JSON.stringify() should throw OOM on StringBuilder overflows.
[WebKit-https.git] / JSTests / ChangeLog
1 2018-12-18  Mark Lam  <mark.lam@apple.com>
2
3         JSON.stringify() should throw OOM on StringBuilder overflows.
4         https://bugs.webkit.org/show_bug.cgi?id=192822
5         <rdar://problem/46670577>
6
7         Reviewed by Saam Barati.
8
9         * stress/json-stringify-string-builder-overflow.js: Added.
10
11 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
12
13         Redeclaration of var over let/const/class should be a syntax error.
14         https://bugs.webkit.org/show_bug.cgi?id=192298
15
16         Reviewed by Keith Miller.
17
18         * test262.yaml:
19         * test262/expectations.yaml:
20         Mark 46 tests as passing.
21
22         * stress/block-scope-redeclarations.js:
23         Add some new tests.
24
25         * stress/for-in-invalidate-context-weird-assignments.js:
26         * stress/for-in-tests.js:
27         Replace tests for outdated behavior with tests for SyntaxError.
28
29         * ChakraCore/test/LetConst/defer3.baseline-jsc:
30         * ChakraCore/test/LetConst/letvar.baseline-jsc:
31         Update expectations.
32
33 2018-12-18  Mark Lam  <mark.lam@apple.com>
34
35         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
36         https://bugs.webkit.org/show_bug.cgi?id=191374
37         <rdar://problem/46525447>
38
39         Reviewed by Yusuke Suzuki.
40
41         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
42
43         * stress/elidable-new-object-roflcopter-then-exit.js:
44
45 2018-12-17  Mark Lam  <mark.lam@apple.com>
46
47         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
48         https://bugs.webkit.org/show_bug.cgi?id=192019
49         <rdar://problem/46525456>
50
51         Reviewed by Yusuke Suzuki.
52
53         The test runs too slow on 32-bit.
54
55         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
56
57 2018-12-17  Mark Lam  <mark.lam@apple.com>
58
59         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
60         https://bugs.webkit.org/show_bug.cgi?id=191373
61         <rdar://problem/46525458>
62
63         Reviewed by Yusuke Suzuki.
64
65         The test is already slow running with a JIT on 64-bit.  It will always time out
66         on 32-bit without a JIT.
67
68         * stress/materialize-regexp-cyclic-regexp.js:
69
70 2018-12-17  Mark Lam  <mark.lam@apple.com>
71
72         Array unshift/shift should not race against the AI in the compiler thread.
73         https://bugs.webkit.org/show_bug.cgi?id=192795
74         <rdar://problem/46724263>
75
76         Reviewed by Saam Barati.
77
78         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
79
80 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
81
82         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
83         https://bugs.webkit.org/show_bug.cgi?id=190047
84
85         Reviewed by Saam Barati.
86
87         * stress/object-keys-cached-zero.js: Added.
88         (shouldBe):
89         (test):
90         * stress/object-keys-changed-attribute.js: Added.
91         (shouldBe):
92         (test):
93         * stress/object-keys-changed-index.js: Added.
94         (shouldBe):
95         (test):
96         * stress/object-keys-changed.js: Added.
97         (shouldBe):
98         (test):
99         * stress/object-keys-indexed-non-cache.js: Added.
100         (shouldBe):
101         (test):
102         * stress/object-keys-overrides-get-property-names.js: Added.
103         (shouldBe):
104         (test):
105         (noInline):
106
107 2018-12-17  Mark Lam  <mark.lam@apple.com>
108
109         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
110         https://bugs.webkit.org/show_bug.cgi?id=192779
111         <rdar://problem/46775869>
112
113         Reviewed by Saam Barati.
114
115         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
116
117 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
118
119         Unreviewed test gardening, address a syntax error in a new test.
120
121         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
122
123 2018-12-17  Mark Lam  <mark.lam@apple.com>
124
125         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
126         https://bugs.webkit.org/show_bug.cgi?id=192776
127         <rdar://problem/46772368>
128
129         Reviewed by Keith Miller.
130
131         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
132
133 2018-12-17  Mark Lam  <mark.lam@apple.com>
134
135         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
136         https://bugs.webkit.org/show_bug.cgi?id=192770
137         <rdar://problem/46449037>
138
139         Reviewed by Keith Miller.
140
141         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
142
143 2018-12-14  Mark Lam  <mark.lam@apple.com>
144
145         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
146         https://bugs.webkit.org/show_bug.cgi?id=192717
147         <rdar://problem/46660677>
148
149         Reviewed by Saam Barati.
150
151         * stress/regress-192717.js: Added.
152
153 2018-12-14  Commit Queue  <commit-queue@webkit.org>
154
155         Unreviewed, rolling out r239153, r239154, and r239155.
156         https://bugs.webkit.org/show_bug.cgi?id=192715
157
158         Caused flaky GC-related crashes seen with layout tests
159         (Requested by ryanhaddad on #webkit).
160
161         Reverted changesets:
162
163         "[JSC] Optimize Object.keys by caching own keys results in
164         StructureRareData"
165         https://bugs.webkit.org/show_bug.cgi?id=190047
166         https://trac.webkit.org/changeset/239153
167
168         "Unreviewed, build fix after r239153"
169         https://bugs.webkit.org/show_bug.cgi?id=190047
170         https://trac.webkit.org/changeset/239154
171
172         "Unreviewed, build fix after r239153, part 2"
173         https://bugs.webkit.org/show_bug.cgi?id=190047
174         https://trac.webkit.org/changeset/239155
175
176 2018-12-14  Keith Miller  <keith_miller@apple.com>
177
178         Callers of JSString::getIndex should check for OOM exceptions
179         https://bugs.webkit.org/show_bug.cgi?id=192709
180
181         Reviewed by Mark Lam.
182
183         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
184
185 2018-12-13  Mark Lam  <mark.lam@apple.com>
186
187         Add a missing exception check.
188         https://bugs.webkit.org/show_bug.cgi?id=192626
189         <rdar://problem/46662163>
190
191         Reviewed by Keith Miller.
192
193         * stress/regress-192626.js: Added.
194
195 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
196
197         [BigInt] Add ValueDiv into DFG
198         https://bugs.webkit.org/show_bug.cgi?id=186178
199
200         Reviewed by Yusuke Suzuki.
201
202         * stress/big-int-div-jit-osr.js: Added.
203         * stress/big-int-div-jit-untyped.js: Added.
204         * stress/value-div-fixup-int32-big-int.js: Added.
205
206 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
207
208         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
209         https://bugs.webkit.org/show_bug.cgi?id=190047
210
211         Reviewed by Keith Miller.
212
213         * stress/object-keys-cached-zero.js: Added.
214         (shouldBe):
215         (test):
216         * stress/object-keys-changed-attribute.js: Added.
217         (shouldBe):
218         (test):
219         * stress/object-keys-changed-index.js: Added.
220         (shouldBe):
221         (test):
222         * stress/object-keys-changed.js: Added.
223         (shouldBe):
224         (test):
225         * stress/object-keys-indexed-non-cache.js: Added.
226         (shouldBe):
227         (test):
228         * stress/object-keys-overrides-get-property-names.js: Added.
229         (shouldBe):
230         (test):
231         (noInline):
232
233 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
234
235         [DFG][FTL] Add NewSymbol
236         https://bugs.webkit.org/show_bug.cgi?id=192620
237
238         Reviewed by Saam Barati.
239
240         * microbenchmarks/symbol-creation.js: Added.
241         (test):
242         * stress/symbol-description-identity.js: Added.
243         (shouldBe):
244         (test):
245         * stress/symbol-identity.js: Added.
246         (shouldBe):
247         (test):
248         * stress/symbol-with-description-throw-error.js: Added.
249         (shouldBe):
250         (shouldThrow):
251         (test):
252         (object.toString):
253
254 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
255
256         [BigInt] Implement DFG/FTL typeof for BigInt
257         https://bugs.webkit.org/show_bug.cgi?id=192619
258
259         Reviewed by Keith Miller.
260
261         * stress/big-int-boolean-proven-type.js: Added.
262         (assert):
263         (bool):
264         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
265         (assert):
266         (typeOf):
267         (i.switch):
268         * stress/big-int-type-of-proven-type-non-constant.js: Added.
269         (assert):
270         (typeOf):
271         * stress/big-int-type-of.js:
272         (typeOf):
273         (func):
274
275 2018-12-10  Mark Lam  <mark.lam@apple.com>
276
277         PropertyAttribute needs a CustomValue bit.
278         https://bugs.webkit.org/show_bug.cgi?id=191993
279         <rdar://problem/46264467>
280
281         Reviewed by Saam Barati.
282
283         * stress/regress-191993.js: Added.
284
285 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
286
287         [BigInt] Add ValueMul into DFG
288         https://bugs.webkit.org/show_bug.cgi?id=186175
289
290         Reviewed by Yusuke Suzuki.
291
292         * stress/big-int-mul-jit-osr.js: Added.
293         * stress/big-int-mul-jit-untyped.js: Added.
294         * stress/value-mul-fixup-int32-big-int.js: Added.
295
296 2018-12-06  Keith Miller  <keith_miller@apple.com>
297
298         stress/big-wasm-memory tests failing on 32-bit JSC bot
299         https://bugs.webkit.org/show_bug.cgi?id=192020
300
301         Reviewed by Saam Barati.
302
303         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
304         the wasm stress tests if the WebAssembly object does not exist.
305
306         * stress/big-wasm-memory-grow-no-max.js:
307         (test.foo):
308         (test):
309         (foo): Deleted.
310         (catch): Deleted.
311         * stress/big-wasm-memory-grow.js:
312         (test.foo):
313         (test):
314         (foo): Deleted.
315         (catch): Deleted.
316         * stress/big-wasm-memory.js:
317         (test.foo):
318         (test):
319         (foo): Deleted.
320         (catch): Deleted.
321
322 2018-12-05  Mark Lam  <mark.lam@apple.com>
323
324         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
325         https://bugs.webkit.org/show_bug.cgi?id=192441
326         <rdar://problem/46480355>
327
328         Reviewed by Saam Barati.
329
330         * stress/regress-192441.js: Added.
331
332 2018-12-04  Mark Lam  <mark.lam@apple.com>
333
334         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
335         https://bugs.webkit.org/show_bug.cgi?id=192386
336         <rdar://problem/46445516>
337
338         Reviewed by Saam Barati.
339
340         * stress/regress-192386.js: Added.
341
342 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
343
344         [ESNext][BigInt] Support logic operations
345         https://bugs.webkit.org/show_bug.cgi?id=179903
346
347         Reviewed by Yusuke Suzuki.
348
349         * stress/big-int-branch-usage.js: Added.
350         * stress/big-int-logical-and.js: Added.
351         * stress/big-int-logical-not.js: Added.
352         * stress/big-int-logical-or.js: Added.
353
354 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
355
356         Unreviewed, rolling out r238833.
357
358         Breaks macOS and iOS debug builds.
359
360         Reverted changeset:
361
362         "[ESNext][BigInt] Support logic operations"
363         https://bugs.webkit.org/show_bug.cgi?id=179903
364         https://trac.webkit.org/changeset/238833
365
366 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
367
368         [ESNext][BigInt] Support logic operations
369         https://bugs.webkit.org/show_bug.cgi?id=179903
370
371         Reviewed by Yusuke Suzuki.
372
373         * stress/big-int-branch-usage.js: Added.
374         * stress/big-int-logical-and.js: Added.
375         * stress/big-int-logical-not.js: Added.
376         * stress/big-int-logical-or.js: Added.
377
378 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
379
380         [ESNext][BigInt] Implement support for "<<" and ">>"
381         https://bugs.webkit.org/show_bug.cgi?id=186233
382
383         Reviewed by Yusuke Suzuki.
384
385         * stress/big-int-left-shift-general.js: Added.
386         * stress/big-int-left-shift-range-error.js: Added.
387         * stress/big-int-left-shift-type-error.js: Added.
388         * stress/big-int-left-shift-wrapped-value.js: Added.
389         * stress/big-int-right-shift-general.js: Added.
390         * stress/big-int-right-shift-type-error.js: Added.
391         * stress/big-int-right-shift-wrapped-value.js: Added.
392         * stress/left-shift-to-primitive-precedence.js: Added.
393         * stress/right-shift-to-primitive-precedence.js: Added.
394
395 2018-11-30  Dean Jackson  <dino@apple.com>
396
397         Add first-class support for .mjs files in jsc binary
398         https://bugs.webkit.org/show_bug.cgi?id=192190
399         <rdar://problem/46375715>
400
401         Reviewed by Keith Miller.
402
403         * stress/simple-module.mjs: Added.
404         * stress/simple-script.js: Added.
405
406 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
407
408         [BigInt] Implement ValueBitXor into DFG
409         https://bugs.webkit.org/show_bug.cgi?id=190264
410
411         Reviewed by Yusuke Suzuki.
412
413         * stress/big-int-bitwise-xor-jit.js: Added.
414         * stress/big-int-bitwise-xor-memory-stress.js: Added.
415         * stress/big-int-bitwise-xor-untyped.js: Added.
416
417 2018-11-27  Saam barati  <sbarati@apple.com>
418
419         r238510 broke scopes of size zero
420         https://bugs.webkit.org/show_bug.cgi?id=192033
421         <rdar://problem/46281734>
422
423         Reviewed by Keith Miller.
424
425         * stress/r238510-bad-loop.js: Added.
426         (foo):
427
428 2018-11-27  Mark Lam  <mark.lam@apple.com>
429
430         [Re-landing] NaNs read from Wasm code needs to be purified.
431         https://bugs.webkit.org/show_bug.cgi?id=191056
432         <rdar://problem/45660341>
433
434         Reviewed by Filip Pizlo.
435
436         * wasm/regress/regress-191056.js: Added.
437
438 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
439
440         Unreviewed, rolling out r238509.
441
442         Causes JSC tests to fail on iOS.
443
444         Reverted changeset:
445
446         "NaNs read from Wasm code needs to be purified."
447         https://bugs.webkit.org/show_bug.cgi?id=191056
448         https://trac.webkit.org/changeset/238509
449
450 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
451
452         Re-introduce op_bitnot
453         https://bugs.webkit.org/show_bug.cgi?id=190923
454
455         Reviewed by Yusuke Suzuki.
456
457         * stress/bit-not-must-generate.js: Added.
458         * stress/bitwise-not-no-int32.js: Added.
459
460 2018-11-26  Saam barati  <sbarati@apple.com>
461
462         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
463         https://bugs.webkit.org/show_bug.cgi?id=191956
464         <rdar://problem/45665806>
465
466         Reviewed by Yusuke Suzuki.
467
468         * stress/end-basic-block-set-local-should-filter-type.js: Added.
469         (bar):
470         (foo):
471
472 2018-11-26  Saam barati  <sbarati@apple.com>
473
474         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
475         https://bugs.webkit.org/show_bug.cgi?id=191958
476         <rdar://problem/46221877>
477
478         Reviewed by Yusuke Suzuki.
479
480         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
481         (x):
482         (foo):
483
484 2018-11-26  Mark Lam  <mark.lam@apple.com>
485
486         NaNs read from Wasm code needs to be purified.
487         https://bugs.webkit.org/show_bug.cgi?id=191056
488         <rdar://problem/45660341>
489
490         Reviewed by Filip Pizlo.
491
492         * wasm/regress/regress-191056.js: Added.
493
494 2018-11-26  Michael Saboff  <msaboff@apple.com>
495
496         32-bit JSC test failure: stress/regexp-compile-oom.js
497         https://bugs.webkit.org/show_bug.cgi?id=191375
498
499         Reviewed by Mark Lam.
500
501         Disabled the test for 32 bit platforms.
502
503         * stress/regexp-compile-oom.js:
504
505 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
506
507         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
508         https://bugs.webkit.org/show_bug.cgi?id=191716
509         <rdar://problem/45723878>
510
511         Reviewed by Saam Barati.
512
513         * stress/regress-187373.js: Added.
514         (async.fn):
515
516 2018-11-21  Saam barati  <sbarati@apple.com>
517
518         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
519         https://bugs.webkit.org/show_bug.cgi?id=191897
520         <rdar://problem/45871998>
521
522         Reviewed by Mark Lam.
523
524         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
525         (bar):
526         (foo):
527
528 2018-11-21  Saam barati  <sbarati@apple.com>
529
530         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
531         https://bugs.webkit.org/show_bug.cgi?id=191895
532         <rdar://problem/46167406>
533
534         Reviewed by Mark Lam.
535
536         * stress/known-cell-use-needs-type-check-assertion.js: Added.
537         (foo):
538         (bar):
539
540 2018-11-21  Mark Lam  <mark.lam@apple.com>
541
542         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
543         https://bugs.webkit.org/show_bug.cgi?id=191776
544         <rdar://problem/46152851>
545
546         Reviewed by Saam Barati.
547
548         * stress/big-wasm-memory-grow-no-max.js:
549         * stress/big-wasm-memory-grow.js:
550         * stress/big-wasm-memory.js:
551         - updated these to expect an OutOfMemoryError.
552
553         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
554         (Binary.prototype.emit_u8):
555         (Binary.prototype.emit_u32v):
556         (Binary.prototype.emit_header):
557         (Binary.prototype.emit_section):
558         (Binary):
559         (WasmModuleBuilder):
560         (WasmModuleBuilder.prototype.addMemory):
561         (WasmModuleBuilder.prototype.toArray):
562         (WasmModuleBuilder.prototype.toBuffer):
563         (WasmModuleBuilder.prototype.instantiate):
564         (catch):
565         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
566         (catch):
567
568 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
569
570         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
571         https://bugs.webkit.org/show_bug.cgi?id=190836
572
573         Reviewed by Saam Barati and Yusuke Suzuki.
574
575         * stress/big-int-out-of-memory-tests.js: Added.
576
577 2018-11-20  Mark Lam  <mark.lam@apple.com>
578
579         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
580         https://bugs.webkit.org/show_bug.cgi?id=191856
581         <rdar://problem/46089992>
582
583         Reviewed by Yusuke Suzuki.
584
585         * stress/regress-191856.js: Added.
586         - this test is skipped for now until we have a fix for webkit.org/b/191855.
587
588 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
589
590         Enable JIT on ARM/Linux
591         https://bugs.webkit.org/show_bug.cgi?id=191548
592
593         Reviewed by Yusuke Suzuki.
594
595         Disable test on system with limited memory. Program was killed by
596         the OS before the exception was thrown.
597
598         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
599
600 2018-11-20  Saam barati  <sbarati@apple.com>
601
602         Merging an IC variant may lead to the IC status containing overlapping structure sets
603         https://bugs.webkit.org/show_bug.cgi?id=191869
604         <rdar://problem/45403453>
605
606         Reviewed by Mark Lam.
607
608         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
609
610 2018-11-19  Mark Lam  <mark.lam@apple.com>
611
612         globalFuncImportModule() should return a promise when it clears exceptions.
613         https://bugs.webkit.org/show_bug.cgi?id=191792
614         <rdar://problem/46090763>
615
616         Reviewed by Michael Saboff.
617
618         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
619
620 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
621
622         Skip new memory-hungry tests on memory limited devices
623
624         Unreviewed gardening.
625
626         * stress/big-wasm-memory-grow-no-max.js:
627         * stress/big-wasm-memory-grow.js:
628         * stress/big-wasm-memory.js:
629
630 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
631
632         Unreviewed, rolling in the rest of r237254
633         https://bugs.webkit.org/show_bug.cgi?id=190340
634
635         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
636         * stress/function-cache-with-parameters-end-position.js: Added.
637         (shouldBe):
638         (shouldThrow):
639         (i.anonymous):
640         * stress/function-constructor-name.js: Added.
641         (shouldBe):
642         (GeneratorFunction):
643         (AsyncFunction.async):
644         (AsyncGeneratorFunction.async):
645         (anonymous):
646         (async.anonymous):
647         * test262/expectations.yaml:
648
649 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
650
651         All users of ArrayBuffer should agree on the same max size
652         https://bugs.webkit.org/show_bug.cgi?id=191771
653
654         Reviewed by Mark Lam.
655
656         * stress/big-wasm-memory-grow-no-max.js: Added.
657         (foo):
658         (catch):
659         * stress/big-wasm-memory-grow.js: Added.
660         (foo):
661         (catch):
662         * stress/big-wasm-memory.js: Added.
663         (foo):
664         (catch):
665
666 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
667
668         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
669         run for each JSC config since they're regression tests for runtime bugs.
670
671         * stress/json-stringified-overflow-2.js:
672         * stress/json-stringified-overflow.js:
673
674 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
675
676         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
677         config since they're regression tests for runtime bugs.
678
679         * stress/large-unshift-splice.js:
680         * stress/regress-185888.js:
681
682 2018-11-16  Saam Barati  <sbarati@apple.com>
683
684         KnownCellUse should also have SpecCellCheck as its type filter
685         https://bugs.webkit.org/show_bug.cgi?id=191729
686         <rdar://problem/45872852>
687
688         Reviewed by Filip Pizlo.
689
690         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
691         (C):
692
693 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
694
695         Fix assertion failure on BytecodeGenerator::recordOpcode
696         https://bugs.webkit.org/show_bug.cgi?id=191724
697         <rdar://problem/45724395>
698
699         Reviewed by Saam Barati.
700
701         * stress/regress-187373-2.js: Added.
702         (foo):
703
704 2018-11-15  Mark Lam  <mark.lam@apple.com>
705
706         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
707         https://bugs.webkit.org/show_bug.cgi?id=191730
708         <rdar://problem/46048517>
709
710         Reviewed by Saam Barati.
711
712         * stress/regress-187006.js: Removed.
713           - this test is invalid because its sole purpose is to test for the non-spec
714             compliant behavior that we just fixed.
715
716         * stress/regress-191730.js: Added.
717
718 2018-11-15  Mark Lam  <mark.lam@apple.com>
719
720         RegExp operations should not take fast path if lastIndex is not numeric.
721         https://bugs.webkit.org/show_bug.cgi?id=191731
722         <rdar://problem/46017305>
723
724         Reviewed by Saam Barati.
725
726         * stress/regress-191731.js: Added.
727
728 2018-11-13  Saam Barati  <sbarati@apple.com>
729
730         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
731         https://bugs.webkit.org/show_bug.cgi?id=191600
732
733         Reviewed by Mark Lam.
734
735         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
736         (foo):
737         (test):
738         (bar):
739
740 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
741
742         Unreviewed, rolling out r238132.
743
744         The test added with this change is timing out on Debug JSC
745         bots.
746
747         Reverted changeset:
748
749         "[BigInt] JSBigInt::createWithLength should throw when length
750         is greater than JSBigInt::maxLength"
751         https://bugs.webkit.org/show_bug.cgi?id=190836
752         https://trac.webkit.org/changeset/238132
753
754 2018-11-13  Mark Lam  <mark.lam@apple.com>
755
756         Add OOM detection to StringPrototype's substituteBackreferences().
757         https://bugs.webkit.org/show_bug.cgi?id=191563
758         <rdar://problem/45720428>
759
760         Reviewed by Saam Barati.
761
762         * stress/regress-191563.js: Added.
763
764 2018-11-13  Mark Lam  <mark.lam@apple.com>
765
766         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
767         https://bugs.webkit.org/show_bug.cgi?id=191579
768         <rdar://problem/45942472>
769
770         Reviewed by Saam Barati.
771
772         * stress/regress-191579.js: Added.
773
774 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
775
776         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
777         https://bugs.webkit.org/show_bug.cgi?id=190836
778
779         Reviewed by Saam Barati.
780
781         * stress/big-int-out-of-memory-tests.js: Added.
782
783 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
784
785         U+180E is no longer a whitespace character
786         https://bugs.webkit.org/show_bug.cgi?id=191415
787
788         Reviewed by Saam Barati.
789
790         * ChakraCore/test/es5/regexSpace.baseline:
791         * ChakraCore/test/es6/unicode_whitespace.js:
792         Update tests to latest version.
793         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
794
795         * test262.yaml:
796         * test262/config.yaml:
797         * test262/expectations.yaml:
798         Update expectations.
799
800 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
801
802         [BigInt] Add support to BigInt into ValueAdd
803         https://bugs.webkit.org/show_bug.cgi?id=186177
804
805         Reviewed by Keith Miller.
806
807         * stress/big-int-negate-jit.js:
808         * stress/value-add-big-int-and-string.js: Added.
809         * stress/value-add-big-int-prediction-propagation.js: Added.
810         * stress/value-add-big-int-untyped.js: Added.
811
812 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
813
814         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
815         https://bugs.webkit.org/show_bug.cgi?id=191184
816
817         Reviewed by Saam Barati.
818
819         Most tests were failing due to timeouts, since they are too slow to
820         run on CLoop. The exceptions are:
821
822         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
823         dont-crash-on-stack-overflow-when-parsing-builtin.js and
824         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
825         to change the stack size since CLoop requires it to be page aligned.
826
827         * microbenchmarks/array-push-1.js:
828         * microbenchmarks/array-push-2.js:
829         * microbenchmarks/elidable-new-object-dag.js:
830         * microbenchmarks/elidable-new-object-roflcopter.js:
831         * microbenchmarks/elidable-new-object-tree.js:
832         * microbenchmarks/getter-richards.js:
833         * microbenchmarks/sinkable-new-object-dag.js:
834         * microbenchmarks/string-concat-long-convert.js:
835         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
836         * slowMicrobenchmarks/array-push-3.js:
837         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
838         * slowMicrobenchmarks/spread-small-array.js:
839         * slowMicrobenchmarks/undefined-property-access.js:
840         * stress/activation-sink-default-value-tdz-error.js:
841         * stress/activation-sink-default-value.js:
842         * stress/activation-sink-osrexit-default-value-tdz-error.js:
843         * stress/activation-sink-osrexit-default-value.js:
844         * stress/activation-sink-osrexit.js:
845         * stress/activation-sink.js:
846         * stress/allow-math-ic-b3-code-duplication.js:
847         * stress/array-push-multiple-int32.js:
848         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
849         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
850         * stress/arrowfunction-lexical-this-activation-sink.js:
851         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
852         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
853         * stress/elide-new-object-dag-then-exit.js:
854         * stress/materialize-regexp-cyclic.js:
855         * stress/new-regex-inline.js:
856         * stress/op_add.js:
857         * stress/op_bitand.js:
858         * stress/op_bitor.js:
859         * stress/op_bitxor.js:
860         * stress/op_div-ConstVar.js:
861         * stress/op_div-VarConst.js:
862         * stress/op_div-VarVar.js:
863         * stress/op_lshift-ConstVar.js:
864         * stress/op_lshift-VarConst.js:
865         * stress/op_lshift-VarVar.js:
866         * stress/op_mod-ConstVar.js:
867         * stress/op_mod-VarConst.js:
868         * stress/op_mod-VarVar.js:
869         * stress/op_mul-ConstVar.js:
870         * stress/op_mul-VarConst.js:
871         * stress/op_mul-VarVar.js:
872         * stress/op_rshift-ConstVar.js:
873         * stress/op_rshift-VarConst.js:
874         * stress/op_rshift-VarVar.js:
875         * stress/op_sub-ConstVar.js:
876         * stress/op_sub-VarConst.js:
877         * stress/op_sub-VarVar.js:
878         * stress/op_urshift-ConstVar.js:
879         * stress/op_urshift-VarConst.js:
880         * stress/op_urshift-VarVar.js:
881         * stress/proxy-get-set-correct-receiver.js:
882         * stress/regress-179562.js:
883         * stress/rest-parameter-many-arguments.js:
884         * stress/sampling-profiler-richards.js:
885         * stress/splay-flash-access-1ms.js:
886         * stress/tailCallForwardArguments.js:
887         * stress/typed-array-get-by-val-profiling.js:
888         * typeProfiler/getter-richards.js:
889
890 2018-11-06  Michael Saboff  <msaboff@apple.com>
891
892         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
893         https://bugs.webkit.org/show_bug.cgi?id=191271
894
895         Reviewed by Saam Barati.
896
897         Added more test cases and made all test cases run with the same deeply recursive stack
898         instead of finding that same point for each test case.
899
900         * stress/regexp-compile-oom.js:
901         (prototype.runTest):
902         (recurseAndTest):
903         (testList.push.new.TestAndExpectedException):
904
905 2018-11-05  Michael Saboff  <msaboff@apple.com>
906
907         Unreviewed build fix for linux.
908
909         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
910
911 2018-11-02  Michael Saboff  <msaboff@apple.com>
912
913         Rolling in r237753 with unreviewed build fix.
914
915         Fixed issues with DECLARE_THROW_SCOPE placement.
916
917 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
918
919         Unreviewed, rolling out r237753.
920
921         Introduced JSC test failures
922
923         Reverted changeset:
924
925         "Running out of stack space not properly handled in
926         RegExp::compile() and its callers"
927         https://bugs.webkit.org/show_bug.cgi?id=191206
928         https://trac.webkit.org/changeset/237753
929
930 2018-11-02  Michael Saboff  <msaboff@apple.com>
931
932         Running out of stack space not properly handled in RegExp::compile() and its callers
933         https://bugs.webkit.org/show_bug.cgi?id=191206
934
935         Reviewed by Filip Pizlo.
936
937         New regression test.
938
939         * stress/regexp-compile-oom.js: Added.
940         (recurseAndTest):
941
942 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
943
944         Skip tests on arm/mips that time out now we're running on CLoop
945
946         Unreviewed gardening.
947
948         Since the JIT is temporarily disabled on 32-bit platforms, these tests
949         time out on the bots and need to be disabled. There's more tests
950         disabled on arm because the timeout is longer on the mips bot (as the
951         device is slower to start with), so many of the tests don't time out
952         there.
953
954         * microbenchmarks/getter-richards.js: disable on arm and mips.
955         * stress/op_add.js: disable on arm.
956         * stress/op_bitand.js: disable on arm.
957         * stress/op_bitor.js: disable on arm.
958         * stress/op_bitxor.js: disable on arm.
959         * stress/op_lshift-ConstVar.js: disable on arm.
960         * stress/op_lshift-VarConst.js: disable on arm.
961         * stress/op_lshift-VarVar.js: disable on arm.
962         * stress/op_mod-ConstVar.js: disable on arm.
963         * stress/op_mod-VarConst.js: disable on arm.
964         * stress/op_mod-VarVar.js: disable on arm.
965         * stress/op_mul-ConstVar.js: disable on arm.
966         * stress/op_mul-VarConst.js: disable on arm.
967         * stress/op_mul-VarVar.js: disable on arm.
968         * stress/op_rshift-ConstVar.js: disable on arm.
969         * stress/op_rshift-VarConst.js: disable on arm.
970         * stress/op_rshift-VarVar.js: disable on arm.
971         * stress/op_sub-ConstVar.js: disable on arm.
972         * stress/op_sub-VarConst.js: disable on arm.
973         * stress/op_sub-VarVar.js: disable on arm.
974         * stress/op_urshift-ConstVar.js: disable on arm.
975         * stress/op_urshift-VarConst.js: disable on arm.
976         * stress/op_urshift-VarVar.js: disable on arm.
977         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
978         * stress/value-to-boolean.js: disable on arm and mips.
979
980 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
981
982         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
983         https://bugs.webkit.org/show_bug.cgi?id=191108
984         <rdar://problem/45690700>
985
986         Reviewed by Saam Barati.
987
988         * stress/wide-op_catch.js: Added.
989         (catch):
990
991 2018-10-29  Mark Lam  <mark.lam@apple.com>
992
993         Correctly detect string overflow when using the 'Function' constructor.
994         https://bugs.webkit.org/show_bug.cgi?id=184883
995         <rdar://problem/36320331>
996
997         Reviewed by Saam Barati.
998
999         I've verified that this passes on 32-bit as well.
1000
1001         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1002
1003 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1004
1005         Add support for GetStack FlushedDouble
1006         https://bugs.webkit.org/show_bug.cgi?id=191012
1007         <rdar://problem/45265141>
1008
1009         Reviewed by Saam Barati.
1010
1011         * stress/get-stack-double.js: Added.
1012         (bar):
1013         (noInline):
1014
1015 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
1016
1017         New bytecode format for JSC
1018         https://bugs.webkit.org/show_bug.cgi?id=187373
1019         <rdar://problem/44186758>
1020
1021         Reviewed by Filip Pizlo.
1022
1023         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1024
1025         * stress/maximum-inline-capacity.js: Added.
1026         (test1):
1027         (test3.Foo):
1028         (test3):
1029
1030 2018-10-26  Commit Queue  <commit-queue@webkit.org>
1031
1032         Unreviewed, rolling out r237479 and r237484.
1033         https://bugs.webkit.org/show_bug.cgi?id=190978
1034
1035         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
1036
1037         Reverted changesets:
1038
1039         "New bytecode format for JSC"
1040         https://bugs.webkit.org/show_bug.cgi?id=187373
1041         https://trac.webkit.org/changeset/237479
1042
1043         "Gardening: Build fix after r237479."
1044         https://bugs.webkit.org/show_bug.cgi?id=187373
1045         https://trac.webkit.org/changeset/237484
1046
1047 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
1048
1049         New bytecode format for JSC
1050         https://bugs.webkit.org/show_bug.cgi?id=187373
1051         <rdar://problem/44186758>
1052
1053         Reviewed by Filip Pizlo.
1054
1055         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
1056
1057         * stress/maximum-inline-capacity.js: Added.
1058         (test1):
1059         (test3.Foo):
1060         (test3):
1061
1062 2018-10-26  Mark Lam  <mark.lam@apple.com>
1063
1064         Fix missing edge cases with JSGlobalObjects having a bad time.
1065         https://bugs.webkit.org/show_bug.cgi?id=189028
1066         <rdar://problem/45204939>
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/regress-189028.js: Added.
1071
1072 2018-10-22  Mark Lam  <mark.lam@apple.com>
1073
1074         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1075         https://bugs.webkit.org/show_bug.cgi?id=190515
1076         <rdar://problem/45222379>
1077
1078         Rubber-stamped by Saam Barati.
1079
1080         Adding another test.
1081
1082         * stress/regress-190515-2.js: Added.
1083
1084 2018-10-22  Mark Lam  <mark.lam@apple.com>
1085
1086         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
1087         https://bugs.webkit.org/show_bug.cgi?id=190515
1088         <rdar://problem/45222379>
1089
1090         Reviewed by Saam Barati.
1091
1092         * stress/regress-190515.js: Added.
1093
1094 2018-10-19  Commit Queue  <commit-queue@webkit.org>
1095
1096         Unreviewed, rolling out r237254.
1097         https://bugs.webkit.org/show_bug.cgi?id=190760
1098
1099         "It regresses JetStream 2 by 5% on some iOS devices"
1100         (Requested by saamyjoon on #webkit).
1101
1102         Reverted changeset:
1103
1104         "[JSC] JSC should have "parseFunction" to optimize Function
1105         constructor"
1106         https://bugs.webkit.org/show_bug.cgi?id=190340
1107         https://trac.webkit.org/changeset/237254
1108
1109 2018-10-19  Saam Barati  <sbarati@apple.com>
1110
1111         vmCall should check if we exit before emitting an OSR exit due to exceptions
1112         https://bugs.webkit.org/show_bug.cgi?id=190740
1113         <rdar://problem/45220139>
1114
1115         Reviewed by Mark Lam.
1116
1117         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1118         (foo):
1119
1120 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1121
1122         [ESNext][BigInt] Implement support for "^"
1123         https://bugs.webkit.org/show_bug.cgi?id=186235
1124
1125         Reviewed by Yusuke Suzuki.
1126
1127         * stress/big-int-bitwise-xor-general.js: Added.
1128         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1129         * stress/big-int-bitwise-xor-type-error.js: Added.
1130         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1131
1132 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1133
1134         [BigInt] Add ValueSub into DFG
1135         https://bugs.webkit.org/show_bug.cgi?id=186176
1136
1137         Reviewed by Yusuke Suzuki.
1138
1139         * stress/big-int-subtraction-jit.js:
1140         * stress/value-sub-big-int-prediction-propagation.js: Added.
1141         * stress/value-sub-big-int-untyped.js: Added.
1142         * stress/value-sub-spec-none-case.js: Added.
1143
1144 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1145
1146         [JSC] JSC should have "parseFunction" to optimize Function constructor
1147         https://bugs.webkit.org/show_bug.cgi?id=190340
1148
1149         Reviewed by Mark Lam.
1150
1151         This patch fixes the line number of syntax errors raised by the Function constructor,
1152         since we now parse the final code only once. And we no longer use block statement
1153         for Function constructor's parsing.
1154
1155         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1156         * stress/function-cache-with-parameters-end-position.js: Added.
1157         (shouldBe):
1158         (shouldThrow):
1159         (i.anonymous):
1160         * stress/function-constructor-name.js: Added.
1161         (shouldBe):
1162         (GeneratorFunction):
1163         (AsyncFunction.async):
1164         (AsyncGeneratorFunction.async):
1165         (anonymous):
1166         (async.anonymous):
1167         * test262/expectations.yaml:
1168
1169 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1170
1171         Unreviewed, rolling out r237242.
1172         https://bugs.webkit.org/show_bug.cgi?id=190701
1173
1174         it breaks "stress/sampling-profiler-basic.js" (Requested by
1175         caiolima on #webkit).
1176
1177         Reverted changeset:
1178
1179         "[BigInt] Add ValueSub into DFG"
1180         https://bugs.webkit.org/show_bug.cgi?id=186176
1181         https://trac.webkit.org/changeset/237242
1182
1183 2018-10-17  Keith Miller  <keith_miller@apple.com>
1184
1185         AI does not clear Phantom allocation nodes.
1186         https://bugs.webkit.org/show_bug.cgi?id=190694
1187
1188         Reviewed by Saam Barati.
1189
1190         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1191         (Day):
1192         (DaysInYear):
1193         (TimeInYear):
1194         (TimeFromYear):
1195         (DayFromYear):
1196         (InLeapYear):
1197         (YearFromTime):
1198         (WeekDay):
1199         (DaylightSavingTA):
1200         (GetSecondSundayInMarch):
1201         (TimeInMonth):
1202
1203 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1204
1205         [BigInt] Add ValueSub into DFG
1206         https://bugs.webkit.org/show_bug.cgi?id=186176
1207
1208         Reviewed by Yusuke Suzuki.
1209
1210         * stress/big-int-subtraction-jit.js:
1211         * stress/value-sub-big-int-prediction-propagation.js: Added.
1212         * stress/value-sub-big-int-untyped.js: Added.
1213
1214 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1215
1216         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1217         https://bugs.webkit.org/show_bug.cgi?id=190611
1218
1219         Reviewed by Saam Barati.
1220
1221         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1222         to improve test runtime. On ARM/MIPS this test even timed out when running all
1223         tests.
1224
1225         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1226         (test):
1227
1228 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1229
1230         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1231
1232         Unreviewed gardening.
1233
1234         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1235
1236 2018-10-15  Saam barati  <sbarati@apple.com>
1237
1238         Emit fjcvtzs on ARM64E on Darwin
1239         https://bugs.webkit.org/show_bug.cgi?id=184023
1240
1241         Reviewed by Yusuke Suzuki and Filip Pizlo.
1242
1243         * stress/double-to-int32-NaN.js: Added.
1244         (assert):
1245         (foo):
1246
1247 2018-10-15  Saam Barati  <sbarati@apple.com>
1248
1249         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1250         https://bugs.webkit.org/show_bug.cgi?id=190262
1251         <rdar://problem/44986241>
1252
1253         Reviewed by Mark Lam.
1254
1255         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1256         (test):
1257         * stress/slice-array-storage-with-holes.js: Added.
1258         (main):
1259
1260 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1261
1262         Unreviewed, rolling out r237054.
1263         https://bugs.webkit.org/show_bug.cgi?id=190593
1264
1265         "this regressed JetStream 2 by 6% on iOS" (Requested by
1266         saamyjoon on #webkit).
1267
1268         Reverted changeset:
1269
1270         "[JSC] JSC should have "parseFunction" to optimize Function
1271         constructor"
1272         https://bugs.webkit.org/show_bug.cgi?id=190340
1273         https://trac.webkit.org/changeset/237054
1274
1275 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1276
1277         [JSC] JSON.stringify can accept call-with-no-arguments
1278         https://bugs.webkit.org/show_bug.cgi?id=190343
1279
1280         Reviewed by Mark Lam.
1281
1282         * stress/json-stringify-no-arguments.js: Added.
1283         (shouldBe):
1284
1285 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1286
1287         [JSC] JSC should have "parseFunction" to optimize Function constructor
1288         https://bugs.webkit.org/show_bug.cgi?id=190340
1289
1290         Reviewed by Mark Lam.
1291
1292         This patch fixes the line number of syntax errors raised by the Function constructor,
1293         since we now parse the final code only once. And we no longer use block statement
1294         for Function constructor's parsing.
1295
1296         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1297         * stress/function-cache-with-parameters-end-position.js: Added.
1298         (shouldBe):
1299         (shouldThrow):
1300         (i.anonymous):
1301         * stress/function-constructor-name.js: Added.
1302         (shouldBe):
1303         (GeneratorFunction):
1304         (AsyncFunction.async):
1305         (AsyncGeneratorFunction.async):
1306         (anonymous):
1307         (async.anonymous):
1308         * test262/expectations.yaml:
1309
1310 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1311
1312         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1313         https://bugs.webkit.org/show_bug.cgi?id=190426
1314
1315         Unreviewed gardening.
1316
1317         * stress/sampling-profiler-richards.js:
1318
1319 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1320
1321         [ESNext][BigInt] Implement support for "|"
1322         https://bugs.webkit.org/show_bug.cgi?id=186229
1323
1324         Reviewed by Yusuke Suzuki.
1325
1326         * stress/big-int-bitwise-and-jit.js:
1327         * stress/big-int-bitwise-or-general.js: Added.
1328         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1329         * stress/big-int-bitwise-or-jit.js: Added.
1330         * stress/big-int-bitwise-or-memory-stress.js: Added.
1331         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1332         * stress/big-int-bitwise-or-type-error.js: Added.
1333         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1334
1335 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1336
1337         Skip test on systems with limited memory
1338         https://bugs.webkit.org/show_bug.cgi?id=190310
1339
1340         Invoking runDefault adds test to runlist, skipping the test in the next
1341         line does not prevent the test from executing. Change order of lines such
1342         that runDefault is only executed if test is not executed.
1343
1344         Reviewed by Mark Lam.
1345
1346         * stress/regress-190187.js:
1347
1348 2018-10-03  Saam barati  <sbarati@apple.com>
1349
1350         lowXYZ in FTLLower should always filter the type of the incoming edge
1351         https://bugs.webkit.org/show_bug.cgi?id=189939
1352         <rdar://problem/44407030>
1353
1354         Reviewed by Michael Saboff.
1355
1356         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1357         (foo):
1358         (test):
1359
1360 2018-10-03  Mark Lam  <mark.lam@apple.com>
1361
1362         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1363         https://bugs.webkit.org/show_bug.cgi?id=190187
1364         <rdar://problem/42512909>
1365
1366         Reviewed by Michael Saboff.
1367
1368         * stress/regress-190187.js: Added.
1369
1370 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1371
1372         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1373         https://bugs.webkit.org/show_bug.cgi?id=190033
1374
1375         Reviewed by Yusuke Suzuki.
1376
1377         * stress/big-int-to-string.js:
1378
1379 2018-10-01  Mark Lam  <mark.lam@apple.com>
1380
1381         Function.toString() should also copy the source code Functions that are class definitions.
1382         https://bugs.webkit.org/show_bug.cgi?id=190186
1383         <rdar://problem/44733360>
1384
1385         Reviewed by Saam Barati.
1386
1387         * stress/regress-190186.js: Added.
1388
1389 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1390
1391         Split NaN-check into separate test
1392         https://bugs.webkit.org/show_bug.cgi?id=190010
1393
1394         Reviewed by Saam Barati.
1395
1396         DataView exposes NaN-representation, which is not necessarily the same on each
1397         architecture. Therefore move the check of the NaN-representation into its own
1398         file such that we can disable this test on MIPS where NaN-representation can be
1399         different on older CPUs.
1400
1401         * stress/dataview-jit-set-nan.js: Added.
1402         (assert):
1403         (test.storeLittleEndian):
1404         (test.storeBigEndian):
1405         (test.store):
1406         (test):
1407         * stress/dataview-jit-set.js:
1408         (test5):
1409
1410 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1411
1412         Unreviewed, rolling out r236647.
1413         https://bugs.webkit.org/show_bug.cgi?id=190124
1414
1415         Breaking test stress/big-int-to-string.js (Requested by
1416         caiolima_ on #webkit).
1417
1418         Reverted changeset:
1419
1420         "[BigInt] BigInt.prototype.toString is broken when radix is
1421         power of 2"
1422         https://bugs.webkit.org/show_bug.cgi?id=190033
1423         https://trac.webkit.org/changeset/236647
1424
1425 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1426
1427         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1428         https://bugs.webkit.org/show_bug.cgi?id=190033
1429
1430         Reviewed by Yusuke Suzuki.
1431
1432         * stress/big-int-to-string.js:
1433
1434 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1435
1436         [ESNext][BigInt] Implement support for "&"
1437         https://bugs.webkit.org/show_bug.cgi?id=186228
1438
1439         Reviewed by Yusuke Suzuki.
1440
1441         * stress/big-int-bitwise-and-general.js: Added.
1442         (assert):
1443         (assert.sameValue):
1444         * stress/big-int-bitwise-and-jit.js: Added.
1445         (let.assert.sameValue):
1446         (bigIntBitAnd):
1447         * stress/big-int-bitwise-and-memory-stress.js: Added.
1448         (assert):
1449         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1450         (assert.sameValue):
1451         (let.o.Symbol.toPrimitive):
1452         (catch):
1453         * stress/big-int-bitwise-and-type-error.js: Added.
1454         (assert):
1455         (assertThrowTypeError):
1456         (let.o.valueOf):
1457         (o.valueOf):
1458         (o.toString):
1459         (o.Symbol.toPrimitive):
1460         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1461         (assert.sameValue):
1462         (testBitAnd):
1463         (let.o.Symbol.toPrimitive):
1464         (o.valueOf):
1465         (o.toString):
1466
1467 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1468
1469         JSC test stress/jsc-read.js doesn't support CRLF
1470         https://bugs.webkit.org/show_bug.cgi?id=190063
1471
1472         Reviewed by Yusuke Suzuki.
1473
1474         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1475
1476         * stress/jsc-read.js:
1477         (test):
1478
1479 2018-09-27  Saam barati  <sbarati@apple.com>
1480
1481         Verify the contents of AssemblerBuffer on arm64e
1482         https://bugs.webkit.org/show_bug.cgi?id=190057
1483         <rdar://problem/38916630>
1484
1485         Reviewed by Mark Lam.
1486
1487         * stress/regress-189132.js:
1488
1489 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1490
1491         Disable test without LLInt on ARMv7
1492         https://bugs.webkit.org/show_bug.cgi?id=190037
1493
1494         Reviewed by Mark Lam.
1495
1496         Test runs out of executable memory on ARMv7, do not run
1497         this test without LLInt enabled.
1498
1499         * stress/regress-169445.js:
1500
1501 2018-09-26  Keith Miller  <keith_miller@apple.com>
1502
1503         We should zero unused property storage when rebalancing array storage.
1504         https://bugs.webkit.org/show_bug.cgi?id=188151
1505
1506         Reviewed by Michael Saboff.
1507
1508         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1509
1510 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1511
1512         [JSC] Optimize Array#lastIndexOf
1513         https://bugs.webkit.org/show_bug.cgi?id=189780
1514
1515         Reviewed by Saam Barati.
1516
1517         * stress/array-lastindexof-array-prototype-trap.js: Added.
1518         (shouldBe):
1519         (AncestorArray.prototype.get 2):
1520         (AncestorArray):
1521         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1522         (shouldBe):
1523         * stress/array-lastindexof-hole-nan.js: Added.
1524         (shouldBe):
1525         (throw.new.Error):
1526         * stress/array-lastindexof-infinity.js: Added.
1527         (shouldBe):
1528         (throw.new.Error):
1529         * stress/array-lastindexof-negative-zero.js: Added.
1530         (shouldBe):
1531         (throw.new.Error):
1532         * stress/array-lastindexof-own-getter.js: Added.
1533         (shouldBe):
1534         (throw.new.Error.get array):
1535         (get array):
1536         * stress/array-lastindexof-prototype-trap.js: Added.
1537         (shouldBe):
1538         (DerivedArray.prototype.get 2):
1539         (DerivedArray):
1540
1541 2018-09-25  Saam Barati  <sbarati@apple.com>
1542
1543         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1544         https://bugs.webkit.org/show_bug.cgi?id=189940
1545         <rdar://problem/43640987>
1546
1547         Reviewed by Mark Lam.
1548
1549         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1550
1551 2018-09-24  Saam Barati  <sbarati@apple.com>
1552
1553         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1554         https://bugs.webkit.org/show_bug.cgi?id=189922
1555         <rdar://problem/44651275>
1556
1557         Reviewed by Mark Lam.
1558
1559         * stress/array-indexof-fast-path-effects.js: Added.
1560         * stress/array-indexof-cached-length.js: Added.
1561
1562 2018-09-24  Saam barati  <sbarati@apple.com>
1563
1564         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1565         https://bugs.webkit.org/show_bug.cgi?id=189682
1566         <rdar://problem/43557315>
1567
1568         Reviewed by Mark Lam.
1569
1570         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1571         (foo):
1572
1573 2018-09-22  Saam barati  <sbarati@apple.com>
1574
1575         The sampling should not use Strong<CodeBlock> in its machineLocation field
1576         https://bugs.webkit.org/show_bug.cgi?id=189319
1577
1578         Reviewed by Filip Pizlo.
1579
1580         * stress/sampling-profiler-richards.js: Added.
1581
1582 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1583
1584         [JSC] Optimize Array#indexOf in C++ runtime
1585         https://bugs.webkit.org/show_bug.cgi?id=189507
1586
1587         Reviewed by Saam Barati.
1588
1589         * stress/array-indexof-array-prototype-trap.js: Added.
1590         (shouldBe):
1591         (AncestorArray.prototype.get 2):
1592         (AncestorArray):
1593         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1594         (shouldBe):
1595         * stress/array-indexof-hole-nan.js: Added.
1596         (shouldBe):
1597         (throw.new.Error):
1598         * stress/array-indexof-infinity.js: Added.
1599         (shouldBe):
1600         (throw.new.Error):
1601         * stress/array-indexof-negative-zero.js: Added.
1602         (shouldBe):
1603         (throw.new.Error):
1604         * stress/array-indexof-own-getter.js: Added.
1605         (shouldBe):
1606         (throw.new.Error.get array):
1607         (get array):
1608         * stress/array-indexof-prototype-trap.js: Added.
1609         (shouldBe):
1610         (DerivedArray.prototype.get 2):
1611         (DerivedArray):
1612
1613 2018-09-19  Saam barati  <sbarati@apple.com>
1614
1615         AI rule for MultiPutByOffset executes its effects in the wrong order
1616         https://bugs.webkit.org/show_bug.cgi?id=189757
1617         <rdar://problem/43535257>
1618
1619         Reviewed by Michael Saboff.
1620
1621         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1622         (foo):
1623         (Foo):
1624         (g):
1625
1626 2018-09-17  Mark Lam  <mark.lam@apple.com>
1627
1628         Ensure that ForInContexts are invalidated if their loop local is over-written.
1629         https://bugs.webkit.org/show_bug.cgi?id=189571
1630         <rdar://problem/44402277>
1631
1632         Reviewed by Saam Barati.
1633
1634         * stress/regress-189571.js: Added.
1635
1636 2018-09-17  Saam barati  <sbarati@apple.com>
1637
1638         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1639         https://bugs.webkit.org/show_bug.cgi?id=189676
1640         <rdar://problem/39682897>
1641
1642         Reviewed by Michael Saboff.
1643
1644         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1645         (A):
1646         (K):
1647         (i.catch):
1648
1649 2018-09-14  Saam barati  <sbarati@apple.com>
1650
1651         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1652         https://bugs.webkit.org/show_bug.cgi?id=189628
1653         <rdar://problem/39481690>
1654
1655         Reviewed by Mark Lam.
1656
1657         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1658         (foo):
1659
1660 2018-09-11  Mark Lam  <mark.lam@apple.com>
1661
1662         Test for array initialization in arrayProtoFuncSplice.
1663         https://bugs.webkit.org/show_bug.cgi?id=170253
1664         <rdar://problem/31328773>
1665
1666         Rubber-stamped by Saam Barati.
1667
1668         * stress/regress-170253.js: Added.
1669
1670 2018-09-11  Mark Lam  <mark.lam@apple.com>
1671
1672         Test for IntlObject initialization.
1673         https://bugs.webkit.org/show_bug.cgi?id=170251
1674         <rdar://problem/31328419>
1675
1676         Rubber-stamped by Saam Barati.
1677
1678         * stress/regress-170251.js: Added.
1679
1680 2018-09-11  Mark Lam  <mark.lam@apple.com>
1681
1682         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1683         https://bugs.webkit.org/show_bug.cgi?id=169889
1684         <rdar://problem/31155607>
1685
1686         Reviewed by Saam Barati.
1687
1688         * stress/regress-169889-array-concat.js: Added.
1689         * stress/regress-169889-array-concat1.js: Added.
1690         * stress/regress-169889-array-slice.js: Added.
1691
1692 2018-09-11  Mark Lam  <mark.lam@apple.com>
1693
1694         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1695         https://bugs.webkit.org/show_bug.cgi?id=169445
1696         <rdar://problem/30957435>
1697
1698         Reviewed by Saam Barati.
1699
1700         * stress/regress-169445.js: Added.
1701         (let.gun.eval.A):
1702         (let.gun.eval.B.C):
1703         (let.gun.eval.B.C.prototype.trigger):
1704         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1705         (let.gun.eval.B):
1706         (let.gun.eval):
1707
1708 == Rolled over to ChangeLog-2018-09-11 ==