Unreviewed correction to Test262 expectations following r244828.
[WebKit-https.git] / JSTests / ChangeLog
1 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2
3         Unreviewed correction to Test262 expectations following r244828.
4
5         * test262/expectations.yaml:
6
7 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
8
9         Add memory-limited skipping to some tests generating very large strings
10         https://bugs.webkit.org/show_bug.cgi?id=197437
11
12         Reviewed by Ross Kirsling.
13
14         * stress/StringObject-define-length-getter-rope-string-oom.js:
15         * stress/create-error-out-of-memory-rope-string.js:
16         * stress/string-16bit-repeat-overflow.js:
17
18 2019-04-30  Commit Queue  <commit-queue@webkit.org>
19
20         Unreviewed, rolling out r244806.
21         https://bugs.webkit.org/show_bug.cgi?id=197446
22
23         Causing Test262 and JSC test failures on multiple builds
24         (Requested by ShawnRoberts on #webkit).
25
26         Reverted changeset:
27
28         "TypeArrays should not store properties that are canonical
29         numeric indices"
30         https://bugs.webkit.org/show_bug.cgi?id=197228
31         https://trac.webkit.org/changeset/244806
32
33 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
34
35         TypeArrays should not store properties that are canonical numeric indices
36         https://bugs.webkit.org/show_bug.cgi?id=197228
37         <rdar://problem/49557381>
38
39         Reviewed by Darin Adler.
40
41         * stress/typed-array-canonical-numeric-index-string.js: Added.
42         (makeTest.assert):
43         (makeTest):
44         (const.testInvalidIndices.makeTest.set assert):
45         (const.testInvalidIndices.makeTest):
46         (const.testValidIndices.makeTest.set assert):
47         (const.testValidIndices.makeTest):
48
49 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
50
51         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
52         https://bugs.webkit.org/show_bug.cgi?id=197362
53
54         Reviewed by Saam Barati.
55
56         * stress/map-with-nan.js: Added.
57         (shouldBe):
58         (div):
59         (NaN1):
60         (NaN2):
61         (NaN3):
62         (NaN4):
63         (NaN1NoInline):
64         (NaN2NoInline):
65         (NaN3NoInline):
66         (NaN4NoInline):
67         (test1):
68         (test2):
69         (test3):
70         (test4):
71         * stress/set-with-nan.js: Added.
72         (shouldBe):
73         (div):
74         (NaN1):
75         (NaN2):
76         (NaN3):
77         (NaN4):
78         (NaN1NoInline):
79         (NaN2NoInline):
80         (NaN3NoInline):
81         (NaN4NoInline):
82         (test2):
83         (test4):
84
85 2019-04-26  Commit Queue  <commit-queue@webkit.org>
86
87         Unreviewed, rolling out r244708.
88         https://bugs.webkit.org/show_bug.cgi?id=197334
89
90         "Broke the debug build" (Requested by rmorisset on #webkit).
91
92         Reverted changeset:
93
94         "All prototypes should call didBecomePrototype()"
95         https://bugs.webkit.org/show_bug.cgi?id=196315
96         https://trac.webkit.org/changeset/244708
97
98 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
99
100         [JSC] linkPolymorphicCall now does GC
101         https://bugs.webkit.org/show_bug.cgi?id=197306
102
103         Reviewed by Saam Barati.
104
105         * stress/link-polymorphic-call-can-gc.js: Added.
106         (module):
107         (instance):
108
109 2019-04-26  Robin Morisset  <rmorisset@apple.com>
110
111         All prototypes should call didBecomePrototype()
112         https://bugs.webkit.org/show_bug.cgi?id=196315
113
114         Reviewed by Saam Barati.
115
116         * stress/function-prototype-indexed-accessor.js: Added.
117
118 2019-04-23  Saam Barati  <sbarati@apple.com>
119
120         LICM incorrectly assumes it'll never insert a node which provably OSR exits
121         https://bugs.webkit.org/show_bug.cgi?id=196721
122         <rdar://problem/49556479> 
123
124         Reviewed by Filip Pizlo.
125
126         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
127         (foo):
128
129 2019-04-19  Saam Barati  <sbarati@apple.com>
130
131         AbstractValue can represent more than int52
132         https://bugs.webkit.org/show_bug.cgi?id=197118
133         <rdar://problem/49969960>
134
135         Reviewed by Michael Saboff.
136
137         * stress/abstract-value-can-include-int52.js: Added.
138         (foo):
139         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
140
141 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
142
143         [WTF] StringBuilder should set correct m_is8Bit flag when merging
144         https://bugs.webkit.org/show_bug.cgi?id=197053
145
146         Reviewed by Saam Barati.
147
148         * stress/merge-string-builder-in-dfg.js: Added.
149         (foo):
150
151 2019-04-16  Caitlin Potter  <caitp@igalia.com>
152
153         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
154         https://bugs.webkit.org/show_bug.cgi?id=176810
155
156         Reviewed by Saam Barati.
157
158         Add tests for the DontEnum filtering, and variations of other tests
159         take the DontEnum-filtering path.
160
161         * stress/proxy-own-keys.js:
162         (i.catch):
163         (set assert):
164         (set add):
165         (let.set new):
166         (get let):
167
168 2019-04-15  Saam barati  <sbarati@apple.com>
169
170         Modify how we do SetArgument when we inline varargs calls
171         https://bugs.webkit.org/show_bug.cgi?id=196712
172         <rdar://problem/49605012>
173
174         Reviewed by Michael Saboff.
175
176         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
177         (foo):
178
179 2019-04-15  Saam barati  <sbarati@apple.com>
180
181         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
182         https://bugs.webkit.org/show_bug.cgi?id=196945
183         <rdar://problem/49802750>
184
185         Reviewed by Filip Pizlo.
186
187         * stress/get-by-offset-should-use-correct-child.js: Added.
188         (foo.bar):
189         (foo):
190
191 2019-04-15  Robin Morisset  <rmorisset@apple.com>
192
193         DFG should be able to constant fold Object.create() with a constant prototype operand
194         https://bugs.webkit.org/show_bug.cgi?id=196886
195
196         Reviewed by Yusuke Suzuki.
197
198         Note that this new benchmark does not currently see a speedup with inlining removed.
199         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
200
201         * microbenchmarks/object-create-constant-prototype.js: Added.
202         (test):
203
204 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
205
206         Incremental bytecode cache should not append function updates when loaded from memory
207         https://bugs.webkit.org/show_bug.cgi?id=196865
208
209         Reviewed by Filip Pizlo.
210
211         * stress/bytecode-cache-shared-code-block.js: Added.
212         (b):
213         (program):
214
215 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
216
217         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
218         https://bugs.webkit.org/show_bug.cgi?id=196880
219
220         Reviewed by Yusuke Suzuki.
221
222         * stress/bytecode-cache-syntax-error.js: Added.
223         (catch):
224
225 2019-04-12  Saam barati  <sbarati@apple.com>
226
227         r244079 logically broke shouldSpeculateInt52
228         https://bugs.webkit.org/show_bug.cgi?id=196884
229
230         Reviewed by Yusuke Suzuki.
231
232         * microbenchmarks/int52-rand-function.js: Added.
233         (Math.random):
234
235 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
236
237         [JSC] op_has_indexed_property should not assume subscript part is Uint32
238         https://bugs.webkit.org/show_bug.cgi?id=196850
239
240         Reviewed by Saam Barati.
241
242         * stress/has-indexed-property-should-accept-non-int32.js: Added.
243         (foo):
244
245 2019-04-11  Saam barati  <sbarati@apple.com>
246
247         Remove invalid assertion in operationInstanceOfCustom
248         https://bugs.webkit.org/show_bug.cgi?id=196842
249         <rdar://problem/49725493>
250
251         Reviewed by Michael Saboff.
252
253         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
254
255 2019-04-10  Saam Barati  <sbarati@apple.com>
256
257         AbstractValue::validateOSREntryValue is wrong for Int52 constants
258         https://bugs.webkit.org/show_bug.cgi?id=196801
259         <rdar://problem/49771122>
260
261         Reviewed by Yusuke Suzuki.
262
263         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
264
265 2019-04-10  Robin Morisset  <rmorisset@apple.com>
266
267         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
268         https://bugs.webkit.org/show_bug.cgi?id=196746
269
270         Reviewed by Yusuke Suzuki.
271
272         * stress/cyclic-define-properties.js: Added.
273         (foo):
274
275 2019-04-09  Saam barati  <sbarati@apple.com>
276
277         Clean up Int52 code and some bugs in it
278         https://bugs.webkit.org/show_bug.cgi?id=196639
279         <rdar://problem/49515757>
280
281         Reviewed by Yusuke Suzuki.
282
283         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
284
285 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
286
287         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
288         https://bugs.webkit.org/show_bug.cgi?id=196708
289         <rdar://problem/49556803>
290
291         Reviewed by Yusuke Suzuki.
292
293         * stress/proxy-getter-stack-overflow.js: Added.
294         (const.handler.get target):
295         (const.handler.has):
296         (try.with):
297         (catch):
298
299 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
300
301         [JSC] DFG should respect node's strict flag
302         https://bugs.webkit.org/show_bug.cgi?id=196617
303
304         Reviewed by Saam Barati.
305
306         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
307         (shouldEqual):
308         (makeUnwriteableUnconfigurableObject):
309         (runTest):
310         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
311         (shouldBe):
312         (shouldThrow):
313         (with.result):
314         (with.putValueStrict):
315         (with.putValueSloppy):
316
317 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
318
319         [JSC] isRope jump in StringSlice should not jump over register allocations
320         https://bugs.webkit.org/show_bug.cgi?id=196716
321
322         Reviewed by Saam Barati.
323
324         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
325         (foo.bar):
326         (foo):
327
328 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
329
330         [JSC] to_index_string should not assume incoming value is Uint32
331         https://bugs.webkit.org/show_bug.cgi?id=196713
332
333         Reviewed by Saam Barati.
334
335         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
336         (foo):
337
338 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
339
340         [JSC] Add more tests for r243966
341         https://bugs.webkit.org/show_bug.cgi?id=196711
342
343         Reviewed by Saam Barati.
344
345         Adding one more test for r243966 fix. The added test will not crash after r243966.
346
347         * stress/stress-cleared-calllinkinfo.js: Added.
348         (runNearStackLimit.t):
349         (runNearStackLimit):
350         (repeat):
351         (cls):
352         (let.item.of.array.runNearStackLimit):
353
354 2019-04-08  Saam Barati  <sbarati@apple.com>
355
356         WebAssembly.RuntimeError missing exception check
357         https://bugs.webkit.org/show_bug.cgi?id=196700
358         <rdar://problem/49693932>
359
360         Reviewed by Yusuke Suzuki.
361
362         * wasm/js-api/runtime-error-should-exception-check.js: Added.
363
364 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
365
366         Unreviewed, rolling in r243948 with test fix
367         https://bugs.webkit.org/show_bug.cgi?id=196486
368
369         * stress/arrow-function-and-use-strict-directive.js: Added.
370         * stress/arrow-function-syntax.js: Added.
371         (checkSyntax):
372         (checkSyntaxError):
373
374 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
375
376         Unreviewed, rolling out r243948.
377
378         Caused inspector/runtime/parse.html to fail
379
380         Reverted changeset:
381
382         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
383         https://bugs.webkit.org/show_bug.cgi?id=196486
384         https://trac.webkit.org/changeset/243948
385
386 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
387
388         Unreviewed, rolling out r243943.
389
390         Caused test262 failures.
391
392         Reverted changeset:
393
394         "[JSC] Filter DontEnum properties in
395         ProxyObject::getOwnPropertyNames()"
396         https://bugs.webkit.org/show_bug.cgi?id=176810
397         https://trac.webkit.org/changeset/243943
398
399 2019-04-07  Michael Saboff  <msaboff@apple.com>
400
401         REGRESSION (r243642): Crash in reddit.com page
402         https://bugs.webkit.org/show_bug.cgi?id=196684
403
404         Reviewed by Geoffrey Garen.
405
406         New regression test.
407
408         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
409
410 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
411
412         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
413         https://bugs.webkit.org/show_bug.cgi?id=196683
414
415         Reviewed by Saam Barati.
416
417         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
418         (foo):
419
420 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
421
422         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
423         https://bugs.webkit.org/show_bug.cgi?id=196582
424
425         Reviewed by Saam Barati.
426
427         * stress/add-overflow-check-with-three-same-registers.js: Added.
428         (foo):
429         (Number.prototype.valueOf):
430         (runWithNumber):
431
432 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
433
434         Unreviewed, rolling out r243665.
435
436         Caused iOS JSC tests to exit with an exception.
437
438         Reverted changeset:
439
440         "Assertion failed in JSC::createError"
441         https://bugs.webkit.org/show_bug.cgi?id=196305
442         https://trac.webkit.org/changeset/243665
443
444 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
445
446         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
447         https://bugs.webkit.org/show_bug.cgi?id=196486
448
449         Reviewed by Saam Barati.
450
451         * stress/arrow-function-and-use-strict-directive.js: Added.
452         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
453         (checkSyntax):
454         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
455
456 2019-04-05  Caitlin Potter  <caitp@igalia.com>
457
458         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
459         https://bugs.webkit.org/show_bug.cgi?id=176810
460
461         Reviewed by Saam Barati.
462
463         Add tests for the DontEnum filtering, and variations of other tests
464         take the DontEnum-filtering path.
465
466         * stress/proxy-own-keys.js:
467         (i.catch):
468         (set assert):
469         (set add):
470         (let.set new):
471         (get let):
472
473 2019-04-05  Caitlin Potter  <caitp@igalia.com>
474
475         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
476         https://bugs.webkit.org/show_bug.cgi?id=185211
477
478         Reviewed by Saam Barati.
479
480         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
481
482         This changes several assertions to expect a TypeError to be thrown (in some cases,
483         changing thee expected message).
484
485         * es6/Proxy_ownKeys_duplicates.js:
486         (handler):
487         (shouldThrow):
488         (test):
489         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
490         (shouldThrow):
491         * stress/proxy-own-keys.js:
492         (i.catch):
493         (assert):
494
495 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
496
497         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
498         https://bugs.webkit.org/show_bug.cgi?id=196631
499
500         Reviewed by Saam Barati.
501
502         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
503         (assert):
504         (test):
505         (foo):
506
507 2019-04-04  Saam Barati  <sbarati@apple.com>
508
509         Unreviewed. Make the test from r243906 catch the thrown exceptions.
510
511         * stress/inferred-types-regex-matches-array.js:
512
513 2019-04-04  Saam Barati  <sbarati@apple.com>
514
515         createRegExpMatchesArray does not respect inferred types
516         https://bugs.webkit.org/show_bug.cgi?id=193287
517
518         Reviewed by Yusuke Suzuki.
519
520         This checks in the test case for 193287. This issue was discovered by
521         Samuel GroƟ of Google Project Zero.
522
523         * stress/inferred-types-regex-matches-array.js: Added.
524
525 2019-04-04  Saam barati  <sbarati@apple.com>
526
527         Teach Call ICs how to call Wasm
528         https://bugs.webkit.org/show_bug.cgi?id=196387
529
530         Reviewed by Filip Pizlo.
531
532         * wasm/function-tests/stack-trace.js:
533
534 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
535
536         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
537         https://bugs.webkit.org/show_bug.cgi?id=194944
538
539         Reviewed by Keith Miller.
540
541         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
542
543 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
544
545         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
546         https://bugs.webkit.org/show_bug.cgi?id=196409
547
548         Reviewed by Saam Barati.
549
550         * stress/bytecode-cache-cached-string-impl.js: Added.
551         (f):
552         (g):
553         * stress/bytecode-cache-run-string.js: Added.
554
555 2019-04-03  Robin Morisset  <rmorisset@apple.com>
556
557         B3 should use associativity to optimize expression trees
558         https://bugs.webkit.org/show_bug.cgi?id=194081
559
560         Reviewed by Filip Pizlo.
561
562         Added three microbenchmarks:
563         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
564         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
565           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
566         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
567
568         * microbenchmarks/add-tree.js: Added.
569         * microbenchmarks/bit-or-tree.js: Added.
570         * microbenchmarks/bit-xor-tree.js: Added.
571
572 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
573
574         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
575         https://bugs.webkit.org/show_bug.cgi?id=196574
576
577         Reviewed by Saam Barati.
578
579         * stress/string-index-of-exception-check.js: Added.
580         (blurType):
581         (1.forEach):
582
583 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
584
585         Assertion failed in JSC::createError
586         https://bugs.webkit.org/show_bug.cgi?id=196305
587         <rdar://problem/49387382>
588
589         Reviewed by Saam Barati.
590
591         * stress/create-error-out-of-memory-rope-string-2.js: Added.
592         (assert):
593         (catch):
594
595 2019-03-28  Saam Barati  <sbarati@apple.com>
596
597         BackwardsGraph needs to consider back edges as the backward's root successor
598         https://bugs.webkit.org/show_bug.cgi?id=195991
599
600         Reviewed by Filip Pizlo.
601
602         * stress/map-b3-licm-infinite-loop.js: Added.
603
604 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
605
606         CodeBlock::jettison() should disallow repatching its own calls
607         https://bugs.webkit.org/show_bug.cgi?id=196359
608         <rdar://problem/48973663>
609
610         Reviewed by Saam Barati.
611
612         * stress/call-link-info-osrexit-repatch.js: Added.
613         (foo):
614
615 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
616
617         [JSC] imports-oom.js intermittently fails
618         https://bugs.webkit.org/show_bug.cgi?id=196373
619
620         Reviewed by Saam Barati.
621
622         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
623         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
624         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
625         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
626         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
627
628         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
629         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
630
631         * wasm/lowExecutableMemory/imports-oom.js:
632
633 2019-03-27  Saam Barati  <sbarati@apple.com>
634
635         validateOSREntryValue with Int52 should box the value being checked into double format
636         https://bugs.webkit.org/show_bug.cgi?id=196313
637         <rdar://problem/49306703>
638
639         Reviewed by Yusuke Suzuki.
640
641         * stress/validate-int-52-ai-state.js: Added.
642
643 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] Owner of watchpoints should validate at GC finalizing phase
646         https://bugs.webkit.org/show_bug.cgi?id=195827
647
648         Reviewed by Filip Pizlo.
649
650         * stress/gc-should-reap-dead-watchpoints.js: Added.
651         (foo):
652         (A.prototype.y):
653         (A):
654
655 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
656
657         Skip WebAssembly test on 32-bit systems
658         https://bugs.webkit.org/show_bug.cgi?id=196206
659
660         Reviewed by Saam Barati.
661
662         Invoking runDefault executes test immediately even though
663         that test should be skipped due to missing WASM support.
664         Therefore remove runDefault.
665
666         * wasm/regress/web-assembly-link-error-exception-check.js:
667
668 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
669
670         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
671         https://bugs.webkit.org/show_bug.cgi?id=196217
672
673         Reviewed by Saam Barati.
674
675         Re-enable all NaN tests for f32.min, f64.min and f64.max.
676
677         * wasm/spec-tests/f32.wast.js:
678         * wasm/spec-tests/f64.wast.js:
679         * wasm/wasm.json:
680
681 2019-03-25  Keith Miller  <keith_miller@apple.com>
682
683         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
684         https://bugs.webkit.org/show_bug.cgi?id=196176
685
686         Reviewed by Saam Barati.
687
688         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
689         (main.v10):
690         (main):
691
692 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
693
694         WebAssembly: f32.max with NaN generates incorrect result
695         https://bugs.webkit.org/show_bug.cgi?id=175691
696         <rdar://problem/33952228>
697
698         Reviewed by Saam Barati.
699
700         Enable all f32.max NaN tests
701
702         * wasm/spec-tests/f32.wast.js:
703         * wasm/wasm.json:
704
705 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
706
707         [JSC] Move test into directory for WASM tests
708         https://bugs.webkit.org/show_bug.cgi?id=196187
709
710         Reviewed by Mark Lam.
711
712         Move Test into wasm-directory. Otherwise this test
713         is also executed on systems without WASM support.
714
715         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
716
717 2019-03-23  Mark Lam  <mark.lam@apple.com>
718
719         Rolling out r243032 and r243071 because the fix is incorrect.
720         https://bugs.webkit.org/show_bug.cgi?id=195892
721         <rdar://problem/48981239>
722
723         Not reviewed.
724
725         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
726
727 2019-03-22  Mark Lam  <mark.lam@apple.com>
728
729         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
730         https://bugs.webkit.org/show_bug.cgi?id=196154
731         <rdar://problem/49145307>
732
733         Reviewed by Filip Pizlo.
734
735         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
736         There's no need to run this test on more than 1 test configuration.
737
738         * stress/typed-array-lastIndexOf-exception-check.js: Added.
739         * stress/web-assembly-link-error-exception-check.js:
740
741 2019-03-22  Mark Lam  <mark.lam@apple.com>
742
743         Placate exception check validation in constructJSWebAssemblyLinkError().
744         https://bugs.webkit.org/show_bug.cgi?id=196152
745         <rdar://problem/49145257>
746
747         Reviewed by Michael Saboff.
748
749         * stress/web-assembly-link-error-exception-check.js: Added.
750
751 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
752
753         Skip tests running out of memory on ARM/MIPS
754         https://bugs.webkit.org/show_bug.cgi?id=196131
755
756         Unreviewed. Skip test if memory is limited.
757
758         * microbenchmarks/put-by-val-direct-large-index.js:
759
760 2019-03-21  Mark Lam  <mark.lam@apple.com>
761
762         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
763         https://bugs.webkit.org/show_bug.cgi?id=196116
764         <rdar://problem/48976951>
765
766         Reviewed by Filip Pizlo.
767
768         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
769
770 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
771
772         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
773         https://bugs.webkit.org/show_bug.cgi?id=196078
774         <rdar://problem/35925380>
775
776         Reviewed by Mark Lam.
777
778         Add a new benchmark that allocates several objects and invokes put_by_val_direct
779         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
780
781         * microbenchmarks/put-by-val-direct-large-index.js: Added.
782
783 2019-03-21  Mark Lam  <mark.lam@apple.com>
784
785         Placate exception check validation in operationArrayIndexOfString().
786         https://bugs.webkit.org/show_bug.cgi?id=196067
787         <rdar://problem/49056572>
788
789         Reviewed by Michael Saboff.
790
791         * stress/string-equal-exception-check.js: Added.
792
793 2019-03-21  Mark Lam  <mark.lam@apple.com>
794
795         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
796         https://bugs.webkit.org/show_bug.cgi?id=196055
797         <rdar://problem/49067448>
798
799         Reviewed by Yusuke Suzuki.
800
801         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
802
803 2019-03-20  Saam Barati  <sbarati@apple.com>
804
805         typeOfDoubleSum is wrong for when NaN can be produced
806         https://bugs.webkit.org/show_bug.cgi?id=196030
807
808         Reviewed by Filip Pizlo.
809
810         * stress/double-add-sub-mul-can-produce-nan.js: Added.
811         (assert):
812         (noInline.sub):
813         (noInline):
814         (assert.mul):
815         (assert.add):
816
817 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         Update the test to ensure OutOfMemoryError is thrown as intended
820         https://bugs.webkit.org/show_bug.cgi?id=196032
821         <rdar://problem/46842740>
822
823         Rubber stamped by Saam Barati.
824
825         * stress/create-error-out-of-memory-rope-string.js:
826         (assert):
827         (catch):
828
829 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
830
831         JSC::createError needs to check for OOM in errorDescriptionForValue
832         https://bugs.webkit.org/show_bug.cgi?id=196032
833         <rdar://problem/46842740>
834
835         Reviewed by Mark Lam.
836
837         * stress/create-error-out-of-memory-rope-string.js: Added.
838
839 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
840
841         Unreviewed, reduce # of iterations to avoid timing out after r242991
842         https://bugs.webkit.org/show_bug.cgi?id=195791
843
844         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
845
846         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
847
848 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
849
850         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
851         https://bugs.webkit.org/show_bug.cgi?id=195950
852
853         Unreviewed, reducing the amount of memory used on this test to avoid
854         OOM on devices with memory restrictions.
855
856         * microbenchmarks/generate-multiple-llint-entrypoints.js:
857
858 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
859
860         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
861         https://bugs.webkit.org/show_bug.cgi?id=194648
862
863         Reviewed by Keith Miller.
864
865         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
866
867 2019-03-18  Mark Lam  <mark.lam@apple.com>
868
869         Missing a ThrowScope release in JSObject::toString().
870         https://bugs.webkit.org/show_bug.cgi?id=195893
871         <rdar://problem/48970986>
872
873         Reviewed by Michael Saboff.
874
875         * stress/to-string-exception-check-release.js: Added.
876
877 2019-03-18  Mark Lam  <mark.lam@apple.com>
878
879         Structure::flattenDictionary() should clear unused property slots.
880         https://bugs.webkit.org/show_bug.cgi?id=195871
881         <rdar://problem/48959497>
882
883         Reviewed by Michael Saboff.
884
885         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
886
887 2019-03-15  Mark Lam  <mark.lam@apple.com>
888
889         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
890         https://bugs.webkit.org/show_bug.cgi?id=195827
891         <rdar://problem/48845513>
892
893         Reviewed by Filip Pizlo.
894
895         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
896
897 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
898
899         [ARM,MIPS] Skip slow tests
900         https://bugs.webkit.org/show_bug.cgi?id=195799
901
902         Unreviewed, test does not finish on ARM and MIPS within the
903         timeout limit.
904
905         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
906
907 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
910         https://bugs.webkit.org/show_bug.cgi?id=195791
911         <rdar://problem/48806130>
912
913         Reviewed by Mark Lam.
914
915         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
916         (foo):
917
918 2019-03-14  Saam barati  <sbarati@apple.com>
919
920         We can't remove code after ForceOSRExit until after FixupPhase
921         https://bugs.webkit.org/show_bug.cgi?id=186916
922         <rdar://problem/41396612>
923
924         Reviewed by Yusuke Suzuki.
925
926         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
927         (foo):
928         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
929         (foo):
930
931 2019-03-13  Michael Saboff  <msaboff@apple.com>
932
933         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
934         https://bugs.webkit.org/show_bug.cgi?id=195735
935
936         Reviewed by Mark Lam.
937
938         New regression test.
939
940         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
941         (foo):
942         (bar):
943
944 2019-03-14  Saam barati  <sbarati@apple.com>
945
946         Fixup uses KnownInt32 incorrectly in some nodes
947         https://bugs.webkit.org/show_bug.cgi?id=195279
948         <rdar://problem/47915654>
949
950         Reviewed by Yusuke Suzuki.
951
952         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
953         (foo):
954
955 2019-03-14  Keith Miller  <keith_miller@apple.com>
956
957         DFG liveness can't skip tail caller inline frames
958         https://bugs.webkit.org/show_bug.cgi?id=195715
959
960         Reviewed by Saam Barati.
961
962         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
963         (i.foo):
964
965 2019-03-13  Mark Lam  <mark.lam@apple.com>
966
967         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
968         https://bugs.webkit.org/show_bug.cgi?id=195415
969
970         Not reviewed.
971
972         Changed these tests to only run the default configuration.
973         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
974         There's no strong need to run this test on that variant.
975
976         * stress/dfg-to-string-on-int-does-gc.js:
977         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
978
979 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
980
981         String overflow when using StringBuilder in JSC::createError
982         https://bugs.webkit.org/show_bug.cgi?id=194957
983
984         Reviewed by Mark Lam.
985
986         Add test string-overflow-createError-bulder.js that overflows
987         StringBuilder in notAFunctionSourceAppender. The second new test
988         string-overflow-createError-fit.js has an error message that doesn't
989         overflow, it still failed since the String's capacity can't be doubled.
990         Run test string-overflow-createError.js only in the default
991         configuration to reduce memory consumption when running the test
992         in all configurations on multiple CPUs in parallel.
993
994         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
995         (catch):
996         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
997         (catch):
998         * stress/string-overflow-createError.js:
999
1000 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1001
1002         [JSC] OSR entry should respect abstract values in addition to flush formats
1003         https://bugs.webkit.org/show_bug.cgi?id=195653
1004
1005         Reviewed by Mark Lam.
1006
1007         * stress/osr-entry-locals-none.js: Added.
1008
1009 2019-03-12  Michael Saboff  <msaboff@apple.com>
1010
1011         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1012         https://bugs.webkit.org/show_bug.cgi?id=195613
1013
1014         Reviewed by Mark Lam.
1015
1016         New regression test.
1017
1018         * stress/regexp-backref-inbounds.js: Added.
1019         (testRegExp):
1020
1021 2019-03-12  Mark Lam  <mark.lam@apple.com>
1022
1023         The HasIndexedProperty node does GC.
1024         https://bugs.webkit.org/show_bug.cgi?id=195559
1025         <rdar://problem/48767923>
1026
1027         Reviewed by Yusuke Suzuki.
1028
1029         * stress/HasIndexedProperty-does-gc.js: Added.
1030
1031 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
1032
1033         [ESNext][BigInt] Implement "~" unary operation
1034         https://bugs.webkit.org/show_bug.cgi?id=182216
1035
1036         Reviewed by Keith Miller.
1037
1038         * stress/big-int-bit-not-general.js: Added.
1039         * stress/big-int-bitwise-not-jit.js: Added.
1040         * stress/big-int-bitwise-not-wrapped-value.js: Added.
1041         * stress/bit-op-with-object-returning-int32.js:
1042         * stress/bitwise-not-fixup-rules.js: Added.
1043         * stress/value-bit-not-ai-rule.js: Added.
1044
1045 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
1046
1047         Invalid flags in a RegExp literal should be an early SyntaxError
1048         https://bugs.webkit.org/show_bug.cgi?id=195514
1049
1050         Reviewed by Darin Adler.
1051
1052         * test262/expectations.yaml:
1053         Mark 4 test cases as passing.
1054
1055         * stress/regexp-syntax-error-invalid-flags.js:
1056         * stress/regress-161995.js: Removed.
1057         Update existing test, merging in an older test for the same behavior.
1058
1059 2019-03-08  Mark Lam  <mark.lam@apple.com>
1060
1061         Stack overflow crash in JSC::JSObject::hasInstance.
1062         https://bugs.webkit.org/show_bug.cgi?id=195458
1063         <rdar://problem/48710195>
1064
1065         Reviewed by Yusuke Suzuki.
1066
1067         * stress/stack-overflow-in-custom-hasInstance.js: Added.
1068
1069 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
1070
1071         op_check_tdz does not def its argument
1072         https://bugs.webkit.org/show_bug.cgi?id=192880
1073         <rdar://problem/46221598>
1074
1075         Reviewed by Saam Barati.
1076
1077         * microbenchmarks/let-for-in.js: Added.
1078         (foo):
1079
1080 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
1081
1082         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
1083         https://bugs.webkit.org/show_bug.cgi?id=195429
1084
1085         Reviewed by Saam Barati.
1086
1087         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
1088         (foo):
1089         * stress/string-from-char-code-255.js: Added.
1090
1091 2019-03-06  Mark Lam  <mark.lam@apple.com>
1092
1093         Fix incorrect handling of try-finally completion values.
1094         https://bugs.webkit.org/show_bug.cgi?id=195131
1095         <rdar://problem/46222079>
1096
1097         Reviewed by Saam Barati and Yusuke Suzuki.
1098
1099         Added many permutations of new test case to test-finally.js.  test-finally.js has
1100         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1101         tests passes there as well.
1102
1103         * stress/test-finally.js:
1104
1105 2019-03-06  Saam Barati  <sbarati@apple.com>
1106
1107         Air::reportUsedRegisters must padInterference
1108         https://bugs.webkit.org/show_bug.cgi?id=195303
1109         <rdar://problem/48270343>
1110
1111         Reviewed by Keith Miller.
1112
1113         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1114
1115 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1116
1117         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1118         https://bugs.webkit.org/show_bug.cgi?id=195375
1119
1120         Reviewed by Saam Barati.
1121
1122         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1123         (let.array):
1124
1125 2019-03-05  Saam barati  <sbarati@apple.com>
1126
1127         op_switch_char broken for rope strings after JSRopeString layout rewrite
1128         https://bugs.webkit.org/show_bug.cgi?id=195339
1129         <rdar://problem/48592545>
1130
1131         Reviewed by Yusuke Suzuki.
1132
1133         * stress/switch-on-char-llint-rope.js: Added.
1134
1135 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1136
1137         [JSC] Store bits for JSRopeString in 3 stores
1138         https://bugs.webkit.org/show_bug.cgi?id=195234
1139
1140         Reviewed by Saam Barati.
1141
1142         * stress/null-rope-and-collectors.js: Added.
1143
1144 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1145
1146         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1147         https://bugs.webkit.org/show_bug.cgi?id=195207
1148
1149         Unreviewed. After test runtime was reduced in r242213, test can be
1150         run again on ARM/MIPS.
1151
1152         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1153
1154 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1155
1156         [JSC] sizeof(JSString) should be 16
1157         https://bugs.webkit.org/show_bug.cgi?id=194375
1158
1159         Reviewed by Saam Barati.
1160
1161         * microbenchmarks/make-rope.js: Added.
1162         (makeRope):
1163         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1164         (returnRope.helper): Deleted.
1165         (returnRope): Deleted.
1166
1167 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1168
1169         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1170         https://bugs.webkit.org/show_bug.cgi?id=195144
1171
1172         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1173         Change the number from 1e8 to 1e5.
1174
1175         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1176         (foo):
1177
1178 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1179
1180         Test times out on ARM/MIPS
1181         https://bugs.webkit.org/show_bug.cgi?id=195168
1182
1183         Unreviewed. Skip test on ARM/MIPS.
1184
1185         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1186
1187 2019-02-27  Mark Lam  <mark.lam@apple.com>
1188
1189         The parser is failing to record the token location of new in new.target.
1190         https://bugs.webkit.org/show_bug.cgi?id=195127
1191         <rdar://problem/39645578>
1192
1193         Reviewed by Yusuke Suzuki.
1194
1195         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1196
1197 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1198
1199         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1200         https://bugs.webkit.org/show_bug.cgi?id=195144
1201         <rdar://problem/47595961>
1202
1203         Reviewed by Mark Lam.
1204
1205         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1206         (bar):
1207         (foo):
1208         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1209         (bar):
1210         (foo):
1211
1212 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1213
1214         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1215         https://bugs.webkit.org/show_bug.cgi?id=194945
1216         <rdar://problem/48311657>
1217
1218         Reviewed by Mark Lam.
1219
1220         * stress/licm-dead-code.js: Added.
1221
1222 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1223
1224         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1225         https://bugs.webkit.org/show_bug.cgi?id=194677
1226         <rdar://problem/48112492>
1227
1228         Reviewed by Mark Lam.
1229
1230         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1231         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1232         it immediately fails due the large size.
1233
1234         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1235         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
1236         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1237         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1238
1239         This patch changes the test to produce 16bit string from String.fromCharCode.
1240
1241         * stress/regress-178386.js:
1242
1243 2019-02-26  Mark Lam  <mark.lam@apple.com>
1244
1245         wasmToJS() should purify incoming NaNs.
1246         https://bugs.webkit.org/show_bug.cgi?id=194807
1247         <rdar://problem/48189132>
1248
1249         Reviewed by Saam Barati.
1250
1251         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1252
1253 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1254
1255         [JSC] Repeat string created from Array.prototype.join() take too much memory
1256         https://bugs.webkit.org/show_bug.cgi?id=193912
1257
1258         Reviewed by Saam Barati.
1259
1260         Added a test and a microbenchmark for corner cases of
1261         Array.prototype.join() with an uninitialized array.
1262
1263         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1264         * stress/array-prototype-join-uninitialized.js: Added.
1265         (testArray):
1266         (testABC):
1267         (B):
1268         (C):
1269
1270 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1271
1272         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1273         https://bugs.webkit.org/show_bug.cgi?id=194953
1274         <rdar://problem/47595253>
1275
1276         Reviewed by Saam Barati.
1277
1278         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1279
1280         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1281
1282 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1283
1284         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1285         https://bugs.webkit.org/show_bug.cgi?id=172848
1286         <rdar://problem/25709212>
1287
1288         Reviewed by Mark Lam.
1289
1290         * typeProfiler/inheritance.js:
1291         Rewrite the test slightly for clarity. The hoisting was confusing.
1292
1293         * heapProfiler/class-names.js: Added.
1294         (MyES5Class):
1295         (MyES6Class):
1296         (MyES6Subclass):
1297         Test object types and improved class names.
1298
1299         * heapProfiler/driver/driver.js:
1300         (CheapHeapSnapshotNode):
1301         (CheapHeapSnapshot):
1302         (createCheapHeapSnapshot):
1303         (HeapSnapshot):
1304         (createHeapSnapshot):
1305         Update snapshot parsing from version 1 to version 2.
1306
1307 2019-02-19  Truitt Savell  <tsavell@apple.com>
1308
1309         Unreviewed, rolling out r241784.
1310
1311         Broke all OpenSource builds.
1312
1313         Reverted changeset:
1314
1315         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1316         instances view"
1317         https://bugs.webkit.org/show_bug.cgi?id=172848
1318         https://trac.webkit.org/changeset/241784
1319
1320 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1321
1322         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1323         https://bugs.webkit.org/show_bug.cgi?id=172848
1324         <rdar://problem/25709212>
1325
1326         Reviewed by Mark Lam.
1327
1328         * typeProfiler/inheritance.js:
1329         Rewrite the test slightly for clarity. The hoisting was confusing.
1330
1331         * heapProfiler/class-names.js: Added.
1332         (MyES5Class):
1333         (MyES6Class):
1334         (MyES6Subclass):
1335         Test object types and improved class names.
1336
1337         * heapProfiler/driver/driver.js:
1338         (CheapHeapSnapshotNode):
1339         (CheapHeapSnapshot):
1340         (createCheapHeapSnapshot):
1341         (HeapSnapshot):
1342         (createHeapSnapshot):
1343         Update snapshot parsing from version 1 to version 2.
1344
1345 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1346
1347         [ARM] Fix crash with sampling profiler
1348         https://bugs.webkit.org/show_bug.cgi?id=194772
1349
1350         Reviewed by Mark Lam.
1351
1352         Do not skip test since crash with sampling profiler is now fixed.
1353
1354         * stress/sampling-profiler-richards.js:
1355
1356 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1357
1358         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1359         https://bugs.webkit.org/show_bug.cgi?id=194784
1360         <rdar://problem/48154820>
1361
1362         Reviewed by Mark Lam.
1363
1364         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1365         (getProperties):
1366         (getRandomProperty):
1367         (i.catch):
1368
1369 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1370
1371         [ARM] Test gardening: Test running out of executable memory
1372         https://bugs.webkit.org/show_bug.cgi?id=194771
1373
1374         Unreviewed. Do not run test without LLInt, test is running out of executable
1375         memory on ARM otherwise.
1376
1377         * stress/tagged-template-object-collect.js:
1378
1379 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1380
1381         Unreviewed, skip the test on platforms without sampling profiler
1382
1383         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1384         (platformSupportsSamplingProfiler.foo):
1385         (platformSupportsSamplingProfiler.test):
1386         (platformSupportsSamplingProfiler):
1387         (foo): Deleted.
1388         (test): Deleted.
1389
1390 2019-02-17  Saam Barati  <sbarati@apple.com>
1391
1392         Deadlock when adding a Structure property transition and then doing incremental marking
1393         https://bugs.webkit.org/show_bug.cgi?id=194767
1394
1395         Reviewed by Mark Lam.
1396
1397         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1398
1399 2019-02-15  Michael Saboff  <msaboff@apple.com>
1400
1401         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1402         https://bugs.webkit.org/show_bug.cgi?id=194558
1403
1404         Reviewed by Saam Barati.
1405
1406         New regression test.
1407
1408         * stress/regexp-unicode-within-string.js: Added.
1409
1410 2019-02-15  Mark Lam  <mark.lam@apple.com>
1411
1412         SamplingProfiler::stackTracesAsJSON() should escape strings.
1413         https://bugs.webkit.org/show_bug.cgi?id=194649
1414         <rdar://problem/48072386>
1415
1416         Reviewed by Saam Barati.
1417
1418         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1419         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1420         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1421         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1422
1423 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1424         CodeBlock::jettison should clear related watchpoints
1425         https://bugs.webkit.org/show_bug.cgi?id=194544
1426
1427         Reviewed by Mark Lam.
1428
1429         * stress/regexp-replace-double-watchpoint.js: Added.
1430         (foo):
1431
1432 2019-02-15  Saam barati  <sbarati@apple.com>
1433
1434         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1435         https://bugs.webkit.org/show_bug.cgi?id=194036
1436
1437         Reviewed by Yusuke Suzuki.
1438
1439         * stress/tail-call-many-arguments.js: Added.
1440         (foo):
1441         (bar):
1442
1443 2019-02-14  Saam Barati  <sbarati@apple.com>
1444
1445         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1446         https://bugs.webkit.org/show_bug.cgi?id=194583
1447         <rdar://problem/48028140>
1448
1449         Reviewed by Yusuke Suzuki.
1450
1451         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1452
1453 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1454
1455         [JSC] String.fromCharCode's slow path always generates 16bit string
1456         https://bugs.webkit.org/show_bug.cgi?id=194466
1457
1458         Reviewed by Keith Miller.
1459
1460         * stress/string-from-char-code-slow-path.js: Added.
1461         (shouldBe):
1462         (testWithLength):
1463
1464 2019-02-08  Saam barati  <sbarati@apple.com>
1465
1466         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1467         https://bugs.webkit.org/show_bug.cgi?id=194334
1468         <rdar://problem/47844327>
1469
1470         Reviewed by Mark Lam.
1471
1472         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1473         (func):
1474
1475 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1476
1477         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1478         https://bugs.webkit.org/show_bug.cgi?id=194369
1479         <rdar://problem/47813087>
1480
1481         Reviewed by Saam Barati.
1482
1483         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1484         (A):
1485
1486 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1487
1488         [JSC] PrivateName to PublicName hash table is wasteful
1489         https://bugs.webkit.org/show_bug.cgi?id=194277
1490
1491         Reviewed by Michael Saboff.
1492
1493         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1494
1495         * ChakraCore.yaml:
1496
1497 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1498
1499         [ARM] Test running out of executable memory
1500         https://bugs.webkit.org/show_bug.cgi?id=194285
1501
1502         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1503         executable memory otherwise.
1504
1505         * stress/class-subclassing-function.js:
1506
1507 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1508
1509         when lowering AssertNotEmpty, create the value before creating the patchpoint
1510         https://bugs.webkit.org/show_bug.cgi?id=194231
1511
1512         Reviewed by Saam Barati.
1513
1514         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1515         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1516         So even tiny changes to this test can change the path code taken.
1517
1518         * stress/assert-not-empty.js: Added.
1519         (foo):
1520
1521 2019-02-01  Mark Lam  <mark.lam@apple.com>
1522
1523         Remove invalid assertion in DFG's compileDoubleRep().
1524         https://bugs.webkit.org/show_bug.cgi?id=194130
1525         <rdar://problem/47699474>
1526
1527         Reviewed by Saam Barati.
1528
1529         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1530
1531 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1532
1533         Import latest Test262 updates.
1534
1535         Rubber-stamped by Keith Miller.
1536
1537         * test262.yaml: Deleted.
1538         * test262/config.yaml:
1539         * test262/expectations.yaml:
1540         * test262/latest-changes-summary.txt:
1541         * test262/test/:
1542         * test262/test262-Revision.txt:
1543
1544 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1545
1546         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1547         https://bugs.webkit.org/show_bug.cgi?id=194050
1548         <rdar://problem/47595592>
1549
1550         Reviewed by Yusuke Suzuki.
1551
1552         * stress/object-keys-osr-exit.js: Added.
1553         (foo):
1554         (catch):
1555
1556 2019-01-29  Mark Lam  <mark.lam@apple.com>
1557
1558         ValueRecovery::recover() should purify NaN values it recovers.
1559         https://bugs.webkit.org/show_bug.cgi?id=193978
1560         <rdar://problem/47625488>
1561
1562         Reviewed by Saam Barati.
1563
1564         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1565
1566 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1567
1568         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1569         https://bugs.webkit.org/show_bug.cgi?id=193713
1570
1571         * stress/try-get-by-id-should-spill-registers-dfg.js:
1572         (let.f.createBuiltin):
1573
1574 2019-01-28  Mark Lam  <mark.lam@apple.com>
1575
1576         ToString node actually does GC.
1577         https://bugs.webkit.org/show_bug.cgi?id=193920
1578         <rdar://problem/46695900>
1579
1580         Reviewed by Yusuke Suzuki.
1581
1582         * stress/dfg-to-string-on-int-does-gc.js: Added.
1583         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1584         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1585
1586 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1587
1588         [JSC] NativeErrorConstructor should not have own IsoSubspace
1589         https://bugs.webkit.org/show_bug.cgi?id=193713
1590
1591         Reviewed by Saam Barati.
1592
1593         Remove @Error use.
1594
1595         * stress/try-get-by-id-should-spill-registers-dfg.js:
1596         (let.f.createBuiltin):
1597
1598 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1599
1600         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1601         https://bugs.webkit.org/show_bug.cgi?id=190693
1602
1603         Reviewed by Michael Saboff.
1604
1605         * stress/regress-190693.js: Added.
1606         (truth):
1607         (assert):
1608         (shouldThrowInvalidConstAssignment):
1609         (taz):
1610
1611 2019-01-24  Saam Barati  <sbarati@apple.com>
1612
1613         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1614         https://bugs.webkit.org/show_bug.cgi?id=193751
1615         <rdar://problem/47280215>
1616
1617         Reviewed by Michael Saboff.
1618
1619         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1620         (let.thing):
1621         (foo.let.hello):
1622         (foo):
1623
1624 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1625
1626         [JSC] Reenable baseline JIT on mips
1627         https://bugs.webkit.org/show_bug.cgi?id=192983
1628
1629         Reviewed by Mark Lam.
1630
1631         Added a new test for a case that was triggering a RELEASE_ASSERT when
1632         testing.
1633         Disable some slow tests that were already disabled for arm and x86.
1634
1635         * stress/json-parse-big-object.js: Added.
1636         * stress/new-largeish-contiguous-array-with-size.js:
1637         * stress/op_add.js:
1638         * stress/op_bitand.js:
1639         * stress/op_bitor.js:
1640         * stress/op_bitxor.js:
1641         * stress/op_lshift-ConstVar.js:
1642         * stress/op_lshift-VarConst.js:
1643         * stress/op_lshift-VarVar.js:
1644         * stress/op_mod-ConstVar.js:
1645         * stress/op_mod-VarConst.js:
1646         * stress/op_mod-VarVar.js:
1647         * stress/op_mul-ConstVar.js:
1648         * stress/op_mul-VarConst.js:
1649         * stress/op_mul-VarVar.js:
1650         * stress/op_rshift-ConstVar.js:
1651         * stress/op_rshift-VarConst.js:
1652         * stress/op_rshift-VarVar.js:
1653         * stress/op_sub-ConstVar.js:
1654         * stress/op_sub-VarConst.js:
1655         * stress/op_sub-VarVar.js:
1656         * stress/op_urshift-ConstVar.js:
1657         * stress/op_urshift-VarConst.js:
1658         * stress/op_urshift-VarVar.js:
1659         * stress/sampling-profiler-richards.js:
1660         * stress/spread-forward-call-varargs-stack-overflow.js:
1661
1662 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1663
1664         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1665         https://bugs.webkit.org/show_bug.cgi?id=193711
1666         <rdar://problem/47250262>
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1671         (shouldBe):
1672         (foo):
1673         (bar):
1674         (baz):
1675
1676 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1677
1678         Unreviewed, fix initial global lexical binding epoch
1679         https://bugs.webkit.org/show_bug.cgi?id=193603
1680         <rdar://problem/47380869>
1681
1682         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1683         (f1.f2.f3.f4):
1684         (f1.f2.f3):
1685         (f1.f2):
1686         (f1):
1687
1688 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1689
1690         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1691         https://bugs.webkit.org/show_bug.cgi?id=193709
1692         <rdar://problem/47363838>
1693
1694         Unreviewed, rollout to watch the tests.
1695
1696         * stress/object-tostring-changed-proto.js: Removed.
1697         * stress/object-tostring-changed.js: Removed.
1698         * stress/object-tostring-misc.js: Removed.
1699         * stress/object-tostring-other.js: Removed.
1700         * stress/object-tostring-untyped.js: Removed.
1701
1702 2019-01-22  Saam Barati  <sbarati@apple.com>
1703
1704         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1705
1706         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1707         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1708         (testUncheckedLessThanZero):
1709         (testUncheckedLessThanOrEqualZero):
1710         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1711         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1712
1713 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1714
1715         [JSC] Invalidate old scope operations using global lexical binding epoch
1716         https://bugs.webkit.org/show_bug.cgi?id=193603
1717         <rdar://problem/47380869>
1718
1719         Reviewed by Saam Barati.
1720
1721         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1722         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1723         (shouldThrow):
1724         (bar):
1725         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1726         (shouldBe):
1727         (get1):
1728         (get2):
1729         (get1If):
1730         (get2If):
1731         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1732         (shouldThrow):
1733         (foo):
1734
1735 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1736
1737         Unreviewed, roll out r240220 due to date-format-xparb regression
1738         https://bugs.webkit.org/show_bug.cgi?id=193603
1739
1740         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1741         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1742         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1743         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1744
1745 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1746
1747         DoesGC rule is wrong for nodes with BigIntUse
1748         https://bugs.webkit.org/show_bug.cgi?id=193652
1749
1750         Reviewed by Saam Barati.
1751
1752         * stress/big-int-value-op-update-gc-rules.js: Added.
1753         (assert):
1754         (doesGCAdd):
1755         (doesGCSub):
1756         (doesGCDiv):
1757         (doesGCMul):
1758         (doesGCBitAnd):
1759         (doesGCBitOr):
1760         (doesGCBitXor):
1761
1762 2019-01-20  Saam Barati  <sbarati@apple.com>
1763
1764         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1765         https://bugs.webkit.org/show_bug.cgi?id=193644
1766         <rdar://problem/46209745>
1767
1768         Reviewed by Yusuke Suzuki.
1769
1770         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1771         (foo):
1772         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1773         (foo):
1774         (bar):
1775
1776 2019-01-20  Saam Barati  <sbarati@apple.com>
1777
1778         MovHint must merge NodeBytecodeUsesAsValue for its child
1779         https://bugs.webkit.org/show_bug.cgi?id=186916
1780         <rdar://problem/41396612>
1781
1782         Reviewed by Yusuke Suzuki.
1783
1784         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1785         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1786
1787 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1788
1789         [JSC] Invalidate old scope operations using global lexical binding epoch
1790         https://bugs.webkit.org/show_bug.cgi?id=193603
1791         <rdar://problem/47380869>
1792
1793         Reviewed by Saam Barati.
1794
1795         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1796         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1797         (shouldThrow):
1798         (bar):
1799         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1800         (shouldBe):
1801         (get1):
1802         (get2):
1803         (get1If):
1804         (get2If):
1805         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1806         (shouldThrow):
1807         (foo):
1808
1809 2019-01-17  Saam barati  <sbarati@apple.com>
1810
1811         StringObjectUse should not be a structure check for the original string object structure
1812         https://bugs.webkit.org/show_bug.cgi?id=193483
1813         <rdar://problem/47280522>
1814
1815         Reviewed by Yusuke Suzuki.
1816
1817         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1818         (foo):
1819         (a.valueOf.0):
1820
1821 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1822
1823         [JSC] ToThis omission in DFGByteCodeParser is wrong
1824         https://bugs.webkit.org/show_bug.cgi?id=193513
1825         <rdar://problem/45842236>
1826
1827         Reviewed by Saam Barati.
1828
1829         * stress/to-this-omission-with-different-strict-modes.js: Added.
1830         (thisA):
1831         (thisAStrictWrapper):
1832
1833 2019-01-15  Mark Lam  <mark.lam@apple.com>
1834
1835         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1836         https://bugs.webkit.org/show_bug.cgi?id=193423
1837         <rdar://problem/46209355>
1838
1839         Reviewed by Saam Barati.
1840
1841         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1842         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1843         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1844         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1845
1846 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1847
1848         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1849         https://bugs.webkit.org/show_bug.cgi?id=193438
1850         <rdar://problem/45581249>
1851
1852         Reviewed by Saam Barati and Keith Miller.
1853
1854         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1855         Then, GetByVal(String) crashed.
1856
1857         * stress/string-get-by-val-lowering.js: Added.
1858         (shouldBe):
1859         (test):
1860         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1861         (Hello):
1862         (foo):
1863
1864 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1865
1866         Unreviewed, skip JIT tests if it's not enabled
1867
1868         * stress/bit-op-with-object-returning-int32.js:
1869
1870 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1871
1872         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1873         https://bugs.webkit.org/show_bug.cgi?id=192966
1874
1875         Reviewed by Yusuke Suzuki.
1876
1877         * stress/bit-op-with-object-returning-int32.js: Added.
1878
1879 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1880
1881         Skip a slow test and a flakey test on arm
1882
1883         Unreviewed gardening.
1884
1885         * typeProfiler/getter-richards.js:
1886         this test always times out, it used to be always skipped on arm and
1887         mips, but got accidentally enabled by r237919 now that we have DFG on
1888         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1889
1890 2019-01-14  Keith Miller  <keith_miller@apple.com>
1891
1892         Skip type-check-hoisting-phase-hoist... with no jit
1893         https://bugs.webkit.org/show_bug.cgi?id=193421
1894
1895         Reviewed by Mark Lam.
1896
1897         It's timing out the 32-bit bots and takes 330 seconds
1898         on my machine when run by itself.
1899
1900         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1901
1902 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1903
1904         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1905         https://bugs.webkit.org/show_bug.cgi?id=193413
1906         <rdar://problem/46092389>
1907
1908         Reviewed by Keith Miller.
1909
1910         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1911         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1912         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1913         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1914
1915         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1916         (compareArray):
1917
1918 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1919
1920         [BigInt] Literal parsing is crashing when used inside a Object Literal
1921         https://bugs.webkit.org/show_bug.cgi?id=193404
1922
1923         Reviewed by Yusuke Suzuki.
1924
1925         * stress/big-int-literal-inside-literal-object.js: Added.
1926
1927 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1928
1929         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1930         https://bugs.webkit.org/show_bug.cgi?id=193372
1931
1932         Reviewed by Saam Barati.
1933
1934         * stress/typed-array-array-modes-profile.js: Added.
1935         (foo):
1936
1937 2019-01-14  Mark Lam  <mark.lam@apple.com>
1938
1939         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1940         https://bugs.webkit.org/show_bug.cgi?id=193402
1941         <rdar://problem/46012309>
1942
1943         Reviewed by Keith Miller.
1944
1945         * stress/regexp-compile-oom.js:
1946         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1947           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1948
1949 2019-01-11  Saam barati  <sbarati@apple.com>
1950
1951         DFG combined liveness can be wrong for terminal basic blocks
1952         https://bugs.webkit.org/show_bug.cgi?id=193304
1953         <rdar://problem/45268632>
1954
1955         Reviewed by Yusuke Suzuki.
1956
1957         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1958
1959 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1960
1961         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1962         https://bugs.webkit.org/show_bug.cgi?id=193308
1963         <rdar://problem/45546542>
1964
1965         Reviewed by Saam Barati.
1966
1967         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1968         (shouldThrow):
1969         (shouldBe):
1970         (foo):
1971         (get shouldThrow):
1972         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1973         (shouldThrow):
1974         (shouldBe):
1975         (foo):
1976         (get shouldBe):
1977         (get shouldThrow):
1978         (get return):
1979         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1980         (shouldThrow):
1981         (shouldBe):
1982         (foo):
1983         (get shouldBe):
1984         (get shouldThrow):
1985         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1986         (shouldThrow):
1987         (shouldBe):
1988         (foo):
1989         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1990         (shouldThrow):
1991         (shouldBe):
1992         (foo):
1993         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1994         (shouldThrow):
1995         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1996         (shouldThrow):
1997         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1998         (shouldThrow):
1999         (shouldBe):
2000         (foo):
2001         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2002         (shouldThrow):
2003         (shouldBe):
2004         (foo):
2005         (get shouldBe):
2006         (get shouldThrow):
2007         (get return):
2008         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2009         (shouldThrow):
2010         (shouldBe):
2011         (foo):
2012         (get shouldBe):
2013         (get shouldThrow):
2014         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2015         (shouldThrow):
2016         (shouldBe):
2017         (foo):
2018         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2019         (shouldThrow):
2020         (shouldBe):
2021         (foo):
2022
2023 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
2024
2025         Enable DFG on ARM/Linux again
2026         https://bugs.webkit.org/show_bug.cgi?id=192496
2027
2028         Reviewed by Yusuke Suzuki.
2029
2030         Test wasn't really skipped before moving the line with skip
2031         to the top.
2032
2033         * stress/regress-192717.js:
2034
2035 2019-01-10  Commit Queue  <commit-queue@webkit.org>
2036
2037         Unreviewed, rolling out r239825.
2038         https://bugs.webkit.org/show_bug.cgi?id=193330
2039
2040         Broke tests on armv7/linux bots (Requested by guijemont on
2041         #webkit).
2042
2043         Reverted changeset:
2044
2045         "Enable DFG on ARM/Linux again"
2046         https://bugs.webkit.org/show_bug.cgi?id=192496
2047         https://trac.webkit.org/changeset/239825
2048
2049 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
2050
2051         Enable DFG on ARM/Linux again
2052         https://bugs.webkit.org/show_bug.cgi?id=192496
2053
2054         Reviewed by Yusuke Suzuki.
2055
2056         Test wasn't really skipped before moving the line with skip
2057         to the top.
2058
2059         * stress/regress-192717.js:
2060
2061 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2062
2063         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
2064         https://bugs.webkit.org/show_bug.cgi?id=193127
2065
2066         Reviewed by Saam Barati.
2067
2068         * stress/array-species-create-should-handle-masquerader.js: Added.
2069         (shouldThrow):
2070         * stress/is-undefined-or-null-builtin.js: Added.
2071         (shouldBe):
2072         (isUndefinedOrNull.vm.createBuiltin):
2073
2074 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
2075
2076         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
2077         https://bugs.webkit.org/show_bug.cgi?id=193221
2078
2079         Reviewed by Mark Lam.
2080
2081         * stress/put-by-id-flags.js: Added.
2082         (f):
2083         (g):
2084         (numberOfDFGCompiles):
2085
2086 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2087
2088         Baseline version of get_by_id may corrupt metadata
2089         https://bugs.webkit.org/show_bug.cgi?id=193085
2090         <rdar://problem/23453006>
2091
2092         Reviewed by Saam Barati.
2093
2094         * stress/get-by-id-change-mode.js: Added.
2095         (forEach):
2096
2097 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2098
2099         [JSC] Optimize Object.prototype.toString
2100         https://bugs.webkit.org/show_bug.cgi?id=193031
2101
2102         Reviewed by Saam Barati.
2103
2104         * stress/object-tostring-changed-proto.js: Added.
2105         (shouldBe):
2106         (test):
2107         * stress/object-tostring-changed.js: Added.
2108         (shouldBe):
2109         (test):
2110         * stress/object-tostring-misc.js: Added.
2111         (shouldBe):
2112         (test):
2113         (i.switch):
2114         * stress/object-tostring-other.js: Added.
2115         (shouldBe):
2116         (test):
2117         * stress/object-tostring-untyped.js: Added.
2118         (shouldBe):
2119         (test):
2120         (i.switch):
2121
2122 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2123
2124         test262-runner misbehaves when test file YAML has a trailing space
2125         https://bugs.webkit.org/show_bug.cgi?id=193053
2126
2127         Reviewed by Yusuke Suzuki.
2128
2129         * test262/expectations.yaml:
2130         Mark two dozen tests as passing (and correct the output of another).
2131
2132 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2133
2134         Unreviewed, JSTests gardening with memoryLimited
2135
2136         * stress/string-overflow-createError.js:
2137
2138 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2139
2140         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2141         https://bugs.webkit.org/show_bug.cgi?id=193050
2142
2143         Reviewed by Yusuke Suzuki.
2144
2145         * test262.yaml:
2146         * test262/expectations.yaml:
2147         Mark 16 tests as passing.
2148
2149 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2150
2151         [BigInt] Support BigInt in JSON.stringify
2152         https://bugs.webkit.org/show_bug.cgi?id=192624
2153
2154         Reviewed by Saam Barati.
2155
2156         * stress/big-int-json-stringify-to-json.js: Added.
2157         (shouldBe):
2158         (shouldThrow):
2159         (BigInt.prototype.toJSON):
2160         (shouldBe.JSON.stringify):
2161         * stress/big-int-json-stringify.js: Added.
2162         (shouldBe):
2163         (shouldThrow):
2164
2165 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2166
2167         [JSC] Implement "well-formed JSON.stringify" proposal
2168         https://bugs.webkit.org/show_bug.cgi?id=191677
2169
2170         Reviewed by Darin Adler.
2171
2172         * stress/json-surrogate-pair.js: Added.
2173         (shouldBe):
2174         * test262/expectations.yaml:
2175
2176 2018-12-20  Keith Miller  <keith_miller@apple.com>
2177
2178         Add support for globalThis
2179         https://bugs.webkit.org/show_bug.cgi?id=165171
2180
2181         Reviewed by Mark Lam.
2182
2183         * test262/config.yaml:
2184
2185 2018-12-19  Keith Miller  <keith_miller@apple.com>
2186
2187         Update test262 configuration to not run tests dependent on ICU version.
2188         https://bugs.webkit.org/show_bug.cgi?id=192920
2189
2190         Reviewed by Saam Barati.
2191
2192         * test262/expectations.yaml:
2193
2194 2018-12-20  Mark Lam  <mark.lam@apple.com>
2195
2196         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2197         https://bugs.webkit.org/show_bug.cgi?id=192939
2198         <rdar://problem/46869516>
2199
2200         Reviewed by Keith Miller.
2201
2202         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2203
2204 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2205
2206         WTF::String and StringImpl overflow MaxLength
2207         https://bugs.webkit.org/show_bug.cgi?id=192853
2208         <rdar://problem/45726906>
2209
2210         Reviewed by Mark Lam.
2211
2212         * stress/string-16bit-repeat-overflow.js: Added.
2213         (catch):
2214
2215 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2216
2217         Unreviewed follow-up to r192914.
2218
2219         * test262/expectations.yaml:
2220         Add the last 20 missing expectations.
2221
2222 2018-12-19  Keith Miller  <keith_miller@apple.com>
2223
2224         Fix test262 expectations
2225         https://bugs.webkit.org/show_bug.cgi?id=192914
2226
2227         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2228
2229         * test262/expectations.yaml:
2230
2231 2018-12-19  Keith Miller  <keith_miller@apple.com>
2232
2233         Update test262 tests.
2234         https://bugs.webkit.org/show_bug.cgi?id=192907
2235
2236         Rubber stamped by Mark Lam.
2237
2238         * test262/*: Omitted because prepare-changelog crashes.
2239
2240 2018-12-19  Mark Lam  <mark.lam@apple.com>
2241
2242         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2243         https://bugs.webkit.org/show_bug.cgi?id=192464
2244         <rdar://problem/46519455>
2245
2246         Reviewed by Saam Barati.
2247
2248         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2249         microbenchmark.
2250
2251         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2252         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2253
2254 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2255
2256         String overflow in JSC::createError results in ASSERT in WTF::makeString
2257         https://bugs.webkit.org/show_bug.cgi?id=192833
2258         <rdar://problem/45706868>
2259
2260         Reviewed by Mark Lam.
2261
2262         * stress/string-overflow-createError.js: Added.
2263
2264 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2265
2266         Error message for `-x ** y` contains a typo.
2267         https://bugs.webkit.org/show_bug.cgi?id=192832
2268
2269         Reviewed by Saam Barati.
2270
2271         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2272         (assert.assert.return.throws):
2273         * stress/pow-expects-update-expression-on-lhs.js:
2274         (throw.new.Error):
2275         Update test expectations which match against the exact error message.
2276
2277 2018-12-18  Mark Lam  <mark.lam@apple.com>
2278
2279         Gardening: test options fix.
2280         https://bugs.webkit.org/show_bug.cgi?id=192822
2281
2282         Unreviewed.
2283
2284         * stress/json-stringify-string-builder-overflow.js:
2285
2286 2018-12-18  Mark Lam  <mark.lam@apple.com>
2287
2288         JSON.stringify() should throw OOM on StringBuilder overflows.
2289         https://bugs.webkit.org/show_bug.cgi?id=192822
2290         <rdar://problem/46670577>
2291
2292         Reviewed by Saam Barati.
2293
2294         * stress/json-stringify-string-builder-overflow.js: Added.
2295
2296 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2297
2298         Redeclaration of var over let/const/class should be a syntax error.
2299         https://bugs.webkit.org/show_bug.cgi?id=192298
2300
2301         Reviewed by Keith Miller.
2302
2303         * test262.yaml:
2304         * test262/expectations.yaml:
2305         Mark 46 tests as passing.
2306
2307         * stress/block-scope-redeclarations.js:
2308         Add some new tests.
2309
2310         * stress/for-in-invalidate-context-weird-assignments.js:
2311         * stress/for-in-tests.js:
2312         Replace tests for outdated behavior with tests for SyntaxError.
2313
2314         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2315         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2316         Update expectations.
2317
2318 2018-12-18  Mark Lam  <mark.lam@apple.com>
2319
2320         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2321         https://bugs.webkit.org/show_bug.cgi?id=191374
2322         <rdar://problem/46525447>
2323
2324         Reviewed by Yusuke Suzuki.
2325
2326         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2327
2328         * stress/elidable-new-object-roflcopter-then-exit.js:
2329
2330 2018-12-17  Mark Lam  <mark.lam@apple.com>
2331
2332         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2333         https://bugs.webkit.org/show_bug.cgi?id=192019
2334         <rdar://problem/46525456>
2335
2336         Reviewed by Yusuke Suzuki.
2337
2338         The test runs too slow on 32-bit.
2339
2340         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2341
2342 2018-12-17  Mark Lam  <mark.lam@apple.com>
2343
2344         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2345         https://bugs.webkit.org/show_bug.cgi?id=191373
2346         <rdar://problem/46525458>
2347
2348         Reviewed by Yusuke Suzuki.
2349
2350         The test is already slow running with a JIT on 64-bit.  It will always timeout
2351         on 32-bit without a JIT.
2352
2353         * stress/materialize-regexp-cyclic-regexp.js:
2354
2355 2018-12-17  Mark Lam  <mark.lam@apple.com>
2356
2357         Array unshift/shift should not race against the AI in the compiler thread.
2358         https://bugs.webkit.org/show_bug.cgi?id=192795
2359         <rdar://problem/46724263>
2360
2361         Reviewed by Saam Barati.
2362
2363         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2364
2365 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2366
2367         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2368         https://bugs.webkit.org/show_bug.cgi?id=190047
2369
2370         Reviewed by Saam Barati.
2371
2372         * stress/object-keys-cached-zero.js: Added.
2373         (shouldBe):
2374         (test):
2375         * stress/object-keys-changed-attribute.js: Added.
2376         (shouldBe):
2377         (test):
2378         * stress/object-keys-changed-index.js: Added.
2379         (shouldBe):
2380         (test):
2381         * stress/object-keys-changed.js: Added.
2382         (shouldBe):
2383         (test):
2384         * stress/object-keys-indexed-non-cache.js: Added.
2385         (shouldBe):
2386         (test):
2387         * stress/object-keys-overrides-get-property-names.js: Added.
2388         (shouldBe):
2389         (test):
2390         (noInline):
2391
2392 2018-12-17  Mark Lam  <mark.lam@apple.com>
2393
2394         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2395         https://bugs.webkit.org/show_bug.cgi?id=192779
2396         <rdar://problem/46775869>
2397
2398         Reviewed by Saam Barati.
2399
2400         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2401
2402 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2403
2404         Unreviewed test gardening, address a syntax error in a new test.
2405
2406         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2407
2408 2018-12-17  Mark Lam  <mark.lam@apple.com>
2409
2410         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2411         https://bugs.webkit.org/show_bug.cgi?id=192776
2412         <rdar://problem/46772368>
2413
2414         Reviewed by Keith Miller.
2415
2416         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2417
2418 2018-12-17  Mark Lam  <mark.lam@apple.com>
2419
2420         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2421         https://bugs.webkit.org/show_bug.cgi?id=192770
2422         <rdar://problem/46449037>
2423
2424         Reviewed by Keith Miller.
2425
2426         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2427
2428 2018-12-14  Mark Lam  <mark.lam@apple.com>
2429
2430         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2431         https://bugs.webkit.org/show_bug.cgi?id=192717
2432         <rdar://problem/46660677>
2433
2434         Reviewed by Saam Barati.
2435
2436         * stress/regress-192717.js: Added.
2437
2438 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2439
2440         Unreviewed, rolling out r239153, r239154, and r239155.
2441         https://bugs.webkit.org/show_bug.cgi?id=192715
2442
2443         Caused flaky GC-related crashes seen with layout tests
2444         (Requested by ryanhaddad on #webkit).
2445
2446         Reverted changesets:
2447
2448         "[JSC] Optimize Object.keys by caching own keys results in
2449         StructureRareData"
2450         https://bugs.webkit.org/show_bug.cgi?id=190047
2451         https://trac.webkit.org/changeset/239153
2452
2453         "Unreviewed, build fix after r239153"
2454         https://bugs.webkit.org/show_bug.cgi?id=190047
2455         https://trac.webkit.org/changeset/239154
2456
2457         "Unreviewed, build fix after r239153, part 2"
2458         https://bugs.webkit.org/show_bug.cgi?id=190047
2459         https://trac.webkit.org/changeset/239155
2460
2461 2018-12-14  Keith Miller  <keith_miller@apple.com>
2462
2463         Callers of JSString::getIndex should check for OOM exceptions
2464         https://bugs.webkit.org/show_bug.cgi?id=192709
2465
2466         Reviewed by Mark Lam.
2467
2468         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2469
2470 2018-12-13  Mark Lam  <mark.lam@apple.com>
2471
2472         Add a missing exception check.
2473         https://bugs.webkit.org/show_bug.cgi?id=192626
2474         <rdar://problem/46662163>
2475
2476         Reviewed by Keith Miller.
2477
2478         * stress/regress-192626.js: Added.
2479
2480 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2481
2482         [BigInt] Add ValueDiv into DFG
2483         https://bugs.webkit.org/show_bug.cgi?id=186178
2484
2485         Reviewed by Yusuke Suzuki.
2486
2487         * stress/big-int-div-jit-osr.js: Added.
2488         * stress/big-int-div-jit-untyped.js: Added.
2489         * stress/value-div-fixup-int32-big-int.js: Added.
2490
2491 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2492
2493         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2494         https://bugs.webkit.org/show_bug.cgi?id=190047
2495
2496         Reviewed by Keith Miller.
2497
2498         * stress/object-keys-cached-zero.js: Added.
2499         (shouldBe):
2500         (test):
2501         * stress/object-keys-changed-attribute.js: Added.
2502         (shouldBe):
2503         (test):
2504         * stress/object-keys-changed-index.js: Added.
2505         (shouldBe):
2506         (test):
2507         * stress/object-keys-changed.js: Added.
2508         (shouldBe):
2509         (test):
2510         * stress/object-keys-indexed-non-cache.js: Added.
2511         (shouldBe):
2512         (test):
2513         * stress/object-keys-overrides-get-property-names.js: Added.
2514         (shouldBe):
2515         (test):
2516         (noInline):
2517
2518 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2519
2520         [DFG][FTL] Add NewSymbol
2521         https://bugs.webkit.org/show_bug.cgi?id=192620
2522
2523         Reviewed by Saam Barati.
2524
2525         * microbenchmarks/symbol-creation.js: Added.
2526         (test):
2527         * stress/symbol-description-identity.js: Added.
2528         (shouldBe):
2529         (test):
2530         * stress/symbol-identity.js: Added.
2531         (shouldBe):
2532         (test):
2533         * stress/symbol-with-description-throw-error.js: Added.
2534         (shouldBe):
2535         (shouldThrow):
2536         (test):
2537         (object.toString):
2538
2539 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2540
2541         [BigInt] Implement DFG/FTL typeof for BigInt
2542         https://bugs.webkit.org/show_bug.cgi?id=192619
2543
2544         Reviewed by Keith Miller.
2545
2546         * stress/big-int-boolean-proven-type.js: Added.
2547         (assert):
2548         (bool):
2549         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2550         (assert):
2551         (typeOf):
2552         (i.switch):
2553         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2554         (assert):
2555         (typeOf):
2556         * stress/big-int-type-of.js:
2557         (typeOf):
2558         (func):
2559
2560 2018-12-10  Mark Lam  <mark.lam@apple.com>
2561
2562         PropertyAttribute needs a CustomValue bit.
2563         https://bugs.webkit.org/show_bug.cgi?id=191993
2564         <rdar://problem/46264467>
2565
2566         Reviewed by Saam Barati.
2567
2568         * stress/regress-191993.js: Added.
2569
2570 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2571
2572         [BigInt] Add ValueMul into DFG
2573         https://bugs.webkit.org/show_bug.cgi?id=186175
2574
2575         Reviewed by Yusuke Suzuki.
2576
2577         * stress/big-int-mul-jit-osr.js: Added.
2578         * stress/big-int-mul-jit-untyped.js: Added.
2579         * stress/value-mul-fixup-int32-big-int.js: Added.
2580
2581 2018-12-06  Keith Miller  <keith_miller@apple.com>
2582
2583         stress/big-wasm-memory tests failing on 32-bit JSC bot
2584         https://bugs.webkit.org/show_bug.cgi?id=192020
2585
2586         Reviewed by Saam Barati.
2587
2588         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2589         the wasm stress tests if the WebAssembly object does not exist.
2590
2591         * stress/big-wasm-memory-grow-no-max.js:
2592         (test.foo):
2593         (test):
2594         (foo): Deleted.
2595         (catch): Deleted.
2596         * stress/big-wasm-memory-grow.js:
2597         (test.foo):
2598         (test):
2599         (foo): Deleted.
2600         (catch): Deleted.
2601         * stress/big-wasm-memory.js:
2602         (test.foo):
2603         (test):
2604         (foo): Deleted.
2605         (catch): Deleted.
2606
2607 2018-12-05  Mark Lam  <mark.lam@apple.com>
2608
2609         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2610         https://bugs.webkit.org/show_bug.cgi?id=192441
2611         <rdar://problem/46480355>
2612
2613         Reviewed by Saam Barati.
2614
2615         * stress/regress-192441.js: Added.
2616
2617 2018-12-04  Mark Lam  <mark.lam@apple.com>
2618
2619         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2620         https://bugs.webkit.org/show_bug.cgi?id=192386
2621         <rdar://problem/46445516>
2622
2623         Reviewed by Saam Barati.
2624
2625         * stress/regress-192386.js: Added.
2626
2627 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2628
2629         [ESNext][BigInt] Support logic operations
2630         https://bugs.webkit.org/show_bug.cgi?id=179903
2631
2632         Reviewed by Yusuke Suzuki.
2633
2634         * stress/big-int-branch-usage.js: Added.
2635         * stress/big-int-logical-and.js: Added.
2636         * stress/big-int-logical-not.js: Added.
2637         * stress/big-int-logical-or.js: Added.
2638
2639 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2640
2641         Unreviewed, rolling out r238833.
2642
2643         Breaks macOS and iOS debug builds.
2644
2645         Reverted changeset:
2646
2647         "[ESNext][BigInt] Support logic operations"
2648         https://bugs.webkit.org/show_bug.cgi?id=179903
2649         https://trac.webkit.org/changeset/238833
2650
2651 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2652
2653         [ESNext][BigInt] Support logic operations
2654         https://bugs.webkit.org/show_bug.cgi?id=179903
2655
2656         Reviewed by Yusuke Suzuki.
2657
2658         * stress/big-int-branch-usage.js: Added.
2659         * stress/big-int-logical-and.js: Added.
2660         * stress/big-int-logical-not.js: Added.
2661         * stress/big-int-logical-or.js: Added.
2662
2663 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2664
2665         [ESNext][BigInt] Implement support for "<<" and ">>"
2666         https://bugs.webkit.org/show_bug.cgi?id=186233
2667
2668         Reviewed by Yusuke Suzuki.
2669
2670         * stress/big-int-left-shift-general.js: Added.
2671         * stress/big-int-left-shift-range-error.js: Added.
2672         * stress/big-int-left-shift-type-error.js: Added.
2673         * stress/big-int-left-shift-wrapped-value.js: Added.
2674         * stress/big-int-right-shift-general.js: Added.
2675         * stress/big-int-right-shift-type-error.js: Added.
2676         * stress/big-int-right-shift-wrapped-value.js: Added.
2677         * stress/left-shift-to-primitive-precedence.js: Added.
2678         * stress/right-shift-to-primitive-precedence.js: Added.
2679
2680 2018-11-30  Dean Jackson  <dino@apple.com>
2681
2682         Add first-class support for .mjs files in jsc binary
2683         https://bugs.webkit.org/show_bug.cgi?id=192190
2684         <rdar://problem/46375715>
2685
2686         Reviewed by Keith Miller.
2687
2688         * stress/simple-module.mjs: Added.
2689         * stress/simple-script.js: Added.
2690
2691 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2692
2693         [BigInt] Implement ValueBitXor into DFG
2694         https://bugs.webkit.org/show_bug.cgi?id=190264
2695
2696         Reviewed by Yusuke Suzuki.
2697
2698         * stress/big-int-bitwise-xor-jit.js: Added.
2699         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2700         * stress/big-int-bitwise-xor-untyped.js: Added.
2701
2702 2018-11-27  Saam barati  <sbarati@apple.com>
2703
2704         r238510 broke scopes of size zero
2705         https://bugs.webkit.org/show_bug.cgi?id=192033
2706         <rdar://problem/46281734>
2707
2708         Reviewed by Keith Miller.
2709
2710         * stress/r238510-bad-loop.js: Added.
2711         (foo):
2712
2713 2018-11-27  Mark Lam  <mark.lam@apple.com>
2714
2715         [Re-landing] NaNs read from Wasm code needs to be be purified.
2716         https://bugs.webkit.org/show_bug.cgi?id=191056
2717         <rdar://problem/45660341>
2718
2719         Reviewed by Filip Pizlo.
2720
2721         * wasm/regress/regress-191056.js: Added.
2722
2723 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2724
2725         Unreviewed, rolling out r238509.
2726
2727         Causes JSC tests to fail on iOS.
2728
2729         Reverted changeset:
2730
2731         "NaNs read from Wasm code needs to be be purified."
2732         https://bugs.webkit.org/show_bug.cgi?id=191056
2733         https://trac.webkit.org/changeset/238509
2734
2735 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2736
2737         Re-introduce op_bitnot
2738         https://bugs.webkit.org/show_bug.cgi?id=190923
2739
2740         Reviewed by Yusuke Suzuki.
2741
2742         * stress/bit-not-must-generate.js: Added.
2743         * stress/bitwise-not-no-int32.js: Added.
2744
2745 2018-11-26  Saam barati  <sbarati@apple.com>
2746
2747         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2748         https://bugs.webkit.org/show_bug.cgi?id=191956
2749         <rdar://problem/45665806>
2750
2751         Reviewed by Yusuke Suzuki.
2752
2753         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2754         (bar):
2755         (foo):
2756
2757 2018-11-26  Saam barati  <sbarati@apple.com>
2758
2759         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2760         https://bugs.webkit.org/show_bug.cgi?id=191958
2761         <rdar://problem/46221877>
2762
2763         Reviewed by Yusuke Suzuki.
2764
2765         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2766         (x):
2767         (foo):
2768
2769 2018-11-26  Mark Lam  <mark.lam@apple.com>
2770
2771         NaNs read from Wasm code needs to be be purified.
2772         https://bugs.webkit.org/show_bug.cgi?id=191056
2773         <rdar://problem/45660341>
2774
2775         Reviewed by Filip Pizlo.
2776
2777         * wasm/regress/regress-191056.js: Added.
2778
2779 2018-11-26  Michael Saboff  <msaboff@apple.com>
2780
2781         32-bit JSC test failure: stress/regexp-compile-oom.js
2782         https://bugs.webkit.org/show_bug.cgi?id=191375
2783
2784         Reviewed by Mark Lam.
2785
2786         Disabled the test for 32 bit platforms.
2787
2788         * stress/regexp-compile-oom.js:
2789
2790 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2791
2792         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2793         https://bugs.webkit.org/show_bug.cgi?id=191716
2794         <rdar://problem/45723878>
2795
2796         Reviewed by Saam Barati.
2797
2798         * stress/regress-187373.js: Added.
2799         (async.fn):
2800
2801 2018-11-21  Saam barati  <sbarati@apple.com>
2802
2803         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2804         https://bugs.webkit.org/show_bug.cgi?id=191897
2805         <rdar://problem/45871998>
2806
2807         Reviewed by Mark Lam.
2808
2809         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2810         (bar):
2811         (foo):
2812
2813 2018-11-21  Saam barati  <sbarati@apple.com>
2814
2815         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2816         https://bugs.webkit.org/show_bug.cgi?id=191895
2817         <rdar://problem/46167406>
2818
2819         Reviewed by Mark Lam.
2820
2821         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2822         (foo):
2823         (bar):
2824
2825 2018-11-21  Mark Lam  <mark.lam@apple.com>
2826
2827         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2828         https://bugs.webkit.org/show_bug.cgi?id=191776
2829         <rdar://problem/46152851>
2830
2831         Reviewed by Saam Barati.
2832
2833         * stress/big-wasm-memory-grow-no-max.js:
2834         * stress/big-wasm-memory-grow.js:
2835         * stress/big-wasm-memory.js:
2836         - updated these to expect an OutOfMemoryError.
2837
2838         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2839         (Binary.prototype.emit_u8):
2840         (Binary.prototype.emit_u32v):
2841         (Binary.prototype.emit_header):
2842         (Binary.prototype.emit_section):
2843         (Binary):
2844         (WasmModuleBuilder):
2845         (WasmModuleBuilder.prototype.addMemory):
2846         (WasmModuleBuilder.prototype.toArray):
2847         (WasmModuleBuilder.prototype.toBuffer):
2848         (WasmModuleBuilder.prototype.instantiate):
2849         (catch):
2850         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2851         (catch):
2852
2853 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2854
2855         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2856         https://bugs.webkit.org/show_bug.cgi?id=190836
2857
2858         Reviewed by Saam Barati and Yusuke Suzuki.
2859
2860         * stress/big-int-out-of-memory-tests.js: Added.
2861
2862 2018-11-20  Mark Lam  <mark.lam@apple.com>
2863
2864         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2865         https://bugs.webkit.org/show_bug.cgi?id=191856
2866         <rdar://problem/46089992>
2867
2868         Reviewed by Yusuke Suzuki.
2869
2870         * stress/regress-191856.js: Added.
2871         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2872
2873 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2874
2875         Enable JIT on ARM/Linux
2876         https://bugs.webkit.org/show_bug.cgi?id=191548
2877
2878         Reviewed by Yusuke Suzuki.
2879
2880         Disable test on system with limited memory. Program was killed by
2881         the OS before the exception was thrown.
2882
2883         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2884
2885 2018-11-20  Saam barati  <sbarati@apple.com>
2886
2887         Merging an IC variant may lead to the IC status containing overlapping structure sets
2888         https://bugs.webkit.org/show_bug.cgi?id=191869
2889         <rdar://problem/45403453>
2890
2891         Reviewed by Mark Lam.
2892
2893         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2894
2895 2018-11-19  Mark Lam  <mark.lam@apple.com>
2896
2897         globalFuncImportModule() should return a promise when it clears exceptions.
2898         https://bugs.webkit.org/show_bug.cgi?id=191792
2899         <rdar://problem/46090763>
2900
2901         Reviewed by Michael Saboff.
2902
2903         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2904
2905 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2906
2907         Skip new memory-hungry tests on memory limited devices
2908
2909         Unreviewed gardening.
2910
2911         * stress/big-wasm-memory-grow-no-max.js:
2912         * stress/big-wasm-memory-grow.js:
2913         * stress/big-wasm-memory.js:
2914
2915 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2916
2917         Unreviewed, rolling in the rest of r237254
2918         https://bugs.webkit.org/show_bug.cgi?id=190340
2919
2920         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2921         * stress/function-cache-with-parameters-end-position.js: Added.
2922         (shouldBe):
2923         (shouldThrow):
2924         (i.anonymous):
2925         * stress/function-constructor-name.js: Added.
2926         (shouldBe):
2927         (GeneratorFunction):
2928         (AsyncFunction.async):
2929         (AsyncGeneratorFunction.async):
2930         (anonymous):
2931         (async.anonymous):
2932         * test262/expectations.yaml:
2933
2934 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2935
2936         All users of ArrayBuffer should agree on the same max size
2937         https://bugs.webkit.org/show_bug.cgi?id=191771
2938
2939         Reviewed by Mark Lam.
2940
2941         * stress/big-wasm-memory-grow-no-max.js: Added.
2942         (foo):
2943         (catch):
2944         * stress/big-wasm-memory-grow.js: Added.
2945         (foo):
2946         (catch):
2947         * stress/big-wasm-memory.js: Added.
2948         (foo):
2949         (catch):
2950
2951 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2952
2953         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2954         run for each JSC config since they're regression tests for runtime bugs.
2955
2956         * stress/json-stringified-overflow-2.js:
2957         * stress/json-stringified-overflow.js:
2958
2959 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2960
2961         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2962         config since they're regression tests for runtime bugs.
2963
2964         * stress/large-unshift-splice.js:
2965         * stress/regress-185888.js:
2966
2967 2018-11-16  Saam Barati  <sbarati@apple.com>
2968
2969         KnownCellUse should also have SpecCellCheck as its type filter
2970         https://bugs.webkit.org/show_bug.cgi?id=191729
2971         <rdar://problem/45872852>
2972
2973         Reviewed by Filip Pizlo.
2974
2975         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2976         (C):
2977
2978 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2979
2980         Fix assertion failure on BytecodeGenerator::recordOpcode
2981         https://bugs.webkit.org/show_bug.cgi?id=191724
2982         <rdar://problem/45724395>
2983
2984         Reviewed by Saam Barati.
2985
2986         * stress/regress-187373-2.js: Added.
2987         (foo):
2988
2989 2018-11-15  Mark Lam  <mark.lam@apple.com>
2990
2991         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2992         https://bugs.webkit.org/show_bug.cgi?id=191730
2993         <rdar://problem/46048517>
2994
2995         Reviewed by Saam Barati.
2996
2997         * stress/regress-187006.js: Removed.
2998           - this test is invalid because its sole purpose is to test for the non-spec
2999             compliant behavior that we just fixed.
3000
3001         * stress/regress-191730.js: Added.
3002
3003 2018-11-15  Mark Lam  <mark.lam@apple.com>
3004
3005         RegExp operations should not take fast patch if lastIndex is not numeric.
3006         https://bugs.webkit.org/show_bug.cgi?id=191731
3007         <rdar://problem/46017305>
3008
3009         Reviewed by Saam Barati.
3010
3011         * stress/regress-191731.js: Added.
3012
3013 2018-11-13  Saam Barati  <sbarati@apple.com>
3014
3015         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
3016         https://bugs.webkit.org/show_bug.cgi?id=191600
3017
3018         Reviewed by Mark Lam.
3019
3020         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
3021         (foo):
3022         (test):
3023         (bar):
3024
3025 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
3026
3027         Unreviewed, rolling out r238132.
3028
3029         The test added with this change is timing out on Debug JSC
3030         bots.
3031
3032         Reverted changeset:
3033
3034         "[BigInt] JSBigInt::createWithLength should throw when length
3035         is greater than JSBigInt::maxLength"
3036         https://bugs.webkit.org/show_bug.cgi?id=190836
3037         https://trac.webkit.org/changeset/238132
3038
3039 2018-11-13  Mark Lam  <mark.lam@apple.com>
3040
3041         Add OOM detection to StringPrototype's substituteBackreferences().
3042         https://bugs.webkit.org/show_bug.cgi?id=191563
3043         <rdar://problem/45720428>
3044
3045         Reviewed by Saam Barati.
3046
3047         * stress/regress-191563.js: Added.
3048
3049 2018-11-13  Mark Lam  <mark.lam@apple.com>
3050
3051         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
3052         https://bugs.webkit.org/show_bug.cgi?id=191579
3053         <rdar://problem/45942472>
3054
3055         Reviewed by Saam Barati.
3056
3057         * stress/regress-191579.js: Added.
3058
3059 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
3060
3061         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3062         https://bugs.webkit.org/show_bug.cgi?id=190836
3063
3064         Reviewed by Saam Barati.
3065
3066         * stress/big-int-out-of-memory-tests.js: Added.
3067
3068 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
3069
3070         U+180E is no longer a whitespace character
3071         https://bugs.webkit.org/show_bug.cgi?id=191415
3072
3073         Reviewed by Saam Barati.
3074
3075         * ChakraCore/test/es5/regexSpace.baseline:
3076         * ChakraCore/test/es6/unicode_whitespace.js:
3077         Update tests to latest version.
3078         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
3079
3080         * test262.yaml:
3081         * test262/config.yaml:
3082         * test262/expectations.yaml:
3083         Update expectations.
3084
3085 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
3086
3087         [BigInt] Add support to BigInt into ValueAdd
3088         https://bugs.webkit.org/show_bug.cgi?id=186177
3089
3090         Reviewed by Keith Miller.
3091
3092         * stress/big-int-negate-jit.js:
3093         * stress/value-add-big-int-and-string.js: Added.
3094         * stress/value-add-big-int-prediction-propagation.js: Added.
3095         * stress/value-add-big-int-untyped.js: Added.
3096
3097 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3098
3099         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3100         https://bugs.webkit.org/show_bug.cgi?id=191184
3101
3102         Reviewed by Saam Barati.
3103
3104         Most tests were failing due to timeouts, since they are too slow to
3105         run on CLoop. The exceptions are:
3106
3107         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3108         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3109         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3110         to change the stack size since CLoop requires it to be page aligned.
3111
3112         * microbenchmarks/array-push-1.js:
3113         * microbenchmarks/array-push-2.js:
3114         * microbenchmarks/elidable-new-object-dag.js:
3115         * microbenchmarks/elidable-new-object-roflcopter.js:
3116         * microbenchmarks/elidable-new-object-tree.js:
3117         * microbenchmarks/getter-richards.js:
3118         * microbenchmarks/sinkable-new-object-dag.js:
3119         * microbenchmarks/string-concat-long-convert.js:
3120         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3121         * slowMicrobenchmarks/array-push-3.js:
3122         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3123         * slowMicrobenchmarks/spread-small-array.js:
3124         * slowMicrobenchmarks/undefined-property-access.js:
3125         * stress/activation-sink-default-value-tdz-error.js:
3126         * stress/activation-sink-default-value.js:
3127         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3128         * stress/activation-sink-osrexit-default-value.js:
3129         * stress/activation-sink-osrexit.js:
3130         * stress/activation-sink.js:
3131         * stress/allow-math-ic-b3-code-duplication.js:
3132         * stress/array-push-multiple-int32.js:
3133         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3134         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3135         * stress/arrowfunction-lexical-this-activation-sink.js:
3136         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3137         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3138         * stress/elide-new-object-dag-then-exit.js:
3139         * stress/materialize-regexp-cyclic.js:
3140         * stress/new-regex-inline.js:
3141         * stress/op_add.js:
3142         * stress/op_bitand.js:
3143         * stress/op_bitor.js:
3144         * stress/op_bitxor.js:
3145         * stress/op_div-ConstVar.js:
3146         * stress/op_div-VarConst.js:
3147         * stress/op_div-VarVar.js:
3148         * stress/op_lshift-ConstVar.js:
3149         * stress/op_lshift-VarConst.js:
3150         * stress/op_lshift-VarVar.js:
3151         * stress/op_mod-ConstVar.js:
3152         * stress/op_mod-VarConst.js:
3153         * stress/op_mod-VarVar.js:
3154         * stress/op_mul-ConstVar.js:
3155         * stress/op_mul-VarConst.js:
3156         * stress/op_mul-VarVar.js:
3157         * stress/op_rshift-ConstVar.js:
3158         * stress/op_rshift-VarConst.js:
3159         * stress/op_rshift-VarVar.js:
3160         * stress/op_sub-ConstVar.js:
3161         * stress/op_sub-VarConst.js:
3162         * stress/op_sub-VarVar.js:
3163         * stress/op_urshift-ConstVar.js:
3164         * stress/op_urshift-VarConst.js:
3165         * stress/op_urshift-VarVar.js:
3166         * stress/proxy-get-set-correct-receiver.js:
3167         * stress/regress-179562.js:
3168         * stress/rest-parameter-many-arguments.js:
3169         * stress/sampling-profiler-richards.js:
3170         * stress/splay-flash-access-1ms.js:
3171         * stress/tailCallForwardArguments.js:
3172         * stress/typed-array-get-by-val-profiling.js:
3173         * typeProfiler/getter-richards.js:
3174
3175 2018-11-06  Michael Saboff  <msaboff@apple.com>
3176
3177         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3178         https://bugs.webkit.org/show_bug.cgi?id=191271
3179
3180         Reviewed by Saam Barati.
3181
3182         Added more test cases and made all test cases run with the same deeply recursive stack
3183         instead of finding that same point for each test case.
3184
3185         * stress/regexp-compile-oom.js:
3186         (prototype.runTest):
3187         (recurseAndTest):
3188         (testList.push.new.TestAndExpectedException):
3189
3190 2018-11-05  Michael Saboff  <msaboff@apple.com>
3191
3192         Unreviewed build fix for linux.
3193
3194         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3195
3196 2018-11-02  Michael Saboff  <msaboff@apple.com>
3197
3198         Rolling in r237753 with unreviewed build fix.
3199
3200         Fixed issues with DECLARE_THROW_SCOPE placement.
3201
3202 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3203
3204         Unreviewed, rolling out r237753.
3205
3206         Introduced JSC test failures
3207
3208         Reverted changeset:
3209
3210         "Running out of stack space not properly handled in
3211         RegExp::compile() and its callers"
3212         https://bugs.webkit.org/show_bug.cgi?id=191206
3213         https://trac.webkit.org/changeset/237753
3214
3215 2018-11-02  Michael Saboff  <msaboff@apple.com>
3216
3217         Running out of stack space not properly handled in RegExp::compile() and its callers
3218         https://bugs.webkit.org/show_bug.cgi?id=191206
3219
3220         Reviewed by Filip Pizlo.
3221
3222         New regression test.
3223
3224         * stress/regexp-compile-oom.js: Added.
3225         (recurseAndTest):
3226
3227 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3228
3229         Skip tests on arm/mips that time out now we're running on CLoop
3230
3231         Unreviewed gardening.
3232
3233         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3234         time out on the bots and need to be disabled. There's more tests
3235         disabled on arm because the timeout is longer on the mips bot (as the
3236         device is slower to start with), so many of the tests don't time out
3237         there.
3238
3239         * microbenchmarks/getter-richards.js: disable on arm and mips.
3240         * stress/op_add.js: disable on arm.
3241         * stress/op_bitand.js: disable on arm.
3242         * stress/op_bitor.js: disable on arm.
3243         * stress/op_bitxor.js: disable on arm.
3244         * stress/op_lshift-ConstVar.js: disable on arm.
3245         * stress/op_lshift-VarConst.js: disable on arm.
3246         * stress/op_lshift-VarVar.js: disable on arm.
3247         * stress/op_mod-ConstVar.js: disable on arm.
3248         * stress/op_mod-VarConst.js: disable on arm.
3249         * stress/op_mod-VarVar.js: disable on arm.
3250         * stress/op_mul-ConstVar.js: disable on arm.
3251         * stress/op_mul-VarConst.js: disable on arm.
3252         * stress/op_mul-VarVar.js: disable on arm.
3253         * stress/op_rshift-ConstVar.js: disable on arm.
3254         * stress/op_rshift-VarConst.js: disable on arm.
3255         * stress/op_rshift-VarVar.js: disable on arm.
3256         * stress/op_sub-ConstVar.js: disable on arm.
3257         * stress/op_sub-VarConst.js: disable on arm.
3258         * stress/op_sub-VarVar.js: disable on arm.
3259         * stress/op_urshift-ConstVar.js: disable on arm.
3260         * stress/op_urshift-VarConst.js: disable on arm.
3261         * stress/op_urshift-VarVar.js: disable on arm.
3262         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3263         * stress/value-to-boolean.js: disable on arm and mips.
3264
3265 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3266
3267         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3268         https://bugs.webkit.org/show_bug.cgi?id=191108
3269         <rdar://problem/45690700>
3270
3271         Reviewed by Saam Barati.
3272
3273         * stress/wide-op_catch.js: Added.
3274         (catch):
3275
3276 2018-10-29  Mark Lam  <mark.lam@apple.com>
3277
3278         Correctly detect string overflow when using the 'Function' constructor.
3279         https://bugs.webkit.org/show_bug.cgi?id=184883
3280         <rdar://problem/36320331>
3281
3282         Reviewed by Saam Barati.
3283
3284         I've verified that this passes on 32-bit as well.
3285
3286         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3287
3288 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3289
3290         Add support for GetStack FlushedDouble
3291         https://bugs.webkit.org/show_bug.cgi?id=191012
3292         <rdar://problem/45265141>
3293
3294         Reviewed by Saam Barati.
3295
3296         * stress/get-stack-double.js: Added.
3297         (bar):
3298         (noInline):
3299
3300 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3301
3302         New bytecode format for JSC
3303         https://bugs.webkit.org/show_bug.cgi?id=187373
3304         <rdar://problem/44186758>
3305
3306         Reviewed by Filip Pizlo.
3307
3308         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3309
3310         * stress/maximum-inline-capacity.js: Added.
3311         (test1):
3312         (test3.Foo):
3313         (test3):
3314
3315 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3316
3317         Unreviewed, rolling out r237479 and r237484.
3318         https://bugs.webkit.org/show_bug.cgi?id=190978
3319
3320         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3321
3322         Reverted changesets:
3323
3324         "New bytecode format for JSC"
3325         https://bugs.webkit.org/show_bug.cgi?id=187373
3326         https://trac.webkit.org/changeset/237479
3327
3328         "Gardening: Build fix after r237479."
3329         https://bugs.webkit.org/show_bug.cgi?id=187373
3330         https://trac.webkit.org/changeset/237484
3331
3332 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3333
3334         New bytecode format for JSC
3335         https://bugs.webkit.org/show_bug.cgi?id=187373
3336         <rdar://problem/44186758>
3337
3338         Reviewed by Filip Pizlo.
3339
3340         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3341
3342         * stress/maximum-inline-capacity.js: Added.
3343         (test1):
3344         (test3.Foo):
3345         (test3):
3346
3347 2018-10-26  Mark Lam  <mark.lam@apple.com>
3348
3349         Fix missing edge cases with JSGlobalObjects having a bad time.
3350         https://bugs.webkit.org/show_bug.cgi?id=189028
3351         <rdar://problem/45204939>
3352
3353         Reviewed by Saam Barati.
3354
3355         * stress/regress-189028.js: Added.
3356
3357 2018-10-22  Mark Lam  <mark.lam@apple.com>
3358
3359         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3360         https://bugs.webkit.org/show_bug.cgi?id=190515
3361         <rdar://problem/45222379>
3362
3363         Rubber-stamped by Saam Barati.
3364
3365         Adding another test.
3366
3367         * stress/regress-190515-2.js: Added.
3368
3369 2018-10-22  Mark Lam  <mark.lam@apple.com>
3370
3371         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3372         https://bugs.webkit.org/show_bug.cgi?id=190515
3373         <rdar://problem/45222379>
3374
3375         Reviewed by Saam Barati.
3376
3377         * stress/regress-190515.js: Added.
3378
3379 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3380
3381         Unreviewed, rolling out r237254.
3382         https://bugs.webkit.org/show_bug.cgi?id=190760
3383
3384         "It regresses JetStream 2 by 5% on some iOS devices"
3385         (Requested by saamyjoon on #webkit).
3386
3387         Reverted changeset:
3388
3389         "[JSC] JSC should have "parseFunction" to optimize Function
3390         constructor"
3391         https://bugs.webkit.org/show_bug.cgi?id=190340
3392         https://trac.webkit.org/changeset/237254
3393
3394 2018-10-19  Saam Barati  <sbarati@apple.com>
3395
3396         vmCall should check if we exit before emitting an OSR exit due to exceptions
3397         https://bugs.webkit.org/show_bug.cgi?id=190740
3398         <rdar://problem/45220139>
3399
3400         Reviewed by Mark Lam.
3401
3402         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3403         (foo):
3404
3405 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3406
3407         [ESNext][BigInt] Implement support for "^"
3408         https://bugs.webkit.org/show_bug.cgi?id=186235
3409
3410         Reviewed by Yusuke Suzuki.
3411
3412         * stress/big-int-bitwise-xor-general.js: Added.
3413         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3414         * stress/big-int-bitwise-xor-type-error.js: Added.
3415         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3416
3417 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3418
3419         [BigInt] Add ValueSub into DFG
3420         https://bugs.webkit.org/show_bug.cgi?id=186176
3421
3422         Reviewed by Yusuke Suzuki.
3423
3424         * stress/big-int-subtraction-jit.js:
3425         * stress/value-sub-big-int-prediction-propagation.js: Added.
3426         * stress/value-sub-big-int-untyped.js: Added.
3427         * stress/value-sub-spec-none-case.js: Added.
3428
3429 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3430
3431         [JSC] JSC should have "parseFunction" to optimize Function constructor
3432         https://bugs.webkit.org/show_bug.cgi?id=190340
3433
3434         Reviewed by Mark Lam.
3435
3436         This patch fixes the line number of syntax errors raised by the Function constructor,
3437         since we now parse the final code only once. And we no longer use block statement
3438         for Function constructor's parsing.
3439
3440         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3441         * stress/function-cache-with-parameters-end-position.js: Added.
3442         (shouldBe):
3443         (shouldThrow):
3444         (i.anonymous):
3445         * stress/function-constructor-name.js: Added.
3446         (shouldBe):
3447         (GeneratorFunction):
3448         (AsyncFunction.async):
3449         (AsyncGeneratorFunction.async):
3450         (anonymous):
3451         (async.anonymous):
3452         * test262/expectations.yaml:
3453
3454 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3455
3456         Unreviewed, rolling out r237242.
3457         https://bugs.webkit.org/show_bug.cgi?id=190701
3458
3459         it breaks "stress/sampling-profiler-basic.js" (Requested by
3460         caiolima on #webkit).
3461
3462         Reverted changeset:
3463
3464         "[BigInt] Add ValueSub into DFG"
3465         https://bugs.webkit.org/show_bug.cgi?id=186176
3466         https://trac.webkit.org/changeset/237242
3467
3468 2018-10-17  Keith Miller  <keith_miller@apple.com>
3469
3470         AI does not clear Phantom allocation nodes.
3471         https://bugs.webkit.org/show_bug.cgi?id=190694
3472
3473         Reviewed by Saam Barati.
3474
3475         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3476         (Day):
3477         (DaysInYear):
3478         (TimeInYear):
3479         (TimeFromYear):
3480         (DayFromYear):
3481         (InLeapYear):
3482         (YearFromTime):
3483         (WeekDay):
3484         (DaylightSavingTA):
3485         (GetSecondSundayInMarch):
3486         (TimeInMonth):
3487
3488 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3489
3490         [BigInt] Add ValueSub into DFG
3491         https://bugs.webkit.org/show_bug.cgi?id=186176
3492
3493         Reviewed by Yusuke Suzuki.
3494
3495         * stress/big-int-subtraction-jit.js:
3496         * stress/value-sub-big-int-prediction-propagation.js: Added.
3497         * stress/value-sub-big-int-untyped.js: Added.
3498
3499 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3500
3501         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3502         https://bugs.webkit.org/show_bug.cgi?id=190611
3503
3504         Reviewed by Saam Barati.
3505
3506         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3507         to improve test runtime. On ARM/MIPS this test even timed out when running all
3508         tests.
3509
3510         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3511         (test):
3512
3513 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3514
3515         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3516
3517         Unreviewed gardening.
3518
3519         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3520
3521 2018-10-15  Saam barati  <sbarati@apple.com>
3522
3523         Emit fjcvtzs on ARM64E on Darwin
3524         https://bugs.webkit.org/show_bug.cgi?id=184023
3525
3526         Reviewed by Yusuke Suzuki and Filip Pizlo.
3527
3528         * stress/double-to-int32-NaN.js: Added.
3529         (assert):
3530         (foo):
3531
3532 2018-10-15  Saam Barati  <sbarati@apple.com>
3533
3534         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3535         https://bugs.webkit.org/show_bug.cgi?id=190262
3536         <rdar://problem/44986241>
3537
3538         Reviewed by Mark Lam.
3539
3540         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3541         (test):
3542         * stress/slice-array-storage-with-holes.js: Added.
3543         (main):
3544
3545 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3546
3547         Unreviewed, rolling out r237054.
3548         https://bugs.webkit.org/show_bug.cgi?id=190593
3549
3550         "this regressed JetStream 2 by 6% on iOS" (Requested by
3551         saamyjoon on #webkit).
3552
3553         Reverted changeset:
3554
3555         "[JSC] JSC should have "parseFunction" to optimize Function
3556         constructor"
3557         https://bugs.webkit.org/show_bug.cgi?id=190340
3558         https://trac.webkit.org/changeset/237054
3559
3560 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3561
3562         [JSC] JSON.stringify can accept call-with-no-arguments
3563         https://bugs.webkit.org/show_bug.cgi?id=190343
3564
3565         Reviewed by Mark Lam.
3566
3567         * stress/json-stringify-no-arguments.js: Added.
3568         (shouldBe):
3569
3570 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3571
3572         [JSC] JSC should have "parseFunction" to optimize Function constructor
3573         https://bugs.webkit.org/show_bug.cgi?id=190340
3574
3575         Reviewed by Mark Lam.
3576
3577         This patch fixes the line number of syntax errors raised by the Function constructor,
3578         since we now parse the final code only once. And we no longer use block statement
3579         for Function constructor's parsing.
3580
3581         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3582         * stress/function-cache-with-parameters-end-position.js: Added.
3583         (shouldBe):
3584         (shouldThrow):
3585         (i.anonymous):
3586         * stress/function-constructor-name.js: Added.
3587         (shouldBe):
3588         (GeneratorFunction):
3589         (AsyncFunction.async):
3590         (AsyncGeneratorFunction.async):
3591         (anonymous):
3592         (async.anonymous):
3593         * test262/expectations.yaml:
3594
3595 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3596
3597         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3598         https://bugs.webkit.org/show_bug.cgi?id=190426
3599
3600         Unreviewed gardening.
3601
3602         * stress/sampling-profiler-richards.js:
3603
3604 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3605
3606         [ESNext][BigInt] Implement support for "|"
3607         https://bugs.webkit.org/show_bug.cgi?id=186229
3608
3609         Reviewed by Yusuke Suzuki.
3610
3611         * stress/big-int-bitwise-and-jit.js:
3612         * stress/big-int-bitwise-or-general.js: Added.
3613         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3614         * stress/big-int-bitwise-or-jit.js: Added.
3615         * stress/big-int-bitwise-or-memory-stress.js: Added.
3616         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3617         * stress/big-int-bitwise-or-type-error.js: Added.
3618         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3619
3620 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3621
3622         Skip test on systems with limited memory
3623         https://bugs.webkit.org/show_bug.cgi?id=190310
3624
3625         Invoking runDefault adds test to runlist, skipping the test in the next
3626         line does not prevent the test from executing. Change order of lines such
3627         that runDefault is only executed if test is not executed.
3628
3629         Reviewed by Mark Lam.
3630
3631         * stress/regress-190187.js:
3632
3633 2018-10-03  Saam barati  <sbarati@apple.com>
3634
3635         lowXYZ in FTLLower should always filter the type of the incoming edge
3636         https://bugs.webkit.org/show_bug.cgi?id=189939
3637         <rdar://problem/44407030>
3638
3639         Reviewed by Michael Saboff.
3640
3641         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3642         (foo):
3643         (test):
3644
3645 2018-10-03  Mark Lam  <mark.lam@apple.com>
3646
3647         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3648         https://bugs.webkit.org/show_bug.cgi?id=190187
3649         <rdar://problem/42512909>
3650
3651         Reviewed by Michael Saboff.
3652
3653         * stress/regress-190187.js: Added.
3654
3655 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3656
3657         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3658         https://bugs.webkit.org/show_bug.cgi?id=190033
3659
3660         Reviewed by Yusuke Suzuki.
3661
3662         * stress/big-int-to-string.js:
3663
3664 2018-10-01  Mark Lam  <mark.lam@apple.com>
3665
3666         Function.toString() should also copy the source code Functions that are class definitions.
3667         https://bugs.webkit.org/show_bug.cgi?id=190186
3668         <rdar://problem/44733360>
3669
3670         Reviewed by Saam Barati.
3671
3672         * stress/regress-190186.js: Added.
3673
3674 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3675
3676         Split NaN-check into separate test
3677         https://bugs.webkit.org/show_bug.cgi?id=190010
3678
3679         Reviewed by Saam Barati.
3680
3681         DataView exposes NaN-representation, which is not necessarily the same on each
3682         architecture. Therefore move the check of the NaN-representation into its own
3683         file such that we can disable this test on MIPS where NaN-representation can be
3684         different on older CPUs.
3685
3686         * stress/dataview-jit-set-nan.js: Added.
3687         (assert):
3688         (test.storeLittleEndian):
3689         (test.storeBigEndian):
3690         (test.store):
3691         (test):
3692         * stress/dataview-jit-set.js:
3693         (test5):
3694
3695 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3696
3697         Unreviewed, rolling out r236647.
3698         https://bugs.webkit.org/show_bug.cgi?id=190124
3699
3700         Breaking test stress/big-int-to-string.js (Requested by
3701         caiolima_ on #webkit).
3702
3703         Reverted changeset:
3704
3705         "[BigInt] BigInt.proptotype.toString is broken when radix is
3706         power of 2"
3707         https://bugs.webkit.org/show_bug.cgi?id=190033
3708         https://trac.webkit.org/changeset/236647
3709
3710 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3711
3712         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3713         https://bugs.webkit.org/show_bug.cgi?id=190033
3714
3715         Reviewed by Yusuke Suzuki.
3716
3717         * stress/big-int-to-string.js:
3718
3719 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3720
3721         [ESNext][BigInt] Implement support for "&"
3722         https://bugs.webkit.org/show_bug.cgi?id=186228
3723
3724         Reviewed by Yusuke Suzuki.
3725
3726         * stress/big-int-bitwise-and-general.js: Added.
3727         (assert):
3728         (assert.sameValue):
3729         * stress/big-int-bitwise-and-jit.js: Added.
3730         (let.assert.sameValue):
3731         (bigIntBitAnd):
3732         * stress/big-int-bitwise-and-memory-stress.js: Added.
3733         (assert):
3734         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3735         (assert.sameValue):
3736         (let.o.Symbol.toPrimitive):
3737         (catch):
3738         * stress/big-int-bitwise-and-type-error.js: Added.
3739         (assert):
3740         (assertThrowTypeError):
3741         (let.o.valueOf):
3742         (o.valueOf):
3743         (o.toString):
3744         (o.Symbol.toPrimitive):
3745         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3746         (assert.sameValue):
3747         (testBitAnd):
3748         (let.o.Symbol.toPrimitive):
3749         (o.valueOf):
3750         (o.toString):
3751
3752 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3753
3754         JSC test stress/jsc-read.js doesn't support CRLF
3755         https://bugs.webkit.org/show_bug.cgi?id=190063
3756
3757         Reviewed by Yusuke Suzuki.
3758
3759         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3760
3761         * stress/jsc-read.js:
3762         (test):
3763
3764 2018-09-27  Saam barati  <sbarati@apple.com>
3765
3766         Verify the contents of AssemblerBuffer on arm64e
3767         https://bugs.webkit.org/show_bug.cgi?id=190057
3768         <rdar://problem/38916630>
3769
3770         Reviewed by Mark Lam.
3771
3772         * stress/regress-189132.js:
3773
3774 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3775
3776         Disable test without LLInt on ARMv7
3777         https://bugs.webkit.org/show_bug.cgi?id=190037
3778
3779         Reviewed by Mark Lam.
3780
3781         Test runs out of executable memory on ARMv7, do not run
3782         this test without LLInt enabled.
3783
3784         * stress/regress-169445.js:
3785
3786 2018-09-26  Keith Miller  <keith_miller@apple.com>
3787
3788         We should zero unused property storage when rebalancing array storage.
3789         https://bugs.webkit.org/show_bug.cgi?id=188151
3790
3791         Reviewed by Michael Saboff.
3792
3793         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3794
3795 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3796
3797         [JSC] Optimize Array#lastIndexOf
3798         https://bugs.webkit.org/show_bug.cgi?id=189780
3799
3800         Reviewed by Saam Barati.
3801
3802         * stress/array-lastindexof-array-prototype-trap.js: Added.
3803         (shouldBe):
3804         (AncestorArray.prototype.get 2):
3805         (AncestorArray):
3806         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3807         (shouldBe):
3808         * stress/array-lastindexof-hole-nan.js: Added.
3809         (shouldBe):
3810         (throw.new.Error):
3811         * stress/array-lastindexof-infinity.js: Added.
3812         (shouldBe):
3813         (throw.new.Error):
3814         * stress/array-lastindexof-negative-zero.js: Added.
3815         (shouldBe):
3816         (throw.new.Error):
3817         * stress/array-lastindexof-own-getter.js: Added.
3818         (shouldBe):
3819         (throw.new.Error.get array):
3820         (get array):
3821         * stress/array-lastindexof-prototype-trap.js: Added.
3822         (shouldBe):
3823         (DerivedArray.prototype.get 2):
3824         (DerivedArray):
3825
3826 2018-09-25  Saam Barati  <sbarati@apple.com>
3827
3828         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3829         https://bugs.webkit.org/show_bug.cgi?id=189940
3830         <rdar://problem/43640987>
3831
3832         Reviewed by Mark Lam.
3833
3834         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3835
3836 2018-09-24  Saam Barati  <sbarati@apple.com>
3837
3838         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3839         https://bugs.webkit.org/show_bug.cgi?id=189922
3840         <rdar://problem/44651275>
3841
3842         Reviewed by Mark Lam.
3843
3844         * stress/array-indexof-fast-path-effects.js: Added.
3845         * stress/array-indexof-cached-length.js: Added.
3846
3847 2018-09-24  Saam barati  <sbarati@apple.com>
3848
3849         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3850         https://bugs.webkit.org/show_bug.cgi?id=189682
3851         <rdar://problem/43557315>
3852
3853         Reviewed by Mark Lam.
3854
3855         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3856         (foo):
3857
3858 2018-09-22  Saam barati  <sbarati@apple.com>
3859
3860         The sampling should not use Strong<CodeBlock> in its machineLocation field
3861         https://bugs.webkit.org/show_bug.cgi?id=189319
3862
3863         Reviewed by Filip Pizlo.
3864
3865         * stress/sampling-profiler-richards.js: Added.
3866
3867 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3868
3869         [JSC] Optimize Array#indexOf in C++ runtime
3870         https://bugs.webkit.org/show_bug.cgi?id=189507
3871
3872         Reviewed by Saam Barati.
3873
3874         * stress/array-indexof-array-prototype-trap.js: Added.
3875         (shouldBe):
3876         (AncestorArray.prototype.get 2):
3877         (AncestorArray):
3878         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3879         (shouldBe):
3880         * stress/array-indexof-hole-nan.js: Added.
3881         (shouldBe):
3882         (throw.new.Error):
3883         * stress/array-indexof-infinity.js: Added.
3884         (shouldBe):
3885         (throw.new.Error):
3886         * stress/array-indexof-negative-zero.js: Added.
3887         (shouldBe):
3888         (throw.new.Error):
3889         * stress/array-indexof-own-getter.js: Added.
3890         (shouldBe):
3891         (throw.new.Error.get array):
3892         (get array):
3893         * stress/array-indexof-prototype-trap.js: Added.
3894         (shouldBe):
3895         (DerivedArray.prototype.get 2):
3896         (DerivedArray):
3897
3898 2018-09-19  Saam barati  <sbarati@apple.com>
3899
3900         AI rule for MultiPutByOffset executes its effects in the wrong order
3901         https://bugs.webkit.org/show_bug.cgi?id=189757
3902         <rdar://problem/43535257>
3903
3904         Reviewed by Michael Saboff.
3905
3906         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3907         (foo):
3908         (Foo):
3909         (g):
3910
3911 2018-09-17  Mark Lam  <mark.lam@apple.com>
3912
3913         Ensure that ForInContexts are invalidated if their loop local is over-written.
3914         https://bugs.webkit.org/show_bug.cgi?id=189571
3915         <rdar://problem/44402277>
3916
3917         Reviewed by Saam Barati.
3918
3919         * stress/regress-189571.js: Added.
3920
3921 2018-09-17  Saam barati  <sbarati@apple.com>
3922
3923         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3924         https://bugs.webkit.org/show_bug.cgi?id=189676
3925         <rdar://problem/39682897>
3926
3927         Reviewed by Michael Saboff.
3928
3929         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3930         (A):
3931         (K):
3932         (i.catch):
3933
3934 2018-09-14  Saam barati  <sbarati@apple.com>
3935
3936         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3937         https://bugs.webkit.org/show_bug.cgi?id=189628
3938         <rdar://problem/39481690>
3939
3940         Reviewed by Mark Lam.
3941
3942         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3943         (foo):
3944
3945 2018-09-11  Mark Lam  <mark.lam@apple.com>
3946
3947         Test for array initialization in arrayProtoFuncSplice.
3948         https://bugs.webkit.org/show_bug.cgi?id=170253
3949         <rdar://problem/31328773>
3950
3951         Rubber-stamped by Saam Barati.
3952
3953         * stress/regress-170253.js: Added.
3954
3955 2018-09-11  Mark Lam  <mark.lam@apple.com>
3956
3957         Test for IntlObject initialization.
3958         https://bugs.webkit.org/show_bug.cgi?id=170251
3959         <rdar://problem/31328419>
3960
3961         Rubber-stamped by Saam Barati.
3962
3963         * stress/regress-170251.js: Added.
3964
3965 2018-09-11  Mark Lam  <mark.lam@apple.com>
3966
3967         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3968         https://bugs.webkit.org/show_bug.cgi?id=169889
3969         <rdar://problem/31155607>
3970
3971         Reviewed by Saam Barati.
3972
3973         * stress/regress-169889-array-concat.js: Added.
3974         * stress/regress-169889-array-concat1.js: Added.
3975         * stress/regress-169889-array-slice.js: Added.
3976
3977 2018-09-11  Mark Lam  <mark.lam@apple.com>
3978
3979         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3980         https://bugs.webkit.org/show_bug.cgi?id=169445
3981         <rdar://problem/30957435>
3982
3983         Reviewed by Saam Barati.
3984
3985         * stress/regress-169445.js: Added.
3986         (let.gun.eval.A):
3987         (let.gun.eval.B.C):
3988         (let.gun.eval.B.C.prototype.trigger):
3989         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3990         (let.gun.eval.B):
3991         (let.gun.eval):
3992
3993 == Rolled over to ChangeLog-2018-09-11 ==