[JSC] Reenable baseline JIT on mips
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
2
3         [JSC] Reenable baseline JIT on mips
4         https://bugs.webkit.org/show_bug.cgi?id=192983
5
6         Reviewed by Mark Lam.
7
8         Added a new test for a case that was triggering a RELEASE_ASSERT when
9         testing.
10         Disable some slow tests that were already disabled for arm and x86.
11
12         * stress/json-parse-big-object.js: Added.
13         * stress/new-largeish-contiguous-array-with-size.js:
14         * stress/op_add.js:
15         * stress/op_bitand.js:
16         * stress/op_bitor.js:
17         * stress/op_bitxor.js:
18         * stress/op_lshift-ConstVar.js:
19         * stress/op_lshift-VarConst.js:
20         * stress/op_lshift-VarVar.js:
21         * stress/op_mod-ConstVar.js:
22         * stress/op_mod-VarConst.js:
23         * stress/op_mod-VarVar.js:
24         * stress/op_mul-ConstVar.js:
25         * stress/op_mul-VarConst.js:
26         * stress/op_mul-VarVar.js:
27         * stress/op_rshift-ConstVar.js:
28         * stress/op_rshift-VarConst.js:
29         * stress/op_rshift-VarVar.js:
30         * stress/op_sub-ConstVar.js:
31         * stress/op_sub-VarConst.js:
32         * stress/op_sub-VarVar.js:
33         * stress/op_urshift-ConstVar.js:
34         * stress/op_urshift-VarConst.js:
35         * stress/op_urshift-VarVar.js:
36         * stress/sampling-profiler-richards.js:
37         * stress/spread-forward-call-varargs-stack-overflow.js:
38
39 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
40
41         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
42         https://bugs.webkit.org/show_bug.cgi?id=193711
43         <rdar://problem/47250262>
44
45         Reviewed by Saam Barati.
46
47         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
48         (shouldBe):
49         (foo):
50         (bar):
51         (baz):
52
53 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
54
55         Unreviewed, fix initial global lexical binding epoch
56         https://bugs.webkit.org/show_bug.cgi?id=193603
57         <rdar://problem/47380869>
58
59         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
60         (f1.f2.f3.f4):
61         (f1.f2.f3):
62         (f1.f2):
63         (f1):
64
65 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
66
67         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
68         https://bugs.webkit.org/show_bug.cgi?id=193709
69         <rdar://problem/47363838>
70
71         Unreviewed, rollout to watch the tests.
72
73         * stress/object-tostring-changed-proto.js: Removed.
74         * stress/object-tostring-changed.js: Removed.
75         * stress/object-tostring-misc.js: Removed.
76         * stress/object-tostring-other.js: Removed.
77         * stress/object-tostring-untyped.js: Removed.
78
79 2019-01-22  Saam Barati  <sbarati@apple.com>
80
81         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
82
83         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
84         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
85         (testUncheckedLessThanZero):
86         (testUncheckedLessThanOrEqualZero):
87         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
88         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
89
90 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
91
92         [JSC] Invalidate old scope operations using global lexical binding epoch
93         https://bugs.webkit.org/show_bug.cgi?id=193603
94         <rdar://problem/47380869>
95
96         Reviewed by Saam Barati.
97
98         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
99         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
100         (shouldThrow):
101         (bar):
102         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
103         (shouldBe):
104         (get1):
105         (get2):
106         (get1If):
107         (get2If):
108         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
109         (shouldThrow):
110         (foo):
111
112 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
113
114         Unreviewed, roll out r240220 due to date-format-xparb regression
115         https://bugs.webkit.org/show_bug.cgi?id=193603
116
117         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
118         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
119         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
120         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
121
122 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
123
124         DoesGC rule is wrong for nodes with BigIntUse
125         https://bugs.webkit.org/show_bug.cgi?id=193652
126
127         Reviewed by Saam Barati.
128
129         * stress/big-int-value-op-update-gc-rules.js: Added.
130         (assert):
131         (doesGCAdd):
132         (doesGCSub):
133         (doesGCDiv):
134         (doesGCMul):
135         (doesGCBitAnd):
136         (doesGCBitOr):
137         (doesGCBitXor):
138
139 2019-01-20  Saam Barati  <sbarati@apple.com>
140
141         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
142         https://bugs.webkit.org/show_bug.cgi?id=193644
143         <rdar://problem/46209745>
144
145         Reviewed by Yusuke Suzuki.
146
147         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
148         (foo):
149         * stress/data-view-set-intrinsic-undefined-result.js: Added.
150         (foo):
151         (bar):
152
153 2019-01-20  Saam Barati  <sbarati@apple.com>
154
155         MovHint must merge NodeBytecodeUsesAsValue for its child
156         https://bugs.webkit.org/show_bug.cgi?id=186916
157         <rdar://problem/41396612>
158
159         Reviewed by Yusuke Suzuki.
160
161         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
162         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
163
164 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
165
166         [JSC] Invalidate old scope operations using global lexical binding epoch
167         https://bugs.webkit.org/show_bug.cgi?id=193603
168         <rdar://problem/47380869>
169
170         Reviewed by Saam Barati.
171
172         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
173         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
174         (shouldThrow):
175         (bar):
176         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
177         (shouldBe):
178         (get1):
179         (get2):
180         (get1If):
181         (get2If):
182         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
183         (shouldThrow):
184         (foo):
185
186 2019-01-17  Saam barati  <sbarati@apple.com>
187
188         StringObjectUse should not be a structure check for the original string object structure
189         https://bugs.webkit.org/show_bug.cgi?id=193483
190         <rdar://problem/47280522>
191
192         Reviewed by Yusuke Suzuki.
193
194         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
195         (foo):
196         (a.valueOf.0):
197
198 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
199
200         [JSC] ToThis omission in DFGByteCodeParser is wrong
201         https://bugs.webkit.org/show_bug.cgi?id=193513
202         <rdar://problem/45842236>
203
204         Reviewed by Saam Barati.
205
206         * stress/to-this-omission-with-different-strict-modes.js: Added.
207         (thisA):
208         (thisAStrictWrapper):
209
210 2019-01-15  Mark Lam  <mark.lam@apple.com>
211
212         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
213         https://bugs.webkit.org/show_bug.cgi?id=193423
214         <rdar://problem/46209355>
215
216         Reviewed by Saam Barati.
217
218         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
219         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
220         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
221         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
222
223 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
224
225         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
226         https://bugs.webkit.org/show_bug.cgi?id=193438
227         <rdar://problem/45581249>
228
229         Reviewed by Saam Barati and Keith Miller.
230
231         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
232         Then, GetByVal(String) crashed.
233
234         * stress/string-get-by-val-lowering.js: Added.
235         (shouldBe):
236         (test):
237         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
238         (Hello):
239         (foo):
240
241 2019-01-15  Tomas Popela  <tpopela@redhat.com>
242
243         Unreviewed, skip JIT tests if it's not enabled
244
245         * stress/bit-op-with-object-returning-int32.js:
246
247 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
248
249         DFGByteCodeParser rules for bitwise operations should consider type of their operands
250         https://bugs.webkit.org/show_bug.cgi?id=192966
251
252         Reviewed by Yusuke Suzuki.
253
254         * stress/bit-op-with-object-returning-int32.js: Added.
255
256 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
257
258         Skip a slow test and a flakey test on arm
259
260         Unreviewed gardening.
261
262         * typeProfiler/getter-richards.js:
263         this test always times out, it used to be always skipped on arm and
264         mips, but got accidentally enabled by r237919 now that we have DFG on
265         arm. Also skipping on mips as we plan to soon enable DFG for it too.
266
267 2019-01-14  Keith Miller  <keith_miller@apple.com>
268
269         Skip type-check-hoisting-phase-hoist... with no jit
270         https://bugs.webkit.org/show_bug.cgi?id=193421
271
272         Reviewed by Mark Lam.
273
274         It's timing out the 32-bit bots and takes 330 seconds
275         on my machine when run by itself.
276
277         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
278
279 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
280
281         [JSC] AI should check the given constant's array type when folding GetByVal into constant
282         https://bugs.webkit.org/show_bug.cgi?id=193413
283         <rdar://problem/46092389>
284
285         Reviewed by Keith Miller.
286
287         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
288         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
289         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
290         but GetByVal does not have appropriate ArrayModes, JSC crashes.
291
292         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
293         (compareArray):
294
295 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
296
297         [BigInt] Literal parsing is crashing when used inside a Object Literal
298         https://bugs.webkit.org/show_bug.cgi?id=193404
299
300         Reviewed by Yusuke Suzuki.
301
302         * stress/big-int-literal-inside-literal-object.js: Added.
303
304 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
305
306         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
307         https://bugs.webkit.org/show_bug.cgi?id=193372
308
309         Reviewed by Saam Barati.
310
311         * stress/typed-array-array-modes-profile.js: Added.
312         (foo):
313
314 2019-01-14  Mark Lam  <mark.lam@apple.com>
315
316         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
317         https://bugs.webkit.org/show_bug.cgi?id=193402
318         <rdar://problem/46012309>
319
320         Reviewed by Keith Miller.
321
322         * stress/regexp-compile-oom.js:
323         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
324           is enabled.  As a result, it will fail on cloop builds though there is no bug.
325
326 2019-01-11  Saam barati  <sbarati@apple.com>
327
328         DFG combined liveness can be wrong for terminal basic blocks
329         https://bugs.webkit.org/show_bug.cgi?id=193304
330         <rdar://problem/45268632>
331
332         Reviewed by Yusuke Suzuki.
333
334         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
335
336 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
337
338         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
339         https://bugs.webkit.org/show_bug.cgi?id=193308
340         <rdar://problem/45546542>
341
342         Reviewed by Saam Barati.
343
344         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
345         (shouldThrow):
346         (shouldBe):
347         (foo):
348         (get shouldThrow):
349         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
350         (shouldThrow):
351         (shouldBe):
352         (foo):
353         (get shouldBe):
354         (get shouldThrow):
355         (get return):
356         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
357         (shouldThrow):
358         (shouldBe):
359         (foo):
360         (get shouldBe):
361         (get shouldThrow):
362         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
363         (shouldThrow):
364         (shouldBe):
365         (foo):
366         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
367         (shouldThrow):
368         (shouldBe):
369         (foo):
370         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
371         (shouldThrow):
372         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
373         (shouldThrow):
374         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
375         (shouldThrow):
376         (shouldBe):
377         (foo):
378         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
379         (shouldThrow):
380         (shouldBe):
381         (foo):
382         (get shouldBe):
383         (get shouldThrow):
384         (get return):
385         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
386         (shouldThrow):
387         (shouldBe):
388         (foo):
389         (get shouldBe):
390         (get shouldThrow):
391         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
392         (shouldThrow):
393         (shouldBe):
394         (foo):
395         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
396         (shouldThrow):
397         (shouldBe):
398         (foo):
399
400 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
401
402         Enable DFG on ARM/Linux again
403         https://bugs.webkit.org/show_bug.cgi?id=192496
404
405         Reviewed by Yusuke Suzuki.
406
407         Test wasn't really skipped before moving the line with skip
408         to the top.
409
410         * stress/regress-192717.js:
411
412 2019-01-10  Commit Queue  <commit-queue@webkit.org>
413
414         Unreviewed, rolling out r239825.
415         https://bugs.webkit.org/show_bug.cgi?id=193330
416
417         Broke tests on armv7/linux bots (Requested by guijemont on
418         #webkit).
419
420         Reverted changeset:
421
422         "Enable DFG on ARM/Linux again"
423         https://bugs.webkit.org/show_bug.cgi?id=192496
424         https://trac.webkit.org/changeset/239825
425
426 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
427
428         Enable DFG on ARM/Linux again
429         https://bugs.webkit.org/show_bug.cgi?id=192496
430
431         Reviewed by Yusuke Suzuki.
432
433         Test wasn't really skipped before moving the line with skip
434         to the top.
435
436         * stress/regress-192717.js:
437
438 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
439
440         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
441         https://bugs.webkit.org/show_bug.cgi?id=193127
442
443         Reviewed by Saam Barati.
444
445         * stress/array-species-create-should-handle-masquerader.js: Added.
446         (shouldThrow):
447         * stress/is-undefined-or-null-builtin.js: Added.
448         (shouldBe):
449         (isUndefinedOrNull.vm.createBuiltin):
450
451 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
452
453         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
454         https://bugs.webkit.org/show_bug.cgi?id=193221
455
456         Reviewed by Mark Lam.
457
458         * stress/put-by-id-flags.js: Added.
459         (f):
460         (g):
461         (numberOfDFGCompiles):
462
463 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
464
465         Baseline version of get_by_id may corrupt metadata
466         https://bugs.webkit.org/show_bug.cgi?id=193085
467         <rdar://problem/23453006>
468
469         Reviewed by Saam Barati.
470
471         * stress/get-by-id-change-mode.js: Added.
472         (forEach):
473
474 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
475
476         [JSC] Optimize Object.prototype.toString
477         https://bugs.webkit.org/show_bug.cgi?id=193031
478
479         Reviewed by Saam Barati.
480
481         * stress/object-tostring-changed-proto.js: Added.
482         (shouldBe):
483         (test):
484         * stress/object-tostring-changed.js: Added.
485         (shouldBe):
486         (test):
487         * stress/object-tostring-misc.js: Added.
488         (shouldBe):
489         (test):
490         (i.switch):
491         * stress/object-tostring-other.js: Added.
492         (shouldBe):
493         (test):
494         * stress/object-tostring-untyped.js: Added.
495         (shouldBe):
496         (test):
497         (i.switch):
498
499 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
500
501         test262-runner misbehaves when test file YAML has a trailing space
502         https://bugs.webkit.org/show_bug.cgi?id=193053
503
504         Reviewed by Yusuke Suzuki.
505
506         * test262/expectations.yaml:
507         Mark two dozen tests as passing (and correct the output of another).
508
509 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
510
511         Unreviewed, JSTests gardening with memoryLimited
512
513         * stress/string-overflow-createError.js:
514
515 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
516
517         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
518         https://bugs.webkit.org/show_bug.cgi?id=193050
519
520         Reviewed by Yusuke Suzuki.
521
522         * test262.yaml:
523         * test262/expectations.yaml:
524         Mark 16 tests as passing.
525
526 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
527
528         [BigInt] Support BigInt in JSON.stringify
529         https://bugs.webkit.org/show_bug.cgi?id=192624
530
531         Reviewed by Saam Barati.
532
533         * stress/big-int-json-stringify-to-json.js: Added.
534         (shouldBe):
535         (shouldThrow):
536         (BigInt.prototype.toJSON):
537         (shouldBe.JSON.stringify):
538         * stress/big-int-json-stringify.js: Added.
539         (shouldBe):
540         (shouldThrow):
541
542 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
543
544         [JSC] Implement "well-formed JSON.stringify" proposal
545         https://bugs.webkit.org/show_bug.cgi?id=191677
546
547         Reviewed by Darin Adler.
548
549         * stress/json-surrogate-pair.js: Added.
550         (shouldBe):
551         * test262/expectations.yaml:
552
553 2018-12-20  Keith Miller  <keith_miller@apple.com>
554
555         Add support for globalThis
556         https://bugs.webkit.org/show_bug.cgi?id=165171
557
558         Reviewed by Mark Lam.
559
560         * test262/config.yaml:
561
562 2018-12-19  Keith Miller  <keith_miller@apple.com>
563
564         Update test262 configuration to not run tests dependent on ICU version.
565         https://bugs.webkit.org/show_bug.cgi?id=192920
566
567         Reviewed by Saam Barati.
568
569         * test262/expectations.yaml:
570
571 2018-12-20  Mark Lam  <mark.lam@apple.com>
572
573         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
574         https://bugs.webkit.org/show_bug.cgi?id=192939
575         <rdar://problem/46869516>
576
577         Reviewed by Keith Miller.
578
579         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
580
581 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
582
583         WTF::String and StringImpl overflow MaxLength
584         https://bugs.webkit.org/show_bug.cgi?id=192853
585         <rdar://problem/45726906>
586
587         Reviewed by Mark Lam.
588
589         * stress/string-16bit-repeat-overflow.js: Added.
590         (catch):
591
592 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
593
594         Unreviewed follow-up to r192914.
595
596         * test262/expectations.yaml:
597         Add the last 20 missing expectations.
598
599 2018-12-19  Keith Miller  <keith_miller@apple.com>
600
601         Fix test262 expectations
602         https://bugs.webkit.org/show_bug.cgi?id=192914
603
604         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
605
606         * test262/expectations.yaml:
607
608 2018-12-19  Keith Miller  <keith_miller@apple.com>
609
610         Update test262 tests.
611         https://bugs.webkit.org/show_bug.cgi?id=192907
612
613         Rubber stamped by Mark Lam.
614
615         * test262/*: Omitted because prepare-changelog crashes.
616
617 2018-12-19  Mark Lam  <mark.lam@apple.com>
618
619         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
620         https://bugs.webkit.org/show_bug.cgi?id=192464
621         <rdar://problem/46519455>
622
623         Reviewed by Saam Barati.
624
625         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
626         microbenchmark.
627
628         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
629         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
630
631 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
632
633         String overflow in JSC::createError results in ASSERT in WTF::makeString
634         https://bugs.webkit.org/show_bug.cgi?id=192833
635         <rdar://problem/45706868>
636
637         Reviewed by Mark Lam.
638
639         * stress/string-overflow-createError.js: Added.
640
641 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
642
643         Error message for `-x ** y` contains a typo.
644         https://bugs.webkit.org/show_bug.cgi?id=192832
645
646         Reviewed by Saam Barati.
647
648         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
649         (assert.assert.return.throws):
650         * stress/pow-expects-update-expression-on-lhs.js:
651         (throw.new.Error):
652         Update test expectations which match against the exact error message.
653
654 2018-12-18  Mark Lam  <mark.lam@apple.com>
655
656         Gardening: test options fix.
657         https://bugs.webkit.org/show_bug.cgi?id=192822
658
659         Unreviewed.
660
661         * stress/json-stringify-string-builder-overflow.js:
662
663 2018-12-18  Mark Lam  <mark.lam@apple.com>
664
665         JSON.stringify() should throw OOM on StringBuilder overflows.
666         https://bugs.webkit.org/show_bug.cgi?id=192822
667         <rdar://problem/46670577>
668
669         Reviewed by Saam Barati.
670
671         * stress/json-stringify-string-builder-overflow.js: Added.
672
673 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
674
675         Redeclaration of var over let/const/class should be a syntax error.
676         https://bugs.webkit.org/show_bug.cgi?id=192298
677
678         Reviewed by Keith Miller.
679
680         * test262.yaml:
681         * test262/expectations.yaml:
682         Mark 46 tests as passing.
683
684         * stress/block-scope-redeclarations.js:
685         Add some new tests.
686
687         * stress/for-in-invalidate-context-weird-assignments.js:
688         * stress/for-in-tests.js:
689         Replace tests for outdated behavior with tests for SyntaxError.
690
691         * ChakraCore/test/LetConst/defer3.baseline-jsc:
692         * ChakraCore/test/LetConst/letvar.baseline-jsc:
693         Update expectations.
694
695 2018-12-18  Mark Lam  <mark.lam@apple.com>
696
697         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
698         https://bugs.webkit.org/show_bug.cgi?id=191374
699         <rdar://problem/46525447>
700
701         Reviewed by Yusuke Suzuki.
702
703         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
704
705         * stress/elidable-new-object-roflcopter-then-exit.js:
706
707 2018-12-17  Mark Lam  <mark.lam@apple.com>
708
709         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
710         https://bugs.webkit.org/show_bug.cgi?id=192019
711         <rdar://problem/46525456>
712
713         Reviewed by Yusuke Suzuki.
714
715         The test runs too slow on 32-bit.
716
717         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
718
719 2018-12-17  Mark Lam  <mark.lam@apple.com>
720
721         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
722         https://bugs.webkit.org/show_bug.cgi?id=191373
723         <rdar://problem/46525458>
724
725         Reviewed by Yusuke Suzuki.
726
727         The test is already slow running with a JIT on 64-bit.  It will always timeout
728         on 32-bit without a JIT.
729
730         * stress/materialize-regexp-cyclic-regexp.js:
731
732 2018-12-17  Mark Lam  <mark.lam@apple.com>
733
734         Array unshift/shift should not race against the AI in the compiler thread.
735         https://bugs.webkit.org/show_bug.cgi?id=192795
736         <rdar://problem/46724263>
737
738         Reviewed by Saam Barati.
739
740         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
741
742 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
743
744         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
745         https://bugs.webkit.org/show_bug.cgi?id=190047
746
747         Reviewed by Saam Barati.
748
749         * stress/object-keys-cached-zero.js: Added.
750         (shouldBe):
751         (test):
752         * stress/object-keys-changed-attribute.js: Added.
753         (shouldBe):
754         (test):
755         * stress/object-keys-changed-index.js: Added.
756         (shouldBe):
757         (test):
758         * stress/object-keys-changed.js: Added.
759         (shouldBe):
760         (test):
761         * stress/object-keys-indexed-non-cache.js: Added.
762         (shouldBe):
763         (test):
764         * stress/object-keys-overrides-get-property-names.js: Added.
765         (shouldBe):
766         (test):
767         (noInline):
768
769 2018-12-17  Mark Lam  <mark.lam@apple.com>
770
771         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
772         https://bugs.webkit.org/show_bug.cgi?id=192779
773         <rdar://problem/46775869>
774
775         Reviewed by Saam Barati.
776
777         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
778
779 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
780
781         Unreviewed test gardening, address a syntax error in a new test.
782
783         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
784
785 2018-12-17  Mark Lam  <mark.lam@apple.com>
786
787         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
788         https://bugs.webkit.org/show_bug.cgi?id=192776
789         <rdar://problem/46772368>
790
791         Reviewed by Keith Miller.
792
793         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
794
795 2018-12-17  Mark Lam  <mark.lam@apple.com>
796
797         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
798         https://bugs.webkit.org/show_bug.cgi?id=192770
799         <rdar://problem/46449037>
800
801         Reviewed by Keith Miller.
802
803         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
804
805 2018-12-14  Mark Lam  <mark.lam@apple.com>
806
807         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
808         https://bugs.webkit.org/show_bug.cgi?id=192717
809         <rdar://problem/46660677>
810
811         Reviewed by Saam Barati.
812
813         * stress/regress-192717.js: Added.
814
815 2018-12-14  Commit Queue  <commit-queue@webkit.org>
816
817         Unreviewed, rolling out r239153, r239154, and r239155.
818         https://bugs.webkit.org/show_bug.cgi?id=192715
819
820         Caused flaky GC-related crashes seen with layout tests
821         (Requested by ryanhaddad on #webkit).
822
823         Reverted changesets:
824
825         "[JSC] Optimize Object.keys by caching own keys results in
826         StructureRareData"
827         https://bugs.webkit.org/show_bug.cgi?id=190047
828         https://trac.webkit.org/changeset/239153
829
830         "Unreviewed, build fix after r239153"
831         https://bugs.webkit.org/show_bug.cgi?id=190047
832         https://trac.webkit.org/changeset/239154
833
834         "Unreviewed, build fix after r239153, part 2"
835         https://bugs.webkit.org/show_bug.cgi?id=190047
836         https://trac.webkit.org/changeset/239155
837
838 2018-12-14  Keith Miller  <keith_miller@apple.com>
839
840         Callers of JSString::getIndex should check for OOM exceptions
841         https://bugs.webkit.org/show_bug.cgi?id=192709
842
843         Reviewed by Mark Lam.
844
845         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
846
847 2018-12-13  Mark Lam  <mark.lam@apple.com>
848
849         Add a missing exception check.
850         https://bugs.webkit.org/show_bug.cgi?id=192626
851         <rdar://problem/46662163>
852
853         Reviewed by Keith Miller.
854
855         * stress/regress-192626.js: Added.
856
857 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
858
859         [BigInt] Add ValueDiv into DFG
860         https://bugs.webkit.org/show_bug.cgi?id=186178
861
862         Reviewed by Yusuke Suzuki.
863
864         * stress/big-int-div-jit-osr.js: Added.
865         * stress/big-int-div-jit-untyped.js: Added.
866         * stress/value-div-fixup-int32-big-int.js: Added.
867
868 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
869
870         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
871         https://bugs.webkit.org/show_bug.cgi?id=190047
872
873         Reviewed by Keith Miller.
874
875         * stress/object-keys-cached-zero.js: Added.
876         (shouldBe):
877         (test):
878         * stress/object-keys-changed-attribute.js: Added.
879         (shouldBe):
880         (test):
881         * stress/object-keys-changed-index.js: Added.
882         (shouldBe):
883         (test):
884         * stress/object-keys-changed.js: Added.
885         (shouldBe):
886         (test):
887         * stress/object-keys-indexed-non-cache.js: Added.
888         (shouldBe):
889         (test):
890         * stress/object-keys-overrides-get-property-names.js: Added.
891         (shouldBe):
892         (test):
893         (noInline):
894
895 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
896
897         [DFG][FTL] Add NewSymbol
898         https://bugs.webkit.org/show_bug.cgi?id=192620
899
900         Reviewed by Saam Barati.
901
902         * microbenchmarks/symbol-creation.js: Added.
903         (test):
904         * stress/symbol-description-identity.js: Added.
905         (shouldBe):
906         (test):
907         * stress/symbol-identity.js: Added.
908         (shouldBe):
909         (test):
910         * stress/symbol-with-description-throw-error.js: Added.
911         (shouldBe):
912         (shouldThrow):
913         (test):
914         (object.toString):
915
916 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
917
918         [BigInt] Implement DFG/FTL typeof for BigInt
919         https://bugs.webkit.org/show_bug.cgi?id=192619
920
921         Reviewed by Keith Miller.
922
923         * stress/big-int-boolean-proven-type.js: Added.
924         (assert):
925         (bool):
926         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
927         (assert):
928         (typeOf):
929         (i.switch):
930         * stress/big-int-type-of-proven-type-non-constant.js: Added.
931         (assert):
932         (typeOf):
933         * stress/big-int-type-of.js:
934         (typeOf):
935         (func):
936
937 2018-12-10  Mark Lam  <mark.lam@apple.com>
938
939         PropertyAttribute needs a CustomValue bit.
940         https://bugs.webkit.org/show_bug.cgi?id=191993
941         <rdar://problem/46264467>
942
943         Reviewed by Saam Barati.
944
945         * stress/regress-191993.js: Added.
946
947 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
948
949         [BigInt] Add ValueMul into DFG
950         https://bugs.webkit.org/show_bug.cgi?id=186175
951
952         Reviewed by Yusuke Suzuki.
953
954         * stress/big-int-mul-jit-osr.js: Added.
955         * stress/big-int-mul-jit-untyped.js: Added.
956         * stress/value-mul-fixup-int32-big-int.js: Added.
957
958 2018-12-06  Keith Miller  <keith_miller@apple.com>
959
960         stress/big-wasm-memory tests failing on 32-bit JSC bot
961         https://bugs.webkit.org/show_bug.cgi?id=192020
962
963         Reviewed by Saam Barati.
964
965         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
966         the wasm stress tests if the WebAssembly object does not exist.
967
968         * stress/big-wasm-memory-grow-no-max.js:
969         (test.foo):
970         (test):
971         (foo): Deleted.
972         (catch): Deleted.
973         * stress/big-wasm-memory-grow.js:
974         (test.foo):
975         (test):
976         (foo): Deleted.
977         (catch): Deleted.
978         * stress/big-wasm-memory.js:
979         (test.foo):
980         (test):
981         (foo): Deleted.
982         (catch): Deleted.
983
984 2018-12-05  Mark Lam  <mark.lam@apple.com>
985
986         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
987         https://bugs.webkit.org/show_bug.cgi?id=192441
988         <rdar://problem/46480355>
989
990         Reviewed by Saam Barati.
991
992         * stress/regress-192441.js: Added.
993
994 2018-12-04  Mark Lam  <mark.lam@apple.com>
995
996         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
997         https://bugs.webkit.org/show_bug.cgi?id=192386
998         <rdar://problem/46445516>
999
1000         Reviewed by Saam Barati.
1001
1002         * stress/regress-192386.js: Added.
1003
1004 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1005
1006         [ESNext][BigInt] Support logic operations
1007         https://bugs.webkit.org/show_bug.cgi?id=179903
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         * stress/big-int-branch-usage.js: Added.
1012         * stress/big-int-logical-and.js: Added.
1013         * stress/big-int-logical-not.js: Added.
1014         * stress/big-int-logical-or.js: Added.
1015
1016 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1017
1018         Unreviewed, rolling out r238833.
1019
1020         Breaks macOS and iOS debug builds.
1021
1022         Reverted changeset:
1023
1024         "[ESNext][BigInt] Support logic operations"
1025         https://bugs.webkit.org/show_bug.cgi?id=179903
1026         https://trac.webkit.org/changeset/238833
1027
1028 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1029
1030         [ESNext][BigInt] Support logic operations
1031         https://bugs.webkit.org/show_bug.cgi?id=179903
1032
1033         Reviewed by Yusuke Suzuki.
1034
1035         * stress/big-int-branch-usage.js: Added.
1036         * stress/big-int-logical-and.js: Added.
1037         * stress/big-int-logical-not.js: Added.
1038         * stress/big-int-logical-or.js: Added.
1039
1040 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1041
1042         [ESNext][BigInt] Implement support for "<<" and ">>"
1043         https://bugs.webkit.org/show_bug.cgi?id=186233
1044
1045         Reviewed by Yusuke Suzuki.
1046
1047         * stress/big-int-left-shift-general.js: Added.
1048         * stress/big-int-left-shift-range-error.js: Added.
1049         * stress/big-int-left-shift-type-error.js: Added.
1050         * stress/big-int-left-shift-wrapped-value.js: Added.
1051         * stress/big-int-right-shift-general.js: Added.
1052         * stress/big-int-right-shift-type-error.js: Added.
1053         * stress/big-int-right-shift-wrapped-value.js: Added.
1054         * stress/left-shift-to-primitive-precedence.js: Added.
1055         * stress/right-shift-to-primitive-precedence.js: Added.
1056
1057 2018-11-30  Dean Jackson  <dino@apple.com>
1058
1059         Add first-class support for .mjs files in jsc binary
1060         https://bugs.webkit.org/show_bug.cgi?id=192190
1061         <rdar://problem/46375715>
1062
1063         Reviewed by Keith Miller.
1064
1065         * stress/simple-module.mjs: Added.
1066         * stress/simple-script.js: Added.
1067
1068 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1069
1070         [BigInt] Implement ValueBitXor into DFG
1071         https://bugs.webkit.org/show_bug.cgi?id=190264
1072
1073         Reviewed by Yusuke Suzuki.
1074
1075         * stress/big-int-bitwise-xor-jit.js: Added.
1076         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1077         * stress/big-int-bitwise-xor-untyped.js: Added.
1078
1079 2018-11-27  Saam barati  <sbarati@apple.com>
1080
1081         r238510 broke scopes of size zero
1082         https://bugs.webkit.org/show_bug.cgi?id=192033
1083         <rdar://problem/46281734>
1084
1085         Reviewed by Keith Miller.
1086
1087         * stress/r238510-bad-loop.js: Added.
1088         (foo):
1089
1090 2018-11-27  Mark Lam  <mark.lam@apple.com>
1091
1092         [Re-landing] NaNs read from Wasm code needs to be be purified.
1093         https://bugs.webkit.org/show_bug.cgi?id=191056
1094         <rdar://problem/45660341>
1095
1096         Reviewed by Filip Pizlo.
1097
1098         * wasm/regress/regress-191056.js: Added.
1099
1100 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1101
1102         Unreviewed, rolling out r238509.
1103
1104         Causes JSC tests to fail on iOS.
1105
1106         Reverted changeset:
1107
1108         "NaNs read from Wasm code needs to be be purified."
1109         https://bugs.webkit.org/show_bug.cgi?id=191056
1110         https://trac.webkit.org/changeset/238509
1111
1112 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1113
1114         Re-introduce op_bitnot
1115         https://bugs.webkit.org/show_bug.cgi?id=190923
1116
1117         Reviewed by Yusuke Suzuki.
1118
1119         * stress/bit-not-must-generate.js: Added.
1120         * stress/bitwise-not-no-int32.js: Added.
1121
1122 2018-11-26  Saam barati  <sbarati@apple.com>
1123
1124         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1125         https://bugs.webkit.org/show_bug.cgi?id=191956
1126         <rdar://problem/45665806>
1127
1128         Reviewed by Yusuke Suzuki.
1129
1130         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1131         (bar):
1132         (foo):
1133
1134 2018-11-26  Saam barati  <sbarati@apple.com>
1135
1136         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1137         https://bugs.webkit.org/show_bug.cgi?id=191958
1138         <rdar://problem/46221877>
1139
1140         Reviewed by Yusuke Suzuki.
1141
1142         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1143         (x):
1144         (foo):
1145
1146 2018-11-26  Mark Lam  <mark.lam@apple.com>
1147
1148         NaNs read from Wasm code needs to be be purified.
1149         https://bugs.webkit.org/show_bug.cgi?id=191056
1150         <rdar://problem/45660341>
1151
1152         Reviewed by Filip Pizlo.
1153
1154         * wasm/regress/regress-191056.js: Added.
1155
1156 2018-11-26  Michael Saboff  <msaboff@apple.com>
1157
1158         32-bit JSC test failure: stress/regexp-compile-oom.js
1159         https://bugs.webkit.org/show_bug.cgi?id=191375
1160
1161         Reviewed by Mark Lam.
1162
1163         Disabled the test for 32 bit platforms.
1164
1165         * stress/regexp-compile-oom.js:
1166
1167 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1168
1169         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1170         https://bugs.webkit.org/show_bug.cgi?id=191716
1171         <rdar://problem/45723878>
1172
1173         Reviewed by Saam Barati.
1174
1175         * stress/regress-187373.js: Added.
1176         (async.fn):
1177
1178 2018-11-21  Saam barati  <sbarati@apple.com>
1179
1180         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1181         https://bugs.webkit.org/show_bug.cgi?id=191897
1182         <rdar://problem/45871998>
1183
1184         Reviewed by Mark Lam.
1185
1186         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1187         (bar):
1188         (foo):
1189
1190 2018-11-21  Saam barati  <sbarati@apple.com>
1191
1192         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1193         https://bugs.webkit.org/show_bug.cgi?id=191895
1194         <rdar://problem/46167406>
1195
1196         Reviewed by Mark Lam.
1197
1198         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1199         (foo):
1200         (bar):
1201
1202 2018-11-21  Mark Lam  <mark.lam@apple.com>
1203
1204         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1205         https://bugs.webkit.org/show_bug.cgi?id=191776
1206         <rdar://problem/46152851>
1207
1208         Reviewed by Saam Barati.
1209
1210         * stress/big-wasm-memory-grow-no-max.js:
1211         * stress/big-wasm-memory-grow.js:
1212         * stress/big-wasm-memory.js:
1213         - updated these to expect an OutOfMemoryError.
1214
1215         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1216         (Binary.prototype.emit_u8):
1217         (Binary.prototype.emit_u32v):
1218         (Binary.prototype.emit_header):
1219         (Binary.prototype.emit_section):
1220         (Binary):
1221         (WasmModuleBuilder):
1222         (WasmModuleBuilder.prototype.addMemory):
1223         (WasmModuleBuilder.prototype.toArray):
1224         (WasmModuleBuilder.prototype.toBuffer):
1225         (WasmModuleBuilder.prototype.instantiate):
1226         (catch):
1227         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1228         (catch):
1229
1230 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1231
1232         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1233         https://bugs.webkit.org/show_bug.cgi?id=190836
1234
1235         Reviewed by Saam Barati and Yusuke Suzuki.
1236
1237         * stress/big-int-out-of-memory-tests.js: Added.
1238
1239 2018-11-20  Mark Lam  <mark.lam@apple.com>
1240
1241         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1242         https://bugs.webkit.org/show_bug.cgi?id=191856
1243         <rdar://problem/46089992>
1244
1245         Reviewed by Yusuke Suzuki.
1246
1247         * stress/regress-191856.js: Added.
1248         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1249
1250 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1251
1252         Enable JIT on ARM/Linux
1253         https://bugs.webkit.org/show_bug.cgi?id=191548
1254
1255         Reviewed by Yusuke Suzuki.
1256
1257         Disable test on system with limited memory. Program was killed by
1258         the OS before the exception was thrown.
1259
1260         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1261
1262 2018-11-20  Saam barati  <sbarati@apple.com>
1263
1264         Merging an IC variant may lead to the IC status containing overlapping structure sets
1265         https://bugs.webkit.org/show_bug.cgi?id=191869
1266         <rdar://problem/45403453>
1267
1268         Reviewed by Mark Lam.
1269
1270         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1271
1272 2018-11-19  Mark Lam  <mark.lam@apple.com>
1273
1274         globalFuncImportModule() should return a promise when it clears exceptions.
1275         https://bugs.webkit.org/show_bug.cgi?id=191792
1276         <rdar://problem/46090763>
1277
1278         Reviewed by Michael Saboff.
1279
1280         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1281
1282 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1283
1284         Skip new memory-hungry tests on memory limited devices
1285
1286         Unreviewed gardening.
1287
1288         * stress/big-wasm-memory-grow-no-max.js:
1289         * stress/big-wasm-memory-grow.js:
1290         * stress/big-wasm-memory.js:
1291
1292 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         Unreviewed, rolling in the rest of r237254
1295         https://bugs.webkit.org/show_bug.cgi?id=190340
1296
1297         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1298         * stress/function-cache-with-parameters-end-position.js: Added.
1299         (shouldBe):
1300         (shouldThrow):
1301         (i.anonymous):
1302         * stress/function-constructor-name.js: Added.
1303         (shouldBe):
1304         (GeneratorFunction):
1305         (AsyncFunction.async):
1306         (AsyncGeneratorFunction.async):
1307         (anonymous):
1308         (async.anonymous):
1309         * test262/expectations.yaml:
1310
1311 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1312
1313         All users of ArrayBuffer should agree on the same max size
1314         https://bugs.webkit.org/show_bug.cgi?id=191771
1315
1316         Reviewed by Mark Lam.
1317
1318         * stress/big-wasm-memory-grow-no-max.js: Added.
1319         (foo):
1320         (catch):
1321         * stress/big-wasm-memory-grow.js: Added.
1322         (foo):
1323         (catch):
1324         * stress/big-wasm-memory.js: Added.
1325         (foo):
1326         (catch):
1327
1328 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1329
1330         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1331         run for each JSC config since they're regression tests for runtime bugs.
1332
1333         * stress/json-stringified-overflow-2.js:
1334         * stress/json-stringified-overflow.js:
1335
1336 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1337
1338         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1339         config since they're regression tests for runtime bugs.
1340
1341         * stress/large-unshift-splice.js:
1342         * stress/regress-185888.js:
1343
1344 2018-11-16  Saam Barati  <sbarati@apple.com>
1345
1346         KnownCellUse should also have SpecCellCheck as its type filter
1347         https://bugs.webkit.org/show_bug.cgi?id=191729
1348         <rdar://problem/45872852>
1349
1350         Reviewed by Filip Pizlo.
1351
1352         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1353         (C):
1354
1355 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1356
1357         Fix assertion failure on BytecodeGenerator::recordOpcode
1358         https://bugs.webkit.org/show_bug.cgi?id=191724
1359         <rdar://problem/45724395>
1360
1361         Reviewed by Saam Barati.
1362
1363         * stress/regress-187373-2.js: Added.
1364         (foo):
1365
1366 2018-11-15  Mark Lam  <mark.lam@apple.com>
1367
1368         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1369         https://bugs.webkit.org/show_bug.cgi?id=191730
1370         <rdar://problem/46048517>
1371
1372         Reviewed by Saam Barati.
1373
1374         * stress/regress-187006.js: Removed.
1375           - this test is invalid because its sole purpose is to test for the non-spec
1376             compliant behavior that we just fixed.
1377
1378         * stress/regress-191730.js: Added.
1379
1380 2018-11-15  Mark Lam  <mark.lam@apple.com>
1381
1382         RegExp operations should not take fast patch if lastIndex is not numeric.
1383         https://bugs.webkit.org/show_bug.cgi?id=191731
1384         <rdar://problem/46017305>
1385
1386         Reviewed by Saam Barati.
1387
1388         * stress/regress-191731.js: Added.
1389
1390 2018-11-13  Saam Barati  <sbarati@apple.com>
1391
1392         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1393         https://bugs.webkit.org/show_bug.cgi?id=191600
1394
1395         Reviewed by Mark Lam.
1396
1397         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1398         (foo):
1399         (test):
1400         (bar):
1401
1402 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1403
1404         Unreviewed, rolling out r238132.
1405
1406         The test added with this change is timing out on Debug JSC
1407         bots.
1408
1409         Reverted changeset:
1410
1411         "[BigInt] JSBigInt::createWithLength should throw when length
1412         is greater than JSBigInt::maxLength"
1413         https://bugs.webkit.org/show_bug.cgi?id=190836
1414         https://trac.webkit.org/changeset/238132
1415
1416 2018-11-13  Mark Lam  <mark.lam@apple.com>
1417
1418         Add OOM detection to StringPrototype's substituteBackreferences().
1419         https://bugs.webkit.org/show_bug.cgi?id=191563
1420         <rdar://problem/45720428>
1421
1422         Reviewed by Saam Barati.
1423
1424         * stress/regress-191563.js: Added.
1425
1426 2018-11-13  Mark Lam  <mark.lam@apple.com>
1427
1428         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1429         https://bugs.webkit.org/show_bug.cgi?id=191579
1430         <rdar://problem/45942472>
1431
1432         Reviewed by Saam Barati.
1433
1434         * stress/regress-191579.js: Added.
1435
1436 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1437
1438         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1439         https://bugs.webkit.org/show_bug.cgi?id=190836
1440
1441         Reviewed by Saam Barati.
1442
1443         * stress/big-int-out-of-memory-tests.js: Added.
1444
1445 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1446
1447         U+180E is no longer a whitespace character
1448         https://bugs.webkit.org/show_bug.cgi?id=191415
1449
1450         Reviewed by Saam Barati.
1451
1452         * ChakraCore/test/es5/regexSpace.baseline:
1453         * ChakraCore/test/es6/unicode_whitespace.js:
1454         Update tests to latest version.
1455         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1456
1457         * test262.yaml:
1458         * test262/config.yaml:
1459         * test262/expectations.yaml:
1460         Update expectations.
1461
1462 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1463
1464         [BigInt] Add support to BigInt into ValueAdd
1465         https://bugs.webkit.org/show_bug.cgi?id=186177
1466
1467         Reviewed by Keith Miller.
1468
1469         * stress/big-int-negate-jit.js:
1470         * stress/value-add-big-int-and-string.js: Added.
1471         * stress/value-add-big-int-prediction-propagation.js: Added.
1472         * stress/value-add-big-int-untyped.js: Added.
1473
1474 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1475
1476         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1477         https://bugs.webkit.org/show_bug.cgi?id=191184
1478
1479         Reviewed by Saam Barati.
1480
1481         Most tests were failing due to timeouts, since they are too slow to
1482         run on CLoop. The exceptions are:
1483
1484         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1485         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1486         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1487         to change the stack size since CLoop requires it to be page aligned.
1488
1489         * microbenchmarks/array-push-1.js:
1490         * microbenchmarks/array-push-2.js:
1491         * microbenchmarks/elidable-new-object-dag.js:
1492         * microbenchmarks/elidable-new-object-roflcopter.js:
1493         * microbenchmarks/elidable-new-object-tree.js:
1494         * microbenchmarks/getter-richards.js:
1495         * microbenchmarks/sinkable-new-object-dag.js:
1496         * microbenchmarks/string-concat-long-convert.js:
1497         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1498         * slowMicrobenchmarks/array-push-3.js:
1499         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1500         * slowMicrobenchmarks/spread-small-array.js:
1501         * slowMicrobenchmarks/undefined-property-access.js:
1502         * stress/activation-sink-default-value-tdz-error.js:
1503         * stress/activation-sink-default-value.js:
1504         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1505         * stress/activation-sink-osrexit-default-value.js:
1506         * stress/activation-sink-osrexit.js:
1507         * stress/activation-sink.js:
1508         * stress/allow-math-ic-b3-code-duplication.js:
1509         * stress/array-push-multiple-int32.js:
1510         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1511         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1512         * stress/arrowfunction-lexical-this-activation-sink.js:
1513         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1514         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1515         * stress/elide-new-object-dag-then-exit.js:
1516         * stress/materialize-regexp-cyclic.js:
1517         * stress/new-regex-inline.js:
1518         * stress/op_add.js:
1519         * stress/op_bitand.js:
1520         * stress/op_bitor.js:
1521         * stress/op_bitxor.js:
1522         * stress/op_div-ConstVar.js:
1523         * stress/op_div-VarConst.js:
1524         * stress/op_div-VarVar.js:
1525         * stress/op_lshift-ConstVar.js:
1526         * stress/op_lshift-VarConst.js:
1527         * stress/op_lshift-VarVar.js:
1528         * stress/op_mod-ConstVar.js:
1529         * stress/op_mod-VarConst.js:
1530         * stress/op_mod-VarVar.js:
1531         * stress/op_mul-ConstVar.js:
1532         * stress/op_mul-VarConst.js:
1533         * stress/op_mul-VarVar.js:
1534         * stress/op_rshift-ConstVar.js:
1535         * stress/op_rshift-VarConst.js:
1536         * stress/op_rshift-VarVar.js:
1537         * stress/op_sub-ConstVar.js:
1538         * stress/op_sub-VarConst.js:
1539         * stress/op_sub-VarVar.js:
1540         * stress/op_urshift-ConstVar.js:
1541         * stress/op_urshift-VarConst.js:
1542         * stress/op_urshift-VarVar.js:
1543         * stress/proxy-get-set-correct-receiver.js:
1544         * stress/regress-179562.js:
1545         * stress/rest-parameter-many-arguments.js:
1546         * stress/sampling-profiler-richards.js:
1547         * stress/splay-flash-access-1ms.js:
1548         * stress/tailCallForwardArguments.js:
1549         * stress/typed-array-get-by-val-profiling.js:
1550         * typeProfiler/getter-richards.js:
1551
1552 2018-11-06  Michael Saboff  <msaboff@apple.com>
1553
1554         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1555         https://bugs.webkit.org/show_bug.cgi?id=191271
1556
1557         Reviewed by Saam Barati.
1558
1559         Added more test cases and made all test cases run with the same deeply recursive stack
1560         instead of finding that same point for each test case.
1561
1562         * stress/regexp-compile-oom.js:
1563         (prototype.runTest):
1564         (recurseAndTest):
1565         (testList.push.new.TestAndExpectedException):
1566
1567 2018-11-05  Michael Saboff  <msaboff@apple.com>
1568
1569         Unreviewed build fix for linux.
1570
1571         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1572
1573 2018-11-02  Michael Saboff  <msaboff@apple.com>
1574
1575         Rolling in r237753 with unreviewed build fix.
1576
1577         Fixed issues with DECLARE_THROW_SCOPE placement.
1578
1579 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1580
1581         Unreviewed, rolling out r237753.
1582
1583         Introduced JSC test failures
1584
1585         Reverted changeset:
1586
1587         "Running out of stack space not properly handled in
1588         RegExp::compile() and its callers"
1589         https://bugs.webkit.org/show_bug.cgi?id=191206
1590         https://trac.webkit.org/changeset/237753
1591
1592 2018-11-02  Michael Saboff  <msaboff@apple.com>
1593
1594         Running out of stack space not properly handled in RegExp::compile() and its callers
1595         https://bugs.webkit.org/show_bug.cgi?id=191206
1596
1597         Reviewed by Filip Pizlo.
1598
1599         New regression test.
1600
1601         * stress/regexp-compile-oom.js: Added.
1602         (recurseAndTest):
1603
1604 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1605
1606         Skip tests on arm/mips that time out now we're running on CLoop
1607
1608         Unreviewed gardening.
1609
1610         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1611         time out on the bots and need to be disabled. There's more tests
1612         disabled on arm because the timeout is longer on the mips bot (as the
1613         device is slower to start with), so many of the tests don't time out
1614         there.
1615
1616         * microbenchmarks/getter-richards.js: disable on arm and mips.
1617         * stress/op_add.js: disable on arm.
1618         * stress/op_bitand.js: disable on arm.
1619         * stress/op_bitor.js: disable on arm.
1620         * stress/op_bitxor.js: disable on arm.
1621         * stress/op_lshift-ConstVar.js: disable on arm.
1622         * stress/op_lshift-VarConst.js: disable on arm.
1623         * stress/op_lshift-VarVar.js: disable on arm.
1624         * stress/op_mod-ConstVar.js: disable on arm.
1625         * stress/op_mod-VarConst.js: disable on arm.
1626         * stress/op_mod-VarVar.js: disable on arm.
1627         * stress/op_mul-ConstVar.js: disable on arm.
1628         * stress/op_mul-VarConst.js: disable on arm.
1629         * stress/op_mul-VarVar.js: disable on arm.
1630         * stress/op_rshift-ConstVar.js: disable on arm.
1631         * stress/op_rshift-VarConst.js: disable on arm.
1632         * stress/op_rshift-VarVar.js: disable on arm.
1633         * stress/op_sub-ConstVar.js: disable on arm.
1634         * stress/op_sub-VarConst.js: disable on arm.
1635         * stress/op_sub-VarVar.js: disable on arm.
1636         * stress/op_urshift-ConstVar.js: disable on arm.
1637         * stress/op_urshift-VarConst.js: disable on arm.
1638         * stress/op_urshift-VarVar.js: disable on arm.
1639         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1640         * stress/value-to-boolean.js: disable on arm and mips.
1641
1642 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1643
1644         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1645         https://bugs.webkit.org/show_bug.cgi?id=191108
1646         <rdar://problem/45690700>
1647
1648         Reviewed by Saam Barati.
1649
1650         * stress/wide-op_catch.js: Added.
1651         (catch):
1652
1653 2018-10-29  Mark Lam  <mark.lam@apple.com>
1654
1655         Correctly detect string overflow when using the 'Function' constructor.
1656         https://bugs.webkit.org/show_bug.cgi?id=184883
1657         <rdar://problem/36320331>
1658
1659         Reviewed by Saam Barati.
1660
1661         I've verified that this passes on 32-bit as well.
1662
1663         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1664
1665 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1666
1667         Add support for GetStack FlushedDouble
1668         https://bugs.webkit.org/show_bug.cgi?id=191012
1669         <rdar://problem/45265141>
1670
1671         Reviewed by Saam Barati.
1672
1673         * stress/get-stack-double.js: Added.
1674         (bar):
1675         (noInline):
1676
1677 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1678
1679         New bytecode format for JSC
1680         https://bugs.webkit.org/show_bug.cgi?id=187373
1681         <rdar://problem/44186758>
1682
1683         Reviewed by Filip Pizlo.
1684
1685         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1686
1687         * stress/maximum-inline-capacity.js: Added.
1688         (test1):
1689         (test3.Foo):
1690         (test3):
1691
1692 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1693
1694         Unreviewed, rolling out r237479 and r237484.
1695         https://bugs.webkit.org/show_bug.cgi?id=190978
1696
1697         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1698
1699         Reverted changesets:
1700
1701         "New bytecode format for JSC"
1702         https://bugs.webkit.org/show_bug.cgi?id=187373
1703         https://trac.webkit.org/changeset/237479
1704
1705         "Gardening: Build fix after r237479."
1706         https://bugs.webkit.org/show_bug.cgi?id=187373
1707         https://trac.webkit.org/changeset/237484
1708
1709 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1710
1711         New bytecode format for JSC
1712         https://bugs.webkit.org/show_bug.cgi?id=187373
1713         <rdar://problem/44186758>
1714
1715         Reviewed by Filip Pizlo.
1716
1717         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1718
1719         * stress/maximum-inline-capacity.js: Added.
1720         (test1):
1721         (test3.Foo):
1722         (test3):
1723
1724 2018-10-26  Mark Lam  <mark.lam@apple.com>
1725
1726         Fix missing edge cases with JSGlobalObjects having a bad time.
1727         https://bugs.webkit.org/show_bug.cgi?id=189028
1728         <rdar://problem/45204939>
1729
1730         Reviewed by Saam Barati.
1731
1732         * stress/regress-189028.js: Added.
1733
1734 2018-10-22  Mark Lam  <mark.lam@apple.com>
1735
1736         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1737         https://bugs.webkit.org/show_bug.cgi?id=190515
1738         <rdar://problem/45222379>
1739
1740         Rubber-stamped by Saam Barati.
1741
1742         Adding another test.
1743
1744         * stress/regress-190515-2.js: Added.
1745
1746 2018-10-22  Mark Lam  <mark.lam@apple.com>
1747
1748         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1749         https://bugs.webkit.org/show_bug.cgi?id=190515
1750         <rdar://problem/45222379>
1751
1752         Reviewed by Saam Barati.
1753
1754         * stress/regress-190515.js: Added.
1755
1756 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1757
1758         Unreviewed, rolling out r237254.
1759         https://bugs.webkit.org/show_bug.cgi?id=190760
1760
1761         "It regresses JetStream 2 by 5% on some iOS devices"
1762         (Requested by saamyjoon on #webkit).
1763
1764         Reverted changeset:
1765
1766         "[JSC] JSC should have "parseFunction" to optimize Function
1767         constructor"
1768         https://bugs.webkit.org/show_bug.cgi?id=190340
1769         https://trac.webkit.org/changeset/237254
1770
1771 2018-10-19  Saam Barati  <sbarati@apple.com>
1772
1773         vmCall should check if we exit before emitting an OSR exit due to exceptions
1774         https://bugs.webkit.org/show_bug.cgi?id=190740
1775         <rdar://problem/45220139>
1776
1777         Reviewed by Mark Lam.
1778
1779         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1780         (foo):
1781
1782 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1783
1784         [ESNext][BigInt] Implement support for "^"
1785         https://bugs.webkit.org/show_bug.cgi?id=186235
1786
1787         Reviewed by Yusuke Suzuki.
1788
1789         * stress/big-int-bitwise-xor-general.js: Added.
1790         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1791         * stress/big-int-bitwise-xor-type-error.js: Added.
1792         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1793
1794 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1795
1796         [BigInt] Add ValueSub into DFG
1797         https://bugs.webkit.org/show_bug.cgi?id=186176
1798
1799         Reviewed by Yusuke Suzuki.
1800
1801         * stress/big-int-subtraction-jit.js:
1802         * stress/value-sub-big-int-prediction-propagation.js: Added.
1803         * stress/value-sub-big-int-untyped.js: Added.
1804         * stress/value-sub-spec-none-case.js: Added.
1805
1806 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1807
1808         [JSC] JSC should have "parseFunction" to optimize Function constructor
1809         https://bugs.webkit.org/show_bug.cgi?id=190340
1810
1811         Reviewed by Mark Lam.
1812
1813         This patch fixes the line number of syntax errors raised by the Function constructor,
1814         since we now parse the final code only once. And we no longer use block statement
1815         for Function constructor's parsing.
1816
1817         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1818         * stress/function-cache-with-parameters-end-position.js: Added.
1819         (shouldBe):
1820         (shouldThrow):
1821         (i.anonymous):
1822         * stress/function-constructor-name.js: Added.
1823         (shouldBe):
1824         (GeneratorFunction):
1825         (AsyncFunction.async):
1826         (AsyncGeneratorFunction.async):
1827         (anonymous):
1828         (async.anonymous):
1829         * test262/expectations.yaml:
1830
1831 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1832
1833         Unreviewed, rolling out r237242.
1834         https://bugs.webkit.org/show_bug.cgi?id=190701
1835
1836         it breaks "stress/sampling-profiler-basic.js" (Requested by
1837         caiolima on #webkit).
1838
1839         Reverted changeset:
1840
1841         "[BigInt] Add ValueSub into DFG"
1842         https://bugs.webkit.org/show_bug.cgi?id=186176
1843         https://trac.webkit.org/changeset/237242
1844
1845 2018-10-17  Keith Miller  <keith_miller@apple.com>
1846
1847         AI does not clear Phantom allocation nodes.
1848         https://bugs.webkit.org/show_bug.cgi?id=190694
1849
1850         Reviewed by Saam Barati.
1851
1852         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1853         (Day):
1854         (DaysInYear):
1855         (TimeInYear):
1856         (TimeFromYear):
1857         (DayFromYear):
1858         (InLeapYear):
1859         (YearFromTime):
1860         (WeekDay):
1861         (DaylightSavingTA):
1862         (GetSecondSundayInMarch):
1863         (TimeInMonth):
1864
1865 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1866
1867         [BigInt] Add ValueSub into DFG
1868         https://bugs.webkit.org/show_bug.cgi?id=186176
1869
1870         Reviewed by Yusuke Suzuki.
1871
1872         * stress/big-int-subtraction-jit.js:
1873         * stress/value-sub-big-int-prediction-propagation.js: Added.
1874         * stress/value-sub-big-int-untyped.js: Added.
1875
1876 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1877
1878         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1879         https://bugs.webkit.org/show_bug.cgi?id=190611
1880
1881         Reviewed by Saam Barati.
1882
1883         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1884         to improve test runtime. On ARM/MIPS this test even timed out when running all
1885         tests.
1886
1887         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1888         (test):
1889
1890 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1891
1892         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1893
1894         Unreviewed gardening.
1895
1896         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1897
1898 2018-10-15  Saam barati  <sbarati@apple.com>
1899
1900         Emit fjcvtzs on ARM64E on Darwin
1901         https://bugs.webkit.org/show_bug.cgi?id=184023
1902
1903         Reviewed by Yusuke Suzuki and Filip Pizlo.
1904
1905         * stress/double-to-int32-NaN.js: Added.
1906         (assert):
1907         (foo):
1908
1909 2018-10-15  Saam Barati  <sbarati@apple.com>
1910
1911         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1912         https://bugs.webkit.org/show_bug.cgi?id=190262
1913         <rdar://problem/44986241>
1914
1915         Reviewed by Mark Lam.
1916
1917         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1918         (test):
1919         * stress/slice-array-storage-with-holes.js: Added.
1920         (main):
1921
1922 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1923
1924         Unreviewed, rolling out r237054.
1925         https://bugs.webkit.org/show_bug.cgi?id=190593
1926
1927         "this regressed JetStream 2 by 6% on iOS" (Requested by
1928         saamyjoon on #webkit).
1929
1930         Reverted changeset:
1931
1932         "[JSC] JSC should have "parseFunction" to optimize Function
1933         constructor"
1934         https://bugs.webkit.org/show_bug.cgi?id=190340
1935         https://trac.webkit.org/changeset/237054
1936
1937 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1938
1939         [JSC] JSON.stringify can accept call-with-no-arguments
1940         https://bugs.webkit.org/show_bug.cgi?id=190343
1941
1942         Reviewed by Mark Lam.
1943
1944         * stress/json-stringify-no-arguments.js: Added.
1945         (shouldBe):
1946
1947 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1948
1949         [JSC] JSC should have "parseFunction" to optimize Function constructor
1950         https://bugs.webkit.org/show_bug.cgi?id=190340
1951
1952         Reviewed by Mark Lam.
1953
1954         This patch fixes the line number of syntax errors raised by the Function constructor,
1955         since we now parse the final code only once. And we no longer use block statement
1956         for Function constructor's parsing.
1957
1958         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1959         * stress/function-cache-with-parameters-end-position.js: Added.
1960         (shouldBe):
1961         (shouldThrow):
1962         (i.anonymous):
1963         * stress/function-constructor-name.js: Added.
1964         (shouldBe):
1965         (GeneratorFunction):
1966         (AsyncFunction.async):
1967         (AsyncGeneratorFunction.async):
1968         (anonymous):
1969         (async.anonymous):
1970         * test262/expectations.yaml:
1971
1972 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1973
1974         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1975         https://bugs.webkit.org/show_bug.cgi?id=190426
1976
1977         Unreviewed gardening.
1978
1979         * stress/sampling-profiler-richards.js:
1980
1981 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1982
1983         [ESNext][BigInt] Implement support for "|"
1984         https://bugs.webkit.org/show_bug.cgi?id=186229
1985
1986         Reviewed by Yusuke Suzuki.
1987
1988         * stress/big-int-bitwise-and-jit.js:
1989         * stress/big-int-bitwise-or-general.js: Added.
1990         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1991         * stress/big-int-bitwise-or-jit.js: Added.
1992         * stress/big-int-bitwise-or-memory-stress.js: Added.
1993         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1994         * stress/big-int-bitwise-or-type-error.js: Added.
1995         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1996
1997 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1998
1999         Skip test on systems with limited memory
2000         https://bugs.webkit.org/show_bug.cgi?id=190310
2001
2002         Invoking runDefault adds test to runlist, skipping the test in the next
2003         line does not prevent the test from executing. Change order of lines such
2004         that runDefault is only executed if test is not executed.
2005
2006         Reviewed by Mark Lam.
2007
2008         * stress/regress-190187.js:
2009
2010 2018-10-03  Saam barati  <sbarati@apple.com>
2011
2012         lowXYZ in FTLLower should always filter the type of the incoming edge
2013         https://bugs.webkit.org/show_bug.cgi?id=189939
2014         <rdar://problem/44407030>
2015
2016         Reviewed by Michael Saboff.
2017
2018         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2019         (foo):
2020         (test):
2021
2022 2018-10-03  Mark Lam  <mark.lam@apple.com>
2023
2024         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2025         https://bugs.webkit.org/show_bug.cgi?id=190187
2026         <rdar://problem/42512909>
2027
2028         Reviewed by Michael Saboff.
2029
2030         * stress/regress-190187.js: Added.
2031
2032 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2033
2034         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2035         https://bugs.webkit.org/show_bug.cgi?id=190033
2036
2037         Reviewed by Yusuke Suzuki.
2038
2039         * stress/big-int-to-string.js:
2040
2041 2018-10-01  Mark Lam  <mark.lam@apple.com>
2042
2043         Function.toString() should also copy the source code Functions that are class definitions.
2044         https://bugs.webkit.org/show_bug.cgi?id=190186
2045         <rdar://problem/44733360>
2046
2047         Reviewed by Saam Barati.
2048
2049         * stress/regress-190186.js: Added.
2050
2051 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2052
2053         Split NaN-check into separate test
2054         https://bugs.webkit.org/show_bug.cgi?id=190010
2055
2056         Reviewed by Saam Barati.
2057
2058         DataView exposes NaN-representation, which is not necessarily the same on each
2059         architecture. Therefore move the check of the NaN-representation into its own
2060         file such that we can disable this test on MIPS where NaN-representation can be
2061         different on older CPUs.
2062
2063         * stress/dataview-jit-set-nan.js: Added.
2064         (assert):
2065         (test.storeLittleEndian):
2066         (test.storeBigEndian):
2067         (test.store):
2068         (test):
2069         * stress/dataview-jit-set.js:
2070         (test5):
2071
2072 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2073
2074         Unreviewed, rolling out r236647.
2075         https://bugs.webkit.org/show_bug.cgi?id=190124
2076
2077         Breaking test stress/big-int-to-string.js (Requested by
2078         caiolima_ on #webkit).
2079
2080         Reverted changeset:
2081
2082         "[BigInt] BigInt.proptotype.toString is broken when radix is
2083         power of 2"
2084         https://bugs.webkit.org/show_bug.cgi?id=190033
2085         https://trac.webkit.org/changeset/236647
2086
2087 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2088
2089         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2090         https://bugs.webkit.org/show_bug.cgi?id=190033
2091
2092         Reviewed by Yusuke Suzuki.
2093
2094         * stress/big-int-to-string.js:
2095
2096 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2097
2098         [ESNext][BigInt] Implement support for "&"
2099         https://bugs.webkit.org/show_bug.cgi?id=186228
2100
2101         Reviewed by Yusuke Suzuki.
2102
2103         * stress/big-int-bitwise-and-general.js: Added.
2104         (assert):
2105         (assert.sameValue):
2106         * stress/big-int-bitwise-and-jit.js: Added.
2107         (let.assert.sameValue):
2108         (bigIntBitAnd):
2109         * stress/big-int-bitwise-and-memory-stress.js: Added.
2110         (assert):
2111         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2112         (assert.sameValue):
2113         (let.o.Symbol.toPrimitive):
2114         (catch):
2115         * stress/big-int-bitwise-and-type-error.js: Added.
2116         (assert):
2117         (assertThrowTypeError):
2118         (let.o.valueOf):
2119         (o.valueOf):
2120         (o.toString):
2121         (o.Symbol.toPrimitive):
2122         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2123         (assert.sameValue):
2124         (testBitAnd):
2125         (let.o.Symbol.toPrimitive):
2126         (o.valueOf):
2127         (o.toString):
2128
2129 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2130
2131         JSC test stress/jsc-read.js doesn't support CRLF
2132         https://bugs.webkit.org/show_bug.cgi?id=190063
2133
2134         Reviewed by Yusuke Suzuki.
2135
2136         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2137
2138         * stress/jsc-read.js:
2139         (test):
2140
2141 2018-09-27  Saam barati  <sbarati@apple.com>
2142
2143         Verify the contents of AssemblerBuffer on arm64e
2144         https://bugs.webkit.org/show_bug.cgi?id=190057
2145         <rdar://problem/38916630>
2146
2147         Reviewed by Mark Lam.
2148
2149         * stress/regress-189132.js:
2150
2151 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2152
2153         Disable test without LLInt on ARMv7
2154         https://bugs.webkit.org/show_bug.cgi?id=190037
2155
2156         Reviewed by Mark Lam.
2157
2158         Test runs out of executable memory on ARMv7, do not run
2159         this test without LLInt enabled.
2160
2161         * stress/regress-169445.js:
2162
2163 2018-09-26  Keith Miller  <keith_miller@apple.com>
2164
2165         We should zero unused property storage when rebalancing array storage.
2166         https://bugs.webkit.org/show_bug.cgi?id=188151
2167
2168         Reviewed by Michael Saboff.
2169
2170         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2171
2172 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2173
2174         [JSC] Optimize Array#lastIndexOf
2175         https://bugs.webkit.org/show_bug.cgi?id=189780
2176
2177         Reviewed by Saam Barati.
2178
2179         * stress/array-lastindexof-array-prototype-trap.js: Added.
2180         (shouldBe):
2181         (AncestorArray.prototype.get 2):
2182         (AncestorArray):
2183         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2184         (shouldBe):
2185         * stress/array-lastindexof-hole-nan.js: Added.
2186         (shouldBe):
2187         (throw.new.Error):
2188         * stress/array-lastindexof-infinity.js: Added.
2189         (shouldBe):
2190         (throw.new.Error):
2191         * stress/array-lastindexof-negative-zero.js: Added.
2192         (shouldBe):
2193         (throw.new.Error):
2194         * stress/array-lastindexof-own-getter.js: Added.
2195         (shouldBe):
2196         (throw.new.Error.get array):
2197         (get array):
2198         * stress/array-lastindexof-prototype-trap.js: Added.
2199         (shouldBe):
2200         (DerivedArray.prototype.get 2):
2201         (DerivedArray):
2202
2203 2018-09-25  Saam Barati  <sbarati@apple.com>
2204
2205         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2206         https://bugs.webkit.org/show_bug.cgi?id=189940
2207         <rdar://problem/43640987>
2208
2209         Reviewed by Mark Lam.
2210
2211         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2212
2213 2018-09-24  Saam Barati  <sbarati@apple.com>
2214
2215         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2216         https://bugs.webkit.org/show_bug.cgi?id=189922
2217         <rdar://problem/44651275>
2218
2219         Reviewed by Mark Lam.
2220
2221         * stress/array-indexof-fast-path-effects.js: Added.
2222         * stress/array-indexof-cached-length.js: Added.
2223
2224 2018-09-24  Saam barati  <sbarati@apple.com>
2225
2226         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2227         https://bugs.webkit.org/show_bug.cgi?id=189682
2228         <rdar://problem/43557315>
2229
2230         Reviewed by Mark Lam.
2231
2232         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2233         (foo):
2234
2235 2018-09-22  Saam barati  <sbarati@apple.com>
2236
2237         The sampling should not use Strong<CodeBlock> in its machineLocation field
2238         https://bugs.webkit.org/show_bug.cgi?id=189319
2239
2240         Reviewed by Filip Pizlo.
2241
2242         * stress/sampling-profiler-richards.js: Added.
2243
2244 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2245
2246         [JSC] Optimize Array#indexOf in C++ runtime
2247         https://bugs.webkit.org/show_bug.cgi?id=189507
2248
2249         Reviewed by Saam Barati.
2250
2251         * stress/array-indexof-array-prototype-trap.js: Added.
2252         (shouldBe):
2253         (AncestorArray.prototype.get 2):
2254         (AncestorArray):
2255         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2256         (shouldBe):
2257         * stress/array-indexof-hole-nan.js: Added.
2258         (shouldBe):
2259         (throw.new.Error):
2260         * stress/array-indexof-infinity.js: Added.
2261         (shouldBe):
2262         (throw.new.Error):
2263         * stress/array-indexof-negative-zero.js: Added.
2264         (shouldBe):
2265         (throw.new.Error):
2266         * stress/array-indexof-own-getter.js: Added.
2267         (shouldBe):
2268         (throw.new.Error.get array):
2269         (get array):
2270         * stress/array-indexof-prototype-trap.js: Added.
2271         (shouldBe):
2272         (DerivedArray.prototype.get 2):
2273         (DerivedArray):
2274
2275 2018-09-19  Saam barati  <sbarati@apple.com>
2276
2277         AI rule for MultiPutByOffset executes its effects in the wrong order
2278         https://bugs.webkit.org/show_bug.cgi?id=189757
2279         <rdar://problem/43535257>
2280
2281         Reviewed by Michael Saboff.
2282
2283         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2284         (foo):
2285         (Foo):
2286         (g):
2287
2288 2018-09-17  Mark Lam  <mark.lam@apple.com>
2289
2290         Ensure that ForInContexts are invalidated if their loop local is over-written.
2291         https://bugs.webkit.org/show_bug.cgi?id=189571
2292         <rdar://problem/44402277>
2293
2294         Reviewed by Saam Barati.
2295
2296         * stress/regress-189571.js: Added.
2297
2298 2018-09-17  Saam barati  <sbarati@apple.com>
2299
2300         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2301         https://bugs.webkit.org/show_bug.cgi?id=189676
2302         <rdar://problem/39682897>
2303
2304         Reviewed by Michael Saboff.
2305
2306         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2307         (A):
2308         (K):
2309         (i.catch):
2310
2311 2018-09-14  Saam barati  <sbarati@apple.com>
2312
2313         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2314         https://bugs.webkit.org/show_bug.cgi?id=189628
2315         <rdar://problem/39481690>
2316
2317         Reviewed by Mark Lam.
2318
2319         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2320         (foo):
2321
2322 2018-09-11  Mark Lam  <mark.lam@apple.com>
2323
2324         Test for array initialization in arrayProtoFuncSplice.
2325         https://bugs.webkit.org/show_bug.cgi?id=170253
2326         <rdar://problem/31328773>
2327
2328         Rubber-stamped by Saam Barati.
2329
2330         * stress/regress-170253.js: Added.
2331
2332 2018-09-11  Mark Lam  <mark.lam@apple.com>
2333
2334         Test for IntlObject initialization.
2335         https://bugs.webkit.org/show_bug.cgi?id=170251
2336         <rdar://problem/31328419>
2337
2338         Rubber-stamped by Saam Barati.
2339
2340         * stress/regress-170251.js: Added.
2341
2342 2018-09-11  Mark Lam  <mark.lam@apple.com>
2343
2344         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2345         https://bugs.webkit.org/show_bug.cgi?id=169889
2346         <rdar://problem/31155607>
2347
2348         Reviewed by Saam Barati.
2349
2350         * stress/regress-169889-array-concat.js: Added.
2351         * stress/regress-169889-array-concat1.js: Added.
2352         * stress/regress-169889-array-slice.js: Added.
2353
2354 2018-09-11  Mark Lam  <mark.lam@apple.com>
2355
2356         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2357         https://bugs.webkit.org/show_bug.cgi?id=169445
2358         <rdar://problem/30957435>
2359
2360         Reviewed by Saam Barati.
2361
2362         * stress/regress-169445.js: Added.
2363         (let.gun.eval.A):
2364         (let.gun.eval.B.C):
2365         (let.gun.eval.B.C.prototype.trigger):
2366         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2367         (let.gun.eval.B):
2368         (let.gun.eval):
2369
2370 == Rolled over to ChangeLog-2018-09-11 ==