DFG should be able to constant fold Object.create() with a constant prototype operand
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2
3         DFG should be able to constant fold Object.create() with a constant prototype operand
4         https://bugs.webkit.org/show_bug.cgi?id=196886
5
6         Reviewed by Yusuke Suzuki.
7
8         Note that this new benchmark does not currently see a speedup with inlining removed.
9         The reason is that we do not yet have inline caching for Object.create(); we only optimize it when the DFG can see statically the prototype being passed.
10
11         * microbenchmarks/object-create-constant-prototype.js: Added.
12         (test):
13
14 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
15
16         Incremental bytecode cache should not append function updates when loaded from memory
17         https://bugs.webkit.org/show_bug.cgi?id=196865
18
19         Reviewed by Filip Pizlo.
20
21         * stress/bytecode-cache-shared-code-block.js: Added.
22         (b):
23         (program):
24
25 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
26
27         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
28         https://bugs.webkit.org/show_bug.cgi?id=196880
29
30         Reviewed by Yusuke Suzuki.
31
32         * stress/bytecode-cache-syntax-error.js: Added.
33         (catch):
34
35 2019-04-12  Saam barati  <sbarati@apple.com>
36
37         r244079 logically broke shouldSpeculateInt52
38         https://bugs.webkit.org/show_bug.cgi?id=196884
39
40         Reviewed by Yusuke Suzuki.
41
42         * microbenchmarks/int52-rand-function.js: Added.
43         (Math.random):
44
45 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
46
47         [JSC] op_has_indexed_property should not assume subscript part is Uint32
48         https://bugs.webkit.org/show_bug.cgi?id=196850
49
50         Reviewed by Saam Barati.
51
52         * stress/has-indexed-property-should-accept-non-int32.js: Added.
53         (foo):
54
55 2019-04-11  Saam barati  <sbarati@apple.com>
56
57         Remove invalid assertion in operationInstanceOfCustom
58         https://bugs.webkit.org/show_bug.cgi?id=196842
59         <rdar://problem/49725493>
60
61         Reviewed by Michael Saboff.
62
63         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
64
65 2019-04-10  Saam Barati  <sbarati@apple.com>
66
67         AbstractValue::validateOSREntryValue is wrong for Int52 constants
68         https://bugs.webkit.org/show_bug.cgi?id=196801
69         <rdar://problem/49771122>
70
71         Reviewed by Yusuke Suzuki.
72
73         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
74
75 2019-04-10  Robin Morisset  <rmorisset@apple.com>
76
77         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
78         https://bugs.webkit.org/show_bug.cgi?id=196746
79
80         Reviewed by Yusuke Suzuki.
81
82         * stress/cyclic-define-properties.js: Added.
83         (foo):
84
85 2019-04-09  Saam barati  <sbarati@apple.com>
86
87         Clean up Int52 code and some bugs in it
88         https://bugs.webkit.org/show_bug.cgi?id=196639
89         <rdar://problem/49515757>
90
91         Reviewed by Yusuke Suzuki.
92
93         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
94
95 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
96
97         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
98         https://bugs.webkit.org/show_bug.cgi?id=196708
99         <rdar://problem/49556803>
100
101         Reviewed by Yusuke Suzuki.
102
103         * stress/proxy-getter-stack-overflow.js: Added.
104         (const.handler.get target):
105         (const.handler.has):
106         (try.with):
107         (catch):
108
109 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
110
111         [JSC] DFG should respect node's strict flag
112         https://bugs.webkit.org/show_bug.cgi?id=196617
113
114         Reviewed by Saam Barati.
115
116         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
117         (shouldEqual):
118         (makeUnwriteableUnconfigurableObject):
119         (runTest):
120         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
121         (shouldBe):
122         (shouldThrow):
123         (with.result):
124         (with.putValueStrict):
125         (with.putValueSloppy):
126
127 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
128
129         [JSC] isRope jump in StringSlice should not jump over register allocations
130         https://bugs.webkit.org/show_bug.cgi?id=196716
131
132         Reviewed by Saam Barati.
133
134         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
135         (foo.bar):
136         (foo):
137
138 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] to_index_string should not assume incoming value is Uint32
141         https://bugs.webkit.org/show_bug.cgi?id=196713
142
143         Reviewed by Saam Barati.
144
145         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
146         (foo):
147
148 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
149
150         [JSC] Add more tests for r243966
151         https://bugs.webkit.org/show_bug.cgi?id=196711
152
153         Reviewed by Saam Barati.
154
155         Adding one more test for r243966 fix. The added test will not crash after r243966.
156
157         * stress/stress-cleared-calllinkinfo.js: Added.
158         (runNearStackLimit.t):
159         (runNearStackLimit):
160         (repeat):
161         (cls):
162         (let.item.of.array.runNearStackLimit):
163
164 2019-04-08  Saam Barati  <sbarati@apple.com>
165
166         WebAssembly.RuntimeError missing exception check
167         https://bugs.webkit.org/show_bug.cgi?id=196700
168         <rdar://problem/49693932>
169
170         Reviewed by Yusuke Suzuki.
171
172         * wasm/js-api/runtime-error-should-exception-check.js: Added.
173
174 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
175
176         Unreviewed, rolling in r243948 with test fix
177         https://bugs.webkit.org/show_bug.cgi?id=196486
178
179         * stress/arrow-function-and-use-strict-directive.js: Added.
180         * stress/arrow-function-syntax.js: Added.
181         (checkSyntax):
182         (checkSyntaxError):
183
184 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
185
186         Unreviewed, rolling out r243948.
187
188         Caused inspector/runtime/parse.html to fail
189
190         Reverted changeset:
191
192         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
193         https://bugs.webkit.org/show_bug.cgi?id=196486
194         https://trac.webkit.org/changeset/243948
195
196 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
197
198         Unreviewed, rolling out r243943.
199
200         Caused test262 failures.
201
202         Reverted changeset:
203
204         "[JSC] Filter DontEnum properties in
205         ProxyObject::getOwnPropertyNames()"
206         https://bugs.webkit.org/show_bug.cgi?id=176810
207         https://trac.webkit.org/changeset/243943
208
209 2019-04-07  Michael Saboff  <msaboff@apple.com>
210
211         REGRESSION (r243642): Crash in reddit.com page
212         https://bugs.webkit.org/show_bug.cgi?id=196684
213
214         Reviewed by Geoffrey Garen.
215
216         New regression test.
217
218         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
219
220 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
221
222         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
223         https://bugs.webkit.org/show_bug.cgi?id=196683
224
225         Reviewed by Saam Barati.
226
227         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
228         (foo):
229
230 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
231
232         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
233         https://bugs.webkit.org/show_bug.cgi?id=196582
234
235         Reviewed by Saam Barati.
236
237         * stress/add-overflow-check-with-three-same-registers.js: Added.
238         (foo):
239         (Number.prototype.valueOf):
240         (runWithNumber):
241
242 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
243
244         Unreviewed, rolling out r243665.
245
246         Caused iOS JSC tests to exit with an exception.
247
248         Reverted changeset:
249
250         "Assertion failed in JSC::createError"
251         https://bugs.webkit.org/show_bug.cgi?id=196305
252         https://trac.webkit.org/changeset/243665
253
254 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
257         https://bugs.webkit.org/show_bug.cgi?id=196486
258
259         Reviewed by Saam Barati.
260
261         * stress/arrow-function-and-use-strict-directive.js: Added.
262         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
263         (checkSyntax):
264         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
265
266 2019-04-05  Caitlin Potter  <caitp@igalia.com>
267
268         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
269         https://bugs.webkit.org/show_bug.cgi?id=176810
270
271         Reviewed by Saam Barati.
272
273         Add tests for the DontEnum filtering, and variations of other tests
274         take the DontEnum-filtering path.
275
276         * stress/proxy-own-keys.js:
277         (i.catch):
278         (set assert):
279         (set add):
280         (let.set new):
281         (get let):
282
283 2019-04-05  Caitlin Potter  <caitp@igalia.com>
284
285         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
286         https://bugs.webkit.org/show_bug.cgi?id=185211
287
288         Reviewed by Saam Barati.
289
290         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
291
292         This changes several assertions to expect a TypeError to be thrown (in some cases,
293         changing the expected message).
294
295         * es6/Proxy_ownKeys_duplicates.js:
296         (handler):
297         (shouldThrow):
298         (test):
299         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
300         (shouldThrow):
301         * stress/proxy-own-keys.js:
302         (i.catch):
303         (assert):
304
305 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
306
307         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
308         https://bugs.webkit.org/show_bug.cgi?id=196631
309
310         Reviewed by Saam Barati.
311
312         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
313         (assert):
314         (test):
315         (foo):
316
317 2019-04-04  Saam Barati  <sbarati@apple.com>
318
319         Unreviewed. Make the test from r243906 catch the thrown exceptions.
320
321         * stress/inferred-types-regex-matches-array.js:
322
323 2019-04-04  Saam Barati  <sbarati@apple.com>
324
325         createRegExpMatchesArray does not respect inferred types
326         https://bugs.webkit.org/show_bug.cgi?id=193287
327
328         Reviewed by Yusuke Suzuki.
329
330         This checks in the test case for 193287. This issue was discovered by
331         Samuel Groß of Google Project Zero.
332
333         * stress/inferred-types-regex-matches-array.js: Added.
334
335 2019-04-04  Saam barati  <sbarati@apple.com>
336
337         Teach Call ICs how to call Wasm
338         https://bugs.webkit.org/show_bug.cgi?id=196387
339
340         Reviewed by Filip Pizlo.
341
342         * wasm/function-tests/stack-trace.js:
343
344 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
345
346         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
347         https://bugs.webkit.org/show_bug.cgi?id=194944
348
349         Reviewed by Keith Miller.
350
351         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
352
353 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
354
355         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
356         https://bugs.webkit.org/show_bug.cgi?id=196409
357
358         Reviewed by Saam Barati.
359
360         * stress/bytecode-cache-cached-string-impl.js: Added.
361         (f):
362         (g):
363         * stress/bytecode-cache-run-string.js: Added.
364
365 2019-04-03  Robin Morisset  <rmorisset@apple.com>
366
367         B3 should use associativity to optimize expression trees
368         https://bugs.webkit.org/show_bug.cgi?id=194081
369
370         Reviewed by Filip Pizlo.
371
372         Added three microbenchmarks:
373         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
374         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
375           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
376         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
377
378         * microbenchmarks/add-tree.js: Added.
379         * microbenchmarks/bit-or-tree.js: Added.
380         * microbenchmarks/bit-xor-tree.js: Added.
381
382 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
383
384         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
385         https://bugs.webkit.org/show_bug.cgi?id=196574
386
387         Reviewed by Saam Barati.
388
389         * stress/string-index-of-exception-check.js: Added.
390         (blurType):
391         (1.forEach):
392
393 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
394
395         Assertion failed in JSC::createError
396         https://bugs.webkit.org/show_bug.cgi?id=196305
397         <rdar://problem/49387382>
398
399         Reviewed by Saam Barati.
400
401         * stress/create-error-out-of-memory-rope-string-2.js: Added.
402         (assert):
403         (catch):
404
405 2019-03-28  Saam Barati  <sbarati@apple.com>
406
407         BackwardsGraph needs to consider back edges as the backward's root successor
408         https://bugs.webkit.org/show_bug.cgi?id=195991
409
410         Reviewed by Filip Pizlo.
411
412         * stress/map-b3-licm-infinite-loop.js: Added.
413
414 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
415
416         CodeBlock::jettison() should disallow repatching its own calls
417         https://bugs.webkit.org/show_bug.cgi?id=196359
418         <rdar://problem/48973663>
419
420         Reviewed by Saam Barati.
421
422         * stress/call-link-info-osrexit-repatch.js: Added.
423         (foo):
424
425 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
426
427         [JSC] imports-oom.js intermittently fails
428         https://bugs.webkit.org/show_bug.cgi?id=196373
429
430         Reviewed by Saam Barati.
431
432         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
433         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
434         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
435         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
436         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
437
438         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
439         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
440
441         * wasm/lowExecutableMemory/imports-oom.js:
442
443 2019-03-27  Saam Barati  <sbarati@apple.com>
444
445         validateOSREntryValue with Int52 should box the value being checked into double format
446         https://bugs.webkit.org/show_bug.cgi?id=196313
447         <rdar://problem/49306703>
448
449         Reviewed by Yusuke Suzuki.
450
451         * stress/validate-int-52-ai-state.js: Added.
452
453 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
454
455         [JSC] Owner of watchpoints should validate at GC finalizing phase
456         https://bugs.webkit.org/show_bug.cgi?id=195827
457
458         Reviewed by Filip Pizlo.
459
460         * stress/gc-should-reap-dead-watchpoints.js: Added.
461         (foo):
462         (A.prototype.y):
463         (A):
464
465 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
466
467         Skip WebAssembly test on 32-bit systems
468         https://bugs.webkit.org/show_bug.cgi?id=196206
469
470         Reviewed by Saam Barati.
471
472         Invoking runDefault executes test immediately even though
473         that test should be skipped due to missing WASM support.
474         Therefore remove runDefault.
475
476         * wasm/regress/web-assembly-link-error-exception-check.js:
477
478 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
479
480         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
481         https://bugs.webkit.org/show_bug.cgi?id=196217
482
483         Reviewed by Saam Barati.
484
485         Re-enable all NaN tests for f32.min, f64.min and f64.max.
486
487         * wasm/spec-tests/f32.wast.js:
488         * wasm/spec-tests/f64.wast.js:
489         * wasm/wasm.json:
490
491 2019-03-25  Keith Miller  <keith_miller@apple.com>
492
493         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
494         https://bugs.webkit.org/show_bug.cgi?id=196176
495
496         Reviewed by Saam Barati.
497
498         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
499         (main.v10):
500         (main):
501
502 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
503
504         WebAssembly: f32.max with NaN generates incorrect result
505         https://bugs.webkit.org/show_bug.cgi?id=175691
506         <rdar://problem/33952228>
507
508         Reviewed by Saam Barati.
509
510         Enable all f32.max NaN tests
511
512         * wasm/spec-tests/f32.wast.js:
513         * wasm/wasm.json:
514
515 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
516
517         [JSC] Move test into directory for WASM tests
518         https://bugs.webkit.org/show_bug.cgi?id=196187
519
520         Reviewed by Mark Lam.
521
522         Move Test into wasm-directory. Otherwise this test
523         is also executed on systems without WASM support.
524
525         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
526
527 2019-03-23  Mark Lam  <mark.lam@apple.com>
528
529         Rolling out r243032 and r243071 because the fix is incorrect.
530         https://bugs.webkit.org/show_bug.cgi?id=195892
531         <rdar://problem/48981239>
532
533         Not reviewed.
534
535         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
536
537 2019-03-22  Mark Lam  <mark.lam@apple.com>
538
539         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
540         https://bugs.webkit.org/show_bug.cgi?id=196154
541         <rdar://problem/49145307>
542
543         Reviewed by Filip Pizlo.
544
545         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
546         There's no need to run this test on more than 1 test configuration.
547
548         * stress/typed-array-lastIndexOf-exception-check.js: Added.
549         * stress/web-assembly-link-error-exception-check.js:
550
551 2019-03-22  Mark Lam  <mark.lam@apple.com>
552
553         Placate exception check validation in constructJSWebAssemblyLinkError().
554         https://bugs.webkit.org/show_bug.cgi?id=196152
555         <rdar://problem/49145257>
556
557         Reviewed by Michael Saboff.
558
559         * stress/web-assembly-link-error-exception-check.js: Added.
560
561 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
562
563         Skip tests running out of memory on ARM/MIPS
564         https://bugs.webkit.org/show_bug.cgi?id=196131
565
566         Unreviewed. Skip test if memory is limited.
567
568         * microbenchmarks/put-by-val-direct-large-index.js:
569
570 2019-03-21  Mark Lam  <mark.lam@apple.com>
571
572         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
573         https://bugs.webkit.org/show_bug.cgi?id=196116
574         <rdar://problem/48976951>
575
576         Reviewed by Filip Pizlo.
577
578         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
579
580 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
581
582         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
583         https://bugs.webkit.org/show_bug.cgi?id=196078
584         <rdar://problem/35925380>
585
586         Reviewed by Mark Lam.
587
588         Add a new benchmark that allocates several objects and invokes put_by_val_direct
589         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
590
591         * microbenchmarks/put-by-val-direct-large-index.js: Added.
592
593 2019-03-21  Mark Lam  <mark.lam@apple.com>
594
595         Placate exception check validation in operationArrayIndexOfString().
596         https://bugs.webkit.org/show_bug.cgi?id=196067
597         <rdar://problem/49056572>
598
599         Reviewed by Michael Saboff.
600
601         * stress/string-equal-exception-check.js: Added.
602
603 2019-03-21  Mark Lam  <mark.lam@apple.com>
604
605         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
606         https://bugs.webkit.org/show_bug.cgi?id=196055
607         <rdar://problem/49067448>
608
609         Reviewed by Yusuke Suzuki.
610
611         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
612
613 2019-03-20  Saam Barati  <sbarati@apple.com>
614
615         typeOfDoubleSum is wrong for when NaN can be produced
616         https://bugs.webkit.org/show_bug.cgi?id=196030
617
618         Reviewed by Filip Pizlo.
619
620         * stress/double-add-sub-mul-can-produce-nan.js: Added.
621         (assert):
622         (noInline.sub):
623         (noInline):
624         (assert.mul):
625         (assert.add):
626
627 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
628
629         Update the test to ensure OutOfMemoryError is thrown as intended
630         https://bugs.webkit.org/show_bug.cgi?id=196032
631         <rdar://problem/46842740>
632
633         Rubber stamped by Saam Barati.
634
635         * stress/create-error-out-of-memory-rope-string.js:
636         (assert):
637         (catch):
638
639 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
640
641         JSC::createError needs to check for OOM in errorDescriptionForValue
642         https://bugs.webkit.org/show_bug.cgi?id=196032
643         <rdar://problem/46842740>
644
645         Reviewed by Mark Lam.
646
647         * stress/create-error-out-of-memory-rope-string.js: Added.
648
649 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
650
651         Unreviewed, reduce # of iterations to avoid timing out after r242991
652         https://bugs.webkit.org/show_bug.cgi?id=195791
653
654         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
655
656         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
657
658 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
659
660         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
661         https://bugs.webkit.org/show_bug.cgi?id=195950
662
663         Unreviewed, reducing the amount of memory used on this test to avoid
664         OOM on devices with memory restrictions.
665
666         * microbenchmarks/generate-multiple-llint-entrypoints.js:
667
668 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
669
670         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
671         https://bugs.webkit.org/show_bug.cgi?id=194648
672
673         Reviewed by Keith Miller.
674
675         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
676
677 2019-03-18  Mark Lam  <mark.lam@apple.com>
678
679         Missing a ThrowScope release in JSObject::toString().
680         https://bugs.webkit.org/show_bug.cgi?id=195893
681         <rdar://problem/48970986>
682
683         Reviewed by Michael Saboff.
684
685         * stress/to-string-exception-check-release.js: Added.
686
687 2019-03-18  Mark Lam  <mark.lam@apple.com>
688
689         Structure::flattenDictionary() should clear unused property slots.
690         https://bugs.webkit.org/show_bug.cgi?id=195871
691         <rdar://problem/48959497>
692
693         Reviewed by Michael Saboff.
694
695         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
696
697 2019-03-15  Mark Lam  <mark.lam@apple.com>
698
699         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
700         https://bugs.webkit.org/show_bug.cgi?id=195827
701         <rdar://problem/48845513>
702
703         Reviewed by Filip Pizlo.
704
705         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
706
707 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
708
709         [ARM,MIPS] Skip slow tests
710         https://bugs.webkit.org/show_bug.cgi?id=195799
711
712         Unreviewed, test does not finish on ARM and MIPS within the
713         timeout limit.
714
715         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
716
717 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
718
719         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
720         https://bugs.webkit.org/show_bug.cgi?id=195791
721         <rdar://problem/48806130>
722
723         Reviewed by Mark Lam.
724
725         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
726         (foo):
727
728 2019-03-14  Saam barati  <sbarati@apple.com>
729
730         We can't remove code after ForceOSRExit until after FixupPhase
731         https://bugs.webkit.org/show_bug.cgi?id=186916
732         <rdar://problem/41396612>
733
734         Reviewed by Yusuke Suzuki.
735
736         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
737         (foo):
738         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
739         (foo):
740
741 2019-03-13  Michael Saboff  <msaboff@apple.com>
742
743         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
744         https://bugs.webkit.org/show_bug.cgi?id=195735
745
746         Reviewed by Mark Lam.
747
748         New regression test.
749
750         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
751         (foo):
752         (bar):
753
754 2019-03-14  Saam barati  <sbarati@apple.com>
755
756         Fixup uses KnownInt32 incorrectly in some nodes
757         https://bugs.webkit.org/show_bug.cgi?id=195279
758         <rdar://problem/47915654>
759
760         Reviewed by Yusuke Suzuki.
761
762         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
763         (foo):
764
765 2019-03-14  Keith Miller  <keith_miller@apple.com>
766
767         DFG liveness can't skip tail caller inline frames
768         https://bugs.webkit.org/show_bug.cgi?id=195715
769
770         Reviewed by Saam Barati.
771
772         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
773         (i.foo):
774
775 2019-03-13  Mark Lam  <mark.lam@apple.com>
776
777         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
778         https://bugs.webkit.org/show_bug.cgi?id=195415
779
780         Not reviewed.
781
782         Changed these tests to only run the default configuration.
783         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
784         There's no strong need to run this test on that variant.
785
786         * stress/dfg-to-string-on-int-does-gc.js:
787         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
788
789 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
790
791         String overflow when using StringBuilder in JSC::createError
792         https://bugs.webkit.org/show_bug.cgi?id=194957
793
794         Reviewed by Mark Lam.
795
796         Add test string-overflow-createError-builder.js that overflows
797         StringBuilder in notAFunctionSourceAppender. The second new test
798         string-overflow-createError-fit.js has an error message that doesn't
799         overflow, it still failed since the String's capacity can't be doubled.
800         Run test string-overflow-createError.js only in the default
801         configuration to reduce memory consumption when running the test
802         in all configurations on multiple CPUs in parallel.
803
804         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
805         (catch):
806         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
807         (catch):
808         * stress/string-overflow-createError.js:
809
810 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
811
812         [JSC] OSR entry should respect abstract values in addition to flush formats
813         https://bugs.webkit.org/show_bug.cgi?id=195653
814
815         Reviewed by Mark Lam.
816
817         * stress/osr-entry-locals-none.js: Added.
818
819 2019-03-12  Michael Saboff  <msaboff@apple.com>
820
821         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
822         https://bugs.webkit.org/show_bug.cgi?id=195613
823
824         Reviewed by Mark Lam.
825
826         New regression test.
827
828         * stress/regexp-backref-inbounds.js: Added.
829         (testRegExp):
830
831 2019-03-12  Mark Lam  <mark.lam@apple.com>
832
833         The HasIndexedProperty node does GC.
834         https://bugs.webkit.org/show_bug.cgi?id=195559
835         <rdar://problem/48767923>
836
837         Reviewed by Yusuke Suzuki.
838
839         * stress/HasIndexedProperty-does-gc.js: Added.
840
841 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
842
843         [ESNext][BigInt] Implement "~" unary operation
844         https://bugs.webkit.org/show_bug.cgi?id=182216
845
846         Reviewed by Keith Miller.
847
848         * stress/big-int-bit-not-general.js: Added.
849         * stress/big-int-bitwise-not-jit.js: Added.
850         * stress/big-int-bitwise-not-wrapped-value.js: Added.
851         * stress/bit-op-with-object-returning-int32.js:
852         * stress/bitwise-not-fixup-rules.js: Added.
853         * stress/value-bit-not-ai-rule.js: Added.
854
855 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
856
857         Invalid flags in a RegExp literal should be an early SyntaxError
858         https://bugs.webkit.org/show_bug.cgi?id=195514
859
860         Reviewed by Darin Adler.
861
862         * test262/expectations.yaml:
863         Mark 4 test cases as passing.
864
865         * stress/regexp-syntax-error-invalid-flags.js:
866         * stress/regress-161995.js: Removed.
867         Update existing test, merging in an older test for the same behavior.
868
869 2019-03-08  Mark Lam  <mark.lam@apple.com>
870
871         Stack overflow crash in JSC::JSObject::hasInstance.
872         https://bugs.webkit.org/show_bug.cgi?id=195458
873         <rdar://problem/48710195>
874
875         Reviewed by Yusuke Suzuki.
876
877         * stress/stack-overflow-in-custom-hasInstance.js: Added.
878
879 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
880
881         op_check_tdz does not def its argument
882         https://bugs.webkit.org/show_bug.cgi?id=192880
883         <rdar://problem/46221598>
884
885         Reviewed by Saam Barati.
886
887         * microbenchmarks/let-for-in.js: Added.
888         (foo):
889
890 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
891
892         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
893         https://bugs.webkit.org/show_bug.cgi?id=195429
894
895         Reviewed by Saam Barati.
896
897         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
898         (foo):
899         * stress/string-from-char-code-255.js: Added.
900
901 2019-03-06  Mark Lam  <mark.lam@apple.com>
902
903         Fix incorrect handling of try-finally completion values.
904         https://bugs.webkit.org/show_bug.cgi?id=195131
905         <rdar://problem/46222079>
906
907         Reviewed by Saam Barati and Yusuke Suzuki.
908
909         Added many permutations of new test case to test-finally.js.  test-finally.js has
910         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
911         tests pass there as well.
912
913         * stress/test-finally.js:
914
915 2019-03-06  Saam Barati  <sbarati@apple.com>
916
917         Air::reportUsedRegisters must padInterference
918         https://bugs.webkit.org/show_bug.cgi?id=195303
919         <rdar://problem/48270343>
920
921         Reviewed by Keith Miller.
922
923         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
924
925 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
926
927         [JSC] AI should not propagate AbstractValue relying on constant folding phase
928         https://bugs.webkit.org/show_bug.cgi?id=195375
929
930         Reviewed by Saam Barati.
931
932         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
933         (let.array):
934
935 2019-03-05  Saam barati  <sbarati@apple.com>
936
937         op_switch_char broken for rope strings after JSRopeString layout rewrite
938         https://bugs.webkit.org/show_bug.cgi?id=195339
939         <rdar://problem/48592545>
940
941         Reviewed by Yusuke Suzuki.
942
943         * stress/switch-on-char-llint-rope.js: Added.
944
945 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
946
947         [JSC] Store bits for JSRopeString in 3 stores
948         https://bugs.webkit.org/show_bug.cgi?id=195234
949
950         Reviewed by Saam Barati.
951
952         * stress/null-rope-and-collectors.js: Added.
953
954 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
955
956         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
957         https://bugs.webkit.org/show_bug.cgi?id=195207
958
959         Unreviewed. After test runtime was reduced in r242213, test can be
960         run again on ARM/MIPS.
961
962         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
963
964 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
965
966         [JSC] sizeof(JSString) should be 16
967         https://bugs.webkit.org/show_bug.cgi?id=194375
968
969         Reviewed by Saam Barati.
970
971         * microbenchmarks/make-rope.js: Added.
972         (makeRope):
973         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
974         (returnRope.helper): Deleted.
975         (returnRope): Deleted.
976
977 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
978
979         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
980         https://bugs.webkit.org/show_bug.cgi?id=195144
981
982         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
983         Change the number from 1e8 to 1e5.
984
985         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
986         (foo):
987
988 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
989
990         Test times out on ARM/MIPS
991         https://bugs.webkit.org/show_bug.cgi?id=195168
992
993         Unreviewed. Skip test on ARM/MIPS.
994
995         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
996
997 2019-02-27  Mark Lam  <mark.lam@apple.com>
998
999         The parser is failing to record the token location of new in new.target.
1000         https://bugs.webkit.org/show_bug.cgi?id=195127
1001         <rdar://problem/39645578>
1002
1003         Reviewed by Yusuke Suzuki.
1004
1005         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1006
1007 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1008
1009         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1010         https://bugs.webkit.org/show_bug.cgi?id=195144
1011         <rdar://problem/47595961>
1012
1013         Reviewed by Mark Lam.
1014
1015         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1016         (bar):
1017         (foo):
1018         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1019         (bar):
1020         (foo):
1021
1022 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1023
1024         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1025         https://bugs.webkit.org/show_bug.cgi?id=194945
1026         <rdar://problem/48311657>
1027
1028         Reviewed by Mark Lam.
1029
1030         * stress/licm-dead-code.js: Added.
1031
1032 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1033
1034         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1035         https://bugs.webkit.org/show_bug.cgi?id=194677
1036         <rdar://problem/48112492>
1037
1038         Reviewed by Mark Lam.
1039
1040         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1041         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1042         it immediately fails due to the large size.
1043
1044         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1045         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
1046         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1047         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1048
1049         This patch changes the test to produce 16bit string from String.fromCharCode.
1050
1051         * stress/regress-178386.js:
1052
1053 2019-02-26  Mark Lam  <mark.lam@apple.com>
1054
1055         wasmToJS() should purify incoming NaNs.
1056         https://bugs.webkit.org/show_bug.cgi?id=194807
1057         <rdar://problem/48189132>
1058
1059         Reviewed by Saam Barati.
1060
1061         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1062
1063 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1064
1065         [JSC] Repeat string created from Array.prototype.join() take too much memory
1066         https://bugs.webkit.org/show_bug.cgi?id=193912
1067
1068         Reviewed by Saam Barati.
1069
1070         Added a test and a microbenchmark for corner cases of
1071         Array.prototype.join() with an uninitialized array.
1072
1073         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1074         * stress/array-prototype-join-uninitialized.js: Added.
1075         (testArray):
1076         (testABC):
1077         (B):
1078         (C):
1079
1080 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1081
1082         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1083         https://bugs.webkit.org/show_bug.cgi?id=194953
1084         <rdar://problem/47595253>
1085
1086         Reviewed by Saam Barati.
1087
1088         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1089
1090         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1091
1092 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1093
1094         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1095         https://bugs.webkit.org/show_bug.cgi?id=172848
1096         <rdar://problem/25709212>
1097
1098         Reviewed by Mark Lam.
1099
1100         * typeProfiler/inheritance.js:
1101         Rewrite the test slightly for clarity. The hoisting was confusing.
1102
1103         * heapProfiler/class-names.js: Added.
1104         (MyES5Class):
1105         (MyES6Class):
1106         (MyES6Subclass):
1107         Test object types and improved class names.
1108
1109         * heapProfiler/driver/driver.js:
1110         (CheapHeapSnapshotNode):
1111         (CheapHeapSnapshot):
1112         (createCheapHeapSnapshot):
1113         (HeapSnapshot):
1114         (createHeapSnapshot):
1115         Update snapshot parsing from version 1 to version 2.
1116
1117 2019-02-19  Truitt Savell  <tsavell@apple.com>
1118
1119         Unreviewed, rolling out r241784.
1120
1121         Broke all OpenSource builds.
1122
1123         Reverted changeset:
1124
1125         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1126         instances view"
1127         https://bugs.webkit.org/show_bug.cgi?id=172848
1128         https://trac.webkit.org/changeset/241784
1129
1130 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1131
1132         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1133         https://bugs.webkit.org/show_bug.cgi?id=172848
1134         <rdar://problem/25709212>
1135
1136         Reviewed by Mark Lam.
1137
1138         * typeProfiler/inheritance.js:
1139         Rewrite the test slightly for clarity. The hoisting was confusing.
1140
1141         * heapProfiler/class-names.js: Added.
1142         (MyES5Class):
1143         (MyES6Class):
1144         (MyES6Subclass):
1145         Test object types and improved class names.
1146
1147         * heapProfiler/driver/driver.js:
1148         (CheapHeapSnapshotNode):
1149         (CheapHeapSnapshot):
1150         (createCheapHeapSnapshot):
1151         (HeapSnapshot):
1152         (createHeapSnapshot):
1153         Update snapshot parsing from version 1 to version 2.
1154
1155 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1156
1157         [ARM] Fix crash with sampling profiler
1158         https://bugs.webkit.org/show_bug.cgi?id=194772
1159
1160         Reviewed by Mark Lam.
1161
1162         Do not skip test since crash with sampling profiler is now fixed.
1163
1164         * stress/sampling-profiler-richards.js:
1165
1166 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1167
1168         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1169         https://bugs.webkit.org/show_bug.cgi?id=194784
1170         <rdar://problem/48154820>
1171
1172         Reviewed by Mark Lam.
1173
1174         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1175         (getProperties):
1176         (getRandomProperty):
1177         (i.catch):
1178
1179 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1180
1181         [ARM] Test gardening: Test running out of executable memory
1182         https://bugs.webkit.org/show_bug.cgi?id=194771
1183
1184         Unreviewed. Do not run test without LLInt, test is running out of executable
1185         memory on ARM otherwise.
1186
1187         * stress/tagged-template-object-collect.js:
1188
1189 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1190
1191         Unreviewed, skip the test on platforms without sampling profiler
1192
1193         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1194         (platformSupportsSamplingProfiler.foo):
1195         (platformSupportsSamplingProfiler.test):
1196         (platformSupportsSamplingProfiler):
1197         (foo): Deleted.
1198         (test): Deleted.
1199
1200 2019-02-17  Saam Barati  <sbarati@apple.com>
1201
1202         Deadlock when adding a Structure property transition and then doing incremental marking
1203         https://bugs.webkit.org/show_bug.cgi?id=194767
1204
1205         Reviewed by Mark Lam.
1206
1207         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1208
1209 2019-02-15  Michael Saboff  <msaboff@apple.com>
1210
1211         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1212         https://bugs.webkit.org/show_bug.cgi?id=194558
1213
1214         Reviewed by Saam Barati.
1215
1216         New regression test.
1217
1218         * stress/regexp-unicode-within-string.js: Added.
1219
1220 2019-02-15  Mark Lam  <mark.lam@apple.com>
1221
1222         SamplingProfiler::stackTracesAsJSON() should escape strings.
1223         https://bugs.webkit.org/show_bug.cgi?id=194649
1224         <rdar://problem/48072386>
1225
1226         Reviewed by Saam Barati.
1227
1228         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1229         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1230         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1231         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1232
1233 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1234         CodeBlock::jettison should clear related watchpoints
1235         https://bugs.webkit.org/show_bug.cgi?id=194544
1236
1237         Reviewed by Mark Lam.
1238
1239         * stress/regexp-replace-double-watchpoint.js: Added.
1240         (foo):
1241
1242 2019-02-15  Saam barati  <sbarati@apple.com>
1243
1244         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1245         https://bugs.webkit.org/show_bug.cgi?id=194036
1246
1247         Reviewed by Yusuke Suzuki.
1248
1249         * stress/tail-call-many-arguments.js: Added.
1250         (foo):
1251         (bar):
1252
1253 2019-02-14  Saam Barati  <sbarati@apple.com>
1254
1255         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1256         https://bugs.webkit.org/show_bug.cgi?id=194583
1257         <rdar://problem/48028140>
1258
1259         Reviewed by Yusuke Suzuki.
1260
1261         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1262
1263 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1264
1265         [JSC] String.fromCharCode's slow path always generates 16bit string
1266         https://bugs.webkit.org/show_bug.cgi?id=194466
1267
1268         Reviewed by Keith Miller.
1269
1270         * stress/string-from-char-code-slow-path.js: Added.
1271         (shouldBe):
1272         (testWithLength):
1273
1274 2019-02-08  Saam barati  <sbarati@apple.com>
1275
1276         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1277         https://bugs.webkit.org/show_bug.cgi?id=194334
1278         <rdar://problem/47844327>
1279
1280         Reviewed by Mark Lam.
1281
1282         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1283         (func):
1284
1285 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1286
1287         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1288         https://bugs.webkit.org/show_bug.cgi?id=194369
1289         <rdar://problem/47813087>
1290
1291         Reviewed by Saam Barati.
1292
1293         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1294         (A):
1295
1296 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1297
1298         [JSC] PrivateName to PublicName hash table is wasteful
1299         https://bugs.webkit.org/show_bug.cgi?id=194277
1300
1301         Reviewed by Michael Saboff.
1302
1303         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1304
1305         * ChakraCore.yaml:
1306
1307 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1308
1309         [ARM] Test running out of executable memory
1310         https://bugs.webkit.org/show_bug.cgi?id=194285
1311
1312         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1313         executable memory otherwise.
1314
1315         * stress/class-subclassing-function.js:
1316
1317 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1318
1319         when lowering AssertNotEmpty, create the value before creating the patchpoint
1320         https://bugs.webkit.org/show_bug.cgi?id=194231
1321
1322         Reviewed by Saam Barati.
1323
1324         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1325         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1326         So even tiny changes to this test can change the path code taken.
1327
1328         * stress/assert-not-empty.js: Added.
1329         (foo):
1330
1331 2019-02-01  Mark Lam  <mark.lam@apple.com>
1332
1333         Remove invalid assertion in DFG's compileDoubleRep().
1334         https://bugs.webkit.org/show_bug.cgi?id=194130
1335         <rdar://problem/47699474>
1336
1337         Reviewed by Saam Barati.
1338
1339         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1340
1341 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1342
1343         Import latest Test262 updates.
1344
1345         Rubber-stamped by Keith Miller.
1346
1347         * test262.yaml: Deleted.
1348         * test262/config.yaml:
1349         * test262/expectations.yaml:
1350         * test262/latest-changes-summary.txt:
1351         * test262/test/:
1352         * test262/test262-Revision.txt:
1353
1354 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1355
1356         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1357         https://bugs.webkit.org/show_bug.cgi?id=194050
1358         <rdar://problem/47595592>
1359
1360         Reviewed by Yusuke Suzuki.
1361
1362         * stress/object-keys-osr-exit.js: Added.
1363         (foo):
1364         (catch):
1365
1366 2019-01-29  Mark Lam  <mark.lam@apple.com>
1367
1368         ValueRecovery::recover() should purify NaN values it recovers.
1369         https://bugs.webkit.org/show_bug.cgi?id=193978
1370         <rdar://problem/47625488>
1371
1372         Reviewed by Saam Barati.
1373
1374         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1375
1376 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1377
1378         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1379         https://bugs.webkit.org/show_bug.cgi?id=193713
1380
1381         * stress/try-get-by-id-should-spill-registers-dfg.js:
1382         (let.f.createBuiltin):
1383
1384 2019-01-28  Mark Lam  <mark.lam@apple.com>
1385
1386         ToString node actually does GC.
1387         https://bugs.webkit.org/show_bug.cgi?id=193920
1388         <rdar://problem/46695900>
1389
1390         Reviewed by Yusuke Suzuki.
1391
1392         * stress/dfg-to-string-on-int-does-gc.js: Added.
1393         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1394         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1395
1396 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1397
1398         [JSC] NativeErrorConstructor should not have own IsoSubspace
1399         https://bugs.webkit.org/show_bug.cgi?id=193713
1400
1401         Reviewed by Saam Barati.
1402
1403         Remove @Error use.
1404
1405         * stress/try-get-by-id-should-spill-registers-dfg.js:
1406         (let.f.createBuiltin):
1407
1408 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1409
1410         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1411         https://bugs.webkit.org/show_bug.cgi?id=190693
1412
1413         Reviewed by Michael Saboff.
1414
1415         * stress/regress-190693.js: Added.
1416         (truth):
1417         (assert):
1418         (shouldThrowInvalidConstAssignment):
1419         (taz):
1420
1421 2019-01-24  Saam Barati  <sbarati@apple.com>
1422
1423         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1424         https://bugs.webkit.org/show_bug.cgi?id=193751
1425         <rdar://problem/47280215>
1426
1427         Reviewed by Michael Saboff.
1428
1429         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1430         (let.thing):
1431         (foo.let.hello):
1432         (foo):
1433
1434 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1435
1436         [JSC] Reenable baseline JIT on mips
1437         https://bugs.webkit.org/show_bug.cgi?id=192983
1438
1439         Reviewed by Mark Lam.
1440
1441         Added a new test for a case that was triggering a RELEASE_ASSERT when
1442         testing.
1443         Disable some slow tests that were already disabled for arm and x86.
1444
1445         * stress/json-parse-big-object.js: Added.
1446         * stress/new-largeish-contiguous-array-with-size.js:
1447         * stress/op_add.js:
1448         * stress/op_bitand.js:
1449         * stress/op_bitor.js:
1450         * stress/op_bitxor.js:
1451         * stress/op_lshift-ConstVar.js:
1452         * stress/op_lshift-VarConst.js:
1453         * stress/op_lshift-VarVar.js:
1454         * stress/op_mod-ConstVar.js:
1455         * stress/op_mod-VarConst.js:
1456         * stress/op_mod-VarVar.js:
1457         * stress/op_mul-ConstVar.js:
1458         * stress/op_mul-VarConst.js:
1459         * stress/op_mul-VarVar.js:
1460         * stress/op_rshift-ConstVar.js:
1461         * stress/op_rshift-VarConst.js:
1462         * stress/op_rshift-VarVar.js:
1463         * stress/op_sub-ConstVar.js:
1464         * stress/op_sub-VarConst.js:
1465         * stress/op_sub-VarVar.js:
1466         * stress/op_urshift-ConstVar.js:
1467         * stress/op_urshift-VarConst.js:
1468         * stress/op_urshift-VarVar.js:
1469         * stress/sampling-profiler-richards.js:
1470         * stress/spread-forward-call-varargs-stack-overflow.js:
1471
1472 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1473
1474         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1475         https://bugs.webkit.org/show_bug.cgi?id=193711
1476         <rdar://problem/47250262>
1477
1478         Reviewed by Saam Barati.
1479
1480         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1481         (shouldBe):
1482         (foo):
1483         (bar):
1484         (baz):
1485
1486 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1487
1488         Unreviewed, fix initial global lexical binding epoch
1489         https://bugs.webkit.org/show_bug.cgi?id=193603
1490         <rdar://problem/47380869>
1491
1492         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1493         (f1.f2.f3.f4):
1494         (f1.f2.f3):
1495         (f1.f2):
1496         (f1):
1497
1498 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1499
1500         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1501         https://bugs.webkit.org/show_bug.cgi?id=193709
1502         <rdar://problem/47363838>
1503
1504         Unreviewed, rollout to watch the tests.
1505
1506         * stress/object-tostring-changed-proto.js: Removed.
1507         * stress/object-tostring-changed.js: Removed.
1508         * stress/object-tostring-misc.js: Removed.
1509         * stress/object-tostring-other.js: Removed.
1510         * stress/object-tostring-untyped.js: Removed.
1511
1512 2019-01-22  Saam Barati  <sbarati@apple.com>
1513
1514         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1515
1516         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1517         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1518         (testUncheckedLessThanZero):
1519         (testUncheckedLessThanOrEqualZero):
1520         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1521         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1522
1523 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1524
1525         [JSC] Invalidate old scope operations using global lexical binding epoch
1526         https://bugs.webkit.org/show_bug.cgi?id=193603
1527         <rdar://problem/47380869>
1528
1529         Reviewed by Saam Barati.
1530
1531         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1532         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1533         (shouldThrow):
1534         (bar):
1535         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1536         (shouldBe):
1537         (get1):
1538         (get2):
1539         (get1If):
1540         (get2If):
1541         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1542         (shouldThrow):
1543         (foo):
1544
1545 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1546
1547         Unreviewed, roll out r240220 due to date-format-xparb regression
1548         https://bugs.webkit.org/show_bug.cgi?id=193603
1549
1550         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1551         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1552         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1553         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1554
1555 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1556
1557         DoesGC rule is wrong for nodes with BigIntUse
1558         https://bugs.webkit.org/show_bug.cgi?id=193652
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/big-int-value-op-update-gc-rules.js: Added.
1563         (assert):
1564         (doesGCAdd):
1565         (doesGCSub):
1566         (doesGCDiv):
1567         (doesGCMul):
1568         (doesGCBitAnd):
1569         (doesGCBitOr):
1570         (doesGCBitXor):
1571
1572 2019-01-20  Saam Barati  <sbarati@apple.com>
1573
1574         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1575         https://bugs.webkit.org/show_bug.cgi?id=193644
1576         <rdar://problem/46209745>
1577
1578         Reviewed by Yusuke Suzuki.
1579
1580         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1581         (foo):
1582         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1583         (foo):
1584         (bar):
1585
1586 2019-01-20  Saam Barati  <sbarati@apple.com>
1587
1588         MovHint must merge NodeBytecodeUsesAsValue for its child
1589         https://bugs.webkit.org/show_bug.cgi?id=186916
1590         <rdar://problem/41396612>
1591
1592         Reviewed by Yusuke Suzuki.
1593
1594         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1595         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1596
1597 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1598
1599         [JSC] Invalidate old scope operations using global lexical binding epoch
1600         https://bugs.webkit.org/show_bug.cgi?id=193603
1601         <rdar://problem/47380869>
1602
1603         Reviewed by Saam Barati.
1604
1605         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1606         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1607         (shouldThrow):
1608         (bar):
1609         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1610         (shouldBe):
1611         (get1):
1612         (get2):
1613         (get1If):
1614         (get2If):
1615         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1616         (shouldThrow):
1617         (foo):
1618
1619 2019-01-17  Saam barati  <sbarati@apple.com>
1620
1621         StringObjectUse should not be a structure check for the original string object structure
1622         https://bugs.webkit.org/show_bug.cgi?id=193483
1623         <rdar://problem/47280522>
1624
1625         Reviewed by Yusuke Suzuki.
1626
1627         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1628         (foo):
1629         (a.valueOf.0):
1630
1631 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1632
1633         [JSC] ToThis omission in DFGByteCodeParser is wrong
1634         https://bugs.webkit.org/show_bug.cgi?id=193513
1635         <rdar://problem/45842236>
1636
1637         Reviewed by Saam Barati.
1638
1639         * stress/to-this-omission-with-different-strict-modes.js: Added.
1640         (thisA):
1641         (thisAStrictWrapper):
1642
1643 2019-01-15  Mark Lam  <mark.lam@apple.com>
1644
1645         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1646         https://bugs.webkit.org/show_bug.cgi?id=193423
1647         <rdar://problem/46209355>
1648
1649         Reviewed by Saam Barati.
1650
1651         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1652         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1653         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1654         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1655
1656 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1657
1658         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1659         https://bugs.webkit.org/show_bug.cgi?id=193438
1660         <rdar://problem/45581249>
1661
1662         Reviewed by Saam Barati and Keith Miller.
1663
1664         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1665         Then, GetByVal(String) crashed.
1666
1667         * stress/string-get-by-val-lowering.js: Added.
1668         (shouldBe):
1669         (test):
1670         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1671         (Hello):
1672         (foo):
1673
1674 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1675
1676         Unreviewed, skip JIT tests if it's not enabled
1677
1678         * stress/bit-op-with-object-returning-int32.js:
1679
1680 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1681
1682         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1683         https://bugs.webkit.org/show_bug.cgi?id=192966
1684
1685         Reviewed by Yusuke Suzuki.
1686
1687         * stress/bit-op-with-object-returning-int32.js: Added.
1688
1689 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1690
1691         Skip a slow test and a flakey test on arm
1692
1693         Unreviewed gardening.
1694
1695         * typeProfiler/getter-richards.js:
1696         this test always times out, it used to be always skipped on arm and
1697         mips, but got accidentally enabled by r237919 now that we have DFG on
1698         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1699
1700 2019-01-14  Keith Miller  <keith_miller@apple.com>
1701
1702         Skip type-check-hoisting-phase-hoist... with no jit
1703         https://bugs.webkit.org/show_bug.cgi?id=193421
1704
1705         Reviewed by Mark Lam.
1706
1707         It's timing out the 32-bit bots and takes 330 seconds
1708         on my machine when run by itself.
1709
1710         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1711
1712 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1713
1714         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1715         https://bugs.webkit.org/show_bug.cgi?id=193413
1716         <rdar://problem/46092389>
1717
1718         Reviewed by Keith Miller.
1719
1720         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1721         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1722         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1723         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1724
1725         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1726         (compareArray):
1727
1728 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1729
1730         [BigInt] Literal parsing is crashing when used inside an Object Literal
1731         https://bugs.webkit.org/show_bug.cgi?id=193404
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         * stress/big-int-literal-inside-literal-object.js: Added.
1736
1737 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1738
1739         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1740         https://bugs.webkit.org/show_bug.cgi?id=193372
1741
1742         Reviewed by Saam Barati.
1743
1744         * stress/typed-array-array-modes-profile.js: Added.
1745         (foo):
1746
1747 2019-01-14  Mark Lam  <mark.lam@apple.com>
1748
1749         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1750         https://bugs.webkit.org/show_bug.cgi?id=193402
1751         <rdar://problem/46012309>
1752
1753         Reviewed by Keith Miller.
1754
1755         * stress/regexp-compile-oom.js:
1756         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1757           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1758
1759 2019-01-11  Saam barati  <sbarati@apple.com>
1760
1761         DFG combined liveness can be wrong for terminal basic blocks
1762         https://bugs.webkit.org/show_bug.cgi?id=193304
1763         <rdar://problem/45268632>
1764
1765         Reviewed by Yusuke Suzuki.
1766
1767         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1768
1769 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1770
1771         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1772         https://bugs.webkit.org/show_bug.cgi?id=193308
1773         <rdar://problem/45546542>
1774
1775         Reviewed by Saam Barati.
1776
1777         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1778         (shouldThrow):
1779         (shouldBe):
1780         (foo):
1781         (get shouldThrow):
1782         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1783         (shouldThrow):
1784         (shouldBe):
1785         (foo):
1786         (get shouldBe):
1787         (get shouldThrow):
1788         (get return):
1789         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1790         (shouldThrow):
1791         (shouldBe):
1792         (foo):
1793         (get shouldBe):
1794         (get shouldThrow):
1795         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1796         (shouldThrow):
1797         (shouldBe):
1798         (foo):
1799         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1800         (shouldThrow):
1801         (shouldBe):
1802         (foo):
1803         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1804         (shouldThrow):
1805         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1806         (shouldThrow):
1807         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1808         (shouldThrow):
1809         (shouldBe):
1810         (foo):
1811         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1812         (shouldThrow):
1813         (shouldBe):
1814         (foo):
1815         (get shouldBe):
1816         (get shouldThrow):
1817         (get return):
1818         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1819         (shouldThrow):
1820         (shouldBe):
1821         (foo):
1822         (get shouldBe):
1823         (get shouldThrow):
1824         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1825         (shouldThrow):
1826         (shouldBe):
1827         (foo):
1828         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1829         (shouldThrow):
1830         (shouldBe):
1831         (foo):
1832
1833 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1834
1835         Enable DFG on ARM/Linux again
1836         https://bugs.webkit.org/show_bug.cgi?id=192496
1837
1838         Reviewed by Yusuke Suzuki.
1839
1840         Test wasn't really skipped before moving the line with skip
1841         to the top.
1842
1843         * stress/regress-192717.js:
1844
1845 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1846
1847         Unreviewed, rolling out r239825.
1848         https://bugs.webkit.org/show_bug.cgi?id=193330
1849
1850         Broke tests on armv7/linux bots (Requested by guijemont on
1851         #webkit).
1852
1853         Reverted changeset:
1854
1855         "Enable DFG on ARM/Linux again"
1856         https://bugs.webkit.org/show_bug.cgi?id=192496
1857         https://trac.webkit.org/changeset/239825
1858
1859 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1860
1861         Enable DFG on ARM/Linux again
1862         https://bugs.webkit.org/show_bug.cgi?id=192496
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         Test wasn't really skipped before moving the line with skip
1867         to the top.
1868
1869         * stress/regress-192717.js:
1870
1871 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1872
1873         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1874         https://bugs.webkit.org/show_bug.cgi?id=193127
1875
1876         Reviewed by Saam Barati.
1877
1878         * stress/array-species-create-should-handle-masquerader.js: Added.
1879         (shouldThrow):
1880         * stress/is-undefined-or-null-builtin.js: Added.
1881         (shouldBe):
1882         (isUndefinedOrNull.vm.createBuiltin):
1883
1884 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1885
1886         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1887         https://bugs.webkit.org/show_bug.cgi?id=193221
1888
1889         Reviewed by Mark Lam.
1890
1891         * stress/put-by-id-flags.js: Added.
1892         (f):
1893         (g):
1894         (numberOfDFGCompiles):
1895
1896 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1897
1898         Baseline version of get_by_id may corrupt metadata
1899         https://bugs.webkit.org/show_bug.cgi?id=193085
1900         <rdar://problem/23453006>
1901
1902         Reviewed by Saam Barati.
1903
1904         * stress/get-by-id-change-mode.js: Added.
1905         (forEach):
1906
1907 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1908
1909         [JSC] Optimize Object.prototype.toString
1910         https://bugs.webkit.org/show_bug.cgi?id=193031
1911
1912         Reviewed by Saam Barati.
1913
1914         * stress/object-tostring-changed-proto.js: Added.
1915         (shouldBe):
1916         (test):
1917         * stress/object-tostring-changed.js: Added.
1918         (shouldBe):
1919         (test):
1920         * stress/object-tostring-misc.js: Added.
1921         (shouldBe):
1922         (test):
1923         (i.switch):
1924         * stress/object-tostring-other.js: Added.
1925         (shouldBe):
1926         (test):
1927         * stress/object-tostring-untyped.js: Added.
1928         (shouldBe):
1929         (test):
1930         (i.switch):
1931
1932 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1933
1934         test262-runner misbehaves when test file YAML has a trailing space
1935         https://bugs.webkit.org/show_bug.cgi?id=193053
1936
1937         Reviewed by Yusuke Suzuki.
1938
1939         * test262/expectations.yaml:
1940         Mark two dozen tests as passing (and correct the output of another).
1941
1942 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1943
1944         Unreviewed, JSTests gardening with memoryLimited
1945
1946         * stress/string-overflow-createError.js:
1947
1948 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1949
1950         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1951         https://bugs.webkit.org/show_bug.cgi?id=193050
1952
1953         Reviewed by Yusuke Suzuki.
1954
1955         * test262.yaml:
1956         * test262/expectations.yaml:
1957         Mark 16 tests as passing.
1958
1959 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1960
1961         [BigInt] Support BigInt in JSON.stringify
1962         https://bugs.webkit.org/show_bug.cgi?id=192624
1963
1964         Reviewed by Saam Barati.
1965
1966         * stress/big-int-json-stringify-to-json.js: Added.
1967         (shouldBe):
1968         (shouldThrow):
1969         (BigInt.prototype.toJSON):
1970         (shouldBe.JSON.stringify):
1971         * stress/big-int-json-stringify.js: Added.
1972         (shouldBe):
1973         (shouldThrow):
1974
1975 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1976
1977         [JSC] Implement "well-formed JSON.stringify" proposal
1978         https://bugs.webkit.org/show_bug.cgi?id=191677
1979
1980         Reviewed by Darin Adler.
1981
1982         * stress/json-surrogate-pair.js: Added.
1983         (shouldBe):
1984         * test262/expectations.yaml:
1985
1986 2018-12-20  Keith Miller  <keith_miller@apple.com>
1987
1988         Add support for globalThis
1989         https://bugs.webkit.org/show_bug.cgi?id=165171
1990
1991         Reviewed by Mark Lam.
1992
1993         * test262/config.yaml:
1994
1995 2018-12-19  Keith Miller  <keith_miller@apple.com>
1996
1997         Update test262 configuration to not run tests dependent on ICU version.
1998         https://bugs.webkit.org/show_bug.cgi?id=192920
1999
2000         Reviewed by Saam Barati.
2001
2002         * test262/expectations.yaml:
2003
2004 2018-12-20  Mark Lam  <mark.lam@apple.com>
2005
2006         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2007         https://bugs.webkit.org/show_bug.cgi?id=192939
2008         <rdar://problem/46869516>
2009
2010         Reviewed by Keith Miller.
2011
2012         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2013
2014 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2015
2016         WTF::String and StringImpl overflow MaxLength
2017         https://bugs.webkit.org/show_bug.cgi?id=192853
2018         <rdar://problem/45726906>
2019
2020         Reviewed by Mark Lam.
2021
2022         * stress/string-16bit-repeat-overflow.js: Added.
2023         (catch):
2024
2025 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2026
2027         Unreviewed follow-up to r192914.
2028
2029         * test262/expectations.yaml:
2030         Add the last 20 missing expectations.
2031
2032 2018-12-19  Keith Miller  <keith_miller@apple.com>
2033
2034         Fix test262 expectations
2035         https://bugs.webkit.org/show_bug.cgi?id=192914
2036
2037         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2038
2039         * test262/expectations.yaml:
2040
2041 2018-12-19  Keith Miller  <keith_miller@apple.com>
2042
2043         Update test262 tests.
2044         https://bugs.webkit.org/show_bug.cgi?id=192907
2045
2046         Rubber stamped by Mark Lam.
2047
2048         * test262/*: Omitted because prepare-changelog crashes.
2049
2050 2018-12-19  Mark Lam  <mark.lam@apple.com>
2051
2052         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2053         https://bugs.webkit.org/show_bug.cgi?id=192464
2054         <rdar://problem/46519455>
2055
2056         Reviewed by Saam Barati.
2057
2058         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2059         microbenchmark.
2060
2061         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2062         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2063
2064 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2065
2066         String overflow in JSC::createError results in ASSERT in WTF::makeString
2067         https://bugs.webkit.org/show_bug.cgi?id=192833
2068         <rdar://problem/45706868>
2069
2070         Reviewed by Mark Lam.
2071
2072         * stress/string-overflow-createError.js: Added.
2073
2074 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2075
2076         Error message for `-x ** y` contains a typo.
2077         https://bugs.webkit.org/show_bug.cgi?id=192832
2078
2079         Reviewed by Saam Barati.
2080
2081         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2082         (assert.assert.return.throws):
2083         * stress/pow-expects-update-expression-on-lhs.js:
2084         (throw.new.Error):
2085         Update test expectations which match against the exact error message.
2086
2087 2018-12-18  Mark Lam  <mark.lam@apple.com>
2088
2089         Gardening: test options fix.
2090         https://bugs.webkit.org/show_bug.cgi?id=192822
2091
2092         Unreviewed.
2093
2094         * stress/json-stringify-string-builder-overflow.js:
2095
2096 2018-12-18  Mark Lam  <mark.lam@apple.com>
2097
2098         JSON.stringify() should throw OOM on StringBuilder overflows.
2099         https://bugs.webkit.org/show_bug.cgi?id=192822
2100         <rdar://problem/46670577>
2101
2102         Reviewed by Saam Barati.
2103
2104         * stress/json-stringify-string-builder-overflow.js: Added.
2105
2106 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2107
2108         Redeclaration of var over let/const/class should be a syntax error.
2109         https://bugs.webkit.org/show_bug.cgi?id=192298
2110
2111         Reviewed by Keith Miller.
2112
2113         * test262.yaml:
2114         * test262/expectations.yaml:
2115         Mark 46 tests as passing.
2116
2117         * stress/block-scope-redeclarations.js:
2118         Add some new tests.
2119
2120         * stress/for-in-invalidate-context-weird-assignments.js:
2121         * stress/for-in-tests.js:
2122         Replace tests for outdated behavior with tests for SyntaxError.
2123
2124         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2125         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2126         Update expectations.
2127
2128 2018-12-18  Mark Lam  <mark.lam@apple.com>
2129
2130         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2131         https://bugs.webkit.org/show_bug.cgi?id=191374
2132         <rdar://problem/46525447>
2133
2134         Reviewed by Yusuke Suzuki.
2135
2136         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2137
2138         * stress/elidable-new-object-roflcopter-then-exit.js:
2139
2140 2018-12-17  Mark Lam  <mark.lam@apple.com>
2141
2142         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2143         https://bugs.webkit.org/show_bug.cgi?id=192019
2144         <rdar://problem/46525456>
2145
2146         Reviewed by Yusuke Suzuki.
2147
2148         The test runs too slow on 32-bit.
2149
2150         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2151
2152 2018-12-17  Mark Lam  <mark.lam@apple.com>
2153
2154         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2155         https://bugs.webkit.org/show_bug.cgi?id=191373
2156         <rdar://problem/46525458>
2157
2158         Reviewed by Yusuke Suzuki.
2159
2160         The test is already slow running with a JIT on 64-bit.  It will always time out
2161         on 32-bit without a JIT.
2162
2163         * stress/materialize-regexp-cyclic-regexp.js:
2164
2165 2018-12-17  Mark Lam  <mark.lam@apple.com>
2166
2167         Array unshift/shift should not race against the AI in the compiler thread.
2168         https://bugs.webkit.org/show_bug.cgi?id=192795
2169         <rdar://problem/46724263>
2170
2171         Reviewed by Saam Barati.
2172
2173         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2174
2175 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2176
2177         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2178         https://bugs.webkit.org/show_bug.cgi?id=190047
2179
2180         Reviewed by Saam Barati.
2181
2182         * stress/object-keys-cached-zero.js: Added.
2183         (shouldBe):
2184         (test):
2185         * stress/object-keys-changed-attribute.js: Added.
2186         (shouldBe):
2187         (test):
2188         * stress/object-keys-changed-index.js: Added.
2189         (shouldBe):
2190         (test):
2191         * stress/object-keys-changed.js: Added.
2192         (shouldBe):
2193         (test):
2194         * stress/object-keys-indexed-non-cache.js: Added.
2195         (shouldBe):
2196         (test):
2197         * stress/object-keys-overrides-get-property-names.js: Added.
2198         (shouldBe):
2199         (test):
2200         (noInline):
2201
2202 2018-12-17  Mark Lam  <mark.lam@apple.com>
2203
2204         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2205         https://bugs.webkit.org/show_bug.cgi?id=192779
2206         <rdar://problem/46775869>
2207
2208         Reviewed by Saam Barati.
2209
2210         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2211
2212 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2213
2214         Unreviewed test gardening, address a syntax error in a new test.
2215
2216         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2217
2218 2018-12-17  Mark Lam  <mark.lam@apple.com>
2219
2220         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2221         https://bugs.webkit.org/show_bug.cgi?id=192776
2222         <rdar://problem/46772368>
2223
2224         Reviewed by Keith Miller.
2225
2226         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2227
2228 2018-12-17  Mark Lam  <mark.lam@apple.com>
2229
2230         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2231         https://bugs.webkit.org/show_bug.cgi?id=192770
2232         <rdar://problem/46449037>
2233
2234         Reviewed by Keith Miller.
2235
2236         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2237
2238 2018-12-14  Mark Lam  <mark.lam@apple.com>
2239
2240         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2241         https://bugs.webkit.org/show_bug.cgi?id=192717
2242         <rdar://problem/46660677>
2243
2244         Reviewed by Saam Barati.
2245
2246         * stress/regress-192717.js: Added.
2247
2248 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2249
2250         Unreviewed, rolling out r239153, r239154, and r239155.
2251         https://bugs.webkit.org/show_bug.cgi?id=192715
2252
2253         Caused flaky GC-related crashes seen with layout tests
2254         (Requested by ryanhaddad on #webkit).
2255
2256         Reverted changesets:
2257
2258         "[JSC] Optimize Object.keys by caching own keys results in
2259         StructureRareData"
2260         https://bugs.webkit.org/show_bug.cgi?id=190047
2261         https://trac.webkit.org/changeset/239153
2262
2263         "Unreviewed, build fix after r239153"
2264         https://bugs.webkit.org/show_bug.cgi?id=190047
2265         https://trac.webkit.org/changeset/239154
2266
2267         "Unreviewed, build fix after r239153, part 2"
2268         https://bugs.webkit.org/show_bug.cgi?id=190047
2269         https://trac.webkit.org/changeset/239155
2270
2271 2018-12-14  Keith Miller  <keith_miller@apple.com>
2272
2273         Callers of JSString::getIndex should check for OOM exceptions
2274         https://bugs.webkit.org/show_bug.cgi?id=192709
2275
2276         Reviewed by Mark Lam.
2277
2278         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2279
2280 2018-12-13  Mark Lam  <mark.lam@apple.com>
2281
2282         Add a missing exception check.
2283         https://bugs.webkit.org/show_bug.cgi?id=192626
2284         <rdar://problem/46662163>
2285
2286         Reviewed by Keith Miller.
2287
2288         * stress/regress-192626.js: Added.
2289
2290 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2291
2292         [BigInt] Add ValueDiv into DFG
2293         https://bugs.webkit.org/show_bug.cgi?id=186178
2294
2295         Reviewed by Yusuke Suzuki.
2296
2297         * stress/big-int-div-jit-osr.js: Added.
2298         * stress/big-int-div-jit-untyped.js: Added.
2299         * stress/value-div-fixup-int32-big-int.js: Added.
2300
2301 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2302
2303         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2304         https://bugs.webkit.org/show_bug.cgi?id=190047
2305
2306         Reviewed by Keith Miller.
2307
2308         * stress/object-keys-cached-zero.js: Added.
2309         (shouldBe):
2310         (test):
2311         * stress/object-keys-changed-attribute.js: Added.
2312         (shouldBe):
2313         (test):
2314         * stress/object-keys-changed-index.js: Added.
2315         (shouldBe):
2316         (test):
2317         * stress/object-keys-changed.js: Added.
2318         (shouldBe):
2319         (test):
2320         * stress/object-keys-indexed-non-cache.js: Added.
2321         (shouldBe):
2322         (test):
2323         * stress/object-keys-overrides-get-property-names.js: Added.
2324         (shouldBe):
2325         (test):
2326         (noInline):
2327
2328 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2329
2330         [DFG][FTL] Add NewSymbol
2331         https://bugs.webkit.org/show_bug.cgi?id=192620
2332
2333         Reviewed by Saam Barati.
2334
2335         * microbenchmarks/symbol-creation.js: Added.
2336         (test):
2337         * stress/symbol-description-identity.js: Added.
2338         (shouldBe):
2339         (test):
2340         * stress/symbol-identity.js: Added.
2341         (shouldBe):
2342         (test):
2343         * stress/symbol-with-description-throw-error.js: Added.
2344         (shouldBe):
2345         (shouldThrow):
2346         (test):
2347         (object.toString):
2348
2349 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2350
2351         [BigInt] Implement DFG/FTL typeof for BigInt
2352         https://bugs.webkit.org/show_bug.cgi?id=192619
2353
2354         Reviewed by Keith Miller.
2355
2356         * stress/big-int-boolean-proven-type.js: Added.
2357         (assert):
2358         (bool):
2359         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2360         (assert):
2361         (typeOf):
2362         (i.switch):
2363         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2364         (assert):
2365         (typeOf):
2366         * stress/big-int-type-of.js:
2367         (typeOf):
2368         (func):
2369
2370 2018-12-10  Mark Lam  <mark.lam@apple.com>
2371
2372         PropertyAttribute needs a CustomValue bit.
2373         https://bugs.webkit.org/show_bug.cgi?id=191993
2374         <rdar://problem/46264467>
2375
2376         Reviewed by Saam Barati.
2377
2378         * stress/regress-191993.js: Added.
2379
2380 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2381
2382         [BigInt] Add ValueMul into DFG
2383         https://bugs.webkit.org/show_bug.cgi?id=186175
2384
2385         Reviewed by Yusuke Suzuki.
2386
2387         * stress/big-int-mul-jit-osr.js: Added.
2388         * stress/big-int-mul-jit-untyped.js: Added.
2389         * stress/value-mul-fixup-int32-big-int.js: Added.
2390
2391 2018-12-06  Keith Miller  <keith_miller@apple.com>
2392
2393         stress/big-wasm-memory tests failing on 32-bit JSC bot
2394         https://bugs.webkit.org/show_bug.cgi?id=192020
2395
2396         Reviewed by Saam Barati.
2397
2398         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2399         the wasm stress tests if the WebAssembly object does not exist.
2400
2401         * stress/big-wasm-memory-grow-no-max.js:
2402         (test.foo):
2403         (test):
2404         (foo): Deleted.
2405         (catch): Deleted.
2406         * stress/big-wasm-memory-grow.js:
2407         (test.foo):
2408         (test):
2409         (foo): Deleted.
2410         (catch): Deleted.
2411         * stress/big-wasm-memory.js:
2412         (test.foo):
2413         (test):
2414         (foo): Deleted.
2415         (catch): Deleted.
2416
2417 2018-12-05  Mark Lam  <mark.lam@apple.com>
2418
2419         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2420         https://bugs.webkit.org/show_bug.cgi?id=192441
2421         <rdar://problem/46480355>
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/regress-192441.js: Added.
2426
2427 2018-12-04  Mark Lam  <mark.lam@apple.com>
2428
2429         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2430         https://bugs.webkit.org/show_bug.cgi?id=192386
2431         <rdar://problem/46445516>
2432
2433         Reviewed by Saam Barati.
2434
2435         * stress/regress-192386.js: Added.
2436
2437 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2438
2439         [ESNext][BigInt] Support logic operations
2440         https://bugs.webkit.org/show_bug.cgi?id=179903
2441
2442         Reviewed by Yusuke Suzuki.
2443
2444         * stress/big-int-branch-usage.js: Added.
2445         * stress/big-int-logical-and.js: Added.
2446         * stress/big-int-logical-not.js: Added.
2447         * stress/big-int-logical-or.js: Added.
2448
2449 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2450
2451         Unreviewed, rolling out r238833.
2452
2453         Breaks macOS and iOS debug builds.
2454
2455         Reverted changeset:
2456
2457         "[ESNext][BigInt] Support logic operations"
2458         https://bugs.webkit.org/show_bug.cgi?id=179903
2459         https://trac.webkit.org/changeset/238833
2460
2461 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2462
2463         [ESNext][BigInt] Support logic operations
2464         https://bugs.webkit.org/show_bug.cgi?id=179903
2465
2466         Reviewed by Yusuke Suzuki.
2467
2468         * stress/big-int-branch-usage.js: Added.
2469         * stress/big-int-logical-and.js: Added.
2470         * stress/big-int-logical-not.js: Added.
2471         * stress/big-int-logical-or.js: Added.
2472
2473 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2474
2475         [ESNext][BigInt] Implement support for "<<" and ">>"
2476         https://bugs.webkit.org/show_bug.cgi?id=186233
2477
2478         Reviewed by Yusuke Suzuki.
2479
2480         * stress/big-int-left-shift-general.js: Added.
2481         * stress/big-int-left-shift-range-error.js: Added.
2482         * stress/big-int-left-shift-type-error.js: Added.
2483         * stress/big-int-left-shift-wrapped-value.js: Added.
2484         * stress/big-int-right-shift-general.js: Added.
2485         * stress/big-int-right-shift-type-error.js: Added.
2486         * stress/big-int-right-shift-wrapped-value.js: Added.
2487         * stress/left-shift-to-primitive-precedence.js: Added.
2488         * stress/right-shift-to-primitive-precedence.js: Added.
2489
2490 2018-11-30  Dean Jackson  <dino@apple.com>
2491
2492         Add first-class support for .mjs files in jsc binary
2493         https://bugs.webkit.org/show_bug.cgi?id=192190
2494         <rdar://problem/46375715>
2495
2496         Reviewed by Keith Miller.
2497
2498         * stress/simple-module.mjs: Added.
2499         * stress/simple-script.js: Added.
2500
2501 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2502
2503         [BigInt] Implement ValueBitXor into DFG
2504         https://bugs.webkit.org/show_bug.cgi?id=190264
2505
2506         Reviewed by Yusuke Suzuki.
2507
2508         * stress/big-int-bitwise-xor-jit.js: Added.
2509         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2510         * stress/big-int-bitwise-xor-untyped.js: Added.
2511
2512 2018-11-27  Saam barati  <sbarati@apple.com>
2513
2514         r238510 broke scopes of size zero
2515         https://bugs.webkit.org/show_bug.cgi?id=192033
2516         <rdar://problem/46281734>
2517
2518         Reviewed by Keith Miller.
2519
2520         * stress/r238510-bad-loop.js: Added.
2521         (foo):
2522
2523 2018-11-27  Mark Lam  <mark.lam@apple.com>
2524
2525         [Re-landing] NaNs read from Wasm code need to be purified.
2526         https://bugs.webkit.org/show_bug.cgi?id=191056
2527         <rdar://problem/45660341>
2528
2529         Reviewed by Filip Pizlo.
2530
2531         * wasm/regress/regress-191056.js: Added.
2532
2533 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2534
2535         Unreviewed, rolling out r238509.
2536
2537         Causes JSC tests to fail on iOS.
2538
2539         Reverted changeset:
2540
2541         "NaNs read from Wasm code need to be purified."
2542         https://bugs.webkit.org/show_bug.cgi?id=191056
2543         https://trac.webkit.org/changeset/238509
2544
2545 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2546
2547         Re-introduce op_bitnot
2548         https://bugs.webkit.org/show_bug.cgi?id=190923
2549
2550         Reviewed by Yusuke Suzuki.
2551
2552         * stress/bit-not-must-generate.js: Added.
2553         * stress/bitwise-not-no-int32.js: Added.
2554
2555 2018-11-26  Saam barati  <sbarati@apple.com>
2556
2557         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2558         https://bugs.webkit.org/show_bug.cgi?id=191956
2559         <rdar://problem/45665806>
2560
2561         Reviewed by Yusuke Suzuki.
2562
2563         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2564         (bar):
2565         (foo):
2566
2567 2018-11-26  Saam barati  <sbarati@apple.com>
2568
2569         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2570         https://bugs.webkit.org/show_bug.cgi?id=191958
2571         <rdar://problem/46221877>
2572
2573         Reviewed by Yusuke Suzuki.
2574
2575         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2576         (x):
2577         (foo):
2578
2579 2018-11-26  Mark Lam  <mark.lam@apple.com>
2580
2581         NaNs read from Wasm code needs to be purified.
2582         https://bugs.webkit.org/show_bug.cgi?id=191056
2583         <rdar://problem/45660341>
2584
2585         Reviewed by Filip Pizlo.
2586
2587         * wasm/regress/regress-191056.js: Added.
2588
2589 2018-11-26  Michael Saboff  <msaboff@apple.com>
2590
2591         32-bit JSC test failure: stress/regexp-compile-oom.js
2592         https://bugs.webkit.org/show_bug.cgi?id=191375
2593
2594         Reviewed by Mark Lam.
2595
2596         Disabled the test for 32 bit platforms.
2597
2598         * stress/regexp-compile-oom.js:
2599
2600 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2601
2602         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2603         https://bugs.webkit.org/show_bug.cgi?id=191716
2604         <rdar://problem/45723878>
2605
2606         Reviewed by Saam Barati.
2607
2608         * stress/regress-187373.js: Added.
2609         (async.fn):
2610
2611 2018-11-21  Saam barati  <sbarati@apple.com>
2612
2613         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2614         https://bugs.webkit.org/show_bug.cgi?id=191897
2615         <rdar://problem/45871998>
2616
2617         Reviewed by Mark Lam.
2618
2619         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2620         (bar):
2621         (foo):
2622
2623 2018-11-21  Saam barati  <sbarati@apple.com>
2624
2625         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2626         https://bugs.webkit.org/show_bug.cgi?id=191895
2627         <rdar://problem/46167406>
2628
2629         Reviewed by Mark Lam.
2630
2631         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2632         (foo):
2633         (bar):
2634
2635 2018-11-21  Mark Lam  <mark.lam@apple.com>
2636
2637         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2638         https://bugs.webkit.org/show_bug.cgi?id=191776
2639         <rdar://problem/46152851>
2640
2641         Reviewed by Saam Barati.
2642
2643         * stress/big-wasm-memory-grow-no-max.js:
2644         * stress/big-wasm-memory-grow.js:
2645         * stress/big-wasm-memory.js:
2646         - updated these to expect an OutOfMemoryError.
2647
2648         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2649         (Binary.prototype.emit_u8):
2650         (Binary.prototype.emit_u32v):
2651         (Binary.prototype.emit_header):
2652         (Binary.prototype.emit_section):
2653         (Binary):
2654         (WasmModuleBuilder):
2655         (WasmModuleBuilder.prototype.addMemory):
2656         (WasmModuleBuilder.prototype.toArray):
2657         (WasmModuleBuilder.prototype.toBuffer):
2658         (WasmModuleBuilder.prototype.instantiate):
2659         (catch):
2660         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2661         (catch):
2662
2663 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2664
2665         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2666         https://bugs.webkit.org/show_bug.cgi?id=190836
2667
2668         Reviewed by Saam Barati and Yusuke Suzuki.
2669
2670         * stress/big-int-out-of-memory-tests.js: Added.
2671
2672 2018-11-20  Mark Lam  <mark.lam@apple.com>
2673
2674         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2675         https://bugs.webkit.org/show_bug.cgi?id=191856
2676         <rdar://problem/46089992>
2677
2678         Reviewed by Yusuke Suzuki.
2679
2680         * stress/regress-191856.js: Added.
2681         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2682
2683 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2684
2685         Enable JIT on ARM/Linux
2686         https://bugs.webkit.org/show_bug.cgi?id=191548
2687
2688         Reviewed by Yusuke Suzuki.
2689
2690         Disable test on system with limited memory. Program was killed by
2691         the OS before the exception was thrown.
2692
2693         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2694
2695 2018-11-20  Saam barati  <sbarati@apple.com>
2696
2697         Merging an IC variant may lead to the IC status containing overlapping structure sets
2698         https://bugs.webkit.org/show_bug.cgi?id=191869
2699         <rdar://problem/45403453>
2700
2701         Reviewed by Mark Lam.
2702
2703         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2704
2705 2018-11-19  Mark Lam  <mark.lam@apple.com>
2706
2707         globalFuncImportModule() should return a promise when it clears exceptions.
2708         https://bugs.webkit.org/show_bug.cgi?id=191792
2709         <rdar://problem/46090763>
2710
2711         Reviewed by Michael Saboff.
2712
2713         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2714
2715 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2716
2717         Skip new memory-hungry tests on memory limited devices
2718
2719         Unreviewed gardening.
2720
2721         * stress/big-wasm-memory-grow-no-max.js:
2722         * stress/big-wasm-memory-grow.js:
2723         * stress/big-wasm-memory.js:
2724
2725 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2726
2727         Unreviewed, rolling in the rest of r237254
2728         https://bugs.webkit.org/show_bug.cgi?id=190340
2729
2730         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2731         * stress/function-cache-with-parameters-end-position.js: Added.
2732         (shouldBe):
2733         (shouldThrow):
2734         (i.anonymous):
2735         * stress/function-constructor-name.js: Added.
2736         (shouldBe):
2737         (GeneratorFunction):
2738         (AsyncFunction.async):
2739         (AsyncGeneratorFunction.async):
2740         (anonymous):
2741         (async.anonymous):
2742         * test262/expectations.yaml:
2743
2744 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2745
2746         All users of ArrayBuffer should agree on the same max size
2747         https://bugs.webkit.org/show_bug.cgi?id=191771
2748
2749         Reviewed by Mark Lam.
2750
2751         * stress/big-wasm-memory-grow-no-max.js: Added.
2752         (foo):
2753         (catch):
2754         * stress/big-wasm-memory-grow.js: Added.
2755         (foo):
2756         (catch):
2757         * stress/big-wasm-memory.js: Added.
2758         (foo):
2759         (catch):
2760
2761 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2762
2763         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2764         run for each JSC config since they're regression tests for runtime bugs.
2765
2766         * stress/json-stringified-overflow-2.js:
2767         * stress/json-stringified-overflow.js:
2768
2769 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2770
2771         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2772         config since they're regression tests for runtime bugs.
2773
2774         * stress/large-unshift-splice.js:
2775         * stress/regress-185888.js:
2776
2777 2018-11-16  Saam Barati  <sbarati@apple.com>
2778
2779         KnownCellUse should also have SpecCellCheck as its type filter
2780         https://bugs.webkit.org/show_bug.cgi?id=191729
2781         <rdar://problem/45872852>
2782
2783         Reviewed by Filip Pizlo.
2784
2785         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2786         (C):
2787
2788 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2789
2790         Fix assertion failure on BytecodeGenerator::recordOpcode
2791         https://bugs.webkit.org/show_bug.cgi?id=191724
2792         <rdar://problem/45724395>
2793
2794         Reviewed by Saam Barati.
2795
2796         * stress/regress-187373-2.js: Added.
2797         (foo):
2798
2799 2018-11-15  Mark Lam  <mark.lam@apple.com>
2800
2801         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2802         https://bugs.webkit.org/show_bug.cgi?id=191730
2803         <rdar://problem/46048517>
2804
2805         Reviewed by Saam Barati.
2806
2807         * stress/regress-187006.js: Removed.
2808           - this test is invalid because its sole purpose is to test for the non-spec
2809             compliant behavior that we just fixed.
2810
2811         * stress/regress-191730.js: Added.
2812
2813 2018-11-15  Mark Lam  <mark.lam@apple.com>
2814
2815         RegExp operations should not take fast path if lastIndex is not numeric.
2816         https://bugs.webkit.org/show_bug.cgi?id=191731
2817         <rdar://problem/46017305>
2818
2819         Reviewed by Saam Barati.
2820
2821         * stress/regress-191731.js: Added.
2822
2823 2018-11-13  Saam Barati  <sbarati@apple.com>
2824
2825         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2826         https://bugs.webkit.org/show_bug.cgi?id=191600
2827
2828         Reviewed by Mark Lam.
2829
2830         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2831         (foo):
2832         (test):
2833         (bar):
2834
2835 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2836
2837         Unreviewed, rolling out r238132.
2838
2839         The test added with this change is timing out on Debug JSC
2840         bots.
2841
2842         Reverted changeset:
2843
2844         "[BigInt] JSBigInt::createWithLength should throw when length
2845         is greater than JSBigInt::maxLength"
2846         https://bugs.webkit.org/show_bug.cgi?id=190836
2847         https://trac.webkit.org/changeset/238132
2848
2849 2018-11-13  Mark Lam  <mark.lam@apple.com>
2850
2851         Add OOM detection to StringPrototype's substituteBackreferences().
2852         https://bugs.webkit.org/show_bug.cgi?id=191563
2853         <rdar://problem/45720428>
2854
2855         Reviewed by Saam Barati.
2856
2857         * stress/regress-191563.js: Added.
2858
2859 2018-11-13  Mark Lam  <mark.lam@apple.com>
2860
2861         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2862         https://bugs.webkit.org/show_bug.cgi?id=191579
2863         <rdar://problem/45942472>
2864
2865         Reviewed by Saam Barati.
2866
2867         * stress/regress-191579.js: Added.
2868
2869 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2870
2871         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2872         https://bugs.webkit.org/show_bug.cgi?id=190836
2873
2874         Reviewed by Saam Barati.
2875
2876         * stress/big-int-out-of-memory-tests.js: Added.
2877
2878 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2879
2880         U+180E is no longer a whitespace character
2881         https://bugs.webkit.org/show_bug.cgi?id=191415
2882
2883         Reviewed by Saam Barati.
2884
2885         * ChakraCore/test/es5/regexSpace.baseline:
2886         * ChakraCore/test/es6/unicode_whitespace.js:
2887         Update tests to latest version.
2888         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2889
2890         * test262.yaml:
2891         * test262/config.yaml:
2892         * test262/expectations.yaml:
2893         Update expectations.
2894
2895 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2896
2897         [BigInt] Add support to BigInt into ValueAdd
2898         https://bugs.webkit.org/show_bug.cgi?id=186177
2899
2900         Reviewed by Keith Miller.
2901
2902         * stress/big-int-negate-jit.js:
2903         * stress/value-add-big-int-and-string.js: Added.
2904         * stress/value-add-big-int-prediction-propagation.js: Added.
2905         * stress/value-add-big-int-untyped.js: Added.
2906
2907 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2908
2909         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2910         https://bugs.webkit.org/show_bug.cgi?id=191184
2911
2912         Reviewed by Saam Barati.
2913
2914         Most tests were failing due to timeouts, since they are too slow to
2915         run on CLoop. The exceptions are:
2916
2917         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2918         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2919         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2920         to change the stack size since CLoop requires it to be page aligned.
2921
2922         * microbenchmarks/array-push-1.js:
2923         * microbenchmarks/array-push-2.js:
2924         * microbenchmarks/elidable-new-object-dag.js:
2925         * microbenchmarks/elidable-new-object-roflcopter.js:
2926         * microbenchmarks/elidable-new-object-tree.js:
2927         * microbenchmarks/getter-richards.js:
2928         * microbenchmarks/sinkable-new-object-dag.js:
2929         * microbenchmarks/string-concat-long-convert.js:
2930         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2931         * slowMicrobenchmarks/array-push-3.js:
2932         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2933         * slowMicrobenchmarks/spread-small-array.js:
2934         * slowMicrobenchmarks/undefined-property-access.js:
2935         * stress/activation-sink-default-value-tdz-error.js:
2936         * stress/activation-sink-default-value.js:
2937         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2938         * stress/activation-sink-osrexit-default-value.js:
2939         * stress/activation-sink-osrexit.js:
2940         * stress/activation-sink.js:
2941         * stress/allow-math-ic-b3-code-duplication.js:
2942         * stress/array-push-multiple-int32.js:
2943         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2944         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2945         * stress/arrowfunction-lexical-this-activation-sink.js:
2946         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2947         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2948         * stress/elide-new-object-dag-then-exit.js:
2949         * stress/materialize-regexp-cyclic.js:
2950         * stress/new-regex-inline.js:
2951         * stress/op_add.js:
2952         * stress/op_bitand.js:
2953         * stress/op_bitor.js:
2954         * stress/op_bitxor.js:
2955         * stress/op_div-ConstVar.js:
2956         * stress/op_div-VarConst.js:
2957         * stress/op_div-VarVar.js:
2958         * stress/op_lshift-ConstVar.js:
2959         * stress/op_lshift-VarConst.js:
2960         * stress/op_lshift-VarVar.js:
2961         * stress/op_mod-ConstVar.js:
2962         * stress/op_mod-VarConst.js:
2963         * stress/op_mod-VarVar.js:
2964         * stress/op_mul-ConstVar.js:
2965         * stress/op_mul-VarConst.js:
2966         * stress/op_mul-VarVar.js:
2967         * stress/op_rshift-ConstVar.js:
2968         * stress/op_rshift-VarConst.js:
2969         * stress/op_rshift-VarVar.js:
2970         * stress/op_sub-ConstVar.js:
2971         * stress/op_sub-VarConst.js:
2972         * stress/op_sub-VarVar.js:
2973         * stress/op_urshift-ConstVar.js:
2974         * stress/op_urshift-VarConst.js:
2975         * stress/op_urshift-VarVar.js:
2976         * stress/proxy-get-set-correct-receiver.js:
2977         * stress/regress-179562.js:
2978         * stress/rest-parameter-many-arguments.js:
2979         * stress/sampling-profiler-richards.js:
2980         * stress/splay-flash-access-1ms.js:
2981         * stress/tailCallForwardArguments.js:
2982         * stress/typed-array-get-by-val-profiling.js:
2983         * typeProfiler/getter-richards.js:
2984
2985 2018-11-06  Michael Saboff  <msaboff@apple.com>
2986
2987         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2988         https://bugs.webkit.org/show_bug.cgi?id=191271
2989
2990         Reviewed by Saam Barati.
2991
2992         Added more test cases and made all test cases run with the same deeply recursive stack
2993         instead of finding that same point for each test case.
2994
2995         * stress/regexp-compile-oom.js:
2996         (prototype.runTest):
2997         (recurseAndTest):
2998         (testList.push.new.TestAndExpectedException):
2999
3000 2018-11-05  Michael Saboff  <msaboff@apple.com>
3001
3002         Unreviewed build fix for linux.
3003
3004         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3005
3006 2018-11-02  Michael Saboff  <msaboff@apple.com>
3007
3008         Rolling in r237753 with unreviewed build fix.
3009
3010         Fixed issues with DECLARE_THROW_SCOPE placement.
3011
3012 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3013
3014         Unreviewed, rolling out r237753.
3015
3016         Introduced JSC test failures
3017
3018         Reverted changeset:
3019
3020         "Running out of stack space not properly handled in
3021         RegExp::compile() and its callers"
3022         https://bugs.webkit.org/show_bug.cgi?id=191206
3023         https://trac.webkit.org/changeset/237753
3024
3025 2018-11-02  Michael Saboff  <msaboff@apple.com>
3026
3027         Running out of stack space not properly handled in RegExp::compile() and its callers
3028         https://bugs.webkit.org/show_bug.cgi?id=191206
3029
3030         Reviewed by Filip Pizlo.
3031
3032         New regression test.
3033
3034         * stress/regexp-compile-oom.js: Added.
3035         (recurseAndTest):
3036
3037 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3038
3039         Skip tests on arm/mips that time out now we're running on CLoop
3040
3041         Unreviewed gardening.
3042
3043         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3044         time out on the bots and need to be disabled. There's more tests
3045         disabled on arm because the timeout is longer on the mips bot (as the
3046         device is slower to start with), so many of the tests don't time out
3047         there.
3048
3049         * microbenchmarks/getter-richards.js: disable on arm and mips.
3050         * stress/op_add.js: disable on arm.
3051         * stress/op_bitand.js: disable on arm.
3052         * stress/op_bitor.js: disable on arm.
3053         * stress/op_bitxor.js: disable on arm.
3054         * stress/op_lshift-ConstVar.js: disable on arm.
3055         * stress/op_lshift-VarConst.js: disable on arm.
3056         * stress/op_lshift-VarVar.js: disable on arm.
3057         * stress/op_mod-ConstVar.js: disable on arm.
3058         * stress/op_mod-VarConst.js: disable on arm.
3059         * stress/op_mod-VarVar.js: disable on arm.
3060         * stress/op_mul-ConstVar.js: disable on arm.
3061         * stress/op_mul-VarConst.js: disable on arm.
3062         * stress/op_mul-VarVar.js: disable on arm.
3063         * stress/op_rshift-ConstVar.js: disable on arm.
3064         * stress/op_rshift-VarConst.js: disable on arm.
3065         * stress/op_rshift-VarVar.js: disable on arm.
3066         * stress/op_sub-ConstVar.js: disable on arm.
3067         * stress/op_sub-VarConst.js: disable on arm.
3068         * stress/op_sub-VarVar.js: disable on arm.
3069         * stress/op_urshift-ConstVar.js: disable on arm.
3070         * stress/op_urshift-VarConst.js: disable on arm.
3071         * stress/op_urshift-VarVar.js: disable on arm.
3072         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3073         * stress/value-to-boolean.js: disable on arm and mips.
3074
3075 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3076
3077         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3078         https://bugs.webkit.org/show_bug.cgi?id=191108
3079         <rdar://problem/45690700>
3080
3081         Reviewed by Saam Barati.
3082
3083         * stress/wide-op_catch.js: Added.
3084         (catch):
3085
3086 2018-10-29  Mark Lam  <mark.lam@apple.com>
3087
3088         Correctly detect string overflow when using the 'Function' constructor.
3089         https://bugs.webkit.org/show_bug.cgi?id=184883
3090         <rdar://problem/36320331>
3091
3092         Reviewed by Saam Barati.
3093
3094         I've verified that this passes on 32-bit as well.
3095
3096         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3097
3098 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3099
3100         Add support for GetStack FlushedDouble
3101         https://bugs.webkit.org/show_bug.cgi?id=191012
3102         <rdar://problem/45265141>
3103
3104         Reviewed by Saam Barati.
3105
3106         * stress/get-stack-double.js: Added.
3107         (bar):
3108         (noInline):
3109
3110 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3111
3112         New bytecode format for JSC
3113         https://bugs.webkit.org/show_bug.cgi?id=187373
3114         <rdar://problem/44186758>
3115
3116         Reviewed by Filip Pizlo.
3117
3118         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3119
3120         * stress/maximum-inline-capacity.js: Added.
3121         (test1):
3122         (test3.Foo):
3123         (test3):
3124
3125 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3126
3127         Unreviewed, rolling out r237479 and r237484.
3128         https://bugs.webkit.org/show_bug.cgi?id=190978
3129
3130         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3131
3132         Reverted changesets:
3133
3134         "New bytecode format for JSC"
3135         https://bugs.webkit.org/show_bug.cgi?id=187373
3136         https://trac.webkit.org/changeset/237479
3137
3138         "Gardening: Build fix after r237479."
3139         https://bugs.webkit.org/show_bug.cgi?id=187373
3140         https://trac.webkit.org/changeset/237484
3141
3142 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3143
3144         New bytecode format for JSC
3145         https://bugs.webkit.org/show_bug.cgi?id=187373
3146         <rdar://problem/44186758>
3147
3148         Reviewed by Filip Pizlo.
3149
3150         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3151
3152         * stress/maximum-inline-capacity.js: Added.
3153         (test1):
3154         (test3.Foo):
3155         (test3):
3156
3157 2018-10-26  Mark Lam  <mark.lam@apple.com>
3158
3159         Fix missing edge cases with JSGlobalObjects having a bad time.
3160         https://bugs.webkit.org/show_bug.cgi?id=189028
3161         <rdar://problem/45204939>
3162
3163         Reviewed by Saam Barati.
3164
3165         * stress/regress-189028.js: Added.
3166
3167 2018-10-22  Mark Lam  <mark.lam@apple.com>
3168
3169         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3170         https://bugs.webkit.org/show_bug.cgi?id=190515
3171         <rdar://problem/45222379>
3172
3173         Rubber-stamped by Saam Barati.
3174
3175         Adding another test.
3176
3177         * stress/regress-190515-2.js: Added.
3178
3179 2018-10-22  Mark Lam  <mark.lam@apple.com>
3180
3181         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3182         https://bugs.webkit.org/show_bug.cgi?id=190515
3183         <rdar://problem/45222379>
3184
3185         Reviewed by Saam Barati.
3186
3187         * stress/regress-190515.js: Added.
3188
3189 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3190
3191         Unreviewed, rolling out r237254.
3192         https://bugs.webkit.org/show_bug.cgi?id=190760
3193
3194         "It regresses JetStream 2 by 5% on some iOS devices"
3195         (Requested by saamyjoon on #webkit).
3196
3197         Reverted changeset:
3198
3199         "[JSC] JSC should have "parseFunction" to optimize Function
3200         constructor"
3201         https://bugs.webkit.org/show_bug.cgi?id=190340
3202         https://trac.webkit.org/changeset/237254
3203
3204 2018-10-19  Saam Barati  <sbarati@apple.com>
3205
3206         vmCall should check if we exit before emitting an OSR exit due to exceptions
3207         https://bugs.webkit.org/show_bug.cgi?id=190740
3208         <rdar://problem/45220139>
3209
3210         Reviewed by Mark Lam.
3211
3212         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3213         (foo):
3214
3215 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3216
3217         [ESNext][BigInt] Implement support for "^"
3218         https://bugs.webkit.org/show_bug.cgi?id=186235
3219
3220         Reviewed by Yusuke Suzuki.
3221
3222         * stress/big-int-bitwise-xor-general.js: Added.
3223         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3224         * stress/big-int-bitwise-xor-type-error.js: Added.
3225         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3226
3227 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3228
3229         [BigInt] Add ValueSub into DFG
3230         https://bugs.webkit.org/show_bug.cgi?id=186176
3231
3232         Reviewed by Yusuke Suzuki.
3233
3234         * stress/big-int-subtraction-jit.js:
3235         * stress/value-sub-big-int-prediction-propagation.js: Added.
3236         * stress/value-sub-big-int-untyped.js: Added.
3237         * stress/value-sub-spec-none-case.js: Added.
3238
3239 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3240
3241         [JSC] JSC should have "parseFunction" to optimize Function constructor
3242         https://bugs.webkit.org/show_bug.cgi?id=190340
3243
3244         Reviewed by Mark Lam.
3245
3246         This patch fixes the line number of syntax errors raised by the Function constructor,
3247         since we now parse the final code only once. And we no longer use block statement
3248         for Function constructor's parsing.
3249
3250         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3251         * stress/function-cache-with-parameters-end-position.js: Added.
3252         (shouldBe):
3253         (shouldThrow):
3254         (i.anonymous):
3255         * stress/function-constructor-name.js: Added.
3256         (shouldBe):
3257         (GeneratorFunction):
3258         (AsyncFunction.async):
3259         (AsyncGeneratorFunction.async):
3260         (anonymous):
3261         (async.anonymous):
3262         * test262/expectations.yaml:
3263
3264 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3265
3266         Unreviewed, rolling out r237242.
3267         https://bugs.webkit.org/show_bug.cgi?id=190701
3268
3269         it breaks "stress/sampling-profiler-basic.js" (Requested by
3270         caiolima on #webkit).
3271
3272         Reverted changeset:
3273
3274         "[BigInt] Add ValueSub into DFG"
3275         https://bugs.webkit.org/show_bug.cgi?id=186176
3276         https://trac.webkit.org/changeset/237242
3277
3278 2018-10-17  Keith Miller  <keith_miller@apple.com>
3279
3280         AI does not clear Phantom allocation nodes.
3281         https://bugs.webkit.org/show_bug.cgi?id=190694
3282
3283         Reviewed by Saam Barati.
3284
3285         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3286         (Day):
3287         (DaysInYear):
3288         (TimeInYear):
3289         (TimeFromYear):
3290         (DayFromYear):
3291         (InLeapYear):
3292         (YearFromTime):
3293         (WeekDay):
3294         (DaylightSavingTA):
3295         (GetSecondSundayInMarch):
3296         (TimeInMonth):
3297
3298 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3299
3300         [BigInt] Add ValueSub into DFG
3301         https://bugs.webkit.org/show_bug.cgi?id=186176
3302
3303         Reviewed by Yusuke Suzuki.
3304
3305         * stress/big-int-subtraction-jit.js:
3306         * stress/value-sub-big-int-prediction-propagation.js: Added.
3307         * stress/value-sub-big-int-untyped.js: Added.
3308
3309 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3310
3311         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3312         https://bugs.webkit.org/show_bug.cgi?id=190611
3313
3314         Reviewed by Saam Barati.
3315
3316         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3317         to improve test runtime. On ARM/MIPS this test even timed out when running all
3318         tests.
3319
3320         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3321         (test):
3322
3323 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3324
3325         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3326
3327         Unreviewed gardening.
3328
3329         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3330
3331 2018-10-15  Saam barati  <sbarati@apple.com>
3332
3333         Emit fjcvtzs on ARM64E on Darwin
3334         https://bugs.webkit.org/show_bug.cgi?id=184023
3335
3336         Reviewed by Yusuke Suzuki and Filip Pizlo.
3337
3338         * stress/double-to-int32-NaN.js: Added.
3339         (assert):
3340         (foo):
3341
3342 2018-10-15  Saam Barati  <sbarati@apple.com>
3343
3344         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3345         https://bugs.webkit.org/show_bug.cgi?id=190262
3346         <rdar://problem/44986241>
3347
3348         Reviewed by Mark Lam.
3349
3350         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3351         (test):
3352         * stress/slice-array-storage-with-holes.js: Added.
3353         (main):
3354
3355 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3356
3357         Unreviewed, rolling out r237054.
3358         https://bugs.webkit.org/show_bug.cgi?id=190593
3359
3360         "this regressed JetStream 2 by 6% on iOS" (Requested by
3361         saamyjoon on #webkit).
3362
3363         Reverted changeset:
3364
3365         "[JSC] JSC should have "parseFunction" to optimize Function
3366         constructor"
3367         https://bugs.webkit.org/show_bug.cgi?id=190340
3368         https://trac.webkit.org/changeset/237054
3369
3370 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3371
3372         [JSC] JSON.stringify can accept call-with-no-arguments
3373         https://bugs.webkit.org/show_bug.cgi?id=190343
3374
3375         Reviewed by Mark Lam.
3376
3377         * stress/json-stringify-no-arguments.js: Added.
3378         (shouldBe):
3379
3380 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3381
3382         [JSC] JSC should have "parseFunction" to optimize Function constructor
3383         https://bugs.webkit.org/show_bug.cgi?id=190340
3384
3385         Reviewed by Mark Lam.
3386
3387         This patch fixes the line number of syntax errors raised by the Function constructor,
3388         since we now parse the final code only once. And we no longer use block statement
3389         for Function constructor's parsing.
3390
3391         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3392         * stress/function-cache-with-parameters-end-position.js: Added.
3393         (shouldBe):
3394         (shouldThrow):
3395         (i.anonymous):
3396         * stress/function-constructor-name.js: Added.
3397         (shouldBe):
3398         (GeneratorFunction):
3399         (AsyncFunction.async):
3400         (AsyncGeneratorFunction.async):
3401         (anonymous):
3402         (async.anonymous):
3403         * test262/expectations.yaml:
3404
3405 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3406
3407         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3408         https://bugs.webkit.org/show_bug.cgi?id=190426
3409
3410         Unreviewed gardening.
3411
3412         * stress/sampling-profiler-richards.js:
3413
3414 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3415
3416         [ESNext][BigInt] Implement support for "|"
3417         https://bugs.webkit.org/show_bug.cgi?id=186229
3418
3419         Reviewed by Yusuke Suzuki.
3420
3421         * stress/big-int-bitwise-and-jit.js:
3422         * stress/big-int-bitwise-or-general.js: Added.
3423         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3424         * stress/big-int-bitwise-or-jit.js: Added.
3425         * stress/big-int-bitwise-or-memory-stress.js: Added.
3426         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3427         * stress/big-int-bitwise-or-type-error.js: Added.
3428         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3429
3430 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3431
3432         Skip test on systems with limited memory
3433         https://bugs.webkit.org/show_bug.cgi?id=190310
3434
3435         Invoking runDefault adds test to runlist; skipping the test in the next
3436         line does not prevent the test from executing. Change order of lines such
3437         that runDefault is only executed if test is not executed.
3438
3439         Reviewed by Mark Lam.
3440
3441         * stress/regress-190187.js:
3442
3443 2018-10-03  Saam barati  <sbarati@apple.com>
3444
3445         lowXYZ in FTLLower should always filter the type of the incoming edge
3446         https://bugs.webkit.org/show_bug.cgi?id=189939
3447         <rdar://problem/44407030>
3448
3449         Reviewed by Michael Saboff.
3450
3451         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3452         (foo):
3453         (test):
3454
3455 2018-10-03  Mark Lam  <mark.lam@apple.com>
3456
3457         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3458         https://bugs.webkit.org/show_bug.cgi?id=190187
3459         <rdar://problem/42512909>
3460
3461         Reviewed by Michael Saboff.
3462
3463         * stress/regress-190187.js: Added.
3464
3465 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3466
3467         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3468         https://bugs.webkit.org/show_bug.cgi?id=190033
3469
3470         Reviewed by Yusuke Suzuki.
3471
3472         * stress/big-int-to-string.js:
3473
3474 2018-10-01  Mark Lam  <mark.lam@apple.com>
3475
3476         Function.toString() should also copy the source code of Functions that are class definitions.
3477         https://bugs.webkit.org/show_bug.cgi?id=190186
3478         <rdar://problem/44733360>
3479
3480         Reviewed by Saam Barati.
3481
3482         * stress/regress-190186.js: Added.
3483
3484 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3485
3486         Split NaN-check into separate test
3487         https://bugs.webkit.org/show_bug.cgi?id=190010
3488
3489         Reviewed by Saam Barati.
3490
3491         DataView exposes NaN-representation, which is not necessarily the same on each
3492         architecture. Therefore move the check of the NaN-representation into its own
3493         file such that we can disable this test on MIPS where NaN-representation can be
3494         different on older CPUs.
3495
3496         * stress/dataview-jit-set-nan.js: Added.
3497         (assert):
3498         (test.storeLittleEndian):
3499         (test.storeBigEndian):
3500         (test.store):
3501         (test):
3502         * stress/dataview-jit-set.js:
3503         (test5):
3504
3505 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3506
3507         Unreviewed, rolling out r236647.
3508         https://bugs.webkit.org/show_bug.cgi?id=190124
3509
3510         Breaking test stress/big-int-to-string.js (Requested by
3511         caiolima_ on #webkit).
3512
3513         Reverted changeset:
3514
3515         "[BigInt] BigInt.prototype.toString is broken when radix is
3516         power of 2"
3517         https://bugs.webkit.org/show_bug.cgi?id=190033
3518         https://trac.webkit.org/changeset/236647
3519
3520 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3521
3522         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3523         https://bugs.webkit.org/show_bug.cgi?id=190033
3524
3525         Reviewed by Yusuke Suzuki.
3526
3527         * stress/big-int-to-string.js:
3528
3529 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3530
3531         [ESNext][BigInt] Implement support for "&"
3532         https://bugs.webkit.org/show_bug.cgi?id=186228
3533
3534         Reviewed by Yusuke Suzuki.
3535
3536         * stress/big-int-bitwise-and-general.js: Added.
3537         (assert):
3538         (assert.sameValue):
3539         * stress/big-int-bitwise-and-jit.js: Added.
3540         (let.assert.sameValue):
3541         (bigIntBitAnd):
3542         * stress/big-int-bitwise-and-memory-stress.js: Added.
3543         (assert):
3544         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3545         (assert.sameValue):
3546         (let.o.Symbol.toPrimitive):
3547         (catch):
3548         * stress/big-int-bitwise-and-type-error.js: Added.
3549         (assert):
3550         (assertThrowTypeError):
3551         (let.o.valueOf):
3552         (o.valueOf):
3553         (o.toString):
3554         (o.Symbol.toPrimitive):
3555         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3556         (assert.sameValue):
3557         (testBitAnd):
3558         (let.o.Symbol.toPrimitive):
3559         (o.valueOf):
3560         (o.toString):
3561
3562 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3563
3564         JSC test stress/jsc-read.js doesn't support CRLF
3565         https://bugs.webkit.org/show_bug.cgi?id=190063
3566
3567         Reviewed by Yusuke Suzuki.
3568
3569         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3570
3571         * stress/jsc-read.js:
3572         (test):
3573
3574 2018-09-27  Saam barati  <sbarati@apple.com>
3575
3576         Verify the contents of AssemblerBuffer on arm64e
3577         https://bugs.webkit.org/show_bug.cgi?id=190057
3578         <rdar://problem/38916630>
3579
3580         Reviewed by Mark Lam.
3581
3582         * stress/regress-189132.js:
3583
3584 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3585
3586         Disable test without LLInt on ARMv7
3587         https://bugs.webkit.org/show_bug.cgi?id=190037
3588
3589         Reviewed by Mark Lam.
3590
3591         Test runs out of executable memory on ARMv7; do not run
3592         this test without LLInt enabled.
3593
3594         * stress/regress-169445.js:
3595
3596 2018-09-26  Keith Miller  <keith_miller@apple.com>
3597
3598         We should zero unused property storage when rebalancing array storage.
3599         https://bugs.webkit.org/show_bug.cgi?id=188151
3600
3601         Reviewed by Michael Saboff.
3602
3603         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3604
3605 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3606
3607         [JSC] Optimize Array#lastIndexOf
3608         https://bugs.webkit.org/show_bug.cgi?id=189780
3609
3610         Reviewed by Saam Barati.
3611
3612         * stress/array-lastindexof-array-prototype-trap.js: Added.
3613         (shouldBe):
3614         (AncestorArray.prototype.get 2):
3615         (AncestorArray):
3616         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3617         (shouldBe):
3618         * stress/array-lastindexof-hole-nan.js: Added.
3619         (shouldBe):
3620         (throw.new.Error):
3621         * stress/array-lastindexof-infinity.js: Added.
3622         (shouldBe):
3623         (throw.new.Error):
3624         * stress/array-lastindexof-negative-zero.js: Added.
3625         (shouldBe):
3626         (throw.new.Error):
3627         * stress/array-lastindexof-own-getter.js: Added.
3628         (shouldBe):
3629         (throw.new.Error.get array):
3630         (get array):
3631         * stress/array-lastindexof-prototype-trap.js: Added.
3632         (shouldBe):
3633         (DerivedArray.prototype.get 2):
3634         (DerivedArray):
3635
3636 2018-09-25  Saam Barati  <sbarati@apple.com>
3637
3638         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3639         https://bugs.webkit.org/show_bug.cgi?id=189940
3640         <rdar://problem/43640987>
3641
3642         Reviewed by Mark Lam.
3643
3644         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3645
3646 2018-09-24  Saam Barati  <sbarati@apple.com>
3647
3648         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3649         https://bugs.webkit.org/show_bug.cgi?id=189922
3650         <rdar://problem/44651275>
3651
3652         Reviewed by Mark Lam.
3653
3654         * stress/array-indexof-fast-path-effects.js: Added.
3655         * stress/array-indexof-cached-length.js: Added.
3656
3657 2018-09-24  Saam barati  <sbarati@apple.com>
3658
3659         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3660         https://bugs.webkit.org/show_bug.cgi?id=189682
3661         <rdar://problem/43557315>
3662
3663         Reviewed by Mark Lam.
3664
3665         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3666         (foo):
3667
3668 2018-09-22  Saam barati  <sbarati@apple.com>
3669
3670         The sampling should not use Strong<CodeBlock> in its machineLocation field
3671         https://bugs.webkit.org/show_bug.cgi?id=189319
3672
3673         Reviewed by Filip Pizlo.
3674
3675         * stress/sampling-profiler-richards.js: Added.
3676
3677 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3678
3679         [JSC] Optimize Array#indexOf in C++ runtime
3680         https://bugs.webkit.org/show_bug.cgi?id=189507
3681
3682         Reviewed by Saam Barati.
3683
3684         * stress/array-indexof-array-prototype-trap.js: Added.
3685         (shouldBe):
3686         (AncestorArray.prototype.get 2):
3687         (AncestorArray):
3688         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3689         (shouldBe):
3690         * stress/array-indexof-hole-nan.js: Added.
3691         (shouldBe):
3692         (throw.new.Error):
3693         * stress/array-indexof-infinity.js: Added.
3694         (shouldBe):
3695         (throw.new.Error):
3696         * stress/array-indexof-negative-zero.js: Added.
3697         (shouldBe):
3698         (throw.new.Error):
3699         * stress/array-indexof-own-getter.js: Added.
3700         (shouldBe):
3701         (throw.new.Error.get array):
3702         (get array):
3703         * stress/array-indexof-prototype-trap.js: Added.
3704         (shouldBe):
3705         (DerivedArray.prototype.get 2):
3706         (DerivedArray):
3707
3708 2018-09-19  Saam barati  <sbarati@apple.com>
3709
3710         AI rule for MultiPutByOffset executes its effects in the wrong order
3711         https://bugs.webkit.org/show_bug.cgi?id=189757
3712         <rdar://problem/43535257>
3713
3714         Reviewed by Michael Saboff.
3715
3716         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3717         (foo):
3718         (Foo):
3719         (g):
3720
3721 2018-09-17  Mark Lam  <mark.lam@apple.com>
3722
3723         Ensure that ForInContexts are invalidated if their loop local is over-written.
3724         https://bugs.webkit.org/show_bug.cgi?id=189571
3725         <rdar://problem/44402277>
3726
3727         Reviewed by Saam Barati.
3728
3729         * stress/regress-189571.js: Added.
3730
3731 2018-09-17  Saam barati  <sbarati@apple.com>
3732
3733         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3734         https://bugs.webkit.org/show_bug.cgi?id=189676
3735         <rdar://problem/39682897>
3736
3737         Reviewed by Michael Saboff.
3738
3739         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3740         (A):
3741         (K):
3742         (i.catch):
3743
3744 2018-09-14  Saam barati  <sbarati@apple.com>
3745
3746         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3747         https://bugs.webkit.org/show_bug.cgi?id=189628
3748         <rdar://problem/39481690>
3749
3750         Reviewed by Mark Lam.
3751
3752         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3753         (foo):
3754
3755 2018-09-11  Mark Lam  <mark.lam@apple.com>
3756
3757         Test for array initialization in arrayProtoFuncSplice.
3758         https://bugs.webkit.org/show_bug.cgi?id=170253
3759         <rdar://problem/31328773>
3760
3761         Rubber-stamped by Saam Barati.
3762
3763         * stress/regress-170253.js: Added.
3764
3765 2018-09-11  Mark Lam  <mark.lam@apple.com>
3766
3767         Test for IntlObject initialization.
3768         https://bugs.webkit.org/show_bug.cgi?id=170251
3769         <rdar://problem/31328419>
3770
3771         Rubber-stamped by Saam Barati.
3772
3773         * stress/regress-170251.js: Added.
3774
3775 2018-09-11  Mark Lam  <mark.lam@apple.com>
3776
3777         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3778         https://bugs.webkit.org/show_bug.cgi?id=169889
3779         <rdar://problem/31155607>
3780
3781         Reviewed by Saam Barati.
3782
3783         * stress/regress-169889-array-concat.js: Added.
3784         * stress/regress-169889-array-concat1.js: Added.
3785         * stress/regress-169889-array-slice.js: Added.
3786
3787 2018-09-11  Mark Lam  <mark.lam@apple.com>
3788
3789         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3790         https://bugs.webkit.org/show_bug.cgi?id=169445
3791         <rdar://problem/30957435>
3792
3793         Reviewed by Saam Barati.
3794
3795         * stress/regress-169445.js: Added.
3796         (let.gun.eval.A):
3797         (let.gun.eval.B.C):
3798         (let.gun.eval.B.C.prototype.trigger):
3799         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3800         (let.gun.eval.B):
3801         (let.gun.eval):
3802
3803 == Rolled over to ChangeLog-2018-09-11 ==