The parser is failing to record the token location of new in new.target.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-27  Mark Lam  <mark.lam@apple.com>
2
3         The parser is failing to record the token location of new in new.target.
4         https://bugs.webkit.org/show_bug.cgi?id=195127
5         <rdar://problem/39645578>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
10
11 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
14         https://bugs.webkit.org/show_bug.cgi?id=195144
15         <rdar://problem/47595961>
16
17         Reviewed by Mark Lam.
18
19         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
20         (bar):
21         (foo):
22         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
23         (bar):
24         (foo):
25
26 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
27
28         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
29         https://bugs.webkit.org/show_bug.cgi?id=194677
30         <rdar://problem/48112492>
31
32         Reviewed by Mark Lam.
33
34         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
35         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
36         it immediately fails due the large size.
37
38         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
39         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
40         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
41         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
42
43         This patch changes the test to produce 16bit string from String.fromCharCode.
44
45         * stress/regress-178386.js:
46
47 2019-02-26  Mark Lam  <mark.lam@apple.com>
48
49         wasmToJS() should purify incoming NaNs.
50         https://bugs.webkit.org/show_bug.cgi?id=194807
51         <rdar://problem/48189132>
52
53         Reviewed by Saam Barati.
54
55         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
56
57 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
58
59         [JSC] Repeat string created from Array.prototype.join() take too much memory
60         https://bugs.webkit.org/show_bug.cgi?id=193912
61
62         Reviewed by Saam Barati.
63
64         Added a test and a microbenchmark for corner cases of
65         Array.prototype.join() with an uninitialized array.
66
67         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
68         * stress/array-prototype-join-uninitialized.js: Added.
69         (testArray):
70         (testABC):
71         (B):
72         (C):
73
74 2019-02-22  Robin Morisset  <rmorisset@apple.com>
75
76         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
77         https://bugs.webkit.org/show_bug.cgi?id=194953
78         <rdar://problem/47595253>
79
80         Reviewed by Saam Barati.
81
82         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
83
84         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
85
86 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
87
88         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
89         https://bugs.webkit.org/show_bug.cgi?id=172848
90         <rdar://problem/25709212>
91
92         Reviewed by Mark Lam.
93
94         * typeProfiler/inheritance.js:
95         Rewrite the test slightly for clarity. The hoisting was confusing.
96
97         * heapProfiler/class-names.js: Added.
98         (MyES5Class):
99         (MyES6Class):
100         (MyES6Subclass):
101         Test object types and improved class names.
102
103         * heapProfiler/driver/driver.js:
104         (CheapHeapSnapshotNode):
105         (CheapHeapSnapshot):
106         (createCheapHeapSnapshot):
107         (HeapSnapshot):
108         (createHeapSnapshot):
109         Update snapshot parsing from version 1 to version 2.
110
111 2019-02-19  Truitt Savell  <tsavell@apple.com>
112
113         Unreviewed, rolling out r241784.
114
115         Broke all OpenSource builds.
116
117         Reverted changeset:
118
119         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
120         instances view"
121         https://bugs.webkit.org/show_bug.cgi?id=172848
122         https://trac.webkit.org/changeset/241784
123
124 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
125
126         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
127         https://bugs.webkit.org/show_bug.cgi?id=172848
128         <rdar://problem/25709212>
129
130         Reviewed by Mark Lam.
131
132         * typeProfiler/inheritance.js:
133         Rewrite the test slightly for clarity. The hoisting was confusing.
134
135         * heapProfiler/class-names.js: Added.
136         (MyES5Class):
137         (MyES6Class):
138         (MyES6Subclass):
139         Test object types and improved class names.
140
141         * heapProfiler/driver/driver.js:
142         (CheapHeapSnapshotNode):
143         (CheapHeapSnapshot):
144         (createCheapHeapSnapshot):
145         (HeapSnapshot):
146         (createHeapSnapshot):
147         Update snapshot parsing from version 1 to version 2.
148
149 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
150
151         [ARM] Fix crash with sampling profiler
152         https://bugs.webkit.org/show_bug.cgi?id=194772
153
154         Reviewed by Mark Lam.
155
156         Do not skip test since crash with sampling profiler is now fixed.
157
158         * stress/sampling-profiler-richards.js:
159
160 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
161
162         [JSC] Add LazyClassStructure::getInitializedOnMainThread
163         https://bugs.webkit.org/show_bug.cgi?id=194784
164         <rdar://problem/48154820>
165
166         Reviewed by Mark Lam.
167
168         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
169         (getProperties):
170         (getRandomProperty):
171         (i.catch):
172
173 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
174
175         [ARM] Test gardening: Test running out of executable memory
176         https://bugs.webkit.org/show_bug.cgi?id=194771
177
178         Unreviewed. Do not run test without LLInt, test is running out of executable
179         memory on ARM otherwise.
180
181         * stress/tagged-template-object-collect.js:
182
183 2019-02-18  Tomas Popela  <tpopela@redhat.com>
184
185         Unreviewed, skip the test on platforms without sampling profiler
186
187         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
188         (platformSupportsSamplingProfiler.foo):
189         (platformSupportsSamplingProfiler.test):
190         (platformSupportsSamplingProfiler):
191         (foo): Deleted.
192         (test): Deleted.
193
194 2019-02-17  Saam Barati  <sbarati@apple.com>
195
196         Deadlock when adding a Structure property transition and then doing incremental marking
197         https://bugs.webkit.org/show_bug.cgi?id=194767
198
199         Reviewed by Mark Lam.
200
201         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
202
203 2019-02-15  Michael Saboff  <msaboff@apple.com>
204
205         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
206         https://bugs.webkit.org/show_bug.cgi?id=194558
207
208         Reviewed by Saam Barati.
209
210         New regression test.
211
212         * stress/regexp-unicode-within-string.js: Added.
213
214 2019-02-15  Mark Lam  <mark.lam@apple.com>
215
216         SamplingProfiler::stackTracesAsJSON() should escape strings.
217         https://bugs.webkit.org/show_bug.cgi?id=194649
218         <rdar://problem/48072386>
219
220         Reviewed by Saam Barati.
221
222         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
223         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
224         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
225         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
226
227 2019-02-15  Robin Morisset  <rmorisset@apple.com>
228         CodeBlock::jettison should clear related watchpoints
229         https://bugs.webkit.org/show_bug.cgi?id=194544
230
231         Reviewed by Mark Lam.
232
233         * stress/regexp-replace-double-watchpoint.js: Added.
234         (foo):
235
236 2019-02-15  Saam barati  <sbarati@apple.com>
237
238         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
239         https://bugs.webkit.org/show_bug.cgi?id=194036
240
241         Reviewed by Yusuke Suzuki.
242
243         * stress/tail-call-many-arguments.js: Added.
244         (foo):
245         (bar):
246
247 2019-02-14  Saam Barati  <sbarati@apple.com>
248
249         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
250         https://bugs.webkit.org/show_bug.cgi?id=194583
251         <rdar://problem/48028140>
252
253         Reviewed by Yusuke Suzuki.
254
255         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
256
257 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
258
259         [JSC] String.fromCharCode's slow path always generates 16bit string
260         https://bugs.webkit.org/show_bug.cgi?id=194466
261
262         Reviewed by Keith Miller.
263
264         * stress/string-from-char-code-slow-path.js: Added.
265         (shouldBe):
266         (testWithLength):
267
268 2019-02-08  Saam barati  <sbarati@apple.com>
269
270         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
271         https://bugs.webkit.org/show_bug.cgi?id=194334
272         <rdar://problem/47844327>
273
274         Reviewed by Mark Lam.
275
276         * stress/check-in-bounds-should-be-a-child-use.js: Added.
277         (func):
278
279 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
280
281         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
282         https://bugs.webkit.org/show_bug.cgi?id=194369
283         <rdar://problem/47813087>
284
285         Reviewed by Saam Barati.
286
287         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
288         (A):
289
290 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
291
292         [JSC] PrivateName to PublicName hash table is wasteful
293         https://bugs.webkit.org/show_bug.cgi?id=194277
294
295         Reviewed by Michael Saboff.
296
297         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
298
299         * ChakraCore.yaml:
300
301 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
302
303         [ARM] Test running out of executable memory
304         https://bugs.webkit.org/show_bug.cgi?id=194285
305
306         Unreviewed. Do no execute test with LLInt disabled, test runs out of
307         executable memory otherwise.
308
309         * stress/class-subclassing-function.js:
310
311 2019-02-04  Robin Morisset  <rmorisset@apple.com>
312
313         when lowering AssertNotEmpty, create the value before creating the patchpoint
314         https://bugs.webkit.org/show_bug.cgi?id=194231
315
316         Reviewed by Saam Barati.
317
318         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
319         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
320         So even tiny changes to this test can change the path code taken.
321
322         * stress/assert-not-empty.js: Added.
323         (foo):
324
325 2019-02-01  Mark Lam  <mark.lam@apple.com>
326
327         Remove invalid assertion in DFG's compileDoubleRep().
328         https://bugs.webkit.org/show_bug.cgi?id=194130
329         <rdar://problem/47699474>
330
331         Reviewed by Saam Barati.
332
333         * stress/constant-fold-double-rep-into-double-constant.js: Added.
334
335 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
336
337         Import latest Test262 updates.
338
339         Rubber-stamped by Keith Miller.
340
341         * test262.yaml: Deleted.
342         * test262/config.yaml:
343         * test262/expectations.yaml:
344         * test262/latest-changes-summary.txt:
345         * test262/test/:
346         * test262/test262-Revision.txt:
347
348 2019-01-30  Robin Morisset  <rmorisset@apple.com>
349
350         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
351         https://bugs.webkit.org/show_bug.cgi?id=194050
352         <rdar://problem/47595592>
353
354         Reviewed by Yusuke Suzuki.
355
356         * stress/object-keys-osr-exit.js: Added.
357         (foo):
358         (catch):
359
360 2019-01-29  Mark Lam  <mark.lam@apple.com>
361
362         ValueRecovery::recover() should purify NaN values it recovers.
363         https://bugs.webkit.org/show_bug.cgi?id=193978
364         <rdar://problem/47625488>
365
366         Reviewed by Saam Barati.
367
368         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
369
370 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
371
372         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
373         https://bugs.webkit.org/show_bug.cgi?id=193713
374
375         * stress/try-get-by-id-should-spill-registers-dfg.js:
376         (let.f.createBuiltin):
377
378 2019-01-28  Mark Lam  <mark.lam@apple.com>
379
380         ToString node actually does GC.
381         https://bugs.webkit.org/show_bug.cgi?id=193920
382         <rdar://problem/46695900>
383
384         Reviewed by Yusuke Suzuki.
385
386         * stress/dfg-to-string-on-int-does-gc.js: Added.
387         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
388         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
389
390 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
391
392         [JSC] NativeErrorConstructor should not have own IsoSubspace
393         https://bugs.webkit.org/show_bug.cgi?id=193713
394
395         Reviewed by Saam Barati.
396
397         Remove @Error use.
398
399         * stress/try-get-by-id-should-spill-registers-dfg.js:
400         (let.f.createBuiltin):
401
402 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
403
404         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
405         https://bugs.webkit.org/show_bug.cgi?id=190693
406
407         Reviewed by Michael Saboff.
408
409         * stress/regress-190693.js: Added.
410         (truth):
411         (assert):
412         (shouldThrowInvalidConstAssignment):
413         (taz):
414
415 2019-01-24  Saam Barati  <sbarati@apple.com>
416
417         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
418         https://bugs.webkit.org/show_bug.cgi?id=193751
419         <rdar://problem/47280215>
420
421         Reviewed by Michael Saboff.
422
423         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
424         (let.thing):
425         (foo.let.hello):
426         (foo):
427
428 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
429
430         [JSC] Reenable baseline JIT on mips
431         https://bugs.webkit.org/show_bug.cgi?id=192983
432
433         Reviewed by Mark Lam.
434
435         Added a new test for a case that was triggering a RELEASE_ASSERT when
436         testing.
437         Disable some slow tests that were already disabled for arm and x86.
438
439         * stress/json-parse-big-object.js: Added.
440         * stress/new-largeish-contiguous-array-with-size.js:
441         * stress/op_add.js:
442         * stress/op_bitand.js:
443         * stress/op_bitor.js:
444         * stress/op_bitxor.js:
445         * stress/op_lshift-ConstVar.js:
446         * stress/op_lshift-VarConst.js:
447         * stress/op_lshift-VarVar.js:
448         * stress/op_mod-ConstVar.js:
449         * stress/op_mod-VarConst.js:
450         * stress/op_mod-VarVar.js:
451         * stress/op_mul-ConstVar.js:
452         * stress/op_mul-VarConst.js:
453         * stress/op_mul-VarVar.js:
454         * stress/op_rshift-ConstVar.js:
455         * stress/op_rshift-VarConst.js:
456         * stress/op_rshift-VarVar.js:
457         * stress/op_sub-ConstVar.js:
458         * stress/op_sub-VarConst.js:
459         * stress/op_sub-VarVar.js:
460         * stress/op_urshift-ConstVar.js:
461         * stress/op_urshift-VarConst.js:
462         * stress/op_urshift-VarVar.js:
463         * stress/sampling-profiler-richards.js:
464         * stress/spread-forward-call-varargs-stack-overflow.js:
465
466 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
467
468         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
469         https://bugs.webkit.org/show_bug.cgi?id=193711
470         <rdar://problem/47250262>
471
472         Reviewed by Saam Barati.
473
474         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
475         (shouldBe):
476         (foo):
477         (bar):
478         (baz):
479
480 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
481
482         Unreviewed, fix initial global lexical binding epoch
483         https://bugs.webkit.org/show_bug.cgi?id=193603
484         <rdar://problem/47380869>
485
486         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
487         (f1.f2.f3.f4):
488         (f1.f2.f3):
489         (f1.f2):
490         (f1):
491
492 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
493
494         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
495         https://bugs.webkit.org/show_bug.cgi?id=193709
496         <rdar://problem/47363838>
497
498         Unreviewed, rollout to watch the tests.
499
500         * stress/object-tostring-changed-proto.js: Removed.
501         * stress/object-tostring-changed.js: Removed.
502         * stress/object-tostring-misc.js: Removed.
503         * stress/object-tostring-other.js: Removed.
504         * stress/object-tostring-untyped.js: Removed.
505
506 2019-01-22  Saam Barati  <sbarati@apple.com>
507
508         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
509
510         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
511         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
512         (testUncheckedLessThanZero):
513         (testUncheckedLessThanOrEqualZero):
514         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
515         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
516
517 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
518
519         [JSC] Invalidate old scope operations using global lexical binding epoch
520         https://bugs.webkit.org/show_bug.cgi?id=193603
521         <rdar://problem/47380869>
522
523         Reviewed by Saam Barati.
524
525         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
526         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
527         (shouldThrow):
528         (bar):
529         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
530         (shouldBe):
531         (get1):
532         (get2):
533         (get1If):
534         (get2If):
535         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
536         (shouldThrow):
537         (foo):
538
539 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
540
541         Unreviewed, roll out r240220 due to date-format-xparb regression
542         https://bugs.webkit.org/show_bug.cgi?id=193603
543
544         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
545         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
546         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
547         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
548
549 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
550
551         DoesGC rule is wrong for nodes with BigIntUse
552         https://bugs.webkit.org/show_bug.cgi?id=193652
553
554         Reviewed by Saam Barati.
555
556         * stress/big-int-value-op-update-gc-rules.js: Added.
557         (assert):
558         (doesGCAdd):
559         (doesGCSub):
560         (doesGCDiv):
561         (doesGCMul):
562         (doesGCBitAnd):
563         (doesGCBitOr):
564         (doesGCBitXor):
565
566 2019-01-20  Saam Barati  <sbarati@apple.com>
567
568         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
569         https://bugs.webkit.org/show_bug.cgi?id=193644
570         <rdar://problem/46209745>
571
572         Reviewed by Yusuke Suzuki.
573
574         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
575         (foo):
576         * stress/data-view-set-intrinsic-undefined-result.js: Added.
577         (foo):
578         (bar):
579
580 2019-01-20  Saam Barati  <sbarati@apple.com>
581
582         MovHint must merge NodeBytecodeUsesAsValue for its child
583         https://bugs.webkit.org/show_bug.cgi?id=186916
584         <rdar://problem/41396612>
585
586         Reviewed by Yusuke Suzuki.
587
588         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
589         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
590
591 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
592
593         [JSC] Invalidate old scope operations using global lexical binding epoch
594         https://bugs.webkit.org/show_bug.cgi?id=193603
595         <rdar://problem/47380869>
596
597         Reviewed by Saam Barati.
598
599         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
600         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
601         (shouldThrow):
602         (bar):
603         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
604         (shouldBe):
605         (get1):
606         (get2):
607         (get1If):
608         (get2If):
609         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
610         (shouldThrow):
611         (foo):
612
613 2019-01-17  Saam barati  <sbarati@apple.com>
614
615         StringObjectUse should not be a structure check for the original string object structure
616         https://bugs.webkit.org/show_bug.cgi?id=193483
617         <rdar://problem/47280522>
618
619         Reviewed by Yusuke Suzuki.
620
621         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
622         (foo):
623         (a.valueOf.0):
624
625 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
626
627         [JSC] ToThis omission in DFGByteCodeParser is wrong
628         https://bugs.webkit.org/show_bug.cgi?id=193513
629         <rdar://problem/45842236>
630
631         Reviewed by Saam Barati.
632
633         * stress/to-this-omission-with-different-strict-modes.js: Added.
634         (thisA):
635         (thisAStrictWrapper):
636
637 2019-01-15  Mark Lam  <mark.lam@apple.com>
638
639         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
640         https://bugs.webkit.org/show_bug.cgi?id=193423
641         <rdar://problem/46209355>
642
643         Reviewed by Saam Barati.
644
645         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
646         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
647         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
648         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
649
650 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
651
652         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
653         https://bugs.webkit.org/show_bug.cgi?id=193438
654         <rdar://problem/45581249>
655
656         Reviewed by Saam Barati and Keith Miller.
657
658         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
659         Then, GetByVal(String) crashed.
660
661         * stress/string-get-by-val-lowering.js: Added.
662         (shouldBe):
663         (test):
664         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
665         (Hello):
666         (foo):
667
668 2019-01-15  Tomas Popela  <tpopela@redhat.com>
669
670         Unreviewed, skip JIT tests if it's not enabled
671
672         * stress/bit-op-with-object-returning-int32.js:
673
674 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
675
676         DFGByteCodeParser rules for bitwise operations should consider type of their operands
677         https://bugs.webkit.org/show_bug.cgi?id=192966
678
679         Reviewed by Yusuke Suzuki.
680
681         * stress/bit-op-with-object-returning-int32.js: Added.
682
683 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
684
685         Skip a slow test and a flakey test on arm
686
687         Unreviewed gardening.
688
689         * typeProfiler/getter-richards.js:
690         this test always times out, it used to be always skipped on arm and
691         mips, but got accidentally enabled by r237919 now that we have DFG on
692         arm. Also skipping on mips as we plan to soon enable DFG for it too.
693
694 2019-01-14  Keith Miller  <keith_miller@apple.com>
695
696         Skip type-check-hoisting-phase-hoist... with no jit
697         https://bugs.webkit.org/show_bug.cgi?id=193421
698
699         Reviewed by Mark Lam.
700
701         It's timing out the 32-bit bots and takes 330 seconds
702         on my machine when run by itself.
703
704         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
705
706 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
707
708         [JSC] AI should check the given constant's array type when folding GetByVal into constant
709         https://bugs.webkit.org/show_bug.cgi?id=193413
710         <rdar://problem/46092389>
711
712         Reviewed by Keith Miller.
713
714         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
715         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
716         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
717         but GetByVal does not have appropriate ArrayModes, JSC crashes.
718
719         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
720         (compareArray):
721
722 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
723
724         [BigInt] Literal parsing is crashing when used inside a Object Literal
725         https://bugs.webkit.org/show_bug.cgi?id=193404
726
727         Reviewed by Yusuke Suzuki.
728
729         * stress/big-int-literal-inside-literal-object.js: Added.
730
731 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
732
733         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
734         https://bugs.webkit.org/show_bug.cgi?id=193372
735
736         Reviewed by Saam Barati.
737
738         * stress/typed-array-array-modes-profile.js: Added.
739         (foo):
740
741 2019-01-14  Mark Lam  <mark.lam@apple.com>
742
743         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
744         https://bugs.webkit.org/show_bug.cgi?id=193402
745         <rdar://problem/46012309>
746
747         Reviewed by Keith Miller.
748
749         * stress/regexp-compile-oom.js:
750         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
751           is enabled.  As a result, it will fail on cloop builds though there is no bug.
752
753 2019-01-11  Saam barati  <sbarati@apple.com>
754
755         DFG combined liveness can be wrong for terminal basic blocks
756         https://bugs.webkit.org/show_bug.cgi?id=193304
757         <rdar://problem/45268632>
758
759         Reviewed by Yusuke Suzuki.
760
761         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
762
763 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
764
765         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
766         https://bugs.webkit.org/show_bug.cgi?id=193308
767         <rdar://problem/45546542>
768
769         Reviewed by Saam Barati.
770
771         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
772         (shouldThrow):
773         (shouldBe):
774         (foo):
775         (get shouldThrow):
776         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
777         (shouldThrow):
778         (shouldBe):
779         (foo):
780         (get shouldBe):
781         (get shouldThrow):
782         (get return):
783         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
784         (shouldThrow):
785         (shouldBe):
786         (foo):
787         (get shouldBe):
788         (get shouldThrow):
789         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
790         (shouldThrow):
791         (shouldBe):
792         (foo):
793         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
794         (shouldThrow):
795         (shouldBe):
796         (foo):
797         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
798         (shouldThrow):
799         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
800         (shouldThrow):
801         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
802         (shouldThrow):
803         (shouldBe):
804         (foo):
805         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
806         (shouldThrow):
807         (shouldBe):
808         (foo):
809         (get shouldBe):
810         (get shouldThrow):
811         (get return):
812         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
813         (shouldThrow):
814         (shouldBe):
815         (foo):
816         (get shouldBe):
817         (get shouldThrow):
818         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
819         (shouldThrow):
820         (shouldBe):
821         (foo):
822         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
823         (shouldThrow):
824         (shouldBe):
825         (foo):
826
827 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
828
829         Enable DFG on ARM/Linux again
830         https://bugs.webkit.org/show_bug.cgi?id=192496
831
832         Reviewed by Yusuke Suzuki.
833
834         Test wasn't really skipped before moving the line with skip
835         to the top.
836
837         * stress/regress-192717.js:
838
839 2019-01-10  Commit Queue  <commit-queue@webkit.org>
840
841         Unreviewed, rolling out r239825.
842         https://bugs.webkit.org/show_bug.cgi?id=193330
843
844         Broke tests on armv7/linux bots (Requested by guijemont on
845         #webkit).
846
847         Reverted changeset:
848
849         "Enable DFG on ARM/Linux again"
850         https://bugs.webkit.org/show_bug.cgi?id=192496
851         https://trac.webkit.org/changeset/239825
852
853 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
854
855         Enable DFG on ARM/Linux again
856         https://bugs.webkit.org/show_bug.cgi?id=192496
857
858         Reviewed by Yusuke Suzuki.
859
860         Test wasn't really skipped before moving the line with skip
861         to the top.
862
863         * stress/regress-192717.js:
864
865 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
866
867         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
868         https://bugs.webkit.org/show_bug.cgi?id=193127
869
870         Reviewed by Saam Barati.
871
872         * stress/array-species-create-should-handle-masquerader.js: Added.
873         (shouldThrow):
874         * stress/is-undefined-or-null-builtin.js: Added.
875         (shouldBe):
876         (isUndefinedOrNull.vm.createBuiltin):
877
878 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
879
880         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
881         https://bugs.webkit.org/show_bug.cgi?id=193221
882
883         Reviewed by Mark Lam.
884
885         * stress/put-by-id-flags.js: Added.
886         (f):
887         (g):
888         (numberOfDFGCompiles):
889
890 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
891
892         Baseline version of get_by_id may corrupt metadata
893         https://bugs.webkit.org/show_bug.cgi?id=193085
894         <rdar://problem/23453006>
895
896         Reviewed by Saam Barati.
897
898         * stress/get-by-id-change-mode.js: Added.
899         (forEach):
900
901 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
902
903         [JSC] Optimize Object.prototype.toString
904         https://bugs.webkit.org/show_bug.cgi?id=193031
905
906         Reviewed by Saam Barati.
907
908         * stress/object-tostring-changed-proto.js: Added.
909         (shouldBe):
910         (test):
911         * stress/object-tostring-changed.js: Added.
912         (shouldBe):
913         (test):
914         * stress/object-tostring-misc.js: Added.
915         (shouldBe):
916         (test):
917         (i.switch):
918         * stress/object-tostring-other.js: Added.
919         (shouldBe):
920         (test):
921         * stress/object-tostring-untyped.js: Added.
922         (shouldBe):
923         (test):
924         (i.switch):
925
926 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
927
928         test262-runner misbehaves when test file YAML has a trailing space
929         https://bugs.webkit.org/show_bug.cgi?id=193053
930
931         Reviewed by Yusuke Suzuki.
932
933         * test262/expectations.yaml:
934         Mark two dozen tests as passing (and correct the output of another).
935
936 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
937
938         Unreviewed, JSTests gardening with memoryLimited
939
940         * stress/string-overflow-createError.js:
941
942 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
943
944         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
945         https://bugs.webkit.org/show_bug.cgi?id=193050
946
947         Reviewed by Yusuke Suzuki.
948
949         * test262.yaml:
950         * test262/expectations.yaml:
951         Mark 16 tests as passing.
952
953 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
954
955         [BigInt] Support BigInt in JSON.stringify
956         https://bugs.webkit.org/show_bug.cgi?id=192624
957
958         Reviewed by Saam Barati.
959
960         * stress/big-int-json-stringify-to-json.js: Added.
961         (shouldBe):
962         (shouldThrow):
963         (BigInt.prototype.toJSON):
964         (shouldBe.JSON.stringify):
965         * stress/big-int-json-stringify.js: Added.
966         (shouldBe):
967         (shouldThrow):
968
969 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
970
971         [JSC] Implement "well-formed JSON.stringify" proposal
972         https://bugs.webkit.org/show_bug.cgi?id=191677
973
974         Reviewed by Darin Adler.
975
976         * stress/json-surrogate-pair.js: Added.
977         (shouldBe):
978         * test262/expectations.yaml:
979
980 2018-12-20  Keith Miller  <keith_miller@apple.com>
981
982         Add support for globalThis
983         https://bugs.webkit.org/show_bug.cgi?id=165171
984
985         Reviewed by Mark Lam.
986
987         * test262/config.yaml:
988
989 2018-12-19  Keith Miller  <keith_miller@apple.com>
990
991         Update test262 configuration to not run tests dependent on ICU version.
992         https://bugs.webkit.org/show_bug.cgi?id=192920
993
994         Reviewed by Saam Barati.
995
996         * test262/expectations.yaml:
997
998 2018-12-20  Mark Lam  <mark.lam@apple.com>
999
1000         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1001         https://bugs.webkit.org/show_bug.cgi?id=192939
1002         <rdar://problem/46869516>
1003
1004         Reviewed by Keith Miller.
1005
1006         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1007
1008 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1009
1010         WTF::String and StringImpl overflow MaxLength
1011         https://bugs.webkit.org/show_bug.cgi?id=192853
1012         <rdar://problem/45726906>
1013
1014         Reviewed by Mark Lam.
1015
1016         * stress/string-16bit-repeat-overflow.js: Added.
1017         (catch):
1018
1019 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1020
1021         Unreviewed follow-up to r192914.
1022
1023         * test262/expectations.yaml:
1024         Add the last 20 missing expectations.
1025
1026 2018-12-19  Keith Miller  <keith_miller@apple.com>
1027
1028         Fix test262 expectations
1029         https://bugs.webkit.org/show_bug.cgi?id=192914
1030
1031         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1032
1033         * test262/expectations.yaml:
1034
1035 2018-12-19  Keith Miller  <keith_miller@apple.com>
1036
1037         Update test262 tests.
1038         https://bugs.webkit.org/show_bug.cgi?id=192907
1039
1040         Rubber stamped by Mark Lam.
1041
1042         * test262/*: Omitted because prepare-changelog crashes.
1043
1044 2018-12-19  Mark Lam  <mark.lam@apple.com>
1045
1046         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1047         https://bugs.webkit.org/show_bug.cgi?id=192464
1048         <rdar://problem/46519455>
1049
1050         Reviewed by Saam Barati.
1051
1052         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1053         microbenchmark.
1054
1055         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1056         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1057
1058 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1059
1060         String overflow in JSC::createError results in ASSERT in WTF::makeString
1061         https://bugs.webkit.org/show_bug.cgi?id=192833
1062         <rdar://problem/45706868>
1063
1064         Reviewed by Mark Lam.
1065
1066         * stress/string-overflow-createError.js: Added.
1067
1068 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1069
1070         Error message for `-x ** y` contains a typo.
1071         https://bugs.webkit.org/show_bug.cgi?id=192832
1072
1073         Reviewed by Saam Barati.
1074
1075         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1076         (assert.assert.return.throws):
1077         * stress/pow-expects-update-expression-on-lhs.js:
1078         (throw.new.Error):
1079         Update test expectations which match against the exact error message.
1080
1081 2018-12-18  Mark Lam  <mark.lam@apple.com>
1082
1083         Gardening: test options fix.
1084         https://bugs.webkit.org/show_bug.cgi?id=192822
1085
1086         Unreviewed.
1087
1088         * stress/json-stringify-string-builder-overflow.js:
1089
1090 2018-12-18  Mark Lam  <mark.lam@apple.com>
1091
1092         JSON.stringify() should throw OOM on StringBuilder overflows.
1093         https://bugs.webkit.org/show_bug.cgi?id=192822
1094         <rdar://problem/46670577>
1095
1096         Reviewed by Saam Barati.
1097
1098         * stress/json-stringify-string-builder-overflow.js: Added.
1099
1100 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1101
1102         Redeclaration of var over let/const/class should be a syntax error.
1103         https://bugs.webkit.org/show_bug.cgi?id=192298
1104
1105         Reviewed by Keith Miller.
1106
1107         * test262.yaml:
1108         * test262/expectations.yaml:
1109         Mark 46 tests as passing.
1110
1111         * stress/block-scope-redeclarations.js:
1112         Add some new tests.
1113
1114         * stress/for-in-invalidate-context-weird-assignments.js:
1115         * stress/for-in-tests.js:
1116         Replace tests for outdated behavior with tests for SyntaxError.
1117
1118         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1119         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1120         Update expectations.
1121
1122 2018-12-18  Mark Lam  <mark.lam@apple.com>
1123
1124         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1125         https://bugs.webkit.org/show_bug.cgi?id=191374
1126         <rdar://problem/46525447>
1127
1128         Reviewed by Yusuke Suzuki.
1129
1130         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1131
1132         * stress/elidable-new-object-roflcopter-then-exit.js:
1133
1134 2018-12-17  Mark Lam  <mark.lam@apple.com>
1135
1136         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1137         https://bugs.webkit.org/show_bug.cgi?id=192019
1138         <rdar://problem/46525456>
1139
1140         Reviewed by Yusuke Suzuki.
1141
1142         The test runs too slow on 32-bit.
1143
1144         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1145
1146 2018-12-17  Mark Lam  <mark.lam@apple.com>
1147
1148         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1149         https://bugs.webkit.org/show_bug.cgi?id=191373
1150         <rdar://problem/46525458>
1151
1152         Reviewed by Yusuke Suzuki.
1153
1154         The test is already slow running with a JIT on 64-bit.  It will always timeout
1155         on 32-bit without a JIT.
1156
1157         * stress/materialize-regexp-cyclic-regexp.js:
1158
1159 2018-12-17  Mark Lam  <mark.lam@apple.com>
1160
1161         Array unshift/shift should not race against the AI in the compiler thread.
1162         https://bugs.webkit.org/show_bug.cgi?id=192795
1163         <rdar://problem/46724263>
1164
1165         Reviewed by Saam Barati.
1166
1167         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1168
1169 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1170
1171         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1172         https://bugs.webkit.org/show_bug.cgi?id=190047
1173
1174         Reviewed by Saam Barati.
1175
1176         * stress/object-keys-cached-zero.js: Added.
1177         (shouldBe):
1178         (test):
1179         * stress/object-keys-changed-attribute.js: Added.
1180         (shouldBe):
1181         (test):
1182         * stress/object-keys-changed-index.js: Added.
1183         (shouldBe):
1184         (test):
1185         * stress/object-keys-changed.js: Added.
1186         (shouldBe):
1187         (test):
1188         * stress/object-keys-indexed-non-cache.js: Added.
1189         (shouldBe):
1190         (test):
1191         * stress/object-keys-overrides-get-property-names.js: Added.
1192         (shouldBe):
1193         (test):
1194         (noInline):
1195
1196 2018-12-17  Mark Lam  <mark.lam@apple.com>
1197
1198         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1199         https://bugs.webkit.org/show_bug.cgi?id=192779
1200         <rdar://problem/46775869>
1201
1202         Reviewed by Saam Barati.
1203
1204         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1205
1206 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1207
1208         Unreviewed test gardening, address a syntax error in a new test.
1209
1210         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1211
1212 2018-12-17  Mark Lam  <mark.lam@apple.com>
1213
1214         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1215         https://bugs.webkit.org/show_bug.cgi?id=192776
1216         <rdar://problem/46772368>
1217
1218         Reviewed by Keith Miller.
1219
1220         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1221
1222 2018-12-17  Mark Lam  <mark.lam@apple.com>
1223
1224         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1225         https://bugs.webkit.org/show_bug.cgi?id=192770
1226         <rdar://problem/46449037>
1227
1228         Reviewed by Keith Miller.
1229
1230         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1231
1232 2018-12-14  Mark Lam  <mark.lam@apple.com>
1233
1234         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1235         https://bugs.webkit.org/show_bug.cgi?id=192717
1236         <rdar://problem/46660677>
1237
1238         Reviewed by Saam Barati.
1239
1240         * stress/regress-192717.js: Added.
1241
1242 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1243
1244         Unreviewed, rolling out r239153, r239154, and r239155.
1245         https://bugs.webkit.org/show_bug.cgi?id=192715
1246
1247         Caused flaky GC-related crashes seen with layout tests
1248         (Requested by ryanhaddad on #webkit).
1249
1250         Reverted changesets:
1251
1252         "[JSC] Optimize Object.keys by caching own keys results in
1253         StructureRareData"
1254         https://bugs.webkit.org/show_bug.cgi?id=190047
1255         https://trac.webkit.org/changeset/239153
1256
1257         "Unreviewed, build fix after r239153"
1258         https://bugs.webkit.org/show_bug.cgi?id=190047
1259         https://trac.webkit.org/changeset/239154
1260
1261         "Unreviewed, build fix after r239153, part 2"
1262         https://bugs.webkit.org/show_bug.cgi?id=190047
1263         https://trac.webkit.org/changeset/239155
1264
1265 2018-12-14  Keith Miller  <keith_miller@apple.com>
1266
1267         Callers of JSString::getIndex should check for OOM exceptions
1268         https://bugs.webkit.org/show_bug.cgi?id=192709
1269
1270         Reviewed by Mark Lam.
1271
1272         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1273
1274 2018-12-13  Mark Lam  <mark.lam@apple.com>
1275
1276         Add a missing exception check.
1277         https://bugs.webkit.org/show_bug.cgi?id=192626
1278         <rdar://problem/46662163>
1279
1280         Reviewed by Keith Miller.
1281
1282         * stress/regress-192626.js: Added.
1283
1284 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1285
1286         [BigInt] Add ValueDiv into DFG
1287         https://bugs.webkit.org/show_bug.cgi?id=186178
1288
1289         Reviewed by Yusuke Suzuki.
1290
1291         * stress/big-int-div-jit-osr.js: Added.
1292         * stress/big-int-div-jit-untyped.js: Added.
1293         * stress/value-div-fixup-int32-big-int.js: Added.
1294
1295 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1296
1297         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1298         https://bugs.webkit.org/show_bug.cgi?id=190047
1299
1300         Reviewed by Keith Miller.
1301
1302         * stress/object-keys-cached-zero.js: Added.
1303         (shouldBe):
1304         (test):
1305         * stress/object-keys-changed-attribute.js: Added.
1306         (shouldBe):
1307         (test):
1308         * stress/object-keys-changed-index.js: Added.
1309         (shouldBe):
1310         (test):
1311         * stress/object-keys-changed.js: Added.
1312         (shouldBe):
1313         (test):
1314         * stress/object-keys-indexed-non-cache.js: Added.
1315         (shouldBe):
1316         (test):
1317         * stress/object-keys-overrides-get-property-names.js: Added.
1318         (shouldBe):
1319         (test):
1320         (noInline):
1321
1322 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1323
1324         [DFG][FTL] Add NewSymbol
1325         https://bugs.webkit.org/show_bug.cgi?id=192620
1326
1327         Reviewed by Saam Barati.
1328
1329         * microbenchmarks/symbol-creation.js: Added.
1330         (test):
1331         * stress/symbol-description-identity.js: Added.
1332         (shouldBe):
1333         (test):
1334         * stress/symbol-identity.js: Added.
1335         (shouldBe):
1336         (test):
1337         * stress/symbol-with-description-throw-error.js: Added.
1338         (shouldBe):
1339         (shouldThrow):
1340         (test):
1341         (object.toString):
1342
1343 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1344
1345         [BigInt] Implement DFG/FTL typeof for BigInt
1346         https://bugs.webkit.org/show_bug.cgi?id=192619
1347
1348         Reviewed by Keith Miller.
1349
1350         * stress/big-int-boolean-proven-type.js: Added.
1351         (assert):
1352         (bool):
1353         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1354         (assert):
1355         (typeOf):
1356         (i.switch):
1357         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1358         (assert):
1359         (typeOf):
1360         * stress/big-int-type-of.js:
1361         (typeOf):
1362         (func):
1363
1364 2018-12-10  Mark Lam  <mark.lam@apple.com>
1365
1366         PropertyAttribute needs a CustomValue bit.
1367         https://bugs.webkit.org/show_bug.cgi?id=191993
1368         <rdar://problem/46264467>
1369
1370         Reviewed by Saam Barati.
1371
1372         * stress/regress-191993.js: Added.
1373
1374 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1375
1376         [BigInt] Add ValueMul into DFG
1377         https://bugs.webkit.org/show_bug.cgi?id=186175
1378
1379         Reviewed by Yusuke Suzuki.
1380
1381         * stress/big-int-mul-jit-osr.js: Added.
1382         * stress/big-int-mul-jit-untyped.js: Added.
1383         * stress/value-mul-fixup-int32-big-int.js: Added.
1384
1385 2018-12-06  Keith Miller  <keith_miller@apple.com>
1386
1387         stress/big-wasm-memory tests failing on 32-bit JSC bot
1388         https://bugs.webkit.org/show_bug.cgi?id=192020
1389
1390         Reviewed by Saam Barati.
1391
1392         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1393         the wasm stress tests if the WebAssembly object does not exist.
1394
1395         * stress/big-wasm-memory-grow-no-max.js:
1396         (test.foo):
1397         (test):
1398         (foo): Deleted.
1399         (catch): Deleted.
1400         * stress/big-wasm-memory-grow.js:
1401         (test.foo):
1402         (test):
1403         (foo): Deleted.
1404         (catch): Deleted.
1405         * stress/big-wasm-memory.js:
1406         (test.foo):
1407         (test):
1408         (foo): Deleted.
1409         (catch): Deleted.
1410
1411 2018-12-05  Mark Lam  <mark.lam@apple.com>
1412
1413         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1414         https://bugs.webkit.org/show_bug.cgi?id=192441
1415         <rdar://problem/46480355>
1416
1417         Reviewed by Saam Barati.
1418
1419         * stress/regress-192441.js: Added.
1420
1421 2018-12-04  Mark Lam  <mark.lam@apple.com>
1422
1423         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1424         https://bugs.webkit.org/show_bug.cgi?id=192386
1425         <rdar://problem/46445516>
1426
1427         Reviewed by Saam Barati.
1428
1429         * stress/regress-192386.js: Added.
1430
1431 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1432
1433         [ESNext][BigInt] Support logic operations
1434         https://bugs.webkit.org/show_bug.cgi?id=179903
1435
1436         Reviewed by Yusuke Suzuki.
1437
1438         * stress/big-int-branch-usage.js: Added.
1439         * stress/big-int-logical-and.js: Added.
1440         * stress/big-int-logical-not.js: Added.
1441         * stress/big-int-logical-or.js: Added.
1442
1443 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1444
1445         Unreviewed, rolling out r238833.
1446
1447         Breaks macOS and iOS debug builds.
1448
1449         Reverted changeset:
1450
1451         "[ESNext][BigInt] Support logic operations"
1452         https://bugs.webkit.org/show_bug.cgi?id=179903
1453         https://trac.webkit.org/changeset/238833
1454
1455 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1456
1457         [ESNext][BigInt] Support logic operations
1458         https://bugs.webkit.org/show_bug.cgi?id=179903
1459
1460         Reviewed by Yusuke Suzuki.
1461
1462         * stress/big-int-branch-usage.js: Added.
1463         * stress/big-int-logical-and.js: Added.
1464         * stress/big-int-logical-not.js: Added.
1465         * stress/big-int-logical-or.js: Added.
1466
1467 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1468
1469         [ESNext][BigInt] Implement support for "<<" and ">>"
1470         https://bugs.webkit.org/show_bug.cgi?id=186233
1471
1472         Reviewed by Yusuke Suzuki.
1473
1474         * stress/big-int-left-shift-general.js: Added.
1475         * stress/big-int-left-shift-range-error.js: Added.
1476         * stress/big-int-left-shift-type-error.js: Added.
1477         * stress/big-int-left-shift-wrapped-value.js: Added.
1478         * stress/big-int-right-shift-general.js: Added.
1479         * stress/big-int-right-shift-type-error.js: Added.
1480         * stress/big-int-right-shift-wrapped-value.js: Added.
1481         * stress/left-shift-to-primitive-precedence.js: Added.
1482         * stress/right-shift-to-primitive-precedence.js: Added.
1483
1484 2018-11-30  Dean Jackson  <dino@apple.com>
1485
1486         Add first-class support for .mjs files in jsc binary
1487         https://bugs.webkit.org/show_bug.cgi?id=192190
1488         <rdar://problem/46375715>
1489
1490         Reviewed by Keith Miller.
1491
1492         * stress/simple-module.mjs: Added.
1493         * stress/simple-script.js: Added.
1494
1495 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1496
1497         [BigInt] Implement ValueBitXor into DFG
1498         https://bugs.webkit.org/show_bug.cgi?id=190264
1499
1500         Reviewed by Yusuke Suzuki.
1501
1502         * stress/big-int-bitwise-xor-jit.js: Added.
1503         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1504         * stress/big-int-bitwise-xor-untyped.js: Added.
1505
1506 2018-11-27  Saam barati  <sbarati@apple.com>
1507
1508         r238510 broke scopes of size zero
1509         https://bugs.webkit.org/show_bug.cgi?id=192033
1510         <rdar://problem/46281734>
1511
1512         Reviewed by Keith Miller.
1513
1514         * stress/r238510-bad-loop.js: Added.
1515         (foo):
1516
1517 2018-11-27  Mark Lam  <mark.lam@apple.com>
1518
1519         [Re-landing] NaNs read from Wasm code needs to be be purified.
1520         https://bugs.webkit.org/show_bug.cgi?id=191056
1521         <rdar://problem/45660341>
1522
1523         Reviewed by Filip Pizlo.
1524
1525         * wasm/regress/regress-191056.js: Added.
1526
1527 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1528
1529         Unreviewed, rolling out r238509.
1530
1531         Causes JSC tests to fail on iOS.
1532
1533         Reverted changeset:
1534
1535         "NaNs read from Wasm code needs to be be purified."
1536         https://bugs.webkit.org/show_bug.cgi?id=191056
1537         https://trac.webkit.org/changeset/238509
1538
1539 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1540
1541         Re-introduce op_bitnot
1542         https://bugs.webkit.org/show_bug.cgi?id=190923
1543
1544         Reviewed by Yusuke Suzuki.
1545
1546         * stress/bit-not-must-generate.js: Added.
1547         * stress/bitwise-not-no-int32.js: Added.
1548
1549 2018-11-26  Saam barati  <sbarati@apple.com>
1550
1551         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1552         https://bugs.webkit.org/show_bug.cgi?id=191956
1553         <rdar://problem/45665806>
1554
1555         Reviewed by Yusuke Suzuki.
1556
1557         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1558         (bar):
1559         (foo):
1560
1561 2018-11-26  Saam barati  <sbarati@apple.com>
1562
1563         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1564         https://bugs.webkit.org/show_bug.cgi?id=191958
1565         <rdar://problem/46221877>
1566
1567         Reviewed by Yusuke Suzuki.
1568
1569         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1570         (x):
1571         (foo):
1572
1573 2018-11-26  Mark Lam  <mark.lam@apple.com>
1574
1575         NaNs read from Wasm code needs to be be purified.
1576         https://bugs.webkit.org/show_bug.cgi?id=191056
1577         <rdar://problem/45660341>
1578
1579         Reviewed by Filip Pizlo.
1580
1581         * wasm/regress/regress-191056.js: Added.
1582
1583 2018-11-26  Michael Saboff  <msaboff@apple.com>
1584
1585         32-bit JSC test failure: stress/regexp-compile-oom.js
1586         https://bugs.webkit.org/show_bug.cgi?id=191375
1587
1588         Reviewed by Mark Lam.
1589
1590         Disabled the test for 32 bit platforms.
1591
1592         * stress/regexp-compile-oom.js:
1593
1594 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1595
1596         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1597         https://bugs.webkit.org/show_bug.cgi?id=191716
1598         <rdar://problem/45723878>
1599
1600         Reviewed by Saam Barati.
1601
1602         * stress/regress-187373.js: Added.
1603         (async.fn):
1604
1605 2018-11-21  Saam barati  <sbarati@apple.com>
1606
1607         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1608         https://bugs.webkit.org/show_bug.cgi?id=191897
1609         <rdar://problem/45871998>
1610
1611         Reviewed by Mark Lam.
1612
1613         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1614         (bar):
1615         (foo):
1616
1617 2018-11-21  Saam barati  <sbarati@apple.com>
1618
1619         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1620         https://bugs.webkit.org/show_bug.cgi?id=191895
1621         <rdar://problem/46167406>
1622
1623         Reviewed by Mark Lam.
1624
1625         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1626         (foo):
1627         (bar):
1628
1629 2018-11-21  Mark Lam  <mark.lam@apple.com>
1630
1631         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1632         https://bugs.webkit.org/show_bug.cgi?id=191776
1633         <rdar://problem/46152851>
1634
1635         Reviewed by Saam Barati.
1636
1637         * stress/big-wasm-memory-grow-no-max.js:
1638         * stress/big-wasm-memory-grow.js:
1639         * stress/big-wasm-memory.js:
1640         - updated these to expect an OutOfMemoryError.
1641
1642         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1643         (Binary.prototype.emit_u8):
1644         (Binary.prototype.emit_u32v):
1645         (Binary.prototype.emit_header):
1646         (Binary.prototype.emit_section):
1647         (Binary):
1648         (WasmModuleBuilder):
1649         (WasmModuleBuilder.prototype.addMemory):
1650         (WasmModuleBuilder.prototype.toArray):
1651         (WasmModuleBuilder.prototype.toBuffer):
1652         (WasmModuleBuilder.prototype.instantiate):
1653         (catch):
1654         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1655         (catch):
1656
1657 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1658
1659         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1660         https://bugs.webkit.org/show_bug.cgi?id=190836
1661
1662         Reviewed by Saam Barati and Yusuke Suzuki.
1663
1664         * stress/big-int-out-of-memory-tests.js: Added.
1665
1666 2018-11-20  Mark Lam  <mark.lam@apple.com>
1667
1668         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1669         https://bugs.webkit.org/show_bug.cgi?id=191856
1670         <rdar://problem/46089992>
1671
1672         Reviewed by Yusuke Suzuki.
1673
1674         * stress/regress-191856.js: Added.
1675         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1676
1677 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1678
1679         Enable JIT on ARM/Linux
1680         https://bugs.webkit.org/show_bug.cgi?id=191548
1681
1682         Reviewed by Yusuke Suzuki.
1683
1684         Disable test on system with limited memory. Program was killed by
1685         the OS before the exception was thrown.
1686
1687         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1688
1689 2018-11-20  Saam barati  <sbarati@apple.com>
1690
1691         Merging an IC variant may lead to the IC status containing overlapping structure sets
1692         https://bugs.webkit.org/show_bug.cgi?id=191869
1693         <rdar://problem/45403453>
1694
1695         Reviewed by Mark Lam.
1696
1697         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1698
1699 2018-11-19  Mark Lam  <mark.lam@apple.com>
1700
1701         globalFuncImportModule() should return a promise when it clears exceptions.
1702         https://bugs.webkit.org/show_bug.cgi?id=191792
1703         <rdar://problem/46090763>
1704
1705         Reviewed by Michael Saboff.
1706
1707         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1708
1709 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1710
1711         Skip new memory-hungry tests on memory limited devices
1712
1713         Unreviewed gardening.
1714
1715         * stress/big-wasm-memory-grow-no-max.js:
1716         * stress/big-wasm-memory-grow.js:
1717         * stress/big-wasm-memory.js:
1718
1719 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1720
1721         Unreviewed, rolling in the rest of r237254
1722         https://bugs.webkit.org/show_bug.cgi?id=190340
1723
1724         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1725         * stress/function-cache-with-parameters-end-position.js: Added.
1726         (shouldBe):
1727         (shouldThrow):
1728         (i.anonymous):
1729         * stress/function-constructor-name.js: Added.
1730         (shouldBe):
1731         (GeneratorFunction):
1732         (AsyncFunction.async):
1733         (AsyncGeneratorFunction.async):
1734         (anonymous):
1735         (async.anonymous):
1736         * test262/expectations.yaml:
1737
1738 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1739
1740         All users of ArrayBuffer should agree on the same max size
1741         https://bugs.webkit.org/show_bug.cgi?id=191771
1742
1743         Reviewed by Mark Lam.
1744
1745         * stress/big-wasm-memory-grow-no-max.js: Added.
1746         (foo):
1747         (catch):
1748         * stress/big-wasm-memory-grow.js: Added.
1749         (foo):
1750         (catch):
1751         * stress/big-wasm-memory.js: Added.
1752         (foo):
1753         (catch):
1754
1755 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1756
1757         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1758         run for each JSC config since they're regression tests for runtime bugs.
1759
1760         * stress/json-stringified-overflow-2.js:
1761         * stress/json-stringified-overflow.js:
1762
1763 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1764
1765         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1766         config since they're regression tests for runtime bugs.
1767
1768         * stress/large-unshift-splice.js:
1769         * stress/regress-185888.js:
1770
1771 2018-11-16  Saam Barati  <sbarati@apple.com>
1772
1773         KnownCellUse should also have SpecCellCheck as its type filter
1774         https://bugs.webkit.org/show_bug.cgi?id=191729
1775         <rdar://problem/45872852>
1776
1777         Reviewed by Filip Pizlo.
1778
1779         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1780         (C):
1781
1782 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1783
1784         Fix assertion failure on BytecodeGenerator::recordOpcode
1785         https://bugs.webkit.org/show_bug.cgi?id=191724
1786         <rdar://problem/45724395>
1787
1788         Reviewed by Saam Barati.
1789
1790         * stress/regress-187373-2.js: Added.
1791         (foo):
1792
1793 2018-11-15  Mark Lam  <mark.lam@apple.com>
1794
1795         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1796         https://bugs.webkit.org/show_bug.cgi?id=191730
1797         <rdar://problem/46048517>
1798
1799         Reviewed by Saam Barati.
1800
1801         * stress/regress-187006.js: Removed.
1802           - this test is invalid because its sole purpose is to test for the non-spec
1803             compliant behavior that we just fixed.
1804
1805         * stress/regress-191730.js: Added.
1806
1807 2018-11-15  Mark Lam  <mark.lam@apple.com>
1808
1809         RegExp operations should not take fast patch if lastIndex is not numeric.
1810         https://bugs.webkit.org/show_bug.cgi?id=191731
1811         <rdar://problem/46017305>
1812
1813         Reviewed by Saam Barati.
1814
1815         * stress/regress-191731.js: Added.
1816
1817 2018-11-13  Saam Barati  <sbarati@apple.com>
1818
1819         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1820         https://bugs.webkit.org/show_bug.cgi?id=191600
1821
1822         Reviewed by Mark Lam.
1823
1824         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1825         (foo):
1826         (test):
1827         (bar):
1828
1829 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1830
1831         Unreviewed, rolling out r238132.
1832
1833         The test added with this change is timing out on Debug JSC
1834         bots.
1835
1836         Reverted changeset:
1837
1838         "[BigInt] JSBigInt::createWithLength should throw when length
1839         is greater than JSBigInt::maxLength"
1840         https://bugs.webkit.org/show_bug.cgi?id=190836
1841         https://trac.webkit.org/changeset/238132
1842
1843 2018-11-13  Mark Lam  <mark.lam@apple.com>
1844
1845         Add OOM detection to StringPrototype's substituteBackreferences().
1846         https://bugs.webkit.org/show_bug.cgi?id=191563
1847         <rdar://problem/45720428>
1848
1849         Reviewed by Saam Barati.
1850
1851         * stress/regress-191563.js: Added.
1852
1853 2018-11-13  Mark Lam  <mark.lam@apple.com>
1854
1855         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1856         https://bugs.webkit.org/show_bug.cgi?id=191579
1857         <rdar://problem/45942472>
1858
1859         Reviewed by Saam Barati.
1860
1861         * stress/regress-191579.js: Added.
1862
1863 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1864
1865         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1866         https://bugs.webkit.org/show_bug.cgi?id=190836
1867
1868         Reviewed by Saam Barati.
1869
1870         * stress/big-int-out-of-memory-tests.js: Added.
1871
1872 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1873
1874         U+180E is no longer a whitespace character
1875         https://bugs.webkit.org/show_bug.cgi?id=191415
1876
1877         Reviewed by Saam Barati.
1878
1879         * ChakraCore/test/es5/regexSpace.baseline:
1880         * ChakraCore/test/es6/unicode_whitespace.js:
1881         Update tests to latest version.
1882         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1883
1884         * test262.yaml:
1885         * test262/config.yaml:
1886         * test262/expectations.yaml:
1887         Update expectations.
1888
1889 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1890
1891         [BigInt] Add support to BigInt into ValueAdd
1892         https://bugs.webkit.org/show_bug.cgi?id=186177
1893
1894         Reviewed by Keith Miller.
1895
1896         * stress/big-int-negate-jit.js:
1897         * stress/value-add-big-int-and-string.js: Added.
1898         * stress/value-add-big-int-prediction-propagation.js: Added.
1899         * stress/value-add-big-int-untyped.js: Added.
1900
1901 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1902
1903         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1904         https://bugs.webkit.org/show_bug.cgi?id=191184
1905
1906         Reviewed by Saam Barati.
1907
1908         Most tests were failing due to timeouts, since they are too slow to
1909         run on CLoop. The exceptions are:
1910
1911         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1912         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1913         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1914         to change the stack size since CLoop requires it to be page aligned.
1915
1916         * microbenchmarks/array-push-1.js:
1917         * microbenchmarks/array-push-2.js:
1918         * microbenchmarks/elidable-new-object-dag.js:
1919         * microbenchmarks/elidable-new-object-roflcopter.js:
1920         * microbenchmarks/elidable-new-object-tree.js:
1921         * microbenchmarks/getter-richards.js:
1922         * microbenchmarks/sinkable-new-object-dag.js:
1923         * microbenchmarks/string-concat-long-convert.js:
1924         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1925         * slowMicrobenchmarks/array-push-3.js:
1926         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1927         * slowMicrobenchmarks/spread-small-array.js:
1928         * slowMicrobenchmarks/undefined-property-access.js:
1929         * stress/activation-sink-default-value-tdz-error.js:
1930         * stress/activation-sink-default-value.js:
1931         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1932         * stress/activation-sink-osrexit-default-value.js:
1933         * stress/activation-sink-osrexit.js:
1934         * stress/activation-sink.js:
1935         * stress/allow-math-ic-b3-code-duplication.js:
1936         * stress/array-push-multiple-int32.js:
1937         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1938         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1939         * stress/arrowfunction-lexical-this-activation-sink.js:
1940         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1941         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1942         * stress/elide-new-object-dag-then-exit.js:
1943         * stress/materialize-regexp-cyclic.js:
1944         * stress/new-regex-inline.js:
1945         * stress/op_add.js:
1946         * stress/op_bitand.js:
1947         * stress/op_bitor.js:
1948         * stress/op_bitxor.js:
1949         * stress/op_div-ConstVar.js:
1950         * stress/op_div-VarConst.js:
1951         * stress/op_div-VarVar.js:
1952         * stress/op_lshift-ConstVar.js:
1953         * stress/op_lshift-VarConst.js:
1954         * stress/op_lshift-VarVar.js:
1955         * stress/op_mod-ConstVar.js:
1956         * stress/op_mod-VarConst.js:
1957         * stress/op_mod-VarVar.js:
1958         * stress/op_mul-ConstVar.js:
1959         * stress/op_mul-VarConst.js:
1960         * stress/op_mul-VarVar.js:
1961         * stress/op_rshift-ConstVar.js:
1962         * stress/op_rshift-VarConst.js:
1963         * stress/op_rshift-VarVar.js:
1964         * stress/op_sub-ConstVar.js:
1965         * stress/op_sub-VarConst.js:
1966         * stress/op_sub-VarVar.js:
1967         * stress/op_urshift-ConstVar.js:
1968         * stress/op_urshift-VarConst.js:
1969         * stress/op_urshift-VarVar.js:
1970         * stress/proxy-get-set-correct-receiver.js:
1971         * stress/regress-179562.js:
1972         * stress/rest-parameter-many-arguments.js:
1973         * stress/sampling-profiler-richards.js:
1974         * stress/splay-flash-access-1ms.js:
1975         * stress/tailCallForwardArguments.js:
1976         * stress/typed-array-get-by-val-profiling.js:
1977         * typeProfiler/getter-richards.js:
1978
1979 2018-11-06  Michael Saboff  <msaboff@apple.com>
1980
1981         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1982         https://bugs.webkit.org/show_bug.cgi?id=191271
1983
1984         Reviewed by Saam Barati.
1985
1986         Added more test cases and made all test cases run with the same deeply recursive stack
1987         instead of finding that same point for each test case.
1988
1989         * stress/regexp-compile-oom.js:
1990         (prototype.runTest):
1991         (recurseAndTest):
1992         (testList.push.new.TestAndExpectedException):
1993
1994 2018-11-05  Michael Saboff  <msaboff@apple.com>
1995
1996         Unreviewed build fix for linux.
1997
1998         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1999
2000 2018-11-02  Michael Saboff  <msaboff@apple.com>
2001
2002         Rolling in r237753 with unreviewed build fix.
2003
2004         Fixed issues with DECLARE_THROW_SCOPE placement.
2005
2006 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2007
2008         Unreviewed, rolling out r237753.
2009
2010         Introduced JSC test failures
2011
2012         Reverted changeset:
2013
2014         "Running out of stack space not properly handled in
2015         RegExp::compile() and its callers"
2016         https://bugs.webkit.org/show_bug.cgi?id=191206
2017         https://trac.webkit.org/changeset/237753
2018
2019 2018-11-02  Michael Saboff  <msaboff@apple.com>
2020
2021         Running out of stack space not properly handled in RegExp::compile() and its callers
2022         https://bugs.webkit.org/show_bug.cgi?id=191206
2023
2024         Reviewed by Filip Pizlo.
2025
2026         New regression test.
2027
2028         * stress/regexp-compile-oom.js: Added.
2029         (recurseAndTest):
2030
2031 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2032
2033         Skip tests on arm/mips that time out now we're running on CLoop
2034
2035         Unreviewed gardening.
2036
2037         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2038         time out on the bots and need to be disabled. There's more tests
2039         disabled on arm because the timeout is longer on the mips bot (as the
2040         device is slower to start with), so many of the tests don't time out
2041         there.
2042
2043         * microbenchmarks/getter-richards.js: disable on arm and mips.
2044         * stress/op_add.js: disable on arm.
2045         * stress/op_bitand.js: disable on arm.
2046         * stress/op_bitor.js: disable on arm.
2047         * stress/op_bitxor.js: disable on arm.
2048         * stress/op_lshift-ConstVar.js: disable on arm.
2049         * stress/op_lshift-VarConst.js: disable on arm.
2050         * stress/op_lshift-VarVar.js: disable on arm.
2051         * stress/op_mod-ConstVar.js: disable on arm.
2052         * stress/op_mod-VarConst.js: disable on arm.
2053         * stress/op_mod-VarVar.js: disable on arm.
2054         * stress/op_mul-ConstVar.js: disable on arm.
2055         * stress/op_mul-VarConst.js: disable on arm.
2056         * stress/op_mul-VarVar.js: disable on arm.
2057         * stress/op_rshift-ConstVar.js: disable on arm.
2058         * stress/op_rshift-VarConst.js: disable on arm.
2059         * stress/op_rshift-VarVar.js: disable on arm.
2060         * stress/op_sub-ConstVar.js: disable on arm.
2061         * stress/op_sub-VarConst.js: disable on arm.
2062         * stress/op_sub-VarVar.js: disable on arm.
2063         * stress/op_urshift-ConstVar.js: disable on arm.
2064         * stress/op_urshift-VarConst.js: disable on arm.
2065         * stress/op_urshift-VarVar.js: disable on arm.
2066         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2067         * stress/value-to-boolean.js: disable on arm and mips.
2068
2069 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2070
2071         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2072         https://bugs.webkit.org/show_bug.cgi?id=191108
2073         <rdar://problem/45690700>
2074
2075         Reviewed by Saam Barati.
2076
2077         * stress/wide-op_catch.js: Added.
2078         (catch):
2079
2080 2018-10-29  Mark Lam  <mark.lam@apple.com>
2081
2082         Correctly detect string overflow when using the 'Function' constructor.
2083         https://bugs.webkit.org/show_bug.cgi?id=184883
2084         <rdar://problem/36320331>
2085
2086         Reviewed by Saam Barati.
2087
2088         I've verified that this passes on 32-bit as well.
2089
2090         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2091
2092 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2093
2094         Add support for GetStack FlushedDouble
2095         https://bugs.webkit.org/show_bug.cgi?id=191012
2096         <rdar://problem/45265141>
2097
2098         Reviewed by Saam Barati.
2099
2100         * stress/get-stack-double.js: Added.
2101         (bar):
2102         (noInline):
2103
2104 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2105
2106         New bytecode format for JSC
2107         https://bugs.webkit.org/show_bug.cgi?id=187373
2108         <rdar://problem/44186758>
2109
2110         Reviewed by Filip Pizlo.
2111
2112         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2113
2114         * stress/maximum-inline-capacity.js: Added.
2115         (test1):
2116         (test3.Foo):
2117         (test3):
2118
2119 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2120
2121         Unreviewed, rolling out r237479 and r237484.
2122         https://bugs.webkit.org/show_bug.cgi?id=190978
2123
2124         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2125
2126         Reverted changesets:
2127
2128         "New bytecode format for JSC"
2129         https://bugs.webkit.org/show_bug.cgi?id=187373
2130         https://trac.webkit.org/changeset/237479
2131
2132         "Gardening: Build fix after r237479."
2133         https://bugs.webkit.org/show_bug.cgi?id=187373
2134         https://trac.webkit.org/changeset/237484
2135
2136 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2137
2138         New bytecode format for JSC
2139         https://bugs.webkit.org/show_bug.cgi?id=187373
2140         <rdar://problem/44186758>
2141
2142         Reviewed by Filip Pizlo.
2143
2144         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2145
2146         * stress/maximum-inline-capacity.js: Added.
2147         (test1):
2148         (test3.Foo):
2149         (test3):
2150
2151 2018-10-26  Mark Lam  <mark.lam@apple.com>
2152
2153         Fix missing edge cases with JSGlobalObjects having a bad time.
2154         https://bugs.webkit.org/show_bug.cgi?id=189028
2155         <rdar://problem/45204939>
2156
2157         Reviewed by Saam Barati.
2158
2159         * stress/regress-189028.js: Added.
2160
2161 2018-10-22  Mark Lam  <mark.lam@apple.com>
2162
2163         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2164         https://bugs.webkit.org/show_bug.cgi?id=190515
2165         <rdar://problem/45222379>
2166
2167         Rubber-stamped by Saam Barati.
2168
2169         Adding another test.
2170
2171         * stress/regress-190515-2.js: Added.
2172
2173 2018-10-22  Mark Lam  <mark.lam@apple.com>
2174
2175         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2176         https://bugs.webkit.org/show_bug.cgi?id=190515
2177         <rdar://problem/45222379>
2178
2179         Reviewed by Saam Barati.
2180
2181         * stress/regress-190515.js: Added.
2182
2183 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2184
2185         Unreviewed, rolling out r237254.
2186         https://bugs.webkit.org/show_bug.cgi?id=190760
2187
2188         "It regresses JetStream 2 by 5% on some iOS devices"
2189         (Requested by saamyjoon on #webkit).
2190
2191         Reverted changeset:
2192
2193         "[JSC] JSC should have "parseFunction" to optimize Function
2194         constructor"
2195         https://bugs.webkit.org/show_bug.cgi?id=190340
2196         https://trac.webkit.org/changeset/237254
2197
2198 2018-10-19  Saam Barati  <sbarati@apple.com>
2199
2200         vmCall should check if we exit before emitting an OSR exit due to exceptions
2201         https://bugs.webkit.org/show_bug.cgi?id=190740
2202         <rdar://problem/45220139>
2203
2204         Reviewed by Mark Lam.
2205
2206         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2207         (foo):
2208
2209 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2210
2211         [ESNext][BigInt] Implement support for "^"
2212         https://bugs.webkit.org/show_bug.cgi?id=186235
2213
2214         Reviewed by Yusuke Suzuki.
2215
2216         * stress/big-int-bitwise-xor-general.js: Added.
2217         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2218         * stress/big-int-bitwise-xor-type-error.js: Added.
2219         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2220
2221 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2222
2223         [BigInt] Add ValueSub into DFG
2224         https://bugs.webkit.org/show_bug.cgi?id=186176
2225
2226         Reviewed by Yusuke Suzuki.
2227
2228         * stress/big-int-subtraction-jit.js:
2229         * stress/value-sub-big-int-prediction-propagation.js: Added.
2230         * stress/value-sub-big-int-untyped.js: Added.
2231         * stress/value-sub-spec-none-case.js: Added.
2232
2233 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2234
2235         [JSC] JSC should have "parseFunction" to optimize Function constructor
2236         https://bugs.webkit.org/show_bug.cgi?id=190340
2237
2238         Reviewed by Mark Lam.
2239
2240         This patch fixes the line number of syntax errors raised by the Function constructor,
2241         since we now parse the final code only once. And we no longer use block statement
2242         for Function constructor's parsing.
2243
2244         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2245         * stress/function-cache-with-parameters-end-position.js: Added.
2246         (shouldBe):
2247         (shouldThrow):
2248         (i.anonymous):
2249         * stress/function-constructor-name.js: Added.
2250         (shouldBe):
2251         (GeneratorFunction):
2252         (AsyncFunction.async):
2253         (AsyncGeneratorFunction.async):
2254         (anonymous):
2255         (async.anonymous):
2256         * test262/expectations.yaml:
2257
2258 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2259
2260         Unreviewed, rolling out r237242.
2261         https://bugs.webkit.org/show_bug.cgi?id=190701
2262
2263         it breaks "stress/sampling-profiler-basic.js" (Requested by
2264         caiolima on #webkit).
2265
2266         Reverted changeset:
2267
2268         "[BigInt] Add ValueSub into DFG"
2269         https://bugs.webkit.org/show_bug.cgi?id=186176
2270         https://trac.webkit.org/changeset/237242
2271
2272 2018-10-17  Keith Miller  <keith_miller@apple.com>
2273
2274         AI does not clear Phantom allocation nodes.
2275         https://bugs.webkit.org/show_bug.cgi?id=190694
2276
2277         Reviewed by Saam Barati.
2278
2279         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2280         (Day):
2281         (DaysInYear):
2282         (TimeInYear):
2283         (TimeFromYear):
2284         (DayFromYear):
2285         (InLeapYear):
2286         (YearFromTime):
2287         (WeekDay):
2288         (DaylightSavingTA):
2289         (GetSecondSundayInMarch):
2290         (TimeInMonth):
2291
2292 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2293
2294         [BigInt] Add ValueSub into DFG
2295         https://bugs.webkit.org/show_bug.cgi?id=186176
2296
2297         Reviewed by Yusuke Suzuki.
2298
2299         * stress/big-int-subtraction-jit.js:
2300         * stress/value-sub-big-int-prediction-propagation.js: Added.
2301         * stress/value-sub-big-int-untyped.js: Added.
2302
2303 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2304
2305         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2306         https://bugs.webkit.org/show_bug.cgi?id=190611
2307
2308         Reviewed by Saam Barati.
2309
2310         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2311         to improve test runtime. On ARM/MIPS this test even timed out when running all
2312         tests.
2313
2314         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2315         (test):
2316
2317 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2318
2319         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2320
2321         Unreviewed gardening.
2322
2323         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2324
2325 2018-10-15  Saam barati  <sbarati@apple.com>
2326
2327         Emit fjcvtzs on ARM64E on Darwin
2328         https://bugs.webkit.org/show_bug.cgi?id=184023
2329
2330         Reviewed by Yusuke Suzuki and Filip Pizlo.
2331
2332         * stress/double-to-int32-NaN.js: Added.
2333         (assert):
2334         (foo):
2335
2336 2018-10-15  Saam Barati  <sbarati@apple.com>
2337
2338         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2339         https://bugs.webkit.org/show_bug.cgi?id=190262
2340         <rdar://problem/44986241>
2341
2342         Reviewed by Mark Lam.
2343
2344         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2345         (test):
2346         * stress/slice-array-storage-with-holes.js: Added.
2347         (main):
2348
2349 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2350
2351         Unreviewed, rolling out r237054.
2352         https://bugs.webkit.org/show_bug.cgi?id=190593
2353
2354         "this regressed JetStream 2 by 6% on iOS" (Requested by
2355         saamyjoon on #webkit).
2356
2357         Reverted changeset:
2358
2359         "[JSC] JSC should have "parseFunction" to optimize Function
2360         constructor"
2361         https://bugs.webkit.org/show_bug.cgi?id=190340
2362         https://trac.webkit.org/changeset/237054
2363
2364 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2365
2366         [JSC] JSON.stringify can accept call-with-no-arguments
2367         https://bugs.webkit.org/show_bug.cgi?id=190343
2368
2369         Reviewed by Mark Lam.
2370
2371         * stress/json-stringify-no-arguments.js: Added.
2372         (shouldBe):
2373
2374 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2375
2376         [JSC] JSC should have "parseFunction" to optimize Function constructor
2377         https://bugs.webkit.org/show_bug.cgi?id=190340
2378
2379         Reviewed by Mark Lam.
2380
2381         This patch fixes the line number of syntax errors raised by the Function constructor,
2382         since we now parse the final code only once. And we no longer use block statement
2383         for Function constructor's parsing.
2384
2385         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2386         * stress/function-cache-with-parameters-end-position.js: Added.
2387         (shouldBe):
2388         (shouldThrow):
2389         (i.anonymous):
2390         * stress/function-constructor-name.js: Added.
2391         (shouldBe):
2392         (GeneratorFunction):
2393         (AsyncFunction.async):
2394         (AsyncGeneratorFunction.async):
2395         (anonymous):
2396         (async.anonymous):
2397         * test262/expectations.yaml:
2398
2399 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2400
2401         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2402         https://bugs.webkit.org/show_bug.cgi?id=190426
2403
2404         Unreviewed gardening.
2405
2406         * stress/sampling-profiler-richards.js:
2407
2408 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2409
2410         [ESNext][BigInt] Implement support for "|"
2411         https://bugs.webkit.org/show_bug.cgi?id=186229
2412
2413         Reviewed by Yusuke Suzuki.
2414
2415         * stress/big-int-bitwise-and-jit.js:
2416         * stress/big-int-bitwise-or-general.js: Added.
2417         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2418         * stress/big-int-bitwise-or-jit.js: Added.
2419         * stress/big-int-bitwise-or-memory-stress.js: Added.
2420         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2421         * stress/big-int-bitwise-or-type-error.js: Added.
2422         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2423
2424 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2425
2426         Skip test on systems with limited memory
2427         https://bugs.webkit.org/show_bug.cgi?id=190310
2428
2429         Invoking runDefault adds test to runlist, skipping the test in the next
2430         line does not prevent the test from executing. Change order of lines such
2431         that runDefault is only executed if test is not executed.
2432
2433         Reviewed by Mark Lam.
2434
2435         * stress/regress-190187.js:
2436
2437 2018-10-03  Saam barati  <sbarati@apple.com>
2438
2439         lowXYZ in FTLLower should always filter the type of the incoming edge
2440         https://bugs.webkit.org/show_bug.cgi?id=189939
2441         <rdar://problem/44407030>
2442
2443         Reviewed by Michael Saboff.
2444
2445         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2446         (foo):
2447         (test):
2448
2449 2018-10-03  Mark Lam  <mark.lam@apple.com>
2450
2451         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2452         https://bugs.webkit.org/show_bug.cgi?id=190187
2453         <rdar://problem/42512909>
2454
2455         Reviewed by Michael Saboff.
2456
2457         * stress/regress-190187.js: Added.
2458
2459 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2460
2461         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2462         https://bugs.webkit.org/show_bug.cgi?id=190033
2463
2464         Reviewed by Yusuke Suzuki.
2465
2466         * stress/big-int-to-string.js:
2467
2468 2018-10-01  Mark Lam  <mark.lam@apple.com>
2469
2470         Function.toString() should also copy the source code Functions that are class definitions.
2471         https://bugs.webkit.org/show_bug.cgi?id=190186
2472         <rdar://problem/44733360>
2473
2474         Reviewed by Saam Barati.
2475
2476         * stress/regress-190186.js: Added.
2477
2478 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2479
2480         Split NaN-check into separate test
2481         https://bugs.webkit.org/show_bug.cgi?id=190010
2482
2483         Reviewed by Saam Barati.
2484
2485         DataView exposes NaN-representation, which is not necessarily the same on each
2486         architecture. Therefore move the check of the NaN-representation into its own
2487         file such that we can disable this test on MIPS where NaN-representation can be
2488         different on older CPUs.
2489
2490         * stress/dataview-jit-set-nan.js: Added.
2491         (assert):
2492         (test.storeLittleEndian):
2493         (test.storeBigEndian):
2494         (test.store):
2495         (test):
2496         * stress/dataview-jit-set.js:
2497         (test5):
2498
2499 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2500
2501         Unreviewed, rolling out r236647.
2502         https://bugs.webkit.org/show_bug.cgi?id=190124
2503
2504         Breaking test stress/big-int-to-string.js (Requested by
2505         caiolima_ on #webkit).
2506
2507         Reverted changeset:
2508
2509         "[BigInt] BigInt.proptotype.toString is broken when radix is
2510         power of 2"
2511         https://bugs.webkit.org/show_bug.cgi?id=190033
2512         https://trac.webkit.org/changeset/236647
2513
2514 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2515
2516         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2517         https://bugs.webkit.org/show_bug.cgi?id=190033
2518
2519         Reviewed by Yusuke Suzuki.
2520
2521         * stress/big-int-to-string.js:
2522
2523 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2524
2525         [ESNext][BigInt] Implement support for "&"
2526         https://bugs.webkit.org/show_bug.cgi?id=186228
2527
2528         Reviewed by Yusuke Suzuki.
2529
2530         * stress/big-int-bitwise-and-general.js: Added.
2531         (assert):
2532         (assert.sameValue):
2533         * stress/big-int-bitwise-and-jit.js: Added.
2534         (let.assert.sameValue):
2535         (bigIntBitAnd):
2536         * stress/big-int-bitwise-and-memory-stress.js: Added.
2537         (assert):
2538         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2539         (assert.sameValue):
2540         (let.o.Symbol.toPrimitive):
2541         (catch):
2542         * stress/big-int-bitwise-and-type-error.js: Added.
2543         (assert):
2544         (assertThrowTypeError):
2545         (let.o.valueOf):
2546         (o.valueOf):
2547         (o.toString):
2548         (o.Symbol.toPrimitive):
2549         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2550         (assert.sameValue):
2551         (testBitAnd):
2552         (let.o.Symbol.toPrimitive):
2553         (o.valueOf):
2554         (o.toString):
2555
2556 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2557
2558         JSC test stress/jsc-read.js doesn't support CRLF
2559         https://bugs.webkit.org/show_bug.cgi?id=190063
2560
2561         Reviewed by Yusuke Suzuki.
2562
2563         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2564
2565         * stress/jsc-read.js:
2566         (test):
2567
2568 2018-09-27  Saam barati  <sbarati@apple.com>
2569
2570         Verify the contents of AssemblerBuffer on arm64e
2571         https://bugs.webkit.org/show_bug.cgi?id=190057
2572         <rdar://problem/38916630>
2573
2574         Reviewed by Mark Lam.
2575
2576         * stress/regress-189132.js:
2577
2578 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2579
2580         Disable test without LLInt on ARMv7
2581         https://bugs.webkit.org/show_bug.cgi?id=190037
2582
2583         Reviewed by Mark Lam.
2584
2585         Test runs out of executable memory on ARMv7, do not run
2586         this test without LLInt enabled.
2587
2588         * stress/regress-169445.js:
2589
2590 2018-09-26  Keith Miller  <keith_miller@apple.com>
2591
2592         We should zero unused property storage when rebalancing array storage.
2593         https://bugs.webkit.org/show_bug.cgi?id=188151
2594
2595         Reviewed by Michael Saboff.
2596
2597         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2598
2599 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2600
2601         [JSC] Optimize Array#lastIndexOf
2602         https://bugs.webkit.org/show_bug.cgi?id=189780
2603
2604         Reviewed by Saam Barati.
2605
2606         * stress/array-lastindexof-array-prototype-trap.js: Added.
2607         (shouldBe):
2608         (AncestorArray.prototype.get 2):
2609         (AncestorArray):
2610         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2611         (shouldBe):
2612         * stress/array-lastindexof-hole-nan.js: Added.
2613         (shouldBe):
2614         (throw.new.Error):
2615         * stress/array-lastindexof-infinity.js: Added.
2616         (shouldBe):
2617         (throw.new.Error):
2618         * stress/array-lastindexof-negative-zero.js: Added.
2619         (shouldBe):
2620         (throw.new.Error):
2621         * stress/array-lastindexof-own-getter.js: Added.
2622         (shouldBe):
2623         (throw.new.Error.get array):
2624         (get array):
2625         * stress/array-lastindexof-prototype-trap.js: Added.
2626         (shouldBe):
2627         (DerivedArray.prototype.get 2):
2628         (DerivedArray):
2629
2630 2018-09-25  Saam Barati  <sbarati@apple.com>
2631
2632         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2633         https://bugs.webkit.org/show_bug.cgi?id=189940
2634         <rdar://problem/43640987>
2635
2636         Reviewed by Mark Lam.
2637
2638         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2639
2640 2018-09-24  Saam Barati  <sbarati@apple.com>
2641
2642         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2643         https://bugs.webkit.org/show_bug.cgi?id=189922
2644         <rdar://problem/44651275>
2645
2646         Reviewed by Mark Lam.
2647
2648         * stress/array-indexof-fast-path-effects.js: Added.
2649         * stress/array-indexof-cached-length.js: Added.
2650
2651 2018-09-24  Saam barati  <sbarati@apple.com>
2652
2653         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2654         https://bugs.webkit.org/show_bug.cgi?id=189682
2655         <rdar://problem/43557315>
2656
2657         Reviewed by Mark Lam.
2658
2659         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2660         (foo):
2661
2662 2018-09-22  Saam barati  <sbarati@apple.com>
2663
2664         The sampling should not use Strong<CodeBlock> in its machineLocation field
2665         https://bugs.webkit.org/show_bug.cgi?id=189319
2666
2667         Reviewed by Filip Pizlo.
2668
2669         * stress/sampling-profiler-richards.js: Added.
2670
2671 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2672
2673         [JSC] Optimize Array#indexOf in C++ runtime
2674         https://bugs.webkit.org/show_bug.cgi?id=189507
2675
2676         Reviewed by Saam Barati.
2677
2678         * stress/array-indexof-array-prototype-trap.js: Added.
2679         (shouldBe):
2680         (AncestorArray.prototype.get 2):
2681         (AncestorArray):
2682         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2683         (shouldBe):
2684         * stress/array-indexof-hole-nan.js: Added.
2685         (shouldBe):
2686         (throw.new.Error):
2687         * stress/array-indexof-infinity.js: Added.
2688         (shouldBe):
2689         (throw.new.Error):
2690         * stress/array-indexof-negative-zero.js: Added.
2691         (shouldBe):
2692         (throw.new.Error):
2693         * stress/array-indexof-own-getter.js: Added.
2694         (shouldBe):
2695         (throw.new.Error.get array):
2696         (get array):
2697         * stress/array-indexof-prototype-trap.js: Added.
2698         (shouldBe):
2699         (DerivedArray.prototype.get 2):
2700         (DerivedArray):
2701
2702 2018-09-19  Saam barati  <sbarati@apple.com>
2703
2704         AI rule for MultiPutByOffset executes its effects in the wrong order
2705         https://bugs.webkit.org/show_bug.cgi?id=189757
2706         <rdar://problem/43535257>
2707
2708         Reviewed by Michael Saboff.
2709
2710         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2711         (foo):
2712         (Foo):
2713         (g):
2714
2715 2018-09-17  Mark Lam  <mark.lam@apple.com>
2716
2717         Ensure that ForInContexts are invalidated if their loop local is over-written.
2718         https://bugs.webkit.org/show_bug.cgi?id=189571
2719         <rdar://problem/44402277>
2720
2721         Reviewed by Saam Barati.
2722
2723         * stress/regress-189571.js: Added.
2724
2725 2018-09-17  Saam barati  <sbarati@apple.com>
2726
2727         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2728         https://bugs.webkit.org/show_bug.cgi?id=189676
2729         <rdar://problem/39682897>
2730
2731         Reviewed by Michael Saboff.
2732
2733         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2734         (A):
2735         (K):
2736         (i.catch):
2737
2738 2018-09-14  Saam barati  <sbarati@apple.com>
2739
2740         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2741         https://bugs.webkit.org/show_bug.cgi?id=189628
2742         <rdar://problem/39481690>
2743
2744         Reviewed by Mark Lam.
2745
2746         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2747         (foo):
2748
2749 2018-09-11  Mark Lam  <mark.lam@apple.com>
2750
2751         Test for array initialization in arrayProtoFuncSplice.
2752         https://bugs.webkit.org/show_bug.cgi?id=170253
2753         <rdar://problem/31328773>
2754
2755         Rubber-stamped by Saam Barati.
2756
2757         * stress/regress-170253.js: Added.
2758
2759 2018-09-11  Mark Lam  <mark.lam@apple.com>
2760
2761         Test for IntlObject initialization.
2762         https://bugs.webkit.org/show_bug.cgi?id=170251
2763         <rdar://problem/31328419>
2764
2765         Rubber-stamped by Saam Barati.
2766
2767         * stress/regress-170251.js: Added.
2768
2769 2018-09-11  Mark Lam  <mark.lam@apple.com>
2770
2771         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2772         https://bugs.webkit.org/show_bug.cgi?id=169889
2773         <rdar://problem/31155607>
2774
2775         Reviewed by Saam Barati.
2776
2777         * stress/regress-169889-array-concat.js: Added.
2778         * stress/regress-169889-array-concat1.js: Added.
2779         * stress/regress-169889-array-slice.js: Added.
2780
2781 2018-09-11  Mark Lam  <mark.lam@apple.com>
2782
2783         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2784         https://bugs.webkit.org/show_bug.cgi?id=169445
2785         <rdar://problem/30957435>
2786
2787         Reviewed by Saam Barati.
2788
2789         * stress/regress-169445.js: Added.
2790         (let.gun.eval.A):
2791         (let.gun.eval.B.C):
2792         (let.gun.eval.B.C.prototype.trigger):
2793         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2794         (let.gun.eval.B):
2795         (let.gun.eval):
2796
2797 == Rolled over to ChangeLog-2018-09-11 ==