We should clear m_needsOverflowCheck when hitting an exception in defineProperties...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2
3         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
4         https://bugs.webkit.org/show_bug.cgi?id=196746
5
6         Reviewed by Yusuke Suzuki.
7
8         * stress/cyclic-define-properties.js: Added.
9         (foo):
10
11 2019-04-09  Saam barati  <sbarati@apple.com>
12
13         Clean up Int52 code and some bugs in it
14         https://bugs.webkit.org/show_bug.cgi?id=196639
15         <rdar://problem/49515757>
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
20
21 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
22
23         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
24         https://bugs.webkit.org/show_bug.cgi?id=196708
25         <rdar://problem/49556803>
26
27         Reviewed by Yusuke Suzuki.
28
29         * stress/proxy-getter-stack-overflow.js: Added.
30         (const.handler.get target):
31         (const.handler.has):
32         (try.with):
33         (catch):
34
35 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
36
37         [JSC] DFG should respect node's strict flag
38         https://bugs.webkit.org/show_bug.cgi?id=196617
39
40         Reviewed by Saam Barati.
41
42         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
43         (shouldEqual):
44         (makeUnwriteableUnconfigurableObject):
45         (runTest):
46         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
47         (shouldBe):
48         (shouldThrow):
49         (with.result):
50         (with.putValueStrict):
51         (with.putValueSloppy):
52
53 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
54
55         [JSC] isRope jump in StringSlice should not jump over register allocations
56         https://bugs.webkit.org/show_bug.cgi?id=196716
57
58         Reviewed by Saam Barati.
59
60         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
61         (foo.bar):
62         (foo):
63
64 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
65
66         [JSC] to_index_string should not assume incoming value is Uint32
67         https://bugs.webkit.org/show_bug.cgi?id=196713
68
69         Reviewed by Saam Barati.
70
71         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
72         (foo):
73
74 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
75
76         [JSC] Add more tests for r243966
77         https://bugs.webkit.org/show_bug.cgi?id=196711
78
79         Reviewed by Saam Barati.
80
81         Adding one more test for r243966 fix. The added test will not crash after r243966.
82
83         * stress/stress-cleared-calllinkinfo.js: Added.
84         (runNearStackLimit.t):
85         (runNearStackLimit):
86         (repeat):
87         (cls):
88         (let.item.of.array.runNearStackLimit):
89
90 2019-04-08  Saam Barati  <sbarati@apple.com>
91
92         WebAssembly.RuntimeError missing exception check
93         https://bugs.webkit.org/show_bug.cgi?id=196700
94         <rdar://problem/49693932>
95
96         Reviewed by Yusuke Suzuki.
97
98         * wasm/js-api/runtime-error-should-exception-check.js: Added.
99
100 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
101
102         Unreviewed, rolling in r243948 with test fix
103         https://bugs.webkit.org/show_bug.cgi?id=196486
104
105         * stress/arrow-function-and-use-strict-directive.js: Added.
106         * stress/arrow-function-syntax.js: Added.
107         (checkSyntax):
108         (checkSyntaxError):
109
110 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
111
112         Unreviewed, rolling out r243948.
113
114         Caused inspector/runtime/parse.html to fail
115
116         Reverted changeset:
117
118         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
119         https://bugs.webkit.org/show_bug.cgi?id=196486
120         https://trac.webkit.org/changeset/243948
121
122 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
123
124         Unreviewed, rolling out r243943.
125
126         Caused test262 failures.
127
128         Reverted changeset:
129
130         "[JSC] Filter DontEnum properties in
131         ProxyObject::getOwnPropertyNames()"
132         https://bugs.webkit.org/show_bug.cgi?id=176810
133         https://trac.webkit.org/changeset/243943
134
135 2019-04-07  Michael Saboff  <msaboff@apple.com>
136
137         REGRESSION (r243642): Crash in reddit.com page
138         https://bugs.webkit.org/show_bug.cgi?id=196684
139
140         Reviewed by Geoffrey Garen.
141
142         New regression test.
143
144         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
145
146 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
147
148         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
149         https://bugs.webkit.org/show_bug.cgi?id=196683
150
151         Reviewed by Saam Barati.
152
153         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
154         (foo):
155
156 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
157
158         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
159         https://bugs.webkit.org/show_bug.cgi?id=196582
160
161         Reviewed by Saam Barati.
162
163         * stress/add-overflow-check-with-three-same-registers.js: Added.
164         (foo):
165         (Number.prototype.valueOf):
166         (runWithNumber):
167
168 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
169
170         Unreviewed, rolling out r243665.
171
172         Caused iOS JSC tests to exit with an exception.
173
174         Reverted changeset:
175
176         "Assertion failed in JSC::createError"
177         https://bugs.webkit.org/show_bug.cgi?id=196305
178         https://trac.webkit.org/changeset/243665
179
180 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
181
182         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
183         https://bugs.webkit.org/show_bug.cgi?id=196486
184
185         Reviewed by Saam Barati.
186
187         * stress/arrow-function-and-use-strict-directive.js: Added.
188         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
189         (checkSyntax):
190         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
191
192 2019-04-05  Caitlin Potter  <caitp@igalia.com>
193
194         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
195         https://bugs.webkit.org/show_bug.cgi?id=176810
196
197         Reviewed by Saam Barati.
198
199         Add tests for the DontEnum filtering, and variations of other tests
200         take the DontEnum-filtering path.
201
202         * stress/proxy-own-keys.js:
203         (i.catch):
204         (set assert):
205         (set add):
206         (let.set new):
207         (get let):
208
209 2019-04-05  Caitlin Potter  <caitp@igalia.com>
210
211         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
212         https://bugs.webkit.org/show_bug.cgi?id=185211
213
214         Reviewed by Saam Barati.
215
216         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
217
218         This changes several assertions to expect a TypeError to be thrown (in some cases,
219         changing thee expected message).
220
221         * es6/Proxy_ownKeys_duplicates.js:
222         (handler):
223         (shouldThrow):
224         (test):
225         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
226         (shouldThrow):
227         * stress/proxy-own-keys.js:
228         (i.catch):
229         (assert):
230
231 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
232
233         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
234         https://bugs.webkit.org/show_bug.cgi?id=196631
235
236         Reviewed by Saam Barati.
237
238         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
239         (assert):
240         (test):
241         (foo):
242
243 2019-04-04  Saam Barati  <sbarati@apple.com>
244
245         Unreviewed. Make the test from r243906 catch the thrown exceptions.
246
247         * stress/inferred-types-regex-matches-array.js:
248
249 2019-04-04  Saam Barati  <sbarati@apple.com>
250
251         createRegExpMatchesArray does not respect inferred types
252         https://bugs.webkit.org/show_bug.cgi?id=193287
253
254         Reviewed by Yusuke Suzuki.
255
256         This checks in the test case for 193287. This issue was discovered by
257         Samuel GroƟ of Google Project Zero.
258
259         * stress/inferred-types-regex-matches-array.js: Added.
260
261 2019-04-04  Saam barati  <sbarati@apple.com>
262
263         Teach Call ICs how to call Wasm
264         https://bugs.webkit.org/show_bug.cgi?id=196387
265
266         Reviewed by Filip Pizlo.
267
268         * wasm/function-tests/stack-trace.js:
269
270 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
271
272         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
273         https://bugs.webkit.org/show_bug.cgi?id=194944
274
275         Reviewed by Keith Miller.
276
277         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
278
279 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
280
281         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
282         https://bugs.webkit.org/show_bug.cgi?id=196409
283
284         Reviewed by Saam Barati.
285
286         * stress/bytecode-cache-cached-string-impl.js: Added.
287         (f):
288         (g):
289         * stress/bytecode-cache-run-string.js: Added.
290
291 2019-04-03  Robin Morisset  <rmorisset@apple.com>
292
293         B3 should use associativity to optimize expression trees
294         https://bugs.webkit.org/show_bug.cgi?id=194081
295
296         Reviewed by Filip Pizlo.
297
298         Added three microbenchmarks:
299         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
300         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
301           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
302         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
303
304         * microbenchmarks/add-tree.js: Added.
305         * microbenchmarks/bit-or-tree.js: Added.
306         * microbenchmarks/bit-xor-tree.js: Added.
307
308 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
309
310         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
311         https://bugs.webkit.org/show_bug.cgi?id=196574
312
313         Reviewed by Saam Barati.
314
315         * stress/string-index-of-exception-check.js: Added.
316         (blurType):
317         (1.forEach):
318
319 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
320
321         Assertion failed in JSC::createError
322         https://bugs.webkit.org/show_bug.cgi?id=196305
323         <rdar://problem/49387382>
324
325         Reviewed by Saam Barati.
326
327         * stress/create-error-out-of-memory-rope-string-2.js: Added.
328         (assert):
329         (catch):
330
331 2019-03-28  Saam Barati  <sbarati@apple.com>
332
333         BackwardsGraph needs to consider back edges as the backward's root successor
334         https://bugs.webkit.org/show_bug.cgi?id=195991
335
336         Reviewed by Filip Pizlo.
337
338         * stress/map-b3-licm-infinite-loop.js: Added.
339
340 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
341
342         CodeBlock::jettison() should disallow repatching its own calls
343         https://bugs.webkit.org/show_bug.cgi?id=196359
344         <rdar://problem/48973663>
345
346         Reviewed by Saam Barati.
347
348         * stress/call-link-info-osrexit-repatch.js: Added.
349         (foo):
350
351 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
352
353         [JSC] imports-oom.js intermittently fails
354         https://bugs.webkit.org/show_bug.cgi?id=196373
355
356         Reviewed by Saam Barati.
357
358         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
359         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
360         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
361         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
362         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
363
364         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
365         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
366
367         * wasm/lowExecutableMemory/imports-oom.js:
368
369 2019-03-27  Saam Barati  <sbarati@apple.com>
370
371         validateOSREntryValue with Int52 should box the value being checked into double format
372         https://bugs.webkit.org/show_bug.cgi?id=196313
373         <rdar://problem/49306703>
374
375         Reviewed by Yusuke Suzuki.
376
377         * stress/validate-int-52-ai-state.js: Added.
378
379 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
380
381         [JSC] Owner of watchpoints should validate at GC finalizing phase
382         https://bugs.webkit.org/show_bug.cgi?id=195827
383
384         Reviewed by Filip Pizlo.
385
386         * stress/gc-should-reap-dead-watchpoints.js: Added.
387         (foo):
388         (A.prototype.y):
389         (A):
390
391 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
392
393         Skip WebAssembly test on 32-bit systems
394         https://bugs.webkit.org/show_bug.cgi?id=196206
395
396         Reviewed by Saam Barati.
397
398         Invoking runDefault executes test immediately even though
399         that test should be skipped due to missing WASM support.
400         Therefore remove runDefault.
401
402         * wasm/regress/web-assembly-link-error-exception-check.js:
403
404 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
405
406         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
407         https://bugs.webkit.org/show_bug.cgi?id=196217
408
409         Reviewed by Saam Barati.
410
411         Re-enable all NaN tests for f32.min, f64.min and f64.max.
412
413         * wasm/spec-tests/f32.wast.js:
414         * wasm/spec-tests/f64.wast.js:
415         * wasm/wasm.json:
416
417 2019-03-25  Keith Miller  <keith_miller@apple.com>
418
419         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
420         https://bugs.webkit.org/show_bug.cgi?id=196176
421
422         Reviewed by Saam Barati.
423
424         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
425         (main.v10):
426         (main):
427
428 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
429
430         WebAssembly: f32.max with NaN generates incorrect result
431         https://bugs.webkit.org/show_bug.cgi?id=175691
432         <rdar://problem/33952228>
433
434         Reviewed by Saam Barati.
435
436         Enable all f32.max NaN tests
437
438         * wasm/spec-tests/f32.wast.js:
439         * wasm/wasm.json:
440
441 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
442
443         [JSC] Move test into directory for WASM tests
444         https://bugs.webkit.org/show_bug.cgi?id=196187
445
446         Reviewed by Mark Lam.
447
448         Move Test into wasm-directory. Otherwise this test
449         is also executed on systems without WASM support.
450
451         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
452
453 2019-03-23  Mark Lam  <mark.lam@apple.com>
454
455         Rolling out r243032 and r243071 because the fix is incorrect.
456         https://bugs.webkit.org/show_bug.cgi?id=195892
457         <rdar://problem/48981239>
458
459         Not reviewed.
460
461         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
462
463 2019-03-22  Mark Lam  <mark.lam@apple.com>
464
465         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
466         https://bugs.webkit.org/show_bug.cgi?id=196154
467         <rdar://problem/49145307>
468
469         Reviewed by Filip Pizlo.
470
471         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
472         There's no need to run this test on more than 1 test configuration.
473
474         * stress/typed-array-lastIndexOf-exception-check.js: Added.
475         * stress/web-assembly-link-error-exception-check.js:
476
477 2019-03-22  Mark Lam  <mark.lam@apple.com>
478
479         Placate exception check validation in constructJSWebAssemblyLinkError().
480         https://bugs.webkit.org/show_bug.cgi?id=196152
481         <rdar://problem/49145257>
482
483         Reviewed by Michael Saboff.
484
485         * stress/web-assembly-link-error-exception-check.js: Added.
486
487 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
488
489         Skip tests running out of memory on ARM/MIPS
490         https://bugs.webkit.org/show_bug.cgi?id=196131
491
492         Unreviewed. Skip test if memory is limited.
493
494         * microbenchmarks/put-by-val-direct-large-index.js:
495
496 2019-03-21  Mark Lam  <mark.lam@apple.com>
497
498         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
499         https://bugs.webkit.org/show_bug.cgi?id=196116
500         <rdar://problem/48976951>
501
502         Reviewed by Filip Pizlo.
503
504         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
505
506 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
507
508         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
509         https://bugs.webkit.org/show_bug.cgi?id=196078
510         <rdar://problem/35925380>
511
512         Reviewed by Mark Lam.
513
514         Add a new benchmark that allocates several objects and invokes put_by_val_direct
515         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
516
517         * microbenchmarks/put-by-val-direct-large-index.js: Added.
518
519 2019-03-21  Mark Lam  <mark.lam@apple.com>
520
521         Placate exception check validation in operationArrayIndexOfString().
522         https://bugs.webkit.org/show_bug.cgi?id=196067
523         <rdar://problem/49056572>
524
525         Reviewed by Michael Saboff.
526
527         * stress/string-equal-exception-check.js: Added.
528
529 2019-03-21  Mark Lam  <mark.lam@apple.com>
530
531         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
532         https://bugs.webkit.org/show_bug.cgi?id=196055
533         <rdar://problem/49067448>
534
535         Reviewed by Yusuke Suzuki.
536
537         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
538
539 2019-03-20  Saam Barati  <sbarati@apple.com>
540
541         typeOfDoubleSum is wrong for when NaN can be produced
542         https://bugs.webkit.org/show_bug.cgi?id=196030
543
544         Reviewed by Filip Pizlo.
545
546         * stress/double-add-sub-mul-can-produce-nan.js: Added.
547         (assert):
548         (noInline.sub):
549         (noInline):
550         (assert.mul):
551         (assert.add):
552
553 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
554
555         Update the test to ensure OutOfMemoryError is thrown as intended
556         https://bugs.webkit.org/show_bug.cgi?id=196032
557         <rdar://problem/46842740>
558
559         Rubber stamped by Saam Barati.
560
561         * stress/create-error-out-of-memory-rope-string.js:
562         (assert):
563         (catch):
564
565 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
566
567         JSC::createError needs to check for OOM in errorDescriptionForValue
568         https://bugs.webkit.org/show_bug.cgi?id=196032
569         <rdar://problem/46842740>
570
571         Reviewed by Mark Lam.
572
573         * stress/create-error-out-of-memory-rope-string.js: Added.
574
575 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
576
577         Unreviewed, reduce # of iterations to avoid timing out after r242991
578         https://bugs.webkit.org/show_bug.cgi?id=195791
579
580         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
581
582         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
583
584 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
585
586         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
587         https://bugs.webkit.org/show_bug.cgi?id=195950
588
589         Unreviewed, reducing the amount of memory used on this test to avoid
590         OOM on devices with memory restrictions.
591
592         * microbenchmarks/generate-multiple-llint-entrypoints.js:
593
594 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
595
596         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
597         https://bugs.webkit.org/show_bug.cgi?id=194648
598
599         Reviewed by Keith Miller.
600
601         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
602
603 2019-03-18  Mark Lam  <mark.lam@apple.com>
604
605         Missing a ThrowScope release in JSObject::toString().
606         https://bugs.webkit.org/show_bug.cgi?id=195893
607         <rdar://problem/48970986>
608
609         Reviewed by Michael Saboff.
610
611         * stress/to-string-exception-check-release.js: Added.
612
613 2019-03-18  Mark Lam  <mark.lam@apple.com>
614
615         Structure::flattenDictionary() should clear unused property slots.
616         https://bugs.webkit.org/show_bug.cgi?id=195871
617         <rdar://problem/48959497>
618
619         Reviewed by Michael Saboff.
620
621         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
622
623 2019-03-15  Mark Lam  <mark.lam@apple.com>
624
625         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
626         https://bugs.webkit.org/show_bug.cgi?id=195827
627         <rdar://problem/48845513>
628
629         Reviewed by Filip Pizlo.
630
631         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
632
633 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
634
635         [ARM,MIPS] Skip slow tests
636         https://bugs.webkit.org/show_bug.cgi?id=195799
637
638         Unreviewed, test does not finish on ARM and MIPS within the
639         timeout limit.
640
641         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
642
643 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
646         https://bugs.webkit.org/show_bug.cgi?id=195791
647         <rdar://problem/48806130>
648
649         Reviewed by Mark Lam.
650
651         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
652         (foo):
653
654 2019-03-14  Saam barati  <sbarati@apple.com>
655
656         We can't remove code after ForceOSRExit until after FixupPhase
657         https://bugs.webkit.org/show_bug.cgi?id=186916
658         <rdar://problem/41396612>
659
660         Reviewed by Yusuke Suzuki.
661
662         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
663         (foo):
664         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
665         (foo):
666
667 2019-03-13  Michael Saboff  <msaboff@apple.com>
668
669         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
670         https://bugs.webkit.org/show_bug.cgi?id=195735
671
672         Reviewed by Mark Lam.
673
674         New regression test.
675
676         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
677         (foo):
678         (bar):
679
680 2019-03-14  Saam barati  <sbarati@apple.com>
681
682         Fixup uses KnownInt32 incorrectly in some nodes
683         https://bugs.webkit.org/show_bug.cgi?id=195279
684         <rdar://problem/47915654>
685
686         Reviewed by Yusuke Suzuki.
687
688         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
689         (foo):
690
691 2019-03-14  Keith Miller  <keith_miller@apple.com>
692
693         DFG liveness can't skip tail caller inline frames
694         https://bugs.webkit.org/show_bug.cgi?id=195715
695
696         Reviewed by Saam Barati.
697
698         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
699         (i.foo):
700
701 2019-03-13  Mark Lam  <mark.lam@apple.com>
702
703         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
704         https://bugs.webkit.org/show_bug.cgi?id=195415
705
706         Not reviewed.
707
708         Changed these tests to only run the default configuration.
709         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
710         There's no strong need to run this test on that variant.
711
712         * stress/dfg-to-string-on-int-does-gc.js:
713         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
714
715 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
716
717         String overflow when using StringBuilder in JSC::createError
718         https://bugs.webkit.org/show_bug.cgi?id=194957
719
720         Reviewed by Mark Lam.
721
722         Add test string-overflow-createError-bulder.js that overflows
723         StringBuilder in notAFunctionSourceAppender. The second new test
724         string-overflow-createError-fit.js has an error message that doesn't
725         overflow, it still failed since the String's capacity can't be doubled.
726         Run test string-overflow-createError.js only in the default
727         configuration to reduce memory consumption when running the test
728         in all configurations on multiple CPUs in parallel.
729
730         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
731         (catch):
732         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
733         (catch):
734         * stress/string-overflow-createError.js:
735
736 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         [JSC] OSR entry should respect abstract values in addition to flush formats
739         https://bugs.webkit.org/show_bug.cgi?id=195653
740
741         Reviewed by Mark Lam.
742
743         * stress/osr-entry-locals-none.js: Added.
744
745 2019-03-12  Michael Saboff  <msaboff@apple.com>
746
747         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
748         https://bugs.webkit.org/show_bug.cgi?id=195613
749
750         Reviewed by Mark Lam.
751
752         New regression test.
753
754         * stress/regexp-backref-inbounds.js: Added.
755         (testRegExp):
756
757 2019-03-12  Mark Lam  <mark.lam@apple.com>
758
759         The HasIndexedProperty node does GC.
760         https://bugs.webkit.org/show_bug.cgi?id=195559
761         <rdar://problem/48767923>
762
763         Reviewed by Yusuke Suzuki.
764
765         * stress/HasIndexedProperty-does-gc.js: Added.
766
767 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
768
769         [ESNext][BigInt] Implement "~" unary operation
770         https://bugs.webkit.org/show_bug.cgi?id=182216
771
772         Reviewed by Keith Miller.
773
774         * stress/big-int-bit-not-general.js: Added.
775         * stress/big-int-bitwise-not-jit.js: Added.
776         * stress/big-int-bitwise-not-wrapped-value.js: Added.
777         * stress/bit-op-with-object-returning-int32.js:
778         * stress/bitwise-not-fixup-rules.js: Added.
779         * stress/value-bit-not-ai-rule.js: Added.
780
781 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
782
783         Invalid flags in a RegExp literal should be an early SyntaxError
784         https://bugs.webkit.org/show_bug.cgi?id=195514
785
786         Reviewed by Darin Adler.
787
788         * test262/expectations.yaml:
789         Mark 4 test cases as passing.
790
791         * stress/regexp-syntax-error-invalid-flags.js:
792         * stress/regress-161995.js: Removed.
793         Update existing test, merging in an older test for the same behavior.
794
795 2019-03-08  Mark Lam  <mark.lam@apple.com>
796
797         Stack overflow crash in JSC::JSObject::hasInstance.
798         https://bugs.webkit.org/show_bug.cgi?id=195458
799         <rdar://problem/48710195>
800
801         Reviewed by Yusuke Suzuki.
802
803         * stress/stack-overflow-in-custom-hasInstance.js: Added.
804
805 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
806
807         op_check_tdz does not def its argument
808         https://bugs.webkit.org/show_bug.cgi?id=192880
809         <rdar://problem/46221598>
810
811         Reviewed by Saam Barati.
812
813         * microbenchmarks/let-for-in.js: Added.
814         (foo):
815
816 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
817
818         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
819         https://bugs.webkit.org/show_bug.cgi?id=195429
820
821         Reviewed by Saam Barati.
822
823         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
824         (foo):
825         * stress/string-from-char-code-255.js: Added.
826
827 2019-03-06  Mark Lam  <mark.lam@apple.com>
828
829         Fix incorrect handling of try-finally completion values.
830         https://bugs.webkit.org/show_bug.cgi?id=195131
831         <rdar://problem/46222079>
832
833         Reviewed by Saam Barati and Yusuke Suzuki.
834
835         Added many permutations of new test case to test-finally.js.  test-finally.js has
836         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
837         tests passes there as well.
838
839         * stress/test-finally.js:
840
841 2019-03-06  Saam Barati  <sbarati@apple.com>
842
843         Air::reportUsedRegisters must padInterference
844         https://bugs.webkit.org/show_bug.cgi?id=195303
845         <rdar://problem/48270343>
846
847         Reviewed by Keith Miller.
848
849         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
850
851 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
852
853         [JSC] AI should not propagate AbstractValue relying on constant folding phase
854         https://bugs.webkit.org/show_bug.cgi?id=195375
855
856         Reviewed by Saam Barati.
857
858         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
859         (let.array):
860
861 2019-03-05  Saam barati  <sbarati@apple.com>
862
863         op_switch_char broken for rope strings after JSRopeString layout rewrite
864         https://bugs.webkit.org/show_bug.cgi?id=195339
865         <rdar://problem/48592545>
866
867         Reviewed by Yusuke Suzuki.
868
869         * stress/switch-on-char-llint-rope.js: Added.
870
871 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
872
873         [JSC] Store bits for JSRopeString in 3 stores
874         https://bugs.webkit.org/show_bug.cgi?id=195234
875
876         Reviewed by Saam Barati.
877
878         * stress/null-rope-and-collectors.js: Added.
879
880 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
881
882         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
883         https://bugs.webkit.org/show_bug.cgi?id=195207
884
885         Unreviewed. After test runtime was reduced in r242213, test can be
886         run again on ARM/MIPS.
887
888         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
889
890 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
891
892         [JSC] sizeof(JSString) should be 16
893         https://bugs.webkit.org/show_bug.cgi?id=194375
894
895         Reviewed by Saam Barati.
896
897         * microbenchmarks/make-rope.js: Added.
898         (makeRope):
899         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
900         (returnRope.helper): Deleted.
901         (returnRope): Deleted.
902
903 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
904
905         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
906         https://bugs.webkit.org/show_bug.cgi?id=195144
907
908         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
909         Change the number from 1e8 to 1e5.
910
911         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
912         (foo):
913
914 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
915
916         Test times out on ARM/MIPS
917         https://bugs.webkit.org/show_bug.cgi?id=195168
918
919         Unreviewed. Skip test on ARM/MIPS.
920
921         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
922
923 2019-02-27  Mark Lam  <mark.lam@apple.com>
924
925         The parser is failing to record the token location of new in new.target.
926         https://bugs.webkit.org/show_bug.cgi?id=195127
927         <rdar://problem/39645578>
928
929         Reviewed by Yusuke Suzuki.
930
931         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
932
933 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
934
935         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
936         https://bugs.webkit.org/show_bug.cgi?id=195144
937         <rdar://problem/47595961>
938
939         Reviewed by Mark Lam.
940
941         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
942         (bar):
943         (foo):
944         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
945         (bar):
946         (foo):
947
948 2019-02-27  Robin Morisset  <rmorisset@apple.com>
949
950         DFG: Loop-invariant code motion (LICM) should not hoist dead code
951         https://bugs.webkit.org/show_bug.cgi?id=194945
952         <rdar://problem/48311657>
953
954         Reviewed by Mark Lam.
955
956         * stress/licm-dead-code.js: Added.
957
958 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
959
960         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
961         https://bugs.webkit.org/show_bug.cgi?id=194677
962         <rdar://problem/48112492>
963
964         Reviewed by Mark Lam.
965
966         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
967         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
968         it immediately fails due the large size.
969
970         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
971         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
972         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
973         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
974
975         This patch changes the test to produce 16bit string from String.fromCharCode.
976
977         * stress/regress-178386.js:
978
979 2019-02-26  Mark Lam  <mark.lam@apple.com>
980
981         wasmToJS() should purify incoming NaNs.
982         https://bugs.webkit.org/show_bug.cgi?id=194807
983         <rdar://problem/48189132>
984
985         Reviewed by Saam Barati.
986
987         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
988
989 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
990
991         [JSC] Repeat string created from Array.prototype.join() take too much memory
992         https://bugs.webkit.org/show_bug.cgi?id=193912
993
994         Reviewed by Saam Barati.
995
996         Added a test and a microbenchmark for corner cases of
997         Array.prototype.join() with an uninitialized array.
998
999         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1000         * stress/array-prototype-join-uninitialized.js: Added.
1001         (testArray):
1002         (testABC):
1003         (B):
1004         (C):
1005
1006 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1007
1008         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1009         https://bugs.webkit.org/show_bug.cgi?id=194953
1010         <rdar://problem/47595253>
1011
1012         Reviewed by Saam Barati.
1013
1014         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1015
1016         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1017
1018 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1019
1020         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1021         https://bugs.webkit.org/show_bug.cgi?id=172848
1022         <rdar://problem/25709212>
1023
1024         Reviewed by Mark Lam.
1025
1026         * typeProfiler/inheritance.js:
1027         Rewrite the test slightly for clarity. The hoisting was confusing.
1028
1029         * heapProfiler/class-names.js: Added.
1030         (MyES5Class):
1031         (MyES6Class):
1032         (MyES6Subclass):
1033         Test object types and improved class names.
1034
1035         * heapProfiler/driver/driver.js:
1036         (CheapHeapSnapshotNode):
1037         (CheapHeapSnapshot):
1038         (createCheapHeapSnapshot):
1039         (HeapSnapshot):
1040         (createHeapSnapshot):
1041         Update snapshot parsing from version 1 to version 2.
1042
1043 2019-02-19  Truitt Savell  <tsavell@apple.com>
1044
1045         Unreviewed, rolling out r241784.
1046
1047         Broke all OpenSource builds.
1048
1049         Reverted changeset:
1050
1051         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1052         instances view"
1053         https://bugs.webkit.org/show_bug.cgi?id=172848
1054         https://trac.webkit.org/changeset/241784
1055
1056 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1057
1058         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1059         https://bugs.webkit.org/show_bug.cgi?id=172848
1060         <rdar://problem/25709212>
1061
1062         Reviewed by Mark Lam.
1063
1064         * typeProfiler/inheritance.js:
1065         Rewrite the test slightly for clarity. The hoisting was confusing.
1066
1067         * heapProfiler/class-names.js: Added.
1068         (MyES5Class):
1069         (MyES6Class):
1070         (MyES6Subclass):
1071         Test object types and improved class names.
1072
1073         * heapProfiler/driver/driver.js:
1074         (CheapHeapSnapshotNode):
1075         (CheapHeapSnapshot):
1076         (createCheapHeapSnapshot):
1077         (HeapSnapshot):
1078         (createHeapSnapshot):
1079         Update snapshot parsing from version 1 to version 2.
1080
1081 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1082
1083         [ARM] Fix crash with sampling profiler
1084         https://bugs.webkit.org/show_bug.cgi?id=194772
1085
1086         Reviewed by Mark Lam.
1087
1088         Do not skip test since crash with sampling profiler is now fixed.
1089
1090         * stress/sampling-profiler-richards.js:
1091
1092 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1095         https://bugs.webkit.org/show_bug.cgi?id=194784
1096         <rdar://problem/48154820>
1097
1098         Reviewed by Mark Lam.
1099
1100         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1101         (getProperties):
1102         (getRandomProperty):
1103         (i.catch):
1104
1105 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1106
1107         [ARM] Test gardening: Test running out of executable memory
1108         https://bugs.webkit.org/show_bug.cgi?id=194771
1109
1110         Unreviewed. Do not run test without LLInt, test is running out of executable
1111         memory on ARM otherwise.
1112
1113         * stress/tagged-template-object-collect.js:
1114
1115 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1116
1117         Unreviewed, skip the test on platforms without sampling profiler
1118
1119         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1120         (platformSupportsSamplingProfiler.foo):
1121         (platformSupportsSamplingProfiler.test):
1122         (platformSupportsSamplingProfiler):
1123         (foo): Deleted.
1124         (test): Deleted.
1125
1126 2019-02-17  Saam Barati  <sbarati@apple.com>
1127
1128         Deadlock when adding a Structure property transition and then doing incremental marking
1129         https://bugs.webkit.org/show_bug.cgi?id=194767
1130
1131         Reviewed by Mark Lam.
1132
1133         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1134
1135 2019-02-15  Michael Saboff  <msaboff@apple.com>
1136
1137         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1138         https://bugs.webkit.org/show_bug.cgi?id=194558
1139
1140         Reviewed by Saam Barati.
1141
1142         New regression test.
1143
1144         * stress/regexp-unicode-within-string.js: Added.
1145
1146 2019-02-15  Mark Lam  <mark.lam@apple.com>
1147
1148         SamplingProfiler::stackTracesAsJSON() should escape strings.
1149         https://bugs.webkit.org/show_bug.cgi?id=194649
1150         <rdar://problem/48072386>
1151
1152         Reviewed by Saam Barati.
1153
1154         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1155         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1156         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1157         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1158
1159 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1160         CodeBlock::jettison should clear related watchpoints
1161         https://bugs.webkit.org/show_bug.cgi?id=194544
1162
1163         Reviewed by Mark Lam.
1164
1165         * stress/regexp-replace-double-watchpoint.js: Added.
1166         (foo):
1167
1168 2019-02-15  Saam barati  <sbarati@apple.com>
1169
1170         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1171         https://bugs.webkit.org/show_bug.cgi?id=194036
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * stress/tail-call-many-arguments.js: Added.
1176         (foo):
1177         (bar):
1178
1179 2019-02-14  Saam Barati  <sbarati@apple.com>
1180
1181         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1182         https://bugs.webkit.org/show_bug.cgi?id=194583
1183         <rdar://problem/48028140>
1184
1185         Reviewed by Yusuke Suzuki.
1186
1187         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1188
1189 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1190
1191         [JSC] String.fromCharCode's slow path always generates 16bit string
1192         https://bugs.webkit.org/show_bug.cgi?id=194466
1193
1194         Reviewed by Keith Miller.
1195
1196         * stress/string-from-char-code-slow-path.js: Added.
1197         (shouldBe):
1198         (testWithLength):
1199
1200 2019-02-08  Saam barati  <sbarati@apple.com>
1201
1202         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1203         https://bugs.webkit.org/show_bug.cgi?id=194334
1204         <rdar://problem/47844327>
1205
1206         Reviewed by Mark Lam.
1207
1208         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1209         (func):
1210
1211 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1212
1213         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1214         https://bugs.webkit.org/show_bug.cgi?id=194369
1215         <rdar://problem/47813087>
1216
1217         Reviewed by Saam Barati.
1218
1219         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1220         (A):
1221
1222 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1223
1224         [JSC] PrivateName to PublicName hash table is wasteful
1225         https://bugs.webkit.org/show_bug.cgi?id=194277
1226
1227         Reviewed by Michael Saboff.
1228
1229         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1230
1231         * ChakraCore.yaml:
1232
1233 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1234
1235         [ARM] Test running out of executable memory
1236         https://bugs.webkit.org/show_bug.cgi?id=194285
1237
1238         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1239         executable memory otherwise.
1240
1241         * stress/class-subclassing-function.js:
1242
1243 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1244
1245         when lowering AssertNotEmpty, create the value before creating the patchpoint
1246         https://bugs.webkit.org/show_bug.cgi?id=194231
1247
1248         Reviewed by Saam Barati.
1249
1250         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1251         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1252         So even tiny changes to this test can change the path code taken.
1253
1254         * stress/assert-not-empty.js: Added.
1255         (foo):
1256
1257 2019-02-01  Mark Lam  <mark.lam@apple.com>
1258
1259         Remove invalid assertion in DFG's compileDoubleRep().
1260         https://bugs.webkit.org/show_bug.cgi?id=194130
1261         <rdar://problem/47699474>
1262
1263         Reviewed by Saam Barati.
1264
1265         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1266
1267 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1268
1269         Import latest Test262 updates.
1270
1271         Rubber-stamped by Keith Miller.
1272
1273         * test262.yaml: Deleted.
1274         * test262/config.yaml:
1275         * test262/expectations.yaml:
1276         * test262/latest-changes-summary.txt:
1277         * test262/test/:
1278         * test262/test262-Revision.txt:
1279
1280 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1281
1282         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1283         https://bugs.webkit.org/show_bug.cgi?id=194050
1284         <rdar://problem/47595592>
1285
1286         Reviewed by Yusuke Suzuki.
1287
1288         * stress/object-keys-osr-exit.js: Added.
1289         (foo):
1290         (catch):
1291
1292 2019-01-29  Mark Lam  <mark.lam@apple.com>
1293
1294         ValueRecovery::recover() should purify NaN values it recovers.
1295         https://bugs.webkit.org/show_bug.cgi?id=193978
1296         <rdar://problem/47625488>
1297
1298         Reviewed by Saam Barati.
1299
1300         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1301
1302 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1303
1304         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1305         https://bugs.webkit.org/show_bug.cgi?id=193713
1306
1307         * stress/try-get-by-id-should-spill-registers-dfg.js:
1308         (let.f.createBuiltin):
1309
1310 2019-01-28  Mark Lam  <mark.lam@apple.com>
1311
1312         ToString node actually does GC.
1313         https://bugs.webkit.org/show_bug.cgi?id=193920
1314         <rdar://problem/46695900>
1315
1316         Reviewed by Yusuke Suzuki.
1317
1318         * stress/dfg-to-string-on-int-does-gc.js: Added.
1319         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1320         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1321
1322 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1323
1324         [JSC] NativeErrorConstructor should not have own IsoSubspace
1325         https://bugs.webkit.org/show_bug.cgi?id=193713
1326
1327         Reviewed by Saam Barati.
1328
1329         Remove @Error use.
1330
1331         * stress/try-get-by-id-should-spill-registers-dfg.js:
1332         (let.f.createBuiltin):
1333
1334 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1335
1336         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1337         https://bugs.webkit.org/show_bug.cgi?id=190693
1338
1339         Reviewed by Michael Saboff.
1340
1341         * stress/regress-190693.js: Added.
1342         (truth):
1343         (assert):
1344         (shouldThrowInvalidConstAssignment):
1345         (taz):
1346
1347 2019-01-24  Saam Barati  <sbarati@apple.com>
1348
1349         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1350         https://bugs.webkit.org/show_bug.cgi?id=193751
1351         <rdar://problem/47280215>
1352
1353         Reviewed by Michael Saboff.
1354
1355         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1356         (let.thing):
1357         (foo.let.hello):
1358         (foo):
1359
1360 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1361
1362         [JSC] Reenable baseline JIT on mips
1363         https://bugs.webkit.org/show_bug.cgi?id=192983
1364
1365         Reviewed by Mark Lam.
1366
1367         Added a new test for a case that was triggering a RELEASE_ASSERT when
1368         testing.
1369         Disable some slow tests that were already disabled for arm and x86.
1370
1371         * stress/json-parse-big-object.js: Added.
1372         * stress/new-largeish-contiguous-array-with-size.js:
1373         * stress/op_add.js:
1374         * stress/op_bitand.js:
1375         * stress/op_bitor.js:
1376         * stress/op_bitxor.js:
1377         * stress/op_lshift-ConstVar.js:
1378         * stress/op_lshift-VarConst.js:
1379         * stress/op_lshift-VarVar.js:
1380         * stress/op_mod-ConstVar.js:
1381         * stress/op_mod-VarConst.js:
1382         * stress/op_mod-VarVar.js:
1383         * stress/op_mul-ConstVar.js:
1384         * stress/op_mul-VarConst.js:
1385         * stress/op_mul-VarVar.js:
1386         * stress/op_rshift-ConstVar.js:
1387         * stress/op_rshift-VarConst.js:
1388         * stress/op_rshift-VarVar.js:
1389         * stress/op_sub-ConstVar.js:
1390         * stress/op_sub-VarConst.js:
1391         * stress/op_sub-VarVar.js:
1392         * stress/op_urshift-ConstVar.js:
1393         * stress/op_urshift-VarConst.js:
1394         * stress/op_urshift-VarVar.js:
1395         * stress/sampling-profiler-richards.js:
1396         * stress/spread-forward-call-varargs-stack-overflow.js:
1397
1398 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1399
1400         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1401         https://bugs.webkit.org/show_bug.cgi?id=193711
1402         <rdar://problem/47250262>
1403
1404         Reviewed by Saam Barati.
1405
1406         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1407         (shouldBe):
1408         (foo):
1409         (bar):
1410         (baz):
1411
1412 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1413
1414         Unreviewed, fix initial global lexical binding epoch
1415         https://bugs.webkit.org/show_bug.cgi?id=193603
1416         <rdar://problem/47380869>
1417
1418         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1419         (f1.f2.f3.f4):
1420         (f1.f2.f3):
1421         (f1.f2):
1422         (f1):
1423
1424 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1425
1426         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1427         https://bugs.webkit.org/show_bug.cgi?id=193709
1428         <rdar://problem/47363838>
1429
1430         Unreviewed, rollout to watch the tests.
1431
1432         * stress/object-tostring-changed-proto.js: Removed.
1433         * stress/object-tostring-changed.js: Removed.
1434         * stress/object-tostring-misc.js: Removed.
1435         * stress/object-tostring-other.js: Removed.
1436         * stress/object-tostring-untyped.js: Removed.
1437
1438 2019-01-22  Saam Barati  <sbarati@apple.com>
1439
1440         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1441
1442         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1443         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1444         (testUncheckedLessThanZero):
1445         (testUncheckedLessThanOrEqualZero):
1446         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1447         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1448
1449 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1450
1451         [JSC] Invalidate old scope operations using global lexical binding epoch
1452         https://bugs.webkit.org/show_bug.cgi?id=193603
1453         <rdar://problem/47380869>
1454
1455         Reviewed by Saam Barati.
1456
1457         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1458         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1459         (shouldThrow):
1460         (bar):
1461         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1462         (shouldBe):
1463         (get1):
1464         (get2):
1465         (get1If):
1466         (get2If):
1467         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1468         (shouldThrow):
1469         (foo):
1470
1471 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1472
1473         Unreviewed, roll out r240220 due to date-format-xparb regression
1474         https://bugs.webkit.org/show_bug.cgi?id=193603
1475
1476         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1477         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1478         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1479         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1480
1481 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1482
1483         DoesGC rule is wrong for nodes with BigIntUse
1484         https://bugs.webkit.org/show_bug.cgi?id=193652
1485
1486         Reviewed by Saam Barati.
1487
1488         * stress/big-int-value-op-update-gc-rules.js: Added.
1489         (assert):
1490         (doesGCAdd):
1491         (doesGCSub):
1492         (doesGCDiv):
1493         (doesGCMul):
1494         (doesGCBitAnd):
1495         (doesGCBitOr):
1496         (doesGCBitXor):
1497
1498 2019-01-20  Saam Barati  <sbarati@apple.com>
1499
1500         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1501         https://bugs.webkit.org/show_bug.cgi?id=193644
1502         <rdar://problem/46209745>
1503
1504         Reviewed by Yusuke Suzuki.
1505
1506         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1507         (foo):
1508         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1509         (foo):
1510         (bar):
1511
1512 2019-01-20  Saam Barati  <sbarati@apple.com>
1513
1514         MovHint must merge NodeBytecodeUsesAsValue for its child
1515         https://bugs.webkit.org/show_bug.cgi?id=186916
1516         <rdar://problem/41396612>
1517
1518         Reviewed by Yusuke Suzuki.
1519
1520         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1521         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1522
1523 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1524
1525         [JSC] Invalidate old scope operations using global lexical binding epoch
1526         https://bugs.webkit.org/show_bug.cgi?id=193603
1527         <rdar://problem/47380869>
1528
1529         Reviewed by Saam Barati.
1530
1531         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1532         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1533         (shouldThrow):
1534         (bar):
1535         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1536         (shouldBe):
1537         (get1):
1538         (get2):
1539         (get1If):
1540         (get2If):
1541         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1542         (shouldThrow):
1543         (foo):
1544
1545 2019-01-17  Saam barati  <sbarati@apple.com>
1546
1547         StringObjectUse should not be a structure check for the original string object structure
1548         https://bugs.webkit.org/show_bug.cgi?id=193483
1549         <rdar://problem/47280522>
1550
1551         Reviewed by Yusuke Suzuki.
1552
1553         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1554         (foo):
1555         (a.valueOf.0):
1556
1557 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1558
1559         [JSC] ToThis omission in DFGByteCodeParser is wrong
1560         https://bugs.webkit.org/show_bug.cgi?id=193513
1561         <rdar://problem/45842236>
1562
1563         Reviewed by Saam Barati.
1564
1565         * stress/to-this-omission-with-different-strict-modes.js: Added.
1566         (thisA):
1567         (thisAStrictWrapper):
1568
1569 2019-01-15  Mark Lam  <mark.lam@apple.com>
1570
1571         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1572         https://bugs.webkit.org/show_bug.cgi?id=193423
1573         <rdar://problem/46209355>
1574
1575         Reviewed by Saam Barati.
1576
1577         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1578         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1579         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1580         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1581
1582 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1583
1584         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1585         https://bugs.webkit.org/show_bug.cgi?id=193438
1586         <rdar://problem/45581249>
1587
1588         Reviewed by Saam Barati and Keith Miller.
1589
1590         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1591         Then, GetByVal(String) crashed.
1592
1593         * stress/string-get-by-val-lowering.js: Added.
1594         (shouldBe):
1595         (test):
1596         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1597         (Hello):
1598         (foo):
1599
1600 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1601
1602         Unreviewed, skip JIT tests if it's not enabled
1603
1604         * stress/bit-op-with-object-returning-int32.js:
1605
1606 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1607
1608         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1609         https://bugs.webkit.org/show_bug.cgi?id=192966
1610
1611         Reviewed by Yusuke Suzuki.
1612
1613         * stress/bit-op-with-object-returning-int32.js: Added.
1614
1615 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1616
1617         Skip a slow test and a flakey test on arm
1618
1619         Unreviewed gardening.
1620
1621         * typeProfiler/getter-richards.js:
1622         this test always times out, it used to be always skipped on arm and
1623         mips, but got accidentally enabled by r237919 now that we have DFG on
1624         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1625
1626 2019-01-14  Keith Miller  <keith_miller@apple.com>
1627
1628         Skip type-check-hoisting-phase-hoist... with no jit
1629         https://bugs.webkit.org/show_bug.cgi?id=193421
1630
1631         Reviewed by Mark Lam.
1632
1633         It's timing out the 32-bit bots and takes 330 seconds
1634         on my machine when run by itself.
1635
1636         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1637
1638 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1639
1640         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1641         https://bugs.webkit.org/show_bug.cgi?id=193413
1642         <rdar://problem/46092389>
1643
1644         Reviewed by Keith Miller.
1645
1646         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1647         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1648         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1649         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1650
1651         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1652         (compareArray):
1653
1654 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1655
1656         [BigInt] Literal parsing is crashing when used inside a Object Literal
1657         https://bugs.webkit.org/show_bug.cgi?id=193404
1658
1659         Reviewed by Yusuke Suzuki.
1660
1661         * stress/big-int-literal-inside-literal-object.js: Added.
1662
1663 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1664
1665         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1666         https://bugs.webkit.org/show_bug.cgi?id=193372
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/typed-array-array-modes-profile.js: Added.
1671         (foo):
1672
1673 2019-01-14  Mark Lam  <mark.lam@apple.com>
1674
1675         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1676         https://bugs.webkit.org/show_bug.cgi?id=193402
1677         <rdar://problem/46012309>
1678
1679         Reviewed by Keith Miller.
1680
1681         * stress/regexp-compile-oom.js:
1682         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1683           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1684
1685 2019-01-11  Saam barati  <sbarati@apple.com>
1686
1687         DFG combined liveness can be wrong for terminal basic blocks
1688         https://bugs.webkit.org/show_bug.cgi?id=193304
1689         <rdar://problem/45268632>
1690
1691         Reviewed by Yusuke Suzuki.
1692
1693         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1694
1695 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1696
1697         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1698         https://bugs.webkit.org/show_bug.cgi?id=193308
1699         <rdar://problem/45546542>
1700
1701         Reviewed by Saam Barati.
1702
1703         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1704         (shouldThrow):
1705         (shouldBe):
1706         (foo):
1707         (get shouldThrow):
1708         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1709         (shouldThrow):
1710         (shouldBe):
1711         (foo):
1712         (get shouldBe):
1713         (get shouldThrow):
1714         (get return):
1715         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1716         (shouldThrow):
1717         (shouldBe):
1718         (foo):
1719         (get shouldBe):
1720         (get shouldThrow):
1721         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1722         (shouldThrow):
1723         (shouldBe):
1724         (foo):
1725         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1726         (shouldThrow):
1727         (shouldBe):
1728         (foo):
1729         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1730         (shouldThrow):
1731         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1732         (shouldThrow):
1733         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1734         (shouldThrow):
1735         (shouldBe):
1736         (foo):
1737         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1738         (shouldThrow):
1739         (shouldBe):
1740         (foo):
1741         (get shouldBe):
1742         (get shouldThrow):
1743         (get return):
1744         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1745         (shouldThrow):
1746         (shouldBe):
1747         (foo):
1748         (get shouldBe):
1749         (get shouldThrow):
1750         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1751         (shouldThrow):
1752         (shouldBe):
1753         (foo):
1754         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1755         (shouldThrow):
1756         (shouldBe):
1757         (foo):
1758
1759 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1760
1761         Enable DFG on ARM/Linux again
1762         https://bugs.webkit.org/show_bug.cgi?id=192496
1763
1764         Reviewed by Yusuke Suzuki.
1765
1766         Test wasn't really skipped before moving the line with skip
1767         to the top.
1768
1769         * stress/regress-192717.js:
1770
1771 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1772
1773         Unreviewed, rolling out r239825.
1774         https://bugs.webkit.org/show_bug.cgi?id=193330
1775
1776         Broke tests on armv7/linux bots (Requested by guijemont on
1777         #webkit).
1778
1779         Reverted changeset:
1780
1781         "Enable DFG on ARM/Linux again"
1782         https://bugs.webkit.org/show_bug.cgi?id=192496
1783         https://trac.webkit.org/changeset/239825
1784
1785 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1786
1787         Enable DFG on ARM/Linux again
1788         https://bugs.webkit.org/show_bug.cgi?id=192496
1789
1790         Reviewed by Yusuke Suzuki.
1791
1792         Test wasn't really skipped before moving the line with skip
1793         to the top.
1794
1795         * stress/regress-192717.js:
1796
1797 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1798
1799         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1800         https://bugs.webkit.org/show_bug.cgi?id=193127
1801
1802         Reviewed by Saam Barati.
1803
1804         * stress/array-species-create-should-handle-masquerader.js: Added.
1805         (shouldThrow):
1806         * stress/is-undefined-or-null-builtin.js: Added.
1807         (shouldBe):
1808         (isUndefinedOrNull.vm.createBuiltin):
1809
1810 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1811
1812         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1813         https://bugs.webkit.org/show_bug.cgi?id=193221
1814
1815         Reviewed by Mark Lam.
1816
1817         * stress/put-by-id-flags.js: Added.
1818         (f):
1819         (g):
1820         (numberOfDFGCompiles):
1821
1822 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1823
1824         Baseline version of get_by_id may corrupt metadata
1825         https://bugs.webkit.org/show_bug.cgi?id=193085
1826         <rdar://problem/23453006>
1827
1828         Reviewed by Saam Barati.
1829
1830         * stress/get-by-id-change-mode.js: Added.
1831         (forEach):
1832
1833 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1834
1835         [JSC] Optimize Object.prototype.toString
1836         https://bugs.webkit.org/show_bug.cgi?id=193031
1837
1838         Reviewed by Saam Barati.
1839
1840         * stress/object-tostring-changed-proto.js: Added.
1841         (shouldBe):
1842         (test):
1843         * stress/object-tostring-changed.js: Added.
1844         (shouldBe):
1845         (test):
1846         * stress/object-tostring-misc.js: Added.
1847         (shouldBe):
1848         (test):
1849         (i.switch):
1850         * stress/object-tostring-other.js: Added.
1851         (shouldBe):
1852         (test):
1853         * stress/object-tostring-untyped.js: Added.
1854         (shouldBe):
1855         (test):
1856         (i.switch):
1857
1858 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1859
1860         test262-runner misbehaves when test file YAML has a trailing space
1861         https://bugs.webkit.org/show_bug.cgi?id=193053
1862
1863         Reviewed by Yusuke Suzuki.
1864
1865         * test262/expectations.yaml:
1866         Mark two dozen tests as passing (and correct the output of another).
1867
1868 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1869
1870         Unreviewed, JSTests gardening with memoryLimited
1871
1872         * stress/string-overflow-createError.js:
1873
1874 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1875
1876         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1877         https://bugs.webkit.org/show_bug.cgi?id=193050
1878
1879         Reviewed by Yusuke Suzuki.
1880
1881         * test262.yaml:
1882         * test262/expectations.yaml:
1883         Mark 16 tests as passing.
1884
1885 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1886
1887         [BigInt] Support BigInt in JSON.stringify
1888         https://bugs.webkit.org/show_bug.cgi?id=192624
1889
1890         Reviewed by Saam Barati.
1891
1892         * stress/big-int-json-stringify-to-json.js: Added.
1893         (shouldBe):
1894         (shouldThrow):
1895         (BigInt.prototype.toJSON):
1896         (shouldBe.JSON.stringify):
1897         * stress/big-int-json-stringify.js: Added.
1898         (shouldBe):
1899         (shouldThrow):
1900
1901 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1902
1903         [JSC] Implement "well-formed JSON.stringify" proposal
1904         https://bugs.webkit.org/show_bug.cgi?id=191677
1905
1906         Reviewed by Darin Adler.
1907
1908         * stress/json-surrogate-pair.js: Added.
1909         (shouldBe):
1910         * test262/expectations.yaml:
1911
1912 2018-12-20  Keith Miller  <keith_miller@apple.com>
1913
1914         Add support for globalThis
1915         https://bugs.webkit.org/show_bug.cgi?id=165171
1916
1917         Reviewed by Mark Lam.
1918
1919         * test262/config.yaml:
1920
1921 2018-12-19  Keith Miller  <keith_miller@apple.com>
1922
1923         Update test262 configuration to not run tests dependent on ICU version.
1924         https://bugs.webkit.org/show_bug.cgi?id=192920
1925
1926         Reviewed by Saam Barati.
1927
1928         * test262/expectations.yaml:
1929
1930 2018-12-20  Mark Lam  <mark.lam@apple.com>
1931
1932         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1933         https://bugs.webkit.org/show_bug.cgi?id=192939
1934         <rdar://problem/46869516>
1935
1936         Reviewed by Keith Miller.
1937
1938         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1939
1940 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1941
1942         WTF::String and StringImpl overflow MaxLength
1943         https://bugs.webkit.org/show_bug.cgi?id=192853
1944         <rdar://problem/45726906>
1945
1946         Reviewed by Mark Lam.
1947
1948         * stress/string-16bit-repeat-overflow.js: Added.
1949         (catch):
1950
1951 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1952
1953         Unreviewed follow-up to r192914.
1954
1955         * test262/expectations.yaml:
1956         Add the last 20 missing expectations.
1957
1958 2018-12-19  Keith Miller  <keith_miller@apple.com>
1959
1960         Fix test262 expectations
1961         https://bugs.webkit.org/show_bug.cgi?id=192914
1962
1963         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1964
1965         * test262/expectations.yaml:
1966
1967 2018-12-19  Keith Miller  <keith_miller@apple.com>
1968
1969         Update test262 tests.
1970         https://bugs.webkit.org/show_bug.cgi?id=192907
1971
1972         Rubber stamped by Mark Lam.
1973
1974         * test262/*: Omitted because prepare-changelog crashes.
1975
1976 2018-12-19  Mark Lam  <mark.lam@apple.com>
1977
1978         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1979         https://bugs.webkit.org/show_bug.cgi?id=192464
1980         <rdar://problem/46519455>
1981
1982         Reviewed by Saam Barati.
1983
1984         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1985         microbenchmark.
1986
1987         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1988         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1989
1990 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1991
1992         String overflow in JSC::createError results in ASSERT in WTF::makeString
1993         https://bugs.webkit.org/show_bug.cgi?id=192833
1994         <rdar://problem/45706868>
1995
1996         Reviewed by Mark Lam.
1997
1998         * stress/string-overflow-createError.js: Added.
1999
2000 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2001
2002         Error message for `-x ** y` contains a typo.
2003         https://bugs.webkit.org/show_bug.cgi?id=192832
2004
2005         Reviewed by Saam Barati.
2006
2007         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2008         (assert.assert.return.throws):
2009         * stress/pow-expects-update-expression-on-lhs.js:
2010         (throw.new.Error):
2011         Update test expectations which match against the exact error message.
2012
2013 2018-12-18  Mark Lam  <mark.lam@apple.com>
2014
2015         Gardening: test options fix.
2016         https://bugs.webkit.org/show_bug.cgi?id=192822
2017
2018         Unreviewed.
2019
2020         * stress/json-stringify-string-builder-overflow.js:
2021
2022 2018-12-18  Mark Lam  <mark.lam@apple.com>
2023
2024         JSON.stringify() should throw OOM on StringBuilder overflows.
2025         https://bugs.webkit.org/show_bug.cgi?id=192822
2026         <rdar://problem/46670577>
2027
2028         Reviewed by Saam Barati.
2029
2030         * stress/json-stringify-string-builder-overflow.js: Added.
2031
2032 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2033
2034         Redeclaration of var over let/const/class should be a syntax error.
2035         https://bugs.webkit.org/show_bug.cgi?id=192298
2036
2037         Reviewed by Keith Miller.
2038
2039         * test262.yaml:
2040         * test262/expectations.yaml:
2041         Mark 46 tests as passing.
2042
2043         * stress/block-scope-redeclarations.js:
2044         Add some new tests.
2045
2046         * stress/for-in-invalidate-context-weird-assignments.js:
2047         * stress/for-in-tests.js:
2048         Replace tests for outdated behavior with tests for SyntaxError.
2049
2050         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2051         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2052         Update expectations.
2053
2054 2018-12-18  Mark Lam  <mark.lam@apple.com>
2055
2056         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2057         https://bugs.webkit.org/show_bug.cgi?id=191374
2058         <rdar://problem/46525447>
2059
2060         Reviewed by Yusuke Suzuki.
2061
2062         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2063
2064         * stress/elidable-new-object-roflcopter-then-exit.js:
2065
2066 2018-12-17  Mark Lam  <mark.lam@apple.com>
2067
2068         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2069         https://bugs.webkit.org/show_bug.cgi?id=192019
2070         <rdar://problem/46525456>
2071
2072         Reviewed by Yusuke Suzuki.
2073
2074         The test runs too slow on 32-bit.
2075
2076         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2077
2078 2018-12-17  Mark Lam  <mark.lam@apple.com>
2079
2080         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2081         https://bugs.webkit.org/show_bug.cgi?id=191373
2082         <rdar://problem/46525458>
2083
2084         Reviewed by Yusuke Suzuki.
2085
2086         The test is already slow running with a JIT on 64-bit.  It will always timeout
2087         on 32-bit without a JIT.
2088
2089         * stress/materialize-regexp-cyclic-regexp.js:
2090
2091 2018-12-17  Mark Lam  <mark.lam@apple.com>
2092
2093         Array unshift/shift should not race against the AI in the compiler thread.
2094         https://bugs.webkit.org/show_bug.cgi?id=192795
2095         <rdar://problem/46724263>
2096
2097         Reviewed by Saam Barati.
2098
2099         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2100
2101 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2102
2103         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2104         https://bugs.webkit.org/show_bug.cgi?id=190047
2105
2106         Reviewed by Saam Barati.
2107
2108         * stress/object-keys-cached-zero.js: Added.
2109         (shouldBe):
2110         (test):
2111         * stress/object-keys-changed-attribute.js: Added.
2112         (shouldBe):
2113         (test):
2114         * stress/object-keys-changed-index.js: Added.
2115         (shouldBe):
2116         (test):
2117         * stress/object-keys-changed.js: Added.
2118         (shouldBe):
2119         (test):
2120         * stress/object-keys-indexed-non-cache.js: Added.
2121         (shouldBe):
2122         (test):
2123         * stress/object-keys-overrides-get-property-names.js: Added.
2124         (shouldBe):
2125         (test):
2126         (noInline):
2127
2128 2018-12-17  Mark Lam  <mark.lam@apple.com>
2129
2130         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2131         https://bugs.webkit.org/show_bug.cgi?id=192779
2132         <rdar://problem/46775869>
2133
2134         Reviewed by Saam Barati.
2135
2136         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2137
2138 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2139
2140         Unreviewed test gardening, address a syntax error in a new test.
2141
2142         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2143
2144 2018-12-17  Mark Lam  <mark.lam@apple.com>
2145
2146         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2147         https://bugs.webkit.org/show_bug.cgi?id=192776
2148         <rdar://problem/46772368>
2149
2150         Reviewed by Keith Miller.
2151
2152         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2153
2154 2018-12-17  Mark Lam  <mark.lam@apple.com>
2155
2156         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2157         https://bugs.webkit.org/show_bug.cgi?id=192770
2158         <rdar://problem/46449037>
2159
2160         Reviewed by Keith Miller.
2161
2162         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2163
2164 2018-12-14  Mark Lam  <mark.lam@apple.com>
2165
2166         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2167         https://bugs.webkit.org/show_bug.cgi?id=192717
2168         <rdar://problem/46660677>
2169
2170         Reviewed by Saam Barati.
2171
2172         * stress/regress-192717.js: Added.
2173
2174 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2175
2176         Unreviewed, rolling out r239153, r239154, and r239155.
2177         https://bugs.webkit.org/show_bug.cgi?id=192715
2178
2179         Caused flaky GC-related crashes seen with layout tests
2180         (Requested by ryanhaddad on #webkit).
2181
2182         Reverted changesets:
2183
2184         "[JSC] Optimize Object.keys by caching own keys results in
2185         StructureRareData"
2186         https://bugs.webkit.org/show_bug.cgi?id=190047
2187         https://trac.webkit.org/changeset/239153
2188
2189         "Unreviewed, build fix after r239153"
2190         https://bugs.webkit.org/show_bug.cgi?id=190047
2191         https://trac.webkit.org/changeset/239154
2192
2193         "Unreviewed, build fix after r239153, part 2"
2194         https://bugs.webkit.org/show_bug.cgi?id=190047
2195         https://trac.webkit.org/changeset/239155
2196
2197 2018-12-14  Keith Miller  <keith_miller@apple.com>
2198
2199         Callers of JSString::getIndex should check for OOM exceptions
2200         https://bugs.webkit.org/show_bug.cgi?id=192709
2201
2202         Reviewed by Mark Lam.
2203
2204         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2205
2206 2018-12-13  Mark Lam  <mark.lam@apple.com>
2207
2208         Add a missing exception check.
2209         https://bugs.webkit.org/show_bug.cgi?id=192626
2210         <rdar://problem/46662163>
2211
2212         Reviewed by Keith Miller.
2213
2214         * stress/regress-192626.js: Added.
2215
2216 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2217
2218         [BigInt] Add ValueDiv into DFG
2219         https://bugs.webkit.org/show_bug.cgi?id=186178
2220
2221         Reviewed by Yusuke Suzuki.
2222
2223         * stress/big-int-div-jit-osr.js: Added.
2224         * stress/big-int-div-jit-untyped.js: Added.
2225         * stress/value-div-fixup-int32-big-int.js: Added.
2226
2227 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2228
2229         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2230         https://bugs.webkit.org/show_bug.cgi?id=190047
2231
2232         Reviewed by Keith Miller.
2233
2234         * stress/object-keys-cached-zero.js: Added.
2235         (shouldBe):
2236         (test):
2237         * stress/object-keys-changed-attribute.js: Added.
2238         (shouldBe):
2239         (test):
2240         * stress/object-keys-changed-index.js: Added.
2241         (shouldBe):
2242         (test):
2243         * stress/object-keys-changed.js: Added.
2244         (shouldBe):
2245         (test):
2246         * stress/object-keys-indexed-non-cache.js: Added.
2247         (shouldBe):
2248         (test):
2249         * stress/object-keys-overrides-get-property-names.js: Added.
2250         (shouldBe):
2251         (test):
2252         (noInline):
2253
2254 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2255
2256         [DFG][FTL] Add NewSymbol
2257         https://bugs.webkit.org/show_bug.cgi?id=192620
2258
2259         Reviewed by Saam Barati.
2260
2261         * microbenchmarks/symbol-creation.js: Added.
2262         (test):
2263         * stress/symbol-description-identity.js: Added.
2264         (shouldBe):
2265         (test):
2266         * stress/symbol-identity.js: Added.
2267         (shouldBe):
2268         (test):
2269         * stress/symbol-with-description-throw-error.js: Added.
2270         (shouldBe):
2271         (shouldThrow):
2272         (test):
2273         (object.toString):
2274
2275 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2276
2277         [BigInt] Implement DFG/FTL typeof for BigInt
2278         https://bugs.webkit.org/show_bug.cgi?id=192619
2279
2280         Reviewed by Keith Miller.
2281
2282         * stress/big-int-boolean-proven-type.js: Added.
2283         (assert):
2284         (bool):
2285         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2286         (assert):
2287         (typeOf):
2288         (i.switch):
2289         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2290         (assert):
2291         (typeOf):
2292         * stress/big-int-type-of.js:
2293         (typeOf):
2294         (func):
2295
2296 2018-12-10  Mark Lam  <mark.lam@apple.com>
2297
2298         PropertyAttribute needs a CustomValue bit.
2299         https://bugs.webkit.org/show_bug.cgi?id=191993
2300         <rdar://problem/46264467>
2301
2302         Reviewed by Saam Barati.
2303
2304         * stress/regress-191993.js: Added.
2305
2306 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2307
2308         [BigInt] Add ValueMul into DFG
2309         https://bugs.webkit.org/show_bug.cgi?id=186175
2310
2311         Reviewed by Yusuke Suzuki.
2312
2313         * stress/big-int-mul-jit-osr.js: Added.
2314         * stress/big-int-mul-jit-untyped.js: Added.
2315         * stress/value-mul-fixup-int32-big-int.js: Added.
2316
2317 2018-12-06  Keith Miller  <keith_miller@apple.com>
2318
2319         stress/big-wasm-memory tests failing on 32-bit JSC bot
2320         https://bugs.webkit.org/show_bug.cgi?id=192020
2321
2322         Reviewed by Saam Barati.
2323
2324         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2325         the wasm stress tests if the WebAssembly object does not exist.
2326
2327         * stress/big-wasm-memory-grow-no-max.js:
2328         (test.foo):
2329         (test):
2330         (foo): Deleted.
2331         (catch): Deleted.
2332         * stress/big-wasm-memory-grow.js:
2333         (test.foo):
2334         (test):
2335         (foo): Deleted.
2336         (catch): Deleted.
2337         * stress/big-wasm-memory.js:
2338         (test.foo):
2339         (test):
2340         (foo): Deleted.
2341         (catch): Deleted.
2342
2343 2018-12-05  Mark Lam  <mark.lam@apple.com>
2344
2345         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2346         https://bugs.webkit.org/show_bug.cgi?id=192441
2347         <rdar://problem/46480355>
2348
2349         Reviewed by Saam Barati.
2350
2351         * stress/regress-192441.js: Added.
2352
2353 2018-12-04  Mark Lam  <mark.lam@apple.com>
2354
2355         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2356         https://bugs.webkit.org/show_bug.cgi?id=192386
2357         <rdar://problem/46445516>
2358
2359         Reviewed by Saam Barati.
2360
2361         * stress/regress-192386.js: Added.
2362
2363 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2364
2365         [ESNext][BigInt] Support logic operations
2366         https://bugs.webkit.org/show_bug.cgi?id=179903
2367
2368         Reviewed by Yusuke Suzuki.
2369
2370         * stress/big-int-branch-usage.js: Added.
2371         * stress/big-int-logical-and.js: Added.
2372         * stress/big-int-logical-not.js: Added.
2373         * stress/big-int-logical-or.js: Added.
2374
2375 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2376
2377         Unreviewed, rolling out r238833.
2378
2379         Breaks macOS and iOS debug builds.
2380
2381         Reverted changeset:
2382
2383         "[ESNext][BigInt] Support logic operations"
2384         https://bugs.webkit.org/show_bug.cgi?id=179903
2385         https://trac.webkit.org/changeset/238833
2386
2387 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2388
2389         [ESNext][BigInt] Support logic operations
2390         https://bugs.webkit.org/show_bug.cgi?id=179903
2391
2392         Reviewed by Yusuke Suzuki.
2393
2394         * stress/big-int-branch-usage.js: Added.
2395         * stress/big-int-logical-and.js: Added.
2396         * stress/big-int-logical-not.js: Added.
2397         * stress/big-int-logical-or.js: Added.
2398
2399 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2400
2401         [ESNext][BigInt] Implement support for "<<" and ">>"
2402         https://bugs.webkit.org/show_bug.cgi?id=186233
2403
2404         Reviewed by Yusuke Suzuki.
2405
2406         * stress/big-int-left-shift-general.js: Added.
2407         * stress/big-int-left-shift-range-error.js: Added.
2408         * stress/big-int-left-shift-type-error.js: Added.
2409         * stress/big-int-left-shift-wrapped-value.js: Added.
2410         * stress/big-int-right-shift-general.js: Added.
2411         * stress/big-int-right-shift-type-error.js: Added.
2412         * stress/big-int-right-shift-wrapped-value.js: Added.
2413         * stress/left-shift-to-primitive-precedence.js: Added.
2414         * stress/right-shift-to-primitive-precedence.js: Added.
2415
2416 2018-11-30  Dean Jackson  <dino@apple.com>
2417
2418         Add first-class support for .mjs files in jsc binary
2419         https://bugs.webkit.org/show_bug.cgi?id=192190
2420         <rdar://problem/46375715>
2421
2422         Reviewed by Keith Miller.
2423
2424         * stress/simple-module.mjs: Added.
2425         * stress/simple-script.js: Added.
2426
2427 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2428
2429         [BigInt] Implement ValueBitXor into DFG
2430         https://bugs.webkit.org/show_bug.cgi?id=190264
2431
2432         Reviewed by Yusuke Suzuki.
2433
2434         * stress/big-int-bitwise-xor-jit.js: Added.
2435         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2436         * stress/big-int-bitwise-xor-untyped.js: Added.
2437
2438 2018-11-27  Saam barati  <sbarati@apple.com>
2439
2440         r238510 broke scopes of size zero
2441         https://bugs.webkit.org/show_bug.cgi?id=192033
2442         <rdar://problem/46281734>
2443
2444         Reviewed by Keith Miller.
2445
2446         * stress/r238510-bad-loop.js: Added.
2447         (foo):
2448
2449 2018-11-27  Mark Lam  <mark.lam@apple.com>
2450
2451         [Re-landing] NaNs read from Wasm code needs to be be purified.
2452         https://bugs.webkit.org/show_bug.cgi?id=191056
2453         <rdar://problem/45660341>
2454
2455         Reviewed by Filip Pizlo.
2456
2457         * wasm/regress/regress-191056.js: Added.
2458
2459 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2460
2461         Unreviewed, rolling out r238509.
2462
2463         Causes JSC tests to fail on iOS.
2464
2465         Reverted changeset:
2466
2467         "NaNs read from Wasm code needs to be be purified."
2468         https://bugs.webkit.org/show_bug.cgi?id=191056
2469         https://trac.webkit.org/changeset/238509
2470
2471 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2472
2473         Re-introduce op_bitnot
2474         https://bugs.webkit.org/show_bug.cgi?id=190923
2475
2476         Reviewed by Yusuke Suzuki.
2477
2478         * stress/bit-not-must-generate.js: Added.
2479         * stress/bitwise-not-no-int32.js: Added.
2480
2481 2018-11-26  Saam barati  <sbarati@apple.com>
2482
2483         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2484         https://bugs.webkit.org/show_bug.cgi?id=191956
2485         <rdar://problem/45665806>
2486
2487         Reviewed by Yusuke Suzuki.
2488
2489         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2490         (bar):
2491         (foo):
2492
2493 2018-11-26  Saam barati  <sbarati@apple.com>
2494
2495         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2496         https://bugs.webkit.org/show_bug.cgi?id=191958
2497         <rdar://problem/46221877>
2498
2499         Reviewed by Yusuke Suzuki.
2500
2501         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2502         (x):
2503         (foo):
2504
2505 2018-11-26  Mark Lam  <mark.lam@apple.com>
2506
2507         NaNs read from Wasm code needs to be be purified.
2508         https://bugs.webkit.org/show_bug.cgi?id=191056
2509         <rdar://problem/45660341>
2510
2511         Reviewed by Filip Pizlo.
2512
2513         * wasm/regress/regress-191056.js: Added.
2514
2515 2018-11-26  Michael Saboff  <msaboff@apple.com>
2516
2517         32-bit JSC test failure: stress/regexp-compile-oom.js
2518         https://bugs.webkit.org/show_bug.cgi?id=191375
2519
2520         Reviewed by Mark Lam.
2521
2522         Disabled the test for 32 bit platforms.
2523
2524         * stress/regexp-compile-oom.js:
2525
2526 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2527
2528         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2529         https://bugs.webkit.org/show_bug.cgi?id=191716
2530         <rdar://problem/45723878>
2531
2532         Reviewed by Saam Barati.
2533
2534         * stress/regress-187373.js: Added.
2535         (async.fn):
2536
2537 2018-11-21  Saam barati  <sbarati@apple.com>
2538
2539         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2540         https://bugs.webkit.org/show_bug.cgi?id=191897
2541         <rdar://problem/45871998>
2542
2543         Reviewed by Mark Lam.
2544
2545         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2546         (bar):
2547         (foo):
2548
2549 2018-11-21  Saam barati  <sbarati@apple.com>
2550
2551         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2552         https://bugs.webkit.org/show_bug.cgi?id=191895
2553         <rdar://problem/46167406>
2554
2555         Reviewed by Mark Lam.
2556
2557         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2558         (foo):
2559         (bar):
2560
2561 2018-11-21  Mark Lam  <mark.lam@apple.com>
2562
2563         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2564         https://bugs.webkit.org/show_bug.cgi?id=191776
2565         <rdar://problem/46152851>
2566
2567         Reviewed by Saam Barati.
2568
2569         * stress/big-wasm-memory-grow-no-max.js:
2570         * stress/big-wasm-memory-grow.js:
2571         * stress/big-wasm-memory.js:
2572         - updated these to expect an OutOfMemoryError.
2573
2574         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2575         (Binary.prototype.emit_u8):
2576         (Binary.prototype.emit_u32v):
2577         (Binary.prototype.emit_header):
2578         (Binary.prototype.emit_section):
2579         (Binary):
2580         (WasmModuleBuilder):
2581         (WasmModuleBuilder.prototype.addMemory):
2582         (WasmModuleBuilder.prototype.toArray):
2583         (WasmModuleBuilder.prototype.toBuffer):
2584         (WasmModuleBuilder.prototype.instantiate):
2585         (catch):
2586         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2587         (catch):
2588
2589 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2590
2591         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2592         https://bugs.webkit.org/show_bug.cgi?id=190836
2593
2594         Reviewed by Saam Barati and Yusuke Suzuki.
2595
2596         * stress/big-int-out-of-memory-tests.js: Added.
2597
2598 2018-11-20  Mark Lam  <mark.lam@apple.com>
2599
2600         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2601         https://bugs.webkit.org/show_bug.cgi?id=191856
2602         <rdar://problem/46089992>
2603
2604         Reviewed by Yusuke Suzuki.
2605
2606         * stress/regress-191856.js: Added.
2607         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2608
2609 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2610
2611         Enable JIT on ARM/Linux
2612         https://bugs.webkit.org/show_bug.cgi?id=191548
2613
2614         Reviewed by Yusuke Suzuki.
2615
2616         Disable test on system with limited memory. Program was killed by
2617         the OS before the exception was thrown.
2618
2619         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2620
2621 2018-11-20  Saam barati  <sbarati@apple.com>
2622
2623         Merging an IC variant may lead to the IC status containing overlapping structure sets
2624         https://bugs.webkit.org/show_bug.cgi?id=191869
2625         <rdar://problem/45403453>
2626
2627         Reviewed by Mark Lam.
2628
2629         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2630
2631 2018-11-19  Mark Lam  <mark.lam@apple.com>
2632
2633         globalFuncImportModule() should return a promise when it clears exceptions.
2634         https://bugs.webkit.org/show_bug.cgi?id=191792
2635         <rdar://problem/46090763>
2636
2637         Reviewed by Michael Saboff.
2638
2639         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2640
2641 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2642
2643         Skip new memory-hungry tests on memory limited devices
2644
2645         Unreviewed gardening.
2646
2647         * stress/big-wasm-memory-grow-no-max.js:
2648         * stress/big-wasm-memory-grow.js:
2649         * stress/big-wasm-memory.js:
2650
2651 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2652
2653         Unreviewed, rolling in the rest of r237254
2654         https://bugs.webkit.org/show_bug.cgi?id=190340
2655
2656         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2657         * stress/function-cache-with-parameters-end-position.js: Added.
2658         (shouldBe):
2659         (shouldThrow):
2660         (i.anonymous):
2661         * stress/function-constructor-name.js: Added.
2662         (shouldBe):
2663         (GeneratorFunction):
2664         (AsyncFunction.async):
2665         (AsyncGeneratorFunction.async):
2666         (anonymous):
2667         (async.anonymous):
2668         * test262/expectations.yaml:
2669
2670 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2671
2672         All users of ArrayBuffer should agree on the same max size
2673         https://bugs.webkit.org/show_bug.cgi?id=191771
2674
2675         Reviewed by Mark Lam.
2676
2677         * stress/big-wasm-memory-grow-no-max.js: Added.
2678         (foo):
2679         (catch):
2680         * stress/big-wasm-memory-grow.js: Added.
2681         (foo):
2682         (catch):
2683         * stress/big-wasm-memory.js: Added.
2684         (foo):
2685         (catch):
2686
2687 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2688
2689         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2690         run for each JSC config since they're regression tests for runtime bugs.
2691
2692         * stress/json-stringified-overflow-2.js:
2693         * stress/json-stringified-overflow.js:
2694
2695 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2696
2697         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2698         config since they're regression tests for runtime bugs.
2699
2700         * stress/large-unshift-splice.js:
2701         * stress/regress-185888.js:
2702
2703 2018-11-16  Saam Barati  <sbarati@apple.com>
2704
2705         KnownCellUse should also have SpecCellCheck as its type filter
2706         https://bugs.webkit.org/show_bug.cgi?id=191729
2707         <rdar://problem/45872852>
2708
2709         Reviewed by Filip Pizlo.
2710
2711         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2712         (C):
2713
2714 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2715
2716         Fix assertion failure on BytecodeGenerator::recordOpcode
2717         https://bugs.webkit.org/show_bug.cgi?id=191724
2718         <rdar://problem/45724395>
2719
2720         Reviewed by Saam Barati.
2721
2722         * stress/regress-187373-2.js: Added.
2723         (foo):
2724
2725 2018-11-15  Mark Lam  <mark.lam@apple.com>
2726
2727         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2728         https://bugs.webkit.org/show_bug.cgi?id=191730
2729         <rdar://problem/46048517>
2730
2731         Reviewed by Saam Barati.
2732
2733         * stress/regress-187006.js: Removed.
2734           - this test is invalid because its sole purpose is to test for the non-spec
2735             compliant behavior that we just fixed.
2736
2737         * stress/regress-191730.js: Added.
2738
2739 2018-11-15  Mark Lam  <mark.lam@apple.com>
2740
2741         RegExp operations should not take fast patch if lastIndex is not numeric.
2742         https://bugs.webkit.org/show_bug.cgi?id=191731
2743         <rdar://problem/46017305>
2744
2745         Reviewed by Saam Barati.
2746
2747         * stress/regress-191731.js: Added.
2748
2749 2018-11-13  Saam Barati  <sbarati@apple.com>
2750
2751         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2752         https://bugs.webkit.org/show_bug.cgi?id=191600
2753
2754         Reviewed by Mark Lam.
2755
2756         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2757         (foo):
2758         (test):
2759         (bar):
2760
2761 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2762
2763         Unreviewed, rolling out r238132.
2764
2765         The test added with this change is timing out on Debug JSC
2766         bots.
2767
2768         Reverted changeset:
2769
2770         "[BigInt] JSBigInt::createWithLength should throw when length
2771         is greater than JSBigInt::maxLength"
2772         https://bugs.webkit.org/show_bug.cgi?id=190836
2773         https://trac.webkit.org/changeset/238132
2774
2775 2018-11-13  Mark Lam  <mark.lam@apple.com>
2776
2777         Add OOM detection to StringPrototype's substituteBackreferences().
2778         https://bugs.webkit.org/show_bug.cgi?id=191563
2779         <rdar://problem/45720428>
2780
2781         Reviewed by Saam Barati.
2782
2783         * stress/regress-191563.js: Added.
2784
2785 2018-11-13  Mark Lam  <mark.lam@apple.com>
2786
2787         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2788         https://bugs.webkit.org/show_bug.cgi?id=191579
2789         <rdar://problem/45942472>
2790
2791         Reviewed by Saam Barati.
2792
2793         * stress/regress-191579.js: Added.
2794
2795 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2796
2797         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2798         https://bugs.webkit.org/show_bug.cgi?id=190836
2799
2800         Reviewed by Saam Barati.
2801
2802         * stress/big-int-out-of-memory-tests.js: Added.
2803
2804 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2805
2806         U+180E is no longer a whitespace character
2807         https://bugs.webkit.org/show_bug.cgi?id=191415
2808
2809         Reviewed by Saam Barati.
2810
2811         * ChakraCore/test/es5/regexSpace.baseline:
2812         * ChakraCore/test/es6/unicode_whitespace.js:
2813         Update tests to latest version.
2814         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2815
2816         * test262.yaml:
2817         * test262/config.yaml:
2818         * test262/expectations.yaml:
2819         Update expectations.
2820
2821 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2822
2823         [BigInt] Add support to BigInt into ValueAdd
2824         https://bugs.webkit.org/show_bug.cgi?id=186177
2825
2826         Reviewed by Keith Miller.
2827
2828         * stress/big-int-negate-jit.js:
2829         * stress/value-add-big-int-and-string.js: Added.
2830         * stress/value-add-big-int-prediction-propagation.js: Added.
2831         * stress/value-add-big-int-untyped.js: Added.
2832
2833 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2834
2835         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2836         https://bugs.webkit.org/show_bug.cgi?id=191184
2837
2838         Reviewed by Saam Barati.
2839
2840         Most tests were failing due to timeouts, since they are too slow to
2841         run on CLoop. The exceptions are:
2842
2843         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2844         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2845         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2846         to change the stack size since CLoop requires it to be page aligned.
2847
2848         * microbenchmarks/array-push-1.js:
2849         * microbenchmarks/array-push-2.js:
2850         * microbenchmarks/elidable-new-object-dag.js:
2851         * microbenchmarks/elidable-new-object-roflcopter.js:
2852         * microbenchmarks/elidable-new-object-tree.js:
2853         * microbenchmarks/getter-richards.js:
2854         * microbenchmarks/sinkable-new-object-dag.js:
2855         * microbenchmarks/string-concat-long-convert.js:
2856         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2857         * slowMicrobenchmarks/array-push-3.js:
2858         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2859         * slowMicrobenchmarks/spread-small-array.js:
2860         * slowMicrobenchmarks/undefined-property-access.js:
2861         * stress/activation-sink-default-value-tdz-error.js:
2862         * stress/activation-sink-default-value.js:
2863         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2864         * stress/activation-sink-osrexit-default-value.js:
2865         * stress/activation-sink-osrexit.js:
2866         * stress/activation-sink.js:
2867         * stress/allow-math-ic-b3-code-duplication.js:
2868         * stress/array-push-multiple-int32.js:
2869         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2870         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2871         * stress/arrowfunction-lexical-this-activation-sink.js:
2872         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2873         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2874         * stress/elide-new-object-dag-then-exit.js:
2875         * stress/materialize-regexp-cyclic.js:
2876         * stress/new-regex-inline.js:
2877         * stress/op_add.js:
2878         * stress/op_bitand.js:
2879         * stress/op_bitor.js:
2880         * stress/op_bitxor.js:
2881         * stress/op_div-ConstVar.js:
2882         * stress/op_div-VarConst.js:
2883         * stress/op_div-VarVar.js:
2884         * stress/op_lshift-ConstVar.js:
2885         * stress/op_lshift-VarConst.js:
2886         * stress/op_lshift-VarVar.js:
2887         * stress/op_mod-ConstVar.js:
2888         * stress/op_mod-VarConst.js:
2889         * stress/op_mod-VarVar.js:
2890         * stress/op_mul-ConstVar.js:
2891         * stress/op_mul-VarConst.js:
2892         * stress/op_mul-VarVar.js:
2893         * stress/op_rshift-ConstVar.js:
2894         * stress/op_rshift-VarConst.js:
2895         * stress/op_rshift-VarVar.js:
2896         * stress/op_sub-ConstVar.js:
2897         * stress/op_sub-VarConst.js:
2898         * stress/op_sub-VarVar.js:
2899         * stress/op_urshift-ConstVar.js:
2900         * stress/op_urshift-VarConst.js:
2901         * stress/op_urshift-VarVar.js:
2902         * stress/proxy-get-set-correct-receiver.js:
2903         * stress/regress-179562.js:
2904         * stress/rest-parameter-many-arguments.js:
2905         * stress/sampling-profiler-richards.js:
2906         * stress/splay-flash-access-1ms.js:
2907         * stress/tailCallForwardArguments.js:
2908         * stress/typed-array-get-by-val-profiling.js:
2909         * typeProfiler/getter-richards.js:
2910
2911 2018-11-06  Michael Saboff  <msaboff@apple.com>
2912
2913         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2914         https://bugs.webkit.org/show_bug.cgi?id=191271
2915
2916         Reviewed by Saam Barati.
2917
2918         Added more test cases and made all test cases run with the same deeply recursive stack
2919         instead of finding that same point for each test case.
2920
2921         * stress/regexp-compile-oom.js:
2922         (prototype.runTest):
2923         (recurseAndTest):
2924         (testList.push.new.TestAndExpectedException):
2925
2926 2018-11-05  Michael Saboff  <msaboff@apple.com>
2927
2928         Unreviewed build fix for linux.
2929
2930         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2931
2932 2018-11-02  Michael Saboff  <msaboff@apple.com>
2933
2934         Rolling in r237753 with unreviewed build fix.
2935
2936         Fixed issues with DECLARE_THROW_SCOPE placement.
2937
2938 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2939
2940         Unreviewed, rolling out r237753.
2941
2942         Introduced JSC test failures
2943
2944         Reverted changeset:
2945
2946         "Running out of stack space not properly handled in
2947         RegExp::compile() and its callers"
2948         https://bugs.webkit.org/show_bug.cgi?id=191206
2949         https://trac.webkit.org/changeset/237753
2950
2951 2018-11-02  Michael Saboff  <msaboff@apple.com>
2952
2953         Running out of stack space not properly handled in RegExp::compile() and its callers
2954         https://bugs.webkit.org/show_bug.cgi?id=191206
2955
2956         Reviewed by Filip Pizlo.
2957
2958         New regression test.
2959
2960         * stress/regexp-compile-oom.js: Added.
2961         (recurseAndTest):
2962
2963 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2964
2965         Skip tests on arm/mips that time out now we're running on CLoop
2966
2967         Unreviewed gardening.
2968
2969         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2970         time out on the bots and need to be disabled. There's more tests
2971         disabled on arm because the timeout is longer on the mips bot (as the
2972         device is slower to start with), so many of the tests don't time out
2973         there.
2974
2975         * microbenchmarks/getter-richards.js: disable on arm and mips.
2976         * stress/op_add.js: disable on arm.
2977         * stress/op_bitand.js: disable on arm.
2978         * stress/op_bitor.js: disable on arm.
2979         * stress/op_bitxor.js: disable on arm.
2980         * stress/op_lshift-ConstVar.js: disable on arm.
2981         * stress/op_lshift-VarConst.js: disable on arm.
2982         * stress/op_lshift-VarVar.js: disable on arm.
2983         * stress/op_mod-ConstVar.js: disable on arm.
2984         * stress/op_mod-VarConst.js: disable on arm.
2985         * stress/op_mod-VarVar.js: disable on arm.
2986         * stress/op_mul-ConstVar.js: disable on arm.
2987         * stress/op_mul-VarConst.js: disable on arm.
2988         * stress/op_mul-VarVar.js: disable on arm.
2989         * stress/op_rshift-ConstVar.js: disable on arm.
2990         * stress/op_rshift-VarConst.js: disable on arm.
2991         * stress/op_rshift-VarVar.js: disable on arm.
2992         * stress/op_sub-ConstVar.js: disable on arm.
2993         * stress/op_sub-VarConst.js: disable on arm.
2994         * stress/op_sub-VarVar.js: disable on arm.
2995         * stress/op_urshift-ConstVar.js: disable on arm.
2996         * stress/op_urshift-VarConst.js: disable on arm.
2997         * stress/op_urshift-VarVar.js: disable on arm.
2998         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2999         * stress/value-to-boolean.js: disable on arm and mips.
3000
3001 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3002
3003         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3004         https://bugs.webkit.org/show_bug.cgi?id=191108
3005         <rdar://problem/45690700>
3006
3007         Reviewed by Saam Barati.
3008
3009         * stress/wide-op_catch.js: Added.
3010         (catch):
3011
3012 2018-10-29  Mark Lam  <mark.lam@apple.com>
3013
3014         Correctly detect string overflow when using the 'Function' constructor.
3015         https://bugs.webkit.org/show_bug.cgi?id=184883
3016         <rdar://problem/36320331>
3017
3018         Reviewed by Saam Barati.
3019
3020         I've verified that this passes on 32-bit as well.
3021
3022         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3023
3024 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3025
3026         Add support for GetStack FlushedDouble
3027         https://bugs.webkit.org/show_bug.cgi?id=191012
3028         <rdar://problem/45265141>
3029
3030         Reviewed by Saam Barati.
3031
3032         * stress/get-stack-double.js: Added.
3033         (bar):
3034         (noInline):
3035
3036 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3037
3038         New bytecode format for JSC
3039         https://bugs.webkit.org/show_bug.cgi?id=187373
3040         <rdar://problem/44186758>
3041
3042         Reviewed by Filip Pizlo.
3043
3044         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3045
3046         * stress/maximum-inline-capacity.js: Added.
3047         (test1):
3048         (test3.Foo):
3049         (test3):
3050
3051 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3052
3053         Unreviewed, rolling out r237479 and r237484.
3054         https://bugs.webkit.org/show_bug.cgi?id=190978
3055
3056         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3057
3058         Reverted changesets:
3059
3060         "New bytecode format for JSC"
3061         https://bugs.webkit.org/show_bug.cgi?id=187373
3062         https://trac.webkit.org/changeset/237479
3063
3064         "Gardening: Build fix after r237479."
3065         https://bugs.webkit.org/show_bug.cgi?id=187373
3066         https://trac.webkit.org/changeset/237484
3067
3068 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3069
3070         New bytecode format for JSC
3071         https://bugs.webkit.org/show_bug.cgi?id=187373
3072         <rdar://problem/44186758>
3073
3074         Reviewed by Filip Pizlo.
3075
3076         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3077
3078         * stress/maximum-inline-capacity.js: Added.
3079         (test1):
3080         (test3.Foo):
3081         (test3):
3082
3083 2018-10-26  Mark Lam  <mark.lam@apple.com>
3084
3085         Fix missing edge cases with JSGlobalObjects having a bad time.
3086         https://bugs.webkit.org/show_bug.cgi?id=189028
3087         <rdar://problem/45204939>
3088
3089         Reviewed by Saam Barati.
3090
3091         * stress/regress-189028.js: Added.
3092
3093 2018-10-22  Mark Lam  <mark.lam@apple.com>
3094
3095         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3096         https://bugs.webkit.org/show_bug.cgi?id=190515
3097         <rdar://problem/45222379>
3098
3099         Rubber-stamped by Saam Barati.
3100
3101         Adding another test.
3102
3103         * stress/regress-190515-2.js: Added.
3104
3105 2018-10-22  Mark Lam  <mark.lam@apple.com>
3106
3107         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3108         https://bugs.webkit.org/show_bug.cgi?id=190515
3109         <rdar://problem/45222379>
3110
3111         Reviewed by Saam Barati.
3112
3113         * stress/regress-190515.js: Added.
3114
3115 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3116
3117         Unreviewed, rolling out r237254.
3118         https://bugs.webkit.org/show_bug.cgi?id=190760
3119
3120         "It regresses JetStream 2 by 5% on some iOS devices"
3121         (Requested by saamyjoon on #webkit).
3122
3123         Reverted changeset:
3124
3125         "[JSC] JSC should have "parseFunction" to optimize Function
3126         constructor"
3127         https://bugs.webkit.org/show_bug.cgi?id=190340
3128         https://trac.webkit.org/changeset/237254
3129
3130 2018-10-19  Saam Barati  <sbarati@apple.com>
3131
3132         vmCall should check if we exit before emitting an OSR exit due to exceptions
3133         https://bugs.webkit.org/show_bug.cgi?id=190740
3134         <rdar://problem/45220139>
3135
3136         Reviewed by Mark Lam.
3137
3138         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3139         (foo):
3140
3141 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3142
3143         [ESNext][BigInt] Implement support for "^"
3144         https://bugs.webkit.org/show_bug.cgi?id=186235
3145
3146         Reviewed by Yusuke Suzuki.
3147
3148         * stress/big-int-bitwise-xor-general.js: Added.
3149         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3150         * stress/big-int-bitwise-xor-type-error.js: Added.
3151         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3152
3153 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3154
3155         [BigInt] Add ValueSub into DFG
3156         https://bugs.webkit.org/show_bug.cgi?id=186176
3157
3158         Reviewed by Yusuke Suzuki.
3159
3160         * stress/big-int-subtraction-jit.js:
3161         * stress/value-sub-big-int-prediction-propagation.js: Added.
3162         * stress/value-sub-big-int-untyped.js: Added.
3163         * stress/value-sub-spec-none-case.js: Added.
3164
3165 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3166
3167         [JSC] JSC should have "parseFunction" to optimize Function constructor
3168         https://bugs.webkit.org/show_bug.cgi?id=190340
3169
3170         Reviewed by Mark Lam.
3171
3172         This patch fixes the line number of syntax errors raised by the Function constructor,
3173         since we now parse the final code only once. And we no longer use block statement
3174         for Function constructor's parsing.
3175
3176         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3177         * stress/function-cache-with-parameters-end-position.js: Added.
3178         (shouldBe):
3179         (shouldThrow):
3180         (i.anonymous):
3181         * stress/function-constructor-name.js: Added.
3182         (shouldBe):
3183         (GeneratorFunction):
3184         (AsyncFunction.async):
3185         (AsyncGeneratorFunction.async):
3186         (anonymous):
3187         (async.anonymous):
3188         * test262/expectations.yaml:
3189
3190 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3191
3192         Unreviewed, rolling out r237242.
3193         https://bugs.webkit.org/show_bug.cgi?id=190701
3194
3195         it breaks "stress/sampling-profiler-basic.js" (Requested by
3196         caiolima on #webkit).
3197
3198         Reverted changeset:
3199
3200         "[BigInt] Add ValueSub into DFG"
3201         https://bugs.webkit.org/show_bug.cgi?id=186176
3202         https://trac.webkit.org/changeset/237242
3203
3204 2018-10-17  Keith Miller  <keith_miller@apple.com>
3205
3206         AI does not clear Phantom allocation nodes.
3207         https://bugs.webkit.org/show_bug.cgi?id=190694
3208
3209         Reviewed by Saam Barati.
3210
3211         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3212         (Day):
3213         (DaysInYear):
3214         (TimeInYear):
3215         (TimeFromYear):
3216         (DayFromYear):
3217         (InLeapYear):
3218         (YearFromTime):
3219         (WeekDay):
3220         (DaylightSavingTA):
3221         (GetSecondSundayInMarch):
3222         (TimeInMonth):
3223
3224 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3225
3226         [BigInt] Add ValueSub into DFG
3227         https://bugs.webkit.org/show_bug.cgi?id=186176
3228
3229         Reviewed by Yusuke Suzuki.
3230
3231         * stress/big-int-subtraction-jit.js:
3232         * stress/value-sub-big-int-prediction-propagation.js: Added.
3233         * stress/value-sub-big-int-untyped.js: Added.
3234
3235 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3236
3237         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3238         https://bugs.webkit.org/show_bug.cgi?id=190611
3239
3240         Reviewed by Saam Barati.
3241
3242         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3243         to improve test runtime. On ARM/MIPS this test even timed out when running all
3244         tests.
3245
3246         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3247         (test):
3248
3249 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3250
3251         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3252
3253         Unreviewed gardening.
3254
3255         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3256
3257 2018-10-15  Saam barati  <sbarati@apple.com>
3258
3259         Emit fjcvtzs on ARM64E on Darwin
3260         https://bugs.webkit.org/show_bug.cgi?id=184023
3261
3262         Reviewed by Yusuke Suzuki and Filip Pizlo.
3263
3264         * stress/double-to-int32-NaN.js: Added.
3265         (assert):
3266         (foo):
3267
3268 2018-10-15  Saam Barati  <sbarati@apple.com>
3269
3270         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3271         https://bugs.webkit.org/show_bug.cgi?id=190262
3272         <rdar://problem/44986241>
3273
3274         Reviewed by Mark Lam.
3275
3276         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3277         (test):
3278         * stress/slice-array-storage-with-holes.js: Added.
3279         (main):
3280
3281 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3282
3283         Unreviewed, rolling out r237054.
3284         https://bugs.webkit.org/show_bug.cgi?id=190593
3285
3286         "this regressed JetStream 2 by 6% on iOS" (Requested by
3287         saamyjoon on #webkit).
3288
3289         Reverted changeset:
3290
3291         "[JSC] JSC should have "parseFunction" to optimize Function
3292         constructor"
3293         https://bugs.webkit.org/show_bug.cgi?id=190340
3294         https://trac.webkit.org/changeset/237054
3295
3296 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3297
3298         [JSC] JSON.stringify can accept call-with-no-arguments
3299         https://bugs.webkit.org/show_bug.cgi?id=190343
3300
3301         Reviewed by Mark Lam.
3302
3303         * stress/json-stringify-no-arguments.js: Added.
3304         (shouldBe):
3305
3306 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3307
3308         [JSC] JSC should have "parseFunction" to optimize Function constructor
3309         https://bugs.webkit.org/show_bug.cgi?id=190340
3310
3311         Reviewed by Mark Lam.
3312
3313         This patch fixes the line number of syntax errors raised by the Function constructor,
3314         since we now parse the final code only once. And we no longer use block statement
3315         for Function constructor's parsing.
3316
3317         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3318         * stress/function-cache-with-parameters-end-position.js: Added.
3319         (shouldBe):
3320         (shouldThrow):
3321         (i.anonymous):
3322         * stress/function-constructor-name.js: Added.
3323         (shouldBe):
3324         (GeneratorFunction):
3325         (AsyncFunction.async):
3326         (AsyncGeneratorFunction.async):
3327         (anonymous):
3328         (async.anonymous):
3329         * test262/expectations.yaml:
3330
3331 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3332
3333         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3334         https://bugs.webkit.org/show_bug.cgi?id=190426
3335
3336         Unreviewed gardening.
3337
3338         * stress/sampling-profiler-richards.js:
3339
3340 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3341
3342         [ESNext][BigInt] Implement support for "|"
3343         https://bugs.webkit.org/show_bug.cgi?id=186229
3344
3345         Reviewed by Yusuke Suzuki.
3346
3347         * stress/big-int-bitwise-and-jit.js:
3348         * stress/big-int-bitwise-or-general.js: Added.
3349         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3350         * stress/big-int-bitwise-or-jit.js: Added.
3351         * stress/big-int-bitwise-or-memory-stress.js: Added.
3352         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3353         * stress/big-int-bitwise-or-type-error.js: Added.
3354         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3355
3356 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3357
3358         Skip test on systems with limited memory
3359         https://bugs.webkit.org/show_bug.cgi?id=190310
3360
3361         Invoking runDefault adds test to runlist, skipping the test in the next
3362         line does not prevent the test from executing. Change order of lines such
3363         that runDefault is only executed if test is not executed.
3364
3365         Reviewed by Mark Lam.
3366
3367         * stress/regress-190187.js:
3368
3369 2018-10-03  Saam barati  <sbarati@apple.com>
3370
3371         lowXYZ in FTLLower should always filter the type of the incoming edge
3372         https://bugs.webkit.org/show_bug.cgi?id=189939
3373         <rdar://problem/44407030>
3374
3375         Reviewed by Michael Saboff.
3376
3377         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3378         (foo):
3379         (test):
3380
3381 2018-10-03  Mark Lam  <mark.lam@apple.com>
3382
3383         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3384         https://bugs.webkit.org/show_bug.cgi?id=190187
3385         <rdar://problem/42512909>
3386
3387         Reviewed by Michael Saboff.
3388
3389         * stress/regress-190187.js: Added.
3390
3391 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3392
3393         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3394         https://bugs.webkit.org/show_bug.cgi?id=190033
3395
3396         Reviewed by Yusuke Suzuki.
3397
3398         * stress/big-int-to-string.js:
3399
3400 2018-10-01  Mark Lam  <mark.lam@apple.com>
3401
3402         Function.toString() should also copy the source code Functions that are class definitions.
3403         https://bugs.webkit.org/show_bug.cgi?id=190186
3404         <rdar://problem/44733360>
3405
3406         Reviewed by Saam Barati.
3407
3408         * stress/regress-190186.js: Added.
3409
3410 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3411
3412         Split NaN-check into separate test
3413         https://bugs.webkit.org/show_bug.cgi?id=190010
3414
3415         Reviewed by Saam Barati.
3416
3417         DataView exposes NaN-representation, which is not necessarily the same on each
3418         architecture. Therefore move the check of the NaN-representation into its own
3419         file such that we can disable this test on MIPS where NaN-representation can be
3420         different on older CPUs.
3421
3422         * stress/dataview-jit-set-nan.js: Added.
3423         (assert):
3424         (test.storeLittleEndian):
3425         (test.storeBigEndian):
3426         (test.store):
3427         (test):
3428         * stress/dataview-jit-set.js:
3429         (test5):
3430
3431 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3432
3433         Unreviewed, rolling out r236647.
3434         https://bugs.webkit.org/show_bug.cgi?id=190124
3435
3436         Breaking test stress/big-int-to-string.js (Requested by
3437         caiolima_ on #webkit).
3438
3439         Reverted changeset:
3440
3441         "[BigInt] BigInt.proptotype.toString is broken when radix is
3442         power of 2"
3443         https://bugs.webkit.org/show_bug.cgi?id=190033
3444         https://trac.webkit.org/changeset/236647
3445
3446 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3447
3448         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3449         https://bugs.webkit.org/show_bug.cgi?id=190033
3450
3451         Reviewed by Yusuke Suzuki.
3452
3453         * stress/big-int-to-string.js:
3454
3455 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3456
3457         [ESNext][BigInt] Implement support for "&"
3458         https://bugs.webkit.org/show_bug.cgi?id=186228
3459
3460         Reviewed by Yusuke Suzuki.
3461
3462         * stress/big-int-bitwise-and-general.js: Added.
3463         (assert):
3464         (assert.sameValue):
3465         * stress/big-int-bitwise-and-jit.js: Added.
3466         (let.assert.sameValue):
3467         (bigIntBitAnd):
3468         * stress/big-int-bitwise-and-memory-stress.js: Added.
3469         (assert):
3470         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3471         (assert.sameValue):
3472         (let.o.Symbol.toPrimitive):
3473         (catch):
3474         * stress/big-int-bitwise-and-type-error.js: Added.
3475         (assert):
3476         (assertThrowTypeError):
3477         (let.o.valueOf):
3478         (o.valueOf):
3479         (o.toString):
3480         (o.Symbol.toPrimitive):
3481         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3482         (assert.sameValue):
3483         (testBitAnd):
3484         (let.o.Symbol.toPrimitive):
3485         (o.valueOf):
3486         (o.toString):
3487
3488 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3489
3490         JSC test stress/jsc-read.js doesn't support CRLF
3491         https://bugs.webkit.org/show_bug.cgi?id=190063
3492
3493         Reviewed by Yusuke Suzuki.
3494
3495         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3496
3497         * stress/jsc-read.js:
3498         (test):
3499
3500 2018-09-27  Saam barati  <sbarati@apple.com>
3501
3502         Verify the contents of AssemblerBuffer on arm64e
3503         https://bugs.webkit.org/show_bug.cgi?id=190057
3504         <rdar://problem/38916630>
3505
3506         Reviewed by Mark Lam.
3507
3508         * stress/regress-189132.js:
3509
3510 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3511
3512         Disable test without LLInt on ARMv7
3513         https://bugs.webkit.org/show_bug.cgi?id=190037
3514
3515         Reviewed by Mark Lam.
3516
3517         Test runs out of executable memory on ARMv7, do not run
3518         this test without LLInt enabled.
3519
3520         * stress/regress-169445.js:
3521
3522 2018-09-26  Keith Miller  <keith_miller@apple.com>
3523
3524         We should zero unused property storage when rebalancing array storage.
3525         https://bugs.webkit.org/show_bug.cgi?id=188151
3526
3527         Reviewed by Michael Saboff.
3528
3529         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3530
3531 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3532
3533         [JSC] Optimize Array#lastIndexOf
3534         https://bugs.webkit.org/show_bug.cgi?id=189780
3535
3536         Reviewed by Saam Barati.
3537
3538         * stress/array-lastindexof-array-prototype-trap.js: Added.
3539         (shouldBe):
3540         (AncestorArray.prototype.get 2):
3541         (AncestorArray):
3542         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3543         (shouldBe):
3544         * stress/array-lastindexof-hole-nan.js: Added.
3545         (shouldBe):
3546         (throw.new.Error):
3547         * stress/array-lastindexof-infinity.js: Added.
3548         (shouldBe):
3549         (throw.new.Error):
3550         * stress/array-lastindexof-negative-zero.js: Added.
3551         (shouldBe):
3552         (throw.new.Error):
3553         * stress/array-lastindexof-own-getter.js: Added.
3554         (shouldBe):
3555         (throw.new.Error.get array):
3556         (get array):
3557         * stress/array-lastindexof-prototype-trap.js: Added.
3558         (shouldBe):
3559         (DerivedArray.prototype.get 2):
3560         (DerivedArray):
3561
3562 2018-09-25  Saam Barati  <sbarati@apple.com>
3563
3564         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3565         https://bugs.webkit.org/show_bug.cgi?id=189940
3566         <rdar://problem/43640987>
3567
3568         Reviewed by Mark Lam.
3569
3570         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3571
3572 2018-09-24  Saam Barati  <sbarati@apple.com>
3573
3574         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3575         https://bugs.webkit.org/show_bug.cgi?id=189922
3576         <rdar://problem/44651275>
3577
3578         Reviewed by Mark Lam.
3579
3580         * stress/array-indexof-fast-path-effects.js: Added.
3581         * stress/array-indexof-cached-length.js: Added.
3582
3583 2018-09-24  Saam barati  <sbarati@apple.com>
3584
3585         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3586         https://bugs.webkit.org/show_bug.cgi?id=189682
3587         <rdar://problem/43557315>
3588
3589         Reviewed by Mark Lam.
3590
3591         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3592         (foo):
3593
3594 2018-09-22  Saam barati  <sbarati@apple.com>
3595
3596         The sampling should not use Strong<CodeBlock> in its machineLocation field
3597         https://bugs.webkit.org/show_bug.cgi?id=189319
3598
3599         Reviewed by Filip Pizlo.
3600
3601         * stress/sampling-profiler-richards.js: Added.
3602
3603 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3604
3605         [JSC] Optimize Array#indexOf in C++ runtime
3606         https://bugs.webkit.org/show_bug.cgi?id=189507
3607
3608         Reviewed by Saam Barati.
3609
3610         * stress/array-indexof-array-prototype-trap.js: Added.
3611         (shouldBe):
3612         (AncestorArray.prototype.get 2):
3613         (AncestorArray):
3614         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3615         (shouldBe):
3616         * stress/array-indexof-hole-nan.js: Added.
3617         (shouldBe):
3618         (throw.new.Error):
3619         * stress/array-indexof-infinity.js: Added.
3620         (shouldBe):
3621         (throw.new.Error):
3622         * stress/array-indexof-negative-zero.js: Added.
3623         (shouldBe):
3624         (throw.new.Error):
3625         * stress/array-indexof-own-getter.js: Added.
3626         (shouldBe):
3627         (throw.new.Error.get array):
3628         (get array):
3629         * stress/array-indexof-prototype-trap.js: Added.
3630         (shouldBe):
3631         (DerivedArray.prototype.get 2):
3632         (DerivedArray):
3633
3634 2018-09-19  Saam barati  <sbarati@apple.com>
3635
3636         AI rule for MultiPutByOffset executes its effects in the wrong order
3637         https://bugs.webkit.org/show_bug.cgi?id=189757
3638         <rdar://problem/43535257>
3639
3640         Reviewed by Michael Saboff.
3641
3642         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3643         (foo):
3644         (Foo):
3645         (g):
3646
3647 2018-09-17  Mark Lam  <mark.lam@apple.com>
3648
3649         Ensure that ForInContexts are invalidated if their loop local is over-written.
3650         https://bugs.webkit.org/show_bug.cgi?id=189571
3651         <rdar://problem/44402277>
3652
3653         Reviewed by Saam Barati.
3654
3655         * stress/regress-189571.js: Added.
3656
3657 2018-09-17  Saam barati  <sbarati@apple.com>
3658
3659         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3660         https://bugs.webkit.org/show_bug.cgi?id=189676
3661         <rdar://problem/39682897>
3662
3663         Reviewed by Michael Saboff.
3664
3665         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3666         (A):
3667         (K):
3668         (i.catch):
3669
3670 2018-09-14  Saam barati  <sbarati@apple.com>
3671
3672         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3673         https://bugs.webkit.org/show_bug.cgi?id=189628
3674         <rdar://problem/39481690>
3675
3676         Reviewed by Mark Lam.
3677
3678         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3679         (foo):
3680
3681 2018-09-11  Mark Lam  <mark.lam@apple.com>
3682
3683         Test for array initialization in arrayProtoFuncSplice.
3684         https://bugs.webkit.org/show_bug.cgi?id=170253
3685         <rdar://problem/31328773>
3686
3687         Rubber-stamped by Saam Barati.
3688
3689         * stress/regress-170253.js: Added.
3690
3691 2018-09-11  Mark Lam  <mark.lam@apple.com>
3692
3693         Test for IntlObject initialization.
3694         https://bugs.webkit.org/show_bug.cgi?id=170251
3695         <rdar://problem/31328419>
3696
3697         Rubber-stamped by Saam Barati.
3698
3699         * stress/regress-170251.js: Added.
3700
3701 2018-09-11  Mark Lam  <mark.lam@apple.com>
3702
3703         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3704         https://bugs.webkit.org/show_bug.cgi?id=169889
3705         <rdar://problem/31155607>
3706
3707         Reviewed by Saam Barati.
3708
3709         * stress/regress-169889-array-concat.js: Added.
3710         * stress/regress-169889-array-concat1.js: Added.
3711         * stress/regress-169889-array-slice.js: Added.
3712
3713 2018-09-11  Mark Lam  <mark.lam@apple.com>
3714
3715         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3716         https://bugs.webkit.org/show_bug.cgi?id=169445
3717         <rdar://problem/30957435>
3718
3719         Reviewed by Saam Barati.
3720
3721         * stress/regress-169445.js: Added.
3722         (let.gun.eval.A):
3723         (let.gun.eval.B.C):
3724         (let.gun.eval.B.C.prototype.trigger):
3725         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3726         (let.gun.eval.B):
3727         (let.gun.eval):
3728
3729 == Rolled over to ChangeLog-2018-09-11 ==