[JSC] ToThis omission in DFGByteCodeParser is wrong
[WebKit-https.git] / JSTests / ChangeLog
1 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [JSC] ToThis omission in DFGByteCodeParser is wrong
4         https://bugs.webkit.org/show_bug.cgi?id=193513
5         <rdar://problem/45842236>
6
7         Reviewed by Saam Barati.
8
9         * stress/to-this-omission-with-different-strict-modes.js: Added.
10         (thisA):
11         (thisAStrictWrapper):
12
13 2019-01-15  Mark Lam  <mark.lam@apple.com>
14
15         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
16         https://bugs.webkit.org/show_bug.cgi?id=193423
17         <rdar://problem/46209355>
18
19         Reviewed by Saam Barati.
20
21         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
22         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
23         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
24         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
25
26 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
27
28         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
29         https://bugs.webkit.org/show_bug.cgi?id=193438
30         <rdar://problem/45581249>
31
32         Reviewed by Saam Barati and Keith Miller.
33
34         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
35         Then, GetByVal(String) crashed.
36
37         * stress/string-get-by-val-lowering.js: Added.
38         (shouldBe):
39         (test):
40         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
41         (Hello):
42         (foo):
43
44 2019-01-15  Tomas Popela  <tpopela@redhat.com>
45
46         Unreviewed, skip JIT tests if it's not enabled
47
48         * stress/bit-op-with-object-returning-int32.js:
49
50 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
51
52         DFGByteCodeParser rules for bitwise operations should consider type of their operands
53         https://bugs.webkit.org/show_bug.cgi?id=192966
54
55         Reviewed by Yusuke Suzuki.
56
57         * stress/bit-op-with-object-returning-int32.js: Added.
58
59 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
60
61         Skip a slow test and a flakey test on arm
62
63         Unreviewed gardening.
64
65         * typeProfiler/getter-richards.js:
66         This test always times out; it used to be always skipped on arm and
67         mips, but got accidentally enabled by r237919 now that we have DFG on
68         arm. Also skipping on mips as we plan to soon enable DFG for it too.
69
70 2019-01-14  Keith Miller  <keith_miller@apple.com>
71
72         Skip type-check-hoisting-phase-hoist... with no jit
73         https://bugs.webkit.org/show_bug.cgi?id=193421
74
75         Reviewed by Mark Lam.
76
77         It's timing out the 32-bit bots and takes 330 seconds
78         on my machine when run by itself.
79
80         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
81
82 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
83
84         [JSC] AI should check the given constant's array type when folding GetByVal into constant
85         https://bugs.webkit.org/show_bug.cgi?id=193413
86         <rdar://problem/46092389>
87
88         Reviewed by Keith Miller.
89
90         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
91         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
92         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
93         but GetByVal does not have appropriate ArrayModes, JSC crashes.
94
95         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
96         (compareArray):
97
98 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
99
100         [BigInt] Literal parsing is crashing when used inside a Object Literal
101         https://bugs.webkit.org/show_bug.cgi?id=193404
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/big-int-literal-inside-literal-object.js: Added.
106
107 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
108
109         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
110         https://bugs.webkit.org/show_bug.cgi?id=193372
111
112         Reviewed by Saam Barati.
113
114         * stress/typed-array-array-modes-profile.js: Added.
115         (foo):
116
117 2019-01-14  Mark Lam  <mark.lam@apple.com>
118
119         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
120         https://bugs.webkit.org/show_bug.cgi?id=193402
121         <rdar://problem/46012309>
122
123         Reviewed by Keith Miller.
124
125         * stress/regexp-compile-oom.js:
126         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
127           is enabled.  As a result, it will fail on cloop builds though there is no bug.
128
129 2019-01-11  Saam barati  <sbarati@apple.com>
130
131         DFG combined liveness can be wrong for terminal basic blocks
132         https://bugs.webkit.org/show_bug.cgi?id=193304
133         <rdar://problem/45268632>
134
135         Reviewed by Yusuke Suzuki.
136
137         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
138
139 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
140
141         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
142         https://bugs.webkit.org/show_bug.cgi?id=193308
143         <rdar://problem/45546542>
144
145         Reviewed by Saam Barati.
146
147         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
148         (shouldThrow):
149         (shouldBe):
150         (foo):
151         (get shouldThrow):
152         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
153         (shouldThrow):
154         (shouldBe):
155         (foo):
156         (get shouldBe):
157         (get shouldThrow):
158         (get return):
159         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
160         (shouldThrow):
161         (shouldBe):
162         (foo):
163         (get shouldBe):
164         (get shouldThrow):
165         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
166         (shouldThrow):
167         (shouldBe):
168         (foo):
169         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
170         (shouldThrow):
171         (shouldBe):
172         (foo):
173         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
174         (shouldThrow):
175         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
176         (shouldThrow):
177         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
178         (shouldThrow):
179         (shouldBe):
180         (foo):
181         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
182         (shouldThrow):
183         (shouldBe):
184         (foo):
185         (get shouldBe):
186         (get shouldThrow):
187         (get return):
188         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
189         (shouldThrow):
190         (shouldBe):
191         (foo):
192         (get shouldBe):
193         (get shouldThrow):
194         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
195         (shouldThrow):
196         (shouldBe):
197         (foo):
198         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
199         (shouldThrow):
200         (shouldBe):
201         (foo):
202
203 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
204
205         Enable DFG on ARM/Linux again
206         https://bugs.webkit.org/show_bug.cgi?id=192496
207
208         Reviewed by Yusuke Suzuki.
209
210         Test wasn't really skipped before moving the line with skip
211         to the top.
212
213         * stress/regress-192717.js:
214
215 2019-01-10  Commit Queue  <commit-queue@webkit.org>
216
217         Unreviewed, rolling out r239825.
218         https://bugs.webkit.org/show_bug.cgi?id=193330
219
220         Broke tests on armv7/linux bots (Requested by guijemont on
221         #webkit).
222
223         Reverted changeset:
224
225         "Enable DFG on ARM/Linux again"
226         https://bugs.webkit.org/show_bug.cgi?id=192496
227         https://trac.webkit.org/changeset/239825
228
229 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
230
231         Enable DFG on ARM/Linux again
232         https://bugs.webkit.org/show_bug.cgi?id=192496
233
234         Reviewed by Yusuke Suzuki.
235
236         Test wasn't really skipped before moving the line with skip
237         to the top.
238
239         * stress/regress-192717.js:
240
241 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
242
243         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
244         https://bugs.webkit.org/show_bug.cgi?id=193127
245
246         Reviewed by Saam Barati.
247
248         * stress/array-species-create-should-handle-masquerader.js: Added.
249         (shouldThrow):
250         * stress/is-undefined-or-null-builtin.js: Added.
251         (shouldBe):
252         (isUndefinedOrNull.vm.createBuiltin):
253
254 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
255
256         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
257         https://bugs.webkit.org/show_bug.cgi?id=193221
258
259         Reviewed by Mark Lam.
260
261         * stress/put-by-id-flags.js: Added.
262         (f):
263         (g):
264         (numberOfDFGCompiles):
265
266 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
267
268         Baseline version of get_by_id may corrupt metadata
269         https://bugs.webkit.org/show_bug.cgi?id=193085
270         <rdar://problem/23453006>
271
272         Reviewed by Saam Barati.
273
274         * stress/get-by-id-change-mode.js: Added.
275         (forEach):
276
277 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
278
279         [JSC] Optimize Object.prototype.toString
280         https://bugs.webkit.org/show_bug.cgi?id=193031
281
282         Reviewed by Saam Barati.
283
284         * stress/object-tostring-changed-proto.js: Added.
285         (shouldBe):
286         (test):
287         * stress/object-tostring-changed.js: Added.
288         (shouldBe):
289         (test):
290         * stress/object-tostring-misc.js: Added.
291         (shouldBe):
292         (test):
293         (i.switch):
294         * stress/object-tostring-other.js: Added.
295         (shouldBe):
296         (test):
297         * stress/object-tostring-untyped.js: Added.
298         (shouldBe):
299         (test):
300         (i.switch):
301
302 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
303
304         test262-runner misbehaves when test file YAML has a trailing space
305         https://bugs.webkit.org/show_bug.cgi?id=193053
306
307         Reviewed by Yusuke Suzuki.
308
309         * test262/expectations.yaml:
310         Mark two dozen tests as passing (and correct the output of another).
311
312 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
313
314         Unreviewed, JSTests gardening with memoryLimited
315
316         * stress/string-overflow-createError.js:
317
318 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
319
320         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
321         https://bugs.webkit.org/show_bug.cgi?id=193050
322
323         Reviewed by Yusuke Suzuki.
324
325         * test262.yaml:
326         * test262/expectations.yaml:
327         Mark 16 tests as passing.
328
329 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
330
331         [BigInt] Support BigInt in JSON.stringify
332         https://bugs.webkit.org/show_bug.cgi?id=192624
333
334         Reviewed by Saam Barati.
335
336         * stress/big-int-json-stringify-to-json.js: Added.
337         (shouldBe):
338         (shouldThrow):
339         (BigInt.prototype.toJSON):
340         (shouldBe.JSON.stringify):
341         * stress/big-int-json-stringify.js: Added.
342         (shouldBe):
343         (shouldThrow):
344
345 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
346
347         [JSC] Implement "well-formed JSON.stringify" proposal
348         https://bugs.webkit.org/show_bug.cgi?id=191677
349
350         Reviewed by Darin Adler.
351
352         * stress/json-surrogate-pair.js: Added.
353         (shouldBe):
354         * test262/expectations.yaml:
355
356 2018-12-20  Keith Miller  <keith_miller@apple.com>
357
358         Add support for globalThis
359         https://bugs.webkit.org/show_bug.cgi?id=165171
360
361         Reviewed by Mark Lam.
362
363         * test262/config.yaml:
364
365 2018-12-19  Keith Miller  <keith_miller@apple.com>
366
367         Update test262 configuration to not run tests dependent on ICU version.
368         https://bugs.webkit.org/show_bug.cgi?id=192920
369
370         Reviewed by Saam Barati.
371
372         * test262/expectations.yaml:
373
374 2018-12-20  Mark Lam  <mark.lam@apple.com>
375
376         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
377         https://bugs.webkit.org/show_bug.cgi?id=192939
378         <rdar://problem/46869516>
379
380         Reviewed by Keith Miller.
381
382         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
383
384 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
385
386         WTF::String and StringImpl overflow MaxLength
387         https://bugs.webkit.org/show_bug.cgi?id=192853
388         <rdar://problem/45726906>
389
390         Reviewed by Mark Lam.
391
392         * stress/string-16bit-repeat-overflow.js: Added.
393         (catch):
394
395 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
396
397         Unreviewed follow-up to r192914.
398
399         * test262/expectations.yaml:
400         Add the last 20 missing expectations.
401
402 2018-12-19  Keith Miller  <keith_miller@apple.com>
403
404         Fix test262 expectations
405         https://bugs.webkit.org/show_bug.cgi?id=192914
406
407         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
408
409         * test262/expectations.yaml:
410
411 2018-12-19  Keith Miller  <keith_miller@apple.com>
412
413         Update test262 tests.
414         https://bugs.webkit.org/show_bug.cgi?id=192907
415
416         Rubber stamped by Mark Lam.
417
418         * test262/*: Omitted because prepare-changelog crashes.
419
420 2018-12-19  Mark Lam  <mark.lam@apple.com>
421
422         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
423         https://bugs.webkit.org/show_bug.cgi?id=192464
424         <rdar://problem/46519455>
425
426         Reviewed by Saam Barati.
427
428         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
429         microbenchmark.
430
431         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
432         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
433
434 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
435
436         String overflow in JSC::createError results in ASSERT in WTF::makeString
437         https://bugs.webkit.org/show_bug.cgi?id=192833
438         <rdar://problem/45706868>
439
440         Reviewed by Mark Lam.
441
442         * stress/string-overflow-createError.js: Added.
443
444 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
445
446         Error message for `-x ** y` contains a typo.
447         https://bugs.webkit.org/show_bug.cgi?id=192832
448
449         Reviewed by Saam Barati.
450
451         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
452         (assert.assert.return.throws):
453         * stress/pow-expects-update-expression-on-lhs.js:
454         (throw.new.Error):
455         Update test expectations which match against the exact error message.
456
457 2018-12-18  Mark Lam  <mark.lam@apple.com>
458
459         Gardening: test options fix.
460         https://bugs.webkit.org/show_bug.cgi?id=192822
461
462         Unreviewed.
463
464         * stress/json-stringify-string-builder-overflow.js:
465
466 2018-12-18  Mark Lam  <mark.lam@apple.com>
467
468         JSON.stringify() should throw OOM on StringBuilder overflows.
469         https://bugs.webkit.org/show_bug.cgi?id=192822
470         <rdar://problem/46670577>
471
472         Reviewed by Saam Barati.
473
474         * stress/json-stringify-string-builder-overflow.js: Added.
475
476 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
477
478         Redeclaration of var over let/const/class should be a syntax error.
479         https://bugs.webkit.org/show_bug.cgi?id=192298
480
481         Reviewed by Keith Miller.
482
483         * test262.yaml:
484         * test262/expectations.yaml:
485         Mark 46 tests as passing.
486
487         * stress/block-scope-redeclarations.js:
488         Add some new tests.
489
490         * stress/for-in-invalidate-context-weird-assignments.js:
491         * stress/for-in-tests.js:
492         Replace tests for outdated behavior with tests for SyntaxError.
493
494         * ChakraCore/test/LetConst/defer3.baseline-jsc:
495         * ChakraCore/test/LetConst/letvar.baseline-jsc:
496         Update expectations.
497
498 2018-12-18  Mark Lam  <mark.lam@apple.com>
499
500         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
501         https://bugs.webkit.org/show_bug.cgi?id=191374
502         <rdar://problem/46525447>
503
504         Reviewed by Yusuke Suzuki.
505
506         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
507
508         * stress/elidable-new-object-roflcopter-then-exit.js:
509
510 2018-12-17  Mark Lam  <mark.lam@apple.com>
511
512         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
513         https://bugs.webkit.org/show_bug.cgi?id=192019
514         <rdar://problem/46525456>
515
516         Reviewed by Yusuke Suzuki.
517
518         The test runs too slow on 32-bit.
519
520         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
521
522 2018-12-17  Mark Lam  <mark.lam@apple.com>
523
524         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
525         https://bugs.webkit.org/show_bug.cgi?id=191373
526         <rdar://problem/46525458>
527
528         Reviewed by Yusuke Suzuki.
529
530         The test is already slow running with a JIT on 64-bit.  It will always time out
531         on 32-bit without a JIT.
532
533         * stress/materialize-regexp-cyclic-regexp.js:
534
535 2018-12-17  Mark Lam  <mark.lam@apple.com>
536
537         Array unshift/shift should not race against the AI in the compiler thread.
538         https://bugs.webkit.org/show_bug.cgi?id=192795
539         <rdar://problem/46724263>
540
541         Reviewed by Saam Barati.
542
543         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
544
545 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
546
547         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
548         https://bugs.webkit.org/show_bug.cgi?id=190047
549
550         Reviewed by Saam Barati.
551
552         * stress/object-keys-cached-zero.js: Added.
553         (shouldBe):
554         (test):
555         * stress/object-keys-changed-attribute.js: Added.
556         (shouldBe):
557         (test):
558         * stress/object-keys-changed-index.js: Added.
559         (shouldBe):
560         (test):
561         * stress/object-keys-changed.js: Added.
562         (shouldBe):
563         (test):
564         * stress/object-keys-indexed-non-cache.js: Added.
565         (shouldBe):
566         (test):
567         * stress/object-keys-overrides-get-property-names.js: Added.
568         (shouldBe):
569         (test):
570         (noInline):
571
572 2018-12-17  Mark Lam  <mark.lam@apple.com>
573
574         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
575         https://bugs.webkit.org/show_bug.cgi?id=192779
576         <rdar://problem/46775869>
577
578         Reviewed by Saam Barati.
579
580         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
581
582 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
583
584         Unreviewed test gardening, address a syntax error in a new test.
585
586         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
587
588 2018-12-17  Mark Lam  <mark.lam@apple.com>
589
590         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
591         https://bugs.webkit.org/show_bug.cgi?id=192776
592         <rdar://problem/46772368>
593
594         Reviewed by Keith Miller.
595
596         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
597
598 2018-12-17  Mark Lam  <mark.lam@apple.com>
599
600         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
601         https://bugs.webkit.org/show_bug.cgi?id=192770
602         <rdar://problem/46449037>
603
604         Reviewed by Keith Miller.
605
606         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
607
608 2018-12-14  Mark Lam  <mark.lam@apple.com>
609
610         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
611         https://bugs.webkit.org/show_bug.cgi?id=192717
612         <rdar://problem/46660677>
613
614         Reviewed by Saam Barati.
615
616         * stress/regress-192717.js: Added.
617
618 2018-12-14  Commit Queue  <commit-queue@webkit.org>
619
620         Unreviewed, rolling out r239153, r239154, and r239155.
621         https://bugs.webkit.org/show_bug.cgi?id=192715
622
623         Caused flaky GC-related crashes seen with layout tests
624         (Requested by ryanhaddad on #webkit).
625
626         Reverted changesets:
627
628         "[JSC] Optimize Object.keys by caching own keys results in
629         StructureRareData"
630         https://bugs.webkit.org/show_bug.cgi?id=190047
631         https://trac.webkit.org/changeset/239153
632
633         "Unreviewed, build fix after r239153"
634         https://bugs.webkit.org/show_bug.cgi?id=190047
635         https://trac.webkit.org/changeset/239154
636
637         "Unreviewed, build fix after r239153, part 2"
638         https://bugs.webkit.org/show_bug.cgi?id=190047
639         https://trac.webkit.org/changeset/239155
640
641 2018-12-14  Keith Miller  <keith_miller@apple.com>
642
643         Callers of JSString::getIndex should check for OOM exceptions
644         https://bugs.webkit.org/show_bug.cgi?id=192709
645
646         Reviewed by Mark Lam.
647
648         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
649
650 2018-12-13  Mark Lam  <mark.lam@apple.com>
651
652         Add a missing exception check.
653         https://bugs.webkit.org/show_bug.cgi?id=192626
654         <rdar://problem/46662163>
655
656         Reviewed by Keith Miller.
657
658         * stress/regress-192626.js: Added.
659
660 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
661
662         [BigInt] Add ValueDiv into DFG
663         https://bugs.webkit.org/show_bug.cgi?id=186178
664
665         Reviewed by Yusuke Suzuki.
666
667         * stress/big-int-div-jit-osr.js: Added.
668         * stress/big-int-div-jit-untyped.js: Added.
669         * stress/value-div-fixup-int32-big-int.js: Added.
670
671 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
672
673         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
674         https://bugs.webkit.org/show_bug.cgi?id=190047
675
676         Reviewed by Keith Miller.
677
678         * stress/object-keys-cached-zero.js: Added.
679         (shouldBe):
680         (test):
681         * stress/object-keys-changed-attribute.js: Added.
682         (shouldBe):
683         (test):
684         * stress/object-keys-changed-index.js: Added.
685         (shouldBe):
686         (test):
687         * stress/object-keys-changed.js: Added.
688         (shouldBe):
689         (test):
690         * stress/object-keys-indexed-non-cache.js: Added.
691         (shouldBe):
692         (test):
693         * stress/object-keys-overrides-get-property-names.js: Added.
694         (shouldBe):
695         (test):
696         (noInline):
697
698 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
699
700         [DFG][FTL] Add NewSymbol
701         https://bugs.webkit.org/show_bug.cgi?id=192620
702
703         Reviewed by Saam Barati.
704
705         * microbenchmarks/symbol-creation.js: Added.
706         (test):
707         * stress/symbol-description-identity.js: Added.
708         (shouldBe):
709         (test):
710         * stress/symbol-identity.js: Added.
711         (shouldBe):
712         (test):
713         * stress/symbol-with-description-throw-error.js: Added.
714         (shouldBe):
715         (shouldThrow):
716         (test):
717         (object.toString):
718
719 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
720
721         [BigInt] Implement DFG/FTL typeof for BigInt
722         https://bugs.webkit.org/show_bug.cgi?id=192619
723
724         Reviewed by Keith Miller.
725
726         * stress/big-int-boolean-proven-type.js: Added.
727         (assert):
728         (bool):
729         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
730         (assert):
731         (typeOf):
732         (i.switch):
733         * stress/big-int-type-of-proven-type-non-constant.js: Added.
734         (assert):
735         (typeOf):
736         * stress/big-int-type-of.js:
737         (typeOf):
738         (func):
739
740 2018-12-10  Mark Lam  <mark.lam@apple.com>
741
742         PropertyAttribute needs a CustomValue bit.
743         https://bugs.webkit.org/show_bug.cgi?id=191993
744         <rdar://problem/46264467>
745
746         Reviewed by Saam Barati.
747
748         * stress/regress-191993.js: Added.
749
750 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
751
752         [BigInt] Add ValueMul into DFG
753         https://bugs.webkit.org/show_bug.cgi?id=186175
754
755         Reviewed by Yusuke Suzuki.
756
757         * stress/big-int-mul-jit-osr.js: Added.
758         * stress/big-int-mul-jit-untyped.js: Added.
759         * stress/value-mul-fixup-int32-big-int.js: Added.
760
761 2018-12-06  Keith Miller  <keith_miller@apple.com>
762
763         stress/big-wasm-memory tests failing on 32-bit JSC bot
764         https://bugs.webkit.org/show_bug.cgi?id=192020
765
766         Reviewed by Saam Barati.
767
768         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
769         the wasm stress tests if the WebAssembly object does not exist.
770
771         * stress/big-wasm-memory-grow-no-max.js:
772         (test.foo):
773         (test):
774         (foo): Deleted.
775         (catch): Deleted.
776         * stress/big-wasm-memory-grow.js:
777         (test.foo):
778         (test):
779         (foo): Deleted.
780         (catch): Deleted.
781         * stress/big-wasm-memory.js:
782         (test.foo):
783         (test):
784         (foo): Deleted.
785         (catch): Deleted.
786
787 2018-12-05  Mark Lam  <mark.lam@apple.com>
788
789         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
790         https://bugs.webkit.org/show_bug.cgi?id=192441
791         <rdar://problem/46480355>
792
793         Reviewed by Saam Barati.
794
795         * stress/regress-192441.js: Added.
796
797 2018-12-04  Mark Lam  <mark.lam@apple.com>
798
799         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
800         https://bugs.webkit.org/show_bug.cgi?id=192386
801         <rdar://problem/46445516>
802
803         Reviewed by Saam Barati.
804
805         * stress/regress-192386.js: Added.
806
807 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
808
809         [ESNext][BigInt] Support logic operations
810         https://bugs.webkit.org/show_bug.cgi?id=179903
811
812         Reviewed by Yusuke Suzuki.
813
814         * stress/big-int-branch-usage.js: Added.
815         * stress/big-int-logical-and.js: Added.
816         * stress/big-int-logical-not.js: Added.
817         * stress/big-int-logical-or.js: Added.
818
819 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
820
821         Unreviewed, rolling out r238833.
822
823         Breaks macOS and iOS debug builds.
824
825         Reverted changeset:
826
827         "[ESNext][BigInt] Support logic operations"
828         https://bugs.webkit.org/show_bug.cgi?id=179903
829         https://trac.webkit.org/changeset/238833
830
831 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
832
833         [ESNext][BigInt] Support logic operations
834         https://bugs.webkit.org/show_bug.cgi?id=179903
835
836         Reviewed by Yusuke Suzuki.
837
838         * stress/big-int-branch-usage.js: Added.
839         * stress/big-int-logical-and.js: Added.
840         * stress/big-int-logical-not.js: Added.
841         * stress/big-int-logical-or.js: Added.
842
843 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
844
845         [ESNext][BigInt] Implement support for "<<" and ">>"
846         https://bugs.webkit.org/show_bug.cgi?id=186233
847
848         Reviewed by Yusuke Suzuki.
849
850         * stress/big-int-left-shift-general.js: Added.
851         * stress/big-int-left-shift-range-error.js: Added.
852         * stress/big-int-left-shift-type-error.js: Added.
853         * stress/big-int-left-shift-wrapped-value.js: Added.
854         * stress/big-int-right-shift-general.js: Added.
855         * stress/big-int-right-shift-type-error.js: Added.
856         * stress/big-int-right-shift-wrapped-value.js: Added.
857         * stress/left-shift-to-primitive-precedence.js: Added.
858         * stress/right-shift-to-primitive-precedence.js: Added.
859
860 2018-11-30  Dean Jackson  <dino@apple.com>
861
862         Add first-class support for .mjs files in jsc binary
863         https://bugs.webkit.org/show_bug.cgi?id=192190
864         <rdar://problem/46375715>
865
866         Reviewed by Keith Miller.
867
868         * stress/simple-module.mjs: Added.
869         * stress/simple-script.js: Added.
870
871 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
872
873         [BigInt] Implement ValueBitXor into DFG
874         https://bugs.webkit.org/show_bug.cgi?id=190264
875
876         Reviewed by Yusuke Suzuki.
877
878         * stress/big-int-bitwise-xor-jit.js: Added.
879         * stress/big-int-bitwise-xor-memory-stress.js: Added.
880         * stress/big-int-bitwise-xor-untyped.js: Added.
881
882 2018-11-27  Saam barati  <sbarati@apple.com>
883
884         r238510 broke scopes of size zero
885         https://bugs.webkit.org/show_bug.cgi?id=192033
886         <rdar://problem/46281734>
887
888         Reviewed by Keith Miller.
889
890         * stress/r238510-bad-loop.js: Added.
891         (foo):
892
893 2018-11-27  Mark Lam  <mark.lam@apple.com>
894
895         [Re-landing] NaNs read from Wasm code needs to be purified.
896         https://bugs.webkit.org/show_bug.cgi?id=191056
897         <rdar://problem/45660341>
898
899         Reviewed by Filip Pizlo.
900
901         * wasm/regress/regress-191056.js: Added.
902
903 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
904
905         Unreviewed, rolling out r238509.
906
907         Causes JSC tests to fail on iOS.
908
909         Reverted changeset:
910
911         "NaNs read from Wasm code needs to be purified."
912         https://bugs.webkit.org/show_bug.cgi?id=191056
913         https://trac.webkit.org/changeset/238509
914
915 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
916
917         Re-introduce op_bitnot
918         https://bugs.webkit.org/show_bug.cgi?id=190923
919
920         Reviewed by Yusuke Suzuki.
921
922         * stress/bit-not-must-generate.js: Added.
923         * stress/bitwise-not-no-int32.js: Added.
924
925 2018-11-26  Saam barati  <sbarati@apple.com>
926
927         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
928         https://bugs.webkit.org/show_bug.cgi?id=191956
929         <rdar://problem/45665806>
930
931         Reviewed by Yusuke Suzuki.
932
933         * stress/end-basic-block-set-local-should-filter-type.js: Added.
934         (bar):
935         (foo):
936
937 2018-11-26  Saam barati  <sbarati@apple.com>
938
939         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
940         https://bugs.webkit.org/show_bug.cgi?id=191958
941         <rdar://problem/46221877>
942
943         Reviewed by Yusuke Suzuki.
944
945         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
946         (x):
947         (foo):
948
949 2018-11-26  Mark Lam  <mark.lam@apple.com>
950
951         NaNs read from Wasm code needs to be purified.
952         https://bugs.webkit.org/show_bug.cgi?id=191056
953         <rdar://problem/45660341>
954
955         Reviewed by Filip Pizlo.
956
957         * wasm/regress/regress-191056.js: Added.
958
959 2018-11-26  Michael Saboff  <msaboff@apple.com>
960
961         32-bit JSC test failure: stress/regexp-compile-oom.js
962         https://bugs.webkit.org/show_bug.cgi?id=191375
963
964         Reviewed by Mark Lam.
965
966         Disabled the test for 32 bit platforms.
967
968         * stress/regexp-compile-oom.js:
969
970 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
971
972         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
973         https://bugs.webkit.org/show_bug.cgi?id=191716
974         <rdar://problem/45723878>
975
976         Reviewed by Saam Barati.
977
978         * stress/regress-187373.js: Added.
979         (async.fn):
980
981 2018-11-21  Saam barati  <sbarati@apple.com>
982
983         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
984         https://bugs.webkit.org/show_bug.cgi?id=191897
985         <rdar://problem/45871998>
986
987         Reviewed by Mark Lam.
988
989         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
990         (bar):
991         (foo):
992
993 2018-11-21  Saam barati  <sbarati@apple.com>
994
995         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
996         https://bugs.webkit.org/show_bug.cgi?id=191895
997         <rdar://problem/46167406>
998
999         Reviewed by Mark Lam.
1000
1001         * stress/known-cell-use-needs-type-check-assertion.js: Added.
1002         (foo):
1003         (bar):
1004
1005 2018-11-21  Mark Lam  <mark.lam@apple.com>
1006
1007         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
1008         https://bugs.webkit.org/show_bug.cgi?id=191776
1009         <rdar://problem/46152851>
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/big-wasm-memory-grow-no-max.js:
1014         * stress/big-wasm-memory-grow.js:
1015         * stress/big-wasm-memory.js:
1016         - updated these to expect an OutOfMemoryError.
1017
1018         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
1019         (Binary.prototype.emit_u8):
1020         (Binary.prototype.emit_u32v):
1021         (Binary.prototype.emit_header):
1022         (Binary.prototype.emit_section):
1023         (Binary):
1024         (WasmModuleBuilder):
1025         (WasmModuleBuilder.prototype.addMemory):
1026         (WasmModuleBuilder.prototype.toArray):
1027         (WasmModuleBuilder.prototype.toBuffer):
1028         (WasmModuleBuilder.prototype.instantiate):
1029         (catch):
1030         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
1031         (catch):
1032
1033 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
1034
1035         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1036         https://bugs.webkit.org/show_bug.cgi?id=190836
1037
1038         Reviewed by Saam Barati and Yusuke Suzuki.
1039
1040         * stress/big-int-out-of-memory-tests.js: Added.
1041
1042 2018-11-20  Mark Lam  <mark.lam@apple.com>
1043
1044         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
1045         https://bugs.webkit.org/show_bug.cgi?id=191856
1046         <rdar://problem/46089992>
1047
1048         Reviewed by Yusuke Suzuki.
1049
1050         * stress/regress-191856.js: Added.
1051         - this test is skipped for now until we have a fix for webkit.org/b/191855.
1052
1053 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
1054
1055         Enable JIT on ARM/Linux
1056         https://bugs.webkit.org/show_bug.cgi?id=191548
1057
1058         Reviewed by Yusuke Suzuki.
1059
1060         Disable test on system with limited memory. Program was killed by
1061         the OS before the exception was thrown.
1062
1063         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
1064
1065 2018-11-20  Saam barati  <sbarati@apple.com>
1066
1067         Merging an IC variant may lead to the IC status containing overlapping structure sets
1068         https://bugs.webkit.org/show_bug.cgi?id=191869
1069         <rdar://problem/45403453>
1070
1071         Reviewed by Mark Lam.
1072
1073         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
1074
1075 2018-11-19  Mark Lam  <mark.lam@apple.com>
1076
1077         globalFuncImportModule() should return a promise when it clears exceptions.
1078         https://bugs.webkit.org/show_bug.cgi?id=191792
1079         <rdar://problem/46090763>
1080
1081         Reviewed by Michael Saboff.
1082
1083         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
1084
1085 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
1086
1087         Skip new memory-hungry tests on memory limited devices
1088
1089         Unreviewed gardening.
1090
1091         * stress/big-wasm-memory-grow-no-max.js:
1092         * stress/big-wasm-memory-grow.js:
1093         * stress/big-wasm-memory.js:
1094
1095 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1096
1097         Unreviewed, rolling in the rest of r237254
1098         https://bugs.webkit.org/show_bug.cgi?id=190340
1099
1100         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1101         * stress/function-cache-with-parameters-end-position.js: Added.
1102         (shouldBe):
1103         (shouldThrow):
1104         (i.anonymous):
1105         * stress/function-constructor-name.js: Added.
1106         (shouldBe):
1107         (GeneratorFunction):
1108         (AsyncFunction.async):
1109         (AsyncGeneratorFunction.async):
1110         (anonymous):
1111         (async.anonymous):
1112         * test262/expectations.yaml:
1113
1114 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1115
1116         All users of ArrayBuffer should agree on the same max size
1117         https://bugs.webkit.org/show_bug.cgi?id=191771
1118
1119         Reviewed by Mark Lam.
1120
1121         * stress/big-wasm-memory-grow-no-max.js: Added.
1122         (foo):
1123         (catch):
1124         * stress/big-wasm-memory-grow.js: Added.
1125         (foo):
1126         (catch):
1127         * stress/big-wasm-memory.js: Added.
1128         (foo):
1129         (catch):
1130
1131 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
1134         run for each JSC config since they're regression tests for runtime bugs.
1135
1136         * stress/json-stringified-overflow-2.js:
1137         * stress/json-stringified-overflow.js:
1138
1139 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
1140
1141         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
1142         config since they're regression tests for runtime bugs.
1143
1144         * stress/large-unshift-splice.js:
1145         * stress/regress-185888.js:
1146
1147 2018-11-16  Saam Barati  <sbarati@apple.com>
1148
1149         KnownCellUse should also have SpecCellCheck as its type filter
1150         https://bugs.webkit.org/show_bug.cgi?id=191729
1151         <rdar://problem/45872852>
1152
1153         Reviewed by Filip Pizlo.
1154
1155         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
1156         (C):
1157
1158 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
1159
1160         Fix assertion failure on BytecodeGenerator::recordOpcode
1161         https://bugs.webkit.org/show_bug.cgi?id=191724
1162         <rdar://problem/45724395>
1163
1164         Reviewed by Saam Barati.
1165
1166         * stress/regress-187373-2.js: Added.
1167         (foo):
1168
1169 2018-11-15  Mark Lam  <mark.lam@apple.com>
1170
1171         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
1172         https://bugs.webkit.org/show_bug.cgi?id=191730
1173         <rdar://problem/46048517>
1174
1175         Reviewed by Saam Barati.
1176
1177         * stress/regress-187006.js: Removed.
1178           - this test is invalid because its sole purpose is to test for the non-spec
1179             compliant behavior that we just fixed.
1180
1181         * stress/regress-191730.js: Added.
1182
1183 2018-11-15  Mark Lam  <mark.lam@apple.com>
1184
1185         RegExp operations should not take fast path if lastIndex is not numeric.
1186         https://bugs.webkit.org/show_bug.cgi?id=191731
1187         <rdar://problem/46017305>
1188
1189         Reviewed by Saam Barati.
1190
1191         * stress/regress-191731.js: Added.
1192
1193 2018-11-13  Saam Barati  <sbarati@apple.com>
1194
1195         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
1196         https://bugs.webkit.org/show_bug.cgi?id=191600
1197
1198         Reviewed by Mark Lam.
1199
1200         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
1201         (foo):
1202         (test):
1203         (bar):
1204
1205 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
1206
1207         Unreviewed, rolling out r238132.
1208
1209         The test added with this change is timing out on Debug JSC
1210         bots.
1211
1212         Reverted changeset:
1213
1214         "[BigInt] JSBigInt::createWithLength should throw when length
1215         is greater than JSBigInt::maxLength"
1216         https://bugs.webkit.org/show_bug.cgi?id=190836
1217         https://trac.webkit.org/changeset/238132
1218
1219 2018-11-13  Mark Lam  <mark.lam@apple.com>
1220
1221         Add OOM detection to StringPrototype's substituteBackreferences().
1222         https://bugs.webkit.org/show_bug.cgi?id=191563
1223         <rdar://problem/45720428>
1224
1225         Reviewed by Saam Barati.
1226
1227         * stress/regress-191563.js: Added.
1228
1229 2018-11-13  Mark Lam  <mark.lam@apple.com>
1230
1231         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
1232         https://bugs.webkit.org/show_bug.cgi?id=191579
1233         <rdar://problem/45942472>
1234
1235         Reviewed by Saam Barati.
1236
1237         * stress/regress-191579.js: Added.
1238
1239 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
1240
1241         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
1242         https://bugs.webkit.org/show_bug.cgi?id=190836
1243
1244         Reviewed by Saam Barati.
1245
1246         * stress/big-int-out-of-memory-tests.js: Added.
1247
1248 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
1249
1250         U+180E is no longer a whitespace character
1251         https://bugs.webkit.org/show_bug.cgi?id=191415
1252
1253         Reviewed by Saam Barati.
1254
1255         * ChakraCore/test/es5/regexSpace.baseline:
1256         * ChakraCore/test/es6/unicode_whitespace.js:
1257         Update tests to latest version.
1258         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
1259
1260         * test262.yaml:
1261         * test262/config.yaml:
1262         * test262/expectations.yaml:
1263         Update expectations.
1264
1265 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
1266
1267         [BigInt] Add support to BigInt into ValueAdd
1268         https://bugs.webkit.org/show_bug.cgi?id=186177
1269
1270         Reviewed by Keith Miller.
1271
1272         * stress/big-int-negate-jit.js:
1273         * stress/value-add-big-int-and-string.js: Added.
1274         * stress/value-add-big-int-prediction-propagation.js: Added.
1275         * stress/value-add-big-int-untyped.js: Added.
1276
1277 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
1278
1279         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
1280         https://bugs.webkit.org/show_bug.cgi?id=191184
1281
1282         Reviewed by Saam Barati.
1283
1284         Most tests were failing due to timeouts, since they are too slow to
1285         run on CLoop. The exceptions are:
1286
1287         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
1288         dont-crash-on-stack-overflow-when-parsing-builtin.js and
1289         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
1290         to change the stack size since CLoop requires it to be page aligned.
1291
1292         * microbenchmarks/array-push-1.js:
1293         * microbenchmarks/array-push-2.js:
1294         * microbenchmarks/elidable-new-object-dag.js:
1295         * microbenchmarks/elidable-new-object-roflcopter.js:
1296         * microbenchmarks/elidable-new-object-tree.js:
1297         * microbenchmarks/getter-richards.js:
1298         * microbenchmarks/sinkable-new-object-dag.js:
1299         * microbenchmarks/string-concat-long-convert.js:
1300         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
1301         * slowMicrobenchmarks/array-push-3.js:
1302         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
1303         * slowMicrobenchmarks/spread-small-array.js:
1304         * slowMicrobenchmarks/undefined-property-access.js:
1305         * stress/activation-sink-default-value-tdz-error.js:
1306         * stress/activation-sink-default-value.js:
1307         * stress/activation-sink-osrexit-default-value-tdz-error.js:
1308         * stress/activation-sink-osrexit-default-value.js:
1309         * stress/activation-sink-osrexit.js:
1310         * stress/activation-sink.js:
1311         * stress/allow-math-ic-b3-code-duplication.js:
1312         * stress/array-push-multiple-int32.js:
1313         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
1314         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
1315         * stress/arrowfunction-lexical-this-activation-sink.js:
1316         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
1317         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
1318         * stress/elide-new-object-dag-then-exit.js:
1319         * stress/materialize-regexp-cyclic.js:
1320         * stress/new-regex-inline.js:
1321         * stress/op_add.js:
1322         * stress/op_bitand.js:
1323         * stress/op_bitor.js:
1324         * stress/op_bitxor.js:
1325         * stress/op_div-ConstVar.js:
1326         * stress/op_div-VarConst.js:
1327         * stress/op_div-VarVar.js:
1328         * stress/op_lshift-ConstVar.js:
1329         * stress/op_lshift-VarConst.js:
1330         * stress/op_lshift-VarVar.js:
1331         * stress/op_mod-ConstVar.js:
1332         * stress/op_mod-VarConst.js:
1333         * stress/op_mod-VarVar.js:
1334         * stress/op_mul-ConstVar.js:
1335         * stress/op_mul-VarConst.js:
1336         * stress/op_mul-VarVar.js:
1337         * stress/op_rshift-ConstVar.js:
1338         * stress/op_rshift-VarConst.js:
1339         * stress/op_rshift-VarVar.js:
1340         * stress/op_sub-ConstVar.js:
1341         * stress/op_sub-VarConst.js:
1342         * stress/op_sub-VarVar.js:
1343         * stress/op_urshift-ConstVar.js:
1344         * stress/op_urshift-VarConst.js:
1345         * stress/op_urshift-VarVar.js:
1346         * stress/proxy-get-set-correct-receiver.js:
1347         * stress/regress-179562.js:
1348         * stress/rest-parameter-many-arguments.js:
1349         * stress/sampling-profiler-richards.js:
1350         * stress/splay-flash-access-1ms.js:
1351         * stress/tailCallForwardArguments.js:
1352         * stress/typed-array-get-by-val-profiling.js:
1353         * typeProfiler/getter-richards.js:
1354
1355 2018-11-06  Michael Saboff  <msaboff@apple.com>
1356
1357         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
1358         https://bugs.webkit.org/show_bug.cgi?id=191271
1359
1360         Reviewed by Saam Barati.
1361
1362         Added more test cases and made all test cases run with the same deeply recursive stack
1363         instead of finding that same point for each test case.
1364
1365         * stress/regexp-compile-oom.js:
1366         (prototype.runTest):
1367         (recurseAndTest):
1368         (testList.push.new.TestAndExpectedException):
1369
1370 2018-11-05  Michael Saboff  <msaboff@apple.com>
1371
1372         Unreviewed build fix for linux.
1373
1374         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
1375
1376 2018-11-02  Michael Saboff  <msaboff@apple.com>
1377
1378         Rolling in r237753 with unreviewed build fix.
1379
1380         Fixed issues with DECLARE_THROW_SCOPE placement.
1381
1382 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
1383
1384         Unreviewed, rolling out r237753.
1385
1386         Introduced JSC test failures
1387
1388         Reverted changeset:
1389
1390         "Running out of stack space not properly handled in
1391         RegExp::compile() and its callers"
1392         https://bugs.webkit.org/show_bug.cgi?id=191206
1393         https://trac.webkit.org/changeset/237753
1394
1395 2018-11-02  Michael Saboff  <msaboff@apple.com>
1396
1397         Running out of stack space not properly handled in RegExp::compile() and its callers
1398         https://bugs.webkit.org/show_bug.cgi?id=191206
1399
1400         Reviewed by Filip Pizlo.
1401
1402         New regression test.
1403
1404         * stress/regexp-compile-oom.js: Added.
1405         (recurseAndTest):
1406
1407 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
1408
1409         Skip tests on arm/mips that time out now we're running on CLoop
1410
1411         Unreviewed gardening.
1412
1413         Since the JIT is temporarily disabled on 32-bit platforms, these tests
1414         time out on the bots and need to be disabled. There's more tests
1415         disabled on arm because the timeout is longer on the mips bot (as the
1416         device is slower to start with), so many of the tests don't time out
1417         there.
1418
1419         * microbenchmarks/getter-richards.js: disable on arm and mips.
1420         * stress/op_add.js: disable on arm.
1421         * stress/op_bitand.js: disable on arm.
1422         * stress/op_bitor.js: disable on arm.
1423         * stress/op_bitxor.js: disable on arm.
1424         * stress/op_lshift-ConstVar.js: disable on arm.
1425         * stress/op_lshift-VarConst.js: disable on arm.
1426         * stress/op_lshift-VarVar.js: disable on arm.
1427         * stress/op_mod-ConstVar.js: disable on arm.
1428         * stress/op_mod-VarConst.js: disable on arm.
1429         * stress/op_mod-VarVar.js: disable on arm.
1430         * stress/op_mul-ConstVar.js: disable on arm.
1431         * stress/op_mul-VarConst.js: disable on arm.
1432         * stress/op_mul-VarVar.js: disable on arm.
1433         * stress/op_rshift-ConstVar.js: disable on arm.
1434         * stress/op_rshift-VarConst.js: disable on arm.
1435         * stress/op_rshift-VarVar.js: disable on arm.
1436         * stress/op_sub-ConstVar.js: disable on arm.
1437         * stress/op_sub-VarConst.js: disable on arm.
1438         * stress/op_sub-VarVar.js: disable on arm.
1439         * stress/op_urshift-ConstVar.js: disable on arm.
1440         * stress/op_urshift-VarConst.js: disable on arm.
1441         * stress/op_urshift-VarVar.js: disable on arm.
1442         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
1443         * stress/value-to-boolean.js: disable on arm and mips.
1444
1445 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
1446
1447         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
1448         https://bugs.webkit.org/show_bug.cgi?id=191108
1449         <rdar://problem/45690700>
1450
1451         Reviewed by Saam Barati.
1452
1453         * stress/wide-op_catch.js: Added.
1454         (catch):
1455
1456 2018-10-29  Mark Lam  <mark.lam@apple.com>
1457
1458         Correctly detect string overflow when using the 'Function' constructor.
1459         https://bugs.webkit.org/show_bug.cgi?id=184883
1460         <rdar://problem/36320331>
1461
1462         Reviewed by Saam Barati.
1463
1464         I've verified that this passes on 32-bit as well.
1465
1466         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1467
1468 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1469
1470         Add support for GetStack FlushedDouble
1471         https://bugs.webkit.org/show_bug.cgi?id=191012
1472         <rdar://problem/45265141>
1473
1474         Reviewed by Saam Barati.
1475
1476         * stress/get-stack-double.js: Added.
1477         (bar):
1478         (noInline):
1479
1480 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1481
1482         New bytecode format for JSC
1483         https://bugs.webkit.org/show_bug.cgi?id=187373
1484         <rdar://problem/44186758>
1485
1486         Reviewed by Filip Pizlo.
1487
1488         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1489
1490         * stress/maximum-inline-capacity.js: Added.
1491         (test1):
1492         (test3.Foo):
1493         (test3):
1494
1495 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1496
1497         Unreviewed, rolling out r237479 and r237484.
1498         https://bugs.webkit.org/show_bug.cgi?id=190978
1499
1500         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1501
1502         Reverted changesets:
1503
1504         "New bytecode format for JSC"
1505         https://bugs.webkit.org/show_bug.cgi?id=187373
1506         https://trac.webkit.org/changeset/237479
1507
1508         "Gardening: Build fix after r237479."
1509         https://bugs.webkit.org/show_bug.cgi?id=187373
1510         https://trac.webkit.org/changeset/237484
1511
1512 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1513
1514         New bytecode format for JSC
1515         https://bugs.webkit.org/show_bug.cgi?id=187373
1516         <rdar://problem/44186758>
1517
1518         Reviewed by Filip Pizlo.
1519
1520         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1521
1522         * stress/maximum-inline-capacity.js: Added.
1523         (test1):
1524         (test3.Foo):
1525         (test3):
1526
1527 2018-10-26  Mark Lam  <mark.lam@apple.com>
1528
1529         Fix missing edge cases with JSGlobalObjects having a bad time.
1530         https://bugs.webkit.org/show_bug.cgi?id=189028
1531         <rdar://problem/45204939>
1532
1533         Reviewed by Saam Barati.
1534
1535         * stress/regress-189028.js: Added.
1536
1537 2018-10-22  Mark Lam  <mark.lam@apple.com>
1538
1539         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1540         https://bugs.webkit.org/show_bug.cgi?id=190515
1541         <rdar://problem/45222379>
1542
1543         Rubber-stamped by Saam Barati.
1544
1545         Adding another test.
1546
1547         * stress/regress-190515-2.js: Added.
1548
1549 2018-10-22  Mark Lam  <mark.lam@apple.com>
1550
1551         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1552         https://bugs.webkit.org/show_bug.cgi?id=190515
1553         <rdar://problem/45222379>
1554
1555         Reviewed by Saam Barati.
1556
1557         * stress/regress-190515.js: Added.
1558
1559 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1560
1561         Unreviewed, rolling out r237254.
1562         https://bugs.webkit.org/show_bug.cgi?id=190760
1563
1564         "It regresses JetStream 2 by 5% on some iOS devices"
1565         (Requested by saamyjoon on #webkit).
1566
1567         Reverted changeset:
1568
1569         "[JSC] JSC should have "parseFunction" to optimize Function
1570         constructor"
1571         https://bugs.webkit.org/show_bug.cgi?id=190340
1572         https://trac.webkit.org/changeset/237254
1573
1574 2018-10-19  Saam Barati  <sbarati@apple.com>
1575
1576         vmCall should check if we exit before emitting an OSR exit due to exceptions
1577         https://bugs.webkit.org/show_bug.cgi?id=190740
1578         <rdar://problem/45220139>
1579
1580         Reviewed by Mark Lam.
1581
1582         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1583         (foo):
1584
1585 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1586
1587         [ESNext][BigInt] Implement support for "^"
1588         https://bugs.webkit.org/show_bug.cgi?id=186235
1589
1590         Reviewed by Yusuke Suzuki.
1591
1592         * stress/big-int-bitwise-xor-general.js: Added.
1593         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1594         * stress/big-int-bitwise-xor-type-error.js: Added.
1595         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1596
1597 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1598
1599         [BigInt] Add ValueSub into DFG
1600         https://bugs.webkit.org/show_bug.cgi?id=186176
1601
1602         Reviewed by Yusuke Suzuki.
1603
1604         * stress/big-int-subtraction-jit.js:
1605         * stress/value-sub-big-int-prediction-propagation.js: Added.
1606         * stress/value-sub-big-int-untyped.js: Added.
1607         * stress/value-sub-spec-none-case.js: Added.
1608
1609 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1610
1611         [JSC] JSC should have "parseFunction" to optimize Function constructor
1612         https://bugs.webkit.org/show_bug.cgi?id=190340
1613
1614         Reviewed by Mark Lam.
1615
1616         This patch fixes the line number of syntax errors raised by the Function constructor,
1617         since we now parse the final code only once. And we no longer use block statement
1618         for Function constructor's parsing.
1619
1620         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1621         * stress/function-cache-with-parameters-end-position.js: Added.
1622         (shouldBe):
1623         (shouldThrow):
1624         (i.anonymous):
1625         * stress/function-constructor-name.js: Added.
1626         (shouldBe):
1627         (GeneratorFunction):
1628         (AsyncFunction.async):
1629         (AsyncGeneratorFunction.async):
1630         (anonymous):
1631         (async.anonymous):
1632         * test262/expectations.yaml:
1633
1634 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1635
1636         Unreviewed, rolling out r237242.
1637         https://bugs.webkit.org/show_bug.cgi?id=190701
1638
1639         it breaks "stress/sampling-profiler-basic.js" (Requested by
1640         caiolima on #webkit).
1641
1642         Reverted changeset:
1643
1644         "[BigInt] Add ValueSub into DFG"
1645         https://bugs.webkit.org/show_bug.cgi?id=186176
1646         https://trac.webkit.org/changeset/237242
1647
1648 2018-10-17  Keith Miller  <keith_miller@apple.com>
1649
1650         AI does not clear Phantom allocation nodes.
1651         https://bugs.webkit.org/show_bug.cgi?id=190694
1652
1653         Reviewed by Saam Barati.
1654
1655         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1656         (Day):
1657         (DaysInYear):
1658         (TimeInYear):
1659         (TimeFromYear):
1660         (DayFromYear):
1661         (InLeapYear):
1662         (YearFromTime):
1663         (WeekDay):
1664         (DaylightSavingTA):
1665         (GetSecondSundayInMarch):
1666         (TimeInMonth):
1667
1668 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1669
1670         [BigInt] Add ValueSub into DFG
1671         https://bugs.webkit.org/show_bug.cgi?id=186176
1672
1673         Reviewed by Yusuke Suzuki.
1674
1675         * stress/big-int-subtraction-jit.js:
1676         * stress/value-sub-big-int-prediction-propagation.js: Added.
1677         * stress/value-sub-big-int-untyped.js: Added.
1678
1679 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1680
1681         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1682         https://bugs.webkit.org/show_bug.cgi?id=190611
1683
1684         Reviewed by Saam Barati.
1685
1686         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1687         to improve test runtime. On ARM/MIPS this test even timed out when running all
1688         tests.
1689
1690         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1691         (test):
1692
1693 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1694
1695         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1696
1697         Unreviewed gardening.
1698
1699         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1700
1701 2018-10-15  Saam barati  <sbarati@apple.com>
1702
1703         Emit fjcvtzs on ARM64E on Darwin
1704         https://bugs.webkit.org/show_bug.cgi?id=184023
1705
1706         Reviewed by Yusuke Suzuki and Filip Pizlo.
1707
1708         * stress/double-to-int32-NaN.js: Added.
1709         (assert):
1710         (foo):
1711
1712 2018-10-15  Saam Barati  <sbarati@apple.com>
1713
1714         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1715         https://bugs.webkit.org/show_bug.cgi?id=190262
1716         <rdar://problem/44986241>
1717
1718         Reviewed by Mark Lam.
1719
1720         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1721         (test):
1722         * stress/slice-array-storage-with-holes.js: Added.
1723         (main):
1724
1725 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1726
1727         Unreviewed, rolling out r237054.
1728         https://bugs.webkit.org/show_bug.cgi?id=190593
1729
1730         "this regressed JetStream 2 by 6% on iOS" (Requested by
1731         saamyjoon on #webkit).
1732
1733         Reverted changeset:
1734
1735         "[JSC] JSC should have "parseFunction" to optimize Function
1736         constructor"
1737         https://bugs.webkit.org/show_bug.cgi?id=190340
1738         https://trac.webkit.org/changeset/237054
1739
1740 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1741
1742         [JSC] JSON.stringify can accept call-with-no-arguments
1743         https://bugs.webkit.org/show_bug.cgi?id=190343
1744
1745         Reviewed by Mark Lam.
1746
1747         * stress/json-stringify-no-arguments.js: Added.
1748         (shouldBe):
1749
1750 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1751
1752         [JSC] JSC should have "parseFunction" to optimize Function constructor
1753         https://bugs.webkit.org/show_bug.cgi?id=190340
1754
1755         Reviewed by Mark Lam.
1756
1757         This patch fixes the line number of syntax errors raised by the Function constructor,
1758         since we now parse the final code only once. And we no longer use block statement
1759         for Function constructor's parsing.
1760
1761         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1762         * stress/function-cache-with-parameters-end-position.js: Added.
1763         (shouldBe):
1764         (shouldThrow):
1765         (i.anonymous):
1766         * stress/function-constructor-name.js: Added.
1767         (shouldBe):
1768         (GeneratorFunction):
1769         (AsyncFunction.async):
1770         (AsyncGeneratorFunction.async):
1771         (anonymous):
1772         (async.anonymous):
1773         * test262/expectations.yaml:
1774
1775 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1776
1777         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1778         https://bugs.webkit.org/show_bug.cgi?id=190426
1779
1780         Unreviewed gardening.
1781
1782         * stress/sampling-profiler-richards.js:
1783
1784 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1785
1786         [ESNext][BigInt] Implement support for "|"
1787         https://bugs.webkit.org/show_bug.cgi?id=186229
1788
1789         Reviewed by Yusuke Suzuki.
1790
1791         * stress/big-int-bitwise-and-jit.js:
1792         * stress/big-int-bitwise-or-general.js: Added.
1793         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1794         * stress/big-int-bitwise-or-jit.js: Added.
1795         * stress/big-int-bitwise-or-memory-stress.js: Added.
1796         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1797         * stress/big-int-bitwise-or-type-error.js: Added.
1798         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1799
1800 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1801
1802         Skip test on systems with limited memory
1803         https://bugs.webkit.org/show_bug.cgi?id=190310
1804
1805         Invoking runDefault adds test to runlist; skipping the test in the next
1806         line does not prevent the test from executing. Change order of lines such
1807         that runDefault is only executed if test is not executed.
1808
1809         Reviewed by Mark Lam.
1810
1811         * stress/regress-190187.js:
1812
1813 2018-10-03  Saam barati  <sbarati@apple.com>
1814
1815         lowXYZ in FTLLower should always filter the type of the incoming edge
1816         https://bugs.webkit.org/show_bug.cgi?id=189939
1817         <rdar://problem/44407030>
1818
1819         Reviewed by Michael Saboff.
1820
1821         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1822         (foo):
1823         (test):
1824
1825 2018-10-03  Mark Lam  <mark.lam@apple.com>
1826
1827         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1828         https://bugs.webkit.org/show_bug.cgi?id=190187
1829         <rdar://problem/42512909>
1830
1831         Reviewed by Michael Saboff.
1832
1833         * stress/regress-190187.js: Added.
1834
1835 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1836
1837         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1838         https://bugs.webkit.org/show_bug.cgi?id=190033
1839
1840         Reviewed by Yusuke Suzuki.
1841
1842         * stress/big-int-to-string.js:
1843
1844 2018-10-01  Mark Lam  <mark.lam@apple.com>
1845
1846         Function.toString() should also copy the source code of Functions that are class definitions.
1847         https://bugs.webkit.org/show_bug.cgi?id=190186
1848         <rdar://problem/44733360>
1849
1850         Reviewed by Saam Barati.
1851
1852         * stress/regress-190186.js: Added.
1853
1854 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1855
1856         Split NaN-check into separate test
1857         https://bugs.webkit.org/show_bug.cgi?id=190010
1858
1859         Reviewed by Saam Barati.
1860
1861         DataView exposes NaN-representation, which is not necessarily the same on each
1862         architecture. Therefore move the check of the NaN-representation into its own
1863         file such that we can disable this test on MIPS where NaN-representation can be
1864         different on older CPUs.
1865
1866         * stress/dataview-jit-set-nan.js: Added.
1867         (assert):
1868         (test.storeLittleEndian):
1869         (test.storeBigEndian):
1870         (test.store):
1871         (test):
1872         * stress/dataview-jit-set.js:
1873         (test5):
1874
1875 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1876
1877         Unreviewed, rolling out r236647.
1878         https://bugs.webkit.org/show_bug.cgi?id=190124
1879
1880         Breaking test stress/big-int-to-string.js (Requested by
1881         caiolima_ on #webkit).
1882
1883         Reverted changeset:
1884
1885         "[BigInt] BigInt.prototype.toString is broken when radix is
1886         power of 2"
1887         https://bugs.webkit.org/show_bug.cgi?id=190033
1888         https://trac.webkit.org/changeset/236647
1889
1890 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1891
1892         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1893         https://bugs.webkit.org/show_bug.cgi?id=190033
1894
1895         Reviewed by Yusuke Suzuki.
1896
1897         * stress/big-int-to-string.js:
1898
1899 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1900
1901         [ESNext][BigInt] Implement support for "&"
1902         https://bugs.webkit.org/show_bug.cgi?id=186228
1903
1904         Reviewed by Yusuke Suzuki.
1905
1906         * stress/big-int-bitwise-and-general.js: Added.
1907         (assert):
1908         (assert.sameValue):
1909         * stress/big-int-bitwise-and-jit.js: Added.
1910         (let.assert.sameValue):
1911         (bigIntBitAnd):
1912         * stress/big-int-bitwise-and-memory-stress.js: Added.
1913         (assert):
1914         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1915         (assert.sameValue):
1916         (let.o.Symbol.toPrimitive):
1917         (catch):
1918         * stress/big-int-bitwise-and-type-error.js: Added.
1919         (assert):
1920         (assertThrowTypeError):
1921         (let.o.valueOf):
1922         (o.valueOf):
1923         (o.toString):
1924         (o.Symbol.toPrimitive):
1925         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1926         (assert.sameValue):
1927         (testBitAnd):
1928         (let.o.Symbol.toPrimitive):
1929         (o.valueOf):
1930         (o.toString):
1931
1932 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1933
1934         JSC test stress/jsc-read.js doesn't support CRLF
1935         https://bugs.webkit.org/show_bug.cgi?id=190063
1936
1937         Reviewed by Yusuke Suzuki.
1938
1939         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1940
1941         * stress/jsc-read.js:
1942         (test):
1943
1944 2018-09-27  Saam barati  <sbarati@apple.com>
1945
1946         Verify the contents of AssemblerBuffer on arm64e
1947         https://bugs.webkit.org/show_bug.cgi?id=190057
1948         <rdar://problem/38916630>
1949
1950         Reviewed by Mark Lam.
1951
1952         * stress/regress-189132.js:
1953
1954 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1955
1956         Disable test without LLInt on ARMv7
1957         https://bugs.webkit.org/show_bug.cgi?id=190037
1958
1959         Reviewed by Mark Lam.
1960
1961         Test runs out of executable memory on ARMv7; do not run
1962         this test without LLInt enabled.
1963
1964         * stress/regress-169445.js:
1965
1966 2018-09-26  Keith Miller  <keith_miller@apple.com>
1967
1968         We should zero unused property storage when rebalancing array storage.
1969         https://bugs.webkit.org/show_bug.cgi?id=188151
1970
1971         Reviewed by Michael Saboff.
1972
1973         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1974
1975 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1976
1977         [JSC] Optimize Array#lastIndexOf
1978         https://bugs.webkit.org/show_bug.cgi?id=189780
1979
1980         Reviewed by Saam Barati.
1981
1982         * stress/array-lastindexof-array-prototype-trap.js: Added.
1983         (shouldBe):
1984         (AncestorArray.prototype.get 2):
1985         (AncestorArray):
1986         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1987         (shouldBe):
1988         * stress/array-lastindexof-hole-nan.js: Added.
1989         (shouldBe):
1990         (throw.new.Error):
1991         * stress/array-lastindexof-infinity.js: Added.
1992         (shouldBe):
1993         (throw.new.Error):
1994         * stress/array-lastindexof-negative-zero.js: Added.
1995         (shouldBe):
1996         (throw.new.Error):
1997         * stress/array-lastindexof-own-getter.js: Added.
1998         (shouldBe):
1999         (throw.new.Error.get array):
2000         (get array):
2001         * stress/array-lastindexof-prototype-trap.js: Added.
2002         (shouldBe):
2003         (DerivedArray.prototype.get 2):
2004         (DerivedArray):
2005
2006 2018-09-25  Saam Barati  <sbarati@apple.com>
2007
2008         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2009         https://bugs.webkit.org/show_bug.cgi?id=189940
2010         <rdar://problem/43640987>
2011
2012         Reviewed by Mark Lam.
2013
2014         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2015
2016 2018-09-24  Saam Barati  <sbarati@apple.com>
2017
2018         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2019         https://bugs.webkit.org/show_bug.cgi?id=189922
2020         <rdar://problem/44651275>
2021
2022         Reviewed by Mark Lam.
2023
2024         * stress/array-indexof-fast-path-effects.js: Added.
2025         * stress/array-indexof-cached-length.js: Added.
2026
2027 2018-09-24  Saam barati  <sbarati@apple.com>
2028
2029         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2030         https://bugs.webkit.org/show_bug.cgi?id=189682
2031         <rdar://problem/43557315>
2032
2033         Reviewed by Mark Lam.
2034
2035         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
2036         (foo):
2037
2038 2018-09-22  Saam barati  <sbarati@apple.com>
2039
2040         The sampling should not use Strong<CodeBlock> in its machineLocation field
2041         https://bugs.webkit.org/show_bug.cgi?id=189319
2042
2043         Reviewed by Filip Pizlo.
2044
2045         * stress/sampling-profiler-richards.js: Added.
2046
2047 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2048
2049         [JSC] Optimize Array#indexOf in C++ runtime
2050         https://bugs.webkit.org/show_bug.cgi?id=189507
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/array-indexof-array-prototype-trap.js: Added.
2055         (shouldBe):
2056         (AncestorArray.prototype.get 2):
2057         (AncestorArray):
2058         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
2059         (shouldBe):
2060         * stress/array-indexof-hole-nan.js: Added.
2061         (shouldBe):
2062         (throw.new.Error):
2063         * stress/array-indexof-infinity.js: Added.
2064         (shouldBe):
2065         (throw.new.Error):
2066         * stress/array-indexof-negative-zero.js: Added.
2067         (shouldBe):
2068         (throw.new.Error):
2069         * stress/array-indexof-own-getter.js: Added.
2070         (shouldBe):
2071         (throw.new.Error.get array):
2072         (get array):
2073         * stress/array-indexof-prototype-trap.js: Added.
2074         (shouldBe):
2075         (DerivedArray.prototype.get 2):
2076         (DerivedArray):
2077
2078 2018-09-19  Saam barati  <sbarati@apple.com>
2079
2080         AI rule for MultiPutByOffset executes its effects in the wrong order
2081         https://bugs.webkit.org/show_bug.cgi?id=189757
2082         <rdar://problem/43535257>
2083
2084         Reviewed by Michael Saboff.
2085
2086         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
2087         (foo):
2088         (Foo):
2089         (g):
2090
2091 2018-09-17  Mark Lam  <mark.lam@apple.com>
2092
2093         Ensure that ForInContexts are invalidated if their loop local is over-written.
2094         https://bugs.webkit.org/show_bug.cgi?id=189571
2095         <rdar://problem/44402277>
2096
2097         Reviewed by Saam Barati.
2098
2099         * stress/regress-189571.js: Added.
2100
2101 2018-09-17  Saam barati  <sbarati@apple.com>
2102
2103         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
2104         https://bugs.webkit.org/show_bug.cgi?id=189676
2105         <rdar://problem/39682897>
2106
2107         Reviewed by Michael Saboff.
2108
2109         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
2110         (A):
2111         (K):
2112         (i.catch):
2113
2114 2018-09-14  Saam barati  <sbarati@apple.com>
2115
2116         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
2117         https://bugs.webkit.org/show_bug.cgi?id=189628
2118         <rdar://problem/39481690>
2119
2120         Reviewed by Mark Lam.
2121
2122         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
2123         (foo):
2124
2125 2018-09-11  Mark Lam  <mark.lam@apple.com>
2126
2127         Test for array initialization in arrayProtoFuncSplice.
2128         https://bugs.webkit.org/show_bug.cgi?id=170253
2129         <rdar://problem/31328773>
2130
2131         Rubber-stamped by Saam Barati.
2132
2133         * stress/regress-170253.js: Added.
2134
2135 2018-09-11  Mark Lam  <mark.lam@apple.com>
2136
2137         Test for IntlObject initialization.
2138         https://bugs.webkit.org/show_bug.cgi?id=170251
2139         <rdar://problem/31328419>
2140
2141         Rubber-stamped by Saam Barati.
2142
2143         * stress/regress-170251.js: Added.
2144
2145 2018-09-11  Mark Lam  <mark.lam@apple.com>
2146
2147         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
2148         https://bugs.webkit.org/show_bug.cgi?id=169889
2149         <rdar://problem/31155607>
2150
2151         Reviewed by Saam Barati.
2152
2153         * stress/regress-169889-array-concat.js: Added.
2154         * stress/regress-169889-array-concat1.js: Added.
2155         * stress/regress-169889-array-slice.js: Added.
2156
2157 2018-09-11  Mark Lam  <mark.lam@apple.com>
2158
2159         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
2160         https://bugs.webkit.org/show_bug.cgi?id=169445
2161         <rdar://problem/30957435>
2162
2163         Reviewed by Saam Barati.
2164
2165         * stress/regress-169445.js: Added.
2166         (let.gun.eval.A):
2167         (let.gun.eval.B.C):
2168         (let.gun.eval.B.C.prototype.trigger):
2169         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
2170         (let.gun.eval.B):
2171         (let.gun.eval):
2172
2173 == Rolled over to ChangeLog-2018-09-11 ==