Teach Call ICs how to call Wasm
[WebKit-https.git] / JSTests / ChangeLog
1 2019-04-04  Saam barati  <sbarati@apple.com>
2
3         Teach Call ICs how to call Wasm
4         https://bugs.webkit.org/show_bug.cgi?id=196387
5
6         Reviewed by Filip Pizlo.
7
8         * wasm/function-tests/stack-trace.js:
9
10 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
11
12         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
13         https://bugs.webkit.org/show_bug.cgi?id=194944
14
15         Reviewed by Keith Miller.
16
17         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
18
19 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
20
21         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
22         https://bugs.webkit.org/show_bug.cgi?id=196409
23
24         Reviewed by Saam Barati.
25
26         * stress/bytecode-cache-cached-string-impl.js: Added.
27         (f):
28         (g):
29         * stress/bytecode-cache-run-string.js: Added.
30
31 2019-04-03  Robin Morisset  <rmorisset@apple.com>
32
33         B3 should use associativity to optimize expression trees
34         https://bugs.webkit.org/show_bug.cgi?id=194081
35
36         Reviewed by Filip Pizlo.
37
38         Added three microbenchmarks:
39         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
40         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
41           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
42         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
43
44         * microbenchmarks/add-tree.js: Added.
45         * microbenchmarks/bit-or-tree.js: Added.
46         * microbenchmarks/bit-xor-tree.js: Added.
47
48 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
49
50         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
51         https://bugs.webkit.org/show_bug.cgi?id=196574
52
53         Reviewed by Saam Barati.
54
55         * stress/string-index-of-exception-check.js: Added.
56         (blurType):
57         (1.forEach):
58
59 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
60
61         Assertion failed in JSC::createError
62         https://bugs.webkit.org/show_bug.cgi?id=196305
63         <rdar://problem/49387382>
64
65         Reviewed by Saam Barati.
66
67         * stress/create-error-out-of-memory-rope-string-2.js: Added.
68         (assert):
69         (catch):
70
71 2019-03-28  Saam Barati  <sbarati@apple.com>
72
73         BackwardsGraph needs to consider back edges as the backward's root successor
74         https://bugs.webkit.org/show_bug.cgi?id=195991
75
76         Reviewed by Filip Pizlo.
77
78         * stress/map-b3-licm-infinite-loop.js: Added.
79
80 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
81
82         CodeBlock::jettison() should disallow repatching its own calls
83         https://bugs.webkit.org/show_bug.cgi?id=196359
84         <rdar://problem/48973663>
85
86         Reviewed by Saam Barati.
87
88         * stress/call-link-info-osrexit-repatch.js: Added.
89         (foo):
90
91 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
92
93         [JSC] imports-oom.js intermittently fails
94         https://bugs.webkit.org/show_bug.cgi?id=196373
95
96         Reviewed by Saam Barati.
97
98         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
99         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
100         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
101         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
102         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
103
104         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
105         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
106
107         * wasm/lowExecutableMemory/imports-oom.js:
108
109 2019-03-27  Saam Barati  <sbarati@apple.com>
110
111         validateOSREntryValue with Int52 should box the value being checked into double format
112         https://bugs.webkit.org/show_bug.cgi?id=196313
113         <rdar://problem/49306703>
114
115         Reviewed by Yusuke Suzuki.
116
117         * stress/validate-int-52-ai-state.js: Added.
118
119 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
120
121         [JSC] Owner of watchpoints should validate at GC finalizing phase
122         https://bugs.webkit.org/show_bug.cgi?id=195827
123
124         Reviewed by Filip Pizlo.
125
126         * stress/gc-should-reap-dead-watchpoints.js: Added.
127         (foo):
128         (A.prototype.y):
129         (A):
130
131 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
132
133         Skip WebAssembly test on 32-bit systems
134         https://bugs.webkit.org/show_bug.cgi?id=196206
135
136         Reviewed by Saam Barati.
137
138         Invoking runDefault executes test immediately even though
139         that test should be skipped due to missing WASM support.
140         Therefore remove runDefault.
141
142         * wasm/regress/web-assembly-link-error-exception-check.js:
143
144 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
145
146         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
147         https://bugs.webkit.org/show_bug.cgi?id=196217
148
149         Reviewed by Saam Barati.
150
151         Re-enable all NaN tests for f32.min, f64.min and f64.max.
152
153         * wasm/spec-tests/f32.wast.js:
154         * wasm/spec-tests/f64.wast.js:
155         * wasm/wasm.json:
156
157 2019-03-25  Keith Miller  <keith_miller@apple.com>
158
159         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
160         https://bugs.webkit.org/show_bug.cgi?id=196176
161
162         Reviewed by Saam Barati.
163
164         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
165         (main.v10):
166         (main):
167
168 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
169
170         WebAssembly: f32.max with NaN generates incorrect result
171         https://bugs.webkit.org/show_bug.cgi?id=175691
172         <rdar://problem/33952228>
173
174         Reviewed by Saam Barati.
175
176         Enable all f32.max NaN tests
177
178         * wasm/spec-tests/f32.wast.js:
179         * wasm/wasm.json:
180
181 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
182
183         [JSC] Move test into directory for WASM tests
184         https://bugs.webkit.org/show_bug.cgi?id=196187
185
186         Reviewed by Mark Lam.
187
188         Move Test into wasm-directory. Otherwise this test
189         is also executed on systems without WASM support.
190
191         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
192
193 2019-03-23  Mark Lam  <mark.lam@apple.com>
194
195         Rolling out r243032 and r243071 because the fix is incorrect.
196         https://bugs.webkit.org/show_bug.cgi?id=195892
197         <rdar://problem/48981239>
198
199         Not reviewed.
200
201         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
202
203 2019-03-22  Mark Lam  <mark.lam@apple.com>
204
205         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
206         https://bugs.webkit.org/show_bug.cgi?id=196154
207         <rdar://problem/49145307>
208
209         Reviewed by Filip Pizlo.
210
211         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
212         There's no need to run this test on more than 1 test configuration.
213
214         * stress/typed-array-lastIndexOf-exception-check.js: Added.
215         * stress/web-assembly-link-error-exception-check.js:
216
217 2019-03-22  Mark Lam  <mark.lam@apple.com>
218
219         Placate exception check validation in constructJSWebAssemblyLinkError().
220         https://bugs.webkit.org/show_bug.cgi?id=196152
221         <rdar://problem/49145257>
222
223         Reviewed by Michael Saboff.
224
225         * stress/web-assembly-link-error-exception-check.js: Added.
226
227 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
228
229         Skip tests running out of memory on ARM/MIPS
230         https://bugs.webkit.org/show_bug.cgi?id=196131
231
232         Unreviewed. Skip test if memory is limited.
233
234         * microbenchmarks/put-by-val-direct-large-index.js:
235
236 2019-03-21  Mark Lam  <mark.lam@apple.com>
237
238         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
239         https://bugs.webkit.org/show_bug.cgi?id=196116
240         <rdar://problem/48976951>
241
242         Reviewed by Filip Pizlo.
243
244         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
245
246 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
247
248         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
249         https://bugs.webkit.org/show_bug.cgi?id=196078
250         <rdar://problem/35925380>
251
252         Reviewed by Mark Lam.
253
254         Add a new benchmark that allocates several objects and invokes put_by_val_direct
255         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
256
257         * microbenchmarks/put-by-val-direct-large-index.js: Added.
258
259 2019-03-21  Mark Lam  <mark.lam@apple.com>
260
261         Placate exception check validation in operationArrayIndexOfString().
262         https://bugs.webkit.org/show_bug.cgi?id=196067
263         <rdar://problem/49056572>
264
265         Reviewed by Michael Saboff.
266
267         * stress/string-equal-exception-check.js: Added.
268
269 2019-03-21  Mark Lam  <mark.lam@apple.com>
270
271         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
272         https://bugs.webkit.org/show_bug.cgi?id=196055
273         <rdar://problem/49067448>
274
275         Reviewed by Yusuke Suzuki.
276
277         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
278
279 2019-03-20  Saam Barati  <sbarati@apple.com>
280
281         typeOfDoubleSum is wrong for when NaN can be produced
282         https://bugs.webkit.org/show_bug.cgi?id=196030
283
284         Reviewed by Filip Pizlo.
285
286         * stress/double-add-sub-mul-can-produce-nan.js: Added.
287         (assert):
288         (noInline.sub):
289         (noInline):
290         (assert.mul):
291         (assert.add):
292
293 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
294
295         Update the test to ensure OutOfMemoryError is thrown as intended
296         https://bugs.webkit.org/show_bug.cgi?id=196032
297         <rdar://problem/46842740>
298
299         Rubber stamped by Saam Barati.
300
301         * stress/create-error-out-of-memory-rope-string.js:
302         (assert):
303         (catch):
304
305 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
306
307         JSC::createError needs to check for OOM in errorDescriptionForValue
308         https://bugs.webkit.org/show_bug.cgi?id=196032
309         <rdar://problem/46842740>
310
311         Reviewed by Mark Lam.
312
313         * stress/create-error-out-of-memory-rope-string.js: Added.
314
315 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
316
317         Unreviewed, reduce # of iterations to avoid timing out after r242991
318         https://bugs.webkit.org/show_bug.cgi?id=195791
319
320         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
321
322         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
323
324 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
325
326         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
327         https://bugs.webkit.org/show_bug.cgi?id=195950
328
329         Unreviewed, reducing the amount of memory used on this test to avoid
330         OOM on devices with memory restrictions.
331
332         * microbenchmarks/generate-multiple-llint-entrypoints.js:
333
334 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
335
336         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
337         https://bugs.webkit.org/show_bug.cgi?id=194648
338
339         Reviewed by Keith Miller.
340
341         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
342
343 2019-03-18  Mark Lam  <mark.lam@apple.com>
344
345         Missing a ThrowScope release in JSObject::toString().
346         https://bugs.webkit.org/show_bug.cgi?id=195893
347         <rdar://problem/48970986>
348
349         Reviewed by Michael Saboff.
350
351         * stress/to-string-exception-check-release.js: Added.
352
353 2019-03-18  Mark Lam  <mark.lam@apple.com>
354
355         Structure::flattenDictionary() should clear unused property slots.
356         https://bugs.webkit.org/show_bug.cgi?id=195871
357         <rdar://problem/48959497>
358
359         Reviewed by Michael Saboff.
360
361         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
362
363 2019-03-15  Mark Lam  <mark.lam@apple.com>
364
365         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
366         https://bugs.webkit.org/show_bug.cgi?id=195827
367         <rdar://problem/48845513>
368
369         Reviewed by Filip Pizlo.
370
371         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
372
373 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
374
375         [ARM,MIPS] Skip slow tests
376         https://bugs.webkit.org/show_bug.cgi?id=195799
377
378         Unreviewed, test does not finish on ARM and MIPS within the
379         timeout limit.
380
381         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
382
383 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
384
385         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
386         https://bugs.webkit.org/show_bug.cgi?id=195791
387         <rdar://problem/48806130>
388
389         Reviewed by Mark Lam.
390
391         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
392         (foo):
393
394 2019-03-14  Saam barati  <sbarati@apple.com>
395
396         We can't remove code after ForceOSRExit until after FixupPhase
397         https://bugs.webkit.org/show_bug.cgi?id=186916
398         <rdar://problem/41396612>
399
400         Reviewed by Yusuke Suzuki.
401
402         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
403         (foo):
404         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
405         (foo):
406
407 2019-03-13  Michael Saboff  <msaboff@apple.com>
408
409         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
410         https://bugs.webkit.org/show_bug.cgi?id=195735
411
412         Reviewed by Mark Lam.
413
414         New regression test.
415
416         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
417         (foo):
418         (bar):
419
420 2019-03-14  Saam barati  <sbarati@apple.com>
421
422         Fixup uses KnownInt32 incorrectly in some nodes
423         https://bugs.webkit.org/show_bug.cgi?id=195279
424         <rdar://problem/47915654>
425
426         Reviewed by Yusuke Suzuki.
427
428         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
429         (foo):
430
431 2019-03-14  Keith Miller  <keith_miller@apple.com>
432
433         DFG liveness can't skip tail caller inline frames
434         https://bugs.webkit.org/show_bug.cgi?id=195715
435
436         Reviewed by Saam Barati.
437
438         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
439         (i.foo):
440
441 2019-03-13  Mark Lam  <mark.lam@apple.com>
442
443         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
444         https://bugs.webkit.org/show_bug.cgi?id=195415
445
446         Not reviewed.
447
448         Changed these tests to only run the default configuration.
449         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
450         There's no strong need to run this test on that variant.
451
452         * stress/dfg-to-string-on-int-does-gc.js:
453         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
454
455 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
456
457         String overflow when using StringBuilder in JSC::createError
458         https://bugs.webkit.org/show_bug.cgi?id=194957
459
460         Reviewed by Mark Lam.
461
462         Add test string-overflow-createError-bulder.js that overflows
463         StringBuilder in notAFunctionSourceAppender. The second new test
464         string-overflow-createError-fit.js has an error message that doesn't
465         overflow, it still failed since the String's capacity can't be doubled.
466         Run test string-overflow-createError.js only in the default
467         configuration to reduce memory consumption when running the test
468         in all configurations on multiple CPUs in parallel.
469
470         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
471         (catch):
472         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
473         (catch):
474         * stress/string-overflow-createError.js:
475
476 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         [JSC] OSR entry should respect abstract values in addition to flush formats
479         https://bugs.webkit.org/show_bug.cgi?id=195653
480
481         Reviewed by Mark Lam.
482
483         * stress/osr-entry-locals-none.js: Added.
484
485 2019-03-12  Michael Saboff  <msaboff@apple.com>
486
487         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
488         https://bugs.webkit.org/show_bug.cgi?id=195613
489
490         Reviewed by Mark Lam.
491
492         New regression test.
493
494         * stress/regexp-backref-inbounds.js: Added.
495         (testRegExp):
496
497 2019-03-12  Mark Lam  <mark.lam@apple.com>
498
499         The HasIndexedProperty node does GC.
500         https://bugs.webkit.org/show_bug.cgi?id=195559
501         <rdar://problem/48767923>
502
503         Reviewed by Yusuke Suzuki.
504
505         * stress/HasIndexedProperty-does-gc.js: Added.
506
507 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
508
509         [ESNext][BigInt] Implement "~" unary operation
510         https://bugs.webkit.org/show_bug.cgi?id=182216
511
512         Reviewed by Keith Miller.
513
514         * stress/big-int-bit-not-general.js: Added.
515         * stress/big-int-bitwise-not-jit.js: Added.
516         * stress/big-int-bitwise-not-wrapped-value.js: Added.
517         * stress/bit-op-with-object-returning-int32.js:
518         * stress/bitwise-not-fixup-rules.js: Added.
519         * stress/value-bit-not-ai-rule.js: Added.
520
521 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
522
523         Invalid flags in a RegExp literal should be an early SyntaxError
524         https://bugs.webkit.org/show_bug.cgi?id=195514
525
526         Reviewed by Darin Adler.
527
528         * test262/expectations.yaml:
529         Mark 4 test cases as passing.
530
531         * stress/regexp-syntax-error-invalid-flags.js:
532         * stress/regress-161995.js: Removed.
533         Update existing test, merging in an older test for the same behavior.
534
535 2019-03-08  Mark Lam  <mark.lam@apple.com>
536
537         Stack overflow crash in JSC::JSObject::hasInstance.
538         https://bugs.webkit.org/show_bug.cgi?id=195458
539         <rdar://problem/48710195>
540
541         Reviewed by Yusuke Suzuki.
542
543         * stress/stack-overflow-in-custom-hasInstance.js: Added.
544
545 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
546
547         op_check_tdz does not def its argument
548         https://bugs.webkit.org/show_bug.cgi?id=192880
549         <rdar://problem/46221598>
550
551         Reviewed by Saam Barati.
552
553         * microbenchmarks/let-for-in.js: Added.
554         (foo):
555
556 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
557
558         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
559         https://bugs.webkit.org/show_bug.cgi?id=195429
560
561         Reviewed by Saam Barati.
562
563         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
564         (foo):
565         * stress/string-from-char-code-255.js: Added.
566
567 2019-03-06  Mark Lam  <mark.lam@apple.com>
568
569         Fix incorrect handling of try-finally completion values.
570         https://bugs.webkit.org/show_bug.cgi?id=195131
571         <rdar://problem/46222079>
572
573         Reviewed by Saam Barati and Yusuke Suzuki.
574
575         Added many permutations of new test case to test-finally.js.  test-finally.js has
576         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
577         tests passes there as well.
578
579         * stress/test-finally.js:
580
581 2019-03-06  Saam Barati  <sbarati@apple.com>
582
583         Air::reportUsedRegisters must padInterference
584         https://bugs.webkit.org/show_bug.cgi?id=195303
585         <rdar://problem/48270343>
586
587         Reviewed by Keith Miller.
588
589         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
590
591 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
592
593         [JSC] AI should not propagate AbstractValue relying on constant folding phase
594         https://bugs.webkit.org/show_bug.cgi?id=195375
595
596         Reviewed by Saam Barati.
597
598         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
599         (let.array):
600
601 2019-03-05  Saam barati  <sbarati@apple.com>
602
603         op_switch_char broken for rope strings after JSRopeString layout rewrite
604         https://bugs.webkit.org/show_bug.cgi?id=195339
605         <rdar://problem/48592545>
606
607         Reviewed by Yusuke Suzuki.
608
609         * stress/switch-on-char-llint-rope.js: Added.
610
611 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
612
613         [JSC] Store bits for JSRopeString in 3 stores
614         https://bugs.webkit.org/show_bug.cgi?id=195234
615
616         Reviewed by Saam Barati.
617
618         * stress/null-rope-and-collectors.js: Added.
619
620 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
621
622         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
623         https://bugs.webkit.org/show_bug.cgi?id=195207
624
625         Unreviewed. After test runtime was reduced in r242213, test can be
626         run again on ARM/MIPS.
627
628         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
629
630 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
631
632         [JSC] sizeof(JSString) should be 16
633         https://bugs.webkit.org/show_bug.cgi?id=194375
634
635         Reviewed by Saam Barati.
636
637         * microbenchmarks/make-rope.js: Added.
638         (makeRope):
639         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
640         (returnRope.helper): Deleted.
641         (returnRope): Deleted.
642
643 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
646         https://bugs.webkit.org/show_bug.cgi?id=195144
647
648         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
649         Change the number from 1e8 to 1e5.
650
651         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
652         (foo):
653
654 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
655
656         Test times out on ARM/MIPS
657         https://bugs.webkit.org/show_bug.cgi?id=195168
658
659         Unreviewed. Skip test on ARM/MIPS.
660
661         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
662
663 2019-02-27  Mark Lam  <mark.lam@apple.com>
664
665         The parser is failing to record the token location of new in new.target.
666         https://bugs.webkit.org/show_bug.cgi?id=195127
667         <rdar://problem/39645578>
668
669         Reviewed by Yusuke Suzuki.
670
671         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
672
673 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
674
675         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
676         https://bugs.webkit.org/show_bug.cgi?id=195144
677         <rdar://problem/47595961>
678
679         Reviewed by Mark Lam.
680
681         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
682         (bar):
683         (foo):
684         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
685         (bar):
686         (foo):
687
688 2019-02-27  Robin Morisset  <rmorisset@apple.com>
689
690         DFG: Loop-invariant code motion (LICM) should not hoist dead code
691         https://bugs.webkit.org/show_bug.cgi?id=194945
692         <rdar://problem/48311657>
693
694         Reviewed by Mark Lam.
695
696         * stress/licm-dead-code.js: Added.
697
698 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
699
700         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
701         https://bugs.webkit.org/show_bug.cgi?id=194677
702         <rdar://problem/48112492>
703
704         Reviewed by Mark Lam.
705
706         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
707         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
708         it immediately fails due the large size.
709
710         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
711         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
712         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
713         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
714
715         This patch changes the test to produce 16bit string from String.fromCharCode.
716
717         * stress/regress-178386.js:
718
719 2019-02-26  Mark Lam  <mark.lam@apple.com>
720
721         wasmToJS() should purify incoming NaNs.
722         https://bugs.webkit.org/show_bug.cgi?id=194807
723         <rdar://problem/48189132>
724
725         Reviewed by Saam Barati.
726
727         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
728
729 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
730
731         [JSC] Repeat string created from Array.prototype.join() take too much memory
732         https://bugs.webkit.org/show_bug.cgi?id=193912
733
734         Reviewed by Saam Barati.
735
736         Added a test and a microbenchmark for corner cases of
737         Array.prototype.join() with an uninitialized array.
738
739         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
740         * stress/array-prototype-join-uninitialized.js: Added.
741         (testArray):
742         (testABC):
743         (B):
744         (C):
745
746 2019-02-22  Robin Morisset  <rmorisset@apple.com>
747
748         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
749         https://bugs.webkit.org/show_bug.cgi?id=194953
750         <rdar://problem/47595253>
751
752         Reviewed by Saam Barati.
753
754         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
755
756         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
757
758 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
759
760         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
761         https://bugs.webkit.org/show_bug.cgi?id=172848
762         <rdar://problem/25709212>
763
764         Reviewed by Mark Lam.
765
766         * typeProfiler/inheritance.js:
767         Rewrite the test slightly for clarity. The hoisting was confusing.
768
769         * heapProfiler/class-names.js: Added.
770         (MyES5Class):
771         (MyES6Class):
772         (MyES6Subclass):
773         Test object types and improved class names.
774
775         * heapProfiler/driver/driver.js:
776         (CheapHeapSnapshotNode):
777         (CheapHeapSnapshot):
778         (createCheapHeapSnapshot):
779         (HeapSnapshot):
780         (createHeapSnapshot):
781         Update snapshot parsing from version 1 to version 2.
782
783 2019-02-19  Truitt Savell  <tsavell@apple.com>
784
785         Unreviewed, rolling out r241784.
786
787         Broke all OpenSource builds.
788
789         Reverted changeset:
790
791         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
792         instances view"
793         https://bugs.webkit.org/show_bug.cgi?id=172848
794         https://trac.webkit.org/changeset/241784
795
796 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
797
798         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
799         https://bugs.webkit.org/show_bug.cgi?id=172848
800         <rdar://problem/25709212>
801
802         Reviewed by Mark Lam.
803
804         * typeProfiler/inheritance.js:
805         Rewrite the test slightly for clarity. The hoisting was confusing.
806
807         * heapProfiler/class-names.js: Added.
808         (MyES5Class):
809         (MyES6Class):
810         (MyES6Subclass):
811         Test object types and improved class names.
812
813         * heapProfiler/driver/driver.js:
814         (CheapHeapSnapshotNode):
815         (CheapHeapSnapshot):
816         (createCheapHeapSnapshot):
817         (HeapSnapshot):
818         (createHeapSnapshot):
819         Update snapshot parsing from version 1 to version 2.
820
821 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
822
823         [ARM] Fix crash with sampling profiler
824         https://bugs.webkit.org/show_bug.cgi?id=194772
825
826         Reviewed by Mark Lam.
827
828         Do not skip test since crash with sampling profiler is now fixed.
829
830         * stress/sampling-profiler-richards.js:
831
832 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
833
834         [JSC] Add LazyClassStructure::getInitializedOnMainThread
835         https://bugs.webkit.org/show_bug.cgi?id=194784
836         <rdar://problem/48154820>
837
838         Reviewed by Mark Lam.
839
840         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
841         (getProperties):
842         (getRandomProperty):
843         (i.catch):
844
845 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
846
847         [ARM] Test gardening: Test running out of executable memory
848         https://bugs.webkit.org/show_bug.cgi?id=194771
849
850         Unreviewed. Do not run test without LLInt, test is running out of executable
851         memory on ARM otherwise.
852
853         * stress/tagged-template-object-collect.js:
854
855 2019-02-18  Tomas Popela  <tpopela@redhat.com>
856
857         Unreviewed, skip the test on platforms without sampling profiler
858
859         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
860         (platformSupportsSamplingProfiler.foo):
861         (platformSupportsSamplingProfiler.test):
862         (platformSupportsSamplingProfiler):
863         (foo): Deleted.
864         (test): Deleted.
865
866 2019-02-17  Saam Barati  <sbarati@apple.com>
867
868         Deadlock when adding a Structure property transition and then doing incremental marking
869         https://bugs.webkit.org/show_bug.cgi?id=194767
870
871         Reviewed by Mark Lam.
872
873         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
874
875 2019-02-15  Michael Saboff  <msaboff@apple.com>
876
877         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
878         https://bugs.webkit.org/show_bug.cgi?id=194558
879
880         Reviewed by Saam Barati.
881
882         New regression test.
883
884         * stress/regexp-unicode-within-string.js: Added.
885
886 2019-02-15  Mark Lam  <mark.lam@apple.com>
887
888         SamplingProfiler::stackTracesAsJSON() should escape strings.
889         https://bugs.webkit.org/show_bug.cgi?id=194649
890         <rdar://problem/48072386>
891
892         Reviewed by Saam Barati.
893
894         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
895         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
896         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
897         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
898
899 2019-02-15  Robin Morisset  <rmorisset@apple.com>
900         CodeBlock::jettison should clear related watchpoints
901         https://bugs.webkit.org/show_bug.cgi?id=194544
902
903         Reviewed by Mark Lam.
904
905         * stress/regexp-replace-double-watchpoint.js: Added.
906         (foo):
907
908 2019-02-15  Saam barati  <sbarati@apple.com>
909
910         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
911         https://bugs.webkit.org/show_bug.cgi?id=194036
912
913         Reviewed by Yusuke Suzuki.
914
915         * stress/tail-call-many-arguments.js: Added.
916         (foo):
917         (bar):
918
919 2019-02-14  Saam Barati  <sbarati@apple.com>
920
921         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
922         https://bugs.webkit.org/show_bug.cgi?id=194583
923         <rdar://problem/48028140>
924
925         Reviewed by Yusuke Suzuki.
926
927         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
928
929 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
930
931         [JSC] String.fromCharCode's slow path always generates 16bit string
932         https://bugs.webkit.org/show_bug.cgi?id=194466
933
934         Reviewed by Keith Miller.
935
936         * stress/string-from-char-code-slow-path.js: Added.
937         (shouldBe):
938         (testWithLength):
939
940 2019-02-08  Saam barati  <sbarati@apple.com>
941
942         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
943         https://bugs.webkit.org/show_bug.cgi?id=194334
944         <rdar://problem/47844327>
945
946         Reviewed by Mark Lam.
947
948         * stress/check-in-bounds-should-be-a-child-use.js: Added.
949         (func):
950
951 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
952
953         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
954         https://bugs.webkit.org/show_bug.cgi?id=194369
955         <rdar://problem/47813087>
956
957         Reviewed by Saam Barati.
958
959         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
960         (A):
961
962 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
963
964         [JSC] PrivateName to PublicName hash table is wasteful
965         https://bugs.webkit.org/show_bug.cgi?id=194277
966
967         Reviewed by Michael Saboff.
968
969         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
970
971         * ChakraCore.yaml:
972
973 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
974
975         [ARM] Test running out of executable memory
976         https://bugs.webkit.org/show_bug.cgi?id=194285
977
978         Unreviewed. Do no execute test with LLInt disabled, test runs out of
979         executable memory otherwise.
980
981         * stress/class-subclassing-function.js:
982
983 2019-02-04  Robin Morisset  <rmorisset@apple.com>
984
985         when lowering AssertNotEmpty, create the value before creating the patchpoint
986         https://bugs.webkit.org/show_bug.cgi?id=194231
987
988         Reviewed by Saam Barati.
989
990         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
991         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
992         So even tiny changes to this test can change the path code taken.
993
994         * stress/assert-not-empty.js: Added.
995         (foo):
996
997 2019-02-01  Mark Lam  <mark.lam@apple.com>
998
999         Remove invalid assertion in DFG's compileDoubleRep().
1000         https://bugs.webkit.org/show_bug.cgi?id=194130
1001         <rdar://problem/47699474>
1002
1003         Reviewed by Saam Barati.
1004
1005         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1006
1007 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1008
1009         Import latest Test262 updates.
1010
1011         Rubber-stamped by Keith Miller.
1012
1013         * test262.yaml: Deleted.
1014         * test262/config.yaml:
1015         * test262/expectations.yaml:
1016         * test262/latest-changes-summary.txt:
1017         * test262/test/:
1018         * test262/test262-Revision.txt:
1019
1020 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1021
1022         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1023         https://bugs.webkit.org/show_bug.cgi?id=194050
1024         <rdar://problem/47595592>
1025
1026         Reviewed by Yusuke Suzuki.
1027
1028         * stress/object-keys-osr-exit.js: Added.
1029         (foo):
1030         (catch):
1031
1032 2019-01-29  Mark Lam  <mark.lam@apple.com>
1033
1034         ValueRecovery::recover() should purify NaN values it recovers.
1035         https://bugs.webkit.org/show_bug.cgi?id=193978
1036         <rdar://problem/47625488>
1037
1038         Reviewed by Saam Barati.
1039
1040         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1041
1042 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1043
1044         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1045         https://bugs.webkit.org/show_bug.cgi?id=193713
1046
1047         * stress/try-get-by-id-should-spill-registers-dfg.js:
1048         (let.f.createBuiltin):
1049
1050 2019-01-28  Mark Lam  <mark.lam@apple.com>
1051
1052         ToString node actually does GC.
1053         https://bugs.webkit.org/show_bug.cgi?id=193920
1054         <rdar://problem/46695900>
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         * stress/dfg-to-string-on-int-does-gc.js: Added.
1059         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1060         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1061
1062 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1063
1064         [JSC] NativeErrorConstructor should not have own IsoSubspace
1065         https://bugs.webkit.org/show_bug.cgi?id=193713
1066
1067         Reviewed by Saam Barati.
1068
1069         Remove @Error use.
1070
1071         * stress/try-get-by-id-should-spill-registers-dfg.js:
1072         (let.f.createBuiltin):
1073
1074 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1075
1076         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1077         https://bugs.webkit.org/show_bug.cgi?id=190693
1078
1079         Reviewed by Michael Saboff.
1080
1081         * stress/regress-190693.js: Added.
1082         (truth):
1083         (assert):
1084         (shouldThrowInvalidConstAssignment):
1085         (taz):
1086
1087 2019-01-24  Saam Barati  <sbarati@apple.com>
1088
1089         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1090         https://bugs.webkit.org/show_bug.cgi?id=193751
1091         <rdar://problem/47280215>
1092
1093         Reviewed by Michael Saboff.
1094
1095         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1096         (let.thing):
1097         (foo.let.hello):
1098         (foo):
1099
1100 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1101
1102         [JSC] Reenable baseline JIT on mips
1103         https://bugs.webkit.org/show_bug.cgi?id=192983
1104
1105         Reviewed by Mark Lam.
1106
1107         Added a new test for a case that was triggering a RELEASE_ASSERT when
1108         testing.
1109         Disable some slow tests that were already disabled for arm and x86.
1110
1111         * stress/json-parse-big-object.js: Added.
1112         * stress/new-largeish-contiguous-array-with-size.js:
1113         * stress/op_add.js:
1114         * stress/op_bitand.js:
1115         * stress/op_bitor.js:
1116         * stress/op_bitxor.js:
1117         * stress/op_lshift-ConstVar.js:
1118         * stress/op_lshift-VarConst.js:
1119         * stress/op_lshift-VarVar.js:
1120         * stress/op_mod-ConstVar.js:
1121         * stress/op_mod-VarConst.js:
1122         * stress/op_mod-VarVar.js:
1123         * stress/op_mul-ConstVar.js:
1124         * stress/op_mul-VarConst.js:
1125         * stress/op_mul-VarVar.js:
1126         * stress/op_rshift-ConstVar.js:
1127         * stress/op_rshift-VarConst.js:
1128         * stress/op_rshift-VarVar.js:
1129         * stress/op_sub-ConstVar.js:
1130         * stress/op_sub-VarConst.js:
1131         * stress/op_sub-VarVar.js:
1132         * stress/op_urshift-ConstVar.js:
1133         * stress/op_urshift-VarConst.js:
1134         * stress/op_urshift-VarVar.js:
1135         * stress/sampling-profiler-richards.js:
1136         * stress/spread-forward-call-varargs-stack-overflow.js:
1137
1138 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1139
1140         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1141         https://bugs.webkit.org/show_bug.cgi?id=193711
1142         <rdar://problem/47250262>
1143
1144         Reviewed by Saam Barati.
1145
1146         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1147         (shouldBe):
1148         (foo):
1149         (bar):
1150         (baz):
1151
1152 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1153
1154         Unreviewed, fix initial global lexical binding epoch
1155         https://bugs.webkit.org/show_bug.cgi?id=193603
1156         <rdar://problem/47380869>
1157
1158         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1159         (f1.f2.f3.f4):
1160         (f1.f2.f3):
1161         (f1.f2):
1162         (f1):
1163
1164 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1165
1166         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1167         https://bugs.webkit.org/show_bug.cgi?id=193709
1168         <rdar://problem/47363838>
1169
1170         Unreviewed, rollout to watch the tests.
1171
1172         * stress/object-tostring-changed-proto.js: Removed.
1173         * stress/object-tostring-changed.js: Removed.
1174         * stress/object-tostring-misc.js: Removed.
1175         * stress/object-tostring-other.js: Removed.
1176         * stress/object-tostring-untyped.js: Removed.
1177
1178 2019-01-22  Saam Barati  <sbarati@apple.com>
1179
1180         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1181
1182         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1183         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1184         (testUncheckedLessThanZero):
1185         (testUncheckedLessThanOrEqualZero):
1186         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1187         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1188
1189 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1190
1191         [JSC] Invalidate old scope operations using global lexical binding epoch
1192         https://bugs.webkit.org/show_bug.cgi?id=193603
1193         <rdar://problem/47380869>
1194
1195         Reviewed by Saam Barati.
1196
1197         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1198         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1199         (shouldThrow):
1200         (bar):
1201         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1202         (shouldBe):
1203         (get1):
1204         (get2):
1205         (get1If):
1206         (get2If):
1207         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1208         (shouldThrow):
1209         (foo):
1210
1211 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1212
1213         Unreviewed, roll out r240220 due to date-format-xparb regression
1214         https://bugs.webkit.org/show_bug.cgi?id=193603
1215
1216         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1217         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1218         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1219         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1220
1221 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1222
1223         DoesGC rule is wrong for nodes with BigIntUse
1224         https://bugs.webkit.org/show_bug.cgi?id=193652
1225
1226         Reviewed by Saam Barati.
1227
1228         * stress/big-int-value-op-update-gc-rules.js: Added.
1229         (assert):
1230         (doesGCAdd):
1231         (doesGCSub):
1232         (doesGCDiv):
1233         (doesGCMul):
1234         (doesGCBitAnd):
1235         (doesGCBitOr):
1236         (doesGCBitXor):
1237
1238 2019-01-20  Saam Barati  <sbarati@apple.com>
1239
1240         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1241         https://bugs.webkit.org/show_bug.cgi?id=193644
1242         <rdar://problem/46209745>
1243
1244         Reviewed by Yusuke Suzuki.
1245
1246         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1247         (foo):
1248         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1249         (foo):
1250         (bar):
1251
1252 2019-01-20  Saam Barati  <sbarati@apple.com>
1253
1254         MovHint must merge NodeBytecodeUsesAsValue for its child
1255         https://bugs.webkit.org/show_bug.cgi?id=186916
1256         <rdar://problem/41396612>
1257
1258         Reviewed by Yusuke Suzuki.
1259
1260         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1261         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1262
1263 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1264
1265         [JSC] Invalidate old scope operations using global lexical binding epoch
1266         https://bugs.webkit.org/show_bug.cgi?id=193603
1267         <rdar://problem/47380869>
1268
1269         Reviewed by Saam Barati.
1270
1271         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1272         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1273         (shouldThrow):
1274         (bar):
1275         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1276         (shouldBe):
1277         (get1):
1278         (get2):
1279         (get1If):
1280         (get2If):
1281         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1282         (shouldThrow):
1283         (foo):
1284
1285 2019-01-17  Saam barati  <sbarati@apple.com>
1286
1287         StringObjectUse should not be a structure check for the original string object structure
1288         https://bugs.webkit.org/show_bug.cgi?id=193483
1289         <rdar://problem/47280522>
1290
1291         Reviewed by Yusuke Suzuki.
1292
1293         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1294         (foo):
1295         (a.valueOf.0):
1296
1297 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1298
1299         [JSC] ToThis omission in DFGByteCodeParser is wrong
1300         https://bugs.webkit.org/show_bug.cgi?id=193513
1301         <rdar://problem/45842236>
1302
1303         Reviewed by Saam Barati.
1304
1305         * stress/to-this-omission-with-different-strict-modes.js: Added.
1306         (thisA):
1307         (thisAStrictWrapper):
1308
1309 2019-01-15  Mark Lam  <mark.lam@apple.com>
1310
1311         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1312         https://bugs.webkit.org/show_bug.cgi?id=193423
1313         <rdar://problem/46209355>
1314
1315         Reviewed by Saam Barati.
1316
1317         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1318         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1319         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1320         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1321
1322 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1323
1324         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1325         https://bugs.webkit.org/show_bug.cgi?id=193438
1326         <rdar://problem/45581249>
1327
1328         Reviewed by Saam Barati and Keith Miller.
1329
1330         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1331         Then, GetByVal(String) crashed.
1332
1333         * stress/string-get-by-val-lowering.js: Added.
1334         (shouldBe):
1335         (test):
1336         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1337         (Hello):
1338         (foo):
1339
1340 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1341
1342         Unreviewed, skip JIT tests if it's not enabled
1343
1344         * stress/bit-op-with-object-returning-int32.js:
1345
1346 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1347
1348         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1349         https://bugs.webkit.org/show_bug.cgi?id=192966
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/bit-op-with-object-returning-int32.js: Added.
1354
1355 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1356
1357         Skip a slow test and a flakey test on arm
1358
1359         Unreviewed gardening.
1360
1361         * typeProfiler/getter-richards.js:
1362         this test always times out, it used to be always skipped on arm and
1363         mips, but got accidentally enabled by r237919 now that we have DFG on
1364         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1365
1366 2019-01-14  Keith Miller  <keith_miller@apple.com>
1367
1368         Skip type-check-hoisting-phase-hoist... with no jit
1369         https://bugs.webkit.org/show_bug.cgi?id=193421
1370
1371         Reviewed by Mark Lam.
1372
1373         It's timing out the 32-bit bots and takes 330 seconds
1374         on my machine when run by itself.
1375
1376         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1377
1378 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1379
1380         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1381         https://bugs.webkit.org/show_bug.cgi?id=193413
1382         <rdar://problem/46092389>
1383
1384         Reviewed by Keith Miller.
1385
1386         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1387         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1388         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1389         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1390
1391         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1392         (compareArray):
1393
1394 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1395
1396         [BigInt] Literal parsing is crashing when used inside a Object Literal
1397         https://bugs.webkit.org/show_bug.cgi?id=193404
1398
1399         Reviewed by Yusuke Suzuki.
1400
1401         * stress/big-int-literal-inside-literal-object.js: Added.
1402
1403 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1404
1405         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1406         https://bugs.webkit.org/show_bug.cgi?id=193372
1407
1408         Reviewed by Saam Barati.
1409
1410         * stress/typed-array-array-modes-profile.js: Added.
1411         (foo):
1412
1413 2019-01-14  Mark Lam  <mark.lam@apple.com>
1414
1415         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1416         https://bugs.webkit.org/show_bug.cgi?id=193402
1417         <rdar://problem/46012309>
1418
1419         Reviewed by Keith Miller.
1420
1421         * stress/regexp-compile-oom.js:
1422         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1423           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1424
1425 2019-01-11  Saam barati  <sbarati@apple.com>
1426
1427         DFG combined liveness can be wrong for terminal basic blocks
1428         https://bugs.webkit.org/show_bug.cgi?id=193304
1429         <rdar://problem/45268632>
1430
1431         Reviewed by Yusuke Suzuki.
1432
1433         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1434
1435 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1436
1437         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1438         https://bugs.webkit.org/show_bug.cgi?id=193308
1439         <rdar://problem/45546542>
1440
1441         Reviewed by Saam Barati.
1442
1443         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1444         (shouldThrow):
1445         (shouldBe):
1446         (foo):
1447         (get shouldThrow):
1448         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1449         (shouldThrow):
1450         (shouldBe):
1451         (foo):
1452         (get shouldBe):
1453         (get shouldThrow):
1454         (get return):
1455         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1456         (shouldThrow):
1457         (shouldBe):
1458         (foo):
1459         (get shouldBe):
1460         (get shouldThrow):
1461         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1462         (shouldThrow):
1463         (shouldBe):
1464         (foo):
1465         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1466         (shouldThrow):
1467         (shouldBe):
1468         (foo):
1469         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1470         (shouldThrow):
1471         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1472         (shouldThrow):
1473         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1474         (shouldThrow):
1475         (shouldBe):
1476         (foo):
1477         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1478         (shouldThrow):
1479         (shouldBe):
1480         (foo):
1481         (get shouldBe):
1482         (get shouldThrow):
1483         (get return):
1484         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1485         (shouldThrow):
1486         (shouldBe):
1487         (foo):
1488         (get shouldBe):
1489         (get shouldThrow):
1490         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1491         (shouldThrow):
1492         (shouldBe):
1493         (foo):
1494         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1495         (shouldThrow):
1496         (shouldBe):
1497         (foo):
1498
1499 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1500
1501         Enable DFG on ARM/Linux again
1502         https://bugs.webkit.org/show_bug.cgi?id=192496
1503
1504         Reviewed by Yusuke Suzuki.
1505
1506         Test wasn't really skipped before moving the line with skip
1507         to the top.
1508
1509         * stress/regress-192717.js:
1510
1511 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1512
1513         Unreviewed, rolling out r239825.
1514         https://bugs.webkit.org/show_bug.cgi?id=193330
1515
1516         Broke tests on armv7/linux bots (Requested by guijemont on
1517         #webkit).
1518
1519         Reverted changeset:
1520
1521         "Enable DFG on ARM/Linux again"
1522         https://bugs.webkit.org/show_bug.cgi?id=192496
1523         https://trac.webkit.org/changeset/239825
1524
1525 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1526
1527         Enable DFG on ARM/Linux again
1528         https://bugs.webkit.org/show_bug.cgi?id=192496
1529
1530         Reviewed by Yusuke Suzuki.
1531
1532         Test wasn't really skipped before moving the line with skip
1533         to the top.
1534
1535         * stress/regress-192717.js:
1536
1537 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1538
1539         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1540         https://bugs.webkit.org/show_bug.cgi?id=193127
1541
1542         Reviewed by Saam Barati.
1543
1544         * stress/array-species-create-should-handle-masquerader.js: Added.
1545         (shouldThrow):
1546         * stress/is-undefined-or-null-builtin.js: Added.
1547         (shouldBe):
1548         (isUndefinedOrNull.vm.createBuiltin):
1549
1550 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1551
1552         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1553         https://bugs.webkit.org/show_bug.cgi?id=193221
1554
1555         Reviewed by Mark Lam.
1556
1557         * stress/put-by-id-flags.js: Added.
1558         (f):
1559         (g):
1560         (numberOfDFGCompiles):
1561
1562 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1563
1564         Baseline version of get_by_id may corrupt metadata
1565         https://bugs.webkit.org/show_bug.cgi?id=193085
1566         <rdar://problem/23453006>
1567
1568         Reviewed by Saam Barati.
1569
1570         * stress/get-by-id-change-mode.js: Added.
1571         (forEach):
1572
1573 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1574
1575         [JSC] Optimize Object.prototype.toString
1576         https://bugs.webkit.org/show_bug.cgi?id=193031
1577
1578         Reviewed by Saam Barati.
1579
1580         * stress/object-tostring-changed-proto.js: Added.
1581         (shouldBe):
1582         (test):
1583         * stress/object-tostring-changed.js: Added.
1584         (shouldBe):
1585         (test):
1586         * stress/object-tostring-misc.js: Added.
1587         (shouldBe):
1588         (test):
1589         (i.switch):
1590         * stress/object-tostring-other.js: Added.
1591         (shouldBe):
1592         (test):
1593         * stress/object-tostring-untyped.js: Added.
1594         (shouldBe):
1595         (test):
1596         (i.switch):
1597
1598 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1599
1600         test262-runner misbehaves when test file YAML has a trailing space
1601         https://bugs.webkit.org/show_bug.cgi?id=193053
1602
1603         Reviewed by Yusuke Suzuki.
1604
1605         * test262/expectations.yaml:
1606         Mark two dozen tests as passing (and correct the output of another).
1607
1608 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1609
1610         Unreviewed, JSTests gardening with memoryLimited
1611
1612         * stress/string-overflow-createError.js:
1613
1614 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1615
1616         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1617         https://bugs.webkit.org/show_bug.cgi?id=193050
1618
1619         Reviewed by Yusuke Suzuki.
1620
1621         * test262.yaml:
1622         * test262/expectations.yaml:
1623         Mark 16 tests as passing.
1624
1625 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1626
1627         [BigInt] Support BigInt in JSON.stringify
1628         https://bugs.webkit.org/show_bug.cgi?id=192624
1629
1630         Reviewed by Saam Barati.
1631
1632         * stress/big-int-json-stringify-to-json.js: Added.
1633         (shouldBe):
1634         (shouldThrow):
1635         (BigInt.prototype.toJSON):
1636         (shouldBe.JSON.stringify):
1637         * stress/big-int-json-stringify.js: Added.
1638         (shouldBe):
1639         (shouldThrow):
1640
1641 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1642
1643         [JSC] Implement "well-formed JSON.stringify" proposal
1644         https://bugs.webkit.org/show_bug.cgi?id=191677
1645
1646         Reviewed by Darin Adler.
1647
1648         * stress/json-surrogate-pair.js: Added.
1649         (shouldBe):
1650         * test262/expectations.yaml:
1651
1652 2018-12-20  Keith Miller  <keith_miller@apple.com>
1653
1654         Add support for globalThis
1655         https://bugs.webkit.org/show_bug.cgi?id=165171
1656
1657         Reviewed by Mark Lam.
1658
1659         * test262/config.yaml:
1660
1661 2018-12-19  Keith Miller  <keith_miller@apple.com>
1662
1663         Update test262 configuration to not run tests dependent on ICU version.
1664         https://bugs.webkit.org/show_bug.cgi?id=192920
1665
1666         Reviewed by Saam Barati.
1667
1668         * test262/expectations.yaml:
1669
1670 2018-12-20  Mark Lam  <mark.lam@apple.com>
1671
1672         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1673         https://bugs.webkit.org/show_bug.cgi?id=192939
1674         <rdar://problem/46869516>
1675
1676         Reviewed by Keith Miller.
1677
1678         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1679
1680 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1681
1682         WTF::String and StringImpl overflow MaxLength
1683         https://bugs.webkit.org/show_bug.cgi?id=192853
1684         <rdar://problem/45726906>
1685
1686         Reviewed by Mark Lam.
1687
1688         * stress/string-16bit-repeat-overflow.js: Added.
1689         (catch):
1690
1691 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1692
1693         Unreviewed follow-up to r192914.
1694
1695         * test262/expectations.yaml:
1696         Add the last 20 missing expectations.
1697
1698 2018-12-19  Keith Miller  <keith_miller@apple.com>
1699
1700         Fix test262 expectations
1701         https://bugs.webkit.org/show_bug.cgi?id=192914
1702
1703         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1704
1705         * test262/expectations.yaml:
1706
1707 2018-12-19  Keith Miller  <keith_miller@apple.com>
1708
1709         Update test262 tests.
1710         https://bugs.webkit.org/show_bug.cgi?id=192907
1711
1712         Rubber stamped by Mark Lam.
1713
1714         * test262/*: Omitted because prepare-changelog crashes.
1715
1716 2018-12-19  Mark Lam  <mark.lam@apple.com>
1717
1718         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1719         https://bugs.webkit.org/show_bug.cgi?id=192464
1720         <rdar://problem/46519455>
1721
1722         Reviewed by Saam Barati.
1723
1724         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1725         microbenchmark.
1726
1727         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1728         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1729
1730 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1731
1732         String overflow in JSC::createError results in ASSERT in WTF::makeString
1733         https://bugs.webkit.org/show_bug.cgi?id=192833
1734         <rdar://problem/45706868>
1735
1736         Reviewed by Mark Lam.
1737
1738         * stress/string-overflow-createError.js: Added.
1739
1740 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1741
1742         Error message for `-x ** y` contains a typo.
1743         https://bugs.webkit.org/show_bug.cgi?id=192832
1744
1745         Reviewed by Saam Barati.
1746
1747         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1748         (assert.assert.return.throws):
1749         * stress/pow-expects-update-expression-on-lhs.js:
1750         (throw.new.Error):
1751         Update test expectations which match against the exact error message.
1752
1753 2018-12-18  Mark Lam  <mark.lam@apple.com>
1754
1755         Gardening: test options fix.
1756         https://bugs.webkit.org/show_bug.cgi?id=192822
1757
1758         Unreviewed.
1759
1760         * stress/json-stringify-string-builder-overflow.js:
1761
1762 2018-12-18  Mark Lam  <mark.lam@apple.com>
1763
1764         JSON.stringify() should throw OOM on StringBuilder overflows.
1765         https://bugs.webkit.org/show_bug.cgi?id=192822
1766         <rdar://problem/46670577>
1767
1768         Reviewed by Saam Barati.
1769
1770         * stress/json-stringify-string-builder-overflow.js: Added.
1771
1772 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1773
1774         Redeclaration of var over let/const/class should be a syntax error.
1775         https://bugs.webkit.org/show_bug.cgi?id=192298
1776
1777         Reviewed by Keith Miller.
1778
1779         * test262.yaml:
1780         * test262/expectations.yaml:
1781         Mark 46 tests as passing.
1782
1783         * stress/block-scope-redeclarations.js:
1784         Add some new tests.
1785
1786         * stress/for-in-invalidate-context-weird-assignments.js:
1787         * stress/for-in-tests.js:
1788         Replace tests for outdated behavior with tests for SyntaxError.
1789
1790         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1791         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1792         Update expectations.
1793
1794 2018-12-18  Mark Lam  <mark.lam@apple.com>
1795
1796         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1797         https://bugs.webkit.org/show_bug.cgi?id=191374
1798         <rdar://problem/46525447>
1799
1800         Reviewed by Yusuke Suzuki.
1801
1802         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1803
1804         * stress/elidable-new-object-roflcopter-then-exit.js:
1805
1806 2018-12-17  Mark Lam  <mark.lam@apple.com>
1807
1808         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1809         https://bugs.webkit.org/show_bug.cgi?id=192019
1810         <rdar://problem/46525456>
1811
1812         Reviewed by Yusuke Suzuki.
1813
1814         The test runs too slow on 32-bit.
1815
1816         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1817
1818 2018-12-17  Mark Lam  <mark.lam@apple.com>
1819
1820         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1821         https://bugs.webkit.org/show_bug.cgi?id=191373
1822         <rdar://problem/46525458>
1823
1824         Reviewed by Yusuke Suzuki.
1825
1826         The test is already slow running with a JIT on 64-bit.  It will always timeout
1827         on 32-bit without a JIT.
1828
1829         * stress/materialize-regexp-cyclic-regexp.js:
1830
1831 2018-12-17  Mark Lam  <mark.lam@apple.com>
1832
1833         Array unshift/shift should not race against the AI in the compiler thread.
1834         https://bugs.webkit.org/show_bug.cgi?id=192795
1835         <rdar://problem/46724263>
1836
1837         Reviewed by Saam Barati.
1838
1839         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1840
1841 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1842
1843         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1844         https://bugs.webkit.org/show_bug.cgi?id=190047
1845
1846         Reviewed by Saam Barati.
1847
1848         * stress/object-keys-cached-zero.js: Added.
1849         (shouldBe):
1850         (test):
1851         * stress/object-keys-changed-attribute.js: Added.
1852         (shouldBe):
1853         (test):
1854         * stress/object-keys-changed-index.js: Added.
1855         (shouldBe):
1856         (test):
1857         * stress/object-keys-changed.js: Added.
1858         (shouldBe):
1859         (test):
1860         * stress/object-keys-indexed-non-cache.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/object-keys-overrides-get-property-names.js: Added.
1864         (shouldBe):
1865         (test):
1866         (noInline):
1867
1868 2018-12-17  Mark Lam  <mark.lam@apple.com>
1869
1870         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1871         https://bugs.webkit.org/show_bug.cgi?id=192779
1872         <rdar://problem/46775869>
1873
1874         Reviewed by Saam Barati.
1875
1876         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1877
1878 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1879
1880         Unreviewed test gardening, address a syntax error in a new test.
1881
1882         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1883
1884 2018-12-17  Mark Lam  <mark.lam@apple.com>
1885
1886         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1887         https://bugs.webkit.org/show_bug.cgi?id=192776
1888         <rdar://problem/46772368>
1889
1890         Reviewed by Keith Miller.
1891
1892         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1893
1894 2018-12-17  Mark Lam  <mark.lam@apple.com>
1895
1896         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1897         https://bugs.webkit.org/show_bug.cgi?id=192770
1898         <rdar://problem/46449037>
1899
1900         Reviewed by Keith Miller.
1901
1902         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1903
1904 2018-12-14  Mark Lam  <mark.lam@apple.com>
1905
1906         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1907         https://bugs.webkit.org/show_bug.cgi?id=192717
1908         <rdar://problem/46660677>
1909
1910         Reviewed by Saam Barati.
1911
1912         * stress/regress-192717.js: Added.
1913
1914 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1915
1916         Unreviewed, rolling out r239153, r239154, and r239155.
1917         https://bugs.webkit.org/show_bug.cgi?id=192715
1918
1919         Caused flaky GC-related crashes seen with layout tests
1920         (Requested by ryanhaddad on #webkit).
1921
1922         Reverted changesets:
1923
1924         "[JSC] Optimize Object.keys by caching own keys results in
1925         StructureRareData"
1926         https://bugs.webkit.org/show_bug.cgi?id=190047
1927         https://trac.webkit.org/changeset/239153
1928
1929         "Unreviewed, build fix after r239153"
1930         https://bugs.webkit.org/show_bug.cgi?id=190047
1931         https://trac.webkit.org/changeset/239154
1932
1933         "Unreviewed, build fix after r239153, part 2"
1934         https://bugs.webkit.org/show_bug.cgi?id=190047
1935         https://trac.webkit.org/changeset/239155
1936
1937 2018-12-14  Keith Miller  <keith_miller@apple.com>
1938
1939         Callers of JSString::getIndex should check for OOM exceptions
1940         https://bugs.webkit.org/show_bug.cgi?id=192709
1941
1942         Reviewed by Mark Lam.
1943
1944         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1945
1946 2018-12-13  Mark Lam  <mark.lam@apple.com>
1947
1948         Add a missing exception check.
1949         https://bugs.webkit.org/show_bug.cgi?id=192626
1950         <rdar://problem/46662163>
1951
1952         Reviewed by Keith Miller.
1953
1954         * stress/regress-192626.js: Added.
1955
1956 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1957
1958         [BigInt] Add ValueDiv into DFG
1959         https://bugs.webkit.org/show_bug.cgi?id=186178
1960
1961         Reviewed by Yusuke Suzuki.
1962
1963         * stress/big-int-div-jit-osr.js: Added.
1964         * stress/big-int-div-jit-untyped.js: Added.
1965         * stress/value-div-fixup-int32-big-int.js: Added.
1966
1967 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1968
1969         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1970         https://bugs.webkit.org/show_bug.cgi?id=190047
1971
1972         Reviewed by Keith Miller.
1973
1974         * stress/object-keys-cached-zero.js: Added.
1975         (shouldBe):
1976         (test):
1977         * stress/object-keys-changed-attribute.js: Added.
1978         (shouldBe):
1979         (test):
1980         * stress/object-keys-changed-index.js: Added.
1981         (shouldBe):
1982         (test):
1983         * stress/object-keys-changed.js: Added.
1984         (shouldBe):
1985         (test):
1986         * stress/object-keys-indexed-non-cache.js: Added.
1987         (shouldBe):
1988         (test):
1989         * stress/object-keys-overrides-get-property-names.js: Added.
1990         (shouldBe):
1991         (test):
1992         (noInline):
1993
1994 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1995
1996         [DFG][FTL] Add NewSymbol
1997         https://bugs.webkit.org/show_bug.cgi?id=192620
1998
1999         Reviewed by Saam Barati.
2000
2001         * microbenchmarks/symbol-creation.js: Added.
2002         (test):
2003         * stress/symbol-description-identity.js: Added.
2004         (shouldBe):
2005         (test):
2006         * stress/symbol-identity.js: Added.
2007         (shouldBe):
2008         (test):
2009         * stress/symbol-with-description-throw-error.js: Added.
2010         (shouldBe):
2011         (shouldThrow):
2012         (test):
2013         (object.toString):
2014
2015 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2016
2017         [BigInt] Implement DFG/FTL typeof for BigInt
2018         https://bugs.webkit.org/show_bug.cgi?id=192619
2019
2020         Reviewed by Keith Miller.
2021
2022         * stress/big-int-boolean-proven-type.js: Added.
2023         (assert):
2024         (bool):
2025         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2026         (assert):
2027         (typeOf):
2028         (i.switch):
2029         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2030         (assert):
2031         (typeOf):
2032         * stress/big-int-type-of.js:
2033         (typeOf):
2034         (func):
2035
2036 2018-12-10  Mark Lam  <mark.lam@apple.com>
2037
2038         PropertyAttribute needs a CustomValue bit.
2039         https://bugs.webkit.org/show_bug.cgi?id=191993
2040         <rdar://problem/46264467>
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/regress-191993.js: Added.
2045
2046 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2047
2048         [BigInt] Add ValueMul into DFG
2049         https://bugs.webkit.org/show_bug.cgi?id=186175
2050
2051         Reviewed by Yusuke Suzuki.
2052
2053         * stress/big-int-mul-jit-osr.js: Added.
2054         * stress/big-int-mul-jit-untyped.js: Added.
2055         * stress/value-mul-fixup-int32-big-int.js: Added.
2056
2057 2018-12-06  Keith Miller  <keith_miller@apple.com>
2058
2059         stress/big-wasm-memory tests failing on 32-bit JSC bot
2060         https://bugs.webkit.org/show_bug.cgi?id=192020
2061
2062         Reviewed by Saam Barati.
2063
2064         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2065         the wasm stress tests if the WebAssembly object does not exist.
2066
2067         * stress/big-wasm-memory-grow-no-max.js:
2068         (test.foo):
2069         (test):
2070         (foo): Deleted.
2071         (catch): Deleted.
2072         * stress/big-wasm-memory-grow.js:
2073         (test.foo):
2074         (test):
2075         (foo): Deleted.
2076         (catch): Deleted.
2077         * stress/big-wasm-memory.js:
2078         (test.foo):
2079         (test):
2080         (foo): Deleted.
2081         (catch): Deleted.
2082
2083 2018-12-05  Mark Lam  <mark.lam@apple.com>
2084
2085         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2086         https://bugs.webkit.org/show_bug.cgi?id=192441
2087         <rdar://problem/46480355>
2088
2089         Reviewed by Saam Barati.
2090
2091         * stress/regress-192441.js: Added.
2092
2093 2018-12-04  Mark Lam  <mark.lam@apple.com>
2094
2095         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2096         https://bugs.webkit.org/show_bug.cgi?id=192386
2097         <rdar://problem/46445516>
2098
2099         Reviewed by Saam Barati.
2100
2101         * stress/regress-192386.js: Added.
2102
2103 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2104
2105         [ESNext][BigInt] Support logic operations
2106         https://bugs.webkit.org/show_bug.cgi?id=179903
2107
2108         Reviewed by Yusuke Suzuki.
2109
2110         * stress/big-int-branch-usage.js: Added.
2111         * stress/big-int-logical-and.js: Added.
2112         * stress/big-int-logical-not.js: Added.
2113         * stress/big-int-logical-or.js: Added.
2114
2115 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2116
2117         Unreviewed, rolling out r238833.
2118
2119         Breaks macOS and iOS debug builds.
2120
2121         Reverted changeset:
2122
2123         "[ESNext][BigInt] Support logic operations"
2124         https://bugs.webkit.org/show_bug.cgi?id=179903
2125         https://trac.webkit.org/changeset/238833
2126
2127 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2128
2129         [ESNext][BigInt] Support logic operations
2130         https://bugs.webkit.org/show_bug.cgi?id=179903
2131
2132         Reviewed by Yusuke Suzuki.
2133
2134         * stress/big-int-branch-usage.js: Added.
2135         * stress/big-int-logical-and.js: Added.
2136         * stress/big-int-logical-not.js: Added.
2137         * stress/big-int-logical-or.js: Added.
2138
2139 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2140
2141         [ESNext][BigInt] Implement support for "<<" and ">>"
2142         https://bugs.webkit.org/show_bug.cgi?id=186233
2143
2144         Reviewed by Yusuke Suzuki.
2145
2146         * stress/big-int-left-shift-general.js: Added.
2147         * stress/big-int-left-shift-range-error.js: Added.
2148         * stress/big-int-left-shift-type-error.js: Added.
2149         * stress/big-int-left-shift-wrapped-value.js: Added.
2150         * stress/big-int-right-shift-general.js: Added.
2151         * stress/big-int-right-shift-type-error.js: Added.
2152         * stress/big-int-right-shift-wrapped-value.js: Added.
2153         * stress/left-shift-to-primitive-precedence.js: Added.
2154         * stress/right-shift-to-primitive-precedence.js: Added.
2155
2156 2018-11-30  Dean Jackson  <dino@apple.com>
2157
2158         Add first-class support for .mjs files in jsc binary
2159         https://bugs.webkit.org/show_bug.cgi?id=192190
2160         <rdar://problem/46375715>
2161
2162         Reviewed by Keith Miller.
2163
2164         * stress/simple-module.mjs: Added.
2165         * stress/simple-script.js: Added.
2166
2167 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2168
2169         [BigInt] Implement ValueBitXor into DFG
2170         https://bugs.webkit.org/show_bug.cgi?id=190264
2171
2172         Reviewed by Yusuke Suzuki.
2173
2174         * stress/big-int-bitwise-xor-jit.js: Added.
2175         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2176         * stress/big-int-bitwise-xor-untyped.js: Added.
2177
2178 2018-11-27  Saam barati  <sbarati@apple.com>
2179
2180         r238510 broke scopes of size zero
2181         https://bugs.webkit.org/show_bug.cgi?id=192033
2182         <rdar://problem/46281734>
2183
2184         Reviewed by Keith Miller.
2185
2186         * stress/r238510-bad-loop.js: Added.
2187         (foo):
2188
2189 2018-11-27  Mark Lam  <mark.lam@apple.com>
2190
2191         [Re-landing] NaNs read from Wasm code needs to be be purified.
2192         https://bugs.webkit.org/show_bug.cgi?id=191056
2193         <rdar://problem/45660341>
2194
2195         Reviewed by Filip Pizlo.
2196
2197         * wasm/regress/regress-191056.js: Added.
2198
2199 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2200
2201         Unreviewed, rolling out r238509.
2202
2203         Causes JSC tests to fail on iOS.
2204
2205         Reverted changeset:
2206
2207         "NaNs read from Wasm code needs to be be purified."
2208         https://bugs.webkit.org/show_bug.cgi?id=191056
2209         https://trac.webkit.org/changeset/238509
2210
2211 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2212
2213         Re-introduce op_bitnot
2214         https://bugs.webkit.org/show_bug.cgi?id=190923
2215
2216         Reviewed by Yusuke Suzuki.
2217
2218         * stress/bit-not-must-generate.js: Added.
2219         * stress/bitwise-not-no-int32.js: Added.
2220
2221 2018-11-26  Saam barati  <sbarati@apple.com>
2222
2223         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2224         https://bugs.webkit.org/show_bug.cgi?id=191956
2225         <rdar://problem/45665806>
2226
2227         Reviewed by Yusuke Suzuki.
2228
2229         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2230         (bar):
2231         (foo):
2232
2233 2018-11-26  Saam barati  <sbarati@apple.com>
2234
2235         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2236         https://bugs.webkit.org/show_bug.cgi?id=191958
2237         <rdar://problem/46221877>
2238
2239         Reviewed by Yusuke Suzuki.
2240
2241         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2242         (x):
2243         (foo):
2244
2245 2018-11-26  Mark Lam  <mark.lam@apple.com>
2246
2247         NaNs read from Wasm code needs to be be purified.
2248         https://bugs.webkit.org/show_bug.cgi?id=191056
2249         <rdar://problem/45660341>
2250
2251         Reviewed by Filip Pizlo.
2252
2253         * wasm/regress/regress-191056.js: Added.
2254
2255 2018-11-26  Michael Saboff  <msaboff@apple.com>
2256
2257         32-bit JSC test failure: stress/regexp-compile-oom.js
2258         https://bugs.webkit.org/show_bug.cgi?id=191375
2259
2260         Reviewed by Mark Lam.
2261
2262         Disabled the test for 32 bit platforms.
2263
2264         * stress/regexp-compile-oom.js:
2265
2266 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2267
2268         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2269         https://bugs.webkit.org/show_bug.cgi?id=191716
2270         <rdar://problem/45723878>
2271
2272         Reviewed by Saam Barati.
2273
2274         * stress/regress-187373.js: Added.
2275         (async.fn):
2276
2277 2018-11-21  Saam barati  <sbarati@apple.com>
2278
2279         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2280         https://bugs.webkit.org/show_bug.cgi?id=191897
2281         <rdar://problem/45871998>
2282
2283         Reviewed by Mark Lam.
2284
2285         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2286         (bar):
2287         (foo):
2288
2289 2018-11-21  Saam barati  <sbarati@apple.com>
2290
2291         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2292         https://bugs.webkit.org/show_bug.cgi?id=191895
2293         <rdar://problem/46167406>
2294
2295         Reviewed by Mark Lam.
2296
2297         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2298         (foo):
2299         (bar):
2300
2301 2018-11-21  Mark Lam  <mark.lam@apple.com>
2302
2303         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2304         https://bugs.webkit.org/show_bug.cgi?id=191776
2305         <rdar://problem/46152851>
2306
2307         Reviewed by Saam Barati.
2308
2309         * stress/big-wasm-memory-grow-no-max.js:
2310         * stress/big-wasm-memory-grow.js:
2311         * stress/big-wasm-memory.js:
2312         - updated these to expect an OutOfMemoryError.
2313
2314         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2315         (Binary.prototype.emit_u8):
2316         (Binary.prototype.emit_u32v):
2317         (Binary.prototype.emit_header):
2318         (Binary.prototype.emit_section):
2319         (Binary):
2320         (WasmModuleBuilder):
2321         (WasmModuleBuilder.prototype.addMemory):
2322         (WasmModuleBuilder.prototype.toArray):
2323         (WasmModuleBuilder.prototype.toBuffer):
2324         (WasmModuleBuilder.prototype.instantiate):
2325         (catch):
2326         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2327         (catch):
2328
2329 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2330
2331         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2332         https://bugs.webkit.org/show_bug.cgi?id=190836
2333
2334         Reviewed by Saam Barati and Yusuke Suzuki.
2335
2336         * stress/big-int-out-of-memory-tests.js: Added.
2337
2338 2018-11-20  Mark Lam  <mark.lam@apple.com>
2339
2340         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2341         https://bugs.webkit.org/show_bug.cgi?id=191856
2342         <rdar://problem/46089992>
2343
2344         Reviewed by Yusuke Suzuki.
2345
2346         * stress/regress-191856.js: Added.
2347         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2348
2349 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2350
2351         Enable JIT on ARM/Linux
2352         https://bugs.webkit.org/show_bug.cgi?id=191548
2353
2354         Reviewed by Yusuke Suzuki.
2355
2356         Disable test on system with limited memory. Program was killed by
2357         the OS before the exception was thrown.
2358
2359         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2360
2361 2018-11-20  Saam barati  <sbarati@apple.com>
2362
2363         Merging an IC variant may lead to the IC status containing overlapping structure sets
2364         https://bugs.webkit.org/show_bug.cgi?id=191869
2365         <rdar://problem/45403453>
2366
2367         Reviewed by Mark Lam.
2368
2369         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2370
2371 2018-11-19  Mark Lam  <mark.lam@apple.com>
2372
2373         globalFuncImportModule() should return a promise when it clears exceptions.
2374         https://bugs.webkit.org/show_bug.cgi?id=191792
2375         <rdar://problem/46090763>
2376
2377         Reviewed by Michael Saboff.
2378
2379         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2380
2381 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2382
2383         Skip new memory-hungry tests on memory limited devices
2384
2385         Unreviewed gardening.
2386
2387         * stress/big-wasm-memory-grow-no-max.js:
2388         * stress/big-wasm-memory-grow.js:
2389         * stress/big-wasm-memory.js:
2390
2391 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2392
2393         Unreviewed, rolling in the rest of r237254
2394         https://bugs.webkit.org/show_bug.cgi?id=190340
2395
2396         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2397         * stress/function-cache-with-parameters-end-position.js: Added.
2398         (shouldBe):
2399         (shouldThrow):
2400         (i.anonymous):
2401         * stress/function-constructor-name.js: Added.
2402         (shouldBe):
2403         (GeneratorFunction):
2404         (AsyncFunction.async):
2405         (AsyncGeneratorFunction.async):
2406         (anonymous):
2407         (async.anonymous):
2408         * test262/expectations.yaml:
2409
2410 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2411
2412         All users of ArrayBuffer should agree on the same max size
2413         https://bugs.webkit.org/show_bug.cgi?id=191771
2414
2415         Reviewed by Mark Lam.
2416
2417         * stress/big-wasm-memory-grow-no-max.js: Added.
2418         (foo):
2419         (catch):
2420         * stress/big-wasm-memory-grow.js: Added.
2421         (foo):
2422         (catch):
2423         * stress/big-wasm-memory.js: Added.
2424         (foo):
2425         (catch):
2426
2427 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2428
2429         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2430         run for each JSC config since they're regression tests for runtime bugs.
2431
2432         * stress/json-stringified-overflow-2.js:
2433         * stress/json-stringified-overflow.js:
2434
2435 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2436
2437         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2438         config since they're regression tests for runtime bugs.
2439
2440         * stress/large-unshift-splice.js:
2441         * stress/regress-185888.js:
2442
2443 2018-11-16  Saam Barati  <sbarati@apple.com>
2444
2445         KnownCellUse should also have SpecCellCheck as its type filter
2446         https://bugs.webkit.org/show_bug.cgi?id=191729
2447         <rdar://problem/45872852>
2448
2449         Reviewed by Filip Pizlo.
2450
2451         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2452         (C):
2453
2454 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2455
2456         Fix assertion failure on BytecodeGenerator::recordOpcode
2457         https://bugs.webkit.org/show_bug.cgi?id=191724
2458         <rdar://problem/45724395>
2459
2460         Reviewed by Saam Barati.
2461
2462         * stress/regress-187373-2.js: Added.
2463         (foo):
2464
2465 2018-11-15  Mark Lam  <mark.lam@apple.com>
2466
2467         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2468         https://bugs.webkit.org/show_bug.cgi?id=191730
2469         <rdar://problem/46048517>
2470
2471         Reviewed by Saam Barati.
2472
2473         * stress/regress-187006.js: Removed.
2474           - this test is invalid because its sole purpose is to test for the non-spec
2475             compliant behavior that we just fixed.
2476
2477         * stress/regress-191730.js: Added.
2478
2479 2018-11-15  Mark Lam  <mark.lam@apple.com>
2480
2481         RegExp operations should not take fast patch if lastIndex is not numeric.
2482         https://bugs.webkit.org/show_bug.cgi?id=191731
2483         <rdar://problem/46017305>
2484
2485         Reviewed by Saam Barati.
2486
2487         * stress/regress-191731.js: Added.
2488
2489 2018-11-13  Saam Barati  <sbarati@apple.com>
2490
2491         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2492         https://bugs.webkit.org/show_bug.cgi?id=191600
2493
2494         Reviewed by Mark Lam.
2495
2496         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2497         (foo):
2498         (test):
2499         (bar):
2500
2501 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2502
2503         Unreviewed, rolling out r238132.
2504
2505         The test added with this change is timing out on Debug JSC
2506         bots.
2507
2508         Reverted changeset:
2509
2510         "[BigInt] JSBigInt::createWithLength should throw when length
2511         is greater than JSBigInt::maxLength"
2512         https://bugs.webkit.org/show_bug.cgi?id=190836
2513         https://trac.webkit.org/changeset/238132
2514
2515 2018-11-13  Mark Lam  <mark.lam@apple.com>
2516
2517         Add OOM detection to StringPrototype's substituteBackreferences().
2518         https://bugs.webkit.org/show_bug.cgi?id=191563
2519         <rdar://problem/45720428>
2520
2521         Reviewed by Saam Barati.
2522
2523         * stress/regress-191563.js: Added.
2524
2525 2018-11-13  Mark Lam  <mark.lam@apple.com>
2526
2527         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2528         https://bugs.webkit.org/show_bug.cgi?id=191579
2529         <rdar://problem/45942472>
2530
2531         Reviewed by Saam Barati.
2532
2533         * stress/regress-191579.js: Added.
2534
2535 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2536
2537         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2538         https://bugs.webkit.org/show_bug.cgi?id=190836
2539
2540         Reviewed by Saam Barati.
2541
2542         * stress/big-int-out-of-memory-tests.js: Added.
2543
2544 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2545
2546         U+180E is no longer a whitespace character
2547         https://bugs.webkit.org/show_bug.cgi?id=191415
2548
2549         Reviewed by Saam Barati.
2550
2551         * ChakraCore/test/es5/regexSpace.baseline:
2552         * ChakraCore/test/es6/unicode_whitespace.js:
2553         Update tests to latest version.
2554         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2555
2556         * test262.yaml:
2557         * test262/config.yaml:
2558         * test262/expectations.yaml:
2559         Update expectations.
2560
2561 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2562
2563         [BigInt] Add support to BigInt into ValueAdd
2564         https://bugs.webkit.org/show_bug.cgi?id=186177
2565
2566         Reviewed by Keith Miller.
2567
2568         * stress/big-int-negate-jit.js:
2569         * stress/value-add-big-int-and-string.js: Added.
2570         * stress/value-add-big-int-prediction-propagation.js: Added.
2571         * stress/value-add-big-int-untyped.js: Added.
2572
2573 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2574
2575         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2576         https://bugs.webkit.org/show_bug.cgi?id=191184
2577
2578         Reviewed by Saam Barati.
2579
2580         Most tests were failing due to timeouts, since they are too slow to
2581         run on CLoop. The exceptions are:
2582
2583         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2584         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2585         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2586         to change the stack size since CLoop requires it to be page aligned.
2587
2588         * microbenchmarks/array-push-1.js:
2589         * microbenchmarks/array-push-2.js:
2590         * microbenchmarks/elidable-new-object-dag.js:
2591         * microbenchmarks/elidable-new-object-roflcopter.js:
2592         * microbenchmarks/elidable-new-object-tree.js:
2593         * microbenchmarks/getter-richards.js:
2594         * microbenchmarks/sinkable-new-object-dag.js:
2595         * microbenchmarks/string-concat-long-convert.js:
2596         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2597         * slowMicrobenchmarks/array-push-3.js:
2598         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2599         * slowMicrobenchmarks/spread-small-array.js:
2600         * slowMicrobenchmarks/undefined-property-access.js:
2601         * stress/activation-sink-default-value-tdz-error.js:
2602         * stress/activation-sink-default-value.js:
2603         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2604         * stress/activation-sink-osrexit-default-value.js:
2605         * stress/activation-sink-osrexit.js:
2606         * stress/activation-sink.js:
2607         * stress/allow-math-ic-b3-code-duplication.js:
2608         * stress/array-push-multiple-int32.js:
2609         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2610         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2611         * stress/arrowfunction-lexical-this-activation-sink.js:
2612         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2613         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2614         * stress/elide-new-object-dag-then-exit.js:
2615         * stress/materialize-regexp-cyclic.js:
2616         * stress/new-regex-inline.js:
2617         * stress/op_add.js:
2618         * stress/op_bitand.js:
2619         * stress/op_bitor.js:
2620         * stress/op_bitxor.js:
2621         * stress/op_div-ConstVar.js:
2622         * stress/op_div-VarConst.js:
2623         * stress/op_div-VarVar.js:
2624         * stress/op_lshift-ConstVar.js:
2625         * stress/op_lshift-VarConst.js:
2626         * stress/op_lshift-VarVar.js:
2627         * stress/op_mod-ConstVar.js:
2628         * stress/op_mod-VarConst.js:
2629         * stress/op_mod-VarVar.js:
2630         * stress/op_mul-ConstVar.js:
2631         * stress/op_mul-VarConst.js:
2632         * stress/op_mul-VarVar.js:
2633         * stress/op_rshift-ConstVar.js:
2634         * stress/op_rshift-VarConst.js:
2635         * stress/op_rshift-VarVar.js:
2636         * stress/op_sub-ConstVar.js:
2637         * stress/op_sub-VarConst.js:
2638         * stress/op_sub-VarVar.js:
2639         * stress/op_urshift-ConstVar.js:
2640         * stress/op_urshift-VarConst.js:
2641         * stress/op_urshift-VarVar.js:
2642         * stress/proxy-get-set-correct-receiver.js:
2643         * stress/regress-179562.js:
2644         * stress/rest-parameter-many-arguments.js:
2645         * stress/sampling-profiler-richards.js:
2646         * stress/splay-flash-access-1ms.js:
2647         * stress/tailCallForwardArguments.js:
2648         * stress/typed-array-get-by-val-profiling.js:
2649         * typeProfiler/getter-richards.js:
2650
2651 2018-11-06  Michael Saboff  <msaboff@apple.com>
2652
2653         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2654         https://bugs.webkit.org/show_bug.cgi?id=191271
2655
2656         Reviewed by Saam Barati.
2657
2658         Added more test cases and made all test cases run with the same deeply recursive stack
2659         instead of finding that same point for each test case.
2660
2661         * stress/regexp-compile-oom.js:
2662         (prototype.runTest):
2663         (recurseAndTest):
2664         (testList.push.new.TestAndExpectedException):
2665
2666 2018-11-05  Michael Saboff  <msaboff@apple.com>
2667
2668         Unreviewed build fix for linux.
2669
2670         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2671
2672 2018-11-02  Michael Saboff  <msaboff@apple.com>
2673
2674         Rolling in r237753 with unreviewed build fix.
2675
2676         Fixed issues with DECLARE_THROW_SCOPE placement.
2677
2678 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2679
2680         Unreviewed, rolling out r237753.
2681
2682         Introduced JSC test failures
2683
2684         Reverted changeset:
2685
2686         "Running out of stack space not properly handled in
2687         RegExp::compile() and its callers"
2688         https://bugs.webkit.org/show_bug.cgi?id=191206
2689         https://trac.webkit.org/changeset/237753
2690
2691 2018-11-02  Michael Saboff  <msaboff@apple.com>
2692
2693         Running out of stack space not properly handled in RegExp::compile() and its callers
2694         https://bugs.webkit.org/show_bug.cgi?id=191206
2695
2696         Reviewed by Filip Pizlo.
2697
2698         New regression test.
2699
2700         * stress/regexp-compile-oom.js: Added.
2701         (recurseAndTest):
2702
2703 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2704
2705         Skip tests on arm/mips that time out now we're running on CLoop
2706
2707         Unreviewed gardening.
2708
2709         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2710         time out on the bots and need to be disabled. There's more tests
2711         disabled on arm because the timeout is longer on the mips bot (as the
2712         device is slower to start with), so many of the tests don't time out
2713         there.
2714
2715         * microbenchmarks/getter-richards.js: disable on arm and mips.
2716         * stress/op_add.js: disable on arm.
2717         * stress/op_bitand.js: disable on arm.
2718         * stress/op_bitor.js: disable on arm.
2719         * stress/op_bitxor.js: disable on arm.
2720         * stress/op_lshift-ConstVar.js: disable on arm.
2721         * stress/op_lshift-VarConst.js: disable on arm.
2722         * stress/op_lshift-VarVar.js: disable on arm.
2723         * stress/op_mod-ConstVar.js: disable on arm.
2724         * stress/op_mod-VarConst.js: disable on arm.
2725         * stress/op_mod-VarVar.js: disable on arm.
2726         * stress/op_mul-ConstVar.js: disable on arm.
2727         * stress/op_mul-VarConst.js: disable on arm.
2728         * stress/op_mul-VarVar.js: disable on arm.
2729         * stress/op_rshift-ConstVar.js: disable on arm.
2730         * stress/op_rshift-VarConst.js: disable on arm.
2731         * stress/op_rshift-VarVar.js: disable on arm.
2732         * stress/op_sub-ConstVar.js: disable on arm.
2733         * stress/op_sub-VarConst.js: disable on arm.
2734         * stress/op_sub-VarVar.js: disable on arm.
2735         * stress/op_urshift-ConstVar.js: disable on arm.
2736         * stress/op_urshift-VarConst.js: disable on arm.
2737         * stress/op_urshift-VarVar.js: disable on arm.
2738         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2739         * stress/value-to-boolean.js: disable on arm and mips.
2740
2741 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2742
2743         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2744         https://bugs.webkit.org/show_bug.cgi?id=191108
2745         <rdar://problem/45690700>
2746
2747         Reviewed by Saam Barati.
2748
2749         * stress/wide-op_catch.js: Added.
2750         (catch):
2751
2752 2018-10-29  Mark Lam  <mark.lam@apple.com>
2753
2754         Correctly detect string overflow when using the 'Function' constructor.
2755         https://bugs.webkit.org/show_bug.cgi?id=184883
2756         <rdar://problem/36320331>
2757
2758         Reviewed by Saam Barati.
2759
2760         I've verified that this passes on 32-bit as well.
2761
2762         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2763
2764 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2765
2766         Add support for GetStack FlushedDouble
2767         https://bugs.webkit.org/show_bug.cgi?id=191012
2768         <rdar://problem/45265141>
2769
2770         Reviewed by Saam Barati.
2771
2772         * stress/get-stack-double.js: Added.
2773         (bar):
2774         (noInline):
2775
2776 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2777
2778         New bytecode format for JSC
2779         https://bugs.webkit.org/show_bug.cgi?id=187373
2780         <rdar://problem/44186758>
2781
2782         Reviewed by Filip Pizlo.
2783
2784         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2785
2786         * stress/maximum-inline-capacity.js: Added.
2787         (test1):
2788         (test3.Foo):
2789         (test3):
2790
2791 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2792
2793         Unreviewed, rolling out r237479 and r237484.
2794         https://bugs.webkit.org/show_bug.cgi?id=190978
2795
2796         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2797
2798         Reverted changesets:
2799
2800         "New bytecode format for JSC"
2801         https://bugs.webkit.org/show_bug.cgi?id=187373
2802         https://trac.webkit.org/changeset/237479
2803
2804         "Gardening: Build fix after r237479."
2805         https://bugs.webkit.org/show_bug.cgi?id=187373
2806         https://trac.webkit.org/changeset/237484
2807
2808 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2809
2810         New bytecode format for JSC
2811         https://bugs.webkit.org/show_bug.cgi?id=187373
2812         <rdar://problem/44186758>
2813
2814         Reviewed by Filip Pizlo.
2815
2816         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2817
2818         * stress/maximum-inline-capacity.js: Added.
2819         (test1):
2820         (test3.Foo):
2821         (test3):
2822
2823 2018-10-26  Mark Lam  <mark.lam@apple.com>
2824
2825         Fix missing edge cases with JSGlobalObjects having a bad time.
2826         https://bugs.webkit.org/show_bug.cgi?id=189028
2827         <rdar://problem/45204939>
2828
2829         Reviewed by Saam Barati.
2830
2831         * stress/regress-189028.js: Added.
2832
2833 2018-10-22  Mark Lam  <mark.lam@apple.com>
2834
2835         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2836         https://bugs.webkit.org/show_bug.cgi?id=190515
2837         <rdar://problem/45222379>
2838
2839         Rubber-stamped by Saam Barati.
2840
2841         Adding another test.
2842
2843         * stress/regress-190515-2.js: Added.
2844
2845 2018-10-22  Mark Lam  <mark.lam@apple.com>
2846
2847         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2848         https://bugs.webkit.org/show_bug.cgi?id=190515
2849         <rdar://problem/45222379>
2850
2851         Reviewed by Saam Barati.
2852
2853         * stress/regress-190515.js: Added.
2854
2855 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2856
2857         Unreviewed, rolling out r237254.
2858         https://bugs.webkit.org/show_bug.cgi?id=190760
2859
2860         "It regresses JetStream 2 by 5% on some iOS devices"
2861         (Requested by saamyjoon on #webkit).
2862
2863         Reverted changeset:
2864
2865         "[JSC] JSC should have "parseFunction" to optimize Function
2866         constructor"
2867         https://bugs.webkit.org/show_bug.cgi?id=190340
2868         https://trac.webkit.org/changeset/237254
2869
2870 2018-10-19  Saam Barati  <sbarati@apple.com>
2871
2872         vmCall should check if we exit before emitting an OSR exit due to exceptions
2873         https://bugs.webkit.org/show_bug.cgi?id=190740
2874         <rdar://problem/45220139>
2875
2876         Reviewed by Mark Lam.
2877
2878         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2879         (foo):
2880
2881 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2882
2883         [ESNext][BigInt] Implement support for "^"
2884         https://bugs.webkit.org/show_bug.cgi?id=186235
2885
2886         Reviewed by Yusuke Suzuki.
2887
2888         * stress/big-int-bitwise-xor-general.js: Added.
2889         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2890         * stress/big-int-bitwise-xor-type-error.js: Added.
2891         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2892
2893 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2894
2895         [BigInt] Add ValueSub into DFG
2896         https://bugs.webkit.org/show_bug.cgi?id=186176
2897
2898         Reviewed by Yusuke Suzuki.
2899
2900         * stress/big-int-subtraction-jit.js:
2901         * stress/value-sub-big-int-prediction-propagation.js: Added.
2902         * stress/value-sub-big-int-untyped.js: Added.
2903         * stress/value-sub-spec-none-case.js: Added.
2904
2905 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2906
2907         [JSC] JSC should have "parseFunction" to optimize Function constructor
2908         https://bugs.webkit.org/show_bug.cgi?id=190340
2909
2910         Reviewed by Mark Lam.
2911
2912         This patch fixes the line number of syntax errors raised by the Function constructor,
2913         since we now parse the final code only once. And we no longer use block statement
2914         for Function constructor's parsing.
2915
2916         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2917         * stress/function-cache-with-parameters-end-position.js: Added.
2918         (shouldBe):
2919         (shouldThrow):
2920         (i.anonymous):
2921         * stress/function-constructor-name.js: Added.
2922         (shouldBe):
2923         (GeneratorFunction):
2924         (AsyncFunction.async):
2925         (AsyncGeneratorFunction.async):
2926         (anonymous):
2927         (async.anonymous):
2928         * test262/expectations.yaml:
2929
2930 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2931
2932         Unreviewed, rolling out r237242.
2933         https://bugs.webkit.org/show_bug.cgi?id=190701
2934
2935         it breaks "stress/sampling-profiler-basic.js" (Requested by
2936         caiolima on #webkit).
2937
2938         Reverted changeset:
2939
2940         "[BigInt] Add ValueSub into DFG"
2941         https://bugs.webkit.org/show_bug.cgi?id=186176
2942         https://trac.webkit.org/changeset/237242
2943
2944 2018-10-17  Keith Miller  <keith_miller@apple.com>
2945
2946         AI does not clear Phantom allocation nodes.
2947         https://bugs.webkit.org/show_bug.cgi?id=190694
2948
2949         Reviewed by Saam Barati.
2950
2951         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2952         (Day):
2953         (DaysInYear):
2954         (TimeInYear):
2955         (TimeFromYear):
2956         (DayFromYear):
2957         (InLeapYear):
2958         (YearFromTime):
2959         (WeekDay):
2960         (DaylightSavingTA):
2961         (GetSecondSundayInMarch):
2962         (TimeInMonth):
2963
2964 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2965
2966         [BigInt] Add ValueSub into DFG
2967         https://bugs.webkit.org/show_bug.cgi?id=186176
2968
2969         Reviewed by Yusuke Suzuki.
2970
2971         * stress/big-int-subtraction-jit.js:
2972         * stress/value-sub-big-int-prediction-propagation.js: Added.
2973         * stress/value-sub-big-int-untyped.js: Added.
2974
2975 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2976
2977         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2978         https://bugs.webkit.org/show_bug.cgi?id=190611
2979
2980         Reviewed by Saam Barati.
2981
2982         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2983         to improve test runtime. On ARM/MIPS this test even timed out when running all
2984         tests.
2985
2986         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2987         (test):
2988
2989 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2990
2991         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2992
2993         Unreviewed gardening.
2994
2995         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2996
2997 2018-10-15  Saam barati  <sbarati@apple.com>
2998
2999         Emit fjcvtzs on ARM64E on Darwin
3000         https://bugs.webkit.org/show_bug.cgi?id=184023
3001
3002         Reviewed by Yusuke Suzuki and Filip Pizlo.
3003
3004         * stress/double-to-int32-NaN.js: Added.
3005         (assert):
3006         (foo):
3007
3008 2018-10-15  Saam Barati  <sbarati@apple.com>
3009
3010         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3011         https://bugs.webkit.org/show_bug.cgi?id=190262
3012         <rdar://problem/44986241>
3013
3014         Reviewed by Mark Lam.
3015
3016         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3017         (test):
3018         * stress/slice-array-storage-with-holes.js: Added.
3019         (main):
3020
3021 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3022
3023         Unreviewed, rolling out r237054.
3024         https://bugs.webkit.org/show_bug.cgi?id=190593
3025
3026         "this regressed JetStream 2 by 6% on iOS" (Requested by
3027         saamyjoon on #webkit).
3028
3029         Reverted changeset:
3030
3031         "[JSC] JSC should have "parseFunction" to optimize Function
3032         constructor"
3033         https://bugs.webkit.org/show_bug.cgi?id=190340
3034         https://trac.webkit.org/changeset/237054
3035
3036 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3037
3038         [JSC] JSON.stringify can accept call-with-no-arguments
3039         https://bugs.webkit.org/show_bug.cgi?id=190343
3040
3041         Reviewed by Mark Lam.
3042
3043         * stress/json-stringify-no-arguments.js: Added.
3044         (shouldBe):
3045
3046 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3047
3048         [JSC] JSC should have "parseFunction" to optimize Function constructor
3049         https://bugs.webkit.org/show_bug.cgi?id=190340
3050
3051         Reviewed by Mark Lam.
3052
3053         This patch fixes the line number of syntax errors raised by the Function constructor,
3054         since we now parse the final code only once. And we no longer use block statement
3055         for Function constructor's parsing.
3056
3057         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3058         * stress/function-cache-with-parameters-end-position.js: Added.
3059         (shouldBe):
3060         (shouldThrow):
3061         (i.anonymous):
3062         * stress/function-constructor-name.js: Added.
3063         (shouldBe):
3064         (GeneratorFunction):
3065         (AsyncFunction.async):
3066         (AsyncGeneratorFunction.async):
3067         (anonymous):
3068         (async.anonymous):
3069         * test262/expectations.yaml:
3070
3071 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3072
3073         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3074         https://bugs.webkit.org/show_bug.cgi?id=190426
3075
3076         Unreviewed gardening.
3077
3078         * stress/sampling-profiler-richards.js:
3079
3080 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3081
3082         [ESNext][BigInt] Implement support for "|"
3083         https://bugs.webkit.org/show_bug.cgi?id=186229
3084
3085         Reviewed by Yusuke Suzuki.
3086
3087         * stress/big-int-bitwise-and-jit.js:
3088         * stress/big-int-bitwise-or-general.js: Added.
3089         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3090         * stress/big-int-bitwise-or-jit.js: Added.
3091         * stress/big-int-bitwise-or-memory-stress.js: Added.
3092         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3093         * stress/big-int-bitwise-or-type-error.js: Added.
3094         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3095
3096 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3097
3098         Skip test on systems with limited memory
3099         https://bugs.webkit.org/show_bug.cgi?id=190310
3100
3101         Invoking runDefault adds test to runlist, skipping the test in the next
3102         line does not prevent the test from executing. Change order of lines such
3103         that runDefault is only executed if test is not executed.
3104
3105         Reviewed by Mark Lam.
3106
3107         * stress/regress-190187.js:
3108
3109 2018-10-03  Saam barati  <sbarati@apple.com>
3110
3111         lowXYZ in FTLLower should always filter the type of the incoming edge
3112         https://bugs.webkit.org/show_bug.cgi?id=189939
3113         <rdar://problem/44407030>
3114
3115         Reviewed by Michael Saboff.
3116
3117         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3118         (foo):
3119         (test):
3120
3121 2018-10-03  Mark Lam  <mark.lam@apple.com>
3122
3123         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3124         https://bugs.webkit.org/show_bug.cgi?id=190187
3125         <rdar://problem/42512909>
3126
3127         Reviewed by Michael Saboff.
3128
3129         * stress/regress-190187.js: Added.
3130
3131 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3132
3133         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3134         https://bugs.webkit.org/show_bug.cgi?id=190033
3135
3136         Reviewed by Yusuke Suzuki.
3137
3138         * stress/big-int-to-string.js:
3139
3140 2018-10-01  Mark Lam  <mark.lam@apple.com>
3141
3142         Function.toString() should also copy the source code Functions that are class definitions.
3143         https://bugs.webkit.org/show_bug.cgi?id=190186
3144         <rdar://problem/44733360>
3145
3146         Reviewed by Saam Barati.
3147
3148         * stress/regress-190186.js: Added.
3149
3150 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3151
3152         Split NaN-check into separate test
3153         https://bugs.webkit.org/show_bug.cgi?id=190010
3154
3155         Reviewed by Saam Barati.
3156
3157         DataView exposes NaN-representation, which is not necessarily the same on each
3158         architecture. Therefore move the check of the NaN-representation into its own
3159         file such that we can disable this test on MIPS where NaN-representation can be
3160         different on older CPUs.
3161
3162         * stress/dataview-jit-set-nan.js: Added.
3163         (assert):
3164         (test.storeLittleEndian):
3165         (test.storeBigEndian):
3166         (test.store):
3167         (test):
3168         * stress/dataview-jit-set.js:
3169         (test5):
3170
3171 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3172
3173         Unreviewed, rolling out r236647.
3174         https://bugs.webkit.org/show_bug.cgi?id=190124
3175
3176         Breaking test stress/big-int-to-string.js (Requested by
3177         caiolima_ on #webkit).
3178
3179         Reverted changeset:
3180
3181         "[BigInt] BigInt.proptotype.toString is broken when radix is
3182         power of 2"
3183         https://bugs.webkit.org/show_bug.cgi?id=190033
3184         https://trac.webkit.org/changeset/236647
3185
3186 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3187
3188         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3189         https://bugs.webkit.org/show_bug.cgi?id=190033
3190
3191         Reviewed by Yusuke Suzuki.
3192
3193         * stress/big-int-to-string.js:
3194
3195 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3196
3197         [ESNext][BigInt] Implement support for "&"
3198         https://bugs.webkit.org/show_bug.cgi?id=186228
3199
3200         Reviewed by Yusuke Suzuki.
3201
3202         * stress/big-int-bitwise-and-general.js: Added.
3203         (assert):
3204         (assert.sameValue):
3205         * stress/big-int-bitwise-and-jit.js: Added.
3206         (let.assert.sameValue):
3207         (bigIntBitAnd):
3208         * stress/big-int-bitwise-and-memory-stress.js: Added.
3209         (assert):
3210         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3211         (assert.sameValue):
3212         (let.o.Symbol.toPrimitive):
3213         (catch):
3214         * stress/big-int-bitwise-and-type-error.js: Added.
3215         (assert):
3216         (assertThrowTypeError):
3217         (let.o.valueOf):
3218         (o.valueOf):
3219         (o.toString):
3220         (o.Symbol.toPrimitive):
3221         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3222         (assert.sameValue):
3223         (testBitAnd):
3224         (let.o.Symbol.toPrimitive):
3225         (o.valueOf):
3226         (o.toString):
3227
3228 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3229
3230         JSC test stress/jsc-read.js doesn't support CRLF
3231         https://bugs.webkit.org/show_bug.cgi?id=190063
3232
3233         Reviewed by Yusuke Suzuki.
3234
3235         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3236
3237         * stress/jsc-read.js:
3238         (test):
3239
3240 2018-09-27  Saam barati  <sbarati@apple.com>
3241
3242         Verify the contents of AssemblerBuffer on arm64e
3243         https://bugs.webkit.org/show_bug.cgi?id=190057
3244         <rdar://problem/38916630>
3245
3246         Reviewed by Mark Lam.
3247
3248         * stress/regress-189132.js:
3249
3250 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3251
3252         Disable test without LLInt on ARMv7
3253         https://bugs.webkit.org/show_bug.cgi?id=190037
3254
3255         Reviewed by Mark Lam.
3256
3257         Test runs out of executable memory on ARMv7, do not run
3258         this test without LLInt enabled.
3259
3260         * stress/regress-169445.js:
3261
3262 2018-09-26  Keith Miller  <keith_miller@apple.com>
3263
3264         We should zero unused property storage when rebalancing array storage.
3265         https://bugs.webkit.org/show_bug.cgi?id=188151
3266
3267         Reviewed by Michael Saboff.
3268
3269         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3270
3271 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3272
3273         [JSC] Optimize Array#lastIndexOf
3274         https://bugs.webkit.org/show_bug.cgi?id=189780
3275
3276         Reviewed by Saam Barati.
3277
3278         * stress/array-lastindexof-array-prototype-trap.js: Added.
3279         (shouldBe):
3280         (AncestorArray.prototype.get 2):
3281         (AncestorArray):
3282         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3283         (shouldBe):
3284         * stress/array-lastindexof-hole-nan.js: Added.
3285         (shouldBe):
3286         (throw.new.Error):
3287         * stress/array-lastindexof-infinity.js: Added.
3288         (shouldBe):
3289         (throw.new.Error):
3290         * stress/array-lastindexof-negative-zero.js: Added.
3291         (shouldBe):
3292         (throw.new.Error):
3293         * stress/array-lastindexof-own-getter.js: Added.
3294         (shouldBe):
3295         (throw.new.Error.get array):
3296         (get array):
3297         * stress/array-lastindexof-prototype-trap.js: Added.
3298         (shouldBe):
3299         (DerivedArray.prototype.get 2):
3300         (DerivedArray):
3301
3302 2018-09-25  Saam Barati  <sbarati@apple.com>
3303
3304         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3305         https://bugs.webkit.org/show_bug.cgi?id=189940
3306         <rdar://problem/43640987>
3307
3308         Reviewed by Mark Lam.
3309
3310         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3311
3312 2018-09-24  Saam Barati  <sbarati@apple.com>
3313
3314         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3315         https://bugs.webkit.org/show_bug.cgi?id=189922
3316         <rdar://problem/44651275>
3317
3318         Reviewed by Mark Lam.
3319
3320         * stress/array-indexof-fast-path-effects.js: Added.
3321         * stress/array-indexof-cached-length.js: Added.
3322
3323 2018-09-24  Saam barati  <sbarati@apple.com>
3324
3325         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3326         https://bugs.webkit.org/show_bug.cgi?id=189682
3327         <rdar://problem/43557315>
3328
3329         Reviewed by Mark Lam.
3330
3331         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3332         (foo):
3333
3334 2018-09-22  Saam barati  <sbarati@apple.com>
3335
3336         The sampling should not use Strong<CodeBlock> in its machineLocation field
3337         https://bugs.webkit.org/show_bug.cgi?id=189319
3338
3339         Reviewed by Filip Pizlo.
3340
3341         * stress/sampling-profiler-richards.js: Added.
3342
3343 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3344
3345         [JSC] Optimize Array#indexOf in C++ runtime
3346         https://bugs.webkit.org/show_bug.cgi?id=189507
3347
3348         Reviewed by Saam Barati.
3349
3350         * stress/array-indexof-array-prototype-trap.js: Added.
3351         (shouldBe):
3352         (AncestorArray.prototype.get 2):
3353         (AncestorArray):
3354         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3355         (shouldBe):
3356         * stress/array-indexof-hole-nan.js: Added.
3357         (shouldBe):
3358         (throw.new.Error):
3359         * stress/array-indexof-infinity.js: Added.
3360         (shouldBe):
3361         (throw.new.Error):
3362         * stress/array-indexof-negative-zero.js: Added.
3363         (shouldBe):
3364         (throw.new.Error):
3365         * stress/array-indexof-own-getter.js: Added.
3366         (shouldBe):
3367         (throw.new.Error.get array):
3368         (get array):
3369         * stress/array-indexof-prototype-trap.js: Added.
3370         (shouldBe):
3371         (DerivedArray.prototype.get 2):
3372         (DerivedArray):
3373
3374 2018-09-19  Saam barati  <sbarati@apple.com>
3375
3376         AI rule for MultiPutByOffset executes its effects in the wrong order
3377         https://bugs.webkit.org/show_bug.cgi?id=189757
3378         <rdar://problem/43535257>
3379
3380         Reviewed by Michael Saboff.
3381
3382         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3383         (foo):
3384         (Foo):
3385         (g):
3386
3387 2018-09-17  Mark Lam  <mark.lam@apple.com>
3388
3389         Ensure that ForInContexts are invalidated if their loop local is over-written.
3390         https://bugs.webkit.org/show_bug.cgi?id=189571
3391         <rdar://problem/44402277>
3392
3393         Reviewed by Saam Barati.
3394
3395         * stress/regress-189571.js: Added.
3396
3397 2018-09-17  Saam barati  <sbarati@apple.com>
3398
3399         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3400         https://bugs.webkit.org/show_bug.cgi?id=189676
3401         <rdar://problem/39682897>
3402
3403         Reviewed by Michael Saboff.
3404
3405         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3406         (A):
3407         (K):
3408         (i.catch):
3409
3410 2018-09-14  Saam barati  <sbarati@apple.com>
3411
3412         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3413         https://bugs.webkit.org/show_bug.cgi?id=189628
3414         <rdar://problem/39481690>
3415
3416         Reviewed by Mark Lam.
3417
3418         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3419         (foo):
3420
3421 2018-09-11  Mark Lam  <mark.lam@apple.com>
3422
3423         Test for array initialization in arrayProtoFuncSplice.
3424         https://bugs.webkit.org/show_bug.cgi?id=170253
3425         <rdar://problem/31328773>
3426
3427         Rubber-stamped by Saam Barati.
3428
3429         * stress/regress-170253.js: Added.
3430
3431 2018-09-11  Mark Lam  <mark.lam@apple.com>
3432
3433         Test for IntlObject initialization.
3434         https://bugs.webkit.org/show_bug.cgi?id=170251
3435         <rdar://problem/31328419>
3436
3437         Rubber-stamped by Saam Barati.
3438
3439         * stress/regress-170251.js: Added.
3440
3441 2018-09-11  Mark Lam  <mark.lam@apple.com>
3442
3443         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3444         https://bugs.webkit.org/show_bug.cgi?id=169889
3445         <rdar://problem/31155607>
3446
3447         Reviewed by Saam Barati.
3448
3449         * stress/regress-169889-array-concat.js: Added.
3450         * stress/regress-169889-array-concat1.js: Added.
3451         * stress/regress-169889-array-slice.js: Added.
3452
3453 2018-09-11  Mark Lam  <mark.lam@apple.com>
3454
3455         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3456         https://bugs.webkit.org/show_bug.cgi?id=169445
3457         <rdar://problem/30957435>
3458
3459         Reviewed by Saam Barati.
3460
3461         * stress/regress-169445.js: Added.
3462         (let.gun.eval.A):
3463         (let.gun.eval.B.C):
3464         (let.gun.eval.B.C.prototype.trigger):
3465         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3466         (let.gun.eval.B):
3467         (let.gun.eval):
3468
3469 == Rolled over to ChangeLog-2018-09-11 ==