Remove invalid assertion in operationInstanceOfCustom
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-11  Saam barati  <sbarati@apple.com>
2
3         Remove invalid assertion in operationInstanceOfCustom
4         https://bugs.webkit.org/show_bug.cgi?id=196842
5         <rdar://problem/49725493>
6
7         Reviewed by Michael Saboff.
8
9         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
10
11 2019-04-10  Saam Barati  <sbarati@apple.com>
12
13         AbstractValue::validateOSREntryValue is wrong for Int52 constants
14         https://bugs.webkit.org/show_bug.cgi?id=196801
15         <rdar://problem/49771122>
16
17         Reviewed by Yusuke Suzuki.
18
19         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
20
21 2019-04-10  Robin Morisset  <rmorisset@apple.com>
22
23         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
24         https://bugs.webkit.org/show_bug.cgi?id=196746
25
26         Reviewed by Yusuke Suzuki.
27
28         * stress/cyclic-define-properties.js: Added.
29         (foo):
30
31 2019-04-09  Saam barati  <sbarati@apple.com>
32
33         Clean up Int52 code and some bugs in it
34         https://bugs.webkit.org/show_bug.cgi?id=196639
35         <rdar://problem/49515757>
36
37         Reviewed by Yusuke Suzuki.
38
39         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
40
41 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
42
43         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
44         https://bugs.webkit.org/show_bug.cgi?id=196708
45         <rdar://problem/49556803>
46
47         Reviewed by Yusuke Suzuki.
48
49         * stress/proxy-getter-stack-overflow.js: Added.
50         (const.handler.get target):
51         (const.handler.has):
52         (try.with):
53         (catch):
54
55 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
56
57         [JSC] DFG should respect node's strict flag
58         https://bugs.webkit.org/show_bug.cgi?id=196617
59
60         Reviewed by Saam Barati.
61
62         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
63         (shouldEqual):
64         (makeUnwriteableUnconfigurableObject):
65         (runTest):
66         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
67         (shouldBe):
68         (shouldThrow):
69         (with.result):
70         (with.putValueStrict):
71         (with.putValueSloppy):
72
73 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
74
75         [JSC] isRope jump in StringSlice should not jump over register allocations
76         https://bugs.webkit.org/show_bug.cgi?id=196716
77
78         Reviewed by Saam Barati.
79
80         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
81         (foo.bar):
82         (foo):
83
84 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
85
86         [JSC] to_index_string should not assume incoming value is Uint32
87         https://bugs.webkit.org/show_bug.cgi?id=196713
88
89         Reviewed by Saam Barati.
90
91         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
92         (foo):
93
94 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         [JSC] Add more tests for r243966
97         https://bugs.webkit.org/show_bug.cgi?id=196711
98
99         Reviewed by Saam Barati.
100
101         Adding one more test for r243966 fix. The added test will not crash after r243966.
102
103         * stress/stress-cleared-calllinkinfo.js: Added.
104         (runNearStackLimit.t):
105         (runNearStackLimit):
106         (repeat):
107         (cls):
108         (let.item.of.array.runNearStackLimit):
109
110 2019-04-08  Saam Barati  <sbarati@apple.com>
111
112         WebAssembly.RuntimeError missing exception check
113         https://bugs.webkit.org/show_bug.cgi?id=196700
114         <rdar://problem/49693932>
115
116         Reviewed by Yusuke Suzuki.
117
118         * wasm/js-api/runtime-error-should-exception-check.js: Added.
119
120 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
121
122         Unreviewed, rolling in r243948 with test fix
123         https://bugs.webkit.org/show_bug.cgi?id=196486
124
125         * stress/arrow-function-and-use-strict-directive.js: Added.
126         * stress/arrow-function-syntax.js: Added.
127         (checkSyntax):
128         (checkSyntaxError):
129
130 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
131
132         Unreviewed, rolling out r243948.
133
134         Caused inspector/runtime/parse.html to fail
135
136         Reverted changeset:
137
138         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
139         https://bugs.webkit.org/show_bug.cgi?id=196486
140         https://trac.webkit.org/changeset/243948
141
142 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
143
144         Unreviewed, rolling out r243943.
145
146         Caused test262 failures.
147
148         Reverted changeset:
149
150         "[JSC] Filter DontEnum properties in
151         ProxyObject::getOwnPropertyNames()"
152         https://bugs.webkit.org/show_bug.cgi?id=176810
153         https://trac.webkit.org/changeset/243943
154
155 2019-04-07  Michael Saboff  <msaboff@apple.com>
156
157         REGRESSION (r243642): Crash in reddit.com page
158         https://bugs.webkit.org/show_bug.cgi?id=196684
159
160         Reviewed by Geoffrey Garen.
161
162         New regression test.
163
164         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
165
166 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
167
168         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
169         https://bugs.webkit.org/show_bug.cgi?id=196683
170
171         Reviewed by Saam Barati.
172
173         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
174         (foo):
175
176 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
179         https://bugs.webkit.org/show_bug.cgi?id=196582
180
181         Reviewed by Saam Barati.
182
183         * stress/add-overflow-check-with-three-same-registers.js: Added.
184         (foo):
185         (Number.prototype.valueOf):
186         (runWithNumber):
187
188 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
189
190         Unreviewed, rolling out r243665.
191
192         Caused iOS JSC tests to exit with an exception.
193
194         Reverted changeset:
195
196         "Assertion failed in JSC::createError"
197         https://bugs.webkit.org/show_bug.cgi?id=196305
198         https://trac.webkit.org/changeset/243665
199
200 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
201
202         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
203         https://bugs.webkit.org/show_bug.cgi?id=196486
204
205         Reviewed by Saam Barati.
206
207         * stress/arrow-function-and-use-strict-directive.js: Added.
208         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
209         (checkSyntax):
210         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
211
212 2019-04-05  Caitlin Potter  <caitp@igalia.com>
213
214         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
215         https://bugs.webkit.org/show_bug.cgi?id=176810
216
217         Reviewed by Saam Barati.
218
219         Add tests for the DontEnum filtering, and variations of other tests
220         take the DontEnum-filtering path.
221
222         * stress/proxy-own-keys.js:
223         (i.catch):
224         (set assert):
225         (set add):
226         (let.set new):
227         (get let):
228
229 2019-04-05  Caitlin Potter  <caitp@igalia.com>
230
231         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
232         https://bugs.webkit.org/show_bug.cgi?id=185211
233
234         Reviewed by Saam Barati.
235
236         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
237
238         This changes several assertions to expect a TypeError to be thrown (in some cases,
239         changing the expected message).
240
241         * es6/Proxy_ownKeys_duplicates.js:
242         (handler):
243         (shouldThrow):
244         (test):
245         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
246         (shouldThrow):
247         * stress/proxy-own-keys.js:
248         (i.catch):
249         (assert):
250
251 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
252
253         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
254         https://bugs.webkit.org/show_bug.cgi?id=196631
255
256         Reviewed by Saam Barati.
257
258         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
259         (assert):
260         (test):
261         (foo):
262
263 2019-04-04  Saam Barati  <sbarati@apple.com>
264
265         Unreviewed. Make the test from r243906 catch the thrown exceptions.
266
267         * stress/inferred-types-regex-matches-array.js:
268
269 2019-04-04  Saam Barati  <sbarati@apple.com>
270
271         createRegExpMatchesArray does not respect inferred types
272         https://bugs.webkit.org/show_bug.cgi?id=193287
273
274         Reviewed by Yusuke Suzuki.
275
276         This checks in the test case for 193287. This issue was discovered by
277         Samuel Groß of Google Project Zero.
278
279         * stress/inferred-types-regex-matches-array.js: Added.
280
281 2019-04-04  Saam barati  <sbarati@apple.com>
282
283         Teach Call ICs how to call Wasm
284         https://bugs.webkit.org/show_bug.cgi?id=196387
285
286         Reviewed by Filip Pizlo.
287
288         * wasm/function-tests/stack-trace.js:
289
290 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
291
292         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
293         https://bugs.webkit.org/show_bug.cgi?id=194944
294
295         Reviewed by Keith Miller.
296
297         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
298
299 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
300
301         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
302         https://bugs.webkit.org/show_bug.cgi?id=196409
303
304         Reviewed by Saam Barati.
305
306         * stress/bytecode-cache-cached-string-impl.js: Added.
307         (f):
308         (g):
309         * stress/bytecode-cache-run-string.js: Added.
310
311 2019-04-03  Robin Morisset  <rmorisset@apple.com>
312
313         B3 should use associativity to optimize expression trees
314         https://bugs.webkit.org/show_bug.cgi?id=194081
315
316         Reviewed by Filip Pizlo.
317
318         Added three microbenchmarks:
319         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
320         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
321           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
322         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
323
324         * microbenchmarks/add-tree.js: Added.
325         * microbenchmarks/bit-or-tree.js: Added.
326         * microbenchmarks/bit-xor-tree.js: Added.
327
328 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
329
330         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
331         https://bugs.webkit.org/show_bug.cgi?id=196574
332
333         Reviewed by Saam Barati.
334
335         * stress/string-index-of-exception-check.js: Added.
336         (blurType):
337         (1.forEach):
338
339 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
340
341         Assertion failed in JSC::createError
342         https://bugs.webkit.org/show_bug.cgi?id=196305
343         <rdar://problem/49387382>
344
345         Reviewed by Saam Barati.
346
347         * stress/create-error-out-of-memory-rope-string-2.js: Added.
348         (assert):
349         (catch):
350
351 2019-03-28  Saam Barati  <sbarati@apple.com>
352
353         BackwardsGraph needs to consider back edges as the backward's root successor
354         https://bugs.webkit.org/show_bug.cgi?id=195991
355
356         Reviewed by Filip Pizlo.
357
358         * stress/map-b3-licm-infinite-loop.js: Added.
359
360 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
361
362         CodeBlock::jettison() should disallow repatching its own calls
363         https://bugs.webkit.org/show_bug.cgi?id=196359
364         <rdar://problem/48973663>
365
366         Reviewed by Saam Barati.
367
368         * stress/call-link-info-osrexit-repatch.js: Added.
369         (foo):
370
371 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
372
373         [JSC] imports-oom.js intermittently fails
374         https://bugs.webkit.org/show_bug.cgi?id=196373
375
376         Reviewed by Saam Barati.
377
378         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
379         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
380         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
381         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
382         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
383
384         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
385         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
386
387         * wasm/lowExecutableMemory/imports-oom.js:
388
389 2019-03-27  Saam Barati  <sbarati@apple.com>
390
391         validateOSREntryValue with Int52 should box the value being checked into double format
392         https://bugs.webkit.org/show_bug.cgi?id=196313
393         <rdar://problem/49306703>
394
395         Reviewed by Yusuke Suzuki.
396
397         * stress/validate-int-52-ai-state.js: Added.
398
399 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
400
401         [JSC] Owner of watchpoints should validate at GC finalizing phase
402         https://bugs.webkit.org/show_bug.cgi?id=195827
403
404         Reviewed by Filip Pizlo.
405
406         * stress/gc-should-reap-dead-watchpoints.js: Added.
407         (foo):
408         (A.prototype.y):
409         (A):
410
411 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
412
413         Skip WebAssembly test on 32-bit systems
414         https://bugs.webkit.org/show_bug.cgi?id=196206
415
416         Reviewed by Saam Barati.
417
418         Invoking runDefault executes test immediately even though
419         that test should be skipped due to missing WASM support.
420         Therefore remove runDefault.
421
422         * wasm/regress/web-assembly-link-error-exception-check.js:
423
424 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
425
426         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
427         https://bugs.webkit.org/show_bug.cgi?id=196217
428
429         Reviewed by Saam Barati.
430
431         Re-enable all NaN tests for f32.min, f64.min and f64.max.
432
433         * wasm/spec-tests/f32.wast.js:
434         * wasm/spec-tests/f64.wast.js:
435         * wasm/wasm.json:
436
437 2019-03-25  Keith Miller  <keith_miller@apple.com>
438
439         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
440         https://bugs.webkit.org/show_bug.cgi?id=196176
441
442         Reviewed by Saam Barati.
443
444         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
445         (main.v10):
446         (main):
447
448 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
449
450         WebAssembly: f32.max with NaN generates incorrect result
451         https://bugs.webkit.org/show_bug.cgi?id=175691
452         <rdar://problem/33952228>
453
454         Reviewed by Saam Barati.
455
456         Enable all f32.max NaN tests
457
458         * wasm/spec-tests/f32.wast.js:
459         * wasm/wasm.json:
460
461 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
462
463         [JSC] Move test into directory for WASM tests
464         https://bugs.webkit.org/show_bug.cgi?id=196187
465
466         Reviewed by Mark Lam.
467
468         Move Test into wasm-directory. Otherwise this test
469         is also executed on systems without WASM support.
470
471         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
472
473 2019-03-23  Mark Lam  <mark.lam@apple.com>
474
475         Rolling out r243032 and r243071 because the fix is incorrect.
476         https://bugs.webkit.org/show_bug.cgi?id=195892
477         <rdar://problem/48981239>
478
479         Not reviewed.
480
481         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
482
483 2019-03-22  Mark Lam  <mark.lam@apple.com>
484
485         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
486         https://bugs.webkit.org/show_bug.cgi?id=196154
487         <rdar://problem/49145307>
488
489         Reviewed by Filip Pizlo.
490
491         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
492         There's no need to run this test on more than 1 test configuration.
493
494         * stress/typed-array-lastIndexOf-exception-check.js: Added.
495         * stress/web-assembly-link-error-exception-check.js:
496
497 2019-03-22  Mark Lam  <mark.lam@apple.com>
498
499         Placate exception check validation in constructJSWebAssemblyLinkError().
500         https://bugs.webkit.org/show_bug.cgi?id=196152
501         <rdar://problem/49145257>
502
503         Reviewed by Michael Saboff.
504
505         * stress/web-assembly-link-error-exception-check.js: Added.
506
507 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
508
509         Skip tests running out of memory on ARM/MIPS
510         https://bugs.webkit.org/show_bug.cgi?id=196131
511
512         Unreviewed. Skip test if memory is limited.
513
514         * microbenchmarks/put-by-val-direct-large-index.js:
515
516 2019-03-21  Mark Lam  <mark.lam@apple.com>
517
518         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
519         https://bugs.webkit.org/show_bug.cgi?id=196116
520         <rdar://problem/48976951>
521
522         Reviewed by Filip Pizlo.
523
524         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
525
526 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
527
528         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
529         https://bugs.webkit.org/show_bug.cgi?id=196078
530         <rdar://problem/35925380>
531
532         Reviewed by Mark Lam.
533
534         Add a new benchmark that allocates several objects and invokes put_by_val_direct
535         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
536
537         * microbenchmarks/put-by-val-direct-large-index.js: Added.
538
539 2019-03-21  Mark Lam  <mark.lam@apple.com>
540
541         Placate exception check validation in operationArrayIndexOfString().
542         https://bugs.webkit.org/show_bug.cgi?id=196067
543         <rdar://problem/49056572>
544
545         Reviewed by Michael Saboff.
546
547         * stress/string-equal-exception-check.js: Added.
548
549 2019-03-21  Mark Lam  <mark.lam@apple.com>
550
551         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
552         https://bugs.webkit.org/show_bug.cgi?id=196055
553         <rdar://problem/49067448>
554
555         Reviewed by Yusuke Suzuki.
556
557         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
558
559 2019-03-20  Saam Barati  <sbarati@apple.com>
560
561         typeOfDoubleSum is wrong for when NaN can be produced
562         https://bugs.webkit.org/show_bug.cgi?id=196030
563
564         Reviewed by Filip Pizlo.
565
566         * stress/double-add-sub-mul-can-produce-nan.js: Added.
567         (assert):
568         (noInline.sub):
569         (noInline):
570         (assert.mul):
571         (assert.add):
572
573 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
574
575         Update the test to ensure OutOfMemoryError is thrown as intended
576         https://bugs.webkit.org/show_bug.cgi?id=196032
577         <rdar://problem/46842740>
578
579         Rubber stamped by Saam Barati.
580
581         * stress/create-error-out-of-memory-rope-string.js:
582         (assert):
583         (catch):
584
585 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
586
587         JSC::createError needs to check for OOM in errorDescriptionForValue
588         https://bugs.webkit.org/show_bug.cgi?id=196032
589         <rdar://problem/46842740>
590
591         Reviewed by Mark Lam.
592
593         * stress/create-error-out-of-memory-rope-string.js: Added.
594
595 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
596
597         Unreviewed, reduce # of iterations to avoid timing out after r242991
598         https://bugs.webkit.org/show_bug.cgi?id=195791
599
600         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
601
602         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
603
604 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
605
606         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
607         https://bugs.webkit.org/show_bug.cgi?id=195950
608
609         Unreviewed, reducing the amount of memory used on this test to avoid
610         OOM on devices with memory restrictions.
611
612         * microbenchmarks/generate-multiple-llint-entrypoints.js:
613
614 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
615
616         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
617         https://bugs.webkit.org/show_bug.cgi?id=194648
618
619         Reviewed by Keith Miller.
620
621         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
622
623 2019-03-18  Mark Lam  <mark.lam@apple.com>
624
625         Missing a ThrowScope release in JSObject::toString().
626         https://bugs.webkit.org/show_bug.cgi?id=195893
627         <rdar://problem/48970986>
628
629         Reviewed by Michael Saboff.
630
631         * stress/to-string-exception-check-release.js: Added.
632
633 2019-03-18  Mark Lam  <mark.lam@apple.com>
634
635         Structure::flattenDictionary() should clear unused property slots.
636         https://bugs.webkit.org/show_bug.cgi?id=195871
637         <rdar://problem/48959497>
638
639         Reviewed by Michael Saboff.
640
641         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
642
643 2019-03-15  Mark Lam  <mark.lam@apple.com>
644
645         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
646         https://bugs.webkit.org/show_bug.cgi?id=195827
647         <rdar://problem/48845513>
648
649         Reviewed by Filip Pizlo.
650
651         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
652
653 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
654
655         [ARM,MIPS] Skip slow tests
656         https://bugs.webkit.org/show_bug.cgi?id=195799
657
658         Unreviewed, test does not finish on ARM and MIPS within the
659         timeout limit.
660
661         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
662
663 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
664
665         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
666         https://bugs.webkit.org/show_bug.cgi?id=195791
667         <rdar://problem/48806130>
668
669         Reviewed by Mark Lam.
670
671         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
672         (foo):
673
674 2019-03-14  Saam barati  <sbarati@apple.com>
675
676         We can't remove code after ForceOSRExit until after FixupPhase
677         https://bugs.webkit.org/show_bug.cgi?id=186916
678         <rdar://problem/41396612>
679
680         Reviewed by Yusuke Suzuki.
681
682         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
683         (foo):
684         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
685         (foo):
686
687 2019-03-13  Michael Saboff  <msaboff@apple.com>
688
689         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
690         https://bugs.webkit.org/show_bug.cgi?id=195735
691
692         Reviewed by Mark Lam.
693
694         New regression test.
695
696         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
697         (foo):
698         (bar):
699
700 2019-03-14  Saam barati  <sbarati@apple.com>
701
702         Fixup uses KnownInt32 incorrectly in some nodes
703         https://bugs.webkit.org/show_bug.cgi?id=195279
704         <rdar://problem/47915654>
705
706         Reviewed by Yusuke Suzuki.
707
708         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
709         (foo):
710
711 2019-03-14  Keith Miller  <keith_miller@apple.com>
712
713         DFG liveness can't skip tail caller inline frames
714         https://bugs.webkit.org/show_bug.cgi?id=195715
715
716         Reviewed by Saam Barati.
717
718         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
719         (i.foo):
720
721 2019-03-13  Mark Lam  <mark.lam@apple.com>
722
723         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
724         https://bugs.webkit.org/show_bug.cgi?id=195415
725
726         Not reviewed.
727
728         Changed these tests to only run the default configuration.
729         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
730         There's no strong need to run this test on that variant.
731
732         * stress/dfg-to-string-on-int-does-gc.js:
733         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
734
735 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
736
737         String overflow when using StringBuilder in JSC::createError
738         https://bugs.webkit.org/show_bug.cgi?id=194957
739
740         Reviewed by Mark Lam.
741
742         Add test string-overflow-createError-builder.js that overflows
743         StringBuilder in notAFunctionSourceAppender. The second new test
744         string-overflow-createError-fit.js has an error message that doesn't
745         overflow, it still failed since the String's capacity can't be doubled.
746         Run test string-overflow-createError.js only in the default
747         configuration to reduce memory consumption when running the test
748         in all configurations on multiple CPUs in parallel.
749
750         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
751         (catch):
752         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
753         (catch):
754         * stress/string-overflow-createError.js:
755
756 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
757
758         [JSC] OSR entry should respect abstract values in addition to flush formats
759         https://bugs.webkit.org/show_bug.cgi?id=195653
760
761         Reviewed by Mark Lam.
762
763         * stress/osr-entry-locals-none.js: Added.
764
765 2019-03-12  Michael Saboff  <msaboff@apple.com>
766
767         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
768         https://bugs.webkit.org/show_bug.cgi?id=195613
769
770         Reviewed by Mark Lam.
771
772         New regression test.
773
774         * stress/regexp-backref-inbounds.js: Added.
775         (testRegExp):
776
777 2019-03-12  Mark Lam  <mark.lam@apple.com>
778
779         The HasIndexedProperty node does GC.
780         https://bugs.webkit.org/show_bug.cgi?id=195559
781         <rdar://problem/48767923>
782
783         Reviewed by Yusuke Suzuki.
784
785         * stress/HasIndexedProperty-does-gc.js: Added.
786
787 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
788
789         [ESNext][BigInt] Implement "~" unary operation
790         https://bugs.webkit.org/show_bug.cgi?id=182216
791
792         Reviewed by Keith Miller.
793
794         * stress/big-int-bit-not-general.js: Added.
795         * stress/big-int-bitwise-not-jit.js: Added.
796         * stress/big-int-bitwise-not-wrapped-value.js: Added.
797         * stress/bit-op-with-object-returning-int32.js:
798         * stress/bitwise-not-fixup-rules.js: Added.
799         * stress/value-bit-not-ai-rule.js: Added.
800
801 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
802
803         Invalid flags in a RegExp literal should be an early SyntaxError
804         https://bugs.webkit.org/show_bug.cgi?id=195514
805
806         Reviewed by Darin Adler.
807
808         * test262/expectations.yaml:
809         Mark 4 test cases as passing.
810
811         * stress/regexp-syntax-error-invalid-flags.js:
812         * stress/regress-161995.js: Removed.
813         Update existing test, merging in an older test for the same behavior.
814
815 2019-03-08  Mark Lam  <mark.lam@apple.com>
816
817         Stack overflow crash in JSC::JSObject::hasInstance.
818         https://bugs.webkit.org/show_bug.cgi?id=195458
819         <rdar://problem/48710195>
820
821         Reviewed by Yusuke Suzuki.
822
823         * stress/stack-overflow-in-custom-hasInstance.js: Added.
824
825 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
826
827         op_check_tdz does not def its argument
828         https://bugs.webkit.org/show_bug.cgi?id=192880
829         <rdar://problem/46221598>
830
831         Reviewed by Saam Barati.
832
833         * microbenchmarks/let-for-in.js: Added.
834         (foo):
835
836 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
837
838         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
839         https://bugs.webkit.org/show_bug.cgi?id=195429
840
841         Reviewed by Saam Barati.
842
843         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
844         (foo):
845         * stress/string-from-char-code-255.js: Added.
846
847 2019-03-06  Mark Lam  <mark.lam@apple.com>
848
849         Fix incorrect handling of try-finally completion values.
850         https://bugs.webkit.org/show_bug.cgi?id=195131
851         <rdar://problem/46222079>
852
853         Reviewed by Saam Barati and Yusuke Suzuki.
854
855         Added many permutations of new test case to test-finally.js.  test-finally.js has
856         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
857         tests pass there as well.
858
859         * stress/test-finally.js:
860
861 2019-03-06  Saam Barati  <sbarati@apple.com>
862
863         Air::reportUsedRegisters must padInterference
864         https://bugs.webkit.org/show_bug.cgi?id=195303
865         <rdar://problem/48270343>
866
867         Reviewed by Keith Miller.
868
869         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
870
871 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
872
873         [JSC] AI should not propagate AbstractValue relying on constant folding phase
874         https://bugs.webkit.org/show_bug.cgi?id=195375
875
876         Reviewed by Saam Barati.
877
878         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
879         (let.array):
880
881 2019-03-05  Saam barati  <sbarati@apple.com>
882
883         op_switch_char broken for rope strings after JSRopeString layout rewrite
884         https://bugs.webkit.org/show_bug.cgi?id=195339
885         <rdar://problem/48592545>
886
887         Reviewed by Yusuke Suzuki.
888
889         * stress/switch-on-char-llint-rope.js: Added.
890
891 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
892
893         [JSC] Store bits for JSRopeString in 3 stores
894         https://bugs.webkit.org/show_bug.cgi?id=195234
895
896         Reviewed by Saam Barati.
897
898         * stress/null-rope-and-collectors.js: Added.
899
900 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
901
902         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
903         https://bugs.webkit.org/show_bug.cgi?id=195207
904
905         Unreviewed. After test runtime was reduced in r242213, test can be
906         run again on ARM/MIPS.
907
908         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
909
910 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
911
912         [JSC] sizeof(JSString) should be 16
913         https://bugs.webkit.org/show_bug.cgi?id=194375
914
915         Reviewed by Saam Barati.
916
917         * microbenchmarks/make-rope.js: Added.
918         (makeRope):
919         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
920         (returnRope.helper): Deleted.
921         (returnRope): Deleted.
922
923 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
924
925         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
926         https://bugs.webkit.org/show_bug.cgi?id=195144
927
928         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
929         Change the number from 1e8 to 1e5.
930
931         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
932         (foo):
933
934 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
935
936         Test times out on ARM/MIPS
937         https://bugs.webkit.org/show_bug.cgi?id=195168
938
939         Unreviewed. Skip test on ARM/MIPS.
940
941         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
942
943 2019-02-27  Mark Lam  <mark.lam@apple.com>
944
945         The parser is failing to record the token location of new in new.target.
946         https://bugs.webkit.org/show_bug.cgi?id=195127
947         <rdar://problem/39645578>
948
949         Reviewed by Yusuke Suzuki.
950
951         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
952
953 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
956         https://bugs.webkit.org/show_bug.cgi?id=195144
957         <rdar://problem/47595961>
958
959         Reviewed by Mark Lam.
960
961         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
962         (bar):
963         (foo):
964         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
965         (bar):
966         (foo):
967
968 2019-02-27  Robin Morisset  <rmorisset@apple.com>
969
970         DFG: Loop-invariant code motion (LICM) should not hoist dead code
971         https://bugs.webkit.org/show_bug.cgi?id=194945
972         <rdar://problem/48311657>
973
974         Reviewed by Mark Lam.
975
976         * stress/licm-dead-code.js: Added.
977
978 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
979
980         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
981         https://bugs.webkit.org/show_bug.cgi?id=194677
982         <rdar://problem/48112492>
983
984         Reviewed by Mark Lam.
985
986         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
987         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
988         it immediately fails due to the large size.
989
990         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
991         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
992         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
993         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
994
995         This patch changes the test to produce 16bit string from String.fromCharCode.
996
997         * stress/regress-178386.js:
998
999 2019-02-26  Mark Lam  <mark.lam@apple.com>
1000
1001         wasmToJS() should purify incoming NaNs.
1002         https://bugs.webkit.org/show_bug.cgi?id=194807
1003         <rdar://problem/48189132>
1004
1005         Reviewed by Saam Barati.
1006
1007         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1008
1009 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1010
1011         [JSC] Repeat string created from Array.prototype.join() take too much memory
1012         https://bugs.webkit.org/show_bug.cgi?id=193912
1013
1014         Reviewed by Saam Barati.
1015
1016         Added a test and a microbenchmark for corner cases of
1017         Array.prototype.join() with an uninitialized array.
1018
1019         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1020         * stress/array-prototype-join-uninitialized.js: Added.
1021         (testArray):
1022         (testABC):
1023         (B):
1024         (C):
1025
1026 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1027
1028         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1029         https://bugs.webkit.org/show_bug.cgi?id=194953
1030         <rdar://problem/47595253>
1031
1032         Reviewed by Saam Barati.
1033
1034         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1035
1036         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1037
1038 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1039
1040         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1041         https://bugs.webkit.org/show_bug.cgi?id=172848
1042         <rdar://problem/25709212>
1043
1044         Reviewed by Mark Lam.
1045
1046         * typeProfiler/inheritance.js:
1047         Rewrite the test slightly for clarity. The hoisting was confusing.
1048
1049         * heapProfiler/class-names.js: Added.
1050         (MyES5Class):
1051         (MyES6Class):
1052         (MyES6Subclass):
1053         Test object types and improved class names.
1054
1055         * heapProfiler/driver/driver.js:
1056         (CheapHeapSnapshotNode):
1057         (CheapHeapSnapshot):
1058         (createCheapHeapSnapshot):
1059         (HeapSnapshot):
1060         (createHeapSnapshot):
1061         Update snapshot parsing from version 1 to version 2.
1062
1063 2019-02-19  Truitt Savell  <tsavell@apple.com>
1064
1065         Unreviewed, rolling out r241784.
1066
1067         Broke all OpenSource builds.
1068
1069         Reverted changeset:
1070
1071         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1072         instances view"
1073         https://bugs.webkit.org/show_bug.cgi?id=172848
1074         https://trac.webkit.org/changeset/241784
1075
1076 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1077
1078         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1079         https://bugs.webkit.org/show_bug.cgi?id=172848
1080         <rdar://problem/25709212>
1081
1082         Reviewed by Mark Lam.
1083
1084         * typeProfiler/inheritance.js:
1085         Rewrite the test slightly for clarity. The hoisting was confusing.
1086
1087         * heapProfiler/class-names.js: Added.
1088         (MyES5Class):
1089         (MyES6Class):
1090         (MyES6Subclass):
1091         Test object types and improved class names.
1092
1093         * heapProfiler/driver/driver.js:
1094         (CheapHeapSnapshotNode):
1095         (CheapHeapSnapshot):
1096         (createCheapHeapSnapshot):
1097         (HeapSnapshot):
1098         (createHeapSnapshot):
1099         Update snapshot parsing from version 1 to version 2.
1100
1101 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1102
1103         [ARM] Fix crash with sampling profiler
1104         https://bugs.webkit.org/show_bug.cgi?id=194772
1105
1106         Reviewed by Mark Lam.
1107
1108         Do not skip test since crash with sampling profiler is now fixed.
1109
1110         * stress/sampling-profiler-richards.js:
1111
1112 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1113
1114         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1115         https://bugs.webkit.org/show_bug.cgi?id=194784
1116         <rdar://problem/48154820>
1117
1118         Reviewed by Mark Lam.
1119
1120         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1121         (getProperties):
1122         (getRandomProperty):
1123         (i.catch):
1124
1125 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1126
1127         [ARM] Test gardening: Test running out of executable memory
1128         https://bugs.webkit.org/show_bug.cgi?id=194771
1129
1130         Unreviewed. Do not run test without LLInt, test is running out of executable
1131         memory on ARM otherwise.
1132
1133         * stress/tagged-template-object-collect.js:
1134
1135 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1136
1137         Unreviewed, skip the test on platforms without sampling profiler
1138
1139         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1140         (platformSupportsSamplingProfiler.foo):
1141         (platformSupportsSamplingProfiler.test):
1142         (platformSupportsSamplingProfiler):
1143         (foo): Deleted.
1144         (test): Deleted.
1145
1146 2019-02-17  Saam Barati  <sbarati@apple.com>
1147
1148         Deadlock when adding a Structure property transition and then doing incremental marking
1149         https://bugs.webkit.org/show_bug.cgi?id=194767
1150
1151         Reviewed by Mark Lam.
1152
1153         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1154
1155 2019-02-15  Michael Saboff  <msaboff@apple.com>
1156
1157         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1158         https://bugs.webkit.org/show_bug.cgi?id=194558
1159
1160         Reviewed by Saam Barati.
1161
1162         New regression test.
1163
1164         * stress/regexp-unicode-within-string.js: Added.
1165
1166 2019-02-15  Mark Lam  <mark.lam@apple.com>
1167
1168         SamplingProfiler::stackTracesAsJSON() should escape strings.
1169         https://bugs.webkit.org/show_bug.cgi?id=194649
1170         <rdar://problem/48072386>
1171
1172         Reviewed by Saam Barati.
1173
1174         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1175         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1176         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1177         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1178
1179 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1180         CodeBlock::jettison should clear related watchpoints
1181         https://bugs.webkit.org/show_bug.cgi?id=194544
1182
1183         Reviewed by Mark Lam.
1184
1185         * stress/regexp-replace-double-watchpoint.js: Added.
1186         (foo):
1187
1188 2019-02-15  Saam barati  <sbarati@apple.com>
1189
1190         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1191         https://bugs.webkit.org/show_bug.cgi?id=194036
1192
1193         Reviewed by Yusuke Suzuki.
1194
1195         * stress/tail-call-many-arguments.js: Added.
1196         (foo):
1197         (bar):
1198
1199 2019-02-14  Saam Barati  <sbarati@apple.com>
1200
1201         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1202         https://bugs.webkit.org/show_bug.cgi?id=194583
1203         <rdar://problem/48028140>
1204
1205         Reviewed by Yusuke Suzuki.
1206
1207         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1208
1209 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1210
1211         [JSC] String.fromCharCode's slow path always generates 16bit string
1212         https://bugs.webkit.org/show_bug.cgi?id=194466
1213
1214         Reviewed by Keith Miller.
1215
1216         * stress/string-from-char-code-slow-path.js: Added.
1217         (shouldBe):
1218         (testWithLength):
1219
1220 2019-02-08  Saam barati  <sbarati@apple.com>
1221
1222         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1223         https://bugs.webkit.org/show_bug.cgi?id=194334
1224         <rdar://problem/47844327>
1225
1226         Reviewed by Mark Lam.
1227
1228         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1229         (func):
1230
1231 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1232
1233         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1234         https://bugs.webkit.org/show_bug.cgi?id=194369
1235         <rdar://problem/47813087>
1236
1237         Reviewed by Saam Barati.
1238
1239         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1240         (A):
1241
1242 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1243
1244         [JSC] PrivateName to PublicName hash table is wasteful
1245         https://bugs.webkit.org/show_bug.cgi?id=194277
1246
1247         Reviewed by Michael Saboff.
1248
1249         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1250
1251         * ChakraCore.yaml:
1252
1253 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1254
1255         [ARM] Test running out of executable memory
1256         https://bugs.webkit.org/show_bug.cgi?id=194285
1257
1258         Unreviewed. Do not execute test with LLInt disabled, test runs out of
1259         executable memory otherwise.
1260
1261         * stress/class-subclassing-function.js:
1262
1263 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1264
1265         when lowering AssertNotEmpty, create the value before creating the patchpoint
1266         https://bugs.webkit.org/show_bug.cgi?id=194231
1267
1268         Reviewed by Saam Barati.
1269
1270         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1271         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1272         So even tiny changes to this test can change the path code taken.
1273
1274         * stress/assert-not-empty.js: Added.
1275         (foo):
1276
1277 2019-02-01  Mark Lam  <mark.lam@apple.com>
1278
1279         Remove invalid assertion in DFG's compileDoubleRep().
1280         https://bugs.webkit.org/show_bug.cgi?id=194130
1281         <rdar://problem/47699474>
1282
1283         Reviewed by Saam Barati.
1284
1285         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1286
1287 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1288
1289         Import latest Test262 updates.
1290
1291         Rubber-stamped by Keith Miller.
1292
1293         * test262.yaml: Deleted.
1294         * test262/config.yaml:
1295         * test262/expectations.yaml:
1296         * test262/latest-changes-summary.txt:
1297         * test262/test/:
1298         * test262/test262-Revision.txt:
1299
1300 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1301
1302         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1303         https://bugs.webkit.org/show_bug.cgi?id=194050
1304         <rdar://problem/47595592>
1305
1306         Reviewed by Yusuke Suzuki.
1307
1308         * stress/object-keys-osr-exit.js: Added.
1309         (foo):
1310         (catch):
1311
1312 2019-01-29  Mark Lam  <mark.lam@apple.com>
1313
1314         ValueRecovery::recover() should purify NaN values it recovers.
1315         https://bugs.webkit.org/show_bug.cgi?id=193978
1316         <rdar://problem/47625488>
1317
1318         Reviewed by Saam Barati.
1319
1320         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1321
1322 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1323
1324         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1325         https://bugs.webkit.org/show_bug.cgi?id=193713
1326
1327         * stress/try-get-by-id-should-spill-registers-dfg.js:
1328         (let.f.createBuiltin):
1329
1330 2019-01-28  Mark Lam  <mark.lam@apple.com>
1331
1332         ToString node actually does GC.
1333         https://bugs.webkit.org/show_bug.cgi?id=193920
1334         <rdar://problem/46695900>
1335
1336         Reviewed by Yusuke Suzuki.
1337
1338         * stress/dfg-to-string-on-int-does-gc.js: Added.
1339         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1340         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1341
1342 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1343
1344         [JSC] NativeErrorConstructor should not have own IsoSubspace
1345         https://bugs.webkit.org/show_bug.cgi?id=193713
1346
1347         Reviewed by Saam Barati.
1348
1349         Remove @Error use.
1350
1351         * stress/try-get-by-id-should-spill-registers-dfg.js:
1352         (let.f.createBuiltin):
1353
1354 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1355
1356         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1357         https://bugs.webkit.org/show_bug.cgi?id=190693
1358
1359         Reviewed by Michael Saboff.
1360
1361         * stress/regress-190693.js: Added.
1362         (truth):
1363         (assert):
1364         (shouldThrowInvalidConstAssignment):
1365         (taz):
1366
1367 2019-01-24  Saam Barati  <sbarati@apple.com>
1368
1369         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1370         https://bugs.webkit.org/show_bug.cgi?id=193751
1371         <rdar://problem/47280215>
1372
1373         Reviewed by Michael Saboff.
1374
1375         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1376         (let.thing):
1377         (foo.let.hello):
1378         (foo):
1379
1380 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1381
1382         [JSC] Reenable baseline JIT on mips
1383         https://bugs.webkit.org/show_bug.cgi?id=192983
1384
1385         Reviewed by Mark Lam.
1386
1387         Added a new test for a case that was triggering a RELEASE_ASSERT when
1388         testing.
1389         Disable some slow tests that were already disabled for arm and x86.
1390
1391         * stress/json-parse-big-object.js: Added.
1392         * stress/new-largeish-contiguous-array-with-size.js:
1393         * stress/op_add.js:
1394         * stress/op_bitand.js:
1395         * stress/op_bitor.js:
1396         * stress/op_bitxor.js:
1397         * stress/op_lshift-ConstVar.js:
1398         * stress/op_lshift-VarConst.js:
1399         * stress/op_lshift-VarVar.js:
1400         * stress/op_mod-ConstVar.js:
1401         * stress/op_mod-VarConst.js:
1402         * stress/op_mod-VarVar.js:
1403         * stress/op_mul-ConstVar.js:
1404         * stress/op_mul-VarConst.js:
1405         * stress/op_mul-VarVar.js:
1406         * stress/op_rshift-ConstVar.js:
1407         * stress/op_rshift-VarConst.js:
1408         * stress/op_rshift-VarVar.js:
1409         * stress/op_sub-ConstVar.js:
1410         * stress/op_sub-VarConst.js:
1411         * stress/op_sub-VarVar.js:
1412         * stress/op_urshift-ConstVar.js:
1413         * stress/op_urshift-VarConst.js:
1414         * stress/op_urshift-VarVar.js:
1415         * stress/sampling-profiler-richards.js:
1416         * stress/spread-forward-call-varargs-stack-overflow.js:
1417
1418 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1419
1420         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1421         https://bugs.webkit.org/show_bug.cgi?id=193711
1422         <rdar://problem/47250262>
1423
1424         Reviewed by Saam Barati.
1425
1426         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1427         (shouldBe):
1428         (foo):
1429         (bar):
1430         (baz):
1431
1432 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1433
1434         Unreviewed, fix initial global lexical binding epoch
1435         https://bugs.webkit.org/show_bug.cgi?id=193603
1436         <rdar://problem/47380869>
1437
1438         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1439         (f1.f2.f3.f4):
1440         (f1.f2.f3):
1441         (f1.f2):
1442         (f1):
1443
1444 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1445
1446         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1447         https://bugs.webkit.org/show_bug.cgi?id=193709
1448         <rdar://problem/47363838>
1449
1450         Unreviewed, rollout to watch the tests.
1451
1452         * stress/object-tostring-changed-proto.js: Removed.
1453         * stress/object-tostring-changed.js: Removed.
1454         * stress/object-tostring-misc.js: Removed.
1455         * stress/object-tostring-other.js: Removed.
1456         * stress/object-tostring-untyped.js: Removed.
1457
1458 2019-01-22  Saam Barati  <sbarati@apple.com>
1459
1460         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1461
1462         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1463         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1464         (testUncheckedLessThanZero):
1465         (testUncheckedLessThanOrEqualZero):
1466         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1467         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1468
1469 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1470
1471         [JSC] Invalidate old scope operations using global lexical binding epoch
1472         https://bugs.webkit.org/show_bug.cgi?id=193603
1473         <rdar://problem/47380869>
1474
1475         Reviewed by Saam Barati.
1476
1477         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1478         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1479         (shouldThrow):
1480         (bar):
1481         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1482         (shouldBe):
1483         (get1):
1484         (get2):
1485         (get1If):
1486         (get2If):
1487         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1488         (shouldThrow):
1489         (foo):
1490
1491 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1492
1493         Unreviewed, roll out r240220 due to date-format-xparb regression
1494         https://bugs.webkit.org/show_bug.cgi?id=193603
1495
1496         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1497         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1498         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1499         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1500
1501 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1502
1503         DoesGC rule is wrong for nodes with BigIntUse
1504         https://bugs.webkit.org/show_bug.cgi?id=193652
1505
1506         Reviewed by Saam Barati.
1507
1508         * stress/big-int-value-op-update-gc-rules.js: Added.
1509         (assert):
1510         (doesGCAdd):
1511         (doesGCSub):
1512         (doesGCDiv):
1513         (doesGCMul):
1514         (doesGCBitAnd):
1515         (doesGCBitOr):
1516         (doesGCBitXor):
1517
1518 2019-01-20  Saam Barati  <sbarati@apple.com>
1519
1520         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1521         https://bugs.webkit.org/show_bug.cgi?id=193644
1522         <rdar://problem/46209745>
1523
1524         Reviewed by Yusuke Suzuki.
1525
1526         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1527         (foo):
1528         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1529         (foo):
1530         (bar):
1531
1532 2019-01-20  Saam Barati  <sbarati@apple.com>
1533
1534         MovHint must merge NodeBytecodeUsesAsValue for its child
1535         https://bugs.webkit.org/show_bug.cgi?id=186916
1536         <rdar://problem/41396612>
1537
1538         Reviewed by Yusuke Suzuki.
1539
1540         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1541         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1542
1543 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1544
1545         [JSC] Invalidate old scope operations using global lexical binding epoch
1546         https://bugs.webkit.org/show_bug.cgi?id=193603
1547         <rdar://problem/47380869>
1548
1549         Reviewed by Saam Barati.
1550
1551         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1552         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1553         (shouldThrow):
1554         (bar):
1555         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1556         (shouldBe):
1557         (get1):
1558         (get2):
1559         (get1If):
1560         (get2If):
1561         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1562         (shouldThrow):
1563         (foo):
1564
1565 2019-01-17  Saam barati  <sbarati@apple.com>
1566
1567         StringObjectUse should not be a structure check for the original string object structure
1568         https://bugs.webkit.org/show_bug.cgi?id=193483
1569         <rdar://problem/47280522>
1570
1571         Reviewed by Yusuke Suzuki.
1572
1573         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1574         (foo):
1575         (a.valueOf.0):
1576
1577 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1578
1579         [JSC] ToThis omission in DFGByteCodeParser is wrong
1580         https://bugs.webkit.org/show_bug.cgi?id=193513
1581         <rdar://problem/45842236>
1582
1583         Reviewed by Saam Barati.
1584
1585         * stress/to-this-omission-with-different-strict-modes.js: Added.
1586         (thisA):
1587         (thisAStrictWrapper):
1588
1589 2019-01-15  Mark Lam  <mark.lam@apple.com>
1590
1591         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1592         https://bugs.webkit.org/show_bug.cgi?id=193423
1593         <rdar://problem/46209355>
1594
1595         Reviewed by Saam Barati.
1596
1597         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1598         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1599         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1600         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1601
1602 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1603
1604         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1605         https://bugs.webkit.org/show_bug.cgi?id=193438
1606         <rdar://problem/45581249>
1607
1608         Reviewed by Saam Barati and Keith Miller.
1609
1610         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1611         Then, GetByVal(String) crashed.
1612
1613         * stress/string-get-by-val-lowering.js: Added.
1614         (shouldBe):
1615         (test):
1616         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1617         (Hello):
1618         (foo):
1619
1620 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1621
1622         Unreviewed, skip JIT tests if it's not enabled
1623
1624         * stress/bit-op-with-object-returning-int32.js:
1625
1626 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1627
1628         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1629         https://bugs.webkit.org/show_bug.cgi?id=192966
1630
1631         Reviewed by Yusuke Suzuki.
1632
1633         * stress/bit-op-with-object-returning-int32.js: Added.
1634
1635 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1636
1637         Skip a slow test and a flakey test on arm
1638
1639         Unreviewed gardening.
1640
1641         * typeProfiler/getter-richards.js:
1642         this test always times out, it used to be always skipped on arm and
1643         mips, but got accidentally enabled by r237919 now that we have DFG on
1644         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1645
1646 2019-01-14  Keith Miller  <keith_miller@apple.com>
1647
1648         Skip type-check-hoisting-phase-hoist... with no jit
1649         https://bugs.webkit.org/show_bug.cgi?id=193421
1650
1651         Reviewed by Mark Lam.
1652
1653         It's timing out the 32-bit bots and takes 330 seconds
1654         on my machine when run by itself.
1655
1656         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1657
1658 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1659
1660         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1661         https://bugs.webkit.org/show_bug.cgi?id=193413
1662         <rdar://problem/46092389>
1663
1664         Reviewed by Keith Miller.
1665
1666         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1667         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1668         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1669         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1670
1671         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1672         (compareArray):
1673
1674 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1675
1676         [BigInt] Literal parsing is crashing when used inside a Object Literal
1677         https://bugs.webkit.org/show_bug.cgi?id=193404
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         * stress/big-int-literal-inside-literal-object.js: Added.
1682
1683 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1684
1685         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1686         https://bugs.webkit.org/show_bug.cgi?id=193372
1687
1688         Reviewed by Saam Barati.
1689
1690         * stress/typed-array-array-modes-profile.js: Added.
1691         (foo):
1692
1693 2019-01-14  Mark Lam  <mark.lam@apple.com>
1694
1695         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1696         https://bugs.webkit.org/show_bug.cgi?id=193402
1697         <rdar://problem/46012309>
1698
1699         Reviewed by Keith Miller.
1700
1701         * stress/regexp-compile-oom.js:
1702         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1703           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1704
1705 2019-01-11  Saam barati  <sbarati@apple.com>
1706
1707         DFG combined liveness can be wrong for terminal basic blocks
1708         https://bugs.webkit.org/show_bug.cgi?id=193304
1709         <rdar://problem/45268632>
1710
1711         Reviewed by Yusuke Suzuki.
1712
1713         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1714
1715 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1716
1717         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1718         https://bugs.webkit.org/show_bug.cgi?id=193308
1719         <rdar://problem/45546542>
1720
1721         Reviewed by Saam Barati.
1722
1723         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1724         (shouldThrow):
1725         (shouldBe):
1726         (foo):
1727         (get shouldThrow):
1728         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1729         (shouldThrow):
1730         (shouldBe):
1731         (foo):
1732         (get shouldBe):
1733         (get shouldThrow):
1734         (get return):
1735         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1736         (shouldThrow):
1737         (shouldBe):
1738         (foo):
1739         (get shouldBe):
1740         (get shouldThrow):
1741         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1742         (shouldThrow):
1743         (shouldBe):
1744         (foo):
1745         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1746         (shouldThrow):
1747         (shouldBe):
1748         (foo):
1749         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1750         (shouldThrow):
1751         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1752         (shouldThrow):
1753         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1754         (shouldThrow):
1755         (shouldBe):
1756         (foo):
1757         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1758         (shouldThrow):
1759         (shouldBe):
1760         (foo):
1761         (get shouldBe):
1762         (get shouldThrow):
1763         (get return):
1764         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1765         (shouldThrow):
1766         (shouldBe):
1767         (foo):
1768         (get shouldBe):
1769         (get shouldThrow):
1770         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1771         (shouldThrow):
1772         (shouldBe):
1773         (foo):
1774         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1775         (shouldThrow):
1776         (shouldBe):
1777         (foo):
1778
1779 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1780
1781         Enable DFG on ARM/Linux again
1782         https://bugs.webkit.org/show_bug.cgi?id=192496
1783
1784         Reviewed by Yusuke Suzuki.
1785
1786         Test wasn't really skipped before moving the line with skip
1787         to the top.
1788
1789         * stress/regress-192717.js:
1790
1791 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1792
1793         Unreviewed, rolling out r239825.
1794         https://bugs.webkit.org/show_bug.cgi?id=193330
1795
1796         Broke tests on armv7/linux bots (Requested by guijemont on
1797         #webkit).
1798
1799         Reverted changeset:
1800
1801         "Enable DFG on ARM/Linux again"
1802         https://bugs.webkit.org/show_bug.cgi?id=192496
1803         https://trac.webkit.org/changeset/239825
1804
1805 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1806
1807         Enable DFG on ARM/Linux again
1808         https://bugs.webkit.org/show_bug.cgi?id=192496
1809
1810         Reviewed by Yusuke Suzuki.
1811
1812         Test wasn't really skipped before moving the line with skip
1813         to the top.
1814
1815         * stress/regress-192717.js:
1816
1817 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1818
1819         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1820         https://bugs.webkit.org/show_bug.cgi?id=193127
1821
1822         Reviewed by Saam Barati.
1823
1824         * stress/array-species-create-should-handle-masquerader.js: Added.
1825         (shouldThrow):
1826         * stress/is-undefined-or-null-builtin.js: Added.
1827         (shouldBe):
1828         (isUndefinedOrNull.vm.createBuiltin):
1829
1830 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1831
1832         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1833         https://bugs.webkit.org/show_bug.cgi?id=193221
1834
1835         Reviewed by Mark Lam.
1836
1837         * stress/put-by-id-flags.js: Added.
1838         (f):
1839         (g):
1840         (numberOfDFGCompiles):
1841
1842 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1843
1844         Baseline version of get_by_id may corrupt metadata
1845         https://bugs.webkit.org/show_bug.cgi?id=193085
1846         <rdar://problem/23453006>
1847
1848         Reviewed by Saam Barati.
1849
1850         * stress/get-by-id-change-mode.js: Added.
1851         (forEach):
1852
1853 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1854
1855         [JSC] Optimize Object.prototype.toString
1856         https://bugs.webkit.org/show_bug.cgi?id=193031
1857
1858         Reviewed by Saam Barati.
1859
1860         * stress/object-tostring-changed-proto.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/object-tostring-changed.js: Added.
1864         (shouldBe):
1865         (test):
1866         * stress/object-tostring-misc.js: Added.
1867         (shouldBe):
1868         (test):
1869         (i.switch):
1870         * stress/object-tostring-other.js: Added.
1871         (shouldBe):
1872         (test):
1873         * stress/object-tostring-untyped.js: Added.
1874         (shouldBe):
1875         (test):
1876         (i.switch):
1877
1878 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1879
1880         test262-runner misbehaves when test file YAML has a trailing space
1881         https://bugs.webkit.org/show_bug.cgi?id=193053
1882
1883         Reviewed by Yusuke Suzuki.
1884
1885         * test262/expectations.yaml:
1886         Mark two dozen tests as passing (and correct the output of another).
1887
1888 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1889
1890         Unreviewed, JSTests gardening with memoryLimited
1891
1892         * stress/string-overflow-createError.js:
1893
1894 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1895
1896         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1897         https://bugs.webkit.org/show_bug.cgi?id=193050
1898
1899         Reviewed by Yusuke Suzuki.
1900
1901         * test262.yaml:
1902         * test262/expectations.yaml:
1903         Mark 16 tests as passing.
1904
1905 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1906
1907         [BigInt] Support BigInt in JSON.stringify
1908         https://bugs.webkit.org/show_bug.cgi?id=192624
1909
1910         Reviewed by Saam Barati.
1911
1912         * stress/big-int-json-stringify-to-json.js: Added.
1913         (shouldBe):
1914         (shouldThrow):
1915         (BigInt.prototype.toJSON):
1916         (shouldBe.JSON.stringify):
1917         * stress/big-int-json-stringify.js: Added.
1918         (shouldBe):
1919         (shouldThrow):
1920
1921 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1922
1923         [JSC] Implement "well-formed JSON.stringify" proposal
1924         https://bugs.webkit.org/show_bug.cgi?id=191677
1925
1926         Reviewed by Darin Adler.
1927
1928         * stress/json-surrogate-pair.js: Added.
1929         (shouldBe):
1930         * test262/expectations.yaml:
1931
1932 2018-12-20  Keith Miller  <keith_miller@apple.com>
1933
1934         Add support for globalThis
1935         https://bugs.webkit.org/show_bug.cgi?id=165171
1936
1937         Reviewed by Mark Lam.
1938
1939         * test262/config.yaml:
1940
1941 2018-12-19  Keith Miller  <keith_miller@apple.com>
1942
1943         Update test262 configuration to not run tests dependent on ICU version.
1944         https://bugs.webkit.org/show_bug.cgi?id=192920
1945
1946         Reviewed by Saam Barati.
1947
1948         * test262/expectations.yaml:
1949
1950 2018-12-20  Mark Lam  <mark.lam@apple.com>
1951
1952         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1953         https://bugs.webkit.org/show_bug.cgi?id=192939
1954         <rdar://problem/46869516>
1955
1956         Reviewed by Keith Miller.
1957
1958         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1959
1960 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1961
1962         WTF::String and StringImpl overflow MaxLength
1963         https://bugs.webkit.org/show_bug.cgi?id=192853
1964         <rdar://problem/45726906>
1965
1966         Reviewed by Mark Lam.
1967
1968         * stress/string-16bit-repeat-overflow.js: Added.
1969         (catch):
1970
1971 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1972
1973         Unreviewed follow-up to r192914.
1974
1975         * test262/expectations.yaml:
1976         Add the last 20 missing expectations.
1977
1978 2018-12-19  Keith Miller  <keith_miller@apple.com>
1979
1980         Fix test262 expectations
1981         https://bugs.webkit.org/show_bug.cgi?id=192914
1982
1983         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1984
1985         * test262/expectations.yaml:
1986
1987 2018-12-19  Keith Miller  <keith_miller@apple.com>
1988
1989         Update test262 tests.
1990         https://bugs.webkit.org/show_bug.cgi?id=192907
1991
1992         Rubber stamped by Mark Lam.
1993
1994         * test262/*: Omitted because prepare-changelog crashes.
1995
1996 2018-12-19  Mark Lam  <mark.lam@apple.com>
1997
1998         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1999         https://bugs.webkit.org/show_bug.cgi?id=192464
2000         <rdar://problem/46519455>
2001
2002         Reviewed by Saam Barati.
2003
2004         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2005         microbenchmark.
2006
2007         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2008         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2009
2010 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2011
2012         String overflow in JSC::createError results in ASSERT in WTF::makeString
2013         https://bugs.webkit.org/show_bug.cgi?id=192833
2014         <rdar://problem/45706868>
2015
2016         Reviewed by Mark Lam.
2017
2018         * stress/string-overflow-createError.js: Added.
2019
2020 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2021
2022         Error message for `-x ** y` contains a typo.
2023         https://bugs.webkit.org/show_bug.cgi?id=192832
2024
2025         Reviewed by Saam Barati.
2026
2027         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2028         (assert.assert.return.throws):
2029         * stress/pow-expects-update-expression-on-lhs.js:
2030         (throw.new.Error):
2031         Update test expectations which match against the exact error message.
2032
2033 2018-12-18  Mark Lam  <mark.lam@apple.com>
2034
2035         Gardening: test options fix.
2036         https://bugs.webkit.org/show_bug.cgi?id=192822
2037
2038         Unreviewed.
2039
2040         * stress/json-stringify-string-builder-overflow.js:
2041
2042 2018-12-18  Mark Lam  <mark.lam@apple.com>
2043
2044         JSON.stringify() should throw OOM on StringBuilder overflows.
2045         https://bugs.webkit.org/show_bug.cgi?id=192822
2046         <rdar://problem/46670577>
2047
2048         Reviewed by Saam Barati.
2049
2050         * stress/json-stringify-string-builder-overflow.js: Added.
2051
2052 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2053
2054         Redeclaration of var over let/const/class should be a syntax error.
2055         https://bugs.webkit.org/show_bug.cgi?id=192298
2056
2057         Reviewed by Keith Miller.
2058
2059         * test262.yaml:
2060         * test262/expectations.yaml:
2061         Mark 46 tests as passing.
2062
2063         * stress/block-scope-redeclarations.js:
2064         Add some new tests.
2065
2066         * stress/for-in-invalidate-context-weird-assignments.js:
2067         * stress/for-in-tests.js:
2068         Replace tests for outdated behavior with tests for SyntaxError.
2069
2070         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2071         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2072         Update expectations.
2073
2074 2018-12-18  Mark Lam  <mark.lam@apple.com>
2075
2076         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2077         https://bugs.webkit.org/show_bug.cgi?id=191374
2078         <rdar://problem/46525447>
2079
2080         Reviewed by Yusuke Suzuki.
2081
2082         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2083
2084         * stress/elidable-new-object-roflcopter-then-exit.js:
2085
2086 2018-12-17  Mark Lam  <mark.lam@apple.com>
2087
2088         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2089         https://bugs.webkit.org/show_bug.cgi?id=192019
2090         <rdar://problem/46525456>
2091
2092         Reviewed by Yusuke Suzuki.
2093
2094         The test runs too slow on 32-bit.
2095
2096         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2097
2098 2018-12-17  Mark Lam  <mark.lam@apple.com>
2099
2100         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2101         https://bugs.webkit.org/show_bug.cgi?id=191373
2102         <rdar://problem/46525458>
2103
2104         Reviewed by Yusuke Suzuki.
2105
2106         The test is already slow running with a JIT on 64-bit.  It will always time out
2107         on 32-bit without a JIT.
2108
2109         * stress/materialize-regexp-cyclic-regexp.js:
2110
2111 2018-12-17  Mark Lam  <mark.lam@apple.com>
2112
2113         Array unshift/shift should not race against the AI in the compiler thread.
2114         https://bugs.webkit.org/show_bug.cgi?id=192795
2115         <rdar://problem/46724263>
2116
2117         Reviewed by Saam Barati.
2118
2119         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2120
2121 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2122
2123         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2124         https://bugs.webkit.org/show_bug.cgi?id=190047
2125
2126         Reviewed by Saam Barati.
2127
2128         * stress/object-keys-cached-zero.js: Added.
2129         (shouldBe):
2130         (test):
2131         * stress/object-keys-changed-attribute.js: Added.
2132         (shouldBe):
2133         (test):
2134         * stress/object-keys-changed-index.js: Added.
2135         (shouldBe):
2136         (test):
2137         * stress/object-keys-changed.js: Added.
2138         (shouldBe):
2139         (test):
2140         * stress/object-keys-indexed-non-cache.js: Added.
2141         (shouldBe):
2142         (test):
2143         * stress/object-keys-overrides-get-property-names.js: Added.
2144         (shouldBe):
2145         (test):
2146         (noInline):
2147
2148 2018-12-17  Mark Lam  <mark.lam@apple.com>
2149
2150         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2151         https://bugs.webkit.org/show_bug.cgi?id=192779
2152         <rdar://problem/46775869>
2153
2154         Reviewed by Saam Barati.
2155
2156         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2157
2158 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2159
2160         Unreviewed test gardening, address a syntax error in a new test.
2161
2162         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2163
2164 2018-12-17  Mark Lam  <mark.lam@apple.com>
2165
2166         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2167         https://bugs.webkit.org/show_bug.cgi?id=192776
2168         <rdar://problem/46772368>
2169
2170         Reviewed by Keith Miller.
2171
2172         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2173
2174 2018-12-17  Mark Lam  <mark.lam@apple.com>
2175
2176         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2177         https://bugs.webkit.org/show_bug.cgi?id=192770
2178         <rdar://problem/46449037>
2179
2180         Reviewed by Keith Miller.
2181
2182         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2183
2184 2018-12-14  Mark Lam  <mark.lam@apple.com>
2185
2186         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2187         https://bugs.webkit.org/show_bug.cgi?id=192717
2188         <rdar://problem/46660677>
2189
2190         Reviewed by Saam Barati.
2191
2192         * stress/regress-192717.js: Added.
2193
2194 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2195
2196         Unreviewed, rolling out r239153, r239154, and r239155.
2197         https://bugs.webkit.org/show_bug.cgi?id=192715
2198
2199         Caused flaky GC-related crashes seen with layout tests
2200         (Requested by ryanhaddad on #webkit).
2201
2202         Reverted changesets:
2203
2204         "[JSC] Optimize Object.keys by caching own keys results in
2205         StructureRareData"
2206         https://bugs.webkit.org/show_bug.cgi?id=190047
2207         https://trac.webkit.org/changeset/239153
2208
2209         "Unreviewed, build fix after r239153"
2210         https://bugs.webkit.org/show_bug.cgi?id=190047
2211         https://trac.webkit.org/changeset/239154
2212
2213         "Unreviewed, build fix after r239153, part 2"
2214         https://bugs.webkit.org/show_bug.cgi?id=190047
2215         https://trac.webkit.org/changeset/239155
2216
2217 2018-12-14  Keith Miller  <keith_miller@apple.com>
2218
2219         Callers of JSString::getIndex should check for OOM exceptions
2220         https://bugs.webkit.org/show_bug.cgi?id=192709
2221
2222         Reviewed by Mark Lam.
2223
2224         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2225
2226 2018-12-13  Mark Lam  <mark.lam@apple.com>
2227
2228         Add a missing exception check.
2229         https://bugs.webkit.org/show_bug.cgi?id=192626
2230         <rdar://problem/46662163>
2231
2232         Reviewed by Keith Miller.
2233
2234         * stress/regress-192626.js: Added.
2235
2236 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2237
2238         [BigInt] Add ValueDiv into DFG
2239         https://bugs.webkit.org/show_bug.cgi?id=186178
2240
2241         Reviewed by Yusuke Suzuki.
2242
2243         * stress/big-int-div-jit-osr.js: Added.
2244         * stress/big-int-div-jit-untyped.js: Added.
2245         * stress/value-div-fixup-int32-big-int.js: Added.
2246
2247 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2248
2249         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2250         https://bugs.webkit.org/show_bug.cgi?id=190047
2251
2252         Reviewed by Keith Miller.
2253
2254         * stress/object-keys-cached-zero.js: Added.
2255         (shouldBe):
2256         (test):
2257         * stress/object-keys-changed-attribute.js: Added.
2258         (shouldBe):
2259         (test):
2260         * stress/object-keys-changed-index.js: Added.
2261         (shouldBe):
2262         (test):
2263         * stress/object-keys-changed.js: Added.
2264         (shouldBe):
2265         (test):
2266         * stress/object-keys-indexed-non-cache.js: Added.
2267         (shouldBe):
2268         (test):
2269         * stress/object-keys-overrides-get-property-names.js: Added.
2270         (shouldBe):
2271         (test):
2272         (noInline):
2273
2274 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2275
2276         [DFG][FTL] Add NewSymbol
2277         https://bugs.webkit.org/show_bug.cgi?id=192620
2278
2279         Reviewed by Saam Barati.
2280
2281         * microbenchmarks/symbol-creation.js: Added.
2282         (test):
2283         * stress/symbol-description-identity.js: Added.
2284         (shouldBe):
2285         (test):
2286         * stress/symbol-identity.js: Added.
2287         (shouldBe):
2288         (test):
2289         * stress/symbol-with-description-throw-error.js: Added.
2290         (shouldBe):
2291         (shouldThrow):
2292         (test):
2293         (object.toString):
2294
2295 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2296
2297         [BigInt] Implement DFG/FTL typeof for BigInt
2298         https://bugs.webkit.org/show_bug.cgi?id=192619
2299
2300         Reviewed by Keith Miller.
2301
2302         * stress/big-int-boolean-proven-type.js: Added.
2303         (assert):
2304         (bool):
2305         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2306         (assert):
2307         (typeOf):
2308         (i.switch):
2309         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2310         (assert):
2311         (typeOf):
2312         * stress/big-int-type-of.js:
2313         (typeOf):
2314         (func):
2315
2316 2018-12-10  Mark Lam  <mark.lam@apple.com>
2317
2318         PropertyAttribute needs a CustomValue bit.
2319         https://bugs.webkit.org/show_bug.cgi?id=191993
2320         <rdar://problem/46264467>
2321
2322         Reviewed by Saam Barati.
2323
2324         * stress/regress-191993.js: Added.
2325
2326 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2327
2328         [BigInt] Add ValueMul into DFG
2329         https://bugs.webkit.org/show_bug.cgi?id=186175
2330
2331         Reviewed by Yusuke Suzuki.
2332
2333         * stress/big-int-mul-jit-osr.js: Added.
2334         * stress/big-int-mul-jit-untyped.js: Added.
2335         * stress/value-mul-fixup-int32-big-int.js: Added.
2336
2337 2018-12-06  Keith Miller  <keith_miller@apple.com>
2338
2339         stress/big-wasm-memory tests failing on 32-bit JSC bot
2340         https://bugs.webkit.org/show_bug.cgi?id=192020
2341
2342         Reviewed by Saam Barati.
2343
2344         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2345         the wasm stress tests if the WebAssembly object does not exist.
2346
2347         * stress/big-wasm-memory-grow-no-max.js:
2348         (test.foo):
2349         (test):
2350         (foo): Deleted.
2351         (catch): Deleted.
2352         * stress/big-wasm-memory-grow.js:
2353         (test.foo):
2354         (test):
2355         (foo): Deleted.
2356         (catch): Deleted.
2357         * stress/big-wasm-memory.js:
2358         (test.foo):
2359         (test):
2360         (foo): Deleted.
2361         (catch): Deleted.
2362
2363 2018-12-05  Mark Lam  <mark.lam@apple.com>
2364
2365         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2366         https://bugs.webkit.org/show_bug.cgi?id=192441
2367         <rdar://problem/46480355>
2368
2369         Reviewed by Saam Barati.
2370
2371         * stress/regress-192441.js: Added.
2372
2373 2018-12-04  Mark Lam  <mark.lam@apple.com>
2374
2375         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
2376         https://bugs.webkit.org/show_bug.cgi?id=192386
2377         <rdar://problem/46445516>
2378
2379         Reviewed by Saam Barati.
2380
2381         * stress/regress-192386.js: Added.
2382
2383 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2384
2385         [ESNext][BigInt] Support logic operations
2386         https://bugs.webkit.org/show_bug.cgi?id=179903
2387
2388         Reviewed by Yusuke Suzuki.
2389
2390         * stress/big-int-branch-usage.js: Added.
2391         * stress/big-int-logical-and.js: Added.
2392         * stress/big-int-logical-not.js: Added.
2393         * stress/big-int-logical-or.js: Added.
2394
2395 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2396
2397         Unreviewed, rolling out r238833.
2398
2399         Breaks macOS and iOS debug builds.
2400
2401         Reverted changeset:
2402
2403         "[ESNext][BigInt] Support logic operations"
2404         https://bugs.webkit.org/show_bug.cgi?id=179903
2405         https://trac.webkit.org/changeset/238833
2406
2407 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2408
2409         [ESNext][BigInt] Support logic operations
2410         https://bugs.webkit.org/show_bug.cgi?id=179903
2411
2412         Reviewed by Yusuke Suzuki.
2413
2414         * stress/big-int-branch-usage.js: Added.
2415         * stress/big-int-logical-and.js: Added.
2416         * stress/big-int-logical-not.js: Added.
2417         * stress/big-int-logical-or.js: Added.
2418
2419 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2420
2421         [ESNext][BigInt] Implement support for "<<" and ">>"
2422         https://bugs.webkit.org/show_bug.cgi?id=186233
2423
2424         Reviewed by Yusuke Suzuki.
2425
2426         * stress/big-int-left-shift-general.js: Added.
2427         * stress/big-int-left-shift-range-error.js: Added.
2428         * stress/big-int-left-shift-type-error.js: Added.
2429         * stress/big-int-left-shift-wrapped-value.js: Added.
2430         * stress/big-int-right-shift-general.js: Added.
2431         * stress/big-int-right-shift-type-error.js: Added.
2432         * stress/big-int-right-shift-wrapped-value.js: Added.
2433         * stress/left-shift-to-primitive-precedence.js: Added.
2434         * stress/right-shift-to-primitive-precedence.js: Added.
2435
2436 2018-11-30  Dean Jackson  <dino@apple.com>
2437
2438         Add first-class support for .mjs files in jsc binary
2439         https://bugs.webkit.org/show_bug.cgi?id=192190
2440         <rdar://problem/46375715>
2441
2442         Reviewed by Keith Miller.
2443
2444         * stress/simple-module.mjs: Added.
2445         * stress/simple-script.js: Added.
2446
2447 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2448
2449         [BigInt] Implement ValueBitXor into DFG
2450         https://bugs.webkit.org/show_bug.cgi?id=190264
2451
2452         Reviewed by Yusuke Suzuki.
2453
2454         * stress/big-int-bitwise-xor-jit.js: Added.
2455         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2456         * stress/big-int-bitwise-xor-untyped.js: Added.
2457
2458 2018-11-27  Saam barati  <sbarati@apple.com>
2459
2460         r238510 broke scopes of size zero
2461         https://bugs.webkit.org/show_bug.cgi?id=192033
2462         <rdar://problem/46281734>
2463
2464         Reviewed by Keith Miller.
2465
2466         * stress/r238510-bad-loop.js: Added.
2467         (foo):
2468
2469 2018-11-27  Mark Lam  <mark.lam@apple.com>
2470
2471         [Re-landing] NaNs read from Wasm code needs to be purified.
2472         https://bugs.webkit.org/show_bug.cgi?id=191056
2473         <rdar://problem/45660341>
2474
2475         Reviewed by Filip Pizlo.
2476
2477         * wasm/regress/regress-191056.js: Added.
2478
2479 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2480
2481         Unreviewed, rolling out r238509.
2482
2483         Causes JSC tests to fail on iOS.
2484
2485         Reverted changeset:
2486
2487         "NaNs read from Wasm code needs to be purified."
2488         https://bugs.webkit.org/show_bug.cgi?id=191056
2489         https://trac.webkit.org/changeset/238509
2490
2491 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2492
2493         Re-introduce op_bitnot
2494         https://bugs.webkit.org/show_bug.cgi?id=190923
2495
2496         Reviewed by Yusuke Suzuki.
2497
2498         * stress/bit-not-must-generate.js: Added.
2499         * stress/bitwise-not-no-int32.js: Added.
2500
2501 2018-11-26  Saam barati  <sbarati@apple.com>
2502
2503         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2504         https://bugs.webkit.org/show_bug.cgi?id=191956
2505         <rdar://problem/45665806>
2506
2507         Reviewed by Yusuke Suzuki.
2508
2509         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2510         (bar):
2511         (foo):
2512
2513 2018-11-26  Saam barati  <sbarati@apple.com>
2514
2515         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2516         https://bugs.webkit.org/show_bug.cgi?id=191958
2517         <rdar://problem/46221877>
2518
2519         Reviewed by Yusuke Suzuki.
2520
2521         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2522         (x):
2523         (foo):
2524
2525 2018-11-26  Mark Lam  <mark.lam@apple.com>
2526
2527         NaNs read from Wasm code needs to be purified.
2528         https://bugs.webkit.org/show_bug.cgi?id=191056
2529         <rdar://problem/45660341>
2530
2531         Reviewed by Filip Pizlo.
2532
2533         * wasm/regress/regress-191056.js: Added.
2534
2535 2018-11-26  Michael Saboff  <msaboff@apple.com>
2536
2537         32-bit JSC test failure: stress/regexp-compile-oom.js
2538         https://bugs.webkit.org/show_bug.cgi?id=191375
2539
2540         Reviewed by Mark Lam.
2541
2542         Disabled the test for 32 bit platforms.
2543
2544         * stress/regexp-compile-oom.js:
2545
2546 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2547
2548         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2549         https://bugs.webkit.org/show_bug.cgi?id=191716
2550         <rdar://problem/45723878>
2551
2552         Reviewed by Saam Barati.
2553
2554         * stress/regress-187373.js: Added.
2555         (async.fn):
2556
2557 2018-11-21  Saam barati  <sbarati@apple.com>
2558
2559         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2560         https://bugs.webkit.org/show_bug.cgi?id=191897
2561         <rdar://problem/45871998>
2562
2563         Reviewed by Mark Lam.
2564
2565         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2566         (bar):
2567         (foo):
2568
2569 2018-11-21  Saam barati  <sbarati@apple.com>
2570
2571         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2572         https://bugs.webkit.org/show_bug.cgi?id=191895
2573         <rdar://problem/46167406>
2574
2575         Reviewed by Mark Lam.
2576
2577         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2578         (foo):
2579         (bar):
2580
2581 2018-11-21  Mark Lam  <mark.lam@apple.com>
2582
2583         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2584         https://bugs.webkit.org/show_bug.cgi?id=191776
2585         <rdar://problem/46152851>
2586
2587         Reviewed by Saam Barati.
2588
2589         * stress/big-wasm-memory-grow-no-max.js:
2590         * stress/big-wasm-memory-grow.js:
2591         * stress/big-wasm-memory.js:
2592         - updated these to expect an OutOfMemoryError.
2593
2594         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2595         (Binary.prototype.emit_u8):
2596         (Binary.prototype.emit_u32v):
2597         (Binary.prototype.emit_header):
2598         (Binary.prototype.emit_section):
2599         (Binary):
2600         (WasmModuleBuilder):
2601         (WasmModuleBuilder.prototype.addMemory):
2602         (WasmModuleBuilder.prototype.toArray):
2603         (WasmModuleBuilder.prototype.toBuffer):
2604         (WasmModuleBuilder.prototype.instantiate):
2605         (catch):
2606         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2607         (catch):
2608
2609 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2610
2611         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2612         https://bugs.webkit.org/show_bug.cgi?id=190836
2613
2614         Reviewed by Saam Barati and Yusuke Suzuki.
2615
2616         * stress/big-int-out-of-memory-tests.js: Added.
2617
2618 2018-11-20  Mark Lam  <mark.lam@apple.com>
2619
2620         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2621         https://bugs.webkit.org/show_bug.cgi?id=191856
2622         <rdar://problem/46089992>
2623
2624         Reviewed by Yusuke Suzuki.
2625
2626         * stress/regress-191856.js: Added.
2627         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2628
2629 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2630
2631         Enable JIT on ARM/Linux
2632         https://bugs.webkit.org/show_bug.cgi?id=191548
2633
2634         Reviewed by Yusuke Suzuki.
2635
2636         Disable test on system with limited memory. Program was killed by
2637         the OS before the exception was thrown.
2638
2639         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2640
2641 2018-11-20  Saam barati  <sbarati@apple.com>
2642
2643         Merging an IC variant may lead to the IC status containing overlapping structure sets
2644         https://bugs.webkit.org/show_bug.cgi?id=191869
2645         <rdar://problem/45403453>
2646
2647         Reviewed by Mark Lam.
2648
2649         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2650
2651 2018-11-19  Mark Lam  <mark.lam@apple.com>
2652
2653         globalFuncImportModule() should return a promise when it clears exceptions.
2654         https://bugs.webkit.org/show_bug.cgi?id=191792
2655         <rdar://problem/46090763>
2656
2657         Reviewed by Michael Saboff.
2658
2659         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2660
2661 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2662
2663         Skip new memory-hungry tests on memory limited devices
2664
2665         Unreviewed gardening.
2666
2667         * stress/big-wasm-memory-grow-no-max.js:
2668         * stress/big-wasm-memory-grow.js:
2669         * stress/big-wasm-memory.js:
2670
2671 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2672
2673         Unreviewed, rolling in the rest of r237254
2674         https://bugs.webkit.org/show_bug.cgi?id=190340
2675
2676         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2677         * stress/function-cache-with-parameters-end-position.js: Added.
2678         (shouldBe):
2679         (shouldThrow):
2680         (i.anonymous):
2681         * stress/function-constructor-name.js: Added.
2682         (shouldBe):
2683         (GeneratorFunction):
2684         (AsyncFunction.async):
2685         (AsyncGeneratorFunction.async):
2686         (anonymous):
2687         (async.anonymous):
2688         * test262/expectations.yaml:
2689
2690 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2691
2692         All users of ArrayBuffer should agree on the same max size
2693         https://bugs.webkit.org/show_bug.cgi?id=191771
2694
2695         Reviewed by Mark Lam.
2696
2697         * stress/big-wasm-memory-grow-no-max.js: Added.
2698         (foo):
2699         (catch):
2700         * stress/big-wasm-memory-grow.js: Added.
2701         (foo):
2702         (catch):
2703         * stress/big-wasm-memory.js: Added.
2704         (foo):
2705         (catch):
2706
2707 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2708
2709         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2710         run for each JSC config since they're regression tests for runtime bugs.
2711
2712         * stress/json-stringified-overflow-2.js:
2713         * stress/json-stringified-overflow.js:
2714
2715 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2716
2717         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2718         config since they're regression tests for runtime bugs.
2719
2720         * stress/large-unshift-splice.js:
2721         * stress/regress-185888.js:
2722
2723 2018-11-16  Saam Barati  <sbarati@apple.com>
2724
2725         KnownCellUse should also have SpecCellCheck as its type filter
2726         https://bugs.webkit.org/show_bug.cgi?id=191729
2727         <rdar://problem/45872852>
2728
2729         Reviewed by Filip Pizlo.
2730
2731         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2732         (C):
2733
2734 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2735
2736         Fix assertion failure on BytecodeGenerator::recordOpcode
2737         https://bugs.webkit.org/show_bug.cgi?id=191724
2738         <rdar://problem/45724395>
2739
2740         Reviewed by Saam Barati.
2741
2742         * stress/regress-187373-2.js: Added.
2743         (foo):
2744
2745 2018-11-15  Mark Lam  <mark.lam@apple.com>
2746
2747         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2748         https://bugs.webkit.org/show_bug.cgi?id=191730
2749         <rdar://problem/46048517>
2750
2751         Reviewed by Saam Barati.
2752
2753         * stress/regress-187006.js: Removed.
2754           - this test is invalid because its sole purpose is to test for the non-spec
2755             compliant behavior that we just fixed.
2756
2757         * stress/regress-191730.js: Added.
2758
2759 2018-11-15  Mark Lam  <mark.lam@apple.com>
2760
2761         RegExp operations should not take fast path if lastIndex is not numeric.
2762         https://bugs.webkit.org/show_bug.cgi?id=191731
2763         <rdar://problem/46017305>
2764
2765         Reviewed by Saam Barati.
2766
2767         * stress/regress-191731.js: Added.
2768
2769 2018-11-13  Saam Barati  <sbarati@apple.com>
2770
2771         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2772         https://bugs.webkit.org/show_bug.cgi?id=191600
2773
2774         Reviewed by Mark Lam.
2775
2776         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2777         (foo):
2778         (test):
2779         (bar):
2780
2781 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2782
2783         Unreviewed, rolling out r238132.
2784
2785         The test added with this change is timing out on Debug JSC
2786         bots.
2787
2788         Reverted changeset:
2789
2790         "[BigInt] JSBigInt::createWithLength should throw when length
2791         is greater than JSBigInt::maxLength"
2792         https://bugs.webkit.org/show_bug.cgi?id=190836
2793         https://trac.webkit.org/changeset/238132
2794
2795 2018-11-13  Mark Lam  <mark.lam@apple.com>
2796
2797         Add OOM detection to StringPrototype's substituteBackreferences().
2798         https://bugs.webkit.org/show_bug.cgi?id=191563
2799         <rdar://problem/45720428>
2800
2801         Reviewed by Saam Barati.
2802
2803         * stress/regress-191563.js: Added.
2804
2805 2018-11-13  Mark Lam  <mark.lam@apple.com>
2806
2807         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2808         https://bugs.webkit.org/show_bug.cgi?id=191579
2809         <rdar://problem/45942472>
2810
2811         Reviewed by Saam Barati.
2812
2813         * stress/regress-191579.js: Added.
2814
2815 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2816
2817         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2818         https://bugs.webkit.org/show_bug.cgi?id=190836
2819
2820         Reviewed by Saam Barati.
2821
2822         * stress/big-int-out-of-memory-tests.js: Added.
2823
2824 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2825
2826         U+180E is no longer a whitespace character
2827         https://bugs.webkit.org/show_bug.cgi?id=191415
2828
2829         Reviewed by Saam Barati.
2830
2831         * ChakraCore/test/es5/regexSpace.baseline:
2832         * ChakraCore/test/es6/unicode_whitespace.js:
2833         Update tests to latest version.
2834         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2835
2836         * test262.yaml:
2837         * test262/config.yaml:
2838         * test262/expectations.yaml:
2839         Update expectations.
2840
2841 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2842
2843         [BigInt] Add support to BigInt into ValueAdd
2844         https://bugs.webkit.org/show_bug.cgi?id=186177
2845
2846         Reviewed by Keith Miller.
2847
2848         * stress/big-int-negate-jit.js:
2849         * stress/value-add-big-int-and-string.js: Added.
2850         * stress/value-add-big-int-prediction-propagation.js: Added.
2851         * stress/value-add-big-int-untyped.js: Added.
2852
2853 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2854
2855         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2856         https://bugs.webkit.org/show_bug.cgi?id=191184
2857
2858         Reviewed by Saam Barati.
2859
2860         Most tests were failing due to timeouts, since they are too slow to
2861         run on CLoop. The exceptions are:
2862
2863         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2864         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2865         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2866         to change the stack size since CLoop requires it to be page aligned.
2867
2868         * microbenchmarks/array-push-1.js:
2869         * microbenchmarks/array-push-2.js:
2870         * microbenchmarks/elidable-new-object-dag.js:
2871         * microbenchmarks/elidable-new-object-roflcopter.js:
2872         * microbenchmarks/elidable-new-object-tree.js:
2873         * microbenchmarks/getter-richards.js:
2874         * microbenchmarks/sinkable-new-object-dag.js:
2875         * microbenchmarks/string-concat-long-convert.js:
2876         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2877         * slowMicrobenchmarks/array-push-3.js:
2878         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2879         * slowMicrobenchmarks/spread-small-array.js:
2880         * slowMicrobenchmarks/undefined-property-access.js:
2881         * stress/activation-sink-default-value-tdz-error.js:
2882         * stress/activation-sink-default-value.js:
2883         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2884         * stress/activation-sink-osrexit-default-value.js:
2885         * stress/activation-sink-osrexit.js:
2886         * stress/activation-sink.js:
2887         * stress/allow-math-ic-b3-code-duplication.js:
2888         * stress/array-push-multiple-int32.js:
2889         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2890         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2891         * stress/arrowfunction-lexical-this-activation-sink.js:
2892         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2893         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2894         * stress/elide-new-object-dag-then-exit.js:
2895         * stress/materialize-regexp-cyclic.js:
2896         * stress/new-regex-inline.js:
2897         * stress/op_add.js:
2898         * stress/op_bitand.js:
2899         * stress/op_bitor.js:
2900         * stress/op_bitxor.js:
2901         * stress/op_div-ConstVar.js:
2902         * stress/op_div-VarConst.js:
2903         * stress/op_div-VarVar.js:
2904         * stress/op_lshift-ConstVar.js:
2905         * stress/op_lshift-VarConst.js:
2906         * stress/op_lshift-VarVar.js:
2907         * stress/op_mod-ConstVar.js:
2908         * stress/op_mod-VarConst.js:
2909         * stress/op_mod-VarVar.js:
2910         * stress/op_mul-ConstVar.js:
2911         * stress/op_mul-VarConst.js:
2912         * stress/op_mul-VarVar.js:
2913         * stress/op_rshift-ConstVar.js:
2914         * stress/op_rshift-VarConst.js:
2915         * stress/op_rshift-VarVar.js:
2916         * stress/op_sub-ConstVar.js:
2917         * stress/op_sub-VarConst.js:
2918         * stress/op_sub-VarVar.js:
2919         * stress/op_urshift-ConstVar.js:
2920         * stress/op_urshift-VarConst.js:
2921         * stress/op_urshift-VarVar.js:
2922         * stress/proxy-get-set-correct-receiver.js:
2923         * stress/regress-179562.js:
2924         * stress/rest-parameter-many-arguments.js:
2925         * stress/sampling-profiler-richards.js:
2926         * stress/splay-flash-access-1ms.js:
2927         * stress/tailCallForwardArguments.js:
2928         * stress/typed-array-get-by-val-profiling.js:
2929         * typeProfiler/getter-richards.js:
2930
2931 2018-11-06  Michael Saboff  <msaboff@apple.com>
2932
2933         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2934         https://bugs.webkit.org/show_bug.cgi?id=191271
2935
2936         Reviewed by Saam Barati.
2937
2938         Added more test cases and made all test cases run with the same deeply recursive stack
2939         instead of finding that same point for each test case.
2940
2941         * stress/regexp-compile-oom.js:
2942         (prototype.runTest):
2943         (recurseAndTest):
2944         (testList.push.new.TestAndExpectedException):
2945
2946 2018-11-05  Michael Saboff  <msaboff@apple.com>
2947
2948         Unreviewed build fix for linux.
2949
2950         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2951
2952 2018-11-02  Michael Saboff  <msaboff@apple.com>
2953
2954         Rolling in r237753 with unreviewed build fix.
2955
2956         Fixed issues with DECLARE_THROW_SCOPE placement.
2957
2958 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2959
2960         Unreviewed, rolling out r237753.
2961
2962         Introduced JSC test failures
2963
2964         Reverted changeset:
2965
2966         "Running out of stack space not properly handled in
2967         RegExp::compile() and its callers"
2968         https://bugs.webkit.org/show_bug.cgi?id=191206
2969         https://trac.webkit.org/changeset/237753
2970
2971 2018-11-02  Michael Saboff  <msaboff@apple.com>
2972
2973         Running out of stack space not properly handled in RegExp::compile() and its callers
2974         https://bugs.webkit.org/show_bug.cgi?id=191206
2975
2976         Reviewed by Filip Pizlo.
2977
2978         New regression test.
2979
2980         * stress/regexp-compile-oom.js: Added.
2981         (recurseAndTest):
2982
2983 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2984
2985         Skip tests on arm/mips that time out now we're running on CLoop
2986
2987         Unreviewed gardening.
2988
2989         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2990         time out on the bots and need to be disabled. There's more tests
2991         disabled on arm because the timeout is longer on the mips bot (as the
2992         device is slower to start with), so many of the tests don't time out
2993         there.
2994
2995         * microbenchmarks/getter-richards.js: disable on arm and mips.
2996         * stress/op_add.js: disable on arm.
2997         * stress/op_bitand.js: disable on arm.
2998         * stress/op_bitor.js: disable on arm.
2999         * stress/op_bitxor.js: disable on arm.
3000         * stress/op_lshift-ConstVar.js: disable on arm.
3001         * stress/op_lshift-VarConst.js: disable on arm.
3002         * stress/op_lshift-VarVar.js: disable on arm.
3003         * stress/op_mod-ConstVar.js: disable on arm.
3004         * stress/op_mod-VarConst.js: disable on arm.
3005         * stress/op_mod-VarVar.js: disable on arm.
3006         * stress/op_mul-ConstVar.js: disable on arm.
3007         * stress/op_mul-VarConst.js: disable on arm.
3008         * stress/op_mul-VarVar.js: disable on arm.
3009         * stress/op_rshift-ConstVar.js: disable on arm.
3010         * stress/op_rshift-VarConst.js: disable on arm.
3011         * stress/op_rshift-VarVar.js: disable on arm.
3012         * stress/op_sub-ConstVar.js: disable on arm.
3013         * stress/op_sub-VarConst.js: disable on arm.
3014         * stress/op_sub-VarVar.js: disable on arm.
3015         * stress/op_urshift-ConstVar.js: disable on arm.
3016         * stress/op_urshift-VarConst.js: disable on arm.
3017         * stress/op_urshift-VarVar.js: disable on arm.
3018         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3019         * stress/value-to-boolean.js: disable on arm and mips.
3020
3021 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3022
3023         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3024         https://bugs.webkit.org/show_bug.cgi?id=191108
3025         <rdar://problem/45690700>
3026
3027         Reviewed by Saam Barati.
3028
3029         * stress/wide-op_catch.js: Added.
3030         (catch):
3031
3032 2018-10-29  Mark Lam  <mark.lam@apple.com>
3033
3034         Correctly detect string overflow when using the 'Function' constructor.
3035         https://bugs.webkit.org/show_bug.cgi?id=184883
3036         <rdar://problem/36320331>
3037
3038         Reviewed by Saam Barati.
3039
3040         I've verified that this passes on 32-bit as well.
3041
3042         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3043
3044 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3045
3046         Add support for GetStack FlushedDouble
3047         https://bugs.webkit.org/show_bug.cgi?id=191012
3048         <rdar://problem/45265141>
3049
3050         Reviewed by Saam Barati.
3051
3052         * stress/get-stack-double.js: Added.
3053         (bar):
3054         (noInline):
3055
3056 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3057
3058         New bytecode format for JSC
3059         https://bugs.webkit.org/show_bug.cgi?id=187373
3060         <rdar://problem/44186758>
3061
3062         Reviewed by Filip Pizlo.
3063
3064         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3065
3066         * stress/maximum-inline-capacity.js: Added.
3067         (test1):
3068         (test3.Foo):
3069         (test3):
3070
3071 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3072
3073         Unreviewed, rolling out r237479 and r237484.
3074         https://bugs.webkit.org/show_bug.cgi?id=190978
3075
3076         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3077
3078         Reverted changesets:
3079
3080         "New bytecode format for JSC"
3081         https://bugs.webkit.org/show_bug.cgi?id=187373
3082         https://trac.webkit.org/changeset/237479
3083
3084         "Gardening: Build fix after r237479."
3085         https://bugs.webkit.org/show_bug.cgi?id=187373
3086         https://trac.webkit.org/changeset/237484
3087
3088 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3089
3090         New bytecode format for JSC
3091         https://bugs.webkit.org/show_bug.cgi?id=187373
3092         <rdar://problem/44186758>
3093
3094         Reviewed by Filip Pizlo.
3095
3096         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3097
3098         * stress/maximum-inline-capacity.js: Added.
3099         (test1):
3100         (test3.Foo):
3101         (test3):
3102
3103 2018-10-26  Mark Lam  <mark.lam@apple.com>
3104
3105         Fix missing edge cases with JSGlobalObjects having a bad time.
3106         https://bugs.webkit.org/show_bug.cgi?id=189028
3107         <rdar://problem/45204939>
3108
3109         Reviewed by Saam Barati.
3110
3111         * stress/regress-189028.js: Added.
3112
3113 2018-10-22  Mark Lam  <mark.lam@apple.com>
3114
3115         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3116         https://bugs.webkit.org/show_bug.cgi?id=190515
3117         <rdar://problem/45222379>
3118
3119         Rubber-stamped by Saam Barati.
3120
3121         Adding another test.
3122
3123         * stress/regress-190515-2.js: Added.
3124
3125 2018-10-22  Mark Lam  <mark.lam@apple.com>
3126
3127         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3128         https://bugs.webkit.org/show_bug.cgi?id=190515
3129         <rdar://problem/45222379>
3130
3131         Reviewed by Saam Barati.
3132
3133         * stress/regress-190515.js: Added.
3134
3135 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3136
3137         Unreviewed, rolling out r237254.
3138         https://bugs.webkit.org/show_bug.cgi?id=190760
3139
3140         "It regresses JetStream 2 by 5% on some iOS devices"
3141         (Requested by saamyjoon on #webkit).
3142
3143         Reverted changeset:
3144
3145         "[JSC] JSC should have "parseFunction" to optimize Function
3146         constructor"
3147         https://bugs.webkit.org/show_bug.cgi?id=190340
3148         https://trac.webkit.org/changeset/237254
3149
3150 2018-10-19  Saam Barati  <sbarati@apple.com>
3151
3152         vmCall should check if we exit before emitting an OSR exit due to exceptions
3153         https://bugs.webkit.org/show_bug.cgi?id=190740
3154         <rdar://problem/45220139>
3155
3156         Reviewed by Mark Lam.
3157
3158         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3159         (foo):
3160
3161 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3162
3163         [ESNext][BigInt] Implement support for "^"
3164         https://bugs.webkit.org/show_bug.cgi?id=186235
3165
3166         Reviewed by Yusuke Suzuki.
3167
3168         * stress/big-int-bitwise-xor-general.js: Added.
3169         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3170         * stress/big-int-bitwise-xor-type-error.js: Added.
3171         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3172
3173 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3174
3175         [BigInt] Add ValueSub into DFG
3176         https://bugs.webkit.org/show_bug.cgi?id=186176
3177
3178         Reviewed by Yusuke Suzuki.
3179
3180         * stress/big-int-subtraction-jit.js:
3181         * stress/value-sub-big-int-prediction-propagation.js: Added.
3182         * stress/value-sub-big-int-untyped.js: Added.
3183         * stress/value-sub-spec-none-case.js: Added.
3184
3185 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3186
3187         [JSC] JSC should have "parseFunction" to optimize Function constructor
3188         https://bugs.webkit.org/show_bug.cgi?id=190340
3189
3190         Reviewed by Mark Lam.
3191
3192         This patch fixes the line number of syntax errors raised by the Function constructor,
3193         since we now parse the final code only once. And we no longer use block statement
3194         for Function constructor's parsing.
3195
3196         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3197         * stress/function-cache-with-parameters-end-position.js: Added.
3198         (shouldBe):
3199         (shouldThrow):
3200         (i.anonymous):
3201         * stress/function-constructor-name.js: Added.
3202         (shouldBe):
3203         (GeneratorFunction):
3204         (AsyncFunction.async):
3205         (AsyncGeneratorFunction.async):
3206         (anonymous):
3207         (async.anonymous):
3208         * test262/expectations.yaml:
3209
3210 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3211
3212         Unreviewed, rolling out r237242.
3213         https://bugs.webkit.org/show_bug.cgi?id=190701
3214
3215         it breaks "stress/sampling-profiler-basic.js" (Requested by
3216         caiolima on #webkit).
3217
3218         Reverted changeset:
3219
3220         "[BigInt] Add ValueSub into DFG"
3221         https://bugs.webkit.org/show_bug.cgi?id=186176
3222         https://trac.webkit.org/changeset/237242
3223
3224 2018-10-17  Keith Miller  <keith_miller@apple.com>
3225
3226         AI does not clear Phantom allocation nodes.
3227         https://bugs.webkit.org/show_bug.cgi?id=190694
3228
3229         Reviewed by Saam Barati.
3230
3231         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3232         (Day):
3233         (DaysInYear):
3234         (TimeInYear):
3235         (TimeFromYear):
3236         (DayFromYear):
3237         (InLeapYear):
3238         (YearFromTime):
3239         (WeekDay):
3240         (DaylightSavingTA):
3241         (GetSecondSundayInMarch):
3242         (TimeInMonth):
3243
3244 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3245
3246         [BigInt] Add ValueSub into DFG
3247         https://bugs.webkit.org/show_bug.cgi?id=186176
3248
3249         Reviewed by Yusuke Suzuki.
3250
3251         * stress/big-int-subtraction-jit.js:
3252         * stress/value-sub-big-int-prediction-propagation.js: Added.
3253         * stress/value-sub-big-int-untyped.js: Added.
3254
3255 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3256
3257         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3258         https://bugs.webkit.org/show_bug.cgi?id=190611
3259
3260         Reviewed by Saam Barati.
3261
3262         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3263         to improve test runtime. On ARM/MIPS this test even timed out when running all
3264         tests.
3265
3266         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3267         (test):
3268
3269 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3270
3271         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3272
3273         Unreviewed gardening.
3274
3275         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3276
3277 2018-10-15  Saam barati  <sbarati@apple.com>
3278
3279         Emit fjcvtzs on ARM64E on Darwin
3280         https://bugs.webkit.org/show_bug.cgi?id=184023
3281
3282         Reviewed by Yusuke Suzuki and Filip Pizlo.
3283
3284         * stress/double-to-int32-NaN.js: Added.
3285         (assert):
3286         (foo):
3287
3288 2018-10-15  Saam Barati  <sbarati@apple.com>
3289
3290         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3291         https://bugs.webkit.org/show_bug.cgi?id=190262
3292         <rdar://problem/44986241>
3293
3294         Reviewed by Mark Lam.
3295
3296         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3297         (test):
3298         * stress/slice-array-storage-with-holes.js: Added.
3299         (main):
3300
3301 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3302
3303         Unreviewed, rolling out r237054.
3304         https://bugs.webkit.org/show_bug.cgi?id=190593
3305
3306         "this regressed JetStream 2 by 6% on iOS" (Requested by
3307         saamyjoon on #webkit).
3308
3309         Reverted changeset:
3310
3311         "[JSC] JSC should have "parseFunction" to optimize Function
3312         constructor"
3313         https://bugs.webkit.org/show_bug.cgi?id=190340
3314         https://trac.webkit.org/changeset/237054
3315
3316 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3317
3318         [JSC] JSON.stringify can accept call-with-no-arguments
3319         https://bugs.webkit.org/show_bug.cgi?id=190343
3320
3321         Reviewed by Mark Lam.
3322
3323         * stress/json-stringify-no-arguments.js: Added.
3324         (shouldBe):
3325
3326 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3327
3328         [JSC] JSC should have "parseFunction" to optimize Function constructor
3329         https://bugs.webkit.org/show_bug.cgi?id=190340
3330
3331         Reviewed by Mark Lam.
3332
3333         This patch fixes the line number of syntax errors raised by the Function constructor,
3334         since we now parse the final code only once. And we no longer use block statement
3335         for Function constructor's parsing.
3336
3337         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3338         * stress/function-cache-with-parameters-end-position.js: Added.
3339         (shouldBe):
3340         (shouldThrow):
3341         (i.anonymous):
3342         * stress/function-constructor-name.js: Added.
3343         (shouldBe):
3344         (GeneratorFunction):
3345         (AsyncFunction.async):
3346         (AsyncGeneratorFunction.async):
3347         (anonymous):
3348         (async.anonymous):
3349         * test262/expectations.yaml:
3350
3351 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3352
3353         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3354         https://bugs.webkit.org/show_bug.cgi?id=190426
3355
3356         Unreviewed gardening.
3357
3358         * stress/sampling-profiler-richards.js:
3359
3360 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3361
3362         [ESNext][BigInt] Implement support for "|"
3363         https://bugs.webkit.org/show_bug.cgi?id=186229
3364
3365         Reviewed by Yusuke Suzuki.
3366
3367         * stress/big-int-bitwise-and-jit.js:
3368         * stress/big-int-bitwise-or-general.js: Added.
3369         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3370         * stress/big-int-bitwise-or-jit.js: Added.
3371         * stress/big-int-bitwise-or-memory-stress.js: Added.
3372         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3373         * stress/big-int-bitwise-or-type-error.js: Added.
3374         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3375
3376 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3377
3378         Skip test on systems with limited memory
3379         https://bugs.webkit.org/show_bug.cgi?id=190310
3380
3381         Invoking runDefault adds test to runlist, skipping the test in the next
3382         line does not prevent the test from executing. Change order of lines such
3383         that runDefault is only executed if test is not executed.
3384
3385         Reviewed by Mark Lam.
3386
3387         * stress/regress-190187.js:
3388
3389 2018-10-03  Saam barati  <sbarati@apple.com>
3390
3391         lowXYZ in FTLLower should always filter the type of the incoming edge
3392         https://bugs.webkit.org/show_bug.cgi?id=189939
3393         <rdar://problem/44407030>
3394
3395         Reviewed by Michael Saboff.
3396
3397         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3398         (foo):
3399         (test):
3400
3401 2018-10-03  Mark Lam  <mark.lam@apple.com>
3402
3403         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3404         https://bugs.webkit.org/show_bug.cgi?id=190187
3405         <rdar://problem/42512909>
3406
3407         Reviewed by Michael Saboff.
3408
3409         * stress/regress-190187.js: Added.
3410
3411 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3412
3413         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3414         https://bugs.webkit.org/show_bug.cgi?id=190033
3415
3416         Reviewed by Yusuke Suzuki.
3417
3418         * stress/big-int-to-string.js:
3419
3420 2018-10-01  Mark Lam  <mark.lam@apple.com>
3421
3422         Function.toString() should also copy the source code of Functions that are class definitions.
3423         https://bugs.webkit.org/show_bug.cgi?id=190186
3424         <rdar://problem/44733360>
3425
3426         Reviewed by Saam Barati.
3427
3428         * stress/regress-190186.js: Added.
3429
3430 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3431
3432         Split NaN-check into separate test
3433         https://bugs.webkit.org/show_bug.cgi?id=190010
3434
3435         Reviewed by Saam Barati.
3436
3437         DataView exposes NaN-representation, which is not necessarily the same on each
3438         architecture. Therefore move the check of the NaN-representation into its own
3439         file such that we can disable this test on MIPS where NaN-representation can be
3440         different on older CPUs.
3441
3442         * stress/dataview-jit-set-nan.js: Added.
3443         (assert):
3444         (test.storeLittleEndian):
3445         (test.storeBigEndian):
3446         (test.store):
3447         (test):
3448         * stress/dataview-jit-set.js:
3449         (test5):
3450
3451 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3452
3453         Unreviewed, rolling out r236647.
3454         https://bugs.webkit.org/show_bug.cgi?id=190124
3455
3456         Breaking test stress/big-int-to-string.js (Requested by
3457         caiolima_ on #webkit).
3458
3459         Reverted changeset:
3460
3461         "[BigInt] BigInt.prototype.toString is broken when radix is
3462         power of 2"
3463         https://bugs.webkit.org/show_bug.cgi?id=190033
3464         https://trac.webkit.org/changeset/236647
3465
3466 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3467
3468         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
3469         https://bugs.webkit.org/show_bug.cgi?id=190033
3470
3471         Reviewed by Yusuke Suzuki.
3472
3473         * stress/big-int-to-string.js:
3474
3475 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3476
3477         [ESNext][BigInt] Implement support for "&"
3478         https://bugs.webkit.org/show_bug.cgi?id=186228
3479
3480         Reviewed by Yusuke Suzuki.
3481
3482         * stress/big-int-bitwise-and-general.js: Added.
3483         (assert):
3484         (assert.sameValue):
3485         * stress/big-int-bitwise-and-jit.js: Added.
3486         (let.assert.sameValue):
3487         (bigIntBitAnd):
3488         * stress/big-int-bitwise-and-memory-stress.js: Added.
3489         (assert):
3490         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3491         (assert.sameValue):
3492         (let.o.Symbol.toPrimitive):
3493         (catch):
3494         * stress/big-int-bitwise-and-type-error.js: Added.
3495         (assert):
3496         (assertThrowTypeError):
3497         (let.o.valueOf):
3498         (o.valueOf):
3499         (o.toString):
3500         (o.Symbol.toPrimitive):
3501         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3502         (assert.sameValue):
3503         (testBitAnd):
3504         (let.o.Symbol.toPrimitive):
3505         (o.valueOf):
3506         (o.toString):
3507
3508 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3509
3510         JSC test stress/jsc-read.js doesn't support CRLF
3511         https://bugs.webkit.org/show_bug.cgi?id=190063
3512
3513         Reviewed by Yusuke Suzuki.
3514
3515         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3516
3517         * stress/jsc-read.js:
3518         (test):
3519
3520 2018-09-27  Saam barati  <sbarati@apple.com>
3521
3522         Verify the contents of AssemblerBuffer on arm64e
3523         https://bugs.webkit.org/show_bug.cgi?id=190057
3524         <rdar://problem/38916630>
3525
3526         Reviewed by Mark Lam.
3527
3528         * stress/regress-189132.js:
3529
3530 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3531
3532         Disable test without LLInt on ARMv7
3533         https://bugs.webkit.org/show_bug.cgi?id=190037
3534
3535         Reviewed by Mark Lam.
3536
3537         Test runs out of executable memory on ARMv7; do not run
3538         this test without LLInt enabled.
3539
3540         * stress/regress-169445.js:
3541
3542 2018-09-26  Keith Miller  <keith_miller@apple.com>
3543
3544         We should zero unused property storage when rebalancing array storage.
3545         https://bugs.webkit.org/show_bug.cgi?id=188151
3546
3547         Reviewed by Michael Saboff.
3548
3549         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3550
3551 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3552
3553         [JSC] Optimize Array#lastIndexOf
3554         https://bugs.webkit.org/show_bug.cgi?id=189780
3555
3556         Reviewed by Saam Barati.
3557
3558         * stress/array-lastindexof-array-prototype-trap.js: Added.
3559         (shouldBe):
3560         (AncestorArray.prototype.get 2):
3561         (AncestorArray):
3562         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3563         (shouldBe):
3564         * stress/array-lastindexof-hole-nan.js: Added.
3565         (shouldBe):
3566         (throw.new.Error):
3567         * stress/array-lastindexof-infinity.js: Added.
3568         (shouldBe):
3569         (throw.new.Error):
3570         * stress/array-lastindexof-negative-zero.js: Added.
3571         (shouldBe):
3572         (throw.new.Error):
3573         * stress/array-lastindexof-own-getter.js: Added.
3574         (shouldBe):
3575         (throw.new.Error.get array):
3576         (get array):
3577         * stress/array-lastindexof-prototype-trap.js: Added.
3578         (shouldBe):
3579         (DerivedArray.prototype.get 2):
3580         (DerivedArray):
3581
3582 2018-09-25  Saam Barati  <sbarati@apple.com>
3583
3584         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3585         https://bugs.webkit.org/show_bug.cgi?id=189940
3586         <rdar://problem/43640987>
3587
3588         Reviewed by Mark Lam.
3589
3590         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3591
3592 2018-09-24  Saam Barati  <sbarati@apple.com>
3593
3594         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3595         https://bugs.webkit.org/show_bug.cgi?id=189922
3596         <rdar://problem/44651275>
3597
3598         Reviewed by Mark Lam.
3599
3600         * stress/array-indexof-fast-path-effects.js: Added.
3601         * stress/array-indexof-cached-length.js: Added.
3602
3603 2018-09-24  Saam barati  <sbarati@apple.com>
3604
3605         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3606         https://bugs.webkit.org/show_bug.cgi?id=189682
3607         <rdar://problem/43557315>
3608
3609         Reviewed by Mark Lam.
3610
3611         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3612         (foo):
3613
3614 2018-09-22  Saam barati  <sbarati@apple.com>
3615
3616         The sampling should not use Strong<CodeBlock> in its machineLocation field
3617         https://bugs.webkit.org/show_bug.cgi?id=189319
3618
3619         Reviewed by Filip Pizlo.
3620
3621         * stress/sampling-profiler-richards.js: Added.
3622
3623 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3624
3625         [JSC] Optimize Array#indexOf in C++ runtime
3626         https://bugs.webkit.org/show_bug.cgi?id=189507
3627
3628         Reviewed by Saam Barati.
3629
3630         * stress/array-indexof-array-prototype-trap.js: Added.
3631         (shouldBe):
3632         (AncestorArray.prototype.get 2):
3633         (AncestorArray):
3634         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3635         (shouldBe):
3636         * stress/array-indexof-hole-nan.js: Added.
3637         (shouldBe):
3638         (throw.new.Error):
3639         * stress/array-indexof-infinity.js: Added.
3640         (shouldBe):
3641         (throw.new.Error):
3642         * stress/array-indexof-negative-zero.js: Added.
3643         (shouldBe):
3644         (throw.new.Error):
3645         * stress/array-indexof-own-getter.js: Added.
3646         (shouldBe):
3647         (throw.new.Error.get array):
3648         (get array):
3649         * stress/array-indexof-prototype-trap.js: Added.
3650         (shouldBe):
3651         (DerivedArray.prototype.get 2):
3652         (DerivedArray):
3653
3654 2018-09-19  Saam barati  <sbarati@apple.com>
3655
3656         AI rule for MultiPutByOffset executes its effects in the wrong order
3657         https://bugs.webkit.org/show_bug.cgi?id=189757
3658         <rdar://problem/43535257>
3659
3660         Reviewed by Michael Saboff.
3661
3662         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3663         (foo):
3664         (Foo):
3665         (g):
3666
3667 2018-09-17  Mark Lam  <mark.lam@apple.com>
3668
3669         Ensure that ForInContexts are invalidated if their loop local is over-written.
3670         https://bugs.webkit.org/show_bug.cgi?id=189571
3671         <rdar://problem/44402277>
3672
3673         Reviewed by Saam Barati.
3674
3675         * stress/regress-189571.js: Added.
3676
3677 2018-09-17  Saam barati  <sbarati@apple.com>
3678
3679         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3680         https://bugs.webkit.org/show_bug.cgi?id=189676
3681         <rdar://problem/39682897>
3682
3683         Reviewed by Michael Saboff.
3684
3685         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3686         (A):
3687         (K):
3688         (i.catch):
3689
3690 2018-09-14  Saam barati  <sbarati@apple.com>
3691
3692         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3693         https://bugs.webkit.org/show_bug.cgi?id=189628
3694         <rdar://problem/39481690>
3695
3696         Reviewed by Mark Lam.
3697
3698         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3699         (foo):
3700
3701 2018-09-11  Mark Lam  <mark.lam@apple.com>
3702
3703         Test for array initialization in arrayProtoFuncSplice.
3704         https://bugs.webkit.org/show_bug.cgi?id=170253
3705         <rdar://problem/31328773>
3706
3707         Rubber-stamped by Saam Barati.
3708
3709         * stress/regress-170253.js: Added.
3710
3711 2018-09-11  Mark Lam  <mark.lam@apple.com>
3712
3713         Test for IntlObject initialization.
3714         https://bugs.webkit.org/show_bug.cgi?id=170251
3715         <rdar://problem/31328419>
3716
3717         Rubber-stamped by Saam Barati.
3718
3719         * stress/regress-170251.js: Added.
3720
3721 2018-09-11  Mark Lam  <mark.lam@apple.com>
3722
3723         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3724         https://bugs.webkit.org/show_bug.cgi?id=169889
3725         <rdar://problem/31155607>
3726
3727         Reviewed by Saam Barati.
3728
3729         * stress/regress-169889-array-concat.js: Added.
3730         * stress/regress-169889-array-concat1.js: Added.
3731         * stress/regress-169889-array-slice.js: Added.
3732
3733 2018-09-11  Mark Lam  <mark.lam@apple.com>
3734
3735         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3736         https://bugs.webkit.org/show_bug.cgi?id=169445
3737         <rdar://problem/30957435>
3738
3739         Reviewed by Saam Barati.
3740
3741         * stress/regress-169445.js: Added.
3742         (let.gun.eval.A):
3743         (let.gun.eval.B.C):
3744         (let.gun.eval.B.C.prototype.trigger):
3745         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3746         (let.gun.eval.B):
3747         (let.gun.eval):
3748
3749 == Rolled over to ChangeLog-2018-09-11 ==