WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
2
3         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
4         https://bugs.webkit.org/show_bug.cgi?id=196217
5
6         Reviewed by Saam Barati.
7
8         Re-enable all NaN tests for f32.min, f64.min and f64.max.
9
10         * wasm/spec-tests/f32.wast.js:
11         * wasm/spec-tests/f64.wast.js:
12         * wasm/wasm.json:
13
14 2019-03-25  Keith Miller  <keith_miller@apple.com>
15
16         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
17         https://bugs.webkit.org/show_bug.cgi?id=196176
18
19         Reviewed by Saam Barati.
20
21         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
22         (main.v10):
23         (main):
24
25 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
26
27         WebAssembly: f32.max with NaN generates incorrect result
28         https://bugs.webkit.org/show_bug.cgi?id=175691
29         <rdar://problem/33952228>
30
31         Reviewed by Saam Barati.
32
33         Enable all f32.max NaN tests
34
35         * wasm/spec-tests/f32.wast.js:
36         * wasm/wasm.json:
37
38 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
39
40         [JSC] Move test into directory for WASM tests
41         https://bugs.webkit.org/show_bug.cgi?id=196187
42
43         Reviewed by Mark Lam.
44
45         Move Test into wasm-directory. Otherwise this test
46         is also executed on systems without WASM support.
47
48         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
49
50 2019-03-23  Mark Lam  <mark.lam@apple.com>
51
52         Rolling out r243032 and r243071 because the fix is incorrect.
53         https://bugs.webkit.org/show_bug.cgi?id=195892
54         <rdar://problem/48981239>
55
56         Not reviewed.
57
58         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
59
60 2019-03-22  Mark Lam  <mark.lam@apple.com>
61
62         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
63         https://bugs.webkit.org/show_bug.cgi?id=196154
64         <rdar://problem/49145307>
65
66         Reviewed by Filip Pizlo.
67
68         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
69         There's no need to run this test on more than 1 test configuration.
70
71         * stress/typed-array-lastIndexOf-exception-check.js: Added.
72         * stress/web-assembly-link-error-exception-check.js:
73
74 2019-03-22  Mark Lam  <mark.lam@apple.com>
75
76         Placate exception check validation in constructJSWebAssemblyLinkError().
77         https://bugs.webkit.org/show_bug.cgi?id=196152
78         <rdar://problem/49145257>
79
80         Reviewed by Michael Saboff.
81
82         * stress/web-assembly-link-error-exception-check.js: Added.
83
84 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
85
86         Skip tests running out of memory on ARM/MIPS
87         https://bugs.webkit.org/show_bug.cgi?id=196131
88
89         Unreviewed. Skip test if memory is limited.
90
91         * microbenchmarks/put-by-val-direct-large-index.js:
92
93 2019-03-21  Mark Lam  <mark.lam@apple.com>
94
95         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
96         https://bugs.webkit.org/show_bug.cgi?id=196116
97         <rdar://problem/48976951>
98
99         Reviewed by Filip Pizlo.
100
101         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
102
103 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
104
105         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
106         https://bugs.webkit.org/show_bug.cgi?id=196078
107         <rdar://problem/35925380>
108
109         Reviewed by Mark Lam.
110
111         Add a new benchmark that allocates several objects and invokes put_by_val_direct
112         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
113
114         * microbenchmarks/put-by-val-direct-large-index.js: Added.
115
116 2019-03-21  Mark Lam  <mark.lam@apple.com>
117
118         Placate exception check validation in operationArrayIndexOfString().
119         https://bugs.webkit.org/show_bug.cgi?id=196067
120         <rdar://problem/49056572>
121
122         Reviewed by Michael Saboff.
123
124         * stress/string-equal-exception-check.js: Added.
125
126 2019-03-21  Mark Lam  <mark.lam@apple.com>
127
128         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
129         https://bugs.webkit.org/show_bug.cgi?id=196055
130         <rdar://problem/49067448>
131
132         Reviewed by Yusuke Suzuki.
133
134         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
135
136 2019-03-20  Saam Barati  <sbarati@apple.com>
137
138         typeOfDoubleSum is wrong for when NaN can be produced
139         https://bugs.webkit.org/show_bug.cgi?id=196030
140
141         Reviewed by Filip Pizlo.
142
143         * stress/double-add-sub-mul-can-produce-nan.js: Added.
144         (assert):
145         (noInline.sub):
146         (noInline):
147         (assert.mul):
148         (assert.add):
149
150 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         Update the test to ensure OutOfMemoryError is thrown as intended
153         https://bugs.webkit.org/show_bug.cgi?id=196032
154         <rdar://problem/46842740>
155
156         Rubber stamped by Saam Barati.
157
158         * stress/create-error-out-of-memory-rope-string.js:
159         (assert):
160         (catch):
161
162 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
163
164         JSC::createError needs to check for OOM in errorDescriptionForValue
165         https://bugs.webkit.org/show_bug.cgi?id=196032
166         <rdar://problem/46842740>
167
168         Reviewed by Mark Lam.
169
170         * stress/create-error-out-of-memory-rope-string.js: Added.
171
172 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
173
174         Unreviewed, reduce # of iterations to avoid timing out after r242991
175         https://bugs.webkit.org/show_bug.cgi?id=195791
176
177         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
178
179         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
180
181 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
182
183         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
184         https://bugs.webkit.org/show_bug.cgi?id=195950
185
186         Unreviewed, reducing the amount of memory used on this test to avoid
187         OOM on devices with memory restrictions.
188
189         * microbenchmarks/generate-multiple-llint-entrypoints.js:
190
191 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
192
193         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
194         https://bugs.webkit.org/show_bug.cgi?id=194648
195
196         Reviewed by Keith Miller.
197
198         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
199
200 2019-03-18  Mark Lam  <mark.lam@apple.com>
201
202         Missing a ThrowScope release in JSObject::toString().
203         https://bugs.webkit.org/show_bug.cgi?id=195893
204         <rdar://problem/48970986>
205
206         Reviewed by Michael Saboff.
207
208         * stress/to-string-exception-check-release.js: Added.
209
210 2019-03-18  Mark Lam  <mark.lam@apple.com>
211
212         Structure::flattenDictionary() should clear unused property slots.
213         https://bugs.webkit.org/show_bug.cgi?id=195871
214         <rdar://problem/48959497>
215
216         Reviewed by Michael Saboff.
217
218         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
219
220 2019-03-15  Mark Lam  <mark.lam@apple.com>
221
222         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
223         https://bugs.webkit.org/show_bug.cgi?id=195827
224         <rdar://problem/48845513>
225
226         Reviewed by Filip Pizlo.
227
228         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
229
230 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
231
232         [ARM,MIPS] Skip slow tests
233         https://bugs.webkit.org/show_bug.cgi?id=195799
234
235         Unreviewed, test does not finish on ARM and MIPS within the
236         timeout limit.
237
238         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
239
240 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
241
242         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
243         https://bugs.webkit.org/show_bug.cgi?id=195791
244         <rdar://problem/48806130>
245
246         Reviewed by Mark Lam.
247
248         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
249         (foo):
250
251 2019-03-14  Saam barati  <sbarati@apple.com>
252
253         We can't remove code after ForceOSRExit until after FixupPhase
254         https://bugs.webkit.org/show_bug.cgi?id=186916
255         <rdar://problem/41396612>
256
257         Reviewed by Yusuke Suzuki.
258
259         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
260         (foo):
261         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
262         (foo):
263
264 2019-03-13  Michael Saboff  <msaboff@apple.com>
265
266         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
267         https://bugs.webkit.org/show_bug.cgi?id=195735
268
269         Reviewed by Mark Lam.
270
271         New regression test.
272
273         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
274         (foo):
275         (bar):
276
277 2019-03-14  Saam barati  <sbarati@apple.com>
278
279         Fixup uses KnownInt32 incorrectly in some nodes
280         https://bugs.webkit.org/show_bug.cgi?id=195279
281         <rdar://problem/47915654>
282
283         Reviewed by Yusuke Suzuki.
284
285         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
286         (foo):
287
288 2019-03-14  Keith Miller  <keith_miller@apple.com>
289
290         DFG liveness can't skip tail caller inline frames
291         https://bugs.webkit.org/show_bug.cgi?id=195715
292
293         Reviewed by Saam Barati.
294
295         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
296         (i.foo):
297
298 2019-03-13  Mark Lam  <mark.lam@apple.com>
299
300         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
301         https://bugs.webkit.org/show_bug.cgi?id=195415
302
303         Not reviewed.
304
305         Changed these tests to only run the default configuration.
306         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
307         There's no strong need to run this test on that variant.
308
309         * stress/dfg-to-string-on-int-does-gc.js:
310         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
311
312 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
313
314         String overflow when using StringBuilder in JSC::createError
315         https://bugs.webkit.org/show_bug.cgi?id=194957
316
317         Reviewed by Mark Lam.
318
319         Add test string-overflow-createError-bulder.js that overflows
320         StringBuilder in notAFunctionSourceAppender. The second new test
321         string-overflow-createError-fit.js has an error message that doesn't
322         overflow, it still failed since the String's capacity can't be doubled.
323         Run test string-overflow-createError.js only in the default
324         configuration to reduce memory consumption when running the test
325         in all configurations on multiple CPUs in parallel.
326
327         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
328         (catch):
329         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
330         (catch):
331         * stress/string-overflow-createError.js:
332
333 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
334
335         [JSC] OSR entry should respect abstract values in addition to flush formats
336         https://bugs.webkit.org/show_bug.cgi?id=195653
337
338         Reviewed by Mark Lam.
339
340         * stress/osr-entry-locals-none.js: Added.
341
342 2019-03-12  Michael Saboff  <msaboff@apple.com>
343
344         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
345         https://bugs.webkit.org/show_bug.cgi?id=195613
346
347         Reviewed by Mark Lam.
348
349         New regression test.
350
351         * stress/regexp-backref-inbounds.js: Added.
352         (testRegExp):
353
354 2019-03-12  Mark Lam  <mark.lam@apple.com>
355
356         The HasIndexedProperty node does GC.
357         https://bugs.webkit.org/show_bug.cgi?id=195559
358         <rdar://problem/48767923>
359
360         Reviewed by Yusuke Suzuki.
361
362         * stress/HasIndexedProperty-does-gc.js: Added.
363
364 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
365
366         [ESNext][BigInt] Implement "~" unary operation
367         https://bugs.webkit.org/show_bug.cgi?id=182216
368
369         Reviewed by Keith Miller.
370
371         * stress/big-int-bit-not-general.js: Added.
372         * stress/big-int-bitwise-not-jit.js: Added.
373         * stress/big-int-bitwise-not-wrapped-value.js: Added.
374         * stress/bit-op-with-object-returning-int32.js:
375         * stress/bitwise-not-fixup-rules.js: Added.
376         * stress/value-bit-not-ai-rule.js: Added.
377
378 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
379
380         Invalid flags in a RegExp literal should be an early SyntaxError
381         https://bugs.webkit.org/show_bug.cgi?id=195514
382
383         Reviewed by Darin Adler.
384
385         * test262/expectations.yaml:
386         Mark 4 test cases as passing.
387
388         * stress/regexp-syntax-error-invalid-flags.js:
389         * stress/regress-161995.js: Removed.
390         Update existing test, merging in an older test for the same behavior.
391
392 2019-03-08  Mark Lam  <mark.lam@apple.com>
393
394         Stack overflow crash in JSC::JSObject::hasInstance.
395         https://bugs.webkit.org/show_bug.cgi?id=195458
396         <rdar://problem/48710195>
397
398         Reviewed by Yusuke Suzuki.
399
400         * stress/stack-overflow-in-custom-hasInstance.js: Added.
401
402 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
403
404         op_check_tdz does not def its argument
405         https://bugs.webkit.org/show_bug.cgi?id=192880
406         <rdar://problem/46221598>
407
408         Reviewed by Saam Barati.
409
410         * microbenchmarks/let-for-in.js: Added.
411         (foo):
412
413 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
414
415         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
416         https://bugs.webkit.org/show_bug.cgi?id=195429
417
418         Reviewed by Saam Barati.
419
420         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
421         (foo):
422         * stress/string-from-char-code-255.js: Added.
423
424 2019-03-06  Mark Lam  <mark.lam@apple.com>
425
426         Fix incorrect handling of try-finally completion values.
427         https://bugs.webkit.org/show_bug.cgi?id=195131
428         <rdar://problem/46222079>
429
430         Reviewed by Saam Barati and Yusuke Suzuki.
431
432         Added many permutations of new test case to test-finally.js.  test-finally.js has
433         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
434         tests passes there as well.
435
436         * stress/test-finally.js:
437
438 2019-03-06  Saam Barati  <sbarati@apple.com>
439
440         Air::reportUsedRegisters must padInterference
441         https://bugs.webkit.org/show_bug.cgi?id=195303
442         <rdar://problem/48270343>
443
444         Reviewed by Keith Miller.
445
446         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
447
448 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
449
450         [JSC] AI should not propagate AbstractValue relying on constant folding phase
451         https://bugs.webkit.org/show_bug.cgi?id=195375
452
453         Reviewed by Saam Barati.
454
455         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
456         (let.array):
457
458 2019-03-05  Saam barati  <sbarati@apple.com>
459
460         op_switch_char broken for rope strings after JSRopeString layout rewrite
461         https://bugs.webkit.org/show_bug.cgi?id=195339
462         <rdar://problem/48592545>
463
464         Reviewed by Yusuke Suzuki.
465
466         * stress/switch-on-char-llint-rope.js: Added.
467
468 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
469
470         [JSC] Store bits for JSRopeString in 3 stores
471         https://bugs.webkit.org/show_bug.cgi?id=195234
472
473         Reviewed by Saam Barati.
474
475         * stress/null-rope-and-collectors.js: Added.
476
477 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
478
479         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
480         https://bugs.webkit.org/show_bug.cgi?id=195207
481
482         Unreviewed. After test runtime was reduced in r242213, test can be
483         run again on ARM/MIPS.
484
485         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
486
487 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
488
489         [JSC] sizeof(JSString) should be 16
490         https://bugs.webkit.org/show_bug.cgi?id=194375
491
492         Reviewed by Saam Barati.
493
494         * microbenchmarks/make-rope.js: Added.
495         (makeRope):
496         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
497         (returnRope.helper): Deleted.
498         (returnRope): Deleted.
499
500 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
501
502         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
503         https://bugs.webkit.org/show_bug.cgi?id=195144
504
505         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
506         Change the number from 1e8 to 1e5.
507
508         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
509         (foo):
510
511 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
512
513         Test times out on ARM/MIPS
514         https://bugs.webkit.org/show_bug.cgi?id=195168
515
516         Unreviewed. Skip test on ARM/MIPS.
517
518         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
519
520 2019-02-27  Mark Lam  <mark.lam@apple.com>
521
522         The parser is failing to record the token location of new in new.target.
523         https://bugs.webkit.org/show_bug.cgi?id=195127
524         <rdar://problem/39645578>
525
526         Reviewed by Yusuke Suzuki.
527
528         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
529
530 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
531
532         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
533         https://bugs.webkit.org/show_bug.cgi?id=195144
534         <rdar://problem/47595961>
535
536         Reviewed by Mark Lam.
537
538         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
539         (bar):
540         (foo):
541         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
542         (bar):
543         (foo):
544
545 2019-02-27  Robin Morisset  <rmorisset@apple.com>
546
547         DFG: Loop-invariant code motion (LICM) should not hoist dead code
548         https://bugs.webkit.org/show_bug.cgi?id=194945
549         <rdar://problem/48311657>
550
551         Reviewed by Mark Lam.
552
553         * stress/licm-dead-code.js: Added.
554
555 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
556
557         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
558         https://bugs.webkit.org/show_bug.cgi?id=194677
559         <rdar://problem/48112492>
560
561         Reviewed by Mark Lam.
562
563         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
564         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
565         it immediately fails due the large size.
566
567         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
568         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
569         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
570         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
571
572         This patch changes the test to produce 16bit string from String.fromCharCode.
573
574         * stress/regress-178386.js:
575
576 2019-02-26  Mark Lam  <mark.lam@apple.com>
577
578         wasmToJS() should purify incoming NaNs.
579         https://bugs.webkit.org/show_bug.cgi?id=194807
580         <rdar://problem/48189132>
581
582         Reviewed by Saam Barati.
583
584         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
585
586 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
587
588         [JSC] Repeat string created from Array.prototype.join() take too much memory
589         https://bugs.webkit.org/show_bug.cgi?id=193912
590
591         Reviewed by Saam Barati.
592
593         Added a test and a microbenchmark for corner cases of
594         Array.prototype.join() with an uninitialized array.
595
596         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
597         * stress/array-prototype-join-uninitialized.js: Added.
598         (testArray):
599         (testABC):
600         (B):
601         (C):
602
603 2019-02-22  Robin Morisset  <rmorisset@apple.com>
604
605         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
606         https://bugs.webkit.org/show_bug.cgi?id=194953
607         <rdar://problem/47595253>
608
609         Reviewed by Saam Barati.
610
611         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
612
613         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
614
615 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
616
617         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
618         https://bugs.webkit.org/show_bug.cgi?id=172848
619         <rdar://problem/25709212>
620
621         Reviewed by Mark Lam.
622
623         * typeProfiler/inheritance.js:
624         Rewrite the test slightly for clarity. The hoisting was confusing.
625
626         * heapProfiler/class-names.js: Added.
627         (MyES5Class):
628         (MyES6Class):
629         (MyES6Subclass):
630         Test object types and improved class names.
631
632         * heapProfiler/driver/driver.js:
633         (CheapHeapSnapshotNode):
634         (CheapHeapSnapshot):
635         (createCheapHeapSnapshot):
636         (HeapSnapshot):
637         (createHeapSnapshot):
638         Update snapshot parsing from version 1 to version 2.
639
640 2019-02-19  Truitt Savell  <tsavell@apple.com>
641
642         Unreviewed, rolling out r241784.
643
644         Broke all OpenSource builds.
645
646         Reverted changeset:
647
648         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
649         instances view"
650         https://bugs.webkit.org/show_bug.cgi?id=172848
651         https://trac.webkit.org/changeset/241784
652
653 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
654
655         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
656         https://bugs.webkit.org/show_bug.cgi?id=172848
657         <rdar://problem/25709212>
658
659         Reviewed by Mark Lam.
660
661         * typeProfiler/inheritance.js:
662         Rewrite the test slightly for clarity. The hoisting was confusing.
663
664         * heapProfiler/class-names.js: Added.
665         (MyES5Class):
666         (MyES6Class):
667         (MyES6Subclass):
668         Test object types and improved class names.
669
670         * heapProfiler/driver/driver.js:
671         (CheapHeapSnapshotNode):
672         (CheapHeapSnapshot):
673         (createCheapHeapSnapshot):
674         (HeapSnapshot):
675         (createHeapSnapshot):
676         Update snapshot parsing from version 1 to version 2.
677
678 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
679
680         [ARM] Fix crash with sampling profiler
681         https://bugs.webkit.org/show_bug.cgi?id=194772
682
683         Reviewed by Mark Lam.
684
685         Do not skip test since crash with sampling profiler is now fixed.
686
687         * stress/sampling-profiler-richards.js:
688
689 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         [JSC] Add LazyClassStructure::getInitializedOnMainThread
692         https://bugs.webkit.org/show_bug.cgi?id=194784
693         <rdar://problem/48154820>
694
695         Reviewed by Mark Lam.
696
697         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
698         (getProperties):
699         (getRandomProperty):
700         (i.catch):
701
702 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
703
704         [ARM] Test gardening: Test running out of executable memory
705         https://bugs.webkit.org/show_bug.cgi?id=194771
706
707         Unreviewed. Do not run test without LLInt, test is running out of executable
708         memory on ARM otherwise.
709
710         * stress/tagged-template-object-collect.js:
711
712 2019-02-18  Tomas Popela  <tpopela@redhat.com>
713
714         Unreviewed, skip the test on platforms without sampling profiler
715
716         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
717         (platformSupportsSamplingProfiler.foo):
718         (platformSupportsSamplingProfiler.test):
719         (platformSupportsSamplingProfiler):
720         (foo): Deleted.
721         (test): Deleted.
722
723 2019-02-17  Saam Barati  <sbarati@apple.com>
724
725         Deadlock when adding a Structure property transition and then doing incremental marking
726         https://bugs.webkit.org/show_bug.cgi?id=194767
727
728         Reviewed by Mark Lam.
729
730         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
731
732 2019-02-15  Michael Saboff  <msaboff@apple.com>
733
734         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
735         https://bugs.webkit.org/show_bug.cgi?id=194558
736
737         Reviewed by Saam Barati.
738
739         New regression test.
740
741         * stress/regexp-unicode-within-string.js: Added.
742
743 2019-02-15  Mark Lam  <mark.lam@apple.com>
744
745         SamplingProfiler::stackTracesAsJSON() should escape strings.
746         https://bugs.webkit.org/show_bug.cgi?id=194649
747         <rdar://problem/48072386>
748
749         Reviewed by Saam Barati.
750
751         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
752         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
753         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
754         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
755
756 2019-02-15  Robin Morisset  <rmorisset@apple.com>
757         CodeBlock::jettison should clear related watchpoints
758         https://bugs.webkit.org/show_bug.cgi?id=194544
759
760         Reviewed by Mark Lam.
761
762         * stress/regexp-replace-double-watchpoint.js: Added.
763         (foo):
764
765 2019-02-15  Saam barati  <sbarati@apple.com>
766
767         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
768         https://bugs.webkit.org/show_bug.cgi?id=194036
769
770         Reviewed by Yusuke Suzuki.
771
772         * stress/tail-call-many-arguments.js: Added.
773         (foo):
774         (bar):
775
776 2019-02-14  Saam Barati  <sbarati@apple.com>
777
778         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
779         https://bugs.webkit.org/show_bug.cgi?id=194583
780         <rdar://problem/48028140>
781
782         Reviewed by Yusuke Suzuki.
783
784         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
785
786 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
787
788         [JSC] String.fromCharCode's slow path always generates 16bit string
789         https://bugs.webkit.org/show_bug.cgi?id=194466
790
791         Reviewed by Keith Miller.
792
793         * stress/string-from-char-code-slow-path.js: Added.
794         (shouldBe):
795         (testWithLength):
796
797 2019-02-08  Saam barati  <sbarati@apple.com>
798
799         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
800         https://bugs.webkit.org/show_bug.cgi?id=194334
801         <rdar://problem/47844327>
802
803         Reviewed by Mark Lam.
804
805         * stress/check-in-bounds-should-be-a-child-use.js: Added.
806         (func):
807
808 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
809
810         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
811         https://bugs.webkit.org/show_bug.cgi?id=194369
812         <rdar://problem/47813087>
813
814         Reviewed by Saam Barati.
815
816         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
817         (A):
818
819 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         [JSC] PrivateName to PublicName hash table is wasteful
822         https://bugs.webkit.org/show_bug.cgi?id=194277
823
824         Reviewed by Michael Saboff.
825
826         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
827
828         * ChakraCore.yaml:
829
830 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
831
832         [ARM] Test running out of executable memory
833         https://bugs.webkit.org/show_bug.cgi?id=194285
834
835         Unreviewed. Do no execute test with LLInt disabled, test runs out of
836         executable memory otherwise.
837
838         * stress/class-subclassing-function.js:
839
840 2019-02-04  Robin Morisset  <rmorisset@apple.com>
841
842         when lowering AssertNotEmpty, create the value before creating the patchpoint
843         https://bugs.webkit.org/show_bug.cgi?id=194231
844
845         Reviewed by Saam Barati.
846
847         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
848         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
849         So even tiny changes to this test can change the path code taken.
850
851         * stress/assert-not-empty.js: Added.
852         (foo):
853
854 2019-02-01  Mark Lam  <mark.lam@apple.com>
855
856         Remove invalid assertion in DFG's compileDoubleRep().
857         https://bugs.webkit.org/show_bug.cgi?id=194130
858         <rdar://problem/47699474>
859
860         Reviewed by Saam Barati.
861
862         * stress/constant-fold-double-rep-into-double-constant.js: Added.
863
864 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
865
866         Import latest Test262 updates.
867
868         Rubber-stamped by Keith Miller.
869
870         * test262.yaml: Deleted.
871         * test262/config.yaml:
872         * test262/expectations.yaml:
873         * test262/latest-changes-summary.txt:
874         * test262/test/:
875         * test262/test262-Revision.txt:
876
877 2019-01-30  Robin Morisset  <rmorisset@apple.com>
878
879         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
880         https://bugs.webkit.org/show_bug.cgi?id=194050
881         <rdar://problem/47595592>
882
883         Reviewed by Yusuke Suzuki.
884
885         * stress/object-keys-osr-exit.js: Added.
886         (foo):
887         (catch):
888
889 2019-01-29  Mark Lam  <mark.lam@apple.com>
890
891         ValueRecovery::recover() should purify NaN values it recovers.
892         https://bugs.webkit.org/show_bug.cgi?id=193978
893         <rdar://problem/47625488>
894
895         Reviewed by Saam Barati.
896
897         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
898
899 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
900
901         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
902         https://bugs.webkit.org/show_bug.cgi?id=193713
903
904         * stress/try-get-by-id-should-spill-registers-dfg.js:
905         (let.f.createBuiltin):
906
907 2019-01-28  Mark Lam  <mark.lam@apple.com>
908
909         ToString node actually does GC.
910         https://bugs.webkit.org/show_bug.cgi?id=193920
911         <rdar://problem/46695900>
912
913         Reviewed by Yusuke Suzuki.
914
915         * stress/dfg-to-string-on-int-does-gc.js: Added.
916         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
917         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
918
919 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         [JSC] NativeErrorConstructor should not have own IsoSubspace
922         https://bugs.webkit.org/show_bug.cgi?id=193713
923
924         Reviewed by Saam Barati.
925
926         Remove @Error use.
927
928         * stress/try-get-by-id-should-spill-registers-dfg.js:
929         (let.f.createBuiltin):
930
931 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
932
933         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
934         https://bugs.webkit.org/show_bug.cgi?id=190693
935
936         Reviewed by Michael Saboff.
937
938         * stress/regress-190693.js: Added.
939         (truth):
940         (assert):
941         (shouldThrowInvalidConstAssignment):
942         (taz):
943
944 2019-01-24  Saam Barati  <sbarati@apple.com>
945
946         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
947         https://bugs.webkit.org/show_bug.cgi?id=193751
948         <rdar://problem/47280215>
949
950         Reviewed by Michael Saboff.
951
952         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
953         (let.thing):
954         (foo.let.hello):
955         (foo):
956
957 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
958
959         [JSC] Reenable baseline JIT on mips
960         https://bugs.webkit.org/show_bug.cgi?id=192983
961
962         Reviewed by Mark Lam.
963
964         Added a new test for a case that was triggering a RELEASE_ASSERT when
965         testing.
966         Disable some slow tests that were already disabled for arm and x86.
967
968         * stress/json-parse-big-object.js: Added.
969         * stress/new-largeish-contiguous-array-with-size.js:
970         * stress/op_add.js:
971         * stress/op_bitand.js:
972         * stress/op_bitor.js:
973         * stress/op_bitxor.js:
974         * stress/op_lshift-ConstVar.js:
975         * stress/op_lshift-VarConst.js:
976         * stress/op_lshift-VarVar.js:
977         * stress/op_mod-ConstVar.js:
978         * stress/op_mod-VarConst.js:
979         * stress/op_mod-VarVar.js:
980         * stress/op_mul-ConstVar.js:
981         * stress/op_mul-VarConst.js:
982         * stress/op_mul-VarVar.js:
983         * stress/op_rshift-ConstVar.js:
984         * stress/op_rshift-VarConst.js:
985         * stress/op_rshift-VarVar.js:
986         * stress/op_sub-ConstVar.js:
987         * stress/op_sub-VarConst.js:
988         * stress/op_sub-VarVar.js:
989         * stress/op_urshift-ConstVar.js:
990         * stress/op_urshift-VarConst.js:
991         * stress/op_urshift-VarVar.js:
992         * stress/sampling-profiler-richards.js:
993         * stress/spread-forward-call-varargs-stack-overflow.js:
994
995 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
998         https://bugs.webkit.org/show_bug.cgi?id=193711
999         <rdar://problem/47250262>
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1004         (shouldBe):
1005         (foo):
1006         (bar):
1007         (baz):
1008
1009 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1010
1011         Unreviewed, fix initial global lexical binding epoch
1012         https://bugs.webkit.org/show_bug.cgi?id=193603
1013         <rdar://problem/47380869>
1014
1015         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1016         (f1.f2.f3.f4):
1017         (f1.f2.f3):
1018         (f1.f2):
1019         (f1):
1020
1021 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1022
1023         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1024         https://bugs.webkit.org/show_bug.cgi?id=193709
1025         <rdar://problem/47363838>
1026
1027         Unreviewed, rollout to watch the tests.
1028
1029         * stress/object-tostring-changed-proto.js: Removed.
1030         * stress/object-tostring-changed.js: Removed.
1031         * stress/object-tostring-misc.js: Removed.
1032         * stress/object-tostring-other.js: Removed.
1033         * stress/object-tostring-untyped.js: Removed.
1034
1035 2019-01-22  Saam Barati  <sbarati@apple.com>
1036
1037         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1038
1039         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1040         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1041         (testUncheckedLessThanZero):
1042         (testUncheckedLessThanOrEqualZero):
1043         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1044         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1045
1046 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1047
1048         [JSC] Invalidate old scope operations using global lexical binding epoch
1049         https://bugs.webkit.org/show_bug.cgi?id=193603
1050         <rdar://problem/47380869>
1051
1052         Reviewed by Saam Barati.
1053
1054         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1055         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1056         (shouldThrow):
1057         (bar):
1058         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1059         (shouldBe):
1060         (get1):
1061         (get2):
1062         (get1If):
1063         (get2If):
1064         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1065         (shouldThrow):
1066         (foo):
1067
1068 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1069
1070         Unreviewed, roll out r240220 due to date-format-xparb regression
1071         https://bugs.webkit.org/show_bug.cgi?id=193603
1072
1073         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1074         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1075         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1076         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1077
1078 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1079
1080         DoesGC rule is wrong for nodes with BigIntUse
1081         https://bugs.webkit.org/show_bug.cgi?id=193652
1082
1083         Reviewed by Saam Barati.
1084
1085         * stress/big-int-value-op-update-gc-rules.js: Added.
1086         (assert):
1087         (doesGCAdd):
1088         (doesGCSub):
1089         (doesGCDiv):
1090         (doesGCMul):
1091         (doesGCBitAnd):
1092         (doesGCBitOr):
1093         (doesGCBitXor):
1094
1095 2019-01-20  Saam Barati  <sbarati@apple.com>
1096
1097         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1098         https://bugs.webkit.org/show_bug.cgi?id=193644
1099         <rdar://problem/46209745>
1100
1101         Reviewed by Yusuke Suzuki.
1102
1103         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1104         (foo):
1105         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1106         (foo):
1107         (bar):
1108
1109 2019-01-20  Saam Barati  <sbarati@apple.com>
1110
1111         MovHint must merge NodeBytecodeUsesAsValue for its child
1112         https://bugs.webkit.org/show_bug.cgi?id=186916
1113         <rdar://problem/41396612>
1114
1115         Reviewed by Yusuke Suzuki.
1116
1117         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1118         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1119
1120 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1121
1122         [JSC] Invalidate old scope operations using global lexical binding epoch
1123         https://bugs.webkit.org/show_bug.cgi?id=193603
1124         <rdar://problem/47380869>
1125
1126         Reviewed by Saam Barati.
1127
1128         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1129         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1130         (shouldThrow):
1131         (bar):
1132         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1133         (shouldBe):
1134         (get1):
1135         (get2):
1136         (get1If):
1137         (get2If):
1138         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1139         (shouldThrow):
1140         (foo):
1141
1142 2019-01-17  Saam barati  <sbarati@apple.com>
1143
1144         StringObjectUse should not be a structure check for the original string object structure
1145         https://bugs.webkit.org/show_bug.cgi?id=193483
1146         <rdar://problem/47280522>
1147
1148         Reviewed by Yusuke Suzuki.
1149
1150         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1151         (foo):
1152         (a.valueOf.0):
1153
1154 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1155
1156         [JSC] ToThis omission in DFGByteCodeParser is wrong
1157         https://bugs.webkit.org/show_bug.cgi?id=193513
1158         <rdar://problem/45842236>
1159
1160         Reviewed by Saam Barati.
1161
1162         * stress/to-this-omission-with-different-strict-modes.js: Added.
1163         (thisA):
1164         (thisAStrictWrapper):
1165
1166 2019-01-15  Mark Lam  <mark.lam@apple.com>
1167
1168         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1169         https://bugs.webkit.org/show_bug.cgi?id=193423
1170         <rdar://problem/46209355>
1171
1172         Reviewed by Saam Barati.
1173
1174         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1175         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1176         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1177         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1178
1179 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1180
1181         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1182         https://bugs.webkit.org/show_bug.cgi?id=193438
1183         <rdar://problem/45581249>
1184
1185         Reviewed by Saam Barati and Keith Miller.
1186
1187         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1188         Then, GetByVal(String) crashed.
1189
1190         * stress/string-get-by-val-lowering.js: Added.
1191         (shouldBe):
1192         (test):
1193         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1194         (Hello):
1195         (foo):
1196
1197 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1198
1199         Unreviewed, skip JIT tests if it's not enabled
1200
1201         * stress/bit-op-with-object-returning-int32.js:
1202
1203 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1204
1205         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1206         https://bugs.webkit.org/show_bug.cgi?id=192966
1207
1208         Reviewed by Yusuke Suzuki.
1209
1210         * stress/bit-op-with-object-returning-int32.js: Added.
1211
1212 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1213
1214         Skip a slow test and a flakey test on arm
1215
1216         Unreviewed gardening.
1217
1218         * typeProfiler/getter-richards.js:
1219         this test always times out, it used to be always skipped on arm and
1220         mips, but got accidentally enabled by r237919 now that we have DFG on
1221         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1222
1223 2019-01-14  Keith Miller  <keith_miller@apple.com>
1224
1225         Skip type-check-hoisting-phase-hoist... with no jit
1226         https://bugs.webkit.org/show_bug.cgi?id=193421
1227
1228         Reviewed by Mark Lam.
1229
1230         It's timing out the 32-bit bots and takes 330 seconds
1231         on my machine when run by itself.
1232
1233         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1234
1235 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1236
1237         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1238         https://bugs.webkit.org/show_bug.cgi?id=193413
1239         <rdar://problem/46092389>
1240
1241         Reviewed by Keith Miller.
1242
1243         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1244         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1245         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1246         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1247
1248         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1249         (compareArray):
1250
1251 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1252
1253         [BigInt] Literal parsing is crashing when used inside a Object Literal
1254         https://bugs.webkit.org/show_bug.cgi?id=193404
1255
1256         Reviewed by Yusuke Suzuki.
1257
1258         * stress/big-int-literal-inside-literal-object.js: Added.
1259
1260 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1261
1262         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1263         https://bugs.webkit.org/show_bug.cgi?id=193372
1264
1265         Reviewed by Saam Barati.
1266
1267         * stress/typed-array-array-modes-profile.js: Added.
1268         (foo):
1269
1270 2019-01-14  Mark Lam  <mark.lam@apple.com>
1271
1272         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1273         https://bugs.webkit.org/show_bug.cgi?id=193402
1274         <rdar://problem/46012309>
1275
1276         Reviewed by Keith Miller.
1277
1278         * stress/regexp-compile-oom.js:
1279         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1280           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1281
1282 2019-01-11  Saam barati  <sbarati@apple.com>
1283
1284         DFG combined liveness can be wrong for terminal basic blocks
1285         https://bugs.webkit.org/show_bug.cgi?id=193304
1286         <rdar://problem/45268632>
1287
1288         Reviewed by Yusuke Suzuki.
1289
1290         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1291
1292 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1293
1294         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1295         https://bugs.webkit.org/show_bug.cgi?id=193308
1296         <rdar://problem/45546542>
1297
1298         Reviewed by Saam Barati.
1299
1300         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1301         (shouldThrow):
1302         (shouldBe):
1303         (foo):
1304         (get shouldThrow):
1305         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1306         (shouldThrow):
1307         (shouldBe):
1308         (foo):
1309         (get shouldBe):
1310         (get shouldThrow):
1311         (get return):
1312         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1313         (shouldThrow):
1314         (shouldBe):
1315         (foo):
1316         (get shouldBe):
1317         (get shouldThrow):
1318         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1319         (shouldThrow):
1320         (shouldBe):
1321         (foo):
1322         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1323         (shouldThrow):
1324         (shouldBe):
1325         (foo):
1326         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1327         (shouldThrow):
1328         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1329         (shouldThrow):
1330         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1331         (shouldThrow):
1332         (shouldBe):
1333         (foo):
1334         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1335         (shouldThrow):
1336         (shouldBe):
1337         (foo):
1338         (get shouldBe):
1339         (get shouldThrow):
1340         (get return):
1341         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1342         (shouldThrow):
1343         (shouldBe):
1344         (foo):
1345         (get shouldBe):
1346         (get shouldThrow):
1347         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1348         (shouldThrow):
1349         (shouldBe):
1350         (foo):
1351         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1352         (shouldThrow):
1353         (shouldBe):
1354         (foo):
1355
1356 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1357
1358         Enable DFG on ARM/Linux again
1359         https://bugs.webkit.org/show_bug.cgi?id=192496
1360
1361         Reviewed by Yusuke Suzuki.
1362
1363         Test wasn't really skipped before moving the line with skip
1364         to the top.
1365
1366         * stress/regress-192717.js:
1367
1368 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1369
1370         Unreviewed, rolling out r239825.
1371         https://bugs.webkit.org/show_bug.cgi?id=193330
1372
1373         Broke tests on armv7/linux bots (Requested by guijemont on
1374         #webkit).
1375
1376         Reverted changeset:
1377
1378         "Enable DFG on ARM/Linux again"
1379         https://bugs.webkit.org/show_bug.cgi?id=192496
1380         https://trac.webkit.org/changeset/239825
1381
1382 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1383
1384         Enable DFG on ARM/Linux again
1385         https://bugs.webkit.org/show_bug.cgi?id=192496
1386
1387         Reviewed by Yusuke Suzuki.
1388
1389         Test wasn't really skipped before moving the line with skip
1390         to the top.
1391
1392         * stress/regress-192717.js:
1393
1394 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1395
1396         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1397         https://bugs.webkit.org/show_bug.cgi?id=193127
1398
1399         Reviewed by Saam Barati.
1400
1401         * stress/array-species-create-should-handle-masquerader.js: Added.
1402         (shouldThrow):
1403         * stress/is-undefined-or-null-builtin.js: Added.
1404         (shouldBe):
1405         (isUndefinedOrNull.vm.createBuiltin):
1406
1407 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1408
1409         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1410         https://bugs.webkit.org/show_bug.cgi?id=193221
1411
1412         Reviewed by Mark Lam.
1413
1414         * stress/put-by-id-flags.js: Added.
1415         (f):
1416         (g):
1417         (numberOfDFGCompiles):
1418
1419 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1420
1421         Baseline version of get_by_id may corrupt metadata
1422         https://bugs.webkit.org/show_bug.cgi?id=193085
1423         <rdar://problem/23453006>
1424
1425         Reviewed by Saam Barati.
1426
1427         * stress/get-by-id-change-mode.js: Added.
1428         (forEach):
1429
1430 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1431
1432         [JSC] Optimize Object.prototype.toString
1433         https://bugs.webkit.org/show_bug.cgi?id=193031
1434
1435         Reviewed by Saam Barati.
1436
1437         * stress/object-tostring-changed-proto.js: Added.
1438         (shouldBe):
1439         (test):
1440         * stress/object-tostring-changed.js: Added.
1441         (shouldBe):
1442         (test):
1443         * stress/object-tostring-misc.js: Added.
1444         (shouldBe):
1445         (test):
1446         (i.switch):
1447         * stress/object-tostring-other.js: Added.
1448         (shouldBe):
1449         (test):
1450         * stress/object-tostring-untyped.js: Added.
1451         (shouldBe):
1452         (test):
1453         (i.switch):
1454
1455 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1456
1457         test262-runner misbehaves when test file YAML has a trailing space
1458         https://bugs.webkit.org/show_bug.cgi?id=193053
1459
1460         Reviewed by Yusuke Suzuki.
1461
1462         * test262/expectations.yaml:
1463         Mark two dozen tests as passing (and correct the output of another).
1464
1465 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1466
1467         Unreviewed, JSTests gardening with memoryLimited
1468
1469         * stress/string-overflow-createError.js:
1470
1471 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1472
1473         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1474         https://bugs.webkit.org/show_bug.cgi?id=193050
1475
1476         Reviewed by Yusuke Suzuki.
1477
1478         * test262.yaml:
1479         * test262/expectations.yaml:
1480         Mark 16 tests as passing.
1481
1482 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1483
1484         [BigInt] Support BigInt in JSON.stringify
1485         https://bugs.webkit.org/show_bug.cgi?id=192624
1486
1487         Reviewed by Saam Barati.
1488
1489         * stress/big-int-json-stringify-to-json.js: Added.
1490         (shouldBe):
1491         (shouldThrow):
1492         (BigInt.prototype.toJSON):
1493         (shouldBe.JSON.stringify):
1494         * stress/big-int-json-stringify.js: Added.
1495         (shouldBe):
1496         (shouldThrow):
1497
1498 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1499
1500         [JSC] Implement "well-formed JSON.stringify" proposal
1501         https://bugs.webkit.org/show_bug.cgi?id=191677
1502
1503         Reviewed by Darin Adler.
1504
1505         * stress/json-surrogate-pair.js: Added.
1506         (shouldBe):
1507         * test262/expectations.yaml:
1508
1509 2018-12-20  Keith Miller  <keith_miller@apple.com>
1510
1511         Add support for globalThis
1512         https://bugs.webkit.org/show_bug.cgi?id=165171
1513
1514         Reviewed by Mark Lam.
1515
1516         * test262/config.yaml:
1517
1518 2018-12-19  Keith Miller  <keith_miller@apple.com>
1519
1520         Update test262 configuration to not run tests dependent on ICU version.
1521         https://bugs.webkit.org/show_bug.cgi?id=192920
1522
1523         Reviewed by Saam Barati.
1524
1525         * test262/expectations.yaml:
1526
1527 2018-12-20  Mark Lam  <mark.lam@apple.com>
1528
1529         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1530         https://bugs.webkit.org/show_bug.cgi?id=192939
1531         <rdar://problem/46869516>
1532
1533         Reviewed by Keith Miller.
1534
1535         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1536
1537 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1538
1539         WTF::String and StringImpl overflow MaxLength
1540         https://bugs.webkit.org/show_bug.cgi?id=192853
1541         <rdar://problem/45726906>
1542
1543         Reviewed by Mark Lam.
1544
1545         * stress/string-16bit-repeat-overflow.js: Added.
1546         (catch):
1547
1548 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1549
1550         Unreviewed follow-up to r192914.
1551
1552         * test262/expectations.yaml:
1553         Add the last 20 missing expectations.
1554
1555 2018-12-19  Keith Miller  <keith_miller@apple.com>
1556
1557         Fix test262 expectations
1558         https://bugs.webkit.org/show_bug.cgi?id=192914
1559
1560         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1561
1562         * test262/expectations.yaml:
1563
1564 2018-12-19  Keith Miller  <keith_miller@apple.com>
1565
1566         Update test262 tests.
1567         https://bugs.webkit.org/show_bug.cgi?id=192907
1568
1569         Rubber stamped by Mark Lam.
1570
1571         * test262/*: Omitted because prepare-changelog crashes.
1572
1573 2018-12-19  Mark Lam  <mark.lam@apple.com>
1574
1575         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1576         https://bugs.webkit.org/show_bug.cgi?id=192464
1577         <rdar://problem/46519455>
1578
1579         Reviewed by Saam Barati.
1580
1581         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1582         microbenchmark.
1583
1584         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1585         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1586
1587 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1588
1589         String overflow in JSC::createError results in ASSERT in WTF::makeString
1590         https://bugs.webkit.org/show_bug.cgi?id=192833
1591         <rdar://problem/45706868>
1592
1593         Reviewed by Mark Lam.
1594
1595         * stress/string-overflow-createError.js: Added.
1596
1597 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1598
1599         Error message for `-x ** y` contains a typo.
1600         https://bugs.webkit.org/show_bug.cgi?id=192832
1601
1602         Reviewed by Saam Barati.
1603
1604         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1605         (assert.assert.return.throws):
1606         * stress/pow-expects-update-expression-on-lhs.js:
1607         (throw.new.Error):
1608         Update test expectations which match against the exact error message.
1609
1610 2018-12-18  Mark Lam  <mark.lam@apple.com>
1611
1612         Gardening: test options fix.
1613         https://bugs.webkit.org/show_bug.cgi?id=192822
1614
1615         Unreviewed.
1616
1617         * stress/json-stringify-string-builder-overflow.js:
1618
1619 2018-12-18  Mark Lam  <mark.lam@apple.com>
1620
1621         JSON.stringify() should throw OOM on StringBuilder overflows.
1622         https://bugs.webkit.org/show_bug.cgi?id=192822
1623         <rdar://problem/46670577>
1624
1625         Reviewed by Saam Barati.
1626
1627         * stress/json-stringify-string-builder-overflow.js: Added.
1628
1629 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1630
1631         Redeclaration of var over let/const/class should be a syntax error.
1632         https://bugs.webkit.org/show_bug.cgi?id=192298
1633
1634         Reviewed by Keith Miller.
1635
1636         * test262.yaml:
1637         * test262/expectations.yaml:
1638         Mark 46 tests as passing.
1639
1640         * stress/block-scope-redeclarations.js:
1641         Add some new tests.
1642
1643         * stress/for-in-invalidate-context-weird-assignments.js:
1644         * stress/for-in-tests.js:
1645         Replace tests for outdated behavior with tests for SyntaxError.
1646
1647         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1648         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1649         Update expectations.
1650
1651 2018-12-18  Mark Lam  <mark.lam@apple.com>
1652
1653         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1654         https://bugs.webkit.org/show_bug.cgi?id=191374
1655         <rdar://problem/46525447>
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1660
1661         * stress/elidable-new-object-roflcopter-then-exit.js:
1662
1663 2018-12-17  Mark Lam  <mark.lam@apple.com>
1664
1665         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1666         https://bugs.webkit.org/show_bug.cgi?id=192019
1667         <rdar://problem/46525456>
1668
1669         Reviewed by Yusuke Suzuki.
1670
1671         The test runs too slow on 32-bit.
1672
1673         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1674
1675 2018-12-17  Mark Lam  <mark.lam@apple.com>
1676
1677         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1678         https://bugs.webkit.org/show_bug.cgi?id=191373
1679         <rdar://problem/46525458>
1680
1681         Reviewed by Yusuke Suzuki.
1682
1683         The test is already slow running with a JIT on 64-bit.  It will always timeout
1684         on 32-bit without a JIT.
1685
1686         * stress/materialize-regexp-cyclic-regexp.js:
1687
1688 2018-12-17  Mark Lam  <mark.lam@apple.com>
1689
1690         Array unshift/shift should not race against the AI in the compiler thread.
1691         https://bugs.webkit.org/show_bug.cgi?id=192795
1692         <rdar://problem/46724263>
1693
1694         Reviewed by Saam Barati.
1695
1696         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1697
1698 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1699
1700         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1701         https://bugs.webkit.org/show_bug.cgi?id=190047
1702
1703         Reviewed by Saam Barati.
1704
1705         * stress/object-keys-cached-zero.js: Added.
1706         (shouldBe):
1707         (test):
1708         * stress/object-keys-changed-attribute.js: Added.
1709         (shouldBe):
1710         (test):
1711         * stress/object-keys-changed-index.js: Added.
1712         (shouldBe):
1713         (test):
1714         * stress/object-keys-changed.js: Added.
1715         (shouldBe):
1716         (test):
1717         * stress/object-keys-indexed-non-cache.js: Added.
1718         (shouldBe):
1719         (test):
1720         * stress/object-keys-overrides-get-property-names.js: Added.
1721         (shouldBe):
1722         (test):
1723         (noInline):
1724
1725 2018-12-17  Mark Lam  <mark.lam@apple.com>
1726
1727         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1728         https://bugs.webkit.org/show_bug.cgi?id=192779
1729         <rdar://problem/46775869>
1730
1731         Reviewed by Saam Barati.
1732
1733         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1734
1735 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1736
1737         Unreviewed test gardening, address a syntax error in a new test.
1738
1739         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1740
1741 2018-12-17  Mark Lam  <mark.lam@apple.com>
1742
1743         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1744         https://bugs.webkit.org/show_bug.cgi?id=192776
1745         <rdar://problem/46772368>
1746
1747         Reviewed by Keith Miller.
1748
1749         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1750
1751 2018-12-17  Mark Lam  <mark.lam@apple.com>
1752
1753         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1754         https://bugs.webkit.org/show_bug.cgi?id=192770
1755         <rdar://problem/46449037>
1756
1757         Reviewed by Keith Miller.
1758
1759         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1760
1761 2018-12-14  Mark Lam  <mark.lam@apple.com>
1762
1763         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1764         https://bugs.webkit.org/show_bug.cgi?id=192717
1765         <rdar://problem/46660677>
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/regress-192717.js: Added.
1770
1771 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1772
1773         Unreviewed, rolling out r239153, r239154, and r239155.
1774         https://bugs.webkit.org/show_bug.cgi?id=192715
1775
1776         Caused flaky GC-related crashes seen with layout tests
1777         (Requested by ryanhaddad on #webkit).
1778
1779         Reverted changesets:
1780
1781         "[JSC] Optimize Object.keys by caching own keys results in
1782         StructureRareData"
1783         https://bugs.webkit.org/show_bug.cgi?id=190047
1784         https://trac.webkit.org/changeset/239153
1785
1786         "Unreviewed, build fix after r239153"
1787         https://bugs.webkit.org/show_bug.cgi?id=190047
1788         https://trac.webkit.org/changeset/239154
1789
1790         "Unreviewed, build fix after r239153, part 2"
1791         https://bugs.webkit.org/show_bug.cgi?id=190047
1792         https://trac.webkit.org/changeset/239155
1793
1794 2018-12-14  Keith Miller  <keith_miller@apple.com>
1795
1796         Callers of JSString::getIndex should check for OOM exceptions
1797         https://bugs.webkit.org/show_bug.cgi?id=192709
1798
1799         Reviewed by Mark Lam.
1800
1801         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1802
1803 2018-12-13  Mark Lam  <mark.lam@apple.com>
1804
1805         Add a missing exception check.
1806         https://bugs.webkit.org/show_bug.cgi?id=192626
1807         <rdar://problem/46662163>
1808
1809         Reviewed by Keith Miller.
1810
1811         * stress/regress-192626.js: Added.
1812
1813 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1814
1815         [BigInt] Add ValueDiv into DFG
1816         https://bugs.webkit.org/show_bug.cgi?id=186178
1817
1818         Reviewed by Yusuke Suzuki.
1819
1820         * stress/big-int-div-jit-osr.js: Added.
1821         * stress/big-int-div-jit-untyped.js: Added.
1822         * stress/value-div-fixup-int32-big-int.js: Added.
1823
1824 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1825
1826         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1827         https://bugs.webkit.org/show_bug.cgi?id=190047
1828
1829         Reviewed by Keith Miller.
1830
1831         * stress/object-keys-cached-zero.js: Added.
1832         (shouldBe):
1833         (test):
1834         * stress/object-keys-changed-attribute.js: Added.
1835         (shouldBe):
1836         (test):
1837         * stress/object-keys-changed-index.js: Added.
1838         (shouldBe):
1839         (test):
1840         * stress/object-keys-changed.js: Added.
1841         (shouldBe):
1842         (test):
1843         * stress/object-keys-indexed-non-cache.js: Added.
1844         (shouldBe):
1845         (test):
1846         * stress/object-keys-overrides-get-property-names.js: Added.
1847         (shouldBe):
1848         (test):
1849         (noInline):
1850
1851 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1852
1853         [DFG][FTL] Add NewSymbol
1854         https://bugs.webkit.org/show_bug.cgi?id=192620
1855
1856         Reviewed by Saam Barati.
1857
1858         * microbenchmarks/symbol-creation.js: Added.
1859         (test):
1860         * stress/symbol-description-identity.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/symbol-identity.js: Added.
1864         (shouldBe):
1865         (test):
1866         * stress/symbol-with-description-throw-error.js: Added.
1867         (shouldBe):
1868         (shouldThrow):
1869         (test):
1870         (object.toString):
1871
1872 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1873
1874         [BigInt] Implement DFG/FTL typeof for BigInt
1875         https://bugs.webkit.org/show_bug.cgi?id=192619
1876
1877         Reviewed by Keith Miller.
1878
1879         * stress/big-int-boolean-proven-type.js: Added.
1880         (assert):
1881         (bool):
1882         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1883         (assert):
1884         (typeOf):
1885         (i.switch):
1886         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1887         (assert):
1888         (typeOf):
1889         * stress/big-int-type-of.js:
1890         (typeOf):
1891         (func):
1892
1893 2018-12-10  Mark Lam  <mark.lam@apple.com>
1894
1895         PropertyAttribute needs a CustomValue bit.
1896         https://bugs.webkit.org/show_bug.cgi?id=191993
1897         <rdar://problem/46264467>
1898
1899         Reviewed by Saam Barati.
1900
1901         * stress/regress-191993.js: Added.
1902
1903 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1904
1905         [BigInt] Add ValueMul into DFG
1906         https://bugs.webkit.org/show_bug.cgi?id=186175
1907
1908         Reviewed by Yusuke Suzuki.
1909
1910         * stress/big-int-mul-jit-osr.js: Added.
1911         * stress/big-int-mul-jit-untyped.js: Added.
1912         * stress/value-mul-fixup-int32-big-int.js: Added.
1913
1914 2018-12-06  Keith Miller  <keith_miller@apple.com>
1915
1916         stress/big-wasm-memory tests failing on 32-bit JSC bot
1917         https://bugs.webkit.org/show_bug.cgi?id=192020
1918
1919         Reviewed by Saam Barati.
1920
1921         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1922         the wasm stress tests if the WebAssembly object does not exist.
1923
1924         * stress/big-wasm-memory-grow-no-max.js:
1925         (test.foo):
1926         (test):
1927         (foo): Deleted.
1928         (catch): Deleted.
1929         * stress/big-wasm-memory-grow.js:
1930         (test.foo):
1931         (test):
1932         (foo): Deleted.
1933         (catch): Deleted.
1934         * stress/big-wasm-memory.js:
1935         (test.foo):
1936         (test):
1937         (foo): Deleted.
1938         (catch): Deleted.
1939
1940 2018-12-05  Mark Lam  <mark.lam@apple.com>
1941
1942         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1943         https://bugs.webkit.org/show_bug.cgi?id=192441
1944         <rdar://problem/46480355>
1945
1946         Reviewed by Saam Barati.
1947
1948         * stress/regress-192441.js: Added.
1949
1950 2018-12-04  Mark Lam  <mark.lam@apple.com>
1951
1952         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1953         https://bugs.webkit.org/show_bug.cgi?id=192386
1954         <rdar://problem/46445516>
1955
1956         Reviewed by Saam Barati.
1957
1958         * stress/regress-192386.js: Added.
1959
1960 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1961
1962         [ESNext][BigInt] Support logic operations
1963         https://bugs.webkit.org/show_bug.cgi?id=179903
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * stress/big-int-branch-usage.js: Added.
1968         * stress/big-int-logical-and.js: Added.
1969         * stress/big-int-logical-not.js: Added.
1970         * stress/big-int-logical-or.js: Added.
1971
1972 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1973
1974         Unreviewed, rolling out r238833.
1975
1976         Breaks macOS and iOS debug builds.
1977
1978         Reverted changeset:
1979
1980         "[ESNext][BigInt] Support logic operations"
1981         https://bugs.webkit.org/show_bug.cgi?id=179903
1982         https://trac.webkit.org/changeset/238833
1983
1984 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1985
1986         [ESNext][BigInt] Support logic operations
1987         https://bugs.webkit.org/show_bug.cgi?id=179903
1988
1989         Reviewed by Yusuke Suzuki.
1990
1991         * stress/big-int-branch-usage.js: Added.
1992         * stress/big-int-logical-and.js: Added.
1993         * stress/big-int-logical-not.js: Added.
1994         * stress/big-int-logical-or.js: Added.
1995
1996 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1997
1998         [ESNext][BigInt] Implement support for "<<" and ">>"
1999         https://bugs.webkit.org/show_bug.cgi?id=186233
2000
2001         Reviewed by Yusuke Suzuki.
2002
2003         * stress/big-int-left-shift-general.js: Added.
2004         * stress/big-int-left-shift-range-error.js: Added.
2005         * stress/big-int-left-shift-type-error.js: Added.
2006         * stress/big-int-left-shift-wrapped-value.js: Added.
2007         * stress/big-int-right-shift-general.js: Added.
2008         * stress/big-int-right-shift-type-error.js: Added.
2009         * stress/big-int-right-shift-wrapped-value.js: Added.
2010         * stress/left-shift-to-primitive-precedence.js: Added.
2011         * stress/right-shift-to-primitive-precedence.js: Added.
2012
2013 2018-11-30  Dean Jackson  <dino@apple.com>
2014
2015         Add first-class support for .mjs files in jsc binary
2016         https://bugs.webkit.org/show_bug.cgi?id=192190
2017         <rdar://problem/46375715>
2018
2019         Reviewed by Keith Miller.
2020
2021         * stress/simple-module.mjs: Added.
2022         * stress/simple-script.js: Added.
2023
2024 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2025
2026         [BigInt] Implement ValueBitXor into DFG
2027         https://bugs.webkit.org/show_bug.cgi?id=190264
2028
2029         Reviewed by Yusuke Suzuki.
2030
2031         * stress/big-int-bitwise-xor-jit.js: Added.
2032         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2033         * stress/big-int-bitwise-xor-untyped.js: Added.
2034
2035 2018-11-27  Saam barati  <sbarati@apple.com>
2036
2037         r238510 broke scopes of size zero
2038         https://bugs.webkit.org/show_bug.cgi?id=192033
2039         <rdar://problem/46281734>
2040
2041         Reviewed by Keith Miller.
2042
2043         * stress/r238510-bad-loop.js: Added.
2044         (foo):
2045
2046 2018-11-27  Mark Lam  <mark.lam@apple.com>
2047
2048         [Re-landing] NaNs read from Wasm code needs to be be purified.
2049         https://bugs.webkit.org/show_bug.cgi?id=191056
2050         <rdar://problem/45660341>
2051
2052         Reviewed by Filip Pizlo.
2053
2054         * wasm/regress/regress-191056.js: Added.
2055
2056 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2057
2058         Unreviewed, rolling out r238509.
2059
2060         Causes JSC tests to fail on iOS.
2061
2062         Reverted changeset:
2063
2064         "NaNs read from Wasm code needs to be be purified."
2065         https://bugs.webkit.org/show_bug.cgi?id=191056
2066         https://trac.webkit.org/changeset/238509
2067
2068 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2069
2070         Re-introduce op_bitnot
2071         https://bugs.webkit.org/show_bug.cgi?id=190923
2072
2073         Reviewed by Yusuke Suzuki.
2074
2075         * stress/bit-not-must-generate.js: Added.
2076         * stress/bitwise-not-no-int32.js: Added.
2077
2078 2018-11-26  Saam barati  <sbarati@apple.com>
2079
2080         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2081         https://bugs.webkit.org/show_bug.cgi?id=191956
2082         <rdar://problem/45665806>
2083
2084         Reviewed by Yusuke Suzuki.
2085
2086         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2087         (bar):
2088         (foo):
2089
2090 2018-11-26  Saam barati  <sbarati@apple.com>
2091
2092         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2093         https://bugs.webkit.org/show_bug.cgi?id=191958
2094         <rdar://problem/46221877>
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2099         (x):
2100         (foo):
2101
2102 2018-11-26  Mark Lam  <mark.lam@apple.com>
2103
2104         NaNs read from Wasm code needs to be be purified.
2105         https://bugs.webkit.org/show_bug.cgi?id=191056
2106         <rdar://problem/45660341>
2107
2108         Reviewed by Filip Pizlo.
2109
2110         * wasm/regress/regress-191056.js: Added.
2111
2112 2018-11-26  Michael Saboff  <msaboff@apple.com>
2113
2114         32-bit JSC test failure: stress/regexp-compile-oom.js
2115         https://bugs.webkit.org/show_bug.cgi?id=191375
2116
2117         Reviewed by Mark Lam.
2118
2119         Disabled the test for 32 bit platforms.
2120
2121         * stress/regexp-compile-oom.js:
2122
2123 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2124
2125         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2126         https://bugs.webkit.org/show_bug.cgi?id=191716
2127         <rdar://problem/45723878>
2128
2129         Reviewed by Saam Barati.
2130
2131         * stress/regress-187373.js: Added.
2132         (async.fn):
2133
2134 2018-11-21  Saam barati  <sbarati@apple.com>
2135
2136         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2137         https://bugs.webkit.org/show_bug.cgi?id=191897
2138         <rdar://problem/45871998>
2139
2140         Reviewed by Mark Lam.
2141
2142         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2143         (bar):
2144         (foo):
2145
2146 2018-11-21  Saam barati  <sbarati@apple.com>
2147
2148         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2149         https://bugs.webkit.org/show_bug.cgi?id=191895
2150         <rdar://problem/46167406>
2151
2152         Reviewed by Mark Lam.
2153
2154         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2155         (foo):
2156         (bar):
2157
2158 2018-11-21  Mark Lam  <mark.lam@apple.com>
2159
2160         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2161         https://bugs.webkit.org/show_bug.cgi?id=191776
2162         <rdar://problem/46152851>
2163
2164         Reviewed by Saam Barati.
2165
2166         * stress/big-wasm-memory-grow-no-max.js:
2167         * stress/big-wasm-memory-grow.js:
2168         * stress/big-wasm-memory.js:
2169         - updated these to expect an OutOfMemoryError.
2170
2171         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2172         (Binary.prototype.emit_u8):
2173         (Binary.prototype.emit_u32v):
2174         (Binary.prototype.emit_header):
2175         (Binary.prototype.emit_section):
2176         (Binary):
2177         (WasmModuleBuilder):
2178         (WasmModuleBuilder.prototype.addMemory):
2179         (WasmModuleBuilder.prototype.toArray):
2180         (WasmModuleBuilder.prototype.toBuffer):
2181         (WasmModuleBuilder.prototype.instantiate):
2182         (catch):
2183         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2184         (catch):
2185
2186 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2187
2188         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2189         https://bugs.webkit.org/show_bug.cgi?id=190836
2190
2191         Reviewed by Saam Barati and Yusuke Suzuki.
2192
2193         * stress/big-int-out-of-memory-tests.js: Added.
2194
2195 2018-11-20  Mark Lam  <mark.lam@apple.com>
2196
2197         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2198         https://bugs.webkit.org/show_bug.cgi?id=191856
2199         <rdar://problem/46089992>
2200
2201         Reviewed by Yusuke Suzuki.
2202
2203         * stress/regress-191856.js: Added.
2204         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2205
2206 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2207
2208         Enable JIT on ARM/Linux
2209         https://bugs.webkit.org/show_bug.cgi?id=191548
2210
2211         Reviewed by Yusuke Suzuki.
2212
2213         Disable test on system with limited memory. Program was killed by
2214         the OS before the exception was thrown.
2215
2216         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2217
2218 2018-11-20  Saam barati  <sbarati@apple.com>
2219
2220         Merging an IC variant may lead to the IC status containing overlapping structure sets
2221         https://bugs.webkit.org/show_bug.cgi?id=191869
2222         <rdar://problem/45403453>
2223
2224         Reviewed by Mark Lam.
2225
2226         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2227
2228 2018-11-19  Mark Lam  <mark.lam@apple.com>
2229
2230         globalFuncImportModule() should return a promise when it clears exceptions.
2231         https://bugs.webkit.org/show_bug.cgi?id=191792
2232         <rdar://problem/46090763>
2233
2234         Reviewed by Michael Saboff.
2235
2236         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2237
2238 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2239
2240         Skip new memory-hungry tests on memory limited devices
2241
2242         Unreviewed gardening.
2243
2244         * stress/big-wasm-memory-grow-no-max.js:
2245         * stress/big-wasm-memory-grow.js:
2246         * stress/big-wasm-memory.js:
2247
2248 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2249
2250         Unreviewed, rolling in the rest of r237254
2251         https://bugs.webkit.org/show_bug.cgi?id=190340
2252
2253         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2254         * stress/function-cache-with-parameters-end-position.js: Added.
2255         (shouldBe):
2256         (shouldThrow):
2257         (i.anonymous):
2258         * stress/function-constructor-name.js: Added.
2259         (shouldBe):
2260         (GeneratorFunction):
2261         (AsyncFunction.async):
2262         (AsyncGeneratorFunction.async):
2263         (anonymous):
2264         (async.anonymous):
2265         * test262/expectations.yaml:
2266
2267 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2268
2269         All users of ArrayBuffer should agree on the same max size
2270         https://bugs.webkit.org/show_bug.cgi?id=191771
2271
2272         Reviewed by Mark Lam.
2273
2274         * stress/big-wasm-memory-grow-no-max.js: Added.
2275         (foo):
2276         (catch):
2277         * stress/big-wasm-memory-grow.js: Added.
2278         (foo):
2279         (catch):
2280         * stress/big-wasm-memory.js: Added.
2281         (foo):
2282         (catch):
2283
2284 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2285
2286         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2287         run for each JSC config since they're regression tests for runtime bugs.
2288
2289         * stress/json-stringified-overflow-2.js:
2290         * stress/json-stringified-overflow.js:
2291
2292 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2293
2294         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2295         config since they're regression tests for runtime bugs.
2296
2297         * stress/large-unshift-splice.js:
2298         * stress/regress-185888.js:
2299
2300 2018-11-16  Saam Barati  <sbarati@apple.com>
2301
2302         KnownCellUse should also have SpecCellCheck as its type filter
2303         https://bugs.webkit.org/show_bug.cgi?id=191729
2304         <rdar://problem/45872852>
2305
2306         Reviewed by Filip Pizlo.
2307
2308         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2309         (C):
2310
2311 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2312
2313         Fix assertion failure on BytecodeGenerator::recordOpcode
2314         https://bugs.webkit.org/show_bug.cgi?id=191724
2315         <rdar://problem/45724395>
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/regress-187373-2.js: Added.
2320         (foo):
2321
2322 2018-11-15  Mark Lam  <mark.lam@apple.com>
2323
2324         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2325         https://bugs.webkit.org/show_bug.cgi?id=191730
2326         <rdar://problem/46048517>
2327
2328         Reviewed by Saam Barati.
2329
2330         * stress/regress-187006.js: Removed.
2331           - this test is invalid because its sole purpose is to test for the non-spec
2332             compliant behavior that we just fixed.
2333
2334         * stress/regress-191730.js: Added.
2335
2336 2018-11-15  Mark Lam  <mark.lam@apple.com>
2337
2338         RegExp operations should not take fast patch if lastIndex is not numeric.
2339         https://bugs.webkit.org/show_bug.cgi?id=191731
2340         <rdar://problem/46017305>
2341
2342         Reviewed by Saam Barati.
2343
2344         * stress/regress-191731.js: Added.
2345
2346 2018-11-13  Saam Barati  <sbarati@apple.com>
2347
2348         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2349         https://bugs.webkit.org/show_bug.cgi?id=191600
2350
2351         Reviewed by Mark Lam.
2352
2353         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2354         (foo):
2355         (test):
2356         (bar):
2357
2358 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2359
2360         Unreviewed, rolling out r238132.
2361
2362         The test added with this change is timing out on Debug JSC
2363         bots.
2364
2365         Reverted changeset:
2366
2367         "[BigInt] JSBigInt::createWithLength should throw when length
2368         is greater than JSBigInt::maxLength"
2369         https://bugs.webkit.org/show_bug.cgi?id=190836
2370         https://trac.webkit.org/changeset/238132
2371
2372 2018-11-13  Mark Lam  <mark.lam@apple.com>
2373
2374         Add OOM detection to StringPrototype's substituteBackreferences().
2375         https://bugs.webkit.org/show_bug.cgi?id=191563
2376         <rdar://problem/45720428>
2377
2378         Reviewed by Saam Barati.
2379
2380         * stress/regress-191563.js: Added.
2381
2382 2018-11-13  Mark Lam  <mark.lam@apple.com>
2383
2384         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2385         https://bugs.webkit.org/show_bug.cgi?id=191579
2386         <rdar://problem/45942472>
2387
2388         Reviewed by Saam Barati.
2389
2390         * stress/regress-191579.js: Added.
2391
2392 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2393
2394         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2395         https://bugs.webkit.org/show_bug.cgi?id=190836
2396
2397         Reviewed by Saam Barati.
2398
2399         * stress/big-int-out-of-memory-tests.js: Added.
2400
2401 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2402
2403         U+180E is no longer a whitespace character
2404         https://bugs.webkit.org/show_bug.cgi?id=191415
2405
2406         Reviewed by Saam Barati.
2407
2408         * ChakraCore/test/es5/regexSpace.baseline:
2409         * ChakraCore/test/es6/unicode_whitespace.js:
2410         Update tests to latest version.
2411         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2412
2413         * test262.yaml:
2414         * test262/config.yaml:
2415         * test262/expectations.yaml:
2416         Update expectations.
2417
2418 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2419
2420         [BigInt] Add support to BigInt into ValueAdd
2421         https://bugs.webkit.org/show_bug.cgi?id=186177
2422
2423         Reviewed by Keith Miller.
2424
2425         * stress/big-int-negate-jit.js:
2426         * stress/value-add-big-int-and-string.js: Added.
2427         * stress/value-add-big-int-prediction-propagation.js: Added.
2428         * stress/value-add-big-int-untyped.js: Added.
2429
2430 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2431
2432         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2433         https://bugs.webkit.org/show_bug.cgi?id=191184
2434
2435         Reviewed by Saam Barati.
2436
2437         Most tests were failing due to timeouts, since they are too slow to
2438         run on CLoop. The exceptions are:
2439
2440         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2441         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2442         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2443         to change the stack size since CLoop requires it to be page aligned.
2444
2445         * microbenchmarks/array-push-1.js:
2446         * microbenchmarks/array-push-2.js:
2447         * microbenchmarks/elidable-new-object-dag.js:
2448         * microbenchmarks/elidable-new-object-roflcopter.js:
2449         * microbenchmarks/elidable-new-object-tree.js:
2450         * microbenchmarks/getter-richards.js:
2451         * microbenchmarks/sinkable-new-object-dag.js:
2452         * microbenchmarks/string-concat-long-convert.js:
2453         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2454         * slowMicrobenchmarks/array-push-3.js:
2455         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2456         * slowMicrobenchmarks/spread-small-array.js:
2457         * slowMicrobenchmarks/undefined-property-access.js:
2458         * stress/activation-sink-default-value-tdz-error.js:
2459         * stress/activation-sink-default-value.js:
2460         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2461         * stress/activation-sink-osrexit-default-value.js:
2462         * stress/activation-sink-osrexit.js:
2463         * stress/activation-sink.js:
2464         * stress/allow-math-ic-b3-code-duplication.js:
2465         * stress/array-push-multiple-int32.js:
2466         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2467         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2468         * stress/arrowfunction-lexical-this-activation-sink.js:
2469         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2470         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2471         * stress/elide-new-object-dag-then-exit.js:
2472         * stress/materialize-regexp-cyclic.js:
2473         * stress/new-regex-inline.js:
2474         * stress/op_add.js:
2475         * stress/op_bitand.js:
2476         * stress/op_bitor.js:
2477         * stress/op_bitxor.js:
2478         * stress/op_div-ConstVar.js:
2479         * stress/op_div-VarConst.js:
2480         * stress/op_div-VarVar.js:
2481         * stress/op_lshift-ConstVar.js:
2482         * stress/op_lshift-VarConst.js:
2483         * stress/op_lshift-VarVar.js:
2484         * stress/op_mod-ConstVar.js:
2485         * stress/op_mod-VarConst.js:
2486         * stress/op_mod-VarVar.js:
2487         * stress/op_mul-ConstVar.js:
2488         * stress/op_mul-VarConst.js:
2489         * stress/op_mul-VarVar.js:
2490         * stress/op_rshift-ConstVar.js:
2491         * stress/op_rshift-VarConst.js:
2492         * stress/op_rshift-VarVar.js:
2493         * stress/op_sub-ConstVar.js:
2494         * stress/op_sub-VarConst.js:
2495         * stress/op_sub-VarVar.js:
2496         * stress/op_urshift-ConstVar.js:
2497         * stress/op_urshift-VarConst.js:
2498         * stress/op_urshift-VarVar.js:
2499         * stress/proxy-get-set-correct-receiver.js:
2500         * stress/regress-179562.js:
2501         * stress/rest-parameter-many-arguments.js:
2502         * stress/sampling-profiler-richards.js:
2503         * stress/splay-flash-access-1ms.js:
2504         * stress/tailCallForwardArguments.js:
2505         * stress/typed-array-get-by-val-profiling.js:
2506         * typeProfiler/getter-richards.js:
2507
2508 2018-11-06  Michael Saboff  <msaboff@apple.com>
2509
2510         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2511         https://bugs.webkit.org/show_bug.cgi?id=191271
2512
2513         Reviewed by Saam Barati.
2514
2515         Added more test cases and made all test cases run with the same deeply recursive stack
2516         instead of finding that same point for each test case.
2517
2518         * stress/regexp-compile-oom.js:
2519         (prototype.runTest):
2520         (recurseAndTest):
2521         (testList.push.new.TestAndExpectedException):
2522
2523 2018-11-05  Michael Saboff  <msaboff@apple.com>
2524
2525         Unreviewed build fix for linux.
2526
2527         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2528
2529 2018-11-02  Michael Saboff  <msaboff@apple.com>
2530
2531         Rolling in r237753 with unreviewed build fix.
2532
2533         Fixed issues with DECLARE_THROW_SCOPE placement.
2534
2535 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2536
2537         Unreviewed, rolling out r237753.
2538
2539         Introduced JSC test failures
2540
2541         Reverted changeset:
2542
2543         "Running out of stack space not properly handled in
2544         RegExp::compile() and its callers"
2545         https://bugs.webkit.org/show_bug.cgi?id=191206
2546         https://trac.webkit.org/changeset/237753
2547
2548 2018-11-02  Michael Saboff  <msaboff@apple.com>
2549
2550         Running out of stack space not properly handled in RegExp::compile() and its callers
2551         https://bugs.webkit.org/show_bug.cgi?id=191206
2552
2553         Reviewed by Filip Pizlo.
2554
2555         New regression test.
2556
2557         * stress/regexp-compile-oom.js: Added.
2558         (recurseAndTest):
2559
2560 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2561
2562         Skip tests on arm/mips that time out now we're running on CLoop
2563
2564         Unreviewed gardening.
2565
2566         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2567         time out on the bots and need to be disabled. There's more tests
2568         disabled on arm because the timeout is longer on the mips bot (as the
2569         device is slower to start with), so many of the tests don't time out
2570         there.
2571
2572         * microbenchmarks/getter-richards.js: disable on arm and mips.
2573         * stress/op_add.js: disable on arm.
2574         * stress/op_bitand.js: disable on arm.
2575         * stress/op_bitor.js: disable on arm.
2576         * stress/op_bitxor.js: disable on arm.
2577         * stress/op_lshift-ConstVar.js: disable on arm.
2578         * stress/op_lshift-VarConst.js: disable on arm.
2579         * stress/op_lshift-VarVar.js: disable on arm.
2580         * stress/op_mod-ConstVar.js: disable on arm.
2581         * stress/op_mod-VarConst.js: disable on arm.
2582         * stress/op_mod-VarVar.js: disable on arm.
2583         * stress/op_mul-ConstVar.js: disable on arm.
2584         * stress/op_mul-VarConst.js: disable on arm.
2585         * stress/op_mul-VarVar.js: disable on arm.
2586         * stress/op_rshift-ConstVar.js: disable on arm.
2587         * stress/op_rshift-VarConst.js: disable on arm.
2588         * stress/op_rshift-VarVar.js: disable on arm.
2589         * stress/op_sub-ConstVar.js: disable on arm.
2590         * stress/op_sub-VarConst.js: disable on arm.
2591         * stress/op_sub-VarVar.js: disable on arm.
2592         * stress/op_urshift-ConstVar.js: disable on arm.
2593         * stress/op_urshift-VarConst.js: disable on arm.
2594         * stress/op_urshift-VarVar.js: disable on arm.
2595         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2596         * stress/value-to-boolean.js: disable on arm and mips.
2597
2598 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2599
2600         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2601         https://bugs.webkit.org/show_bug.cgi?id=191108
2602         <rdar://problem/45690700>
2603
2604         Reviewed by Saam Barati.
2605
2606         * stress/wide-op_catch.js: Added.
2607         (catch):
2608
2609 2018-10-29  Mark Lam  <mark.lam@apple.com>
2610
2611         Correctly detect string overflow when using the 'Function' constructor.
2612         https://bugs.webkit.org/show_bug.cgi?id=184883
2613         <rdar://problem/36320331>
2614
2615         Reviewed by Saam Barati.
2616
2617         I've verified that this passes on 32-bit as well.
2618
2619         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2620
2621 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2622
2623         Add support for GetStack FlushedDouble
2624         https://bugs.webkit.org/show_bug.cgi?id=191012
2625         <rdar://problem/45265141>
2626
2627         Reviewed by Saam Barati.
2628
2629         * stress/get-stack-double.js: Added.
2630         (bar):
2631         (noInline):
2632
2633 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2634
2635         New bytecode format for JSC
2636         https://bugs.webkit.org/show_bug.cgi?id=187373
2637         <rdar://problem/44186758>
2638
2639         Reviewed by Filip Pizlo.
2640
2641         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2642
2643         * stress/maximum-inline-capacity.js: Added.
2644         (test1):
2645         (test3.Foo):
2646         (test3):
2647
2648 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2649
2650         Unreviewed, rolling out r237479 and r237484.
2651         https://bugs.webkit.org/show_bug.cgi?id=190978
2652
2653         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2654
2655         Reverted changesets:
2656
2657         "New bytecode format for JSC"
2658         https://bugs.webkit.org/show_bug.cgi?id=187373
2659         https://trac.webkit.org/changeset/237479
2660
2661         "Gardening: Build fix after r237479."
2662         https://bugs.webkit.org/show_bug.cgi?id=187373
2663         https://trac.webkit.org/changeset/237484
2664
2665 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2666
2667         New bytecode format for JSC
2668         https://bugs.webkit.org/show_bug.cgi?id=187373
2669         <rdar://problem/44186758>
2670
2671         Reviewed by Filip Pizlo.
2672
2673         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2674
2675         * stress/maximum-inline-capacity.js: Added.
2676         (test1):
2677         (test3.Foo):
2678         (test3):
2679
2680 2018-10-26  Mark Lam  <mark.lam@apple.com>
2681
2682         Fix missing edge cases with JSGlobalObjects having a bad time.
2683         https://bugs.webkit.org/show_bug.cgi?id=189028
2684         <rdar://problem/45204939>
2685
2686         Reviewed by Saam Barati.
2687
2688         * stress/regress-189028.js: Added.
2689
2690 2018-10-22  Mark Lam  <mark.lam@apple.com>
2691
2692         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2693         https://bugs.webkit.org/show_bug.cgi?id=190515
2694         <rdar://problem/45222379>
2695
2696         Rubber-stamped by Saam Barati.
2697
2698         Adding another test.
2699
2700         * stress/regress-190515-2.js: Added.
2701
2702 2018-10-22  Mark Lam  <mark.lam@apple.com>
2703
2704         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2705         https://bugs.webkit.org/show_bug.cgi?id=190515
2706         <rdar://problem/45222379>
2707
2708         Reviewed by Saam Barati.
2709
2710         * stress/regress-190515.js: Added.
2711
2712 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2713
2714         Unreviewed, rolling out r237254.
2715         https://bugs.webkit.org/show_bug.cgi?id=190760
2716
2717         "It regresses JetStream 2 by 5% on some iOS devices"
2718         (Requested by saamyjoon on #webkit).
2719
2720         Reverted changeset:
2721
2722         "[JSC] JSC should have "parseFunction" to optimize Function
2723         constructor"
2724         https://bugs.webkit.org/show_bug.cgi?id=190340
2725         https://trac.webkit.org/changeset/237254
2726
2727 2018-10-19  Saam Barati  <sbarati@apple.com>
2728
2729         vmCall should check if we exit before emitting an OSR exit due to exceptions
2730         https://bugs.webkit.org/show_bug.cgi?id=190740
2731         <rdar://problem/45220139>
2732
2733         Reviewed by Mark Lam.
2734
2735         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2736         (foo):
2737
2738 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2739
2740         [ESNext][BigInt] Implement support for "^"
2741         https://bugs.webkit.org/show_bug.cgi?id=186235
2742
2743         Reviewed by Yusuke Suzuki.
2744
2745         * stress/big-int-bitwise-xor-general.js: Added.
2746         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2747         * stress/big-int-bitwise-xor-type-error.js: Added.
2748         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2749
2750 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2751
2752         [BigInt] Add ValueSub into DFG
2753         https://bugs.webkit.org/show_bug.cgi?id=186176
2754
2755         Reviewed by Yusuke Suzuki.
2756
2757         * stress/big-int-subtraction-jit.js:
2758         * stress/value-sub-big-int-prediction-propagation.js: Added.
2759         * stress/value-sub-big-int-untyped.js: Added.
2760         * stress/value-sub-spec-none-case.js: Added.
2761
2762 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2763
2764         [JSC] JSC should have "parseFunction" to optimize Function constructor
2765         https://bugs.webkit.org/show_bug.cgi?id=190340
2766
2767         Reviewed by Mark Lam.
2768
2769         This patch fixes the line number of syntax errors raised by the Function constructor,
2770         since we now parse the final code only once. And we no longer use block statement
2771         for Function constructor's parsing.
2772
2773         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2774         * stress/function-cache-with-parameters-end-position.js: Added.
2775         (shouldBe):
2776         (shouldThrow):
2777         (i.anonymous):
2778         * stress/function-constructor-name.js: Added.
2779         (shouldBe):
2780         (GeneratorFunction):
2781         (AsyncFunction.async):
2782         (AsyncGeneratorFunction.async):
2783         (anonymous):
2784         (async.anonymous):
2785         * test262/expectations.yaml:
2786
2787 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2788
2789         Unreviewed, rolling out r237242.
2790         https://bugs.webkit.org/show_bug.cgi?id=190701
2791
2792         it breaks "stress/sampling-profiler-basic.js" (Requested by
2793         caiolima on #webkit).
2794
2795         Reverted changeset:
2796
2797         "[BigInt] Add ValueSub into DFG"
2798         https://bugs.webkit.org/show_bug.cgi?id=186176
2799         https://trac.webkit.org/changeset/237242
2800
2801 2018-10-17  Keith Miller  <keith_miller@apple.com>
2802
2803         AI does not clear Phantom allocation nodes.
2804         https://bugs.webkit.org/show_bug.cgi?id=190694
2805
2806         Reviewed by Saam Barati.
2807
2808         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2809         (Day):
2810         (DaysInYear):
2811         (TimeInYear):
2812         (TimeFromYear):
2813         (DayFromYear):
2814         (InLeapYear):
2815         (YearFromTime):
2816         (WeekDay):
2817         (DaylightSavingTA):
2818         (GetSecondSundayInMarch):
2819         (TimeInMonth):
2820
2821 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2822
2823         [BigInt] Add ValueSub into DFG
2824         https://bugs.webkit.org/show_bug.cgi?id=186176
2825
2826         Reviewed by Yusuke Suzuki.
2827
2828         * stress/big-int-subtraction-jit.js:
2829         * stress/value-sub-big-int-prediction-propagation.js: Added.
2830         * stress/value-sub-big-int-untyped.js: Added.
2831
2832 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2833
2834         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2835         https://bugs.webkit.org/show_bug.cgi?id=190611
2836
2837         Reviewed by Saam Barati.
2838
2839         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2840         to improve test runtime. On ARM/MIPS this test even timed out when running all
2841         tests.
2842
2843         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2844         (test):
2845
2846 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2847
2848         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2849
2850         Unreviewed gardening.
2851
2852         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2853
2854 2018-10-15  Saam barati  <sbarati@apple.com>
2855
2856         Emit fjcvtzs on ARM64E on Darwin
2857         https://bugs.webkit.org/show_bug.cgi?id=184023
2858
2859         Reviewed by Yusuke Suzuki and Filip Pizlo.
2860
2861         * stress/double-to-int32-NaN.js: Added.
2862         (assert):
2863         (foo):
2864
2865 2018-10-15  Saam Barati  <sbarati@apple.com>
2866
2867         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2868         https://bugs.webkit.org/show_bug.cgi?id=190262
2869         <rdar://problem/44986241>
2870
2871         Reviewed by Mark Lam.
2872
2873         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2874         (test):
2875         * stress/slice-array-storage-with-holes.js: Added.
2876         (main):
2877
2878 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2879
2880         Unreviewed, rolling out r237054.
2881         https://bugs.webkit.org/show_bug.cgi?id=190593
2882
2883         "this regressed JetStream 2 by 6% on iOS" (Requested by
2884         saamyjoon on #webkit).
2885
2886         Reverted changeset:
2887
2888         "[JSC] JSC should have "parseFunction" to optimize Function
2889         constructor"
2890         https://bugs.webkit.org/show_bug.cgi?id=190340
2891         https://trac.webkit.org/changeset/237054
2892
2893 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2894
2895         [JSC] JSON.stringify can accept call-with-no-arguments
2896         https://bugs.webkit.org/show_bug.cgi?id=190343
2897
2898         Reviewed by Mark Lam.
2899
2900         * stress/json-stringify-no-arguments.js: Added.
2901         (shouldBe):
2902
2903 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2904
2905         [JSC] JSC should have "parseFunction" to optimize Function constructor
2906         https://bugs.webkit.org/show_bug.cgi?id=190340
2907
2908         Reviewed by Mark Lam.
2909
2910         This patch fixes the line number of syntax errors raised by the Function constructor,
2911         since we now parse the final code only once. And we no longer use block statement
2912         for Function constructor's parsing.
2913
2914         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2915         * stress/function-cache-with-parameters-end-position.js: Added.
2916         (shouldBe):
2917         (shouldThrow):
2918         (i.anonymous):
2919         * stress/function-constructor-name.js: Added.
2920         (shouldBe):
2921         (GeneratorFunction):
2922         (AsyncFunction.async):
2923         (AsyncGeneratorFunction.async):
2924         (anonymous):
2925         (async.anonymous):
2926         * test262/expectations.yaml:
2927
2928 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2929
2930         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2931         https://bugs.webkit.org/show_bug.cgi?id=190426
2932
2933         Unreviewed gardening.
2934
2935         * stress/sampling-profiler-richards.js:
2936
2937 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2938
2939         [ESNext][BigInt] Implement support for "|"
2940         https://bugs.webkit.org/show_bug.cgi?id=186229
2941
2942         Reviewed by Yusuke Suzuki.
2943
2944         * stress/big-int-bitwise-and-jit.js:
2945         * stress/big-int-bitwise-or-general.js: Added.
2946         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2947         * stress/big-int-bitwise-or-jit.js: Added.
2948         * stress/big-int-bitwise-or-memory-stress.js: Added.
2949         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2950         * stress/big-int-bitwise-or-type-error.js: Added.
2951         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2952
2953 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2954
2955         Skip test on systems with limited memory
2956         https://bugs.webkit.org/show_bug.cgi?id=190310
2957
2958         Invoking runDefault adds test to runlist, skipping the test in the next
2959         line does not prevent the test from executing. Change order of lines such
2960         that runDefault is only executed if test is not executed.
2961
2962         Reviewed by Mark Lam.
2963
2964         * stress/regress-190187.js:
2965
2966 2018-10-03  Saam barati  <sbarati@apple.com>
2967
2968         lowXYZ in FTLLower should always filter the type of the incoming edge
2969         https://bugs.webkit.org/show_bug.cgi?id=189939
2970         <rdar://problem/44407030>
2971
2972         Reviewed by Michael Saboff.
2973
2974         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2975         (foo):
2976         (test):
2977
2978 2018-10-03  Mark Lam  <mark.lam@apple.com>
2979
2980         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2981         https://bugs.webkit.org/show_bug.cgi?id=190187
2982         <rdar://problem/42512909>
2983
2984         Reviewed by Michael Saboff.
2985
2986         * stress/regress-190187.js: Added.
2987
2988 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2989
2990         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2991         https://bugs.webkit.org/show_bug.cgi?id=190033
2992
2993         Reviewed by Yusuke Suzuki.
2994
2995         * stress/big-int-to-string.js:
2996
2997 2018-10-01  Mark Lam  <mark.lam@apple.com>
2998
2999         Function.toString() should also copy the source code Functions that are class definitions.
3000         https://bugs.webkit.org/show_bug.cgi?id=190186
3001         <rdar://problem/44733360>
3002
3003         Reviewed by Saam Barati.
3004
3005         * stress/regress-190186.js: Added.
3006
3007 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3008
3009         Split NaN-check into separate test
3010         https://bugs.webkit.org/show_bug.cgi?id=190010
3011
3012         Reviewed by Saam Barati.
3013
3014         DataView exposes NaN-representation, which is not necessarily the same on each
3015         architecture. Therefore move the check of the NaN-representation into its own
3016         file such that we can disable this test on MIPS where NaN-representation can be
3017         different on older CPUs.
3018
3019         * stress/dataview-jit-set-nan.js: Added.
3020         (assert):
3021         (test.storeLittleEndian):
3022         (test.storeBigEndian):
3023         (test.store):
3024         (test):
3025         * stress/dataview-jit-set.js:
3026         (test5):
3027
3028 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3029
3030         Unreviewed, rolling out r236647.
3031         https://bugs.webkit.org/show_bug.cgi?id=190124
3032
3033         Breaking test stress/big-int-to-string.js (Requested by
3034         caiolima_ on #webkit).
3035
3036         Reverted changeset:
3037
3038         "[BigInt] BigInt.proptotype.toString is broken when radix is
3039         power of 2"
3040         https://bugs.webkit.org/show_bug.cgi?id=190033
3041         https://trac.webkit.org/changeset/236647
3042
3043 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3044
3045         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3046         https://bugs.webkit.org/show_bug.cgi?id=190033
3047
3048         Reviewed by Yusuke Suzuki.
3049
3050         * stress/big-int-to-string.js:
3051
3052 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3053
3054         [ESNext][BigInt] Implement support for "&"
3055         https://bugs.webkit.org/show_bug.cgi?id=186228
3056
3057         Reviewed by Yusuke Suzuki.
3058
3059         * stress/big-int-bitwise-and-general.js: Added.
3060         (assert):
3061         (assert.sameValue):
3062         * stress/big-int-bitwise-and-jit.js: Added.
3063         (let.assert.sameValue):
3064         (bigIntBitAnd):
3065         * stress/big-int-bitwise-and-memory-stress.js: Added.
3066         (assert):
3067         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3068         (assert.sameValue):
3069         (let.o.Symbol.toPrimitive):
3070         (catch):
3071         * stress/big-int-bitwise-and-type-error.js: Added.
3072         (assert):
3073         (assertThrowTypeError):
3074         (let.o.valueOf):
3075         (o.valueOf):
3076         (o.toString):
3077         (o.Symbol.toPrimitive):
3078         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3079         (assert.sameValue):
3080         (testBitAnd):
3081         (let.o.Symbol.toPrimitive):
3082         (o.valueOf):
3083         (o.toString):
3084
3085 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3086
3087         JSC test stress/jsc-read.js doesn't support CRLF
3088         https://bugs.webkit.org/show_bug.cgi?id=190063
3089
3090         Reviewed by Yusuke Suzuki.
3091
3092         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3093
3094         * stress/jsc-read.js:
3095         (test):
3096
3097 2018-09-27  Saam barati  <sbarati@apple.com>
3098
3099         Verify the contents of AssemblerBuffer on arm64e
3100         https://bugs.webkit.org/show_bug.cgi?id=190057
3101         <rdar://problem/38916630>
3102
3103         Reviewed by Mark Lam.
3104
3105         * stress/regress-189132.js:
3106
3107 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3108
3109         Disable test without LLInt on ARMv7
3110         https://bugs.webkit.org/show_bug.cgi?id=190037
3111
3112         Reviewed by Mark Lam.
3113
3114         Test runs out of executable memory on ARMv7, do not run
3115         this test without LLInt enabled.
3116
3117         * stress/regress-169445.js:
3118
3119 2018-09-26  Keith Miller  <keith_miller@apple.com>
3120
3121         We should zero unused property storage when rebalancing array storage.
3122         https://bugs.webkit.org/show_bug.cgi?id=188151
3123
3124         Reviewed by Michael Saboff.
3125
3126         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3127
3128 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3129
3130         [JSC] Optimize Array#lastIndexOf
3131         https://bugs.webkit.org/show_bug.cgi?id=189780
3132
3133         Reviewed by Saam Barati.
3134
3135         * stress/array-lastindexof-array-prototype-trap.js: Added.
3136         (shouldBe):
3137         (AncestorArray.prototype.get 2):
3138         (AncestorArray):
3139         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3140         (shouldBe):
3141         * stress/array-lastindexof-hole-nan.js: Added.
3142         (shouldBe):
3143         (throw.new.Error):
3144         * stress/array-lastindexof-infinity.js: Added.
3145         (shouldBe):
3146         (throw.new.Error):
3147         * stress/array-lastindexof-negative-zero.js: Added.
3148         (shouldBe):
3149         (throw.new.Error):
3150         * stress/array-lastindexof-own-getter.js: Added.
3151         (shouldBe):
3152         (throw.new.Error.get array):
3153         (get array):
3154         * stress/array-lastindexof-prototype-trap.js: Added.
3155         (shouldBe):
3156         (DerivedArray.prototype.get 2):
3157         (DerivedArray):
3158
3159 2018-09-25  Saam Barati  <sbarati@apple.com>
3160
3161         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3162         https://bugs.webkit.org/show_bug.cgi?id=189940
3163         <rdar://problem/43640987>
3164
3165         Reviewed by Mark Lam.
3166
3167         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3168
3169 2018-09-24  Saam Barati  <sbarati@apple.com>
3170
3171         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3172         https://bugs.webkit.org/show_bug.cgi?id=189922
3173         <rdar://problem/44651275>
3174
3175         Reviewed by Mark Lam.
3176
3177         * stress/array-indexof-fast-path-effects.js: Added.
3178         * stress/array-indexof-cached-length.js: Added.
3179
3180 2018-09-24  Saam barati  <sbarati@apple.com>
3181
3182         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3183         https://bugs.webkit.org/show_bug.cgi?id=189682
3184         <rdar://problem/43557315>
3185
3186         Reviewed by Mark Lam.
3187
3188         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3189         (foo):
3190
3191 2018-09-22  Saam barati  <sbarati@apple.com>
3192
3193         The sampling should not use Strong<CodeBlock> in its machineLocation field
3194         https://bugs.webkit.org/show_bug.cgi?id=189319
3195
3196         Reviewed by Filip Pizlo.
3197
3198         * stress/sampling-profiler-richards.js: Added.
3199
3200 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3201
3202         [JSC] Optimize Array#indexOf in C++ runtime
3203         https://bugs.webkit.org/show_bug.cgi?id=189507
3204
3205         Reviewed by Saam Barati.
3206
3207         * stress/array-indexof-array-prototype-trap.js: Added.
3208         (shouldBe):
3209         (AncestorArray.prototype.get 2):
3210         (AncestorArray):
3211         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3212         (shouldBe):
3213         * stress/array-indexof-hole-nan.js: Added.
3214         (shouldBe):
3215         (throw.new.Error):
3216         * stress/array-indexof-infinity.js: Added.
3217         (shouldBe):
3218         (throw.new.Error):
3219         * stress/array-indexof-negative-zero.js: Added.
3220         (shouldBe):
3221         (throw.new.Error):
3222         * stress/array-indexof-own-getter.js: Added.
3223         (shouldBe):
3224         (throw.new.Error.get array):
3225         (get array):
3226         * stress/array-indexof-prototype-trap.js: Added.
3227         (shouldBe):
3228         (DerivedArray.prototype.get 2):
3229         (DerivedArray):
3230
3231 2018-09-19  Saam barati  <sbarati@apple.com>
3232
3233         AI rule for MultiPutByOffset executes its effects in the wrong order
3234         https://bugs.webkit.org/show_bug.cgi?id=189757
3235         <rdar://problem/43535257>
3236
3237         Reviewed by Michael Saboff.
3238
3239         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3240         (foo):
3241         (Foo):
3242         (g):
3243
3244 2018-09-17  Mark Lam  <mark.lam@apple.com>
3245
3246         Ensure that ForInContexts are invalidated if their loop local is over-written.
3247         https://bugs.webkit.org/show_bug.cgi?id=189571
3248         <rdar://problem/44402277>
3249
3250         Reviewed by Saam Barati.
3251
3252         * stress/regress-189571.js: Added.
3253
3254 2018-09-17  Saam barati  <sbarati@apple.com>
3255
3256         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3257         https://bugs.webkit.org/show_bug.cgi?id=189676
3258         <rdar://problem/39682897>
3259
3260         Reviewed by Michael Saboff.
3261
3262         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3263         (A):
3264         (K):
3265         (i.catch):
3266
3267 2018-09-14  Saam barati  <sbarati@apple.com>
3268
3269         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3270         https://bugs.webkit.org/show_bug.cgi?id=189628
3271         <rdar://problem/39481690>
3272
3273         Reviewed by Mark Lam.
3274
3275         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3276         (foo):
3277
3278 2018-09-11  Mark Lam  <mark.lam@apple.com>
3279
3280         Test for array initialization in arrayProtoFuncSplice.
3281         https://bugs.webkit.org/show_bug.cgi?id=170253
3282         <rdar://problem/31328773>
3283
3284         Rubber-stamped by Saam Barati.
3285
3286         * stress/regress-170253.js: Added.
3287
3288 2018-09-11  Mark Lam  <mark.lam@apple.com>
3289
3290         Test for IntlObject initialization.
3291         https://bugs.webkit.org/show_bug.cgi?id=170251
3292         <rdar://problem/31328419>
3293
3294         Rubber-stamped by Saam Barati.
3295
3296         * stress/regress-170251.js: Added.
3297
3298 2018-09-11  Mark Lam  <mark.lam@apple.com>
3299
3300         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3301         https://bugs.webkit.org/show_bug.cgi?id=169889
3302         <rdar://problem/31155607>
3303
3304         Reviewed by Saam Barati.
3305
3306         * stress/regress-169889-array-concat.js: Added.
3307         * stress/regress-169889-array-concat1.js: Added.
3308         * stress/regress-169889-array-slice.js: Added.
3309
3310 2018-09-11  Mark Lam  <mark.lam@apple.com>
3311
3312         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3313         https://bugs.webkit.org/show_bug.cgi?id=169445
3314         <rdar://problem/30957435>
3315
3316         Reviewed by Saam Barati.
3317
3318         * stress/regress-169445.js: Added.
3319         (let.gun.eval.A):
3320         (let.gun.eval.B.C):
3321         (let.gun.eval.B.C.prototype.trigger):
3322         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3323         (let.gun.eval.B):
3324         (let.gun.eval):
3325
3326 == Rolled over to ChangeLog-2018-09-11 ==