Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
4         https://bugs.webkit.org/show_bug.cgi?id=195144
5
6         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
7         Change the number from 1e8 to 1e5.
8
9         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
10         (foo):
11
12 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
13
14         Test times out on ARM/MIPS
15         https://bugs.webkit.org/show_bug.cgi?id=195168
16
17         Unreviewed. Skip test on ARM/MIPS.
18
19         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
20
21 2019-02-27  Mark Lam  <mark.lam@apple.com>
22
23         The parser is failing to record the token location of new in new.target.
24         https://bugs.webkit.org/show_bug.cgi?id=195127
25         <rdar://problem/39645578>
26
27         Reviewed by Yusuke Suzuki.
28
29         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
30
31 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
32
33         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
34         https://bugs.webkit.org/show_bug.cgi?id=195144
35         <rdar://problem/47595961>
36
37         Reviewed by Mark Lam.
38
39         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
40         (bar):
41         (foo):
42         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
43         (bar):
44         (foo):
45
46 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
47
48         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
49         https://bugs.webkit.org/show_bug.cgi?id=194677
50         <rdar://problem/48112492>
51
52         Reviewed by Mark Lam.
53
54         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
55         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
56         it immediately fails due the large size.
57
58         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
59         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
60         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
61         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
62
63         This patch changes the test to produce 16bit string from String.fromCharCode.
64
65         * stress/regress-178386.js:
66
67 2019-02-26  Mark Lam  <mark.lam@apple.com>
68
69         wasmToJS() should purify incoming NaNs.
70         https://bugs.webkit.org/show_bug.cgi?id=194807
71         <rdar://problem/48189132>
72
73         Reviewed by Saam Barati.
74
75         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
76
77 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
78
79         [JSC] Repeat string created from Array.prototype.join() take too much memory
80         https://bugs.webkit.org/show_bug.cgi?id=193912
81
82         Reviewed by Saam Barati.
83
84         Added a test and a microbenchmark for corner cases of
85         Array.prototype.join() with an uninitialized array.
86
87         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
88         * stress/array-prototype-join-uninitialized.js: Added.
89         (testArray):
90         (testABC):
91         (B):
92         (C):
93
94 2019-02-22  Robin Morisset  <rmorisset@apple.com>
95
96         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
97         https://bugs.webkit.org/show_bug.cgi?id=194953
98         <rdar://problem/47595253>
99
100         Reviewed by Saam Barati.
101
102         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
103
104         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
105
106 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
107
108         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
109         https://bugs.webkit.org/show_bug.cgi?id=172848
110         <rdar://problem/25709212>
111
112         Reviewed by Mark Lam.
113
114         * typeProfiler/inheritance.js:
115         Rewrite the test slightly for clarity. The hoisting was confusing.
116
117         * heapProfiler/class-names.js: Added.
118         (MyES5Class):
119         (MyES6Class):
120         (MyES6Subclass):
121         Test object types and improved class names.
122
123         * heapProfiler/driver/driver.js:
124         (CheapHeapSnapshotNode):
125         (CheapHeapSnapshot):
126         (createCheapHeapSnapshot):
127         (HeapSnapshot):
128         (createHeapSnapshot):
129         Update snapshot parsing from version 1 to version 2.
130
131 2019-02-19  Truitt Savell  <tsavell@apple.com>
132
133         Unreviewed, rolling out r241784.
134
135         Broke all OpenSource builds.
136
137         Reverted changeset:
138
139         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
140         instances view"
141         https://bugs.webkit.org/show_bug.cgi?id=172848
142         https://trac.webkit.org/changeset/241784
143
144 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
145
146         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
147         https://bugs.webkit.org/show_bug.cgi?id=172848
148         <rdar://problem/25709212>
149
150         Reviewed by Mark Lam.
151
152         * typeProfiler/inheritance.js:
153         Rewrite the test slightly for clarity. The hoisting was confusing.
154
155         * heapProfiler/class-names.js: Added.
156         (MyES5Class):
157         (MyES6Class):
158         (MyES6Subclass):
159         Test object types and improved class names.
160
161         * heapProfiler/driver/driver.js:
162         (CheapHeapSnapshotNode):
163         (CheapHeapSnapshot):
164         (createCheapHeapSnapshot):
165         (HeapSnapshot):
166         (createHeapSnapshot):
167         Update snapshot parsing from version 1 to version 2.
168
169 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
170
171         [ARM] Fix crash with sampling profiler
172         https://bugs.webkit.org/show_bug.cgi?id=194772
173
174         Reviewed by Mark Lam.
175
176         Do not skip test since crash with sampling profiler is now fixed.
177
178         * stress/sampling-profiler-richards.js:
179
180 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
181
182         [JSC] Add LazyClassStructure::getInitializedOnMainThread
183         https://bugs.webkit.org/show_bug.cgi?id=194784
184         <rdar://problem/48154820>
185
186         Reviewed by Mark Lam.
187
188         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
189         (getProperties):
190         (getRandomProperty):
191         (i.catch):
192
193 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
194
195         [ARM] Test gardening: Test running out of executable memory
196         https://bugs.webkit.org/show_bug.cgi?id=194771
197
198         Unreviewed. Do not run test without LLInt, test is running out of executable
199         memory on ARM otherwise.
200
201         * stress/tagged-template-object-collect.js:
202
203 2019-02-18  Tomas Popela  <tpopela@redhat.com>
204
205         Unreviewed, skip the test on platforms without sampling profiler
206
207         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
208         (platformSupportsSamplingProfiler.foo):
209         (platformSupportsSamplingProfiler.test):
210         (platformSupportsSamplingProfiler):
211         (foo): Deleted.
212         (test): Deleted.
213
214 2019-02-17  Saam Barati  <sbarati@apple.com>
215
216         Deadlock when adding a Structure property transition and then doing incremental marking
217         https://bugs.webkit.org/show_bug.cgi?id=194767
218
219         Reviewed by Mark Lam.
220
221         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
222
223 2019-02-15  Michael Saboff  <msaboff@apple.com>
224
225         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
226         https://bugs.webkit.org/show_bug.cgi?id=194558
227
228         Reviewed by Saam Barati.
229
230         New regression test.
231
232         * stress/regexp-unicode-within-string.js: Added.
233
234 2019-02-15  Mark Lam  <mark.lam@apple.com>
235
236         SamplingProfiler::stackTracesAsJSON() should escape strings.
237         https://bugs.webkit.org/show_bug.cgi?id=194649
238         <rdar://problem/48072386>
239
240         Reviewed by Saam Barati.
241
242         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
243         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
244         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
245         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
246
247 2019-02-15  Robin Morisset  <rmorisset@apple.com>
248         CodeBlock::jettison should clear related watchpoints
249         https://bugs.webkit.org/show_bug.cgi?id=194544
250
251         Reviewed by Mark Lam.
252
253         * stress/regexp-replace-double-watchpoint.js: Added.
254         (foo):
255
256 2019-02-15  Saam barati  <sbarati@apple.com>
257
258         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
259         https://bugs.webkit.org/show_bug.cgi?id=194036
260
261         Reviewed by Yusuke Suzuki.
262
263         * stress/tail-call-many-arguments.js: Added.
264         (foo):
265         (bar):
266
267 2019-02-14  Saam Barati  <sbarati@apple.com>
268
269         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
270         https://bugs.webkit.org/show_bug.cgi?id=194583
271         <rdar://problem/48028140>
272
273         Reviewed by Yusuke Suzuki.
274
275         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
276
277 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
278
279         [JSC] String.fromCharCode's slow path always generates 16bit string
280         https://bugs.webkit.org/show_bug.cgi?id=194466
281
282         Reviewed by Keith Miller.
283
284         * stress/string-from-char-code-slow-path.js: Added.
285         (shouldBe):
286         (testWithLength):
287
288 2019-02-08  Saam barati  <sbarati@apple.com>
289
290         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
291         https://bugs.webkit.org/show_bug.cgi?id=194334
292         <rdar://problem/47844327>
293
294         Reviewed by Mark Lam.
295
296         * stress/check-in-bounds-should-be-a-child-use.js: Added.
297         (func):
298
299 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
302         https://bugs.webkit.org/show_bug.cgi?id=194369
303         <rdar://problem/47813087>
304
305         Reviewed by Saam Barati.
306
307         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
308         (A):
309
310 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
311
312         [JSC] PrivateName to PublicName hash table is wasteful
313         https://bugs.webkit.org/show_bug.cgi?id=194277
314
315         Reviewed by Michael Saboff.
316
317         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
318
319         * ChakraCore.yaml:
320
321 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
322
323         [ARM] Test running out of executable memory
324         https://bugs.webkit.org/show_bug.cgi?id=194285
325
326         Unreviewed. Do no execute test with LLInt disabled, test runs out of
327         executable memory otherwise.
328
329         * stress/class-subclassing-function.js:
330
331 2019-02-04  Robin Morisset  <rmorisset@apple.com>
332
333         when lowering AssertNotEmpty, create the value before creating the patchpoint
334         https://bugs.webkit.org/show_bug.cgi?id=194231
335
336         Reviewed by Saam Barati.
337
338         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
339         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
340         So even tiny changes to this test can change the path code taken.
341
342         * stress/assert-not-empty.js: Added.
343         (foo):
344
345 2019-02-01  Mark Lam  <mark.lam@apple.com>
346
347         Remove invalid assertion in DFG's compileDoubleRep().
348         https://bugs.webkit.org/show_bug.cgi?id=194130
349         <rdar://problem/47699474>
350
351         Reviewed by Saam Barati.
352
353         * stress/constant-fold-double-rep-into-double-constant.js: Added.
354
355 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
356
357         Import latest Test262 updates.
358
359         Rubber-stamped by Keith Miller.
360
361         * test262.yaml: Deleted.
362         * test262/config.yaml:
363         * test262/expectations.yaml:
364         * test262/latest-changes-summary.txt:
365         * test262/test/:
366         * test262/test262-Revision.txt:
367
368 2019-01-30  Robin Morisset  <rmorisset@apple.com>
369
370         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
371         https://bugs.webkit.org/show_bug.cgi?id=194050
372         <rdar://problem/47595592>
373
374         Reviewed by Yusuke Suzuki.
375
376         * stress/object-keys-osr-exit.js: Added.
377         (foo):
378         (catch):
379
380 2019-01-29  Mark Lam  <mark.lam@apple.com>
381
382         ValueRecovery::recover() should purify NaN values it recovers.
383         https://bugs.webkit.org/show_bug.cgi?id=193978
384         <rdar://problem/47625488>
385
386         Reviewed by Saam Barati.
387
388         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
389
390 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
391
392         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
393         https://bugs.webkit.org/show_bug.cgi?id=193713
394
395         * stress/try-get-by-id-should-spill-registers-dfg.js:
396         (let.f.createBuiltin):
397
398 2019-01-28  Mark Lam  <mark.lam@apple.com>
399
400         ToString node actually does GC.
401         https://bugs.webkit.org/show_bug.cgi?id=193920
402         <rdar://problem/46695900>
403
404         Reviewed by Yusuke Suzuki.
405
406         * stress/dfg-to-string-on-int-does-gc.js: Added.
407         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
408         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
409
410 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
411
412         [JSC] NativeErrorConstructor should not have own IsoSubspace
413         https://bugs.webkit.org/show_bug.cgi?id=193713
414
415         Reviewed by Saam Barati.
416
417         Remove @Error use.
418
419         * stress/try-get-by-id-should-spill-registers-dfg.js:
420         (let.f.createBuiltin):
421
422 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
423
424         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
425         https://bugs.webkit.org/show_bug.cgi?id=190693
426
427         Reviewed by Michael Saboff.
428
429         * stress/regress-190693.js: Added.
430         (truth):
431         (assert):
432         (shouldThrowInvalidConstAssignment):
433         (taz):
434
435 2019-01-24  Saam Barati  <sbarati@apple.com>
436
437         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
438         https://bugs.webkit.org/show_bug.cgi?id=193751
439         <rdar://problem/47280215>
440
441         Reviewed by Michael Saboff.
442
443         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
444         (let.thing):
445         (foo.let.hello):
446         (foo):
447
448 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
449
450         [JSC] Reenable baseline JIT on mips
451         https://bugs.webkit.org/show_bug.cgi?id=192983
452
453         Reviewed by Mark Lam.
454
455         Added a new test for a case that was triggering a RELEASE_ASSERT when
456         testing.
457         Disable some slow tests that were already disabled for arm and x86.
458
459         * stress/json-parse-big-object.js: Added.
460         * stress/new-largeish-contiguous-array-with-size.js:
461         * stress/op_add.js:
462         * stress/op_bitand.js:
463         * stress/op_bitor.js:
464         * stress/op_bitxor.js:
465         * stress/op_lshift-ConstVar.js:
466         * stress/op_lshift-VarConst.js:
467         * stress/op_lshift-VarVar.js:
468         * stress/op_mod-ConstVar.js:
469         * stress/op_mod-VarConst.js:
470         * stress/op_mod-VarVar.js:
471         * stress/op_mul-ConstVar.js:
472         * stress/op_mul-VarConst.js:
473         * stress/op_mul-VarVar.js:
474         * stress/op_rshift-ConstVar.js:
475         * stress/op_rshift-VarConst.js:
476         * stress/op_rshift-VarVar.js:
477         * stress/op_sub-ConstVar.js:
478         * stress/op_sub-VarConst.js:
479         * stress/op_sub-VarVar.js:
480         * stress/op_urshift-ConstVar.js:
481         * stress/op_urshift-VarConst.js:
482         * stress/op_urshift-VarVar.js:
483         * stress/sampling-profiler-richards.js:
484         * stress/spread-forward-call-varargs-stack-overflow.js:
485
486 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
487
488         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
489         https://bugs.webkit.org/show_bug.cgi?id=193711
490         <rdar://problem/47250262>
491
492         Reviewed by Saam Barati.
493
494         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
495         (shouldBe):
496         (foo):
497         (bar):
498         (baz):
499
500 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
501
502         Unreviewed, fix initial global lexical binding epoch
503         https://bugs.webkit.org/show_bug.cgi?id=193603
504         <rdar://problem/47380869>
505
506         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
507         (f1.f2.f3.f4):
508         (f1.f2.f3):
509         (f1.f2):
510         (f1):
511
512 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
513
514         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
515         https://bugs.webkit.org/show_bug.cgi?id=193709
516         <rdar://problem/47363838>
517
518         Unreviewed, rollout to watch the tests.
519
520         * stress/object-tostring-changed-proto.js: Removed.
521         * stress/object-tostring-changed.js: Removed.
522         * stress/object-tostring-misc.js: Removed.
523         * stress/object-tostring-other.js: Removed.
524         * stress/object-tostring-untyped.js: Removed.
525
526 2019-01-22  Saam Barati  <sbarati@apple.com>
527
528         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
529
530         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
531         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
532         (testUncheckedLessThanZero):
533         (testUncheckedLessThanOrEqualZero):
534         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
535         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
536
537 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
538
539         [JSC] Invalidate old scope operations using global lexical binding epoch
540         https://bugs.webkit.org/show_bug.cgi?id=193603
541         <rdar://problem/47380869>
542
543         Reviewed by Saam Barati.
544
545         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
546         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
547         (shouldThrow):
548         (bar):
549         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
550         (shouldBe):
551         (get1):
552         (get2):
553         (get1If):
554         (get2If):
555         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
556         (shouldThrow):
557         (foo):
558
559 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
560
561         Unreviewed, roll out r240220 due to date-format-xparb regression
562         https://bugs.webkit.org/show_bug.cgi?id=193603
563
564         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
565         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
566         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
567         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
568
569 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
570
571         DoesGC rule is wrong for nodes with BigIntUse
572         https://bugs.webkit.org/show_bug.cgi?id=193652
573
574         Reviewed by Saam Barati.
575
576         * stress/big-int-value-op-update-gc-rules.js: Added.
577         (assert):
578         (doesGCAdd):
579         (doesGCSub):
580         (doesGCDiv):
581         (doesGCMul):
582         (doesGCBitAnd):
583         (doesGCBitOr):
584         (doesGCBitXor):
585
586 2019-01-20  Saam Barati  <sbarati@apple.com>
587
588         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
589         https://bugs.webkit.org/show_bug.cgi?id=193644
590         <rdar://problem/46209745>
591
592         Reviewed by Yusuke Suzuki.
593
594         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
595         (foo):
596         * stress/data-view-set-intrinsic-undefined-result.js: Added.
597         (foo):
598         (bar):
599
600 2019-01-20  Saam Barati  <sbarati@apple.com>
601
602         MovHint must merge NodeBytecodeUsesAsValue for its child
603         https://bugs.webkit.org/show_bug.cgi?id=186916
604         <rdar://problem/41396612>
605
606         Reviewed by Yusuke Suzuki.
607
608         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
609         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
610
611 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
612
613         [JSC] Invalidate old scope operations using global lexical binding epoch
614         https://bugs.webkit.org/show_bug.cgi?id=193603
615         <rdar://problem/47380869>
616
617         Reviewed by Saam Barati.
618
619         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
620         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
621         (shouldThrow):
622         (bar):
623         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
624         (shouldBe):
625         (get1):
626         (get2):
627         (get1If):
628         (get2If):
629         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
630         (shouldThrow):
631         (foo):
632
633 2019-01-17  Saam barati  <sbarati@apple.com>
634
635         StringObjectUse should not be a structure check for the original string object structure
636         https://bugs.webkit.org/show_bug.cgi?id=193483
637         <rdar://problem/47280522>
638
639         Reviewed by Yusuke Suzuki.
640
641         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
642         (foo):
643         (a.valueOf.0):
644
645 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
646
647         [JSC] ToThis omission in DFGByteCodeParser is wrong
648         https://bugs.webkit.org/show_bug.cgi?id=193513
649         <rdar://problem/45842236>
650
651         Reviewed by Saam Barati.
652
653         * stress/to-this-omission-with-different-strict-modes.js: Added.
654         (thisA):
655         (thisAStrictWrapper):
656
657 2019-01-15  Mark Lam  <mark.lam@apple.com>
658
659         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
660         https://bugs.webkit.org/show_bug.cgi?id=193423
661         <rdar://problem/46209355>
662
663         Reviewed by Saam Barati.
664
665         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
666         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
667         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
668         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
669
670 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
671
672         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
673         https://bugs.webkit.org/show_bug.cgi?id=193438
674         <rdar://problem/45581249>
675
676         Reviewed by Saam Barati and Keith Miller.
677
678         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
679         Then, GetByVal(String) crashed.
680
681         * stress/string-get-by-val-lowering.js: Added.
682         (shouldBe):
683         (test):
684         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
685         (Hello):
686         (foo):
687
688 2019-01-15  Tomas Popela  <tpopela@redhat.com>
689
690         Unreviewed, skip JIT tests if it's not enabled
691
692         * stress/bit-op-with-object-returning-int32.js:
693
694 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
695
696         DFGByteCodeParser rules for bitwise operations should consider type of their operands
697         https://bugs.webkit.org/show_bug.cgi?id=192966
698
699         Reviewed by Yusuke Suzuki.
700
701         * stress/bit-op-with-object-returning-int32.js: Added.
702
703 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
704
705         Skip a slow test and a flakey test on arm
706
707         Unreviewed gardening.
708
709         * typeProfiler/getter-richards.js:
710         this test always times out, it used to be always skipped on arm and
711         mips, but got accidentally enabled by r237919 now that we have DFG on
712         arm. Also skipping on mips as we plan to soon enable DFG for it too.
713
714 2019-01-14  Keith Miller  <keith_miller@apple.com>
715
716         Skip type-check-hoisting-phase-hoist... with no jit
717         https://bugs.webkit.org/show_bug.cgi?id=193421
718
719         Reviewed by Mark Lam.
720
721         It's timing out the 32-bit bots and takes 330 seconds
722         on my machine when run by itself.
723
724         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
725
726 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
727
728         [JSC] AI should check the given constant's array type when folding GetByVal into constant
729         https://bugs.webkit.org/show_bug.cgi?id=193413
730         <rdar://problem/46092389>
731
732         Reviewed by Keith Miller.
733
734         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
735         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
736         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
737         but GetByVal does not have appropriate ArrayModes, JSC crashes.
738
739         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
740         (compareArray):
741
742 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
743
744         [BigInt] Literal parsing is crashing when used inside a Object Literal
745         https://bugs.webkit.org/show_bug.cgi?id=193404
746
747         Reviewed by Yusuke Suzuki.
748
749         * stress/big-int-literal-inside-literal-object.js: Added.
750
751 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
752
753         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
754         https://bugs.webkit.org/show_bug.cgi?id=193372
755
756         Reviewed by Saam Barati.
757
758         * stress/typed-array-array-modes-profile.js: Added.
759         (foo):
760
761 2019-01-14  Mark Lam  <mark.lam@apple.com>
762
763         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
764         https://bugs.webkit.org/show_bug.cgi?id=193402
765         <rdar://problem/46012309>
766
767         Reviewed by Keith Miller.
768
769         * stress/regexp-compile-oom.js:
770         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
771           is enabled.  As a result, it will fail on cloop builds though there is no bug.
772
773 2019-01-11  Saam barati  <sbarati@apple.com>
774
775         DFG combined liveness can be wrong for terminal basic blocks
776         https://bugs.webkit.org/show_bug.cgi?id=193304
777         <rdar://problem/45268632>
778
779         Reviewed by Yusuke Suzuki.
780
781         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
782
783 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
784
785         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
786         https://bugs.webkit.org/show_bug.cgi?id=193308
787         <rdar://problem/45546542>
788
789         Reviewed by Saam Barati.
790
791         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
792         (shouldThrow):
793         (shouldBe):
794         (foo):
795         (get shouldThrow):
796         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
797         (shouldThrow):
798         (shouldBe):
799         (foo):
800         (get shouldBe):
801         (get shouldThrow):
802         (get return):
803         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
804         (shouldThrow):
805         (shouldBe):
806         (foo):
807         (get shouldBe):
808         (get shouldThrow):
809         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
810         (shouldThrow):
811         (shouldBe):
812         (foo):
813         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
814         (shouldThrow):
815         (shouldBe):
816         (foo):
817         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
818         (shouldThrow):
819         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
820         (shouldThrow):
821         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
822         (shouldThrow):
823         (shouldBe):
824         (foo):
825         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
826         (shouldThrow):
827         (shouldBe):
828         (foo):
829         (get shouldBe):
830         (get shouldThrow):
831         (get return):
832         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
833         (shouldThrow):
834         (shouldBe):
835         (foo):
836         (get shouldBe):
837         (get shouldThrow):
838         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
839         (shouldThrow):
840         (shouldBe):
841         (foo):
842         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
843         (shouldThrow):
844         (shouldBe):
845         (foo):
846
847 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
848
849         Enable DFG on ARM/Linux again
850         https://bugs.webkit.org/show_bug.cgi?id=192496
851
852         Reviewed by Yusuke Suzuki.
853
854         Test wasn't really skipped before moving the line with skip
855         to the top.
856
857         * stress/regress-192717.js:
858
859 2019-01-10  Commit Queue  <commit-queue@webkit.org>
860
861         Unreviewed, rolling out r239825.
862         https://bugs.webkit.org/show_bug.cgi?id=193330
863
864         Broke tests on armv7/linux bots (Requested by guijemont on
865         #webkit).
866
867         Reverted changeset:
868
869         "Enable DFG on ARM/Linux again"
870         https://bugs.webkit.org/show_bug.cgi?id=192496
871         https://trac.webkit.org/changeset/239825
872
873 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
874
875         Enable DFG on ARM/Linux again
876         https://bugs.webkit.org/show_bug.cgi?id=192496
877
878         Reviewed by Yusuke Suzuki.
879
880         Test wasn't really skipped before moving the line with skip
881         to the top.
882
883         * stress/regress-192717.js:
884
885 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
886
887         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
888         https://bugs.webkit.org/show_bug.cgi?id=193127
889
890         Reviewed by Saam Barati.
891
892         * stress/array-species-create-should-handle-masquerader.js: Added.
893         (shouldThrow):
894         * stress/is-undefined-or-null-builtin.js: Added.
895         (shouldBe):
896         (isUndefinedOrNull.vm.createBuiltin):
897
898 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
899
900         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
901         https://bugs.webkit.org/show_bug.cgi?id=193221
902
903         Reviewed by Mark Lam.
904
905         * stress/put-by-id-flags.js: Added.
906         (f):
907         (g):
908         (numberOfDFGCompiles):
909
910 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
911
912         Baseline version of get_by_id may corrupt metadata
913         https://bugs.webkit.org/show_bug.cgi?id=193085
914         <rdar://problem/23453006>
915
916         Reviewed by Saam Barati.
917
918         * stress/get-by-id-change-mode.js: Added.
919         (forEach):
920
921 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
922
923         [JSC] Optimize Object.prototype.toString
924         https://bugs.webkit.org/show_bug.cgi?id=193031
925
926         Reviewed by Saam Barati.
927
928         * stress/object-tostring-changed-proto.js: Added.
929         (shouldBe):
930         (test):
931         * stress/object-tostring-changed.js: Added.
932         (shouldBe):
933         (test):
934         * stress/object-tostring-misc.js: Added.
935         (shouldBe):
936         (test):
937         (i.switch):
938         * stress/object-tostring-other.js: Added.
939         (shouldBe):
940         (test):
941         * stress/object-tostring-untyped.js: Added.
942         (shouldBe):
943         (test):
944         (i.switch):
945
946 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
947
948         test262-runner misbehaves when test file YAML has a trailing space
949         https://bugs.webkit.org/show_bug.cgi?id=193053
950
951         Reviewed by Yusuke Suzuki.
952
953         * test262/expectations.yaml:
954         Mark two dozen tests as passing (and correct the output of another).
955
956 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
957
958         Unreviewed, JSTests gardening with memoryLimited
959
960         * stress/string-overflow-createError.js:
961
962 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
963
964         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
965         https://bugs.webkit.org/show_bug.cgi?id=193050
966
967         Reviewed by Yusuke Suzuki.
968
969         * test262.yaml:
970         * test262/expectations.yaml:
971         Mark 16 tests as passing.
972
973 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
974
975         [BigInt] Support BigInt in JSON.stringify
976         https://bugs.webkit.org/show_bug.cgi?id=192624
977
978         Reviewed by Saam Barati.
979
980         * stress/big-int-json-stringify-to-json.js: Added.
981         (shouldBe):
982         (shouldThrow):
983         (BigInt.prototype.toJSON):
984         (shouldBe.JSON.stringify):
985         * stress/big-int-json-stringify.js: Added.
986         (shouldBe):
987         (shouldThrow):
988
989 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
990
991         [JSC] Implement "well-formed JSON.stringify" proposal
992         https://bugs.webkit.org/show_bug.cgi?id=191677
993
994         Reviewed by Darin Adler.
995
996         * stress/json-surrogate-pair.js: Added.
997         (shouldBe):
998         * test262/expectations.yaml:
999
1000 2018-12-20  Keith Miller  <keith_miller@apple.com>
1001
1002         Add support for globalThis
1003         https://bugs.webkit.org/show_bug.cgi?id=165171
1004
1005         Reviewed by Mark Lam.
1006
1007         * test262/config.yaml:
1008
1009 2018-12-19  Keith Miller  <keith_miller@apple.com>
1010
1011         Update test262 configuration to not run tests dependent on ICU version.
1012         https://bugs.webkit.org/show_bug.cgi?id=192920
1013
1014         Reviewed by Saam Barati.
1015
1016         * test262/expectations.yaml:
1017
1018 2018-12-20  Mark Lam  <mark.lam@apple.com>
1019
1020         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1021         https://bugs.webkit.org/show_bug.cgi?id=192939
1022         <rdar://problem/46869516>
1023
1024         Reviewed by Keith Miller.
1025
1026         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1027
1028 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1029
1030         WTF::String and StringImpl overflow MaxLength
1031         https://bugs.webkit.org/show_bug.cgi?id=192853
1032         <rdar://problem/45726906>
1033
1034         Reviewed by Mark Lam.
1035
1036         * stress/string-16bit-repeat-overflow.js: Added.
1037         (catch):
1038
1039 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1040
1041         Unreviewed follow-up to r192914.
1042
1043         * test262/expectations.yaml:
1044         Add the last 20 missing expectations.
1045
1046 2018-12-19  Keith Miller  <keith_miller@apple.com>
1047
1048         Fix test262 expectations
1049         https://bugs.webkit.org/show_bug.cgi?id=192914
1050
1051         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1052
1053         * test262/expectations.yaml:
1054
1055 2018-12-19  Keith Miller  <keith_miller@apple.com>
1056
1057         Update test262 tests.
1058         https://bugs.webkit.org/show_bug.cgi?id=192907
1059
1060         Rubber stamped by Mark Lam.
1061
1062         * test262/*: Omitted because prepare-changelog crashes.
1063
1064 2018-12-19  Mark Lam  <mark.lam@apple.com>
1065
1066         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1067         https://bugs.webkit.org/show_bug.cgi?id=192464
1068         <rdar://problem/46519455>
1069
1070         Reviewed by Saam Barati.
1071
1072         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1073         microbenchmark.
1074
1075         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1076         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1077
1078 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1079
1080         String overflow in JSC::createError results in ASSERT in WTF::makeString
1081         https://bugs.webkit.org/show_bug.cgi?id=192833
1082         <rdar://problem/45706868>
1083
1084         Reviewed by Mark Lam.
1085
1086         * stress/string-overflow-createError.js: Added.
1087
1088 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1089
1090         Error message for `-x ** y` contains a typo.
1091         https://bugs.webkit.org/show_bug.cgi?id=192832
1092
1093         Reviewed by Saam Barati.
1094
1095         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1096         (assert.assert.return.throws):
1097         * stress/pow-expects-update-expression-on-lhs.js:
1098         (throw.new.Error):
1099         Update test expectations which match against the exact error message.
1100
1101 2018-12-18  Mark Lam  <mark.lam@apple.com>
1102
1103         Gardening: test options fix.
1104         https://bugs.webkit.org/show_bug.cgi?id=192822
1105
1106         Unreviewed.
1107
1108         * stress/json-stringify-string-builder-overflow.js:
1109
1110 2018-12-18  Mark Lam  <mark.lam@apple.com>
1111
1112         JSON.stringify() should throw OOM on StringBuilder overflows.
1113         https://bugs.webkit.org/show_bug.cgi?id=192822
1114         <rdar://problem/46670577>
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/json-stringify-string-builder-overflow.js: Added.
1119
1120 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1121
1122         Redeclaration of var over let/const/class should be a syntax error.
1123         https://bugs.webkit.org/show_bug.cgi?id=192298
1124
1125         Reviewed by Keith Miller.
1126
1127         * test262.yaml:
1128         * test262/expectations.yaml:
1129         Mark 46 tests as passing.
1130
1131         * stress/block-scope-redeclarations.js:
1132         Add some new tests.
1133
1134         * stress/for-in-invalidate-context-weird-assignments.js:
1135         * stress/for-in-tests.js:
1136         Replace tests for outdated behavior with tests for SyntaxError.
1137
1138         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1139         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1140         Update expectations.
1141
1142 2018-12-18  Mark Lam  <mark.lam@apple.com>
1143
1144         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1145         https://bugs.webkit.org/show_bug.cgi?id=191374
1146         <rdar://problem/46525447>
1147
1148         Reviewed by Yusuke Suzuki.
1149
1150         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1151
1152         * stress/elidable-new-object-roflcopter-then-exit.js:
1153
1154 2018-12-17  Mark Lam  <mark.lam@apple.com>
1155
1156         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1157         https://bugs.webkit.org/show_bug.cgi?id=192019
1158         <rdar://problem/46525456>
1159
1160         Reviewed by Yusuke Suzuki.
1161
1162         The test runs too slow on 32-bit.
1163
1164         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1165
1166 2018-12-17  Mark Lam  <mark.lam@apple.com>
1167
1168         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1169         https://bugs.webkit.org/show_bug.cgi?id=191373
1170         <rdar://problem/46525458>
1171
1172         Reviewed by Yusuke Suzuki.
1173
1174         The test is already slow running with a JIT on 64-bit.  It will always timeout
1175         on 32-bit without a JIT.
1176
1177         * stress/materialize-regexp-cyclic-regexp.js:
1178
1179 2018-12-17  Mark Lam  <mark.lam@apple.com>
1180
1181         Array unshift/shift should not race against the AI in the compiler thread.
1182         https://bugs.webkit.org/show_bug.cgi?id=192795
1183         <rdar://problem/46724263>
1184
1185         Reviewed by Saam Barati.
1186
1187         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1188
1189 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1190
1191         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1192         https://bugs.webkit.org/show_bug.cgi?id=190047
1193
1194         Reviewed by Saam Barati.
1195
1196         * stress/object-keys-cached-zero.js: Added.
1197         (shouldBe):
1198         (test):
1199         * stress/object-keys-changed-attribute.js: Added.
1200         (shouldBe):
1201         (test):
1202         * stress/object-keys-changed-index.js: Added.
1203         (shouldBe):
1204         (test):
1205         * stress/object-keys-changed.js: Added.
1206         (shouldBe):
1207         (test):
1208         * stress/object-keys-indexed-non-cache.js: Added.
1209         (shouldBe):
1210         (test):
1211         * stress/object-keys-overrides-get-property-names.js: Added.
1212         (shouldBe):
1213         (test):
1214         (noInline):
1215
1216 2018-12-17  Mark Lam  <mark.lam@apple.com>
1217
1218         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1219         https://bugs.webkit.org/show_bug.cgi?id=192779
1220         <rdar://problem/46775869>
1221
1222         Reviewed by Saam Barati.
1223
1224         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1225
1226 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1227
1228         Unreviewed test gardening, address a syntax error in a new test.
1229
1230         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1231
1232 2018-12-17  Mark Lam  <mark.lam@apple.com>
1233
1234         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1235         https://bugs.webkit.org/show_bug.cgi?id=192776
1236         <rdar://problem/46772368>
1237
1238         Reviewed by Keith Miller.
1239
1240         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1241
1242 2018-12-17  Mark Lam  <mark.lam@apple.com>
1243
1244         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1245         https://bugs.webkit.org/show_bug.cgi?id=192770
1246         <rdar://problem/46449037>
1247
1248         Reviewed by Keith Miller.
1249
1250         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1251
1252 2018-12-14  Mark Lam  <mark.lam@apple.com>
1253
1254         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1255         https://bugs.webkit.org/show_bug.cgi?id=192717
1256         <rdar://problem/46660677>
1257
1258         Reviewed by Saam Barati.
1259
1260         * stress/regress-192717.js: Added.
1261
1262 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1263
1264         Unreviewed, rolling out r239153, r239154, and r239155.
1265         https://bugs.webkit.org/show_bug.cgi?id=192715
1266
1267         Caused flaky GC-related crashes seen with layout tests
1268         (Requested by ryanhaddad on #webkit).
1269
1270         Reverted changesets:
1271
1272         "[JSC] Optimize Object.keys by caching own keys results in
1273         StructureRareData"
1274         https://bugs.webkit.org/show_bug.cgi?id=190047
1275         https://trac.webkit.org/changeset/239153
1276
1277         "Unreviewed, build fix after r239153"
1278         https://bugs.webkit.org/show_bug.cgi?id=190047
1279         https://trac.webkit.org/changeset/239154
1280
1281         "Unreviewed, build fix after r239153, part 2"
1282         https://bugs.webkit.org/show_bug.cgi?id=190047
1283         https://trac.webkit.org/changeset/239155
1284
1285 2018-12-14  Keith Miller  <keith_miller@apple.com>
1286
1287         Callers of JSString::getIndex should check for OOM exceptions
1288         https://bugs.webkit.org/show_bug.cgi?id=192709
1289
1290         Reviewed by Mark Lam.
1291
1292         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1293
1294 2018-12-13  Mark Lam  <mark.lam@apple.com>
1295
1296         Add a missing exception check.
1297         https://bugs.webkit.org/show_bug.cgi?id=192626
1298         <rdar://problem/46662163>
1299
1300         Reviewed by Keith Miller.
1301
1302         * stress/regress-192626.js: Added.
1303
1304 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1305
1306         [BigInt] Add ValueDiv into DFG
1307         https://bugs.webkit.org/show_bug.cgi?id=186178
1308
1309         Reviewed by Yusuke Suzuki.
1310
1311         * stress/big-int-div-jit-osr.js: Added.
1312         * stress/big-int-div-jit-untyped.js: Added.
1313         * stress/value-div-fixup-int32-big-int.js: Added.
1314
1315 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1316
1317         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1318         https://bugs.webkit.org/show_bug.cgi?id=190047
1319
1320         Reviewed by Keith Miller.
1321
1322         * stress/object-keys-cached-zero.js: Added.
1323         (shouldBe):
1324         (test):
1325         * stress/object-keys-changed-attribute.js: Added.
1326         (shouldBe):
1327         (test):
1328         * stress/object-keys-changed-index.js: Added.
1329         (shouldBe):
1330         (test):
1331         * stress/object-keys-changed.js: Added.
1332         (shouldBe):
1333         (test):
1334         * stress/object-keys-indexed-non-cache.js: Added.
1335         (shouldBe):
1336         (test):
1337         * stress/object-keys-overrides-get-property-names.js: Added.
1338         (shouldBe):
1339         (test):
1340         (noInline):
1341
1342 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1343
1344         [DFG][FTL] Add NewSymbol
1345         https://bugs.webkit.org/show_bug.cgi?id=192620
1346
1347         Reviewed by Saam Barati.
1348
1349         * microbenchmarks/symbol-creation.js: Added.
1350         (test):
1351         * stress/symbol-description-identity.js: Added.
1352         (shouldBe):
1353         (test):
1354         * stress/symbol-identity.js: Added.
1355         (shouldBe):
1356         (test):
1357         * stress/symbol-with-description-throw-error.js: Added.
1358         (shouldBe):
1359         (shouldThrow):
1360         (test):
1361         (object.toString):
1362
1363 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1364
1365         [BigInt] Implement DFG/FTL typeof for BigInt
1366         https://bugs.webkit.org/show_bug.cgi?id=192619
1367
1368         Reviewed by Keith Miller.
1369
1370         * stress/big-int-boolean-proven-type.js: Added.
1371         (assert):
1372         (bool):
1373         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1374         (assert):
1375         (typeOf):
1376         (i.switch):
1377         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1378         (assert):
1379         (typeOf):
1380         * stress/big-int-type-of.js:
1381         (typeOf):
1382         (func):
1383
1384 2018-12-10  Mark Lam  <mark.lam@apple.com>
1385
1386         PropertyAttribute needs a CustomValue bit.
1387         https://bugs.webkit.org/show_bug.cgi?id=191993
1388         <rdar://problem/46264467>
1389
1390         Reviewed by Saam Barati.
1391
1392         * stress/regress-191993.js: Added.
1393
1394 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1395
1396         [BigInt] Add ValueMul into DFG
1397         https://bugs.webkit.org/show_bug.cgi?id=186175
1398
1399         Reviewed by Yusuke Suzuki.
1400
1401         * stress/big-int-mul-jit-osr.js: Added.
1402         * stress/big-int-mul-jit-untyped.js: Added.
1403         * stress/value-mul-fixup-int32-big-int.js: Added.
1404
1405 2018-12-06  Keith Miller  <keith_miller@apple.com>
1406
1407         stress/big-wasm-memory tests failing on 32-bit JSC bot
1408         https://bugs.webkit.org/show_bug.cgi?id=192020
1409
1410         Reviewed by Saam Barati.
1411
1412         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1413         the wasm stress tests if the WebAssembly object does not exist.
1414
1415         * stress/big-wasm-memory-grow-no-max.js:
1416         (test.foo):
1417         (test):
1418         (foo): Deleted.
1419         (catch): Deleted.
1420         * stress/big-wasm-memory-grow.js:
1421         (test.foo):
1422         (test):
1423         (foo): Deleted.
1424         (catch): Deleted.
1425         * stress/big-wasm-memory.js:
1426         (test.foo):
1427         (test):
1428         (foo): Deleted.
1429         (catch): Deleted.
1430
1431 2018-12-05  Mark Lam  <mark.lam@apple.com>
1432
1433         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1434         https://bugs.webkit.org/show_bug.cgi?id=192441
1435         <rdar://problem/46480355>
1436
1437         Reviewed by Saam Barati.
1438
1439         * stress/regress-192441.js: Added.
1440
1441 2018-12-04  Mark Lam  <mark.lam@apple.com>
1442
1443         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1444         https://bugs.webkit.org/show_bug.cgi?id=192386
1445         <rdar://problem/46445516>
1446
1447         Reviewed by Saam Barati.
1448
1449         * stress/regress-192386.js: Added.
1450
1451 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1452
1453         [ESNext][BigInt] Support logic operations
1454         https://bugs.webkit.org/show_bug.cgi?id=179903
1455
1456         Reviewed by Yusuke Suzuki.
1457
1458         * stress/big-int-branch-usage.js: Added.
1459         * stress/big-int-logical-and.js: Added.
1460         * stress/big-int-logical-not.js: Added.
1461         * stress/big-int-logical-or.js: Added.
1462
1463 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1464
1465         Unreviewed, rolling out r238833.
1466
1467         Breaks macOS and iOS debug builds.
1468
1469         Reverted changeset:
1470
1471         "[ESNext][BigInt] Support logic operations"
1472         https://bugs.webkit.org/show_bug.cgi?id=179903
1473         https://trac.webkit.org/changeset/238833
1474
1475 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1476
1477         [ESNext][BigInt] Support logic operations
1478         https://bugs.webkit.org/show_bug.cgi?id=179903
1479
1480         Reviewed by Yusuke Suzuki.
1481
1482         * stress/big-int-branch-usage.js: Added.
1483         * stress/big-int-logical-and.js: Added.
1484         * stress/big-int-logical-not.js: Added.
1485         * stress/big-int-logical-or.js: Added.
1486
1487 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1488
1489         [ESNext][BigInt] Implement support for "<<" and ">>"
1490         https://bugs.webkit.org/show_bug.cgi?id=186233
1491
1492         Reviewed by Yusuke Suzuki.
1493
1494         * stress/big-int-left-shift-general.js: Added.
1495         * stress/big-int-left-shift-range-error.js: Added.
1496         * stress/big-int-left-shift-type-error.js: Added.
1497         * stress/big-int-left-shift-wrapped-value.js: Added.
1498         * stress/big-int-right-shift-general.js: Added.
1499         * stress/big-int-right-shift-type-error.js: Added.
1500         * stress/big-int-right-shift-wrapped-value.js: Added.
1501         * stress/left-shift-to-primitive-precedence.js: Added.
1502         * stress/right-shift-to-primitive-precedence.js: Added.
1503
1504 2018-11-30  Dean Jackson  <dino@apple.com>
1505
1506         Add first-class support for .mjs files in jsc binary
1507         https://bugs.webkit.org/show_bug.cgi?id=192190
1508         <rdar://problem/46375715>
1509
1510         Reviewed by Keith Miller.
1511
1512         * stress/simple-module.mjs: Added.
1513         * stress/simple-script.js: Added.
1514
1515 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1516
1517         [BigInt] Implement ValueBitXor into DFG
1518         https://bugs.webkit.org/show_bug.cgi?id=190264
1519
1520         Reviewed by Yusuke Suzuki.
1521
1522         * stress/big-int-bitwise-xor-jit.js: Added.
1523         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1524         * stress/big-int-bitwise-xor-untyped.js: Added.
1525
1526 2018-11-27  Saam barati  <sbarati@apple.com>
1527
1528         r238510 broke scopes of size zero
1529         https://bugs.webkit.org/show_bug.cgi?id=192033
1530         <rdar://problem/46281734>
1531
1532         Reviewed by Keith Miller.
1533
1534         * stress/r238510-bad-loop.js: Added.
1535         (foo):
1536
1537 2018-11-27  Mark Lam  <mark.lam@apple.com>
1538
1539         [Re-landing] NaNs read from Wasm code needs to be be purified.
1540         https://bugs.webkit.org/show_bug.cgi?id=191056
1541         <rdar://problem/45660341>
1542
1543         Reviewed by Filip Pizlo.
1544
1545         * wasm/regress/regress-191056.js: Added.
1546
1547 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1548
1549         Unreviewed, rolling out r238509.
1550
1551         Causes JSC tests to fail on iOS.
1552
1553         Reverted changeset:
1554
1555         "NaNs read from Wasm code needs to be be purified."
1556         https://bugs.webkit.org/show_bug.cgi?id=191056
1557         https://trac.webkit.org/changeset/238509
1558
1559 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1560
1561         Re-introduce op_bitnot
1562         https://bugs.webkit.org/show_bug.cgi?id=190923
1563
1564         Reviewed by Yusuke Suzuki.
1565
1566         * stress/bit-not-must-generate.js: Added.
1567         * stress/bitwise-not-no-int32.js: Added.
1568
1569 2018-11-26  Saam barati  <sbarati@apple.com>
1570
1571         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1572         https://bugs.webkit.org/show_bug.cgi?id=191956
1573         <rdar://problem/45665806>
1574
1575         Reviewed by Yusuke Suzuki.
1576
1577         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1578         (bar):
1579         (foo):
1580
1581 2018-11-26  Saam barati  <sbarati@apple.com>
1582
1583         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
1584         https://bugs.webkit.org/show_bug.cgi?id=191958
1585         <rdar://problem/46221877>
1586
1587         Reviewed by Yusuke Suzuki.
1588
1589         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
1590         (x):
1591         (foo):
1592
1593 2018-11-26  Mark Lam  <mark.lam@apple.com>
1594
1595         NaNs read from Wasm code needs to be be purified.
1596         https://bugs.webkit.org/show_bug.cgi?id=191056
1597         <rdar://problem/45660341>
1598
1599         Reviewed by Filip Pizlo.
1600
1601         * wasm/regress/regress-191056.js: Added.
1602
1603 2018-11-26  Michael Saboff  <msaboff@apple.com>
1604
1605         32-bit JSC test failure: stress/regexp-compile-oom.js
1606         https://bugs.webkit.org/show_bug.cgi?id=191375
1607
1608         Reviewed by Mark Lam.
1609
1610         Disabled the test for 32 bit platforms.
1611
1612         * stress/regexp-compile-oom.js:
1613
1614 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
1615
1616         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
1617         https://bugs.webkit.org/show_bug.cgi?id=191716
1618         <rdar://problem/45723878>
1619
1620         Reviewed by Saam Barati.
1621
1622         * stress/regress-187373.js: Added.
1623         (async.fn):
1624
1625 2018-11-21  Saam barati  <sbarati@apple.com>
1626
1627         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
1628         https://bugs.webkit.org/show_bug.cgi?id=191897
1629         <rdar://problem/45871998>
1630
1631         Reviewed by Mark Lam.
1632
1633         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
1634         (bar):
1635         (foo):
1636
1637 2018-11-21  Saam barati  <sbarati@apple.com>
1638
1639         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
1640         https://bugs.webkit.org/show_bug.cgi?id=191895
1641         <rdar://problem/46167406>
1642
1643         Reviewed by Mark Lam.
1644
1645         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1646         (foo):
1647         (bar):
1648
1649 2018-11-21  Mark Lam  <mark.lam@apple.com>
1650
1651         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1652         https://bugs.webkit.org/show_bug.cgi?id=191776
1653         <rdar://problem/46152851>
1654
1655         Reviewed by Saam Barati.
1656
1657         * stress/big-wasm-memory-grow-no-max.js:
1658         * stress/big-wasm-memory-grow.js:
1659         * stress/big-wasm-memory.js:
1660         - updated these to expect an OutOfMemoryError.
1661
1662         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1663         (Binary.prototype.emit_u8):
1664         (Binary.prototype.emit_u32v):
1665         (Binary.prototype.emit_header):
1666         (Binary.prototype.emit_section):
1667         (Binary):
1668         (WasmModuleBuilder):
1669         (WasmModuleBuilder.prototype.addMemory):
1670         (WasmModuleBuilder.prototype.toArray):
1671         (WasmModuleBuilder.prototype.toBuffer):
1672         (WasmModuleBuilder.prototype.instantiate):
1673         (catch):
1674         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1675         (catch):
1676
1677 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1678
1679         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1680         https://bugs.webkit.org/show_bug.cgi?id=190836
1681
1682         Reviewed by Saam Barati and Yusuke Suzuki.
1683
1684         * stress/big-int-out-of-memory-tests.js: Added.
1685
1686 2018-11-20  Mark Lam  <mark.lam@apple.com>
1687
1688         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1689         https://bugs.webkit.org/show_bug.cgi?id=191856
1690         <rdar://problem/46089992>
1691
1692         Reviewed by Yusuke Suzuki.
1693
1694         * stress/regress-191856.js: Added.
1695         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1696
1697 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1698
1699         Enable JIT on ARM/Linux
1700         https://bugs.webkit.org/show_bug.cgi?id=191548
1701
1702         Reviewed by Yusuke Suzuki.
1703
1704         Disable test on system with limited memory. Program was killed by
1705         the OS before the exception was thrown.
1706
1707         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1708
1709 2018-11-20  Saam barati  <sbarati@apple.com>
1710
1711         Merging an IC variant may lead to the IC status containing overlapping structure sets
1712         https://bugs.webkit.org/show_bug.cgi?id=191869
1713         <rdar://problem/45403453>
1714
1715         Reviewed by Mark Lam.
1716
1717         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1718
1719 2018-11-19  Mark Lam  <mark.lam@apple.com>
1720
1721         globalFuncImportModule() should return a promise when it clears exceptions.
1722         https://bugs.webkit.org/show_bug.cgi?id=191792
1723         <rdar://problem/46090763>
1724
1725         Reviewed by Michael Saboff.
1726
1727         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1728
1729 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1730
1731         Skip new memory-hungry tests on memory limited devices
1732
1733         Unreviewed gardening.
1734
1735         * stress/big-wasm-memory-grow-no-max.js:
1736         * stress/big-wasm-memory-grow.js:
1737         * stress/big-wasm-memory.js:
1738
1739 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1740
1741         Unreviewed, rolling in the rest of r237254
1742         https://bugs.webkit.org/show_bug.cgi?id=190340
1743
1744         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1745         * stress/function-cache-with-parameters-end-position.js: Added.
1746         (shouldBe):
1747         (shouldThrow):
1748         (i.anonymous):
1749         * stress/function-constructor-name.js: Added.
1750         (shouldBe):
1751         (GeneratorFunction):
1752         (AsyncFunction.async):
1753         (AsyncGeneratorFunction.async):
1754         (anonymous):
1755         (async.anonymous):
1756         * test262/expectations.yaml:
1757
1758 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1759
1760         All users of ArrayBuffer should agree on the same max size
1761         https://bugs.webkit.org/show_bug.cgi?id=191771
1762
1763         Reviewed by Mark Lam.
1764
1765         * stress/big-wasm-memory-grow-no-max.js: Added.
1766         (foo):
1767         (catch):
1768         * stress/big-wasm-memory-grow.js: Added.
1769         (foo):
1770         (catch):
1771         * stress/big-wasm-memory.js: Added.
1772         (foo):
1773         (catch):
1774
1775 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1776
1777         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
1778         run for each JSC config since they're regression tests for runtime bugs.
1779
1780         * stress/json-stringified-overflow-2.js:
1781         * stress/json-stringified-overflow.js:
1782
1783 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1784
1785         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
1786         config since they're regression tests for runtime bugs.
1787
1788         * stress/large-unshift-splice.js:
1789         * stress/regress-185888.js:
1790
1791 2018-11-16  Saam Barati  <sbarati@apple.com>
1792
1793         KnownCellUse should also have SpecCellCheck as its type filter
1794         https://bugs.webkit.org/show_bug.cgi?id=191729
1795         <rdar://problem/45872852>
1796
1797         Reviewed by Filip Pizlo.
1798
1799         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1800         (C):
1801
1802 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1803
1804         Fix assertion failure on BytecodeGenerator::recordOpcode
1805         https://bugs.webkit.org/show_bug.cgi?id=191724
1806         <rdar://problem/45724395>
1807
1808         Reviewed by Saam Barati.
1809
1810         * stress/regress-187373-2.js: Added.
1811         (foo):
1812
1813 2018-11-15  Mark Lam  <mark.lam@apple.com>
1814
1815         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1816         https://bugs.webkit.org/show_bug.cgi?id=191730
1817         <rdar://problem/46048517>
1818
1819         Reviewed by Saam Barati.
1820
1821         * stress/regress-187006.js: Removed.
1822           - this test is invalid because its sole purpose is to test for the non-spec
1823             compliant behavior that we just fixed.
1824
1825         * stress/regress-191730.js: Added.
1826
1827 2018-11-15  Mark Lam  <mark.lam@apple.com>
1828
1829         RegExp operations should not take fast patch if lastIndex is not numeric.
1830         https://bugs.webkit.org/show_bug.cgi?id=191731
1831         <rdar://problem/46017305>
1832
1833         Reviewed by Saam Barati.
1834
1835         * stress/regress-191731.js: Added.
1836
1837 2018-11-13  Saam Barati  <sbarati@apple.com>
1838
1839         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1840         https://bugs.webkit.org/show_bug.cgi?id=191600
1841
1842         Reviewed by Mark Lam.
1843
1844         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1845         (foo):
1846         (test):
1847         (bar):
1848
1849 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1850
1851         Unreviewed, rolling out r238132.
1852
1853         The test added with this change is timing out on Debug JSC
1854         bots.
1855
1856         Reverted changeset:
1857
1858         "[BigInt] JSBigInt::createWithLength should throw when length
1859         is greater than JSBigInt::maxLength"
1860         https://bugs.webkit.org/show_bug.cgi?id=190836
1861         https://trac.webkit.org/changeset/238132
1862
1863 2018-11-13  Mark Lam  <mark.lam@apple.com>
1864
1865         Add OOM detection to StringPrototype's substituteBackreferences().
1866         https://bugs.webkit.org/show_bug.cgi?id=191563
1867         <rdar://problem/45720428>
1868
1869         Reviewed by Saam Barati.
1870
1871         * stress/regress-191563.js: Added.
1872
1873 2018-11-13  Mark Lam  <mark.lam@apple.com>
1874
1875         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1876         https://bugs.webkit.org/show_bug.cgi?id=191579
1877         <rdar://problem/45942472>
1878
1879         Reviewed by Saam Barati.
1880
1881         * stress/regress-191579.js: Added.
1882
1883 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1884
1885         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1886         https://bugs.webkit.org/show_bug.cgi?id=190836
1887
1888         Reviewed by Saam Barati.
1889
1890         * stress/big-int-out-of-memory-tests.js: Added.
1891
1892 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1893
1894         U+180E is no longer a whitespace character
1895         https://bugs.webkit.org/show_bug.cgi?id=191415
1896
1897         Reviewed by Saam Barati.
1898
1899         * ChakraCore/test/es5/regexSpace.baseline:
1900         * ChakraCore/test/es6/unicode_whitespace.js:
1901         Update tests to latest version.
1902         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1903
1904         * test262.yaml:
1905         * test262/config.yaml:
1906         * test262/expectations.yaml:
1907         Update expectations.
1908
1909 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1910
1911         [BigInt] Add support to BigInt into ValueAdd
1912         https://bugs.webkit.org/show_bug.cgi?id=186177
1913
1914         Reviewed by Keith Miller.
1915
1916         * stress/big-int-negate-jit.js:
1917         * stress/value-add-big-int-and-string.js: Added.
1918         * stress/value-add-big-int-prediction-propagation.js: Added.
1919         * stress/value-add-big-int-untyped.js: Added.
1920
1921 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1922
1923         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1924         https://bugs.webkit.org/show_bug.cgi?id=191184
1925
1926         Reviewed by Saam Barati.
1927
1928         Most tests were failing due to timeouts, since they are too slow to
1929         run on CLoop. The exceptions are:
1930
1931         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1932         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1933         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1934         to change the stack size since CLoop requires it to be page aligned.
1935
1936         * microbenchmarks/array-push-1.js:
1937         * microbenchmarks/array-push-2.js:
1938         * microbenchmarks/elidable-new-object-dag.js:
1939         * microbenchmarks/elidable-new-object-roflcopter.js:
1940         * microbenchmarks/elidable-new-object-tree.js:
1941         * microbenchmarks/getter-richards.js:
1942         * microbenchmarks/sinkable-new-object-dag.js:
1943         * microbenchmarks/string-concat-long-convert.js:
1944         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1945         * slowMicrobenchmarks/array-push-3.js:
1946         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1947         * slowMicrobenchmarks/spread-small-array.js:
1948         * slowMicrobenchmarks/undefined-property-access.js:
1949         * stress/activation-sink-default-value-tdz-error.js:
1950         * stress/activation-sink-default-value.js:
1951         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1952         * stress/activation-sink-osrexit-default-value.js:
1953         * stress/activation-sink-osrexit.js:
1954         * stress/activation-sink.js:
1955         * stress/allow-math-ic-b3-code-duplication.js:
1956         * stress/array-push-multiple-int32.js:
1957         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1958         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1959         * stress/arrowfunction-lexical-this-activation-sink.js:
1960         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1961         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1962         * stress/elide-new-object-dag-then-exit.js:
1963         * stress/materialize-regexp-cyclic.js:
1964         * stress/new-regex-inline.js:
1965         * stress/op_add.js:
1966         * stress/op_bitand.js:
1967         * stress/op_bitor.js:
1968         * stress/op_bitxor.js:
1969         * stress/op_div-ConstVar.js:
1970         * stress/op_div-VarConst.js:
1971         * stress/op_div-VarVar.js:
1972         * stress/op_lshift-ConstVar.js:
1973         * stress/op_lshift-VarConst.js:
1974         * stress/op_lshift-VarVar.js:
1975         * stress/op_mod-ConstVar.js:
1976         * stress/op_mod-VarConst.js:
1977         * stress/op_mod-VarVar.js:
1978         * stress/op_mul-ConstVar.js:
1979         * stress/op_mul-VarConst.js:
1980         * stress/op_mul-VarVar.js:
1981         * stress/op_rshift-ConstVar.js:
1982         * stress/op_rshift-VarConst.js:
1983         * stress/op_rshift-VarVar.js:
1984         * stress/op_sub-ConstVar.js:
1985         * stress/op_sub-VarConst.js:
1986         * stress/op_sub-VarVar.js:
1987         * stress/op_urshift-ConstVar.js:
1988         * stress/op_urshift-VarConst.js:
1989         * stress/op_urshift-VarVar.js:
1990         * stress/proxy-get-set-correct-receiver.js:
1991         * stress/regress-179562.js:
1992         * stress/rest-parameter-many-arguments.js:
1993         * stress/sampling-profiler-richards.js:
1994         * stress/splay-flash-access-1ms.js:
1995         * stress/tailCallForwardArguments.js:
1996         * stress/typed-array-get-by-val-profiling.js:
1997         * typeProfiler/getter-richards.js:
1998
1999 2018-11-06  Michael Saboff  <msaboff@apple.com>
2000
2001         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2002         https://bugs.webkit.org/show_bug.cgi?id=191271
2003
2004         Reviewed by Saam Barati.
2005
2006         Added more test cases and made all test cases run with the same deeply recursive stack
2007         instead of finding that same point for each test case.
2008
2009         * stress/regexp-compile-oom.js:
2010         (prototype.runTest):
2011         (recurseAndTest):
2012         (testList.push.new.TestAndExpectedException):
2013
2014 2018-11-05  Michael Saboff  <msaboff@apple.com>
2015
2016         Unreviewed build fix for linux.
2017
2018         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2019
2020 2018-11-02  Michael Saboff  <msaboff@apple.com>
2021
2022         Rolling in r237753 with unreviewed build fix.
2023
2024         Fixed issues with DECLARE_THROW_SCOPE placement.
2025
2026 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2027
2028         Unreviewed, rolling out r237753.
2029
2030         Introduced JSC test failures
2031
2032         Reverted changeset:
2033
2034         "Running out of stack space not properly handled in
2035         RegExp::compile() and its callers"
2036         https://bugs.webkit.org/show_bug.cgi?id=191206
2037         https://trac.webkit.org/changeset/237753
2038
2039 2018-11-02  Michael Saboff  <msaboff@apple.com>
2040
2041         Running out of stack space not properly handled in RegExp::compile() and its callers
2042         https://bugs.webkit.org/show_bug.cgi?id=191206
2043
2044         Reviewed by Filip Pizlo.
2045
2046         New regression test.
2047
2048         * stress/regexp-compile-oom.js: Added.
2049         (recurseAndTest):
2050
2051 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2052
2053         Skip tests on arm/mips that time out now we're running on CLoop
2054
2055         Unreviewed gardening.
2056
2057         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2058         time out on the bots and need to be disabled. There's more tests
2059         disabled on arm because the timeout is longer on the mips bot (as the
2060         device is slower to start with), so many of the tests don't time out
2061         there.
2062
2063         * microbenchmarks/getter-richards.js: disable on arm and mips.
2064         * stress/op_add.js: disable on arm.
2065         * stress/op_bitand.js: disable on arm.
2066         * stress/op_bitor.js: disable on arm.
2067         * stress/op_bitxor.js: disable on arm.
2068         * stress/op_lshift-ConstVar.js: disable on arm.
2069         * stress/op_lshift-VarConst.js: disable on arm.
2070         * stress/op_lshift-VarVar.js: disable on arm.
2071         * stress/op_mod-ConstVar.js: disable on arm.
2072         * stress/op_mod-VarConst.js: disable on arm.
2073         * stress/op_mod-VarVar.js: disable on arm.
2074         * stress/op_mul-ConstVar.js: disable on arm.
2075         * stress/op_mul-VarConst.js: disable on arm.
2076         * stress/op_mul-VarVar.js: disable on arm.
2077         * stress/op_rshift-ConstVar.js: disable on arm.
2078         * stress/op_rshift-VarConst.js: disable on arm.
2079         * stress/op_rshift-VarVar.js: disable on arm.
2080         * stress/op_sub-ConstVar.js: disable on arm.
2081         * stress/op_sub-VarConst.js: disable on arm.
2082         * stress/op_sub-VarVar.js: disable on arm.
2083         * stress/op_urshift-ConstVar.js: disable on arm.
2084         * stress/op_urshift-VarConst.js: disable on arm.
2085         * stress/op_urshift-VarVar.js: disable on arm.
2086         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2087         * stress/value-to-boolean.js: disable on arm and mips.
2088
2089 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2090
2091         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2092         https://bugs.webkit.org/show_bug.cgi?id=191108
2093         <rdar://problem/45690700>
2094
2095         Reviewed by Saam Barati.
2096
2097         * stress/wide-op_catch.js: Added.
2098         (catch):
2099
2100 2018-10-29  Mark Lam  <mark.lam@apple.com>
2101
2102         Correctly detect string overflow when using the 'Function' constructor.
2103         https://bugs.webkit.org/show_bug.cgi?id=184883
2104         <rdar://problem/36320331>
2105
2106         Reviewed by Saam Barati.
2107
2108         I've verified that this passes on 32-bit as well.
2109
2110         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2111
2112 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2113
2114         Add support for GetStack FlushedDouble
2115         https://bugs.webkit.org/show_bug.cgi?id=191012
2116         <rdar://problem/45265141>
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/get-stack-double.js: Added.
2121         (bar):
2122         (noInline):
2123
2124 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2125
2126         New bytecode format for JSC
2127         https://bugs.webkit.org/show_bug.cgi?id=187373
2128         <rdar://problem/44186758>
2129
2130         Reviewed by Filip Pizlo.
2131
2132         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2133
2134         * stress/maximum-inline-capacity.js: Added.
2135         (test1):
2136         (test3.Foo):
2137         (test3):
2138
2139 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2140
2141         Unreviewed, rolling out r237479 and r237484.
2142         https://bugs.webkit.org/show_bug.cgi?id=190978
2143
2144         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2145
2146         Reverted changesets:
2147
2148         "New bytecode format for JSC"
2149         https://bugs.webkit.org/show_bug.cgi?id=187373
2150         https://trac.webkit.org/changeset/237479
2151
2152         "Gardening: Build fix after r237479."
2153         https://bugs.webkit.org/show_bug.cgi?id=187373
2154         https://trac.webkit.org/changeset/237484
2155
2156 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2157
2158         New bytecode format for JSC
2159         https://bugs.webkit.org/show_bug.cgi?id=187373
2160         <rdar://problem/44186758>
2161
2162         Reviewed by Filip Pizlo.
2163
2164         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2165
2166         * stress/maximum-inline-capacity.js: Added.
2167         (test1):
2168         (test3.Foo):
2169         (test3):
2170
2171 2018-10-26  Mark Lam  <mark.lam@apple.com>
2172
2173         Fix missing edge cases with JSGlobalObjects having a bad time.
2174         https://bugs.webkit.org/show_bug.cgi?id=189028
2175         <rdar://problem/45204939>
2176
2177         Reviewed by Saam Barati.
2178
2179         * stress/regress-189028.js: Added.
2180
2181 2018-10-22  Mark Lam  <mark.lam@apple.com>
2182
2183         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2184         https://bugs.webkit.org/show_bug.cgi?id=190515
2185         <rdar://problem/45222379>
2186
2187         Rubber-stamped by Saam Barati.
2188
2189         Adding another test.
2190
2191         * stress/regress-190515-2.js: Added.
2192
2193 2018-10-22  Mark Lam  <mark.lam@apple.com>
2194
2195         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2196         https://bugs.webkit.org/show_bug.cgi?id=190515
2197         <rdar://problem/45222379>
2198
2199         Reviewed by Saam Barati.
2200
2201         * stress/regress-190515.js: Added.
2202
2203 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2204
2205         Unreviewed, rolling out r237254.
2206         https://bugs.webkit.org/show_bug.cgi?id=190760
2207
2208         "It regresses JetStream 2 by 5% on some iOS devices"
2209         (Requested by saamyjoon on #webkit).
2210
2211         Reverted changeset:
2212
2213         "[JSC] JSC should have "parseFunction" to optimize Function
2214         constructor"
2215         https://bugs.webkit.org/show_bug.cgi?id=190340
2216         https://trac.webkit.org/changeset/237254
2217
2218 2018-10-19  Saam Barati  <sbarati@apple.com>
2219
2220         vmCall should check if we exit before emitting an OSR exit due to exceptions
2221         https://bugs.webkit.org/show_bug.cgi?id=190740
2222         <rdar://problem/45220139>
2223
2224         Reviewed by Mark Lam.
2225
2226         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2227         (foo):
2228
2229 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2230
2231         [ESNext][BigInt] Implement support for "^"
2232         https://bugs.webkit.org/show_bug.cgi?id=186235
2233
2234         Reviewed by Yusuke Suzuki.
2235
2236         * stress/big-int-bitwise-xor-general.js: Added.
2237         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2238         * stress/big-int-bitwise-xor-type-error.js: Added.
2239         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2240
2241 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2242
2243         [BigInt] Add ValueSub into DFG
2244         https://bugs.webkit.org/show_bug.cgi?id=186176
2245
2246         Reviewed by Yusuke Suzuki.
2247
2248         * stress/big-int-subtraction-jit.js:
2249         * stress/value-sub-big-int-prediction-propagation.js: Added.
2250         * stress/value-sub-big-int-untyped.js: Added.
2251         * stress/value-sub-spec-none-case.js: Added.
2252
2253 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2254
2255         [JSC] JSC should have "parseFunction" to optimize Function constructor
2256         https://bugs.webkit.org/show_bug.cgi?id=190340
2257
2258         Reviewed by Mark Lam.
2259
2260         This patch fixes the line number of syntax errors raised by the Function constructor,
2261         since we now parse the final code only once. And we no longer use block statement
2262         for Function constructor's parsing.
2263
2264         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2265         * stress/function-cache-with-parameters-end-position.js: Added.
2266         (shouldBe):
2267         (shouldThrow):
2268         (i.anonymous):
2269         * stress/function-constructor-name.js: Added.
2270         (shouldBe):
2271         (GeneratorFunction):
2272         (AsyncFunction.async):
2273         (AsyncGeneratorFunction.async):
2274         (anonymous):
2275         (async.anonymous):
2276         * test262/expectations.yaml:
2277
2278 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2279
2280         Unreviewed, rolling out r237242.
2281         https://bugs.webkit.org/show_bug.cgi?id=190701
2282
2283         it breaks "stress/sampling-profiler-basic.js" (Requested by
2284         caiolima on #webkit).
2285
2286         Reverted changeset:
2287
2288         "[BigInt] Add ValueSub into DFG"
2289         https://bugs.webkit.org/show_bug.cgi?id=186176
2290         https://trac.webkit.org/changeset/237242
2291
2292 2018-10-17  Keith Miller  <keith_miller@apple.com>
2293
2294         AI does not clear Phantom allocation nodes.
2295         https://bugs.webkit.org/show_bug.cgi?id=190694
2296
2297         Reviewed by Saam Barati.
2298
2299         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2300         (Day):
2301         (DaysInYear):
2302         (TimeInYear):
2303         (TimeFromYear):
2304         (DayFromYear):
2305         (InLeapYear):
2306         (YearFromTime):
2307         (WeekDay):
2308         (DaylightSavingTA):
2309         (GetSecondSundayInMarch):
2310         (TimeInMonth):
2311
2312 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2313
2314         [BigInt] Add ValueSub into DFG
2315         https://bugs.webkit.org/show_bug.cgi?id=186176
2316
2317         Reviewed by Yusuke Suzuki.
2318
2319         * stress/big-int-subtraction-jit.js:
2320         * stress/value-sub-big-int-prediction-propagation.js: Added.
2321         * stress/value-sub-big-int-untyped.js: Added.
2322
2323 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2324
2325         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2326         https://bugs.webkit.org/show_bug.cgi?id=190611
2327
2328         Reviewed by Saam Barati.
2329
2330         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2331         to improve test runtime. On ARM/MIPS this test even timed out when running all
2332         tests.
2333
2334         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2335         (test):
2336
2337 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2338
2339         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2340
2341         Unreviewed gardening.
2342
2343         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2344
2345 2018-10-15  Saam barati  <sbarati@apple.com>
2346
2347         Emit fjcvtzs on ARM64E on Darwin
2348         https://bugs.webkit.org/show_bug.cgi?id=184023
2349
2350         Reviewed by Yusuke Suzuki and Filip Pizlo.
2351
2352         * stress/double-to-int32-NaN.js: Added.
2353         (assert):
2354         (foo):
2355
2356 2018-10-15  Saam Barati  <sbarati@apple.com>
2357
2358         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2359         https://bugs.webkit.org/show_bug.cgi?id=190262
2360         <rdar://problem/44986241>
2361
2362         Reviewed by Mark Lam.
2363
2364         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2365         (test):
2366         * stress/slice-array-storage-with-holes.js: Added.
2367         (main):
2368
2369 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2370
2371         Unreviewed, rolling out r237054.
2372         https://bugs.webkit.org/show_bug.cgi?id=190593
2373
2374         "this regressed JetStream 2 by 6% on iOS" (Requested by
2375         saamyjoon on #webkit).
2376
2377         Reverted changeset:
2378
2379         "[JSC] JSC should have "parseFunction" to optimize Function
2380         constructor"
2381         https://bugs.webkit.org/show_bug.cgi?id=190340
2382         https://trac.webkit.org/changeset/237054
2383
2384 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2385
2386         [JSC] JSON.stringify can accept call-with-no-arguments
2387         https://bugs.webkit.org/show_bug.cgi?id=190343
2388
2389         Reviewed by Mark Lam.
2390
2391         * stress/json-stringify-no-arguments.js: Added.
2392         (shouldBe):
2393
2394 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2395
2396         [JSC] JSC should have "parseFunction" to optimize Function constructor
2397         https://bugs.webkit.org/show_bug.cgi?id=190340
2398
2399         Reviewed by Mark Lam.
2400
2401         This patch fixes the line number of syntax errors raised by the Function constructor,
2402         since we now parse the final code only once. And we no longer use block statement
2403         for Function constructor's parsing.
2404
2405         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2406         * stress/function-cache-with-parameters-end-position.js: Added.
2407         (shouldBe):
2408         (shouldThrow):
2409         (i.anonymous):
2410         * stress/function-constructor-name.js: Added.
2411         (shouldBe):
2412         (GeneratorFunction):
2413         (AsyncFunction.async):
2414         (AsyncGeneratorFunction.async):
2415         (anonymous):
2416         (async.anonymous):
2417         * test262/expectations.yaml:
2418
2419 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2420
2421         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2422         https://bugs.webkit.org/show_bug.cgi?id=190426
2423
2424         Unreviewed gardening.
2425
2426         * stress/sampling-profiler-richards.js:
2427
2428 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2429
2430         [ESNext][BigInt] Implement support for "|"
2431         https://bugs.webkit.org/show_bug.cgi?id=186229
2432
2433         Reviewed by Yusuke Suzuki.
2434
2435         * stress/big-int-bitwise-and-jit.js:
2436         * stress/big-int-bitwise-or-general.js: Added.
2437         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2438         * stress/big-int-bitwise-or-jit.js: Added.
2439         * stress/big-int-bitwise-or-memory-stress.js: Added.
2440         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2441         * stress/big-int-bitwise-or-type-error.js: Added.
2442         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2443
2444 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2445
2446         Skip test on systems with limited memory
2447         https://bugs.webkit.org/show_bug.cgi?id=190310
2448
2449         Invoking runDefault adds test to runlist, skipping the test in the next
2450         line does not prevent the test from executing. Change order of lines such
2451         that runDefault is only executed if test is not executed.
2452
2453         Reviewed by Mark Lam.
2454
2455         * stress/regress-190187.js:
2456
2457 2018-10-03  Saam barati  <sbarati@apple.com>
2458
2459         lowXYZ in FTLLower should always filter the type of the incoming edge
2460         https://bugs.webkit.org/show_bug.cgi?id=189939
2461         <rdar://problem/44407030>
2462
2463         Reviewed by Michael Saboff.
2464
2465         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2466         (foo):
2467         (test):
2468
2469 2018-10-03  Mark Lam  <mark.lam@apple.com>
2470
2471         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2472         https://bugs.webkit.org/show_bug.cgi?id=190187
2473         <rdar://problem/42512909>
2474
2475         Reviewed by Michael Saboff.
2476
2477         * stress/regress-190187.js: Added.
2478
2479 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2480
2481         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2482         https://bugs.webkit.org/show_bug.cgi?id=190033
2483
2484         Reviewed by Yusuke Suzuki.
2485
2486         * stress/big-int-to-string.js:
2487
2488 2018-10-01  Mark Lam  <mark.lam@apple.com>
2489
2490         Function.toString() should also copy the source code Functions that are class definitions.
2491         https://bugs.webkit.org/show_bug.cgi?id=190186
2492         <rdar://problem/44733360>
2493
2494         Reviewed by Saam Barati.
2495
2496         * stress/regress-190186.js: Added.
2497
2498 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2499
2500         Split NaN-check into separate test
2501         https://bugs.webkit.org/show_bug.cgi?id=190010
2502
2503         Reviewed by Saam Barati.
2504
2505         DataView exposes NaN-representation, which is not necessarily the same on each
2506         architecture. Therefore move the check of the NaN-representation into its own
2507         file such that we can disable this test on MIPS where NaN-representation can be
2508         different on older CPUs.
2509
2510         * stress/dataview-jit-set-nan.js: Added.
2511         (assert):
2512         (test.storeLittleEndian):
2513         (test.storeBigEndian):
2514         (test.store):
2515         (test):
2516         * stress/dataview-jit-set.js:
2517         (test5):
2518
2519 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2520
2521         Unreviewed, rolling out r236647.
2522         https://bugs.webkit.org/show_bug.cgi?id=190124
2523
2524         Breaking test stress/big-int-to-string.js (Requested by
2525         caiolima_ on #webkit).
2526
2527         Reverted changeset:
2528
2529         "[BigInt] BigInt.proptotype.toString is broken when radix is
2530         power of 2"
2531         https://bugs.webkit.org/show_bug.cgi?id=190033
2532         https://trac.webkit.org/changeset/236647
2533
2534 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2535
2536         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2537         https://bugs.webkit.org/show_bug.cgi?id=190033
2538
2539         Reviewed by Yusuke Suzuki.
2540
2541         * stress/big-int-to-string.js:
2542
2543 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2544
2545         [ESNext][BigInt] Implement support for "&"
2546         https://bugs.webkit.org/show_bug.cgi?id=186228
2547
2548         Reviewed by Yusuke Suzuki.
2549
2550         * stress/big-int-bitwise-and-general.js: Added.
2551         (assert):
2552         (assert.sameValue):
2553         * stress/big-int-bitwise-and-jit.js: Added.
2554         (let.assert.sameValue):
2555         (bigIntBitAnd):
2556         * stress/big-int-bitwise-and-memory-stress.js: Added.
2557         (assert):
2558         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2559         (assert.sameValue):
2560         (let.o.Symbol.toPrimitive):
2561         (catch):
2562         * stress/big-int-bitwise-and-type-error.js: Added.
2563         (assert):
2564         (assertThrowTypeError):
2565         (let.o.valueOf):
2566         (o.valueOf):
2567         (o.toString):
2568         (o.Symbol.toPrimitive):
2569         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2570         (assert.sameValue):
2571         (testBitAnd):
2572         (let.o.Symbol.toPrimitive):
2573         (o.valueOf):
2574         (o.toString):
2575
2576 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2577
2578         JSC test stress/jsc-read.js doesn't support CRLF
2579         https://bugs.webkit.org/show_bug.cgi?id=190063
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
2584
2585         * stress/jsc-read.js:
2586         (test):
2587
2588 2018-09-27  Saam barati  <sbarati@apple.com>
2589
2590         Verify the contents of AssemblerBuffer on arm64e
2591         https://bugs.webkit.org/show_bug.cgi?id=190057
2592         <rdar://problem/38916630>
2593
2594         Reviewed by Mark Lam.
2595
2596         * stress/regress-189132.js:
2597
2598 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
2599
2600         Disable test without LLInt on ARMv7
2601         https://bugs.webkit.org/show_bug.cgi?id=190037
2602
2603         Reviewed by Mark Lam.
2604
2605         Test runs out of executable memory on ARMv7, do not run
2606         this test without LLInt enabled.
2607
2608         * stress/regress-169445.js:
2609
2610 2018-09-26  Keith Miller  <keith_miller@apple.com>
2611
2612         We should zero unused property storage when rebalancing array storage.
2613         https://bugs.webkit.org/show_bug.cgi?id=188151
2614
2615         Reviewed by Michael Saboff.
2616
2617         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2618
2619 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2620
2621         [JSC] Optimize Array#lastIndexOf
2622         https://bugs.webkit.org/show_bug.cgi?id=189780
2623
2624         Reviewed by Saam Barati.
2625
2626         * stress/array-lastindexof-array-prototype-trap.js: Added.
2627         (shouldBe):
2628         (AncestorArray.prototype.get 2):
2629         (AncestorArray):
2630         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
2631         (shouldBe):
2632         * stress/array-lastindexof-hole-nan.js: Added.
2633         (shouldBe):
2634         (throw.new.Error):
2635         * stress/array-lastindexof-infinity.js: Added.
2636         (shouldBe):
2637         (throw.new.Error):
2638         * stress/array-lastindexof-negative-zero.js: Added.
2639         (shouldBe):
2640         (throw.new.Error):
2641         * stress/array-lastindexof-own-getter.js: Added.
2642         (shouldBe):
2643         (throw.new.Error.get array):
2644         (get array):
2645         * stress/array-lastindexof-prototype-trap.js: Added.
2646         (shouldBe):
2647         (DerivedArray.prototype.get 2):
2648         (DerivedArray):
2649
2650 2018-09-25  Saam Barati  <sbarati@apple.com>
2651
2652         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2653         https://bugs.webkit.org/show_bug.cgi?id=189940
2654         <rdar://problem/43640987>
2655
2656         Reviewed by Mark Lam.
2657
2658         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2659
2660 2018-09-24  Saam Barati  <sbarati@apple.com>
2661
2662         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2663         https://bugs.webkit.org/show_bug.cgi?id=189922
2664         <rdar://problem/44651275>
2665
2666         Reviewed by Mark Lam.
2667
2668         * stress/array-indexof-fast-path-effects.js: Added.
2669         * stress/array-indexof-cached-length.js: Added.
2670
2671 2018-09-24  Saam barati  <sbarati@apple.com>
2672
2673         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2674         https://bugs.webkit.org/show_bug.cgi?id=189682
2675         <rdar://problem/43557315>
2676
2677         Reviewed by Mark Lam.
2678
2679         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2680         (foo):
2681
2682 2018-09-22  Saam barati  <sbarati@apple.com>
2683
2684         The sampling should not use Strong<CodeBlock> in its machineLocation field
2685         https://bugs.webkit.org/show_bug.cgi?id=189319
2686
2687         Reviewed by Filip Pizlo.
2688
2689         * stress/sampling-profiler-richards.js: Added.
2690
2691 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2692
2693         [JSC] Optimize Array#indexOf in C++ runtime
2694         https://bugs.webkit.org/show_bug.cgi?id=189507
2695
2696         Reviewed by Saam Barati.
2697
2698         * stress/array-indexof-array-prototype-trap.js: Added.
2699         (shouldBe):
2700         (AncestorArray.prototype.get 2):
2701         (AncestorArray):
2702         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2703         (shouldBe):
2704         * stress/array-indexof-hole-nan.js: Added.
2705         (shouldBe):
2706         (throw.new.Error):
2707         * stress/array-indexof-infinity.js: Added.
2708         (shouldBe):
2709         (throw.new.Error):
2710         * stress/array-indexof-negative-zero.js: Added.
2711         (shouldBe):
2712         (throw.new.Error):
2713         * stress/array-indexof-own-getter.js: Added.
2714         (shouldBe):
2715         (throw.new.Error.get array):
2716         (get array):
2717         * stress/array-indexof-prototype-trap.js: Added.
2718         (shouldBe):
2719         (DerivedArray.prototype.get 2):
2720         (DerivedArray):
2721
2722 2018-09-19  Saam barati  <sbarati@apple.com>
2723
2724         AI rule for MultiPutByOffset executes its effects in the wrong order
2725         https://bugs.webkit.org/show_bug.cgi?id=189757
2726         <rdar://problem/43535257>
2727
2728         Reviewed by Michael Saboff.
2729
2730         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2731         (foo):
2732         (Foo):
2733         (g):
2734
2735 2018-09-17  Mark Lam  <mark.lam@apple.com>
2736
2737         Ensure that ForInContexts are invalidated if their loop local is over-written.
2738         https://bugs.webkit.org/show_bug.cgi?id=189571
2739         <rdar://problem/44402277>
2740
2741         Reviewed by Saam Barati.
2742
2743         * stress/regress-189571.js: Added.
2744
2745 2018-09-17  Saam barati  <sbarati@apple.com>
2746
2747         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2748         https://bugs.webkit.org/show_bug.cgi?id=189676
2749         <rdar://problem/39682897>
2750
2751         Reviewed by Michael Saboff.
2752
2753         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2754         (A):
2755         (K):
2756         (i.catch):
2757
2758 2018-09-14  Saam barati  <sbarati@apple.com>
2759
2760         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2761         https://bugs.webkit.org/show_bug.cgi?id=189628
2762         <rdar://problem/39481690>
2763
2764         Reviewed by Mark Lam.
2765
2766         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2767         (foo):
2768
2769 2018-09-11  Mark Lam  <mark.lam@apple.com>
2770
2771         Test for array initialization in arrayProtoFuncSplice.
2772         https://bugs.webkit.org/show_bug.cgi?id=170253
2773         <rdar://problem/31328773>
2774
2775         Rubber-stamped by Saam Barati.
2776
2777         * stress/regress-170253.js: Added.
2778
2779 2018-09-11  Mark Lam  <mark.lam@apple.com>
2780
2781         Test for IntlObject initialization.
2782         https://bugs.webkit.org/show_bug.cgi?id=170251
2783         <rdar://problem/31328419>
2784
2785         Rubber-stamped by Saam Barati.
2786
2787         * stress/regress-170251.js: Added.
2788
2789 2018-09-11  Mark Lam  <mark.lam@apple.com>
2790
2791         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2792         https://bugs.webkit.org/show_bug.cgi?id=169889
2793         <rdar://problem/31155607>
2794
2795         Reviewed by Saam Barati.
2796
2797         * stress/regress-169889-array-concat.js: Added.
2798         * stress/regress-169889-array-concat1.js: Added.
2799         * stress/regress-169889-array-slice.js: Added.
2800
2801 2018-09-11  Mark Lam  <mark.lam@apple.com>
2802
2803         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2804         https://bugs.webkit.org/show_bug.cgi?id=169445
2805         <rdar://problem/30957435>
2806
2807         Reviewed by Saam Barati.
2808
2809         * stress/regress-169445.js: Added.
2810         (let.gun.eval.A):
2811         (let.gun.eval.B.C):
2812         (let.gun.eval.B.C.prototype.trigger):
2813         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2814         (let.gun.eval.B):
2815         (let.gun.eval):
2816
2817 == Rolled over to ChangeLog-2018-09-11 ==