link-error-exception-check.js:
456
457 2019-03-22  Mark Lam  <mark.lam@apple.com>
458
459         Placate exception check validation in constructJSWebAssemblyLinkError().
460         https://bugs.webkit.org/show_bug.cgi?id=196152
461         <rdar://problem/49145257>
462
463         Reviewed by Michael Saboff.
464
465         * stress/web-assembly-link-error-exception-check.js: Added.
466
467 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
468
469         Skip tests running out of memory on ARM/MIPS
470         https://bugs.webkit.org/show_bug.cgi?id=196131
471
472         Unreviewed. Skip test if memory is limited.
473
474         * microbenchmarks/put-by-val-direct-large-index.js:
475
476 2019-03-21  Mark Lam  <mark.lam@apple.com>
477
478         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
479         https://bugs.webkit.org/show_bug.cgi?id=196116
480         <rdar://problem/48976951>
481
482         Reviewed by Filip Pizlo.
483
484         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
485
486 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
487
488         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
489         https://bugs.webkit.org/show_bug.cgi?id=196078
490         <rdar://problem/35925380>
491
492         Reviewed by Mark Lam.
493
494         Add a new benchmark that allocates several objects and invokes put_by_val_direct
495         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
496
497         * microbenchmarks/put-by-val-direct-large-index.js: Added.
498
499 2019-03-21  Mark Lam  <mark.lam@apple.com>
500
501         Placate exception check validation in operationArrayIndexOfString().
502         https://bugs.webkit.org/show_bug.cgi?id=196067
503         <rdar://problem/49056572>
504
505         Reviewed by Michael Saboff.
506
507         * stress/string-equal-exception-check.js: Added.
508
509 2019-03-21  Mark Lam  <mark.lam@apple.com>
510
511         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
512         https://bugs.webkit.org/show_bug.cgi?id=196055
513         <rdar://problem/49067448>
514
515         Reviewed by Yusuke Suzuki.
516
517         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
518
519 2019-03-20  Saam Barati  <sbarati@apple.com>
520
521         typeOfDoubleSum is wrong for when NaN can be produced
522         https://bugs.webkit.org/show_bug.cgi?id=196030
523
524         Reviewed by Filip Pizlo.
525
526         * stress/double-add-sub-mul-can-produce-nan.js: Added.
527         (assert):
528         (noInline.sub):
529         (noInline):
530         (assert.mul):
531         (assert.add):
532
533 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
534
535         Update the test to ensure OutOfMemoryError is thrown as intended
536         https://bugs.webkit.org/show_bug.cgi?id=196032
537         <rdar://problem/46842740>
538
539         Rubber stamped by Saam Barati.
540
541         * stress/create-error-out-of-memory-rope-string.js:
542         (assert):
543         (catch):
544
545 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
546
547         JSC::createError needs to check for OOM in errorDescriptionForValue
548         https://bugs.webkit.org/show_bug.cgi?id=196032
549         <rdar://problem/46842740>
550
551         Reviewed by Mark Lam.
552
553         * stress/create-error-out-of-memory-rope-string.js: Added.
554
555 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
556
557         Unreviewed, reduce # of iterations to avoid timing out after r242991
558         https://bugs.webkit.org/show_bug.cgi?id=195791
559
560         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
561
562         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
563
564 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
565
566         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
567         https://bugs.webkit.org/show_bug.cgi?id=195950
568
569         Unreviewed, reducing the amount of memory used on this test to avoid
570         OOM on devices with memory restrictions.
571
572         * microbenchmarks/generate-multiple-llint-entrypoints.js:
573
574 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
575
576         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
577         https://bugs.webkit.org/show_bug.cgi?id=194648
578
579         Reviewed by Keith Miller.
580
581         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
582
583 2019-03-18  Mark Lam  <mark.lam@apple.com>
584
585         Missing a ThrowScope release in JSObject::toString().
586         https://bugs.webkit.org/show_bug.cgi?id=195893
587         <rdar://problem/48970986>
588
589         Reviewed by Michael Saboff.
590
591         * stress/to-string-exception-check-release.js: Added.
592
593 2019-03-18  Mark Lam  <mark.lam@apple.com>
594
595         Structure::flattenDictionary() should clear unused property slots.
596         https://bugs.webkit.org/show_bug.cgi?id=195871
597         <rdar://problem/48959497>
598
599         Reviewed by Michael Saboff.
600
601         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
602
603 2019-03-15  Mark Lam  <mark.lam@apple.com>
604
605         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
606         https://bugs.webkit.org/show_bug.cgi?id=195827
607         <rdar://problem/48845513>
608
609         Reviewed by Filip Pizlo.
610
611         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
612
613 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
614
615         [ARM,MIPS] Skip slow tests
616         https://bugs.webkit.org/show_bug.cgi?id=195799
617
618         Unreviewed, test does not finish on ARM and MIPS within the
619         timeout limit.
620
621         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
622
623 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
624
625         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
626         https://bugs.webkit.org/show_bug.cgi?id=195791
627         <rdar://problem/48806130>
628
629         Reviewed by Mark Lam.
630
631         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
632         (foo):
633
634 2019-03-14  Saam barati  <sbarati@apple.com>
635
636         We can't remove code after ForceOSRExit until after FixupPhase
637         https://bugs.webkit.org/show_bug.cgi?id=186916
638         <rdar://problem/41396612>
639
640         Reviewed by Yusuke Suzuki.
641
642         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
643         (foo):
644         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
645         (foo):
646
647 2019-03-13  Michael Saboff  <msaboff@apple.com>
648
649         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
650         https://bugs.webkit.org/show_bug.cgi?id=195735
651
652         Reviewed by Mark Lam.
653
654         New regression test.
655
656         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
657         (foo):
658         (bar):
659
660 2019-03-14  Saam barati  <sbarati@apple.com>
661
662         Fixup uses KnownInt32 incorrectly in some nodes
663         https://bugs.webkit.org/show_bug.cgi?id=195279
664         <rdar://problem/47915654>
665
666         Reviewed by Yusuke Suzuki.
667
668         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
669         (foo):
670
671 2019-03-14  Keith Miller  <keith_miller@apple.com>
672
673         DFG liveness can't skip tail caller inline frames
674         https://bugs.webkit.org/show_bug.cgi?id=195715
675
676         Reviewed by Saam Barati.
677
678         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
679         (i.foo):
680
681 2019-03-13  Mark Lam  <mark.lam@apple.com>
682
683         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
684         https://bugs.webkit.org/show_bug.cgi?id=195415
685
686         Not reviewed.
687
688         Changed these tests to only run the default configuration.
689         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
690         There's no strong need to run this test on that variant.
691
692         * stress/dfg-to-string-on-int-does-gc.js:
693         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
694
695 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
696
697         String overflow when using StringBuilder in JSC::createError
698         https://bugs.webkit.org/show_bug.cgi?id=194957
699
700         Reviewed by Mark Lam.
701
702         Add test string-overflow-createError-builder.js that overflows
703         StringBuilder in notAFunctionSourceAppender. The second new test
704         string-overflow-createError-fit.js has an error message that doesn't
705         overflow, it still failed since the String's capacity can't be doubled.
706         Run test string-overflow-createError.js only in the default
707         configuration to reduce memory consumption when running the test
708         in all configurations on multiple CPUs in parallel.
709
710         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
711         (catch):
712         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
713         (catch):
714         * stress/string-overflow-createError.js:
715
716 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
717
718         [JSC] OSR entry should respect abstract values in addition to flush formats
719         https://bugs.webkit.org/show_bug.cgi?id=195653
720
721         Reviewed by Mark Lam.
722
723         * stress/osr-entry-locals-none.js: Added.
724
725 2019-03-12  Michael Saboff  <msaboff@apple.com>
726
727         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
728         https://bugs.webkit.org/show_bug.cgi?id=195613
729
730         Reviewed by Mark Lam.
731
732         New regression test.
733
734         * stress/regexp-backref-inbounds.js: Added.
735         (testRegExp):
736
737 2019-03-12  Mark Lam  <mark.lam@apple.com>
738
739         The HasIndexedProperty node does GC.
740         https://bugs.webkit.org/show_bug.cgi?id=195559
741         <rdar://problem/48767923>
742
743         Reviewed by Yusuke Suzuki.
744
745         * stress/HasIndexedProperty-does-gc.js: Added.
746
747 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
748
749         [ESNext][BigInt] Implement "~" unary operation
750         https://bugs.webkit.org/show_bug.cgi?id=182216
751
752         Reviewed by Keith Miller.
753
754         * stress/big-int-bit-not-general.js: Added.
755         * stress/big-int-bitwise-not-jit.js: Added.
756         * stress/big-int-bitwise-not-wrapped-value.js: Added.
757         * stress/bit-op-with-object-returning-int32.js:
758         * stress/bitwise-not-fixup-rules.js: Added.
759         * stress/value-bit-not-ai-rule.js: Added.
760
761 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
762
763         Invalid flags in a RegExp literal should be an early SyntaxError
764         https://bugs.webkit.org/show_bug.cgi?id=195514
765
766         Reviewed by Darin Adler.
767
768         * test262/expectations.yaml:
769         Mark 4 test cases as passing.
770
771         * stress/regexp-syntax-error-invalid-flags.js:
772         * stress/regress-161995.js: Removed.
773         Update existing test, merging in an older test for the same behavior.
774
775 2019-03-08  Mark Lam  <mark.lam@apple.com>
776
777         Stack overflow crash in JSC::JSObject::hasInstance.
778         https://bugs.webkit.org/show_bug.cgi?id=195458
779         <rdar://problem/48710195>
780
781         Reviewed by Yusuke Suzuki.
782
783         * stress/stack-overflow-in-custom-hasInstance.js: Added.
784
785 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
786
787         op_check_tdz does not def its argument
788         https://bugs.webkit.org/show_bug.cgi?id=192880
789         <rdar://problem/46221598>
790
791         Reviewed by Saam Barati.
792
793         * microbenchmarks/let-for-in.js: Added.
794         (foo):
795
796 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
797
798         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
799         https://bugs.webkit.org/show_bug.cgi?id=195429
800
801         Reviewed by Saam Barati.
802
803         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
804         (foo):
805         * stress/string-from-char-code-255.js: Added.
806
807 2019-03-06  Mark Lam  <mark.lam@apple.com>
808
809         Fix incorrect handling of try-finally completion values.
810         https://bugs.webkit.org/show_bug.cgi?id=195131
811         <rdar://problem/46222079>
812
813         Reviewed by Saam Barati and Yusuke Suzuki.
814
815         Added many permutations of new test case to test-finally.js.  test-finally.js has
816         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
817         tests pass there as well.
818
819         * stress/test-finally.js:
820
821 2019-03-06  Saam Barati  <sbarati@apple.com>
822
823         Air::reportUsedRegisters must padInterference
824         https://bugs.webkit.org/show_bug.cgi?id=195303
825         <rdar://problem/48270343>
826
827         Reviewed by Keith Miller.
828
829         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
830
831 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
832
833         [JSC] AI should not propagate AbstractValue relying on constant folding phase
834         https://bugs.webkit.org/show_bug.cgi?id=195375
835
836         Reviewed by Saam Barati.
837
838         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
839         (let.array):
840
841 2019-03-05  Saam barati  <sbarati@apple.com>
842
843         op_switch_char broken for rope strings after JSRopeString layout rewrite
844         https://bugs.webkit.org/show_bug.cgi?id=195339
845         <rdar://problem/48592545>
846
847         Reviewed by Yusuke Suzuki.
848
849         * stress/switch-on-char-llint-rope.js: Added.
850
851 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
852
853         [JSC] Store bits for JSRopeString in 3 stores
854         https://bugs.webkit.org/show_bug.cgi?id=195234
855
856         Reviewed by Saam Barati.
857
858         * stress/null-rope-and-collectors.js: Added.
859
860 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
861
862         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
863         https://bugs.webkit.org/show_bug.cgi?id=195207
864
865         Unreviewed. After test runtime was reduced in r242213, test can be
866         run again on ARM/MIPS.
867
868         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
869
870 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
871
872         [JSC] sizeof(JSString) should be 16
873         https://bugs.webkit.org/show_bug.cgi?id=194375
874
875         Reviewed by Saam Barati.
876
877         * microbenchmarks/make-rope.js: Added.
878         (makeRope):
879         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
880         (returnRope.helper): Deleted.
881         (returnRope): Deleted.
882
883 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
884
885         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
886         https://bugs.webkit.org/show_bug.cgi?id=195144
887
888         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
889         Change the number from 1e8 to 1e5.
890
891         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
892         (foo):
893
894 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
895
896         Test times out on ARM/MIPS
897         https://bugs.webkit.org/show_bug.cgi?id=195168
898
899         Unreviewed. Skip test on ARM/MIPS.
900
901         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
902
903 2019-02-27  Mark Lam  <mark.lam@apple.com>
904
905         The parser is failing to record the token location of new in new.target.
906         https://bugs.webkit.org/show_bug.cgi?id=195127
907         <rdar://problem/39645578>
908
909         Reviewed by Yusuke Suzuki.
910
911         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
912
913 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
914
915         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
916         https://bugs.webkit.org/show_bug.cgi?id=195144
917         <rdar://problem/47595961>
918
919         Reviewed by Mark Lam.
920
921         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
922         (bar):
923         (foo):
924         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
925         (bar):
926         (foo):
927
928 2019-02-27  Robin Morisset  <rmorisset@apple.com>
929
930         DFG: Loop-invariant code motion (LICM) should not hoist dead code
931         https://bugs.webkit.org/show_bug.cgi?id=194945
932         <rdar://problem/48311657>
933
934         Reviewed by Mark Lam.
935
936         * stress/licm-dead-code.js: Added.
937
938 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
939
940         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
941         https://bugs.webkit.org/show_bug.cgi?id=194677
942         <rdar://problem/48112492>
943
944         Reviewed by Mark Lam.
945
946         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
947         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
948         it immediately fails due to the large size.
949
950         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
951         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
952         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
953         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
954
955         This patch changes the test to produce 16bit string from String.fromCharCode.
956
957         * stress/regress-178386.js:
958
959 2019-02-26  Mark Lam  <mark.lam@apple.com>
960
961         wasmToJS() should purify incoming NaNs.
962         https://bugs.webkit.org/show_bug.cgi?id=194807
963         <rdar://problem/48189132>
964
965         Reviewed by Saam Barati.
966
967         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
968
969 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
970
971         [JSC] Repeat string created from Array.prototype.join() take too much memory
972         https://bugs.webkit.org/show_bug.cgi?id=193912
973
974         Reviewed by Saam Barati.
975
976         Added a test and a microbenchmark for corner cases of
977         Array.prototype.join() with an uninitialized array.
978
979         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
980         * stress/array-prototype-join-uninitialized.js: Added.
981         (testArray):
982         (testABC):
983         (B):
984         (C):
985
986 2019-02-22  Robin Morisset  <rmorisset@apple.com>
987
988         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
989         https://bugs.webkit.org/show_bug.cgi?id=194953
990         <rdar://problem/47595253>
991
992         Reviewed by Saam Barati.
993
994         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
995
996         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
997
998 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
999
1000         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1001         https://bugs.webkit.org/show_bug.cgi?id=172848
1002         <rdar://problem/25709212>
1003
1004         Reviewed by Mark Lam.
1005
1006         * typeProfiler/inheritance.js:
1007         Rewrite the test slightly for clarity. The hoisting was confusing.
1008
1009         * heapProfiler/class-names.js: Added.
1010         (MyES5Class):
1011         (MyES6Class):
1012         (MyES6Subclass):
1013         Test object types and improved class names.
1014
1015         * heapProfiler/driver/driver.js:
1016         (CheapHeapSnapshotNode):
1017         (CheapHeapSnapshot):
1018         (createCheapHeapSnapshot):
1019         (HeapSnapshot):
1020         (createHeapSnapshot):
1021         Update snapshot parsing from version 1 to version 2.
1022
1023 2019-02-19  Truitt Savell  <tsavell@apple.com>
1024
1025         Unreviewed, rolling out r241784.
1026
1027         Broke all OpenSource builds.
1028
1029         Reverted changeset:
1030
1031         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1032         instances view"
1033         https://bugs.webkit.org/show_bug.cgi?id=172848
1034         https://trac.webkit.org/changeset/241784
1035
1036 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1037
1038         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1039         https://bugs.webkit.org/show_bug.cgi?id=172848
1040         <rdar://problem/25709212>
1041
1042         Reviewed by Mark Lam.
1043
1044         * typeProfiler/inheritance.js:
1045         Rewrite the test slightly for clarity. The hoisting was confusing.
1046
1047         * heapProfiler/class-names.js: Added.
1048         (MyES5Class):
1049         (MyES6Class):
1050         (MyES6Subclass):
1051         Test object types and improved class names.
1052
1053         * heapProfiler/driver/driver.js:
1054         (CheapHeapSnapshotNode):
1055         (CheapHeapSnapshot):
1056         (createCheapHeapSnapshot):
1057         (HeapSnapshot):
1058         (createHeapSnapshot):
1059         Update snapshot parsing from version 1 to version 2.
1060
1061 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1062
1063         [ARM] Fix crash with sampling profiler
1064         https://bugs.webkit.org/show_bug.cgi?id=194772
1065
1066         Reviewed by Mark Lam.
1067
1068         Do not skip test since crash with sampling profiler is now fixed.
1069
1070         * stress/sampling-profiler-richards.js:
1071
1072 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1073
1074         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1075         https://bugs.webkit.org/show_bug.cgi?id=194784
1076         <rdar://problem/48154820>
1077
1078         Reviewed by Mark Lam.
1079
1080         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1081         (getProperties):
1082         (getRandomProperty):
1083         (i.catch):
1084
1085 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1086
1087         [ARM] Test gardening: Test running out of executable memory
1088         https://bugs.webkit.org/show_bug.cgi?id=194771
1089
1090         Unreviewed. Do not run test without LLInt, test is running out of executable
1091         memory on ARM otherwise.
1092
1093         * stress/tagged-template-object-collect.js:
1094
1095 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1096
1097         Unreviewed, skip the test on platforms without sampling profiler
1098
1099         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1100         (platformSupportsSamplingProfiler.foo):
1101         (platformSupportsSamplingProfiler.test):
1102         (platformSupportsSamplingProfiler):
1103         (foo): Deleted.
1104         (test): Deleted.
1105
1106 2019-02-17  Saam Barati  <sbarati@apple.com>
1107
1108         Deadlock when adding a Structure property transition and then doing incremental marking
1109         https://bugs.webkit.org/show_bug.cgi?id=194767
1110
1111         Reviewed by Mark Lam.
1112
1113         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1114
1115 2019-02-15  Michael Saboff  <msaboff@apple.com>
1116
1117         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1118         https://bugs.webkit.org/show_bug.cgi?id=194558
1119
1120         Reviewed by Saam Barati.
1121
1122         New regression test.
1123
1124         * stress/regexp-unicode-within-string.js: Added.
1125
1126 2019-02-15  Mark Lam  <mark.lam@apple.com>
1127
1128         SamplingProfiler::stackTracesAsJSON() should escape strings.
1129         https://bugs.webkit.org/show_bug.cgi?id=194649
1130         <rdar://problem/48072386>
1131
1132         Reviewed by Saam Barati.
1133
1134         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1135         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1136         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1137         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1138
1139 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1140         CodeBlock::jettison should clear related watchpoints
1141         https://bugs.webkit.org/show_bug.cgi?id=194544
1142
1143         Reviewed by Mark Lam.
1144
1145         * stress/regexp-replace-double-watchpoint.js: Added.
1146         (foo):
1147
1148 2019-02-15  Saam barati  <sbarati@apple.com>
1149
1150         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1151         https://bugs.webkit.org/show_bug.cgi?id=194036
1152
1153         Reviewed by Yusuke Suzuki.
1154
1155         * stress/tail-call-many-arguments.js: Added.
1156         (foo):
1157         (bar):
1158
1159 2019-02-14  Saam Barati  <sbarati@apple.com>
1160
1161         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1162         https://bugs.webkit.org/show_bug.cgi?id=194583
1163         <rdar://problem/48028140>
1164
1165         Reviewed by Yusuke Suzuki.
1166
1167         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1168
1169 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1170
1171         [JSC] String.fromCharCode's slow path always generates 16bit string
1172         https://bugs.webkit.org/show_bug.cgi?id=194466
1173
1174         Reviewed by Keith Miller.
1175
1176         * stress/string-from-char-code-slow-path.js: Added.
1177         (shouldBe):
1178         (testWithLength):
1179
1180 2019-02-08  Saam barati  <sbarati@apple.com>
1181
1182         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1183         https://bugs.webkit.org/show_bug.cgi?id=194334
1184         <rdar://problem/47844327>
1185
1186         Reviewed by Mark Lam.
1187
1188         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1189         (func):
1190
1191 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1192
1193         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1194         https://bugs.webkit.org/show_bug.cgi?id=194369
1195         <rdar://problem/47813087>
1196
1197         Reviewed by Saam Barati.
1198
1199         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1200         (A):
1201
1202 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1203
1204         [JSC] PrivateName to PublicName hash table is wasteful
1205         https://bugs.webkit.org/show_bug.cgi?id=194277
1206
1207         Reviewed by Michael Saboff.
1208
1209         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1210
1211         * ChakraCore.yaml:
1212
1213 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1214
1215         [ARM] Test running out of executable memory
1216         https://bugs.webkit.org/show_bug.cgi?id=194285
1217
1218         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1219         executable memory otherwise.
1220
1221         * stress/class-subclassing-function.js:
1222
1223 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1224
1225         when lowering AssertNotEmpty, create the value before creating the patchpoint
1226         https://bugs.webkit.org/show_bug.cgi?id=194231
1227
1228         Reviewed by Saam Barati.
1229
1230         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1231         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1232         So even tiny changes to this test can change the code path taken.
1233
1234         * stress/assert-not-empty.js: Added.
1235         (foo):
1236
1237 2019-02-01  Mark Lam  <mark.lam@apple.com>
1238
1239         Remove invalid assertion in DFG's compileDoubleRep().
1240         https://bugs.webkit.org/show_bug.cgi?id=194130
1241         <rdar://problem/47699474>
1242
1243         Reviewed by Saam Barati.
1244
1245         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1246
1247 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1248
1249         Import latest Test262 updates.
1250
1251         Rubber-stamped by Keith Miller.
1252
1253         * test262.yaml: Deleted.
1254         * test262/config.yaml:
1255         * test262/expectations.yaml:
1256         * test262/latest-changes-summary.txt:
1257         * test262/test/:
1258         * test262/test262-Revision.txt:
1259
1260 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1261
1262         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1263         https://bugs.webkit.org/show_bug.cgi?id=194050
1264         <rdar://problem/47595592>
1265
1266         Reviewed by Yusuke Suzuki.
1267
1268         * stress/object-keys-osr-exit.js: Added.
1269         (foo):
1270         (catch):
1271
1272 2019-01-29  Mark Lam  <mark.lam@apple.com>
1273
1274         ValueRecovery::recover() should purify NaN values it recovers.
1275         https://bugs.webkit.org/show_bug.cgi?id=193978
1276         <rdar://problem/47625488>
1277
1278         Reviewed by Saam Barati.
1279
1280         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1281
1282 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1283
1284         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1285         https://bugs.webkit.org/show_bug.cgi?id=193713
1286
1287         * stress/try-get-by-id-should-spill-registers-dfg.js:
1288         (let.f.createBuiltin):
1289
1290 2019-01-28  Mark Lam  <mark.lam@apple.com>
1291
1292         ToString node actually does GC.
1293         https://bugs.webkit.org/show_bug.cgi?id=193920
1294         <rdar://problem/46695900>
1295
1296         Reviewed by Yusuke Suzuki.
1297
1298         * stress/dfg-to-string-on-int-does-gc.js: Added.
1299         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1300         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1301
1302 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1303
1304         [JSC] NativeErrorConstructor should not have own IsoSubspace
1305         https://bugs.webkit.org/show_bug.cgi?id=193713
1306
1307         Reviewed by Saam Barati.
1308
1309         Remove @Error use.
1310
1311         * stress/try-get-by-id-should-spill-registers-dfg.js:
1312         (let.f.createBuiltin):
1313
1314 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1315
1316         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1317         https://bugs.webkit.org/show_bug.cgi?id=190693
1318
1319         Reviewed by Michael Saboff.
1320
1321         * stress/regress-190693.js: Added.
1322         (truth):
1323         (assert):
1324         (shouldThrowInvalidConstAssignment):
1325         (taz):
1326
1327 2019-01-24  Saam Barati  <sbarati@apple.com>
1328
1329         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1330         https://bugs.webkit.org/show_bug.cgi?id=193751
1331         <rdar://problem/47280215>
1332
1333         Reviewed by Michael Saboff.
1334
1335         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1336         (let.thing):
1337         (foo.let.hello):
1338         (foo):
1339
1340 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1341
1342         [JSC] Reenable baseline JIT on mips
1343         https://bugs.webkit.org/show_bug.cgi?id=192983
1344
1345         Reviewed by Mark Lam.
1346
1347         Added a new test for a case that was triggering a RELEASE_ASSERT when
1348         testing.
1349         Disable some slow tests that were already disabled for arm and x86.
1350
1351         * stress/json-parse-big-object.js: Added.
1352         * stress/new-largeish-contiguous-array-with-size.js:
1353         * stress/op_add.js:
1354         * stress/op_bitand.js:
1355         * stress/op_bitor.js:
1356         * stress/op_bitxor.js:
1357         * stress/op_lshift-ConstVar.js:
1358         * stress/op_lshift-VarConst.js:
1359         * stress/op_lshift-VarVar.js:
1360         * stress/op_mod-ConstVar.js:
1361         * stress/op_mod-VarConst.js:
1362         * stress/op_mod-VarVar.js:
1363         * stress/op_mul-ConstVar.js:
1364         * stress/op_mul-VarConst.js:
1365         * stress/op_mul-VarVar.js:
1366         * stress/op_rshift-ConstVar.js:
1367         * stress/op_rshift-VarConst.js:
1368         * stress/op_rshift-VarVar.js:
1369         * stress/op_sub-ConstVar.js:
1370         * stress/op_sub-VarConst.js:
1371         * stress/op_sub-VarVar.js:
1372         * stress/op_urshift-ConstVar.js:
1373         * stress/op_urshift-VarConst.js:
1374         * stress/op_urshift-VarVar.js:
1375         * stress/sampling-profiler-richards.js:
1376         * stress/spread-forward-call-varargs-stack-overflow.js:
1377
1378 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1381         https://bugs.webkit.org/show_bug.cgi?id=193711
1382         <rdar://problem/47250262>
1383
1384         Reviewed by Saam Barati.
1385
1386         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1387         (shouldBe):
1388         (foo):
1389         (bar):
1390         (baz):
1391
1392 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1393
1394         Unreviewed, fix initial global lexical binding epoch
1395         https://bugs.webkit.org/show_bug.cgi?id=193603
1396         <rdar://problem/47380869>
1397
1398         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1399         (f1.f2.f3.f4):
1400         (f1.f2.f3):
1401         (f1.f2):
1402         (f1):
1403
1404 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1405
1406         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1407         https://bugs.webkit.org/show_bug.cgi?id=193709
1408         <rdar://problem/47363838>
1409
1410         Unreviewed, rollout to watch the tests.
1411
1412         * stress/object-tostring-changed-proto.js: Removed.
1413         * stress/object-tostring-changed.js: Removed.
1414         * stress/object-tostring-misc.js: Removed.
1415         * stress/object-tostring-other.js: Removed.
1416         * stress/object-tostring-untyped.js: Removed.
1417
1418 2019-01-22  Saam Barati  <sbarati@apple.com>
1419
1420         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1421
1422         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1423         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1424         (testUncheckedLessThanZero):
1425         (testUncheckedLessThanOrEqualZero):
1426         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1427         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1428
1429 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1430
1431         [JSC] Invalidate old scope operations using global lexical binding epoch
1432         https://bugs.webkit.org/show_bug.cgi?id=193603
1433         <rdar://problem/47380869>
1434
1435         Reviewed by Saam Barati.
1436
1437         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1438         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1439         (shouldThrow):
1440         (bar):
1441         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1442         (shouldBe):
1443         (get1):
1444         (get2):
1445         (get1If):
1446         (get2If):
1447         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1448         (shouldThrow):
1449         (foo):
1450
1451 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1452
1453         Unreviewed, roll out r240220 due to date-format-xparb regression
1454         https://bugs.webkit.org/show_bug.cgi?id=193603
1455
1456         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1457         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1458         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1459         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1460
1461 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1462
1463         DoesGC rule is wrong for nodes with BigIntUse
1464         https://bugs.webkit.org/show_bug.cgi?id=193652
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/big-int-value-op-update-gc-rules.js: Added.
1469         (assert):
1470         (doesGCAdd):
1471         (doesGCSub):
1472         (doesGCDiv):
1473         (doesGCMul):
1474         (doesGCBitAnd):
1475         (doesGCBitOr):
1476         (doesGCBitXor):
1477
1478 2019-01-20  Saam Barati  <sbarati@apple.com>
1479
1480         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1481         https://bugs.webkit.org/show_bug.cgi?id=193644
1482         <rdar://problem/46209745>
1483
1484         Reviewed by Yusuke Suzuki.
1485
1486         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1487         (foo):
1488         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1489         (foo):
1490         (bar):
1491
1492 2019-01-20  Saam Barati  <sbarati@apple.com>
1493
1494         MovHint must merge NodeBytecodeUsesAsValue for its child
1495         https://bugs.webkit.org/show_bug.cgi?id=186916
1496         <rdar://problem/41396612>
1497
1498         Reviewed by Yusuke Suzuki.
1499
1500         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1501         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1502
1503 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1504
1505         [JSC] Invalidate old scope operations using global lexical binding epoch
1506         https://bugs.webkit.org/show_bug.cgi?id=193603
1507         <rdar://problem/47380869>
1508
1509         Reviewed by Saam Barati.
1510
1511         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1512         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1513         (shouldThrow):
1514         (bar):
1515         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1516         (shouldBe):
1517         (get1):
1518         (get2):
1519         (get1If):
1520         (get2If):
1521         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1522         (shouldThrow):
1523         (foo):
1524
1525 2019-01-17  Saam barati  <sbarati@apple.com>
1526
1527         StringObjectUse should not be a structure check for the original string object structure
1528         https://bugs.webkit.org/show_bug.cgi?id=193483
1529         <rdar://problem/47280522>
1530
1531         Reviewed by Yusuke Suzuki.
1532
1533         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1534         (foo):
1535         (a.valueOf.0):
1536
1537 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1538
1539         [JSC] ToThis omission in DFGByteCodeParser is wrong
1540         https://bugs.webkit.org/show_bug.cgi?id=193513
1541         <rdar://problem/45842236>
1542
1543         Reviewed by Saam Barati.
1544
1545         * stress/to-this-omission-with-different-strict-modes.js: Added.
1546         (thisA):
1547         (thisAStrictWrapper):
1548
1549 2019-01-15  Mark Lam  <mark.lam@apple.com>
1550
1551         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1552         https://bugs.webkit.org/show_bug.cgi?id=193423
1553         <rdar://problem/46209355>
1554
1555         Reviewed by Saam Barati.
1556
1557         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1558         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1559         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1560         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1561
1562 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1563
1564         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1565         https://bugs.webkit.org/show_bug.cgi?id=193438
1566         <rdar://problem/45581249>
1567
1568         Reviewed by Saam Barati and Keith Miller.
1569
1570         Under heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1571         Then, GetByVal(String) crashed.
1572
1573         * stress/string-get-by-val-lowering.js: Added.
1574         (shouldBe):
1575         (test):
1576         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1577         (Hello):
1578         (foo):
1579
1580 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1581
1582         Unreviewed, skip JIT tests if it's not enabled
1583
1584         * stress/bit-op-with-object-returning-int32.js:
1585
1586 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1587
1588         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1589         https://bugs.webkit.org/show_bug.cgi?id=192966
1590
1591         Reviewed by Yusuke Suzuki.
1592
1593         * stress/bit-op-with-object-returning-int32.js: Added.
1594
1595 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1596
1597         Skip a slow test and a flakey test on arm
1598
1599         Unreviewed gardening.
1600
1601         * typeProfiler/getter-richards.js:
1602         this test always times out, it used to be always skipped on arm and
1603         mips, but got accidentally enabled by r237919 now that we have DFG on
1604         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1605
1606 2019-01-14  Keith Miller  <keith_miller@apple.com>
1607
1608         Skip type-check-hoisting-phase-hoist... with no jit
1609         https://bugs.webkit.org/show_bug.cgi?id=193421
1610
1611         Reviewed by Mark Lam.
1612
1613         It's timing out the 32-bit bots and takes 330 seconds
1614         on my machine when run by itself.
1615
1616         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1617
1618 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1619
1620         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1621         https://bugs.webkit.org/show_bug.cgi?id=193413
1622         <rdar://problem/46092389>
1623
1624         Reviewed by Keith Miller.
1625
1626         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1627         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1628         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1629         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1630
1631         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1632         (compareArray):
1633
1634 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1635
1636         [BigInt] Literal parsing is crashing when used inside a Object Literal
1637         https://bugs.webkit.org/show_bug.cgi?id=193404
1638
1639         Reviewed by Yusuke Suzuki.
1640
1641         * stress/big-int-literal-inside-literal-object.js: Added.
1642
1643 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1644
1645         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1646         https://bugs.webkit.org/show_bug.cgi?id=193372
1647
1648         Reviewed by Saam Barati.
1649
1650         * stress/typed-array-array-modes-profile.js: Added.
1651         (foo):
1652
1653 2019-01-14  Mark Lam  <mark.lam@apple.com>
1654
1655         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1656         https://bugs.webkit.org/show_bug.cgi?id=193402
1657         <rdar://problem/46012309>
1658
1659         Reviewed by Keith Miller.
1660
1661         * stress/regexp-compile-oom.js:
1662         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1663           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1664
1665 2019-01-11  Saam barati  <sbarati@apple.com>
1666
1667         DFG combined liveness can be wrong for terminal basic blocks
1668         https://bugs.webkit.org/show_bug.cgi?id=193304
1669         <rdar://problem/45268632>
1670
1671         Reviewed by Yusuke Suzuki.
1672
1673         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1674
1675 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1676
1677         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1678         https://bugs.webkit.org/show_bug.cgi?id=193308
1679         <rdar://problem/45546542>
1680
1681         Reviewed by Saam Barati.
1682
1683         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1684         (shouldThrow):
1685         (shouldBe):
1686         (foo):
1687         (get shouldThrow):
1688         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1689         (shouldThrow):
1690         (shouldBe):
1691         (foo):
1692         (get shouldBe):
1693         (get shouldThrow):
1694         (get return):
1695         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1696         (shouldThrow):
1697         (shouldBe):
1698         (foo):
1699         (get shouldBe):
1700         (get shouldThrow):
1701         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1702         (shouldThrow):
1703         (shouldBe):
1704         (foo):
1705         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1706         (shouldThrow):
1707         (shouldBe):
1708         (foo):
1709         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1710         (shouldThrow):
1711         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1712         (shouldThrow):
1713         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1714         (shouldThrow):
1715         (shouldBe):
1716         (foo):
1717         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1718         (shouldThrow):
1719         (shouldBe):
1720         (foo):
1721         (get shouldBe):
1722         (get shouldThrow):
1723         (get return):
1724         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1725         (shouldThrow):
1726         (shouldBe):
1727         (foo):
1728         (get shouldBe):
1729         (get shouldThrow):
1730         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1731         (shouldThrow):
1732         (shouldBe):
1733         (foo):
1734         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1735         (shouldThrow):
1736         (shouldBe):
1737         (foo):
1738
1739 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1740
1741         Enable DFG on ARM/Linux again
1742         https://bugs.webkit.org/show_bug.cgi?id=192496
1743
1744         Reviewed by Yusuke Suzuki.
1745
1746         Test wasn't really skipped before moving the line with skip
1747         to the top.
1748
1749         * stress/regress-192717.js:
1750
1751 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1752
1753         Unreviewed, rolling out r239825.
1754         https://bugs.webkit.org/show_bug.cgi?id=193330
1755
1756         Broke tests on armv7/linux bots (Requested by guijemont on
1757         #webkit).
1758
1759         Reverted changeset:
1760
1761         "Enable DFG on ARM/Linux again"
1762         https://bugs.webkit.org/show_bug.cgi?id=192496
1763         https://trac.webkit.org/changeset/239825
1764
1765 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1766
1767         Enable DFG on ARM/Linux again
1768         https://bugs.webkit.org/show_bug.cgi?id=192496
1769
1770         Reviewed by Yusuke Suzuki.
1771
1772         Test wasn't really skipped before moving the line with skip
1773         to the top.
1774
1775         * stress/regress-192717.js:
1776
1777 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1778
1779         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1780         https://bugs.webkit.org/show_bug.cgi?id=193127
1781
1782         Reviewed by Saam Barati.
1783
1784         * stress/array-species-create-should-handle-masquerader.js: Added.
1785         (shouldThrow):
1786         * stress/is-undefined-or-null-builtin.js: Added.
1787         (shouldBe):
1788         (isUndefinedOrNull.vm.createBuiltin):
1789
1790 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1791
1792         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1793         https://bugs.webkit.org/show_bug.cgi?id=193221
1794
1795         Reviewed by Mark Lam.
1796
1797         * stress/put-by-id-flags.js: Added.
1798         (f):
1799         (g):
1800         (numberOfDFGCompiles):
1801
1802 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1803
1804         Baseline version of get_by_id may corrupt metadata
1805         https://bugs.webkit.org/show_bug.cgi?id=193085
1806         <rdar://problem/23453006>
1807
1808         Reviewed by Saam Barati.
1809
1810         * stress/get-by-id-change-mode.js: Added.
1811         (forEach):
1812
1813 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1814
1815         [JSC] Optimize Object.prototype.toString
1816         https://bugs.webkit.org/show_bug.cgi?id=193031
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/object-tostring-changed-proto.js: Added.
1821         (shouldBe):
1822         (test):
1823         * stress/object-tostring-changed.js: Added.
1824         (shouldBe):
1825         (test):
1826         * stress/object-tostring-misc.js: Added.
1827         (shouldBe):
1828         (test):
1829         (i.switch):
1830         * stress/object-tostring-other.js: Added.
1831         (shouldBe):
1832         (test):
1833         * stress/object-tostring-untyped.js: Added.
1834         (shouldBe):
1835         (test):
1836         (i.switch):
1837
1838 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1839
1840         test262-runner misbehaves when test file YAML has a trailing space
1841         https://bugs.webkit.org/show_bug.cgi?id=193053
1842
1843         Reviewed by Yusuke Suzuki.
1844
1845         * test262/expectations.yaml:
1846         Mark two dozen tests as passing (and correct the output of another).
1847
1848 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1849
1850         Unreviewed, JSTests gardening with memoryLimited
1851
1852         * stress/string-overflow-createError.js:
1853
1854 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1855
1856         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1857         https://bugs.webkit.org/show_bug.cgi?id=193050
1858
1859         Reviewed by Yusuke Suzuki.
1860
1861         * test262.yaml:
1862         * test262/expectations.yaml:
1863         Mark 16 tests as passing.
1864
1865 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1866
1867         [BigInt] Support BigInt in JSON.stringify
1868         https://bugs.webkit.org/show_bug.cgi?id=192624
1869
1870         Reviewed by Saam Barati.
1871
1872         * stress/big-int-json-stringify-to-json.js: Added.
1873         (shouldBe):
1874         (shouldThrow):
1875         (BigInt.prototype.toJSON):
1876         (shouldBe.JSON.stringify):
1877         * stress/big-int-json-stringify.js: Added.
1878         (shouldBe):
1879         (shouldThrow):
1880
1881 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1882
1883         [JSC] Implement "well-formed JSON.stringify" proposal
1884         https://bugs.webkit.org/show_bug.cgi?id=191677
1885
1886         Reviewed by Darin Adler.
1887
1888         * stress/json-surrogate-pair.js: Added.
1889         (shouldBe):
1890         * test262/expectations.yaml:
1891
1892 2018-12-20  Keith Miller  <keith_miller@apple.com>
1893
1894         Add support for globalThis
1895         https://bugs.webkit.org/show_bug.cgi?id=165171
1896
1897         Reviewed by Mark Lam.
1898
1899         * test262/config.yaml:
1900
1901 2018-12-19  Keith Miller  <keith_miller@apple.com>
1902
1903         Update test262 configuration to not run tests dependent on ICU version.
1904         https://bugs.webkit.org/show_bug.cgi?id=192920
1905
1906         Reviewed by Saam Barati.
1907
1908         * test262/expectations.yaml:
1909
1910 2018-12-20  Mark Lam  <mark.lam@apple.com>
1911
1912         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1913         https://bugs.webkit.org/show_bug.cgi?id=192939
1914         <rdar://problem/46869516>
1915
1916         Reviewed by Keith Miller.
1917
1918         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1919
1920 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1921
1922         WTF::String and StringImpl overflow MaxLength
1923         https://bugs.webkit.org/show_bug.cgi?id=192853
1924         <rdar://problem/45726906>
1925
1926         Reviewed by Mark Lam.
1927
1928         * stress/string-16bit-repeat-overflow.js: Added.
1929         (catch):
1930
1931 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1932
1933         Unreviewed follow-up to r192914.
1934
1935         * test262/expectations.yaml:
1936         Add the last 20 missing expectations.
1937
1938 2018-12-19  Keith Miller  <keith_miller@apple.com>
1939
1940         Fix test262 expectations
1941         https://bugs.webkit.org/show_bug.cgi?id=192914
1942
1943         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1944
1945         * test262/expectations.yaml:
1946
1947 2018-12-19  Keith Miller  <keith_miller@apple.com>
1948
1949         Update test262 tests.
1950         https://bugs.webkit.org/show_bug.cgi?id=192907
1951
1952         Rubber stamped by Mark Lam.
1953
1954         * test262/*: Omitted because prepare-changelog crashes.
1955
1956 2018-12-19  Mark Lam  <mark.lam@apple.com>
1957
1958         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1959         https://bugs.webkit.org/show_bug.cgi?id=192464
1960         <rdar://problem/46519455>
1961
1962         Reviewed by Saam Barati.
1963
1964         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1965         microbenchmark.
1966
1967         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1968         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1969
1970 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1971
1972         String overflow in JSC::createError results in ASSERT in WTF::makeString
1973         https://bugs.webkit.org/show_bug.cgi?id=192833
1974         <rdar://problem/45706868>
1975
1976         Reviewed by Mark Lam.
1977
1978         * stress/string-overflow-createError.js: Added.
1979
1980 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1981
1982         Error message for `-x ** y` contains a typo.
1983         https://bugs.webkit.org/show_bug.cgi?id=192832
1984
1985         Reviewed by Saam Barati.
1986
1987         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1988         (assert.assert.return.throws):
1989         * stress/pow-expects-update-expression-on-lhs.js:
1990         (throw.new.Error):
1991         Update test expectations which match against the exact error message.
1992
1993 2018-12-18  Mark Lam  <mark.lam@apple.com>
1994
1995         Gardening: test options fix.
1996         https://bugs.webkit.org/show_bug.cgi?id=192822
1997
1998         Unreviewed.
1999
2000         * stress/json-stringify-string-builder-overflow.js:
2001
2002 2018-12-18  Mark Lam  <mark.lam@apple.com>
2003
2004         JSON.stringify() should throw OOM on StringBuilder overflows.
2005         https://bugs.webkit.org/show_bug.cgi?id=192822
2006         <rdar://problem/46670577>
2007
2008         Reviewed by Saam Barati.
2009
2010         * stress/json-stringify-string-builder-overflow.js: Added.
2011
2012 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2013
2014         Redeclaration of var over let/const/class should be a syntax error.
2015         https://bugs.webkit.org/show_bug.cgi?id=192298
2016
2017         Reviewed by Keith Miller.
2018
2019         * test262.yaml:
2020         * test262/expectations.yaml:
2021         Mark 46 tests as passing.
2022
2023         * stress/block-scope-redeclarations.js:
2024         Add some new tests.
2025
2026         * stress/for-in-invalidate-context-weird-assignments.js:
2027         * stress/for-in-tests.js:
2028         Replace tests for outdated behavior with tests for SyntaxError.
2029
2030         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2031         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2032         Update expectations.
2033
2034 2018-12-18  Mark Lam  <mark.lam@apple.com>
2035
2036         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2037         https://bugs.webkit.org/show_bug.cgi?id=191374
2038         <rdar://problem/46525447>
2039
2040         Reviewed by Yusuke Suzuki.
2041
2042         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2043
2044         * stress/elidable-new-object-roflcopter-then-exit.js:
2045
2046 2018-12-17  Mark Lam  <mark.lam@apple.com>
2047
2048         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2049         https://bugs.webkit.org/show_bug.cgi?id=192019
2050         <rdar://problem/46525456>
2051
2052         Reviewed by Yusuke Suzuki.
2053
2054         The test runs too slow on 32-bit.
2055
2056         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2057
2058 2018-12-17  Mark Lam  <mark.lam@apple.com>
2059
2060         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2061         https://bugs.webkit.org/show_bug.cgi?id=191373
2062         <rdar://problem/46525458>
2063
2064         Reviewed by Yusuke Suzuki.
2065
2066         The test is already slow running with a JIT on 64-bit.  It will always time out
2067         on 32-bit without a JIT.
2068
2069         * stress/materialize-regexp-cyclic-regexp.js:
2070
2071 2018-12-17  Mark Lam  <mark.lam@apple.com>
2072
2073         Array unshift/shift should not race against the AI in the compiler thread.
2074         https://bugs.webkit.org/show_bug.cgi?id=192795
2075         <rdar://problem/46724263>
2076
2077         Reviewed by Saam Barati.
2078
2079         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2080
2081 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2082
2083         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2084         https://bugs.webkit.org/show_bug.cgi?id=190047
2085
2086         Reviewed by Saam Barati.
2087
2088         * stress/object-keys-cached-zero.js: Added.
2089         (shouldBe):
2090         (test):
2091         * stress/object-keys-changed-attribute.js: Added.
2092         (shouldBe):
2093         (test):
2094         * stress/object-keys-changed-index.js: Added.
2095         (shouldBe):
2096         (test):
2097         * stress/object-keys-changed.js: Added.
2098         (shouldBe):
2099         (test):
2100         * stress/object-keys-indexed-non-cache.js: Added.
2101         (shouldBe):
2102         (test):
2103         * stress/object-keys-overrides-get-property-names.js: Added.
2104         (shouldBe):
2105         (test):
2106         (noInline):
2107
2108 2018-12-17  Mark Lam  <mark.lam@apple.com>
2109
2110         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2111         https://bugs.webkit.org/show_bug.cgi?id=192779
2112         <rdar://problem/46775869>
2113
2114         Reviewed by Saam Barati.
2115
2116         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2117
2118 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2119
2120         Unreviewed test gardening, address a syntax error in a new test.
2121
2122         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2123
2124 2018-12-17  Mark Lam  <mark.lam@apple.com>
2125
2126         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2127         https://bugs.webkit.org/show_bug.cgi?id=192776
2128         <rdar://problem/46772368>
2129
2130         Reviewed by Keith Miller.
2131
2132         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2133
2134 2018-12-17  Mark Lam  <mark.lam@apple.com>
2135
2136         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2137         https://bugs.webkit.org/show_bug.cgi?id=192770
2138         <rdar://problem/46449037>
2139
2140         Reviewed by Keith Miller.
2141
2142         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2143
2144 2018-12-14  Mark Lam  <mark.lam@apple.com>
2145
2146         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2147         https://bugs.webkit.org/show_bug.cgi?id=192717
2148         <rdar://problem/46660677>
2149
2150         Reviewed by Saam Barati.
2151
2152         * stress/regress-192717.js: Added.
2153
2154 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2155
2156         Unreviewed, rolling out r239153, r239154, and r239155.
2157         https://bugs.webkit.org/show_bug.cgi?id=192715
2158
2159         Caused flaky GC-related crashes seen with layout tests
2160         (Requested by ryanhaddad on #webkit).
2161
2162         Reverted changesets:
2163
2164         "[JSC] Optimize Object.keys by caching own keys results in
2165         StructureRareData"
2166         https://bugs.webkit.org/show_bug.cgi?id=190047
2167         https://trac.webkit.org/changeset/239153
2168
2169         "Unreviewed, build fix after r239153"
2170         https://bugs.webkit.org/show_bug.cgi?id=190047
2171         https://trac.webkit.org/changeset/239154
2172
2173         "Unreviewed, build fix after r239153, part 2"
2174         https://bugs.webkit.org/show_bug.cgi?id=190047
2175         https://trac.webkit.org/changeset/239155
2176
2177 2018-12-14  Keith Miller  <keith_miller@apple.com>
2178
2179         Callers of JSString::getIndex should check for OOM exceptions
2180         https://bugs.webkit.org/show_bug.cgi?id=192709
2181
2182         Reviewed by Mark Lam.
2183
2184         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2185
2186 2018-12-13  Mark Lam  <mark.lam@apple.com>
2187
2188         Add a missing exception check.
2189         https://bugs.webkit.org/show_bug.cgi?id=192626
2190         <rdar://problem/46662163>
2191
2192         Reviewed by Keith Miller.
2193
2194         * stress/regress-192626.js: Added.
2195
2196 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2197
2198         [BigInt] Add ValueDiv into DFG
2199         https://bugs.webkit.org/show_bug.cgi?id=186178
2200
2201         Reviewed by Yusuke Suzuki.
2202
2203         * stress/big-int-div-jit-osr.js: Added.
2204         * stress/big-int-div-jit-untyped.js: Added.
2205         * stress/value-div-fixup-int32-big-int.js: Added.
2206
2207 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2208
2209         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2210         https://bugs.webkit.org/show_bug.cgi?id=190047
2211
2212         Reviewed by Keith Miller.
2213
2214         * stress/object-keys-cached-zero.js: Added.
2215         (shouldBe):
2216         (test):
2217         * stress/object-keys-changed-attribute.js: Added.
2218         (shouldBe):
2219         (test):
2220         * stress/object-keys-changed-index.js: Added.
2221         (shouldBe):
2222         (test):
2223         * stress/object-keys-changed.js: Added.
2224         (shouldBe):
2225         (test):
2226         * stress/object-keys-indexed-non-cache.js: Added.
2227         (shouldBe):
2228         (test):
2229         * stress/object-keys-overrides-get-property-names.js: Added.
2230         (shouldBe):
2231         (test):
2232         (noInline):
2233
2234 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2235
2236         [DFG][FTL] Add NewSymbol
2237         https://bugs.webkit.org/show_bug.cgi?id=192620
2238
2239         Reviewed by Saam Barati.
2240
2241         * microbenchmarks/symbol-creation.js: Added.
2242         (test):
2243         * stress/symbol-description-identity.js: Added.
2244         (shouldBe):
2245         (test):
2246         * stress/symbol-identity.js: Added.
2247         (shouldBe):
2248         (test):
2249         * stress/symbol-with-description-throw-error.js: Added.
2250         (shouldBe):
2251         (shouldThrow):
2252         (test):
2253         (object.toString):
2254
2255 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2256
2257         [BigInt] Implement DFG/FTL typeof for BigInt
2258         https://bugs.webkit.org/show_bug.cgi?id=192619
2259
2260         Reviewed by Keith Miller.
2261
2262         * stress/big-int-boolean-proven-type.js: Added.
2263         (assert):
2264         (bool):
2265         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2266         (assert):
2267         (typeOf):
2268         (i.switch):
2269         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2270         (assert):
2271         (typeOf):
2272         * stress/big-int-type-of.js:
2273         (typeOf):
2274         (func):
2275
2276 2018-12-10  Mark Lam  <mark.lam@apple.com>
2277
2278         PropertyAttribute needs a CustomValue bit.
2279         https://bugs.webkit.org/show_bug.cgi?id=191993
2280         <rdar://problem/46264467>
2281
2282         Reviewed by Saam Barati.
2283
2284         * stress/regress-191993.js: Added.
2285
2286 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2287
2288         [BigInt] Add ValueMul into DFG
2289         https://bugs.webkit.org/show_bug.cgi?id=186175
2290
2291         Reviewed by Yusuke Suzuki.
2292
2293         * stress/big-int-mul-jit-osr.js: Added.
2294         * stress/big-int-mul-jit-untyped.js: Added.
2295         * stress/value-mul-fixup-int32-big-int.js: Added.
2296
2297 2018-12-06  Keith Miller  <keith_miller@apple.com>
2298
2299         stress/big-wasm-memory tests failing on 32-bit JSC bot
2300         https://bugs.webkit.org/show_bug.cgi?id=192020
2301
2302         Reviewed by Saam Barati.
2303
2304         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2305         the wasm stress tests if the WebAssembly object does not exist.
2306
2307         * stress/big-wasm-memory-grow-no-max.js:
2308         (test.foo):
2309         (test):
2310         (foo): Deleted.
2311         (catch): Deleted.
2312         * stress/big-wasm-memory-grow.js:
2313         (test.foo):
2314         (test):
2315         (foo): Deleted.
2316         (catch): Deleted.
2317         * stress/big-wasm-memory.js:
2318         (test.foo):
2319         (test):
2320         (foo): Deleted.
2321         (catch): Deleted.
2322
2323 2018-12-05  Mark Lam  <mark.lam@apple.com>
2324
2325         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2326         https://bugs.webkit.org/show_bug.cgi?id=192441
2327         <rdar://problem/46480355>
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/regress-192441.js: Added.
2332
2333 2018-12-04  Mark Lam  <mark.lam@apple.com>
2334
2335         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2336         https://bugs.webkit.org/show_bug.cgi?id=192386
2337         <rdar://problem/46445516>
2338
2339         Reviewed by Saam Barati.
2340
2341         * stress/regress-192386.js: Added.
2342
2343 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2344
2345         [ESNext][BigInt] Support logic operations
2346         https://bugs.webkit.org/show_bug.cgi?id=179903
2347
2348         Reviewed by Yusuke Suzuki.
2349
2350         * stress/big-int-branch-usage.js: Added.
2351         * stress/big-int-logical-and.js: Added.
2352         * stress/big-int-logical-not.js: Added.
2353         * stress/big-int-logical-or.js: Added.
2354
2355 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2356
2357         Unreviewed, rolling out r238833.
2358
2359         Breaks macOS and iOS debug builds.
2360
2361         Reverted changeset:
2362
2363         "[ESNext][BigInt] Support logic operations"
2364         https://bugs.webkit.org/show_bug.cgi?id=179903
2365         https://trac.webkit.org/changeset/238833
2366
2367 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2368
2369         [ESNext][BigInt] Support logic operations
2370         https://bugs.webkit.org/show_bug.cgi?id=179903
2371
2372         Reviewed by Yusuke Suzuki.
2373
2374         * stress/big-int-branch-usage.js: Added.
2375         * stress/big-int-logical-and.js: Added.
2376         * stress/big-int-logical-not.js: Added.
2377         * stress/big-int-logical-or.js: Added.
2378
2379 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2380
2381         [ESNext][BigInt] Implement support for "<<" and ">>"
2382         https://bugs.webkit.org/show_bug.cgi?id=186233
2383
2384         Reviewed by Yusuke Suzuki.
2385
2386         * stress/big-int-left-shift-general.js: Added.
2387         * stress/big-int-left-shift-range-error.js: Added.
2388         * stress/big-int-left-shift-type-error.js: Added.
2389         * stress/big-int-left-shift-wrapped-value.js: Added.
2390         * stress/big-int-right-shift-general.js: Added.
2391         * stress/big-int-right-shift-type-error.js: Added.
2392         * stress/big-int-right-shift-wrapped-value.js: Added.
2393         * stress/left-shift-to-primitive-precedence.js: Added.
2394         * stress/right-shift-to-primitive-precedence.js: Added.
2395
2396 2018-11-30  Dean Jackson  <dino@apple.com>
2397
2398         Add first-class support for .mjs files in jsc binary
2399         https://bugs.webkit.org/show_bug.cgi?id=192190
2400         <rdar://problem/46375715>
2401
2402         Reviewed by Keith Miller.
2403
2404         * stress/simple-module.mjs: Added.
2405         * stress/simple-script.js: Added.
2406
2407 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2408
2409         [BigInt] Implement ValueBitXor into DFG
2410         https://bugs.webkit.org/show_bug.cgi?id=190264
2411
2412         Reviewed by Yusuke Suzuki.
2413
2414         * stress/big-int-bitwise-xor-jit.js: Added.
2415         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2416         * stress/big-int-bitwise-xor-untyped.js: Added.
2417
2418 2018-11-27  Saam barati  <sbarati@apple.com>
2419
2420         r238510 broke scopes of size zero
2421         https://bugs.webkit.org/show_bug.cgi?id=192033
2422         <rdar://problem/46281734>
2423
2424         Reviewed by Keith Miller.
2425
2426         * stress/r238510-bad-loop.js: Added.
2427         (foo):
2428
2429 2018-11-27  Mark Lam  <mark.lam@apple.com>
2430
2431         [Re-landing] NaNs read from Wasm code needs to be purified.
2432         https://bugs.webkit.org/show_bug.cgi?id=191056
2433         <rdar://problem/45660341>
2434
2435         Reviewed by Filip Pizlo.
2436
2437         * wasm/regress/regress-191056.js: Added.
2438
2439 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2440
2441         Unreviewed, rolling out r238509.
2442
2443         Causes JSC tests to fail on iOS.
2444
2445         Reverted changeset:
2446
2447         "NaNs read from Wasm code needs to be purified."
2448         https://bugs.webkit.org/show_bug.cgi?id=191056
2449         https://trac.webkit.org/changeset/238509
2450
2451 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2452
2453         Re-introduce op_bitnot
2454         https://bugs.webkit.org/show_bug.cgi?id=190923
2455
2456         Reviewed by Yusuke Suzuki.
2457
2458         * stress/bit-not-must-generate.js: Added.
2459         * stress/bitwise-not-no-int32.js: Added.
2460
2461 2018-11-26  Saam barati  <sbarati@apple.com>
2462
2463         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2464         https://bugs.webkit.org/show_bug.cgi?id=191956
2465         <rdar://problem/45665806>
2466
2467         Reviewed by Yusuke Suzuki.
2468
2469         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2470         (bar):
2471         (foo):
2472
2473 2018-11-26  Saam barati  <sbarati@apple.com>
2474
2475         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2476         https://bugs.webkit.org/show_bug.cgi?id=191958
2477         <rdar://problem/46221877>
2478
2479         Reviewed by Yusuke Suzuki.
2480
2481         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2482         (x):
2483         (foo):
2484
2485 2018-11-26  Mark Lam  <mark.lam@apple.com>
2486
2487         NaNs read from Wasm code needs to be purified.
2488         https://bugs.webkit.org/show_bug.cgi?id=191056
2489         <rdar://problem/45660341>
2490
2491         Reviewed by Filip Pizlo.
2492
2493         * wasm/regress/regress-191056.js: Added.
2494
2495 2018-11-26  Michael Saboff  <msaboff@apple.com>
2496
2497         32-bit JSC test failure: stress/regexp-compile-oom.js
2498         https://bugs.webkit.org/show_bug.cgi?id=191375
2499
2500         Reviewed by Mark Lam.
2501
2502         Disabled the test for 32 bit platforms.
2503
2504         * stress/regexp-compile-oom.js:
2505
2506 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2507
2508         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2509         https://bugs.webkit.org/show_bug.cgi?id=191716
2510         <rdar://problem/45723878>
2511
2512         Reviewed by Saam Barati.
2513
2514         * stress/regress-187373.js: Added.
2515         (async.fn):
2516
2517 2018-11-21  Saam barati  <sbarati@apple.com>
2518
2519         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2520         https://bugs.webkit.org/show_bug.cgi?id=191897
2521         <rdar://problem/45871998>
2522
2523         Reviewed by Mark Lam.
2524
2525         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2526         (bar):
2527         (foo):
2528
2529 2018-11-21  Saam barati  <sbarati@apple.com>
2530
2531         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2532         https://bugs.webkit.org/show_bug.cgi?id=191895
2533         <rdar://problem/46167406>
2534
2535         Reviewed by Mark Lam.
2536
2537         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2538         (foo):
2539         (bar):
2540
2541 2018-11-21  Mark Lam  <mark.lam@apple.com>
2542
2543         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2544         https://bugs.webkit.org/show_bug.cgi?id=191776
2545         <rdar://problem/46152851>
2546
2547         Reviewed by Saam Barati.
2548
2549         * stress/big-wasm-memory-grow-no-max.js:
2550         * stress/big-wasm-memory-grow.js:
2551         * stress/big-wasm-memory.js:
2552         - updated these to expect an OutOfMemoryError.
2553
2554         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2555         (Binary.prototype.emit_u8):
2556         (Binary.prototype.emit_u32v):
2557         (Binary.prototype.emit_header):
2558         (Binary.prototype.emit_section):
2559         (Binary):
2560         (WasmModuleBuilder):
2561         (WasmModuleBuilder.prototype.addMemory):
2562         (WasmModuleBuilder.prototype.toArray):
2563         (WasmModuleBuilder.prototype.toBuffer):
2564         (WasmModuleBuilder.prototype.instantiate):
2565         (catch):
2566         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2567         (catch):
2568
2569 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2570
2571         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2572         https://bugs.webkit.org/show_bug.cgi?id=190836
2573
2574         Reviewed by Saam Barati and Yusuke Suzuki.
2575
2576         * stress/big-int-out-of-memory-tests.js: Added.
2577
2578 2018-11-20  Mark Lam  <mark.lam@apple.com>
2579
2580         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2581         https://bugs.webkit.org/show_bug.cgi?id=191856
2582         <rdar://problem/46089992>
2583
2584         Reviewed by Yusuke Suzuki.
2585
2586         * stress/regress-191856.js: Added.
2587         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2588
2589 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2590
2591         Enable JIT on ARM/Linux
2592         https://bugs.webkit.org/show_bug.cgi?id=191548
2593
2594         Reviewed by Yusuke Suzuki.
2595
2596         Disable test on system with limited memory. Program was killed by
2597         the OS before the exception was thrown.
2598
2599         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2600
2601 2018-11-20  Saam barati  <sbarati@apple.com>
2602
2603         Merging an IC variant may lead to the IC status containing overlapping structure sets
2604         https://bugs.webkit.org/show_bug.cgi?id=191869
2605         <rdar://problem/45403453>
2606
2607         Reviewed by Mark Lam.
2608
2609         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2610
2611 2018-11-19  Mark Lam  <mark.lam@apple.com>
2612
2613         globalFuncImportModule() should return a promise when it clears exceptions.
2614         https://bugs.webkit.org/show_bug.cgi?id=191792
2615         <rdar://problem/46090763>
2616
2617         Reviewed by Michael Saboff.
2618
2619         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2620
2621 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2622
2623         Skip new memory-hungry tests on memory limited devices
2624
2625         Unreviewed gardening.
2626
2627         * stress/big-wasm-memory-grow-no-max.js:
2628         * stress/big-wasm-memory-grow.js:
2629         * stress/big-wasm-memory.js:
2630
2631 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2632
2633         Unreviewed, rolling in the rest of r237254
2634         https://bugs.webkit.org/show_bug.cgi?id=190340
2635
2636         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2637         * stress/function-cache-with-parameters-end-position.js: Added.
2638         (shouldBe):
2639         (shouldThrow):
2640         (i.anonymous):
2641         * stress/function-constructor-name.js: Added.
2642         (shouldBe):
2643         (GeneratorFunction):
2644         (AsyncFunction.async):
2645         (AsyncGeneratorFunction.async):
2646         (anonymous):
2647         (async.anonymous):
2648         * test262/expectations.yaml:
2649
2650 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2651
2652         All users of ArrayBuffer should agree on the same max size
2653         https://bugs.webkit.org/show_bug.cgi?id=191771
2654
2655         Reviewed by Mark Lam.
2656
2657         * stress/big-wasm-memory-grow-no-max.js: Added.
2658         (foo):
2659         (catch):
2660         * stress/big-wasm-memory-grow.js: Added.
2661         (foo):
2662         (catch):
2663         * stress/big-wasm-memory.js: Added.
2664         (foo):
2665         (catch):
2666
2667 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2668
2669         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2670         run for each JSC config since they're regression tests for runtime bugs.
2671
2672         * stress/json-stringified-overflow-2.js:
2673         * stress/json-stringified-overflow.js:
2674
2675 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2676
2677         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2678         config since they're regression tests for runtime bugs.
2679
2680         * stress/large-unshift-splice.js:
2681         * stress/regress-185888.js:
2682
2683 2018-11-16  Saam Barati  <sbarati@apple.com>
2684
2685         KnownCellUse should also have SpecCellCheck as its type filter
2686         https://bugs.webkit.org/show_bug.cgi?id=191729
2687         <rdar://problem/45872852>
2688
2689         Reviewed by Filip Pizlo.
2690
2691         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2692         (C):
2693
2694 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2695
2696         Fix assertion failure on BytecodeGenerator::recordOpcode
2697         https://bugs.webkit.org/show_bug.cgi?id=191724
2698         <rdar://problem/45724395>
2699
2700         Reviewed by Saam Barati.
2701
2702         * stress/regress-187373-2.js: Added.
2703         (foo):
2704
2705 2018-11-15  Mark Lam  <mark.lam@apple.com>
2706
2707         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2708         https://bugs.webkit.org/show_bug.cgi?id=191730
2709         <rdar://problem/46048517>
2710
2711         Reviewed by Saam Barati.
2712
2713         * stress/regress-187006.js: Removed.
2714           - this test is invalid because its sole purpose is to test for the non-spec
2715             compliant behavior that we just fixed.
2716
2717         * stress/regress-191730.js: Added.
2718
2719 2018-11-15  Mark Lam  <mark.lam@apple.com>
2720
2721         RegExp operations should not take fast path if lastIndex is not numeric.
2722         https://bugs.webkit.org/show_bug.cgi?id=191731
2723         <rdar://problem/46017305>
2724
2725         Reviewed by Saam Barati.
2726
2727         * stress/regress-191731.js: Added.
2728
2729 2018-11-13  Saam Barati  <sbarati@apple.com>
2730
2731         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2732         https://bugs.webkit.org/show_bug.cgi?id=191600
2733
2734         Reviewed by Mark Lam.
2735
2736         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2737         (foo):
2738         (test):
2739         (bar):
2740
2741 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2742
2743         Unreviewed, rolling out r238132.
2744
2745         The test added with this change is timing out on Debug JSC
2746         bots.
2747
2748         Reverted changeset:
2749
2750         "[BigInt] JSBigInt::createWithLength should throw when length
2751         is greater than JSBigInt::maxLength"
2752         https://bugs.webkit.org/show_bug.cgi?id=190836
2753         https://trac.webkit.org/changeset/238132
2754
2755 2018-11-13  Mark Lam  <mark.lam@apple.com>
2756
2757         Add OOM detection to StringPrototype's substituteBackreferences().
2758         https://bugs.webkit.org/show_bug.cgi?id=191563
2759         <rdar://problem/45720428>
2760
2761         Reviewed by Saam Barati.
2762
2763         * stress/regress-191563.js: Added.
2764
2765 2018-11-13  Mark Lam  <mark.lam@apple.com>
2766
2767         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2768         https://bugs.webkit.org/show_bug.cgi?id=191579
2769         <rdar://problem/45942472>
2770
2771         Reviewed by Saam Barati.
2772
2773         * stress/regress-191579.js: Added.
2774
2775 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2776
2777         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2778         https://bugs.webkit.org/show_bug.cgi?id=190836
2779
2780         Reviewed by Saam Barati.
2781
2782         * stress/big-int-out-of-memory-tests.js: Added.
2783
2784 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2785
2786         U+180E is no longer a whitespace character
2787         https://bugs.webkit.org/show_bug.cgi?id=191415
2788
2789         Reviewed by Saam Barati.
2790
2791         * ChakraCore/test/es5/regexSpace.baseline:
2792         * ChakraCore/test/es6/unicode_whitespace.js:
2793         Update tests to latest version.
2794         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2795
2796         * test262.yaml:
2797         * test262/config.yaml:
2798         * test262/expectations.yaml:
2799         Update expectations.
2800
2801 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2802
2803         [BigInt] Add support to BigInt into ValueAdd
2804         https://bugs.webkit.org/show_bug.cgi?id=186177
2805
2806         Reviewed by Keith Miller.
2807
2808         * stress/big-int-negate-jit.js:
2809         * stress/value-add-big-int-and-string.js: Added.
2810         * stress/value-add-big-int-prediction-propagation.js: Added.
2811         * stress/value-add-big-int-untyped.js: Added.
2812
2813 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2814
2815         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2816         https://bugs.webkit.org/show_bug.cgi?id=191184
2817
2818         Reviewed by Saam Barati.
2819
2820         Most tests were failing due to timeouts, since they are too slow to
2821         run on CLoop. The exceptions are:
2822
2823         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2824         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2825         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2826         to change the stack size since CLoop requires it to be page aligned.
2827
2828         * microbenchmarks/array-push-1.js:
2829         * microbenchmarks/array-push-2.js:
2830         * microbenchmarks/elidable-new-object-dag.js:
2831         * microbenchmarks/elidable-new-object-roflcopter.js:
2832         * microbenchmarks/elidable-new-object-tree.js:
2833         * microbenchmarks/getter-richards.js:
2834         * microbenchmarks/sinkable-new-object-dag.js:
2835         * microbenchmarks/string-concat-long-convert.js:
2836         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2837         * slowMicrobenchmarks/array-push-3.js:
2838         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2839         * slowMicrobenchmarks/spread-small-array.js:
2840         * slowMicrobenchmarks/undefined-property-access.js:
2841         * stress/activation-sink-default-value-tdz-error.js:
2842         * stress/activation-sink-default-value.js:
2843         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2844         * stress/activation-sink-osrexit-default-value.js:
2845         * stress/activation-sink-osrexit.js:
2846         * stress/activation-sink.js:
2847         * stress/allow-math-ic-b3-code-duplication.js:
2848         * stress/array-push-multiple-int32.js:
2849         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2850         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2851         * stress/arrowfunction-lexical-this-activation-sink.js:
2852         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2853         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2854         * stress/elide-new-object-dag-then-exit.js:
2855         * stress/materialize-regexp-cyclic.js:
2856         * stress/new-regex-inline.js:
2857         * stress/op_add.js:
2858         * stress/op_bitand.js:
2859         * stress/op_bitor.js:
2860         * stress/op_bitxor.js:
2861         * stress/op_div-ConstVar.js:
2862         * stress/op_div-VarConst.js:
2863         * stress/op_div-VarVar.js:
2864         * stress/op_lshift-ConstVar.js:
2865         * stress/op_lshift-VarConst.js:
2866         * stress/op_lshift-VarVar.js:
2867         * stress/op_mod-ConstVar.js:
2868         * stress/op_mod-VarConst.js:
2869         * stress/op_mod-VarVar.js:
2870         * stress/op_mul-ConstVar.js:
2871         * stress/op_mul-VarConst.js:
2872         * stress/op_mul-VarVar.js:
2873         * stress/op_rshift-ConstVar.js:
2874         * stress/op_rshift-VarConst.js:
2875         * stress/op_rshift-VarVar.js:
2876         * stress/op_sub-ConstVar.js:
2877         * stress/op_sub-VarConst.js:
2878         * stress/op_sub-VarVar.js:
2879         * stress/op_urshift-ConstVar.js:
2880         * stress/op_urshift-VarConst.js:
2881         * stress/op_urshift-VarVar.js:
2882         * stress/proxy-get-set-correct-receiver.js:
2883         * stress/regress-179562.js:
2884         * stress/rest-parameter-many-arguments.js:
2885         * stress/sampling-profiler-richards.js:
2886         * stress/splay-flash-access-1ms.js:
2887         * stress/tailCallForwardArguments.js:
2888         * stress/typed-array-get-by-val-profiling.js:
2889         * typeProfiler/getter-richards.js:
2890
2891 2018-11-06  Michael Saboff  <msaboff@apple.com>
2892
2893         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2894         https://bugs.webkit.org/show_bug.cgi?id=191271
2895
2896         Reviewed by Saam Barati.
2897
2898         Added more test cases and made all test cases run with the same deeply recursive stack
2899         instead of finding that same point for each test case.
2900
2901         * stress/regexp-compile-oom.js:
2902         (prototype.runTest):
2903         (recurseAndTest):
2904         (testList.push.new.TestAndExpectedException):
2905
2906 2018-11-05  Michael Saboff  <msaboff@apple.com>
2907
2908         Unreviewed build fix for linux.
2909
2910         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2911
2912 2018-11-02  Michael Saboff  <msaboff@apple.com>
2913
2914         Rolling in r237753 with unreviewed build fix.
2915
2916         Fixed issues with DECLARE_THROW_SCOPE placement.
2917
2918 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2919
2920         Unreviewed, rolling out r237753.
2921
2922         Introduced JSC test failures
2923
2924         Reverted changeset:
2925
2926         "Running out of stack space not properly handled in
2927         RegExp::compile() and its callers"
2928         https://bugs.webkit.org/show_bug.cgi?id=191206
2929         https://trac.webkit.org/changeset/237753
2930
2931 2018-11-02  Michael Saboff  <msaboff@apple.com>
2932
2933         Running out of stack space not properly handled in RegExp::compile() and its callers
2934         https://bugs.webkit.org/show_bug.cgi?id=191206
2935
2936         Reviewed by Filip Pizlo.
2937
2938         New regression test.
2939
2940         * stress/regexp-compile-oom.js: Added.
2941         (recurseAndTest):
2942
2943 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2944
2945         Skip tests on arm/mips that time out now we're running on CLoop
2946
2947         Unreviewed gardening.
2948
2949         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2950         time out on the bots and need to be disabled. There's more tests
2951         disabled on arm because the timeout is longer on the mips bot (as the
2952         device is slower to start with), so many of the tests don't time out
2953         there.
2954
2955         * microbenchmarks/getter-richards.js: disable on arm and mips.
2956         * stress/op_add.js: disable on arm.
2957         * stress/op_bitand.js: disable on arm.
2958         * stress/op_bitor.js: disable on arm.
2959         * stress/op_bitxor.js: disable on arm.
2960         * stress/op_lshift-ConstVar.js: disable on arm.
2961         * stress/op_lshift-VarConst.js: disable on arm.
2962         * stress/op_lshift-VarVar.js: disable on arm.
2963         * stress/op_mod-ConstVar.js: disable on arm.
2964         * stress/op_mod-VarConst.js: disable on arm.
2965         * stress/op_mod-VarVar.js: disable on arm.
2966         * stress/op_mul-ConstVar.js: disable on arm.
2967         * stress/op_mul-VarConst.js: disable on arm.
2968         * stress/op_mul-VarVar.js: disable on arm.
2969         * stress/op_rshift-ConstVar.js: disable on arm.
2970         * stress/op_rshift-VarConst.js: disable on arm.
2971         * stress/op_rshift-VarVar.js: disable on arm.
2972         * stress/op_sub-ConstVar.js: disable on arm.
2973         * stress/op_sub-VarConst.js: disable on arm.
2974         * stress/op_sub-VarVar.js: disable on arm.
2975         * stress/op_urshift-ConstVar.js: disable on arm.
2976         * stress/op_urshift-VarConst.js: disable on arm.
2977         * stress/op_urshift-VarVar.js: disable on arm.
2978         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2979         * stress/value-to-boolean.js: disable on arm and mips.
2980
2981 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2982
2983         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2984         https://bugs.webkit.org/show_bug.cgi?id=191108
2985         <rdar://problem/45690700>
2986
2987         Reviewed by Saam Barati.
2988
2989         * stress/wide-op_catch.js: Added.
2990         (catch):
2991
2992 2018-10-29  Mark Lam  <mark.lam@apple.com>
2993
2994         Correctly detect string overflow when using the 'Function' constructor.
2995         https://bugs.webkit.org/show_bug.cgi?id=184883
2996         <rdar://problem/36320331>
2997
2998         Reviewed by Saam Barati.
2999
3000         I've verified that this passes on 32-bit as well.
3001
3002         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3003
3004 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3005
3006         Add support for GetStack FlushedDouble
3007         https://bugs.webkit.org/show_bug.cgi?id=191012
3008         <rdar://problem/45265141>
3009
3010         Reviewed by Saam Barati.
3011
3012         * stress/get-stack-double.js: Added.
3013         (bar):
3014         (noInline):
3015
3016 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3017
3018         New bytecode format for JSC
3019         https://bugs.webkit.org/show_bug.cgi?id=187373
3020         <rdar://problem/44186758>
3021
3022         Reviewed by Filip Pizlo.
3023
3024         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3025
3026         * stress/maximum-inline-capacity.js: Added.
3027         (test1):
3028         (test3.Foo):
3029         (test3):
3030
3031 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3032
3033         Unreviewed, rolling out r237479 and r237484.
3034         https://bugs.webkit.org/show_bug.cgi?id=190978
3035
3036         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3037
3038         Reverted changesets:
3039
3040         "New bytecode format for JSC"
3041         https://bugs.webkit.org/show_bug.cgi?id=187373
3042         https://trac.webkit.org/changeset/237479
3043
3044         "Gardening: Build fix after r237479."
3045         https://bugs.webkit.org/show_bug.cgi?id=187373
3046         https://trac.webkit.org/changeset/237484
3047
3048 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3049
3050         New bytecode format for JSC
3051         https://bugs.webkit.org/show_bug.cgi?id=187373
3052         <rdar://problem/44186758>
3053
3054         Reviewed by Filip Pizlo.
3055
3056         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3057
3058         * stress/maximum-inline-capacity.js: Added.
3059         (test1):
3060         (test3.Foo):
3061         (test3):
3062
3063 2018-10-26  Mark Lam  <mark.lam@apple.com>
3064
3065         Fix missing edge cases with JSGlobalObjects having a bad time.
3066         https://bugs.webkit.org/show_bug.cgi?id=189028
3067         <rdar://problem/45204939>
3068
3069         Reviewed by Saam Barati.
3070
3071         * stress/regress-189028.js: Added.
3072
3073 2018-10-22  Mark Lam  <mark.lam@apple.com>
3074
3075         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3076         https://bugs.webkit.org/show_bug.cgi?id=190515
3077         <rdar://problem/45222379>
3078
3079         Rubber-stamped by Saam Barati.
3080
3081         Adding another test.
3082
3083         * stress/regress-190515-2.js: Added.
3084
3085 2018-10-22  Mark Lam  <mark.lam@apple.com>
3086
3087         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3088         https://bugs.webkit.org/show_bug.cgi?id=190515
3089         <rdar://problem/45222379>
3090
3091         Reviewed by Saam Barati.
3092
3093         * stress/regress-190515.js: Added.
3094
3095 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3096
3097         Unreviewed, rolling out r237254.
3098         https://bugs.webkit.org/show_bug.cgi?id=190760
3099
3100         "It regresses JetStream 2 by 5% on some iOS devices"
3101         (Requested by saamyjoon on #webkit).
3102
3103         Reverted changeset:
3104
3105         "[JSC] JSC should have "parseFunction" to optimize Function
3106         constructor"
3107         https://bugs.webkit.org/show_bug.cgi?id=190340
3108         https://trac.webkit.org/changeset/237254
3109
3110 2018-10-19  Saam Barati  <sbarati@apple.com>
3111
3112         vmCall should check if we exit before emitting an OSR exit due to exceptions
3113         https://bugs.webkit.org/show_bug.cgi?id=190740
3114         <rdar://problem/45220139>
3115
3116         Reviewed by Mark Lam.
3117
3118         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3119         (foo):
3120
3121 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3122
3123         [ESNext][BigInt] Implement support for "^"
3124         https://bugs.webkit.org/show_bug.cgi?id=186235
3125
3126         Reviewed by Yusuke Suzuki.
3127
3128         * stress/big-int-bitwise-xor-general.js: Added.
3129         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3130         * stress/big-int-bitwise-xor-type-error.js: Added.
3131         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3132
3133 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3134
3135         [BigInt] Add ValueSub into DFG
3136         https://bugs.webkit.org/show_bug.cgi?id=186176
3137
3138         Reviewed by Yusuke Suzuki.
3139
3140         * stress/big-int-subtraction-jit.js:
3141         * stress/value-sub-big-int-prediction-propagation.js: Added.
3142         * stress/value-sub-big-int-untyped.js: Added.
3143         * stress/value-sub-spec-none-case.js: Added.
3144
3145 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3146
3147         [JSC] JSC should have "parseFunction" to optimize Function constructor
3148         https://bugs.webkit.org/show_bug.cgi?id=190340
3149
3150         Reviewed by Mark Lam.
3151
3152         This patch fixes the line number of syntax errors raised by the Function constructor,
3153         since we now parse the final code only once. And we no longer use block statement
3154         for Function constructor's parsing.
3155
3156         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3157         * stress/function-cache-with-parameters-end-position.js: Added.
3158         (shouldBe):
3159         (shouldThrow):
3160         (i.anonymous):
3161         * stress/function-constructor-name.js: Added.
3162         (shouldBe):
3163         (GeneratorFunction):
3164         (AsyncFunction.async):
3165         (AsyncGeneratorFunction.async):
3166         (anonymous):
3167         (async.anonymous):
3168         * test262/expectations.yaml:
3169
3170 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3171
3172         Unreviewed, rolling out r237242.
3173         https://bugs.webkit.org/show_bug.cgi?id=190701
3174
3175         it breaks "stress/sampling-profiler-basic.js" (Requested by
3176         caiolima on #webkit).
3177
3178         Reverted changeset:
3179
3180         "[BigInt] Add ValueSub into DFG"
3181         https://bugs.webkit.org/show_bug.cgi?id=186176
3182         https://trac.webkit.org/changeset/237242
3183
3184 2018-10-17  Keith Miller  <keith_miller@apple.com>
3185
3186         AI does not clear Phantom allocation nodes.
3187         https://bugs.webkit.org/show_bug.cgi?id=190694
3188
3189         Reviewed by Saam Barati.
3190
3191         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3192         (Day):
3193         (DaysInYear):
3194         (TimeInYear):
3195         (TimeFromYear):
3196         (DayFromYear):
3197         (InLeapYear):
3198         (YearFromTime):
3199         (WeekDay):
3200         (DaylightSavingTA):
3201         (GetSecondSundayInMarch):
3202         (TimeInMonth):
3203
3204 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3205
3206         [BigInt] Add ValueSub into DFG
3207         https://bugs.webkit.org/show_bug.cgi?id=186176
3208
3209         Reviewed by Yusuke Suzuki.
3210
3211         * stress/big-int-subtraction-jit.js:
3212         * stress/value-sub-big-int-prediction-propagation.js: Added.
3213         * stress/value-sub-big-int-untyped.js: Added.
3214
3215 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3216
3217         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3218         https://bugs.webkit.org/show_bug.cgi?id=190611
3219
3220         Reviewed by Saam Barati.
3221
3222         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3223         to improve test runtime. On ARM/MIPS this test even timed out when running all
3224         tests.
3225
3226         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3227         (test):
3228
3229 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3230
3231         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3232
3233         Unreviewed gardening.
3234
3235         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3236
3237 2018-10-15  Saam barati  <sbarati@apple.com>
3238
3239         Emit fjcvtzs on ARM64E on Darwin
3240         https://bugs.webkit.org/show_bug.cgi?id=184023
3241
3242         Reviewed by Yusuke Suzuki and Filip Pizlo.
3243
3244         * stress/double-to-int32-NaN.js: Added.
3245         (assert):
3246         (foo):
3247
3248 2018-10-15  Saam Barati  <sbarati@apple.com>
3249
3250         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3251         https://bugs.webkit.org/show_bug.cgi?id=190262
3252         <rdar://problem/44986241>
3253
3254         Reviewed by Mark Lam.
3255
3256         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3257         (test):
3258         * stress/slice-array-storage-with-holes.js: Added.
3259         (main):
3260
3261 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3262
3263         Unreviewed, rolling out r237054.
3264         https://bugs.webkit.org/show_bug.cgi?id=190593
3265
3266         "this regressed JetStream 2 by 6% on iOS" (Requested by
3267         saamyjoon on #webkit).
3268
3269         Reverted changeset:
3270
3271         "[JSC] JSC should have "parseFunction" to optimize Function
3272         constructor"
3273         https://bugs.webkit.org/show_bug.cgi?id=190340
3274         https://trac.webkit.org/changeset/237054
3275
3276 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3277
3278         [JSC] JSON.stringify can accept call-with-no-arguments
3279         https://bugs.webkit.org/show_bug.cgi?id=190343
3280
3281         Reviewed by Mark Lam.
3282
3283         * stress/json-stringify-no-arguments.js: Added.
3284         (shouldBe):
3285
3286 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3287
3288         [JSC] JSC should have "parseFunction" to optimize Function constructor
3289         https://bugs.webkit.org/show_bug.cgi?id=190340
3290
3291         Reviewed by Mark Lam.
3292
3293         This patch fixes the line number of syntax errors raised by the Function constructor,
3294         since we now parse the final code only once. And we no longer use block statement
3295         for Function constructor's parsing.
3296
3297         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3298         * stress/function-cache-with-parameters-end-position.js: Added.
3299         (shouldBe):
3300         (shouldThrow):
3301         (i.anonymous):
3302         * stress/function-constructor-name.js: Added.
3303         (shouldBe):
3304         (GeneratorFunction):
3305         (AsyncFunction.async):
3306         (AsyncGeneratorFunction.async):
3307         (anonymous):
3308         (async.anonymous):
3309         * test262/expectations.yaml:
3310
3311 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3312
3313         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3314         https://bugs.webkit.org/show_bug.cgi?id=190426
3315
3316         Unreviewed gardening.
3317
3318         * stress/sampling-profiler-richards.js:
3319
3320 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3321
3322         [ESNext][BigInt] Implement support for "|"
3323         https://bugs.webkit.org/show_bug.cgi?id=186229
3324
3325         Reviewed by Yusuke Suzuki.
3326
3327         * stress/big-int-bitwise-and-jit.js:
3328         * stress/big-int-bitwise-or-general.js: Added.
3329         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3330         * stress/big-int-bitwise-or-jit.js: Added.
3331         * stress/big-int-bitwise-or-memory-stress.js: Added.
3332         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3333         * stress/big-int-bitwise-or-type-error.js: Added.
3334         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3335
3336 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3337
3338         Skip test on systems with limited memory
3339         https://bugs.webkit.org/show_bug.cgi?id=190310
3340
3341         Invoking runDefault adds test to runlist, skipping the test in the next
3342         line does not prevent the test from executing. Change order of lines such
3343         that runDefault is only executed if test is not executed.
3344
3345         Reviewed by Mark Lam.
3346
3347         * stress/regress-190187.js:
3348
3349 2018-10-03  Saam barati  <sbarati@apple.com>
3350
3351         lowXYZ in FTLLower should always filter the type of the incoming edge
3352         https://bugs.webkit.org/show_bug.cgi?id=189939
3353         <rdar://problem/44407030>
3354
3355         Reviewed by Michael Saboff.
3356
3357         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3358         (foo):
3359         (test):
3360
3361 2018-10-03  Mark Lam  <mark.lam@apple.com>
3362
3363         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3364         https://bugs.webkit.org/show_bug.cgi?id=190187
3365         <rdar://problem/42512909>
3366
3367         Reviewed by Michael Saboff.
3368
3369         * stress/regress-190187.js: Added.
3370
3371 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3372
3373         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3374         https://bugs.webkit.org/show_bug.cgi?id=190033
3375
3376         Reviewed by Yusuke Suzuki.
3377
3378         * stress/big-int-to-string.js:
3379
3380 2018-10-01  Mark Lam  <mark.lam@apple.com>
3381
3382         Function.toString() should also copy the source code for Functions that are class definitions.
3383         https://bugs.webkit.org/show_bug.cgi?id=190186
3384         <rdar://problem/44733360>
3385
3386         Reviewed by Saam Barati.
3387
3388         * stress/regress-190186.js: Added.
3389
3390 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3391
3392         Split NaN-check into separate test
3393         https://bugs.webkit.org/show_bug.cgi?id=190010
3394
3395         Reviewed by Saam Barati.
3396
3397         DataView exposes NaN-representation, which is not necessarily the same on each
3398         architecture. Therefore move the check of the NaN-representation into its own
3399         file such that we can disable this test on MIPS where NaN-representation can be
3400         different on older CPUs.
3401
3402         * stress/dataview-jit-set-nan.js: Added.
3403         (assert):
3404         (test.storeLittleEndian):
3405         (test.storeBigEndian):
3406         (test.store):
3407         (test):
3408         * stress/dataview-jit-set.js:
3409         (test5):
3410
3411 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3412
3413         Unreviewed, rolling out r236647.
3414         https://bugs.webkit.org/show_bug.cgi?id=190124
3415
3416         Breaking test stress/big-int-to-string.js (Requested by
3417         caiolima_ on #webkit).
3418
3419         Reverted changeset:
3420
3421         "[BigInt] BigInt.prototype.toString is broken when radix is
3422         power of 2"
3423         https://bugs.webkit.org/show_bug.cgi?id=190033
3424         https://trac.webkit.org/changeset/236647
3425
3426 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3427
3428         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3429         https://bugs.webkit.org/show_bug.cgi?id=190033
3430
3431         Reviewed by Yusuke Suzuki.
3432
3433         * stress/big-int-to-string.js:
3434
3435 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3436
3437         [ESNext][BigInt] Implement support for "&"
3438         https://bugs.webkit.org/show_bug.cgi?id=186228
3439
3440         Reviewed by Yusuke Suzuki.
3441
3442         * stress/big-int-bitwise-and-general.js: Added.
3443         (assert):
3444         (assert.sameValue):
3445         * stress/big-int-bitwise-and-jit.js: Added.
3446         (let.assert.sameValue):
3447         (bigIntBitAnd):
3448         * stress/big-int-bitwise-and-memory-stress.js: Added.
3449         (assert):
3450         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3451         (assert.sameValue):
3452         (let.o.Symbol.toPrimitive):
3453         (catch):
3454         * stress/big-int-bitwise-and-type-error.js: Added.
3455         (assert):
3456         (assertThrowTypeError):
3457         (let.o.valueOf):
3458         (o.valueOf):
3459         (o.toString):
3460         (o.Symbol.toPrimitive):
3461         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3462         (assert.sameValue):
3463         (testBitAnd):
3464         (let.o.Symbol.toPrimitive):
3465         (o.valueOf):
3466         (o.toString):
3467
3468 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3469
3470         JSC test stress/jsc-read.js doesn't support CRLF
3471         https://bugs.webkit.org/show_bug.cgi?id=190063
3472
3473         Reviewed by Yusuke Suzuki.
3474
3475         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3476
3477         * stress/jsc-read.js:
3478         (test):
3479
3480 2018-09-27  Saam barati  <sbarati@apple.com>
3481
3482         Verify the contents of AssemblerBuffer on arm64e
3483         https://bugs.webkit.org/show_bug.cgi?id=190057
3484         <rdar://problem/38916630>
3485
3486         Reviewed by Mark Lam.
3487
3488         * stress/regress-189132.js:
3489
3490 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3491
3492         Disable test without LLInt on ARMv7
3493         https://bugs.webkit.org/show_bug.cgi?id=190037
3494
3495         Reviewed by Mark Lam.
3496
3497         Test runs out of executable memory on ARMv7; do not run
3498         this test without LLInt enabled.
3499
3500         * stress/regress-169445.js:
3501
3502 2018-09-26  Keith Miller  <keith_miller@apple.com>
3503
3504         We should zero unused property storage when rebalancing array storage.
3505         https://bugs.webkit.org/show_bug.cgi?id=188151
3506
3507         Reviewed by Michael Saboff.
3508
3509         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3510
3511 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3512
3513         [JSC] Optimize Array#lastIndexOf
3514         https://bugs.webkit.org/show_bug.cgi?id=189780
3515
3516         Reviewed by Saam Barati.
3517
3518         * stress/array-lastindexof-array-prototype-trap.js: Added.
3519         (shouldBe):
3520         (AncestorArray.prototype.get 2):
3521         (AncestorArray):
3522         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3523         (shouldBe):
3524         * stress/array-lastindexof-hole-nan.js: Added.
3525         (shouldBe):
3526         (throw.new.Error):
3527         * stress/array-lastindexof-infinity.js: Added.
3528         (shouldBe):
3529         (throw.new.Error):
3530         * stress/array-lastindexof-negative-zero.js: Added.
3531         (shouldBe):
3532         (throw.new.Error):
3533         * stress/array-lastindexof-own-getter.js: Added.
3534         (shouldBe):
3535         (throw.new.Error.get array):
3536         (get array):
3537         * stress/array-lastindexof-prototype-trap.js: Added.
3538         (shouldBe):
3539         (DerivedArray.prototype.get 2):
3540         (DerivedArray):
3541
3542 2018-09-25  Saam Barati  <sbarati@apple.com>
3543
3544         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3545         https://bugs.webkit.org/show_bug.cgi?id=189940
3546         <rdar://problem/43640987>
3547
3548         Reviewed by Mark Lam.
3549
3550         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3551
3552 2018-09-24  Saam Barati  <sbarati@apple.com>
3553
3554         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3555         https://bugs.webkit.org/show_bug.cgi?id=189922
3556         <rdar://problem/44651275>
3557
3558         Reviewed by Mark Lam.
3559
3560         * stress/array-indexof-fast-path-effects.js: Added.
3561         * stress/array-indexof-cached-length.js: Added.
3562
3563 2018-09-24  Saam barati  <sbarati@apple.com>
3564
3565         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3566         https://bugs.webkit.org/show_bug.cgi?id=189682
3567         <rdar://problem/43557315>
3568
3569         Reviewed by Mark Lam.
3570
3571         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3572         (foo):
3573
3574 2018-09-22  Saam barati  <sbarati@apple.com>
3575
3576         The sampling should not use Strong<CodeBlock> in its machineLocation field
3577         https://bugs.webkit.org/show_bug.cgi?id=189319
3578
3579         Reviewed by Filip Pizlo.
3580
3581         * stress/sampling-profiler-richards.js: Added.
3582
3583 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3584
3585         [JSC] Optimize Array#indexOf in C++ runtime
3586         https://bugs.webkit.org/show_bug.cgi?id=189507
3587
3588         Reviewed by Saam Barati.
3589
3590         * stress/array-indexof-array-prototype-trap.js: Added.
3591         (shouldBe):
3592         (AncestorArray.prototype.get 2):
3593         (AncestorArray):
3594         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3595         (shouldBe):
3596         * stress/array-indexof-hole-nan.js: Added.
3597         (shouldBe):
3598         (throw.new.Error):
3599         * stress/array-indexof-infinity.js: Added.
3600         (shouldBe):
3601         (throw.new.Error):
3602         * stress/array-indexof-negative-zero.js: Added.
3603         (shouldBe):
3604         (throw.new.Error):
3605         * stress/array-indexof-own-getter.js: Added.
3606         (shouldBe):
3607         (throw.new.Error.get array):
3608         (get array):
3609         * stress/array-indexof-prototype-trap.js: Added.
3610         (shouldBe):
3611         (DerivedArray.prototype.get 2):
3612         (DerivedArray):
3613
3614 2018-09-19  Saam barati  <sbarati@apple.com>
3615
3616         AI rule for MultiPutByOffset executes its effects in the wrong order
3617         https://bugs.webkit.org/show_bug.cgi?id=189757
3618         <rdar://problem/43535257>
3619
3620         Reviewed by Michael Saboff.
3621
3622         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3623         (foo):
3624         (Foo):
3625         (g):
3626
3627 2018-09-17  Mark Lam  <mark.lam@apple.com>
3628
3629         Ensure that ForInContexts are invalidated if their loop local is over-written.
3630         https://bugs.webkit.org/show_bug.cgi?id=189571
3631         <rdar://problem/44402277>
3632
3633         Reviewed by Saam Barati.
3634
3635         * stress/regress-189571.js: Added.
3636
3637 2018-09-17  Saam barati  <sbarati@apple.com>
3638
3639         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3640         https://bugs.webkit.org/show_bug.cgi?id=189676
3641         <rdar://problem/39682897>
3642
3643         Reviewed by Michael Saboff.
3644
3645         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3646         (A):
3647         (K):
3648         (i.catch):
3649
3650 2018-09-14  Saam barati  <sbarati@apple.com>
3651
3652         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3653         https://bugs.webkit.org/show_bug.cgi?id=189628
3654         <rdar://problem/39481690>
3655
3656         Reviewed by Mark Lam.
3657
3658         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3659         (foo):
3660
3661 2018-09-11  Mark Lam  <mark.lam@apple.com>
3662
3663         Test for array initialization in arrayProtoFuncSplice.
3664         https://bugs.webkit.org/show_bug.cgi?id=170253
3665         <rdar://problem/31328773>
3666
3667         Rubber-stamped by Saam Barati.
3668
3669         * stress/regress-170253.js: Added.
3670
3671 2018-09-11  Mark Lam  <mark.lam@apple.com>
3672
3673         Test for IntlObject initialization.
3674         https://bugs.webkit.org/show_bug.cgi?id=170251
3675         <rdar://problem/31328419>
3676
3677         Rubber-stamped by Saam Barati.
3678
3679         * stress/regress-170251.js: Added.
3680
3681 2018-09-11  Mark Lam  <mark.lam@apple.com>
3682
3683         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3684         https://bugs.webkit.org/show_bug.cgi?id=169889
3685         <rdar://problem/31155607>
3686
3687         Reviewed by Saam Barati.
3688
3689         * stress/regress-169889-array-concat.js: Added.
3690         * stress/regress-169889-array-concat1.js: Added.
3691         * stress/regress-169889-array-slice.js: Added.
3692
3693 2018-09-11  Mark Lam  <mark.lam@apple.com>
3694
3695         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3696         https://bugs.webkit.org/show_bug.cgi?id=169445
3697         <rdar://problem/30957435>
3698
3699         Reviewed by Saam Barati.
3700
3701         * stress/regress-169445.js: Added.
3702         (let.gun.eval.A):
3703         (let.gun.eval.B.C):
3704         (let.gun.eval.B.C.prototype.trigger):
3705         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3706         (let.gun.eval.B):
3707         (let.gun.eval):
3708
3709 == Rolled over to ChangeLog-2018-09-11 ==