[JSC] OSR entry should respect abstract values in addition to flush formats
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] OSR entry should respect abstract values in addition to flush formats
4         https://bugs.webkit.org/show_bug.cgi?id=195653
5
6         Reviewed by Mark Lam.
7
8         * stress/osr-entry-locals-none.js: Added.
9
10 2019-03-12  Michael Saboff  <msaboff@apple.com>
11
12         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
13         https://bugs.webkit.org/show_bug.cgi?id=195613
14
15         Reviewed by Mark Lam.
16
17         New regression test.
18
19         * stress/regexp-backref-inbounds.js: Added.
20         (testRegExp):
21
22 2019-03-12  Mark Lam  <mark.lam@apple.com>
23
24         The HasIndexedProperty node does GC.
25         https://bugs.webkit.org/show_bug.cgi?id=195559
26         <rdar://problem/48767923>
27
28         Reviewed by Yusuke Suzuki.
29
30         * stress/HasIndexedProperty-does-gc.js: Added.
31
32 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
33
34         [ESNext][BigInt] Implement "~" unary operation
35         https://bugs.webkit.org/show_bug.cgi?id=182216
36
37         Reviewed by Keith Miller.
38
39         * stress/big-int-bit-not-general.js: Added.
40         * stress/big-int-bitwise-not-jit.js: Added.
41         * stress/big-int-bitwise-not-wrapped-value.js: Added.
42         * stress/bit-op-with-object-returning-int32.js:
43         * stress/bitwise-not-fixup-rules.js: Added.
44         * stress/value-bit-not-ai-rule.js: Added.
45
46 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
47
48         Invalid flags in a RegExp literal should be an early SyntaxError
49         https://bugs.webkit.org/show_bug.cgi?id=195514
50
51         Reviewed by Darin Adler.
52
53         * test262/expectations.yaml:
54         Mark 4 test cases as passing.
55
56         * stress/regexp-syntax-error-invalid-flags.js:
57         * stress/regress-161995.js: Removed.
58         Update existing test, merging in an older test for the same behavior.
59
60 2019-03-08  Mark Lam  <mark.lam@apple.com>
61
62         Stack overflow crash in JSC::JSObject::hasInstance.
63         https://bugs.webkit.org/show_bug.cgi?id=195458
64         <rdar://problem/48710195>
65
66         Reviewed by Yusuke Suzuki.
67
68         * stress/stack-overflow-in-custom-hasInstance.js: Added.
69
70 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
71
72         op_check_tdz does not def its argument
73         https://bugs.webkit.org/show_bug.cgi?id=192880
74         <rdar://problem/46221598>
75
76         Reviewed by Saam Barati.
77
78         * microbenchmarks/let-for-in.js: Added.
79         (foo):
80
81 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
82
83         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
84         https://bugs.webkit.org/show_bug.cgi?id=195429
85
86         Reviewed by Saam Barati.
87
88         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
89         (foo):
90         * stress/string-from-char-code-255.js: Added.
91
92 2019-03-06  Mark Lam  <mark.lam@apple.com>
93
94         Fix incorrect handling of try-finally completion values.
95         https://bugs.webkit.org/show_bug.cgi?id=195131
96         <rdar://problem/46222079>
97
98         Reviewed by Saam Barati and Yusuke Suzuki.
99
100         Added many permutations of new test case to test-finally.js.  test-finally.js has
101         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
102         tests passes there as well.
103
104         * stress/test-finally.js:
105
106 2019-03-06  Saam Barati  <sbarati@apple.com>
107
108         Air::reportUsedRegisters must padInterference
109         https://bugs.webkit.org/show_bug.cgi?id=195303
110         <rdar://problem/48270343>
111
112         Reviewed by Keith Miller.
113
114         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
115
116 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
117
118         [JSC] AI should not propagate AbstractValue relying on constant folding phase
119         https://bugs.webkit.org/show_bug.cgi?id=195375
120
121         Reviewed by Saam Barati.
122
123         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
124         (let.array):
125
126 2019-03-05  Saam barati  <sbarati@apple.com>
127
128         op_switch_char broken for rope strings after JSRopeString layout rewrite
129         https://bugs.webkit.org/show_bug.cgi?id=195339
130         <rdar://problem/48592545>
131
132         Reviewed by Yusuke Suzuki.
133
134         * stress/switch-on-char-llint-rope.js: Added.
135
136 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
137
138         [JSC] Store bits for JSRopeString in 3 stores
139         https://bugs.webkit.org/show_bug.cgi?id=195234
140
141         Reviewed by Saam Barati.
142
143         * stress/null-rope-and-collectors.js: Added.
144
145 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
146
147         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
148         https://bugs.webkit.org/show_bug.cgi?id=195207
149
150         Unreviewed. After test runtime was reduced in r242213, test can be
151         run again on ARM/MIPS.
152
153         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
154
155 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
156
157         [JSC] sizeof(JSString) should be 16
158         https://bugs.webkit.org/show_bug.cgi?id=194375
159
160         Reviewed by Saam Barati.
161
162         * microbenchmarks/make-rope.js: Added.
163         (makeRope):
164         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
165         (returnRope.helper): Deleted.
166         (returnRope): Deleted.
167
168 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
169
170         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
171         https://bugs.webkit.org/show_bug.cgi?id=195144
172
173         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
174         Change the number from 1e8 to 1e5.
175
176         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
177         (foo):
178
179 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
180
181         Test times out on ARM/MIPS
182         https://bugs.webkit.org/show_bug.cgi?id=195168
183
184         Unreviewed. Skip test on ARM/MIPS.
185
186         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
187
188 2019-02-27  Mark Lam  <mark.lam@apple.com>
189
190         The parser is failing to record the token location of new in new.target.
191         https://bugs.webkit.org/show_bug.cgi?id=195127
192         <rdar://problem/39645578>
193
194         Reviewed by Yusuke Suzuki.
195
196         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
197
198 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
199
200         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
201         https://bugs.webkit.org/show_bug.cgi?id=195144
202         <rdar://problem/47595961>
203
204         Reviewed by Mark Lam.
205
206         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
207         (bar):
208         (foo):
209         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
210         (bar):
211         (foo):
212
213 2019-02-27  Robin Morisset  <rmorisset@apple.com>
214
215         DFG: Loop-invariant code motion (LICM) should not hoist dead code
216         https://bugs.webkit.org/show_bug.cgi?id=194945
217         <rdar://problem/48311657>
218
219         Reviewed by Mark Lam.
220
221         * stress/licm-dead-code.js: Added.
222
223 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
224
225         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
226         https://bugs.webkit.org/show_bug.cgi?id=194677
227         <rdar://problem/48112492>
228
229         Reviewed by Mark Lam.
230
231         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
232         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
233         it immediately fails due the large size.
234
235         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
236         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
237         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
238         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
239
240         This patch changes the test to produce 16bit string from String.fromCharCode.
241
242         * stress/regress-178386.js:
243
244 2019-02-26  Mark Lam  <mark.lam@apple.com>
245
246         wasmToJS() should purify incoming NaNs.
247         https://bugs.webkit.org/show_bug.cgi?id=194807
248         <rdar://problem/48189132>
249
250         Reviewed by Saam Barati.
251
252         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
253
254 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
255
256         [JSC] Repeat string created from Array.prototype.join() take too much memory
257         https://bugs.webkit.org/show_bug.cgi?id=193912
258
259         Reviewed by Saam Barati.
260
261         Added a test and a microbenchmark for corner cases of
262         Array.prototype.join() with an uninitialized array.
263
264         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
265         * stress/array-prototype-join-uninitialized.js: Added.
266         (testArray):
267         (testABC):
268         (B):
269         (C):
270
271 2019-02-22  Robin Morisset  <rmorisset@apple.com>
272
273         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
274         https://bugs.webkit.org/show_bug.cgi?id=194953
275         <rdar://problem/47595253>
276
277         Reviewed by Saam Barati.
278
279         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
280
281         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
282
283 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
284
285         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
286         https://bugs.webkit.org/show_bug.cgi?id=172848
287         <rdar://problem/25709212>
288
289         Reviewed by Mark Lam.
290
291         * typeProfiler/inheritance.js:
292         Rewrite the test slightly for clarity. The hoisting was confusing.
293
294         * heapProfiler/class-names.js: Added.
295         (MyES5Class):
296         (MyES6Class):
297         (MyES6Subclass):
298         Test object types and improved class names.
299
300         * heapProfiler/driver/driver.js:
301         (CheapHeapSnapshotNode):
302         (CheapHeapSnapshot):
303         (createCheapHeapSnapshot):
304         (HeapSnapshot):
305         (createHeapSnapshot):
306         Update snapshot parsing from version 1 to version 2.
307
308 2019-02-19  Truitt Savell  <tsavell@apple.com>
309
310         Unreviewed, rolling out r241784.
311
312         Broke all OpenSource builds.
313
314         Reverted changeset:
315
316         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
317         instances view"
318         https://bugs.webkit.org/show_bug.cgi?id=172848
319         https://trac.webkit.org/changeset/241784
320
321 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
322
323         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
324         https://bugs.webkit.org/show_bug.cgi?id=172848
325         <rdar://problem/25709212>
326
327         Reviewed by Mark Lam.
328
329         * typeProfiler/inheritance.js:
330         Rewrite the test slightly for clarity. The hoisting was confusing.
331
332         * heapProfiler/class-names.js: Added.
333         (MyES5Class):
334         (MyES6Class):
335         (MyES6Subclass):
336         Test object types and improved class names.
337
338         * heapProfiler/driver/driver.js:
339         (CheapHeapSnapshotNode):
340         (CheapHeapSnapshot):
341         (createCheapHeapSnapshot):
342         (HeapSnapshot):
343         (createHeapSnapshot):
344         Update snapshot parsing from version 1 to version 2.
345
346 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
347
348         [ARM] Fix crash with sampling profiler
349         https://bugs.webkit.org/show_bug.cgi?id=194772
350
351         Reviewed by Mark Lam.
352
353         Do not skip test since crash with sampling profiler is now fixed.
354
355         * stress/sampling-profiler-richards.js:
356
357 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
358
359         [JSC] Add LazyClassStructure::getInitializedOnMainThread
360         https://bugs.webkit.org/show_bug.cgi?id=194784
361         <rdar://problem/48154820>
362
363         Reviewed by Mark Lam.
364
365         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
366         (getProperties):
367         (getRandomProperty):
368         (i.catch):
369
370 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
371
372         [ARM] Test gardening: Test running out of executable memory
373         https://bugs.webkit.org/show_bug.cgi?id=194771
374
375         Unreviewed. Do not run test without LLInt, test is running out of executable
376         memory on ARM otherwise.
377
378         * stress/tagged-template-object-collect.js:
379
380 2019-02-18  Tomas Popela  <tpopela@redhat.com>
381
382         Unreviewed, skip the test on platforms without sampling profiler
383
384         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
385         (platformSupportsSamplingProfiler.foo):
386         (platformSupportsSamplingProfiler.test):
387         (platformSupportsSamplingProfiler):
388         (foo): Deleted.
389         (test): Deleted.
390
391 2019-02-17  Saam Barati  <sbarati@apple.com>
392
393         Deadlock when adding a Structure property transition and then doing incremental marking
394         https://bugs.webkit.org/show_bug.cgi?id=194767
395
396         Reviewed by Mark Lam.
397
398         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
399
400 2019-02-15  Michael Saboff  <msaboff@apple.com>
401
402         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
403         https://bugs.webkit.org/show_bug.cgi?id=194558
404
405         Reviewed by Saam Barati.
406
407         New regression test.
408
409         * stress/regexp-unicode-within-string.js: Added.
410
411 2019-02-15  Mark Lam  <mark.lam@apple.com>
412
413         SamplingProfiler::stackTracesAsJSON() should escape strings.
414         https://bugs.webkit.org/show_bug.cgi?id=194649
415         <rdar://problem/48072386>
416
417         Reviewed by Saam Barati.
418
419         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
420         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
421         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
422         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
423
424 2019-02-15  Robin Morisset  <rmorisset@apple.com>
425         CodeBlock::jettison should clear related watchpoints
426         https://bugs.webkit.org/show_bug.cgi?id=194544
427
428         Reviewed by Mark Lam.
429
430         * stress/regexp-replace-double-watchpoint.js: Added.
431         (foo):
432
433 2019-02-15  Saam barati  <sbarati@apple.com>
434
435         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
436         https://bugs.webkit.org/show_bug.cgi?id=194036
437
438         Reviewed by Yusuke Suzuki.
439
440         * stress/tail-call-many-arguments.js: Added.
441         (foo):
442         (bar):
443
444 2019-02-14  Saam Barati  <sbarati@apple.com>
445
446         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
447         https://bugs.webkit.org/show_bug.cgi?id=194583
448         <rdar://problem/48028140>
449
450         Reviewed by Yusuke Suzuki.
451
452         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
453
454 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
455
456         [JSC] String.fromCharCode's slow path always generates 16bit string
457         https://bugs.webkit.org/show_bug.cgi?id=194466
458
459         Reviewed by Keith Miller.
460
461         * stress/string-from-char-code-slow-path.js: Added.
462         (shouldBe):
463         (testWithLength):
464
465 2019-02-08  Saam barati  <sbarati@apple.com>
466
467         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
468         https://bugs.webkit.org/show_bug.cgi?id=194334
469         <rdar://problem/47844327>
470
471         Reviewed by Mark Lam.
472
473         * stress/check-in-bounds-should-be-a-child-use.js: Added.
474         (func):
475
476 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
479         https://bugs.webkit.org/show_bug.cgi?id=194369
480         <rdar://problem/47813087>
481
482         Reviewed by Saam Barati.
483
484         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
485         (A):
486
487 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
488
489         [JSC] PrivateName to PublicName hash table is wasteful
490         https://bugs.webkit.org/show_bug.cgi?id=194277
491
492         Reviewed by Michael Saboff.
493
494         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
495
496         * ChakraCore.yaml:
497
498 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
499
500         [ARM] Test running out of executable memory
501         https://bugs.webkit.org/show_bug.cgi?id=194285
502
503         Unreviewed. Do no execute test with LLInt disabled, test runs out of
504         executable memory otherwise.
505
506         * stress/class-subclassing-function.js:
507
508 2019-02-04  Robin Morisset  <rmorisset@apple.com>
509
510         when lowering AssertNotEmpty, create the value before creating the patchpoint
511         https://bugs.webkit.org/show_bug.cgi?id=194231
512
513         Reviewed by Saam Barati.
514
515         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
516         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
517         So even tiny changes to this test can change the path code taken.
518
519         * stress/assert-not-empty.js: Added.
520         (foo):
521
522 2019-02-01  Mark Lam  <mark.lam@apple.com>
523
524         Remove invalid assertion in DFG's compileDoubleRep().
525         https://bugs.webkit.org/show_bug.cgi?id=194130
526         <rdar://problem/47699474>
527
528         Reviewed by Saam Barati.
529
530         * stress/constant-fold-double-rep-into-double-constant.js: Added.
531
532 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
533
534         Import latest Test262 updates.
535
536         Rubber-stamped by Keith Miller.
537
538         * test262.yaml: Deleted.
539         * test262/config.yaml:
540         * test262/expectations.yaml:
541         * test262/latest-changes-summary.txt:
542         * test262/test/:
543         * test262/test262-Revision.txt:
544
545 2019-01-30  Robin Morisset  <rmorisset@apple.com>
546
547         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
548         https://bugs.webkit.org/show_bug.cgi?id=194050
549         <rdar://problem/47595592>
550
551         Reviewed by Yusuke Suzuki.
552
553         * stress/object-keys-osr-exit.js: Added.
554         (foo):
555         (catch):
556
557 2019-01-29  Mark Lam  <mark.lam@apple.com>
558
559         ValueRecovery::recover() should purify NaN values it recovers.
560         https://bugs.webkit.org/show_bug.cgi?id=193978
561         <rdar://problem/47625488>
562
563         Reviewed by Saam Barati.
564
565         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
566
567 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
568
569         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
570         https://bugs.webkit.org/show_bug.cgi?id=193713
571
572         * stress/try-get-by-id-should-spill-registers-dfg.js:
573         (let.f.createBuiltin):
574
575 2019-01-28  Mark Lam  <mark.lam@apple.com>
576
577         ToString node actually does GC.
578         https://bugs.webkit.org/show_bug.cgi?id=193920
579         <rdar://problem/46695900>
580
581         Reviewed by Yusuke Suzuki.
582
583         * stress/dfg-to-string-on-int-does-gc.js: Added.
584         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
585         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
586
587 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
588
589         [JSC] NativeErrorConstructor should not have own IsoSubspace
590         https://bugs.webkit.org/show_bug.cgi?id=193713
591
592         Reviewed by Saam Barati.
593
594         Remove @Error use.
595
596         * stress/try-get-by-id-should-spill-registers-dfg.js:
597         (let.f.createBuiltin):
598
599 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
600
601         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
602         https://bugs.webkit.org/show_bug.cgi?id=190693
603
604         Reviewed by Michael Saboff.
605
606         * stress/regress-190693.js: Added.
607         (truth):
608         (assert):
609         (shouldThrowInvalidConstAssignment):
610         (taz):
611
612 2019-01-24  Saam Barati  <sbarati@apple.com>
613
614         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
615         https://bugs.webkit.org/show_bug.cgi?id=193751
616         <rdar://problem/47280215>
617
618         Reviewed by Michael Saboff.
619
620         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
621         (let.thing):
622         (foo.let.hello):
623         (foo):
624
625 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
626
627         [JSC] Reenable baseline JIT on mips
628         https://bugs.webkit.org/show_bug.cgi?id=192983
629
630         Reviewed by Mark Lam.
631
632         Added a new test for a case that was triggering a RELEASE_ASSERT when
633         testing.
634         Disable some slow tests that were already disabled for arm and x86.
635
636         * stress/json-parse-big-object.js: Added.
637         * stress/new-largeish-contiguous-array-with-size.js:
638         * stress/op_add.js:
639         * stress/op_bitand.js:
640         * stress/op_bitor.js:
641         * stress/op_bitxor.js:
642         * stress/op_lshift-ConstVar.js:
643         * stress/op_lshift-VarConst.js:
644         * stress/op_lshift-VarVar.js:
645         * stress/op_mod-ConstVar.js:
646         * stress/op_mod-VarConst.js:
647         * stress/op_mod-VarVar.js:
648         * stress/op_mul-ConstVar.js:
649         * stress/op_mul-VarConst.js:
650         * stress/op_mul-VarVar.js:
651         * stress/op_rshift-ConstVar.js:
652         * stress/op_rshift-VarConst.js:
653         * stress/op_rshift-VarVar.js:
654         * stress/op_sub-ConstVar.js:
655         * stress/op_sub-VarConst.js:
656         * stress/op_sub-VarVar.js:
657         * stress/op_urshift-ConstVar.js:
658         * stress/op_urshift-VarConst.js:
659         * stress/op_urshift-VarVar.js:
660         * stress/sampling-profiler-richards.js:
661         * stress/spread-forward-call-varargs-stack-overflow.js:
662
663 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
666         https://bugs.webkit.org/show_bug.cgi?id=193711
667         <rdar://problem/47250262>
668
669         Reviewed by Saam Barati.
670
671         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
672         (shouldBe):
673         (foo):
674         (bar):
675         (baz):
676
677 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
678
679         Unreviewed, fix initial global lexical binding epoch
680         https://bugs.webkit.org/show_bug.cgi?id=193603
681         <rdar://problem/47380869>
682
683         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
684         (f1.f2.f3.f4):
685         (f1.f2.f3):
686         (f1.f2):
687         (f1):
688
689 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
692         https://bugs.webkit.org/show_bug.cgi?id=193709
693         <rdar://problem/47363838>
694
695         Unreviewed, rollout to watch the tests.
696
697         * stress/object-tostring-changed-proto.js: Removed.
698         * stress/object-tostring-changed.js: Removed.
699         * stress/object-tostring-misc.js: Removed.
700         * stress/object-tostring-other.js: Removed.
701         * stress/object-tostring-untyped.js: Removed.
702
703 2019-01-22  Saam Barati  <sbarati@apple.com>
704
705         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
706
707         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
708         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
709         (testUncheckedLessThanZero):
710         (testUncheckedLessThanOrEqualZero):
711         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
712         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
713
714 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
715
716         [JSC] Invalidate old scope operations using global lexical binding epoch
717         https://bugs.webkit.org/show_bug.cgi?id=193603
718         <rdar://problem/47380869>
719
720         Reviewed by Saam Barati.
721
722         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
723         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
724         (shouldThrow):
725         (bar):
726         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
727         (shouldBe):
728         (get1):
729         (get2):
730         (get1If):
731         (get2If):
732         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
733         (shouldThrow):
734         (foo):
735
736 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         Unreviewed, roll out r240220 due to date-format-xparb regression
739         https://bugs.webkit.org/show_bug.cgi?id=193603
740
741         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
742         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
743         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
744         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
745
746 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
747
748         DoesGC rule is wrong for nodes with BigIntUse
749         https://bugs.webkit.org/show_bug.cgi?id=193652
750
751         Reviewed by Saam Barati.
752
753         * stress/big-int-value-op-update-gc-rules.js: Added.
754         (assert):
755         (doesGCAdd):
756         (doesGCSub):
757         (doesGCDiv):
758         (doesGCMul):
759         (doesGCBitAnd):
760         (doesGCBitOr):
761         (doesGCBitXor):
762
763 2019-01-20  Saam Barati  <sbarati@apple.com>
764
765         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
766         https://bugs.webkit.org/show_bug.cgi?id=193644
767         <rdar://problem/46209745>
768
769         Reviewed by Yusuke Suzuki.
770
771         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
772         (foo):
773         * stress/data-view-set-intrinsic-undefined-result.js: Added.
774         (foo):
775         (bar):
776
777 2019-01-20  Saam Barati  <sbarati@apple.com>
778
779         MovHint must merge NodeBytecodeUsesAsValue for its child
780         https://bugs.webkit.org/show_bug.cgi?id=186916
781         <rdar://problem/41396612>
782
783         Reviewed by Yusuke Suzuki.
784
785         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
786         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
787
788 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
789
790         [JSC] Invalidate old scope operations using global lexical binding epoch
791         https://bugs.webkit.org/show_bug.cgi?id=193603
792         <rdar://problem/47380869>
793
794         Reviewed by Saam Barati.
795
796         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
797         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
798         (shouldThrow):
799         (bar):
800         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
801         (shouldBe):
802         (get1):
803         (get2):
804         (get1If):
805         (get2If):
806         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
807         (shouldThrow):
808         (foo):
809
810 2019-01-17  Saam barati  <sbarati@apple.com>
811
812         StringObjectUse should not be a structure check for the original string object structure
813         https://bugs.webkit.org/show_bug.cgi?id=193483
814         <rdar://problem/47280522>
815
816         Reviewed by Yusuke Suzuki.
817
818         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
819         (foo):
820         (a.valueOf.0):
821
822 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
823
824         [JSC] ToThis omission in DFGByteCodeParser is wrong
825         https://bugs.webkit.org/show_bug.cgi?id=193513
826         <rdar://problem/45842236>
827
828         Reviewed by Saam Barati.
829
830         * stress/to-this-omission-with-different-strict-modes.js: Added.
831         (thisA):
832         (thisAStrictWrapper):
833
834 2019-01-15  Mark Lam  <mark.lam@apple.com>
835
836         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
837         https://bugs.webkit.org/show_bug.cgi?id=193423
838         <rdar://problem/46209355>
839
840         Reviewed by Saam Barati.
841
842         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
843         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
844         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
845         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
846
847 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
848
849         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
850         https://bugs.webkit.org/show_bug.cgi?id=193438
851         <rdar://problem/45581249>
852
853         Reviewed by Saam Barati and Keith Miller.
854
855         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
856         Then, GetByVal(String) crashed.
857
858         * stress/string-get-by-val-lowering.js: Added.
859         (shouldBe):
860         (test):
861         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
862         (Hello):
863         (foo):
864
865 2019-01-15  Tomas Popela  <tpopela@redhat.com>
866
867         Unreviewed, skip JIT tests if it's not enabled
868
869         * stress/bit-op-with-object-returning-int32.js:
870
871 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
872
873         DFGByteCodeParser rules for bitwise operations should consider type of their operands
874         https://bugs.webkit.org/show_bug.cgi?id=192966
875
876         Reviewed by Yusuke Suzuki.
877
878         * stress/bit-op-with-object-returning-int32.js: Added.
879
880 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
881
882         Skip a slow test and a flakey test on arm
883
884         Unreviewed gardening.
885
886         * typeProfiler/getter-richards.js:
887         this test always times out, it used to be always skipped on arm and
888         mips, but got accidentally enabled by r237919 now that we have DFG on
889         arm. Also skipping on mips as we plan to soon enable DFG for it too.
890
891 2019-01-14  Keith Miller  <keith_miller@apple.com>
892
893         Skip type-check-hoisting-phase-hoist... with no jit
894         https://bugs.webkit.org/show_bug.cgi?id=193421
895
896         Reviewed by Mark Lam.
897
898         It's timing out the 32-bit bots and takes 330 seconds
899         on my machine when run by itself.
900
901         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
902
903 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
904
905         [JSC] AI should check the given constant's array type when folding GetByVal into constant
906         https://bugs.webkit.org/show_bug.cgi?id=193413
907         <rdar://problem/46092389>
908
909         Reviewed by Keith Miller.
910
911         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
912         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
913         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
914         but GetByVal does not have appropriate ArrayModes, JSC crashes.
915
916         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
917         (compareArray):
918
919 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
920
921         [BigInt] Literal parsing is crashing when used inside a Object Literal
922         https://bugs.webkit.org/show_bug.cgi?id=193404
923
924         Reviewed by Yusuke Suzuki.
925
926         * stress/big-int-literal-inside-literal-object.js: Added.
927
928 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
929
930         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
931         https://bugs.webkit.org/show_bug.cgi?id=193372
932
933         Reviewed by Saam Barati.
934
935         * stress/typed-array-array-modes-profile.js: Added.
936         (foo):
937
938 2019-01-14  Mark Lam  <mark.lam@apple.com>
939
940         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
941         https://bugs.webkit.org/show_bug.cgi?id=193402
942         <rdar://problem/46012309>
943
944         Reviewed by Keith Miller.
945
946         * stress/regexp-compile-oom.js:
947         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
948           is enabled.  As a result, it will fail on cloop builds though there is no bug.
949
950 2019-01-11  Saam barati  <sbarati@apple.com>
951
952         DFG combined liveness can be wrong for terminal basic blocks
953         https://bugs.webkit.org/show_bug.cgi?id=193304
954         <rdar://problem/45268632>
955
956         Reviewed by Yusuke Suzuki.
957
958         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
959
960 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
961
962         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
963         https://bugs.webkit.org/show_bug.cgi?id=193308
964         <rdar://problem/45546542>
965
966         Reviewed by Saam Barati.
967
968         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
969         (shouldThrow):
970         (shouldBe):
971         (foo):
972         (get shouldThrow):
973         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
974         (shouldThrow):
975         (shouldBe):
976         (foo):
977         (get shouldBe):
978         (get shouldThrow):
979         (get return):
980         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
981         (shouldThrow):
982         (shouldBe):
983         (foo):
984         (get shouldBe):
985         (get shouldThrow):
986         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
987         (shouldThrow):
988         (shouldBe):
989         (foo):
990         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
991         (shouldThrow):
992         (shouldBe):
993         (foo):
994         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
995         (shouldThrow):
996         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
997         (shouldThrow):
998         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
999         (shouldThrow):
1000         (shouldBe):
1001         (foo):
1002         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1003         (shouldThrow):
1004         (shouldBe):
1005         (foo):
1006         (get shouldBe):
1007         (get shouldThrow):
1008         (get return):
1009         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1010         (shouldThrow):
1011         (shouldBe):
1012         (foo):
1013         (get shouldBe):
1014         (get shouldThrow):
1015         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1016         (shouldThrow):
1017         (shouldBe):
1018         (foo):
1019         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1020         (shouldThrow):
1021         (shouldBe):
1022         (foo):
1023
1024 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1025
1026         Enable DFG on ARM/Linux again
1027         https://bugs.webkit.org/show_bug.cgi?id=192496
1028
1029         Reviewed by Yusuke Suzuki.
1030
1031         Test wasn't really skipped before moving the line with skip
1032         to the top.
1033
1034         * stress/regress-192717.js:
1035
1036 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1037
1038         Unreviewed, rolling out r239825.
1039         https://bugs.webkit.org/show_bug.cgi?id=193330
1040
1041         Broke tests on armv7/linux bots (Requested by guijemont on
1042         #webkit).
1043
1044         Reverted changeset:
1045
1046         "Enable DFG on ARM/Linux again"
1047         https://bugs.webkit.org/show_bug.cgi?id=192496
1048         https://trac.webkit.org/changeset/239825
1049
1050 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1051
1052         Enable DFG on ARM/Linux again
1053         https://bugs.webkit.org/show_bug.cgi?id=192496
1054
1055         Reviewed by Yusuke Suzuki.
1056
1057         Test wasn't really skipped before moving the line with skip
1058         to the top.
1059
1060         * stress/regress-192717.js:
1061
1062 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1063
1064         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1065         https://bugs.webkit.org/show_bug.cgi?id=193127
1066
1067         Reviewed by Saam Barati.
1068
1069         * stress/array-species-create-should-handle-masquerader.js: Added.
1070         (shouldThrow):
1071         * stress/is-undefined-or-null-builtin.js: Added.
1072         (shouldBe):
1073         (isUndefinedOrNull.vm.createBuiltin):
1074
1075 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1076
1077         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1078         https://bugs.webkit.org/show_bug.cgi?id=193221
1079
1080         Reviewed by Mark Lam.
1081
1082         * stress/put-by-id-flags.js: Added.
1083         (f):
1084         (g):
1085         (numberOfDFGCompiles):
1086
1087 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1088
1089         Baseline version of get_by_id may corrupt metadata
1090         https://bugs.webkit.org/show_bug.cgi?id=193085
1091         <rdar://problem/23453006>
1092
1093         Reviewed by Saam Barati.
1094
1095         * stress/get-by-id-change-mode.js: Added.
1096         (forEach):
1097
1098 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1099
1100         [JSC] Optimize Object.prototype.toString
1101         https://bugs.webkit.org/show_bug.cgi?id=193031
1102
1103         Reviewed by Saam Barati.
1104
1105         * stress/object-tostring-changed-proto.js: Added.
1106         (shouldBe):
1107         (test):
1108         * stress/object-tostring-changed.js: Added.
1109         (shouldBe):
1110         (test):
1111         * stress/object-tostring-misc.js: Added.
1112         (shouldBe):
1113         (test):
1114         (i.switch):
1115         * stress/object-tostring-other.js: Added.
1116         (shouldBe):
1117         (test):
1118         * stress/object-tostring-untyped.js: Added.
1119         (shouldBe):
1120         (test):
1121         (i.switch):
1122
1123 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1124
1125         test262-runner misbehaves when test file YAML has a trailing space
1126         https://bugs.webkit.org/show_bug.cgi?id=193053
1127
1128         Reviewed by Yusuke Suzuki.
1129
1130         * test262/expectations.yaml:
1131         Mark two dozen tests as passing (and correct the output of another).
1132
1133 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1134
1135         Unreviewed, JSTests gardening with memoryLimited
1136
1137         * stress/string-overflow-createError.js:
1138
1139 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1140
1141         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1142         https://bugs.webkit.org/show_bug.cgi?id=193050
1143
1144         Reviewed by Yusuke Suzuki.
1145
1146         * test262.yaml:
1147         * test262/expectations.yaml:
1148         Mark 16 tests as passing.
1149
1150 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1151
1152         [BigInt] Support BigInt in JSON.stringify
1153         https://bugs.webkit.org/show_bug.cgi?id=192624
1154
1155         Reviewed by Saam Barati.
1156
1157         * stress/big-int-json-stringify-to-json.js: Added.
1158         (shouldBe):
1159         (shouldThrow):
1160         (BigInt.prototype.toJSON):
1161         (shouldBe.JSON.stringify):
1162         * stress/big-int-json-stringify.js: Added.
1163         (shouldBe):
1164         (shouldThrow):
1165
1166 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1167
1168         [JSC] Implement "well-formed JSON.stringify" proposal
1169         https://bugs.webkit.org/show_bug.cgi?id=191677
1170
1171         Reviewed by Darin Adler.
1172
1173         * stress/json-surrogate-pair.js: Added.
1174         (shouldBe):
1175         * test262/expectations.yaml:
1176
1177 2018-12-20  Keith Miller  <keith_miller@apple.com>
1178
1179         Add support for globalThis
1180         https://bugs.webkit.org/show_bug.cgi?id=165171
1181
1182         Reviewed by Mark Lam.
1183
1184         * test262/config.yaml:
1185
1186 2018-12-19  Keith Miller  <keith_miller@apple.com>
1187
1188         Update test262 configuration to not run tests dependent on ICU version.
1189         https://bugs.webkit.org/show_bug.cgi?id=192920
1190
1191         Reviewed by Saam Barati.
1192
1193         * test262/expectations.yaml:
1194
1195 2018-12-20  Mark Lam  <mark.lam@apple.com>
1196
1197         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1198         https://bugs.webkit.org/show_bug.cgi?id=192939
1199         <rdar://problem/46869516>
1200
1201         Reviewed by Keith Miller.
1202
1203         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1204
1205 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1206
1207         WTF::String and StringImpl overflow MaxLength
1208         https://bugs.webkit.org/show_bug.cgi?id=192853
1209         <rdar://problem/45726906>
1210
1211         Reviewed by Mark Lam.
1212
1213         * stress/string-16bit-repeat-overflow.js: Added.
1214         (catch):
1215
1216 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1217
1218         Unreviewed follow-up to r192914.
1219
1220         * test262/expectations.yaml:
1221         Add the last 20 missing expectations.
1222
1223 2018-12-19  Keith Miller  <keith_miller@apple.com>
1224
1225         Fix test262 expectations
1226         https://bugs.webkit.org/show_bug.cgi?id=192914
1227
1228         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1229
1230         * test262/expectations.yaml:
1231
1232 2018-12-19  Keith Miller  <keith_miller@apple.com>
1233
1234         Update test262 tests.
1235         https://bugs.webkit.org/show_bug.cgi?id=192907
1236
1237         Rubber stamped by Mark Lam.
1238
1239         * test262/*: Omitted because prepare-changelog crashes.
1240
1241 2018-12-19  Mark Lam  <mark.lam@apple.com>
1242
1243         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1244         https://bugs.webkit.org/show_bug.cgi?id=192464
1245         <rdar://problem/46519455>
1246
1247         Reviewed by Saam Barati.
1248
1249         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1250         microbenchmark.
1251
1252         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1253         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1254
1255 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1256
1257         String overflow in JSC::createError results in ASSERT in WTF::makeString
1258         https://bugs.webkit.org/show_bug.cgi?id=192833
1259         <rdar://problem/45706868>
1260
1261         Reviewed by Mark Lam.
1262
1263         * stress/string-overflow-createError.js: Added.
1264
1265 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1266
1267         Error message for `-x ** y` contains a typo.
1268         https://bugs.webkit.org/show_bug.cgi?id=192832
1269
1270         Reviewed by Saam Barati.
1271
1272         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1273         (assert.assert.return.throws):
1274         * stress/pow-expects-update-expression-on-lhs.js:
1275         (throw.new.Error):
1276         Update test expectations which match against the exact error message.
1277
1278 2018-12-18  Mark Lam  <mark.lam@apple.com>
1279
1280         Gardening: test options fix.
1281         https://bugs.webkit.org/show_bug.cgi?id=192822
1282
1283         Unreviewed.
1284
1285         * stress/json-stringify-string-builder-overflow.js:
1286
1287 2018-12-18  Mark Lam  <mark.lam@apple.com>
1288
1289         JSON.stringify() should throw OOM on StringBuilder overflows.
1290         https://bugs.webkit.org/show_bug.cgi?id=192822
1291         <rdar://problem/46670577>
1292
1293         Reviewed by Saam Barati.
1294
1295         * stress/json-stringify-string-builder-overflow.js: Added.
1296
1297 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1298
1299         Redeclaration of var over let/const/class should be a syntax error.
1300         https://bugs.webkit.org/show_bug.cgi?id=192298
1301
1302         Reviewed by Keith Miller.
1303
1304         * test262.yaml:
1305         * test262/expectations.yaml:
1306         Mark 46 tests as passing.
1307
1308         * stress/block-scope-redeclarations.js:
1309         Add some new tests.
1310
1311         * stress/for-in-invalidate-context-weird-assignments.js:
1312         * stress/for-in-tests.js:
1313         Replace tests for outdated behavior with tests for SyntaxError.
1314
1315         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1316         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1317         Update expectations.
1318
1319 2018-12-18  Mark Lam  <mark.lam@apple.com>
1320
1321         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1322         https://bugs.webkit.org/show_bug.cgi?id=191374
1323         <rdar://problem/46525447>
1324
1325         Reviewed by Yusuke Suzuki.
1326
1327         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1328
1329         * stress/elidable-new-object-roflcopter-then-exit.js:
1330
1331 2018-12-17  Mark Lam  <mark.lam@apple.com>
1332
1333         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1334         https://bugs.webkit.org/show_bug.cgi?id=192019
1335         <rdar://problem/46525456>
1336
1337         Reviewed by Yusuke Suzuki.
1338
1339         The test runs too slow on 32-bit.
1340
1341         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1342
1343 2018-12-17  Mark Lam  <mark.lam@apple.com>
1344
1345         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1346         https://bugs.webkit.org/show_bug.cgi?id=191373
1347         <rdar://problem/46525458>
1348
1349         Reviewed by Yusuke Suzuki.
1350
1351         The test is already slow running with a JIT on 64-bit.  It will always timeout
1352         on 32-bit without a JIT.
1353
1354         * stress/materialize-regexp-cyclic-regexp.js:
1355
1356 2018-12-17  Mark Lam  <mark.lam@apple.com>
1357
1358         Array unshift/shift should not race against the AI in the compiler thread.
1359         https://bugs.webkit.org/show_bug.cgi?id=192795
1360         <rdar://problem/46724263>
1361
1362         Reviewed by Saam Barati.
1363
1364         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1365
1366 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1367
1368         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1369         https://bugs.webkit.org/show_bug.cgi?id=190047
1370
1371         Reviewed by Saam Barati.
1372
1373         * stress/object-keys-cached-zero.js: Added.
1374         (shouldBe):
1375         (test):
1376         * stress/object-keys-changed-attribute.js: Added.
1377         (shouldBe):
1378         (test):
1379         * stress/object-keys-changed-index.js: Added.
1380         (shouldBe):
1381         (test):
1382         * stress/object-keys-changed.js: Added.
1383         (shouldBe):
1384         (test):
1385         * stress/object-keys-indexed-non-cache.js: Added.
1386         (shouldBe):
1387         (test):
1388         * stress/object-keys-overrides-get-property-names.js: Added.
1389         (shouldBe):
1390         (test):
1391         (noInline):
1392
1393 2018-12-17  Mark Lam  <mark.lam@apple.com>
1394
1395         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1396         https://bugs.webkit.org/show_bug.cgi?id=192779
1397         <rdar://problem/46775869>
1398
1399         Reviewed by Saam Barati.
1400
1401         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1402
1403 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1404
1405         Unreviewed test gardening, address a syntax error in a new test.
1406
1407         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1408
1409 2018-12-17  Mark Lam  <mark.lam@apple.com>
1410
1411         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1412         https://bugs.webkit.org/show_bug.cgi?id=192776
1413         <rdar://problem/46772368>
1414
1415         Reviewed by Keith Miller.
1416
1417         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1418
1419 2018-12-17  Mark Lam  <mark.lam@apple.com>
1420
1421         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1422         https://bugs.webkit.org/show_bug.cgi?id=192770
1423         <rdar://problem/46449037>
1424
1425         Reviewed by Keith Miller.
1426
1427         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1428
1429 2018-12-14  Mark Lam  <mark.lam@apple.com>
1430
1431         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1432         https://bugs.webkit.org/show_bug.cgi?id=192717
1433         <rdar://problem/46660677>
1434
1435         Reviewed by Saam Barati.
1436
1437         * stress/regress-192717.js: Added.
1438
1439 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1440
1441         Unreviewed, rolling out r239153, r239154, and r239155.
1442         https://bugs.webkit.org/show_bug.cgi?id=192715
1443
1444         Caused flaky GC-related crashes seen with layout tests
1445         (Requested by ryanhaddad on #webkit).
1446
1447         Reverted changesets:
1448
1449         "[JSC] Optimize Object.keys by caching own keys results in
1450         StructureRareData"
1451         https://bugs.webkit.org/show_bug.cgi?id=190047
1452         https://trac.webkit.org/changeset/239153
1453
1454         "Unreviewed, build fix after r239153"
1455         https://bugs.webkit.org/show_bug.cgi?id=190047
1456         https://trac.webkit.org/changeset/239154
1457
1458         "Unreviewed, build fix after r239153, part 2"
1459         https://bugs.webkit.org/show_bug.cgi?id=190047
1460         https://trac.webkit.org/changeset/239155
1461
1462 2018-12-14  Keith Miller  <keith_miller@apple.com>
1463
1464         Callers of JSString::getIndex should check for OOM exceptions
1465         https://bugs.webkit.org/show_bug.cgi?id=192709
1466
1467         Reviewed by Mark Lam.
1468
1469         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1470
1471 2018-12-13  Mark Lam  <mark.lam@apple.com>
1472
1473         Add a missing exception check.
1474         https://bugs.webkit.org/show_bug.cgi?id=192626
1475         <rdar://problem/46662163>
1476
1477         Reviewed by Keith Miller.
1478
1479         * stress/regress-192626.js: Added.
1480
1481 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1482
1483         [BigInt] Add ValueDiv into DFG
1484         https://bugs.webkit.org/show_bug.cgi?id=186178
1485
1486         Reviewed by Yusuke Suzuki.
1487
1488         * stress/big-int-div-jit-osr.js: Added.
1489         * stress/big-int-div-jit-untyped.js: Added.
1490         * stress/value-div-fixup-int32-big-int.js: Added.
1491
1492 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1493
1494         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1495         https://bugs.webkit.org/show_bug.cgi?id=190047
1496
1497         Reviewed by Keith Miller.
1498
1499         * stress/object-keys-cached-zero.js: Added.
1500         (shouldBe):
1501         (test):
1502         * stress/object-keys-changed-attribute.js: Added.
1503         (shouldBe):
1504         (test):
1505         * stress/object-keys-changed-index.js: Added.
1506         (shouldBe):
1507         (test):
1508         * stress/object-keys-changed.js: Added.
1509         (shouldBe):
1510         (test):
1511         * stress/object-keys-indexed-non-cache.js: Added.
1512         (shouldBe):
1513         (test):
1514         * stress/object-keys-overrides-get-property-names.js: Added.
1515         (shouldBe):
1516         (test):
1517         (noInline):
1518
1519 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1520
1521         [DFG][FTL] Add NewSymbol
1522         https://bugs.webkit.org/show_bug.cgi?id=192620
1523
1524         Reviewed by Saam Barati.
1525
1526         * microbenchmarks/symbol-creation.js: Added.
1527         (test):
1528         * stress/symbol-description-identity.js: Added.
1529         (shouldBe):
1530         (test):
1531         * stress/symbol-identity.js: Added.
1532         (shouldBe):
1533         (test):
1534         * stress/symbol-with-description-throw-error.js: Added.
1535         (shouldBe):
1536         (shouldThrow):
1537         (test):
1538         (object.toString):
1539
1540 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1541
1542         [BigInt] Implement DFG/FTL typeof for BigInt
1543         https://bugs.webkit.org/show_bug.cgi?id=192619
1544
1545         Reviewed by Keith Miller.
1546
1547         * stress/big-int-boolean-proven-type.js: Added.
1548         (assert):
1549         (bool):
1550         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1551         (assert):
1552         (typeOf):
1553         (i.switch):
1554         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1555         (assert):
1556         (typeOf):
1557         * stress/big-int-type-of.js:
1558         (typeOf):
1559         (func):
1560
1561 2018-12-10  Mark Lam  <mark.lam@apple.com>
1562
1563         PropertyAttribute needs a CustomValue bit.
1564         https://bugs.webkit.org/show_bug.cgi?id=191993
1565         <rdar://problem/46264467>
1566
1567         Reviewed by Saam Barati.
1568
1569         * stress/regress-191993.js: Added.
1570
1571 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1572
1573         [BigInt] Add ValueMul into DFG
1574         https://bugs.webkit.org/show_bug.cgi?id=186175
1575
1576         Reviewed by Yusuke Suzuki.
1577
1578         * stress/big-int-mul-jit-osr.js: Added.
1579         * stress/big-int-mul-jit-untyped.js: Added.
1580         * stress/value-mul-fixup-int32-big-int.js: Added.
1581
1582 2018-12-06  Keith Miller  <keith_miller@apple.com>
1583
1584         stress/big-wasm-memory tests failing on 32-bit JSC bot
1585         https://bugs.webkit.org/show_bug.cgi?id=192020
1586
1587         Reviewed by Saam Barati.
1588
1589         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1590         the wasm stress tests if the WebAssembly object does not exist.
1591
1592         * stress/big-wasm-memory-grow-no-max.js:
1593         (test.foo):
1594         (test):
1595         (foo): Deleted.
1596         (catch): Deleted.
1597         * stress/big-wasm-memory-grow.js:
1598         (test.foo):
1599         (test):
1600         (foo): Deleted.
1601         (catch): Deleted.
1602         * stress/big-wasm-memory.js:
1603         (test.foo):
1604         (test):
1605         (foo): Deleted.
1606         (catch): Deleted.
1607
1608 2018-12-05  Mark Lam  <mark.lam@apple.com>
1609
1610         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1611         https://bugs.webkit.org/show_bug.cgi?id=192441
1612         <rdar://problem/46480355>
1613
1614         Reviewed by Saam Barati.
1615
1616         * stress/regress-192441.js: Added.
1617
1618 2018-12-04  Mark Lam  <mark.lam@apple.com>
1619
1620         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1621         https://bugs.webkit.org/show_bug.cgi?id=192386
1622         <rdar://problem/46445516>
1623
1624         Reviewed by Saam Barati.
1625
1626         * stress/regress-192386.js: Added.
1627
1628 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1629
1630         [ESNext][BigInt] Support logic operations
1631         https://bugs.webkit.org/show_bug.cgi?id=179903
1632
1633         Reviewed by Yusuke Suzuki.
1634
1635         * stress/big-int-branch-usage.js: Added.
1636         * stress/big-int-logical-and.js: Added.
1637         * stress/big-int-logical-not.js: Added.
1638         * stress/big-int-logical-or.js: Added.
1639
1640 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1641
1642         Unreviewed, rolling out r238833.
1643
1644         Breaks macOS and iOS debug builds.
1645
1646         Reverted changeset:
1647
1648         "[ESNext][BigInt] Support logic operations"
1649         https://bugs.webkit.org/show_bug.cgi?id=179903
1650         https://trac.webkit.org/changeset/238833
1651
1652 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1653
1654         [ESNext][BigInt] Support logic operations
1655         https://bugs.webkit.org/show_bug.cgi?id=179903
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         * stress/big-int-branch-usage.js: Added.
1660         * stress/big-int-logical-and.js: Added.
1661         * stress/big-int-logical-not.js: Added.
1662         * stress/big-int-logical-or.js: Added.
1663
1664 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1665
1666         [ESNext][BigInt] Implement support for "<<" and ">>"
1667         https://bugs.webkit.org/show_bug.cgi?id=186233
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         * stress/big-int-left-shift-general.js: Added.
1672         * stress/big-int-left-shift-range-error.js: Added.
1673         * stress/big-int-left-shift-type-error.js: Added.
1674         * stress/big-int-left-shift-wrapped-value.js: Added.
1675         * stress/big-int-right-shift-general.js: Added.
1676         * stress/big-int-right-shift-type-error.js: Added.
1677         * stress/big-int-right-shift-wrapped-value.js: Added.
1678         * stress/left-shift-to-primitive-precedence.js: Added.
1679         * stress/right-shift-to-primitive-precedence.js: Added.
1680
1681 2018-11-30  Dean Jackson  <dino@apple.com>
1682
1683         Add first-class support for .mjs files in jsc binary
1684         https://bugs.webkit.org/show_bug.cgi?id=192190
1685         <rdar://problem/46375715>
1686
1687         Reviewed by Keith Miller.
1688
1689         * stress/simple-module.mjs: Added.
1690         * stress/simple-script.js: Added.
1691
1692 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1693
1694         [BigInt] Implement ValueBitXor into DFG
1695         https://bugs.webkit.org/show_bug.cgi?id=190264
1696
1697         Reviewed by Yusuke Suzuki.
1698
1699         * stress/big-int-bitwise-xor-jit.js: Added.
1700         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1701         * stress/big-int-bitwise-xor-untyped.js: Added.
1702
1703 2018-11-27  Saam barati  <sbarati@apple.com>
1704
1705         r238510 broke scopes of size zero
1706         https://bugs.webkit.org/show_bug.cgi?id=192033
1707         <rdar://problem/46281734>
1708
1709         Reviewed by Keith Miller.
1710
1711         * stress/r238510-bad-loop.js: Added.
1712         (foo):
1713
1714 2018-11-27  Mark Lam  <mark.lam@apple.com>
1715
1716         [Re-landing] NaNs read from Wasm code needs to be be purified.
1717         https://bugs.webkit.org/show_bug.cgi?id=191056
1718         <rdar://problem/45660341>
1719
1720         Reviewed by Filip Pizlo.
1721
1722         * wasm/regress/regress-191056.js: Added.
1723
1724 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1725
1726         Unreviewed, rolling out r238509.
1727
1728         Causes JSC tests to fail on iOS.
1729
1730         Reverted changeset:
1731
1732         "NaNs read from Wasm code needs to be be purified."
1733         https://bugs.webkit.org/show_bug.cgi?id=191056
1734         https://trac.webkit.org/changeset/238509
1735
1736 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1737
1738         Re-introduce op_bitnot
1739         https://bugs.webkit.org/show_bug.cgi?id=190923
1740
1741         Reviewed by Yusuke Suzuki.
1742
1743         * stress/bit-not-must-generate.js: Added.
1744         * stress/bitwise-not-no-int32.js: Added.
1745
1746 2018-11-26  Saam barati  <sbarati@apple.com>
1747
1748         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1749         https://bugs.webkit.org/show_bug.cgi?id=191956
1750         <rdar://problem/45665806>
1751
1752         Reviewed by Yusuke Suzuki.
1753
1754         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1755         (bar):
1756         (foo):
1757
1758 2018-11-26  Saam barati  <sbarati@apple.com>
1759
1760         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1761         https://bugs.webkit.org/show_bug.cgi?id=191958
1762         <rdar://problem/46221877>
1763
1764         Reviewed by Yusuke Suzuki.
1765
1766         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1767         (x):
1768         (foo):
1769
1770 2018-11-26  Mark Lam  <mark.lam@apple.com>
1771
1772         NaNs read from Wasm code needs to be be purified.
1773         https://bugs.webkit.org/show_bug.cgi?id=191056
1774         <rdar://problem/45660341>
1775
1776         Reviewed by Filip Pizlo.
1777
1778         * wasm/regress/regress-191056.js: Added.
1779
1780 2018-11-26  Michael Saboff  <msaboff@apple.com>
1781
1782         32-bit JSC test failure: stress/regexp-compile-oom.js
1783         https://bugs.webkit.org/show_bug.cgi?id=191375
1784
1785         Reviewed by Mark Lam.
1786
1787         Disabled the test for 32 bit platforms.
1788
1789         * stress/regexp-compile-oom.js:
1790
1791 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1792
1793         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1794         https://bugs.webkit.org/show_bug.cgi?id=191716
1795         <rdar://problem/45723878>
1796
1797         Reviewed by Saam Barati.
1798
1799         * stress/regress-187373.js: Added.
1800         (async.fn):
1801
1802 2018-11-21  Saam barati  <sbarati@apple.com>
1803
1804         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1805         https://bugs.webkit.org/show_bug.cgi?id=191897
1806         <rdar://problem/45871998>
1807
1808         Reviewed by Mark Lam.
1809
1810         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1811         (bar):
1812         (foo):
1813
1814 2018-11-21  Saam barati  <sbarati@apple.com>
1815
1816         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1817         https://bugs.webkit.org/show_bug.cgi?id=191895
1818         <rdar://problem/46167406>
1819
1820         Reviewed by Mark Lam.
1821
1822         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1823         (foo):
1824         (bar):
1825
1826 2018-11-21  Mark Lam  <mark.lam@apple.com>
1827
1828         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1829         https://bugs.webkit.org/show_bug.cgi?id=191776
1830         <rdar://problem/46152851>
1831
1832         Reviewed by Saam Barati.
1833
1834         * stress/big-wasm-memory-grow-no-max.js:
1835         * stress/big-wasm-memory-grow.js:
1836         * stress/big-wasm-memory.js:
1837         - updated these to expect an OutOfMemoryError.
1838
1839         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1840         (Binary.prototype.emit_u8):
1841         (Binary.prototype.emit_u32v):
1842         (Binary.prototype.emit_header):
1843         (Binary.prototype.emit_section):
1844         (Binary):
1845         (WasmModuleBuilder):
1846         (WasmModuleBuilder.prototype.addMemory):
1847         (WasmModuleBuilder.prototype.toArray):
1848         (WasmModuleBuilder.prototype.toBuffer):
1849         (WasmModuleBuilder.prototype.instantiate):
1850         (catch):
1851         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1852         (catch):
1853
1854 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1855
1856         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1857         https://bugs.webkit.org/show_bug.cgi?id=190836
1858
1859         Reviewed by Saam Barati and Yusuke Suzuki.
1860
1861         * stress/big-int-out-of-memory-tests.js: Added.
1862
1863 2018-11-20  Mark Lam  <mark.lam@apple.com>
1864
1865         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1866         https://bugs.webkit.org/show_bug.cgi?id=191856
1867         <rdar://problem/46089992>
1868
1869         Reviewed by Yusuke Suzuki.
1870
1871         * stress/regress-191856.js: Added.
1872         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1873
1874 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1875
1876         Enable JIT on ARM/Linux
1877         https://bugs.webkit.org/show_bug.cgi?id=191548
1878
1879         Reviewed by Yusuke Suzuki.
1880
1881         Disable test on system with limited memory. Program was killed by
1882         the OS before the exception was thrown.
1883
1884         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1885
1886 2018-11-20  Saam barati  <sbarati@apple.com>
1887
1888         Merging an IC variant may lead to the IC status containing overlapping structure sets
1889         https://bugs.webkit.org/show_bug.cgi?id=191869
1890         <rdar://problem/45403453>
1891
1892         Reviewed by Mark Lam.
1893
1894         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1895
1896 2018-11-19  Mark Lam  <mark.lam@apple.com>
1897
1898         globalFuncImportModule() should return a promise when it clears exceptions.
1899         https://bugs.webkit.org/show_bug.cgi?id=191792
1900         <rdar://problem/46090763>
1901
1902         Reviewed by Michael Saboff.
1903
1904         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1905
1906 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1907
1908         Skip new memory-hungry tests on memory limited devices
1909
1910         Unreviewed gardening.
1911
1912         * stress/big-wasm-memory-grow-no-max.js:
1913         * stress/big-wasm-memory-grow.js:
1914         * stress/big-wasm-memory.js:
1915
1916 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1917
1918         Unreviewed, rolling in the rest of r237254
1919         https://bugs.webkit.org/show_bug.cgi?id=190340
1920
1921         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1922         * stress/function-cache-with-parameters-end-position.js: Added.
1923         (shouldBe):
1924         (shouldThrow):
1925         (i.anonymous):
1926         * stress/function-constructor-name.js: Added.
1927         (shouldBe):
1928         (GeneratorFunction):
1929         (AsyncFunction.async):
1930         (AsyncGeneratorFunction.async):
1931         (anonymous):
1932         (async.anonymous):
1933         * test262/expectations.yaml:
1934
1935 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1936
1937         All users of ArrayBuffer should agree on the same max size
1938         https://bugs.webkit.org/show_bug.cgi?id=191771
1939
1940         Reviewed by Mark Lam.
1941
1942         * stress/big-wasm-memory-grow-no-max.js: Added.
1943         (foo):
1944         (catch):
1945         * stress/big-wasm-memory-grow.js: Added.
1946         (foo):
1947         (catch):
1948         * stress/big-wasm-memory.js: Added.
1949         (foo):
1950         (catch):
1951
1952 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1953
1954         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1955         run for each JSC config since they're regression tests for runtime bugs.
1956
1957         * stress/json-stringified-overflow-2.js:
1958         * stress/json-stringified-overflow.js:
1959
1960 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1961
1962         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1963         config since they're regression tests for runtime bugs.
1964
1965         * stress/large-unshift-splice.js:
1966         * stress/regress-185888.js:
1967
1968 2018-11-16  Saam Barati  <sbarati@apple.com>
1969
1970         KnownCellUse should also have SpecCellCheck as its type filter
1971         https://bugs.webkit.org/show_bug.cgi?id=191729
1972         <rdar://problem/45872852>
1973
1974         Reviewed by Filip Pizlo.
1975
1976         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1977         (C):
1978
1979 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1980
1981         Fix assertion failure on BytecodeGenerator::recordOpcode
1982         https://bugs.webkit.org/show_bug.cgi?id=191724
1983         <rdar://problem/45724395>
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/regress-187373-2.js: Added.
1988         (foo):
1989
1990 2018-11-15  Mark Lam  <mark.lam@apple.com>
1991
1992         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1993         https://bugs.webkit.org/show_bug.cgi?id=191730
1994         <rdar://problem/46048517>
1995
1996         Reviewed by Saam Barati.
1997
1998         * stress/regress-187006.js: Removed.
1999           - this test is invalid because its sole purpose is to test for the non-spec
2000             compliant behavior that we just fixed.
2001
2002         * stress/regress-191730.js: Added.
2003
2004 2018-11-15  Mark Lam  <mark.lam@apple.com>
2005
2006         RegExp operations should not take fast patch if lastIndex is not numeric.
2007         https://bugs.webkit.org/show_bug.cgi?id=191731
2008         <rdar://problem/46017305>
2009
2010         Reviewed by Saam Barati.
2011
2012         * stress/regress-191731.js: Added.
2013
2014 2018-11-13  Saam Barati  <sbarati@apple.com>
2015
2016         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2017         https://bugs.webkit.org/show_bug.cgi?id=191600
2018
2019         Reviewed by Mark Lam.
2020
2021         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2022         (foo):
2023         (test):
2024         (bar):
2025
2026 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2027
2028         Unreviewed, rolling out r238132.
2029
2030         The test added with this change is timing out on Debug JSC
2031         bots.
2032
2033         Reverted changeset:
2034
2035         "[BigInt] JSBigInt::createWithLength should throw when length
2036         is greater than JSBigInt::maxLength"
2037         https://bugs.webkit.org/show_bug.cgi?id=190836
2038         https://trac.webkit.org/changeset/238132
2039
2040 2018-11-13  Mark Lam  <mark.lam@apple.com>
2041
2042         Add OOM detection to StringPrototype's substituteBackreferences().
2043         https://bugs.webkit.org/show_bug.cgi?id=191563
2044         <rdar://problem/45720428>
2045
2046         Reviewed by Saam Barati.
2047
2048         * stress/regress-191563.js: Added.
2049
2050 2018-11-13  Mark Lam  <mark.lam@apple.com>
2051
2052         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2053         https://bugs.webkit.org/show_bug.cgi?id=191579
2054         <rdar://problem/45942472>
2055
2056         Reviewed by Saam Barati.
2057
2058         * stress/regress-191579.js: Added.
2059
2060 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2061
2062         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2063         https://bugs.webkit.org/show_bug.cgi?id=190836
2064
2065         Reviewed by Saam Barati.
2066
2067         * stress/big-int-out-of-memory-tests.js: Added.
2068
2069 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2070
2071         U+180E is no longer a whitespace character
2072         https://bugs.webkit.org/show_bug.cgi?id=191415
2073
2074         Reviewed by Saam Barati.
2075
2076         * ChakraCore/test/es5/regexSpace.baseline:
2077         * ChakraCore/test/es6/unicode_whitespace.js:
2078         Update tests to latest version.
2079         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2080
2081         * test262.yaml:
2082         * test262/config.yaml:
2083         * test262/expectations.yaml:
2084         Update expectations.
2085
2086 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2087
2088         [BigInt] Add support to BigInt into ValueAdd
2089         https://bugs.webkit.org/show_bug.cgi?id=186177
2090
2091         Reviewed by Keith Miller.
2092
2093         * stress/big-int-negate-jit.js:
2094         * stress/value-add-big-int-and-string.js: Added.
2095         * stress/value-add-big-int-prediction-propagation.js: Added.
2096         * stress/value-add-big-int-untyped.js: Added.
2097
2098 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2099
2100         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2101         https://bugs.webkit.org/show_bug.cgi?id=191184
2102
2103         Reviewed by Saam Barati.
2104
2105         Most tests were failing due to timeouts, since they are too slow to
2106         run on CLoop. The exceptions are:
2107
2108         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2109         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2110         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2111         to change the stack size since CLoop requires it to be page aligned.
2112
2113         * microbenchmarks/array-push-1.js:
2114         * microbenchmarks/array-push-2.js:
2115         * microbenchmarks/elidable-new-object-dag.js:
2116         * microbenchmarks/elidable-new-object-roflcopter.js:
2117         * microbenchmarks/elidable-new-object-tree.js:
2118         * microbenchmarks/getter-richards.js:
2119         * microbenchmarks/sinkable-new-object-dag.js:
2120         * microbenchmarks/string-concat-long-convert.js:
2121         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2122         * slowMicrobenchmarks/array-push-3.js:
2123         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2124         * slowMicrobenchmarks/spread-small-array.js:
2125         * slowMicrobenchmarks/undefined-property-access.js:
2126         * stress/activation-sink-default-value-tdz-error.js:
2127         * stress/activation-sink-default-value.js:
2128         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2129         * stress/activation-sink-osrexit-default-value.js:
2130         * stress/activation-sink-osrexit.js:
2131         * stress/activation-sink.js:
2132         * stress/allow-math-ic-b3-code-duplication.js:
2133         * stress/array-push-multiple-int32.js:
2134         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2135         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2136         * stress/arrowfunction-lexical-this-activation-sink.js:
2137         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2138         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2139         * stress/elide-new-object-dag-then-exit.js:
2140         * stress/materialize-regexp-cyclic.js:
2141         * stress/new-regex-inline.js:
2142         * stress/op_add.js:
2143         * stress/op_bitand.js:
2144         * stress/op_bitor.js:
2145         * stress/op_bitxor.js:
2146         * stress/op_div-ConstVar.js:
2147         * stress/op_div-VarConst.js:
2148         * stress/op_div-VarVar.js:
2149         * stress/op_lshift-ConstVar.js:
2150         * stress/op_lshift-VarConst.js:
2151         * stress/op_lshift-VarVar.js:
2152         * stress/op_mod-ConstVar.js:
2153         * stress/op_mod-VarConst.js:
2154         * stress/op_mod-VarVar.js:
2155         * stress/op_mul-ConstVar.js:
2156         * stress/op_mul-VarConst.js:
2157         * stress/op_mul-VarVar.js:
2158         * stress/op_rshift-ConstVar.js:
2159         * stress/op_rshift-VarConst.js:
2160         * stress/op_rshift-VarVar.js:
2161         * stress/op_sub-ConstVar.js:
2162         * stress/op_sub-VarConst.js:
2163         * stress/op_sub-VarVar.js:
2164         * stress/op_urshift-ConstVar.js:
2165         * stress/op_urshift-VarConst.js:
2166         * stress/op_urshift-VarVar.js:
2167         * stress/proxy-get-set-correct-receiver.js:
2168         * stress/regress-179562.js:
2169         * stress/rest-parameter-many-arguments.js:
2170         * stress/sampling-profiler-richards.js:
2171         * stress/splay-flash-access-1ms.js:
2172         * stress/tailCallForwardArguments.js:
2173         * stress/typed-array-get-by-val-profiling.js:
2174         * typeProfiler/getter-richards.js:
2175
2176 2018-11-06  Michael Saboff  <msaboff@apple.com>
2177
2178         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2179         https://bugs.webkit.org/show_bug.cgi?id=191271
2180
2181         Reviewed by Saam Barati.
2182
2183         Added more test cases and made all test cases run with the same deeply recursive stack
2184         instead of finding that same point for each test case.
2185
2186         * stress/regexp-compile-oom.js:
2187         (prototype.runTest):
2188         (recurseAndTest):
2189         (testList.push.new.TestAndExpectedException):
2190
2191 2018-11-05  Michael Saboff  <msaboff@apple.com>
2192
2193         Unreviewed build fix for linux.
2194
2195         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2196
2197 2018-11-02  Michael Saboff  <msaboff@apple.com>
2198
2199         Rolling in r237753 with unreviewed build fix.
2200
2201         Fixed issues with DECLARE_THROW_SCOPE placement.
2202
2203 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2204
2205         Unreviewed, rolling out r237753.
2206
2207         Introduced JSC test failures
2208
2209         Reverted changeset:
2210
2211         "Running out of stack space not properly handled in
2212         RegExp::compile() and its callers"
2213         https://bugs.webkit.org/show_bug.cgi?id=191206
2214         https://trac.webkit.org/changeset/237753
2215
2216 2018-11-02  Michael Saboff  <msaboff@apple.com>
2217
2218         Running out of stack space not properly handled in RegExp::compile() and its callers
2219         https://bugs.webkit.org/show_bug.cgi?id=191206
2220
2221         Reviewed by Filip Pizlo.
2222
2223         New regression test.
2224
2225         * stress/regexp-compile-oom.js: Added.
2226         (recurseAndTest):
2227
2228 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2229
2230         Skip tests on arm/mips that time out now we're running on CLoop
2231
2232         Unreviewed gardening.
2233
2234         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2235         time out on the bots and need to be disabled. There's more tests
2236         disabled on arm because the timeout is longer on the mips bot (as the
2237         device is slower to start with), so many of the tests don't time out
2238         there.
2239
2240         * microbenchmarks/getter-richards.js: disable on arm and mips.
2241         * stress/op_add.js: disable on arm.
2242         * stress/op_bitand.js: disable on arm.
2243         * stress/op_bitor.js: disable on arm.
2244         * stress/op_bitxor.js: disable on arm.
2245         * stress/op_lshift-ConstVar.js: disable on arm.
2246         * stress/op_lshift-VarConst.js: disable on arm.
2247         * stress/op_lshift-VarVar.js: disable on arm.
2248         * stress/op_mod-ConstVar.js: disable on arm.
2249         * stress/op_mod-VarConst.js: disable on arm.
2250         * stress/op_mod-VarVar.js: disable on arm.
2251         * stress/op_mul-ConstVar.js: disable on arm.
2252         * stress/op_mul-VarConst.js: disable on arm.
2253         * stress/op_mul-VarVar.js: disable on arm.
2254         * stress/op_rshift-ConstVar.js: disable on arm.
2255         * stress/op_rshift-VarConst.js: disable on arm.
2256         * stress/op_rshift-VarVar.js: disable on arm.
2257         * stress/op_sub-ConstVar.js: disable on arm.
2258         * stress/op_sub-VarConst.js: disable on arm.
2259         * stress/op_sub-VarVar.js: disable on arm.
2260         * stress/op_urshift-ConstVar.js: disable on arm.
2261         * stress/op_urshift-VarConst.js: disable on arm.
2262         * stress/op_urshift-VarVar.js: disable on arm.
2263         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2264         * stress/value-to-boolean.js: disable on arm and mips.
2265
2266 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2267
2268         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2269         https://bugs.webkit.org/show_bug.cgi?id=191108
2270         <rdar://problem/45690700>
2271
2272         Reviewed by Saam Barati.
2273
2274         * stress/wide-op_catch.js: Added.
2275         (catch):
2276
2277 2018-10-29  Mark Lam  <mark.lam@apple.com>
2278
2279         Correctly detect string overflow when using the 'Function' constructor.
2280         https://bugs.webkit.org/show_bug.cgi?id=184883
2281         <rdar://problem/36320331>
2282
2283         Reviewed by Saam Barati.
2284
2285         I've verified that this passes on 32-bit as well.
2286
2287         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2288
2289 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2290
2291         Add support for GetStack FlushedDouble
2292         https://bugs.webkit.org/show_bug.cgi?id=191012
2293         <rdar://problem/45265141>
2294
2295         Reviewed by Saam Barati.
2296
2297         * stress/get-stack-double.js: Added.
2298         (bar):
2299         (noInline):
2300
2301 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2302
2303         New bytecode format for JSC
2304         https://bugs.webkit.org/show_bug.cgi?id=187373
2305         <rdar://problem/44186758>
2306
2307         Reviewed by Filip Pizlo.
2308
2309         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2310
2311         * stress/maximum-inline-capacity.js: Added.
2312         (test1):
2313         (test3.Foo):
2314         (test3):
2315
2316 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2317
2318         Unreviewed, rolling out r237479 and r237484.
2319         https://bugs.webkit.org/show_bug.cgi?id=190978
2320
2321         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2322
2323         Reverted changesets:
2324
2325         "New bytecode format for JSC"
2326         https://bugs.webkit.org/show_bug.cgi?id=187373
2327         https://trac.webkit.org/changeset/237479
2328
2329         "Gardening: Build fix after r237479."
2330         https://bugs.webkit.org/show_bug.cgi?id=187373
2331         https://trac.webkit.org/changeset/237484
2332
2333 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2334
2335         New bytecode format for JSC
2336         https://bugs.webkit.org/show_bug.cgi?id=187373
2337         <rdar://problem/44186758>
2338
2339         Reviewed by Filip Pizlo.
2340
2341         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2342
2343         * stress/maximum-inline-capacity.js: Added.
2344         (test1):
2345         (test3.Foo):
2346         (test3):
2347
2348 2018-10-26  Mark Lam  <mark.lam@apple.com>
2349
2350         Fix missing edge cases with JSGlobalObjects having a bad time.
2351         https://bugs.webkit.org/show_bug.cgi?id=189028
2352         <rdar://problem/45204939>
2353
2354         Reviewed by Saam Barati.
2355
2356         * stress/regress-189028.js: Added.
2357
2358 2018-10-22  Mark Lam  <mark.lam@apple.com>
2359
2360         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2361         https://bugs.webkit.org/show_bug.cgi?id=190515
2362         <rdar://problem/45222379>
2363
2364         Rubber-stamped by Saam Barati.
2365
2366         Adding another test.
2367
2368         * stress/regress-190515-2.js: Added.
2369
2370 2018-10-22  Mark Lam  <mark.lam@apple.com>
2371
2372         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2373         https://bugs.webkit.org/show_bug.cgi?id=190515
2374         <rdar://problem/45222379>
2375
2376         Reviewed by Saam Barati.
2377
2378         * stress/regress-190515.js: Added.
2379
2380 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2381
2382         Unreviewed, rolling out r237254.
2383         https://bugs.webkit.org/show_bug.cgi?id=190760
2384
2385         "It regresses JetStream 2 by 5% on some iOS devices"
2386         (Requested by saamyjoon on #webkit).
2387
2388         Reverted changeset:
2389
2390         "[JSC] JSC should have "parseFunction" to optimize Function
2391         constructor"
2392         https://bugs.webkit.org/show_bug.cgi?id=190340
2393         https://trac.webkit.org/changeset/237254
2394
2395 2018-10-19  Saam Barati  <sbarati@apple.com>
2396
2397         vmCall should check if we exit before emitting an OSR exit due to exceptions
2398         https://bugs.webkit.org/show_bug.cgi?id=190740
2399         <rdar://problem/45220139>
2400
2401         Reviewed by Mark Lam.
2402
2403         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2404         (foo):
2405
2406 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2407
2408         [ESNext][BigInt] Implement support for "^"
2409         https://bugs.webkit.org/show_bug.cgi?id=186235
2410
2411         Reviewed by Yusuke Suzuki.
2412
2413         * stress/big-int-bitwise-xor-general.js: Added.
2414         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2415         * stress/big-int-bitwise-xor-type-error.js: Added.
2416         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2417
2418 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2419
2420         [BigInt] Add ValueSub into DFG
2421         https://bugs.webkit.org/show_bug.cgi?id=186176
2422
2423         Reviewed by Yusuke Suzuki.
2424
2425         * stress/big-int-subtraction-jit.js:
2426         * stress/value-sub-big-int-prediction-propagation.js: Added.
2427         * stress/value-sub-big-int-untyped.js: Added.
2428         * stress/value-sub-spec-none-case.js: Added.
2429
2430 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2431
2432         [JSC] JSC should have "parseFunction" to optimize Function constructor
2433         https://bugs.webkit.org/show_bug.cgi?id=190340
2434
2435         Reviewed by Mark Lam.
2436
2437         This patch fixes the line number of syntax errors raised by the Function constructor,
2438         since we now parse the final code only once. And we no longer use block statement
2439         for Function constructor's parsing.
2440
2441         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2442         * stress/function-cache-with-parameters-end-position.js: Added.
2443         (shouldBe):
2444         (shouldThrow):
2445         (i.anonymous):
2446         * stress/function-constructor-name.js: Added.
2447         (shouldBe):
2448         (GeneratorFunction):
2449         (AsyncFunction.async):
2450         (AsyncGeneratorFunction.async):
2451         (anonymous):
2452         (async.anonymous):
2453         * test262/expectations.yaml:
2454
2455 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2456
2457         Unreviewed, rolling out r237242.
2458         https://bugs.webkit.org/show_bug.cgi?id=190701
2459
2460         it breaks "stress/sampling-profiler-basic.js" (Requested by
2461         caiolima on #webkit).
2462
2463         Reverted changeset:
2464
2465         "[BigInt] Add ValueSub into DFG"
2466         https://bugs.webkit.org/show_bug.cgi?id=186176
2467         https://trac.webkit.org/changeset/237242
2468
2469 2018-10-17  Keith Miller  <keith_miller@apple.com>
2470
2471         AI does not clear Phantom allocation nodes.
2472         https://bugs.webkit.org/show_bug.cgi?id=190694
2473
2474         Reviewed by Saam Barati.
2475
2476         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2477         (Day):
2478         (DaysInYear):
2479         (TimeInYear):
2480         (TimeFromYear):
2481         (DayFromYear):
2482         (InLeapYear):
2483         (YearFromTime):
2484         (WeekDay):
2485         (DaylightSavingTA):
2486         (GetSecondSundayInMarch):
2487         (TimeInMonth):
2488
2489 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2490
2491         [BigInt] Add ValueSub into DFG
2492         https://bugs.webkit.org/show_bug.cgi?id=186176
2493
2494         Reviewed by Yusuke Suzuki.
2495
2496         * stress/big-int-subtraction-jit.js:
2497         * stress/value-sub-big-int-prediction-propagation.js: Added.
2498         * stress/value-sub-big-int-untyped.js: Added.
2499
2500 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2501
2502         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2503         https://bugs.webkit.org/show_bug.cgi?id=190611
2504
2505         Reviewed by Saam Barati.
2506
2507         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2508         to improve test runtime. On ARM/MIPS this test even timed out when running all
2509         tests.
2510
2511         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2512         (test):
2513
2514 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2515
2516         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2517
2518         Unreviewed gardening.
2519
2520         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2521
2522 2018-10-15  Saam barati  <sbarati@apple.com>
2523
2524         Emit fjcvtzs on ARM64E on Darwin
2525         https://bugs.webkit.org/show_bug.cgi?id=184023
2526
2527         Reviewed by Yusuke Suzuki and Filip Pizlo.
2528
2529         * stress/double-to-int32-NaN.js: Added.
2530         (assert):
2531         (foo):
2532
2533 2018-10-15  Saam Barati  <sbarati@apple.com>
2534
2535         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2536         https://bugs.webkit.org/show_bug.cgi?id=190262
2537         <rdar://problem/44986241>
2538
2539         Reviewed by Mark Lam.
2540
2541         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2542         (test):
2543         * stress/slice-array-storage-with-holes.js: Added.
2544         (main):
2545
2546 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2547
2548         Unreviewed, rolling out r237054.
2549         https://bugs.webkit.org/show_bug.cgi?id=190593
2550
2551         "this regressed JetStream 2 by 6% on iOS" (Requested by
2552         saamyjoon on #webkit).
2553
2554         Reverted changeset:
2555
2556         "[JSC] JSC should have "parseFunction" to optimize Function
2557         constructor"
2558         https://bugs.webkit.org/show_bug.cgi?id=190340
2559         https://trac.webkit.org/changeset/237054
2560
2561 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2562
2563         [JSC] JSON.stringify can accept call-with-no-arguments
2564         https://bugs.webkit.org/show_bug.cgi?id=190343
2565
2566         Reviewed by Mark Lam.
2567
2568         * stress/json-stringify-no-arguments.js: Added.
2569         (shouldBe):
2570
2571 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2572
2573         [JSC] JSC should have "parseFunction" to optimize Function constructor
2574         https://bugs.webkit.org/show_bug.cgi?id=190340
2575
2576         Reviewed by Mark Lam.
2577
2578         This patch fixes the line number of syntax errors raised by the Function constructor,
2579         since we now parse the final code only once. And we no longer use block statement
2580         for Function constructor's parsing.
2581
2582         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2583         * stress/function-cache-with-parameters-end-position.js: Added.
2584         (shouldBe):
2585         (shouldThrow):
2586         (i.anonymous):
2587         * stress/function-constructor-name.js: Added.
2588         (shouldBe):
2589         (GeneratorFunction):
2590         (AsyncFunction.async):
2591         (AsyncGeneratorFunction.async):
2592         (anonymous):
2593         (async.anonymous):
2594         * test262/expectations.yaml:
2595
2596 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2597
2598         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2599         https://bugs.webkit.org/show_bug.cgi?id=190426
2600
2601         Unreviewed gardening.
2602
2603         * stress/sampling-profiler-richards.js:
2604
2605 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2606
2607         [ESNext][BigInt] Implement support for "|"
2608         https://bugs.webkit.org/show_bug.cgi?id=186229
2609
2610         Reviewed by Yusuke Suzuki.
2611
2612         * stress/big-int-bitwise-and-jit.js:
2613         * stress/big-int-bitwise-or-general.js: Added.
2614         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2615         * stress/big-int-bitwise-or-jit.js: Added.
2616         * stress/big-int-bitwise-or-memory-stress.js: Added.
2617         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2618         * stress/big-int-bitwise-or-type-error.js: Added.
2619         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2620
2621 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2622
2623         Skip test on systems with limited memory
2624         https://bugs.webkit.org/show_bug.cgi?id=190310
2625
2626         Invoking runDefault adds test to runlist, skipping the test in the next
2627         line does not prevent the test from executing. Change order of lines such
2628         that runDefault is only executed if test is not executed.
2629
2630         Reviewed by Mark Lam.
2631
2632         * stress/regress-190187.js:
2633
2634 2018-10-03  Saam barati  <sbarati@apple.com>
2635
2636         lowXYZ in FTLLower should always filter the type of the incoming edge
2637         https://bugs.webkit.org/show_bug.cgi?id=189939
2638         <rdar://problem/44407030>
2639
2640         Reviewed by Michael Saboff.
2641
2642         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2643         (foo):
2644         (test):
2645
2646 2018-10-03  Mark Lam  <mark.lam@apple.com>
2647
2648         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2649         https://bugs.webkit.org/show_bug.cgi?id=190187
2650         <rdar://problem/42512909>
2651
2652         Reviewed by Michael Saboff.
2653
2654         * stress/regress-190187.js: Added.
2655
2656 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2657
2658         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2659         https://bugs.webkit.org/show_bug.cgi?id=190033
2660
2661         Reviewed by Yusuke Suzuki.
2662
2663         * stress/big-int-to-string.js:
2664
2665 2018-10-01  Mark Lam  <mark.lam@apple.com>
2666
2667         Function.toString() should also copy the source code Functions that are class definitions.
2668         https://bugs.webkit.org/show_bug.cgi?id=190186
2669         <rdar://problem/44733360>
2670
2671         Reviewed by Saam Barati.
2672
2673         * stress/regress-190186.js: Added.
2674
2675 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2676
2677         Split NaN-check into separate test
2678         https://bugs.webkit.org/show_bug.cgi?id=190010
2679
2680         Reviewed by Saam Barati.
2681
2682         DataView exposes NaN-representation, which is not necessarily the same on each
2683         architecture. Therefore move the check of the NaN-representation into its own
2684         file such that we can disable this test on MIPS where NaN-representation can be
2685         different on older CPUs.
2686
2687         * stress/dataview-jit-set-nan.js: Added.
2688         (assert):
2689         (test.storeLittleEndian):
2690         (test.storeBigEndian):
2691         (test.store):
2692         (test):
2693         * stress/dataview-jit-set.js:
2694         (test5):
2695
2696 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2697
2698         Unreviewed, rolling out r236647.
2699         https://bugs.webkit.org/show_bug.cgi?id=190124
2700
2701         Breaking test stress/big-int-to-string.js (Requested by
2702         caiolima_ on #webkit).
2703
2704         Reverted changeset:
2705
2706         "[BigInt] BigInt.proptotype.toString is broken when radix is
2707         power of 2"
2708         https://bugs.webkit.org/show_bug.cgi?id=190033
2709         https://trac.webkit.org/changeset/236647
2710
2711 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2712
2713         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2714         https://bugs.webkit.org/show_bug.cgi?id=190033
2715
2716         Reviewed by Yusuke Suzuki.
2717
2718         * stress/big-int-to-string.js:
2719
2720 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2721
2722         [ESNext][BigInt] Implement support for "&"
2723         https://bugs.webkit.org/show_bug.cgi?id=186228
2724
2725         Reviewed by Yusuke Suzuki.
2726
2727         * stress/big-int-bitwise-and-general.js: Added.
2728         (assert):
2729         (assert.sameValue):
2730         * stress/big-int-bitwise-and-jit.js: Added.
2731         (let.assert.sameValue):
2732         (bigIntBitAnd):
2733         * stress/big-int-bitwise-and-memory-stress.js: Added.
2734         (assert):
2735         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2736         (assert.sameValue):
2737         (let.o.Symbol.toPrimitive):
2738         (catch):
2739         * stress/big-int-bitwise-and-type-error.js: Added.
2740         (assert):
2741         (assertThrowTypeError):
2742         (let.o.valueOf):
2743         (o.valueOf):
2744         (o.toString):
2745         (o.Symbol.toPrimitive):
2746         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2747         (assert.sameValue):
2748         (testBitAnd):
2749         (let.o.Symbol.toPrimitive):
2750         (o.valueOf):
2751         (o.toString):
2752
2753 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2754
2755         JSC test stress/jsc-read.js doesn't support CRLF
2756         https://bugs.webkit.org/show_bug.cgi?id=190063
2757
2758         Reviewed by Yusuke Suzuki.
2759
2760         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2761
2762         * stress/jsc-read.js:
2763         (test):
2764
2765 2018-09-27  Saam barati  <sbarati@apple.com>
2766
2767         Verify the contents of AssemblerBuffer on arm64e
2768         https://bugs.webkit.org/show_bug.cgi?id=190057
2769         <rdar://problem/38916630>
2770
2771         Reviewed by Mark Lam.
2772
2773         * stress/regress-189132.js:
2774
2775 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2776
2777         Disable test without LLInt on ARMv7
2778         https://bugs.webkit.org/show_bug.cgi?id=190037
2779
2780         Reviewed by Mark Lam.
2781
2782         Test runs out of executable memory on ARMv7, do not run
2783         this test without LLInt enabled.
2784
2785         * stress/regress-169445.js:
2786
2787 2018-09-26  Keith Miller  <keith_miller@apple.com>
2788
2789         We should zero unused property storage when rebalancing array storage.
2790         https://bugs.webkit.org/show_bug.cgi?id=188151
2791
2792         Reviewed by Michael Saboff.
2793
2794         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2795
2796 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2797
2798         [JSC] Optimize Array#lastIndexOf
2799         https://bugs.webkit.org/show_bug.cgi?id=189780
2800
2801         Reviewed by Saam Barati.
2802
2803         * stress/array-lastindexof-array-prototype-trap.js: Added.
2804         (shouldBe):
2805         (AncestorArray.prototype.get 2):
2806         (AncestorArray):
2807         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2808         (shouldBe):
2809         * stress/array-lastindexof-hole-nan.js: Added.
2810         (shouldBe):
2811         (throw.new.Error):
2812         * stress/array-lastindexof-infinity.js: Added.
2813         (shouldBe):
2814         (throw.new.Error):
2815         * stress/array-lastindexof-negative-zero.js: Added.
2816         (shouldBe):
2817         (throw.new.Error):
2818         * stress/array-lastindexof-own-getter.js: Added.
2819         (shouldBe):
2820         (throw.new.Error.get array):
2821         (get array):
2822         * stress/array-lastindexof-prototype-trap.js: Added.
2823         (shouldBe):
2824         (DerivedArray.prototype.get 2):
2825         (DerivedArray):
2826
2827 2018-09-25  Saam Barati  <sbarati@apple.com>
2828
2829         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2830         https://bugs.webkit.org/show_bug.cgi?id=189940
2831         <rdar://problem/43640987>
2832
2833         Reviewed by Mark Lam.
2834
2835         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2836
2837 2018-09-24  Saam Barati  <sbarati@apple.com>
2838
2839         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2840         https://bugs.webkit.org/show_bug.cgi?id=189922
2841         <rdar://problem/44651275>
2842
2843         Reviewed by Mark Lam.
2844
2845         * stress/array-indexof-fast-path-effects.js: Added.
2846         * stress/array-indexof-cached-length.js: Added.
2847
2848 2018-09-24  Saam barati  <sbarati@apple.com>
2849
2850         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2851         https://bugs.webkit.org/show_bug.cgi?id=189682
2852         <rdar://problem/43557315>
2853
2854         Reviewed by Mark Lam.
2855
2856         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2857         (foo):
2858
2859 2018-09-22  Saam barati  <sbarati@apple.com>
2860
2861         The sampling should not use Strong<CodeBlock> in its machineLocation field
2862         https://bugs.webkit.org/show_bug.cgi?id=189319
2863
2864         Reviewed by Filip Pizlo.
2865
2866         * stress/sampling-profiler-richards.js: Added.
2867
2868 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2869
2870         [JSC] Optimize Array#indexOf in C++ runtime
2871         https://bugs.webkit.org/show_bug.cgi?id=189507
2872
2873         Reviewed by Saam Barati.
2874
2875         * stress/array-indexof-array-prototype-trap.js: Added.
2876         (shouldBe):
2877         (AncestorArray.prototype.get 2):
2878         (AncestorArray):
2879         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2880         (shouldBe):
2881         * stress/array-indexof-hole-nan.js: Added.
2882         (shouldBe):
2883         (throw.new.Error):
2884         * stress/array-indexof-infinity.js: Added.
2885         (shouldBe):
2886         (throw.new.Error):
2887         * stress/array-indexof-negative-zero.js: Added.
2888         (shouldBe):
2889         (throw.new.Error):
2890         * stress/array-indexof-own-getter.js: Added.
2891         (shouldBe):
2892         (throw.new.Error.get array):
2893         (get array):
2894         * stress/array-indexof-prototype-trap.js: Added.
2895         (shouldBe):
2896         (DerivedArray.prototype.get 2):
2897         (DerivedArray):
2898
2899 2018-09-19  Saam barati  <sbarati@apple.com>
2900
2901         AI rule for MultiPutByOffset executes its effects in the wrong order
2902         https://bugs.webkit.org/show_bug.cgi?id=189757
2903         <rdar://problem/43535257>
2904
2905         Reviewed by Michael Saboff.
2906
2907         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2908         (foo):
2909         (Foo):
2910         (g):
2911
2912 2018-09-17  Mark Lam  <mark.lam@apple.com>
2913
2914         Ensure that ForInContexts are invalidated if their loop local is over-written.
2915         https://bugs.webkit.org/show_bug.cgi?id=189571
2916         <rdar://problem/44402277>
2917
2918         Reviewed by Saam Barati.
2919
2920         * stress/regress-189571.js: Added.
2921
2922 2018-09-17  Saam barati  <sbarati@apple.com>
2923
2924         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2925         https://bugs.webkit.org/show_bug.cgi?id=189676
2926         <rdar://problem/39682897>
2927
2928         Reviewed by Michael Saboff.
2929
2930         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2931         (A):
2932         (K):
2933         (i.catch):
2934
2935 2018-09-14  Saam barati  <sbarati@apple.com>
2936
2937         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2938         https://bugs.webkit.org/show_bug.cgi?id=189628
2939         <rdar://problem/39481690>
2940
2941         Reviewed by Mark Lam.
2942
2943         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2944         (foo):
2945
2946 2018-09-11  Mark Lam  <mark.lam@apple.com>
2947
2948         Test for array initialization in arrayProtoFuncSplice.
2949         https://bugs.webkit.org/show_bug.cgi?id=170253
2950         <rdar://problem/31328773>
2951
2952         Rubber-stamped by Saam Barati.
2953
2954         * stress/regress-170253.js: Added.
2955
2956 2018-09-11  Mark Lam  <mark.lam@apple.com>
2957
2958         Test for IntlObject initialization.
2959         https://bugs.webkit.org/show_bug.cgi?id=170251
2960         <rdar://problem/31328419>
2961
2962         Rubber-stamped by Saam Barati.
2963
2964         * stress/regress-170251.js: Added.
2965
2966 2018-09-11  Mark Lam  <mark.lam@apple.com>
2967
2968         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2969         https://bugs.webkit.org/show_bug.cgi?id=169889
2970         <rdar://problem/31155607>
2971
2972         Reviewed by Saam Barati.
2973
2974         * stress/regress-169889-array-concat.js: Added.
2975         * stress/regress-169889-array-concat1.js: Added.
2976         * stress/regress-169889-array-slice.js: Added.
2977
2978 2018-09-11  Mark Lam  <mark.lam@apple.com>
2979
2980         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2981         https://bugs.webkit.org/show_bug.cgi?id=169445
2982         <rdar://problem/30957435>
2983
2984         Reviewed by Saam Barati.
2985
2986         * stress/regress-169445.js: Added.
2987         (let.gun.eval.A):
2988         (let.gun.eval.B.C):
2989         (let.gun.eval.B.C.prototype.trigger):
2990         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2991         (let.gun.eval.B):
2992         (let.gun.eval):
2993
2994 == Rolled over to ChangeLog-2018-09-11 ==