[WebKit-https.git] / JSTests / ChangeLog
1 2018-12-17  Mark Lam  <mark.lam@apple.com>
2
3         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
4         https://bugs.webkit.org/show_bug.cgi?id=192779
5         <rdar://problem/46775869>
6
7         Reviewed by Saam Barati.
8
9         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
10
11 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
12
13         Unreviewed test gardening, address a syntax error in a new test.
14
15         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
16
17 2018-12-17  Mark Lam  <mark.lam@apple.com>
18
19         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
20         https://bugs.webkit.org/show_bug.cgi?id=192776
21         <rdar://problem/46772368>
22
23         Reviewed by Keith Miller.
24
25         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
26
27 2018-12-17  Mark Lam  <mark.lam@apple.com>
28
29         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
30         https://bugs.webkit.org/show_bug.cgi?id=192770
31         <rdar://problem/46449037>
32
33         Reviewed by Keith Miller.
34
35         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
36
37 2018-12-14  Mark Lam  <mark.lam@apple.com>
38
39         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
40         https://bugs.webkit.org/show_bug.cgi?id=192717
41         <rdar://problem/46660677>
42
43         Reviewed by Saam Barati.
44
45         * stress/regress-192717.js: Added.
46
47 2018-12-14  Commit Queue  <commit-queue@webkit.org>
48
49         Unreviewed, rolling out r239153, r239154, and r239155.
50         https://bugs.webkit.org/show_bug.cgi?id=192715
51
52         Caused flaky GC-related crashes seen with layout tests
53         (Requested by ryanhaddad on #webkit).
54
55         Reverted changesets:
56
57         "[JSC] Optimize Object.keys by caching own keys results in
58         StructureRareData"
59         https://bugs.webkit.org/show_bug.cgi?id=190047
60         https://trac.webkit.org/changeset/239153
61
62         "Unreviewed, build fix after r239153"
63         https://bugs.webkit.org/show_bug.cgi?id=190047
64         https://trac.webkit.org/changeset/239154
65
66         "Unreviewed, build fix after r239153, part 2"
67         https://bugs.webkit.org/show_bug.cgi?id=190047
68         https://trac.webkit.org/changeset/239155
69
70 2018-12-14  Keith Miller  <keith_miller@apple.com>
71
72         Callers of JSString::getIndex should check for OOM exceptions
73         https://bugs.webkit.org/show_bug.cgi?id=192709
74
75         Reviewed by Mark Lam.
76
77         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
78
79 2018-12-13  Mark Lam  <mark.lam@apple.com>
80
81         Add a missing exception check.
82         https://bugs.webkit.org/show_bug.cgi?id=192626
83         <rdar://problem/46662163>
84
85         Reviewed by Keith Miller.
86
87         * stress/regress-192626.js: Added.
88
89 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
90
91         [BigInt] Add ValueDiv into DFG
92         https://bugs.webkit.org/show_bug.cgi?id=186178
93
94         Reviewed by Yusuke Suzuki.
95
96         * stress/big-int-div-jit-osr.js: Added.
97         * stress/big-int-div-jit-untyped.js: Added.
98         * stress/value-div-fixup-int32-big-int.js: Added.
99
100 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
101
102         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
103         https://bugs.webkit.org/show_bug.cgi?id=190047
104
105         Reviewed by Keith Miller.
106
107         * stress/object-keys-cached-zero.js: Added.
108         (shouldBe):
109         (test):
110         * stress/object-keys-changed-attribute.js: Added.
111         (shouldBe):
112         (test):
113         * stress/object-keys-changed-index.js: Added.
114         (shouldBe):
115         (test):
116         * stress/object-keys-changed.js: Added.
117         (shouldBe):
118         (test):
119         * stress/object-keys-indexed-non-cache.js: Added.
120         (shouldBe):
121         (test):
122         * stress/object-keys-overrides-get-property-names.js: Added.
123         (shouldBe):
124         (test):
125         (noInline):
126
127 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
128
129         [DFG][FTL] Add NewSymbol
130         https://bugs.webkit.org/show_bug.cgi?id=192620
131
132         Reviewed by Saam Barati.
133
134         * microbenchmarks/symbol-creation.js: Added.
135         (test):
136         * stress/symbol-description-identity.js: Added.
137         (shouldBe):
138         (test):
139         * stress/symbol-identity.js: Added.
140         (shouldBe):
141         (test):
142         * stress/symbol-with-description-throw-error.js: Added.
143         (shouldBe):
144         (shouldThrow):
145         (test):
146         (object.toString):
147
148 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
149
150         [BigInt] Implement DFG/FTL typeof for BigInt
151         https://bugs.webkit.org/show_bug.cgi?id=192619
152
153         Reviewed by Keith Miller.
154
155         * stress/big-int-boolean-proven-type.js: Added.
156         (assert):
157         (bool):
158         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
159         (assert):
160         (typeOf):
161         (i.switch):
162         * stress/big-int-type-of-proven-type-non-constant.js: Added.
163         (assert):
164         (typeOf):
165         * stress/big-int-type-of.js:
166         (typeOf):
167         (func):
168
169 2018-12-10  Mark Lam  <mark.lam@apple.com>
170
171         PropertyAttribute needs a CustomValue bit.
172         https://bugs.webkit.org/show_bug.cgi?id=191993
173         <rdar://problem/46264467>
174
175         Reviewed by Saam Barati.
176
177         * stress/regress-191993.js: Added.
178
179 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
180
181         [BigInt] Add ValueMul into DFG
182         https://bugs.webkit.org/show_bug.cgi?id=186175
183
184         Reviewed by Yusuke Suzuki.
185
186         * stress/big-int-mul-jit-osr.js: Added.
187         * stress/big-int-mul-jit-untyped.js: Added.
188         * stress/value-mul-fixup-int32-big-int.js: Added.
189
190 2018-12-06  Keith Miller  <keith_miller@apple.com>
191
192         stress/big-wasm-memory tests failing on 32-bit JSC bot
193         https://bugs.webkit.org/show_bug.cgi?id=192020
194
195         Reviewed by Saam Barati.
196
197         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
198         the wasm stress tests if the WebAssembly object does not exist.
199
200         * stress/big-wasm-memory-grow-no-max.js:
201         (test.foo):
202         (test):
203         (foo): Deleted.
204         (catch): Deleted.
205         * stress/big-wasm-memory-grow.js:
206         (test.foo):
207         (test):
208         (foo): Deleted.
209         (catch): Deleted.
210         * stress/big-wasm-memory.js:
211         (test.foo):
212         (test):
213         (foo): Deleted.
214         (catch): Deleted.
215
216 2018-12-05  Mark Lam  <mark.lam@apple.com>
217
218         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
219         https://bugs.webkit.org/show_bug.cgi?id=192441
220         <rdar://problem/46480355>
221
222         Reviewed by Saam Barati.
223
224         * stress/regress-192441.js: Added.
225
226 2018-12-04  Mark Lam  <mark.lam@apple.com>
227
228         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
229         https://bugs.webkit.org/show_bug.cgi?id=192386
230         <rdar://problem/46445516>
231
232         Reviewed by Saam Barati.
233
234         * stress/regress-192386.js: Added.
235
236 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
237
238         [ESNext][BigInt] Support logic operations
239         https://bugs.webkit.org/show_bug.cgi?id=179903
240
241         Reviewed by Yusuke Suzuki.
242
243         * stress/big-int-branch-usage.js: Added.
244         * stress/big-int-logical-and.js: Added.
245         * stress/big-int-logical-not.js: Added.
246         * stress/big-int-logical-or.js: Added.
247
248 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
249
250         Unreviewed, rolling out r238833.
251
252         Breaks macOS and iOS debug builds.
253
254         Reverted changeset:
255
256         "[ESNext][BigInt] Support logic operations"
257         https://bugs.webkit.org/show_bug.cgi?id=179903
258         https://trac.webkit.org/changeset/238833
259
260 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
261
262         [ESNext][BigInt] Support logic operations
263         https://bugs.webkit.org/show_bug.cgi?id=179903
264
265         Reviewed by Yusuke Suzuki.
266
267         * stress/big-int-branch-usage.js: Added.
268         * stress/big-int-logical-and.js: Added.
269         * stress/big-int-logical-not.js: Added.
270         * stress/big-int-logical-or.js: Added.
271
272 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
273
274         [ESNext][BigInt] Implement support for "<<" and ">>"
275         https://bugs.webkit.org/show_bug.cgi?id=186233
276
277         Reviewed by Yusuke Suzuki.
278
279         * stress/big-int-left-shift-general.js: Added.
280         * stress/big-int-left-shift-range-error.js: Added.
281         * stress/big-int-left-shift-type-error.js: Added.
282         * stress/big-int-left-shift-wrapped-value.js: Added.
283         * stress/big-int-right-shift-general.js: Added.
284         * stress/big-int-right-shift-type-error.js: Added.
285         * stress/big-int-right-shift-wrapped-value.js: Added.
286         * stress/left-shift-to-primitive-precedence.js: Added.
287         * stress/right-shift-to-primitive-precedence.js: Added.
288
289 2018-11-30  Dean Jackson  <dino@apple.com>
290
291         Add first-class support for .mjs files in jsc binary
292         https://bugs.webkit.org/show_bug.cgi?id=192190
293         <rdar://problem/46375715>
294
295         Reviewed by Keith Miller.
296
297         * stress/simple-module.mjs: Added.
298         * stress/simple-script.js: Added.
299
300 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
301
302         [BigInt] Implement ValueBitXor into DFG
303         https://bugs.webkit.org/show_bug.cgi?id=190264
304
305         Reviewed by Yusuke Suzuki.
306
307         * stress/big-int-bitwise-xor-jit.js: Added.
308         * stress/big-int-bitwise-xor-memory-stress.js: Added.
309         * stress/big-int-bitwise-xor-untyped.js: Added.
310
311 2018-11-27  Saam barati  <sbarati@apple.com>
312
313         r238510 broke scopes of size zero
314         https://bugs.webkit.org/show_bug.cgi?id=192033
315         <rdar://problem/46281734>
316
317         Reviewed by Keith Miller.
318
319         * stress/r238510-bad-loop.js: Added.
320         (foo):
321
322 2018-11-27  Mark Lam  <mark.lam@apple.com>
323
324         [Re-landing] NaNs read from Wasm code needs to be purified.
325         https://bugs.webkit.org/show_bug.cgi?id=191056
326         <rdar://problem/45660341>
327
328         Reviewed by Filip Pizlo.
329
330         * wasm/regress/regress-191056.js: Added.
331
332 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
333
334         Unreviewed, rolling out r238509.
335
336         Causes JSC tests to fail on iOS.
337
338         Reverted changeset:
339
340         "NaNs read from Wasm code needs to be purified."
341         https://bugs.webkit.org/show_bug.cgi?id=191056
342         https://trac.webkit.org/changeset/238509
343
344 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
345
346         Re-introduce op_bitnot
347         https://bugs.webkit.org/show_bug.cgi?id=190923
348
349         Reviewed by Yusuke Suzuki.
350
351         * stress/bit-not-must-generate.js: Added.
352         * stress/bitwise-not-no-int32.js: Added.
353
354 2018-11-26  Saam barati  <sbarati@apple.com>
355
356         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
357         https://bugs.webkit.org/show_bug.cgi?id=191956
358         <rdar://problem/45665806>
359
360         Reviewed by Yusuke Suzuki.
361
362         * stress/end-basic-block-set-local-should-filter-type.js: Added.
363         (bar):
364         (foo):
365
366 2018-11-26  Saam barati  <sbarati@apple.com>
367
368         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
369         https://bugs.webkit.org/show_bug.cgi?id=191958
370         <rdar://problem/46221877>
371
372         Reviewed by Yusuke Suzuki.
373
374         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
375         (x):
376         (foo):
377
378 2018-11-26  Mark Lam  <mark.lam@apple.com>
379
380         NaNs read from Wasm code needs to be purified.
381         https://bugs.webkit.org/show_bug.cgi?id=191056
382         <rdar://problem/45660341>
383
384         Reviewed by Filip Pizlo.
385
386         * wasm/regress/regress-191056.js: Added.
387
388 2018-11-26  Michael Saboff  <msaboff@apple.com>
389
390         32-bit JSC test failure: stress/regexp-compile-oom.js
391         https://bugs.webkit.org/show_bug.cgi?id=191375
392
393         Reviewed by Mark Lam.
394
395         Disabled the test for 32 bit platforms.
396
397         * stress/regexp-compile-oom.js:
398
399 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
400
401         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
402         https://bugs.webkit.org/show_bug.cgi?id=191716
403         <rdar://problem/45723878>
404
405         Reviewed by Saam Barati.
406
407         * stress/regress-187373.js: Added.
408         (async.fn):
409
410 2018-11-21  Saam barati  <sbarati@apple.com>
411
412         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
413         https://bugs.webkit.org/show_bug.cgi?id=191897
414         <rdar://problem/45871998>
415
416         Reviewed by Mark Lam.
417
418         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
419         (bar):
420         (foo):
421
422 2018-11-21  Saam barati  <sbarati@apple.com>
423
424         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
425         https://bugs.webkit.org/show_bug.cgi?id=191895
426         <rdar://problem/46167406>
427
428         Reviewed by Mark Lam.
429
430         * stress/known-cell-use-needs-type-check-assertion.js: Added.
431         (foo):
432         (bar):
433
434 2018-11-21  Mark Lam  <mark.lam@apple.com>
435
436         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
437         https://bugs.webkit.org/show_bug.cgi?id=191776
438         <rdar://problem/46152851>
439
440         Reviewed by Saam Barati.
441
442         * stress/big-wasm-memory-grow-no-max.js:
443         * stress/big-wasm-memory-grow.js:
444         * stress/big-wasm-memory.js:
445         - updated these to expect an OutOfMemoryError.
446
447         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
448         (Binary.prototype.emit_u8):
449         (Binary.prototype.emit_u32v):
450         (Binary.prototype.emit_header):
451         (Binary.prototype.emit_section):
452         (Binary):
453         (WasmModuleBuilder):
454         (WasmModuleBuilder.prototype.addMemory):
455         (WasmModuleBuilder.prototype.toArray):
456         (WasmModuleBuilder.prototype.toBuffer):
457         (WasmModuleBuilder.prototype.instantiate):
458         (catch):
459         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
460         (catch):
461
462 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
463
464         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
465         https://bugs.webkit.org/show_bug.cgi?id=190836
466
467         Reviewed by Saam Barati and Yusuke Suzuki.
468
469         * stress/big-int-out-of-memory-tests.js: Added.
470
471 2018-11-20  Mark Lam  <mark.lam@apple.com>
472
473         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
474         https://bugs.webkit.org/show_bug.cgi?id=191856
475         <rdar://problem/46089992>
476
477         Reviewed by Yusuke Suzuki.
478
479         * stress/regress-191856.js: Added.
480         - this test is skipped for now until we have a fix for webkit.org/b/191855.
481
482 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
483
484         Enable JIT on ARM/Linux
485         https://bugs.webkit.org/show_bug.cgi?id=191548
486
487         Reviewed by Yusuke Suzuki.
488
489         Disable test on system with limited memory. Program was killed by
490         the OS before the exception was thrown.
491
492         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
493
494 2018-11-20  Saam barati  <sbarati@apple.com>
495
496         Merging an IC variant may lead to the IC status containing overlapping structure sets
497         https://bugs.webkit.org/show_bug.cgi?id=191869
498         <rdar://problem/45403453>
499
500         Reviewed by Mark Lam.
501
502         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
503
504 2018-11-19  Mark Lam  <mark.lam@apple.com>
505
506         globalFuncImportModule() should return a promise when it clears exceptions.
507         https://bugs.webkit.org/show_bug.cgi?id=191792
508         <rdar://problem/46090763>
509
510         Reviewed by Michael Saboff.
511
512         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
513
514 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
515
516         Skip new memory-hungry tests on memory limited devices
517
518         Unreviewed gardening.
519
520         * stress/big-wasm-memory-grow-no-max.js:
521         * stress/big-wasm-memory-grow.js:
522         * stress/big-wasm-memory.js:
523
524 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
525
526         Unreviewed, rolling in the rest of r237254
527         https://bugs.webkit.org/show_bug.cgi?id=190340
528
529         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
530         * stress/function-cache-with-parameters-end-position.js: Added.
531         (shouldBe):
532         (shouldThrow):
533         (i.anonymous):
534         * stress/function-constructor-name.js: Added.
535         (shouldBe):
536         (GeneratorFunction):
537         (AsyncFunction.async):
538         (AsyncGeneratorFunction.async):
539         (anonymous):
540         (async.anonymous):
541         * test262/expectations.yaml:
542
543 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
544
545         All users of ArrayBuffer should agree on the same max size
546         https://bugs.webkit.org/show_bug.cgi?id=191771
547
548         Reviewed by Mark Lam.
549
550         * stress/big-wasm-memory-grow-no-max.js: Added.
551         (foo):
552         (catch):
553         * stress/big-wasm-memory-grow.js: Added.
554         (foo):
555         (catch):
556         * stress/big-wasm-memory.js: Added.
557         (foo):
558         (catch):
559
560 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
561
562         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
563         run for each JSC config since they're regression tests for runtime bugs.
564
565         * stress/json-stringified-overflow-2.js:
566         * stress/json-stringified-overflow.js:
567
568 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
569
570         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
571         config since they're regression tests for runtime bugs.
572
573         * stress/large-unshift-splice.js:
574         * stress/regress-185888.js:
575
576 2018-11-16  Saam Barati  <sbarati@apple.com>
577
578         KnownCellUse should also have SpecCellCheck as its type filter
579         https://bugs.webkit.org/show_bug.cgi?id=191729
580         <rdar://problem/45872852>
581
582         Reviewed by Filip Pizlo.
583
584         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
585         (C):
586
587 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
588
589         Fix assertion failure on BytecodeGenerator::recordOpcode
590         https://bugs.webkit.org/show_bug.cgi?id=191724
591         <rdar://problem/45724395>
592
593         Reviewed by Saam Barati.
594
595         * stress/regress-187373-2.js: Added.
596         (foo):
597
598 2018-11-15  Mark Lam  <mark.lam@apple.com>
599
600         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
601         https://bugs.webkit.org/show_bug.cgi?id=191730
602         <rdar://problem/46048517>
603
604         Reviewed by Saam Barati.
605
606         * stress/regress-187006.js: Removed.
607           - this test is invalid because its sole purpose is to test for the non-spec
608             compliant behavior that we just fixed.
609
610         * stress/regress-191730.js: Added.
611
612 2018-11-15  Mark Lam  <mark.lam@apple.com>
613
614         RegExp operations should not take fast path if lastIndex is not numeric.
615         https://bugs.webkit.org/show_bug.cgi?id=191731
616         <rdar://problem/46017305>
617
618         Reviewed by Saam Barati.
619
620         * stress/regress-191731.js: Added.
621
622 2018-11-13  Saam Barati  <sbarati@apple.com>
623
624         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
625         https://bugs.webkit.org/show_bug.cgi?id=191600
626
627         Reviewed by Mark Lam.
628
629         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
630         (foo):
631         (test):
632         (bar):
633
634 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
635
636         Unreviewed, rolling out r238132.
637
638         The test added with this change is timing out on Debug JSC
639         bots.
640
641         Reverted changeset:
642
643         "[BigInt] JSBigInt::createWithLength should throw when length
644         is greater than JSBigInt::maxLength"
645         https://bugs.webkit.org/show_bug.cgi?id=190836
646         https://trac.webkit.org/changeset/238132
647
648 2018-11-13  Mark Lam  <mark.lam@apple.com>
649
650         Add OOM detection to StringPrototype's substituteBackreferences().
651         https://bugs.webkit.org/show_bug.cgi?id=191563
652         <rdar://problem/45720428>
653
654         Reviewed by Saam Barati.
655
656         * stress/regress-191563.js: Added.
657
658 2018-11-13  Mark Lam  <mark.lam@apple.com>
659
660         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
661         https://bugs.webkit.org/show_bug.cgi?id=191579
662         <rdar://problem/45942472>
663
664         Reviewed by Saam Barati.
665
666         * stress/regress-191579.js: Added.
667
668 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
669
670         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
671         https://bugs.webkit.org/show_bug.cgi?id=190836
672
673         Reviewed by Saam Barati.
674
675         * stress/big-int-out-of-memory-tests.js: Added.
676
677 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
678
679         U+180E is no longer a whitespace character
680         https://bugs.webkit.org/show_bug.cgi?id=191415
681
682         Reviewed by Saam Barati.
683
684         * ChakraCore/test/es5/regexSpace.baseline:
685         * ChakraCore/test/es6/unicode_whitespace.js:
686         Update tests to latest version.
687         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
688
689         * test262.yaml:
690         * test262/config.yaml:
691         * test262/expectations.yaml:
692         Update expectations.
693
694 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
695
696         [BigInt] Add support to BigInt into ValueAdd
697         https://bugs.webkit.org/show_bug.cgi?id=186177
698
699         Reviewed by Keith Miller.
700
701         * stress/big-int-negate-jit.js:
702         * stress/value-add-big-int-and-string.js: Added.
703         * stress/value-add-big-int-prediction-propagation.js: Added.
704         * stress/value-add-big-int-untyped.js: Added.
705
706 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
707
708         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
709         https://bugs.webkit.org/show_bug.cgi?id=191184
710
711         Reviewed by Saam Barati.
712
713         Most tests were failing due to timeouts, since they are too slow to
714         run on CLoop. The exceptions are:
715
716         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
717         dont-crash-on-stack-overflow-when-parsing-builtin.js and
718         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
719         to change the stack size since CLoop requires it to be page aligned.
720
721         * microbenchmarks/array-push-1.js:
722         * microbenchmarks/array-push-2.js:
723         * microbenchmarks/elidable-new-object-dag.js:
724         * microbenchmarks/elidable-new-object-roflcopter.js:
725         * microbenchmarks/elidable-new-object-tree.js:
726         * microbenchmarks/getter-richards.js:
727         * microbenchmarks/sinkable-new-object-dag.js:
728         * microbenchmarks/string-concat-long-convert.js:
729         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
730         * slowMicrobenchmarks/array-push-3.js:
731         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
732         * slowMicrobenchmarks/spread-small-array.js:
733         * slowMicrobenchmarks/undefined-property-access.js:
734         * stress/activation-sink-default-value-tdz-error.js:
735         * stress/activation-sink-default-value.js:
736         * stress/activation-sink-osrexit-default-value-tdz-error.js:
737         * stress/activation-sink-osrexit-default-value.js:
738         * stress/activation-sink-osrexit.js:
739         * stress/activation-sink.js:
740         * stress/allow-math-ic-b3-code-duplication.js:
741         * stress/array-push-multiple-int32.js:
742         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
743         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
744         * stress/arrowfunction-lexical-this-activation-sink.js:
745         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
746         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
747         * stress/elide-new-object-dag-then-exit.js:
748         * stress/materialize-regexp-cyclic.js:
749         * stress/new-regex-inline.js:
750         * stress/op_add.js:
751         * stress/op_bitand.js:
752         * stress/op_bitor.js:
753         * stress/op_bitxor.js:
754         * stress/op_div-ConstVar.js:
755         * stress/op_div-VarConst.js:
756         * stress/op_div-VarVar.js:
757         * stress/op_lshift-ConstVar.js:
758         * stress/op_lshift-VarConst.js:
759         * stress/op_lshift-VarVar.js:
760         * stress/op_mod-ConstVar.js:
761         * stress/op_mod-VarConst.js:
762         * stress/op_mod-VarVar.js:
763         * stress/op_mul-ConstVar.js:
764         * stress/op_mul-VarConst.js:
765         * stress/op_mul-VarVar.js:
766         * stress/op_rshift-ConstVar.js:
767         * stress/op_rshift-VarConst.js:
768         * stress/op_rshift-VarVar.js:
769         * stress/op_sub-ConstVar.js:
770         * stress/op_sub-VarConst.js:
771         * stress/op_sub-VarVar.js:
772         * stress/op_urshift-ConstVar.js:
773         * stress/op_urshift-VarConst.js:
774         * stress/op_urshift-VarVar.js:
775         * stress/proxy-get-set-correct-receiver.js:
776         * stress/regress-179562.js:
777         * stress/rest-parameter-many-arguments.js:
778         * stress/sampling-profiler-richards.js:
779         * stress/splay-flash-access-1ms.js:
780         * stress/tailCallForwardArguments.js:
781         * stress/typed-array-get-by-val-profiling.js:
782         * typeProfiler/getter-richards.js:
783
784 2018-11-06  Michael Saboff  <msaboff@apple.com>
785
786         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
787         https://bugs.webkit.org/show_bug.cgi?id=191271
788
789         Reviewed by Saam Barati.
790
791         Added more test cases and made all test cases run with the same deeply recursive stack
792         instead of finding that same point for each test case.
793
794         * stress/regexp-compile-oom.js:
795         (prototype.runTest):
796         (recurseAndTest):
797         (testList.push.new.TestAndExpectedException):
798
799 2018-11-05  Michael Saboff  <msaboff@apple.com>
800
801         Unreviewed build fix for linux.
802
803         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
804
805 2018-11-02  Michael Saboff  <msaboff@apple.com>
806
807         Rolling in r237753 with unreviewed build fix.
808
809         Fixed issues with DECLARE_THROW_SCOPE placement.
810
811 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
812
813         Unreviewed, rolling out r237753.
814
815         Introduced JSC test failures
816
817         Reverted changeset:
818
819         "Running out of stack space not properly handled in
820         RegExp::compile() and its callers"
821         https://bugs.webkit.org/show_bug.cgi?id=191206
822         https://trac.webkit.org/changeset/237753
823
824 2018-11-02  Michael Saboff  <msaboff@apple.com>
825
826         Running out of stack space not properly handled in RegExp::compile() and its callers
827         https://bugs.webkit.org/show_bug.cgi?id=191206
828
829         Reviewed by Filip Pizlo.
830
831         New regression test.
832
833         * stress/regexp-compile-oom.js: Added.
834         (recurseAndTest):
835
836 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
837
838         Skip tests on arm/mips that time out now we're running on CLoop
839
840         Unreviewed gardening.
841
842         Since the JIT is temporarily disabled on 32-bit platforms, these tests
843         time out on the bots and need to be disabled. There's more tests
844         disabled on arm because the timeout is longer on the mips bot (as the
845         device is slower to start with), so many of the tests don't time out
846         there.
847
848         * microbenchmarks/getter-richards.js: disable on arm and mips.
849         * stress/op_add.js: disable on arm.
850         * stress/op_bitand.js: disable on arm.
851         * stress/op_bitor.js: disable on arm.
852         * stress/op_bitxor.js: disable on arm.
853         * stress/op_lshift-ConstVar.js: disable on arm.
854         * stress/op_lshift-VarConst.js: disable on arm.
855         * stress/op_lshift-VarVar.js: disable on arm.
856         * stress/op_mod-ConstVar.js: disable on arm.
857         * stress/op_mod-VarConst.js: disable on arm.
858         * stress/op_mod-VarVar.js: disable on arm.
859         * stress/op_mul-ConstVar.js: disable on arm.
860         * stress/op_mul-VarConst.js: disable on arm.
861         * stress/op_mul-VarVar.js: disable on arm.
862         * stress/op_rshift-ConstVar.js: disable on arm.
863         * stress/op_rshift-VarConst.js: disable on arm.
864         * stress/op_rshift-VarVar.js: disable on arm.
865         * stress/op_sub-ConstVar.js: disable on arm.
866         * stress/op_sub-VarConst.js: disable on arm.
867         * stress/op_sub-VarVar.js: disable on arm.
868         * stress/op_urshift-ConstVar.js: disable on arm.
869         * stress/op_urshift-VarConst.js: disable on arm.
870         * stress/op_urshift-VarVar.js: disable on arm.
871         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
872         * stress/value-to-boolean.js: disable on arm and mips.
873
874 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
875
876         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
877         https://bugs.webkit.org/show_bug.cgi?id=191108
878         <rdar://problem/45690700>
879
880         Reviewed by Saam Barati.
881
882         * stress/wide-op_catch.js: Added.
883         (catch):
884
885 2018-10-29  Mark Lam  <mark.lam@apple.com>
886
887         Correctly detect string overflow when using the 'Function' constructor.
888         https://bugs.webkit.org/show_bug.cgi?id=184883
889         <rdar://problem/36320331>
890
891         Reviewed by Saam Barati.
892
893         I've verified that this passes on 32-bit as well.
894
895         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
896
897 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
898
899         Add support for GetStack FlushedDouble
900         https://bugs.webkit.org/show_bug.cgi?id=191012
901         <rdar://problem/45265141>
902
903         Reviewed by Saam Barati.
904
905         * stress/get-stack-double.js: Added.
906         (bar):
907         (noInline):
908
909 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
910
911         New bytecode format for JSC
912         https://bugs.webkit.org/show_bug.cgi?id=187373
913         <rdar://problem/44186758>
914
915         Reviewed by Filip Pizlo.
916
917         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
918
919         * stress/maximum-inline-capacity.js: Added.
920         (test1):
921         (test3.Foo):
922         (test3):
923
924 2018-10-26  Commit Queue  <commit-queue@webkit.org>
925
926         Unreviewed, rolling out r237479 and r237484.
927         https://bugs.webkit.org/show_bug.cgi?id=190978
928
929         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
930
931         Reverted changesets:
932
933         "New bytecode format for JSC"
934         https://bugs.webkit.org/show_bug.cgi?id=187373
935         https://trac.webkit.org/changeset/237479
936
937         "Gardening: Build fix after r237479."
938         https://bugs.webkit.org/show_bug.cgi?id=187373
939         https://trac.webkit.org/changeset/237484
940
941 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
942
943         New bytecode format for JSC
944         https://bugs.webkit.org/show_bug.cgi?id=187373
945         <rdar://problem/44186758>
946
947         Reviewed by Filip Pizlo.
948
949         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
950
951         * stress/maximum-inline-capacity.js: Added.
952         (test1):
953         (test3.Foo):
954         (test3):
955
956 2018-10-26  Mark Lam  <mark.lam@apple.com>
957
958         Fix missing edge cases with JSGlobalObjects having a bad time.
959         https://bugs.webkit.org/show_bug.cgi?id=189028
960         <rdar://problem/45204939>
961
962         Reviewed by Saam Barati.
963
964         * stress/regress-189028.js: Added.
965
966 2018-10-22  Mark Lam  <mark.lam@apple.com>
967
968         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
969         https://bugs.webkit.org/show_bug.cgi?id=190515
970         <rdar://problem/45222379>
971
972         Rubber-stamped by Saam Barati.
973
974         Adding another test.
975
976         * stress/regress-190515-2.js: Added.
977
978 2018-10-22  Mark Lam  <mark.lam@apple.com>
979
980         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
981         https://bugs.webkit.org/show_bug.cgi?id=190515
982         <rdar://problem/45222379>
983
984         Reviewed by Saam Barati.
985
986         * stress/regress-190515.js: Added.
987
988 2018-10-19  Commit Queue  <commit-queue@webkit.org>
989
990         Unreviewed, rolling out r237254.
991         https://bugs.webkit.org/show_bug.cgi?id=190760
992
993         "It regresses JetStream 2 by 5% on some iOS devices"
994         (Requested by saamyjoon on #webkit).
995
996         Reverted changeset:
997
998         "[JSC] JSC should have "parseFunction" to optimize Function
999         constructor"
1000         https://bugs.webkit.org/show_bug.cgi?id=190340
1001         https://trac.webkit.org/changeset/237254
1002
1003 2018-10-19  Saam Barati  <sbarati@apple.com>
1004
1005         vmCall should check if we exit before emitting an OSR exit due to exceptions
1006         https://bugs.webkit.org/show_bug.cgi?id=190740
1007         <rdar://problem/45220139>
1008
1009         Reviewed by Mark Lam.
1010
1011         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
1012         (foo):
1013
1014 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1015
1016         [ESNext][BigInt] Implement support for "^"
1017         https://bugs.webkit.org/show_bug.cgi?id=186235
1018
1019         Reviewed by Yusuke Suzuki.
1020
1021         * stress/big-int-bitwise-xor-general.js: Added.
1022         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
1023         * stress/big-int-bitwise-xor-type-error.js: Added.
1024         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
1025
1026 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
1027
1028         [BigInt] Add ValueSub into DFG
1029         https://bugs.webkit.org/show_bug.cgi?id=186176
1030
1031         Reviewed by Yusuke Suzuki.
1032
1033         * stress/big-int-subtraction-jit.js:
1034         * stress/value-sub-big-int-prediction-propagation.js: Added.
1035         * stress/value-sub-big-int-untyped.js: Added.
1036         * stress/value-sub-spec-none-case.js: Added.
1037
1038 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1039
1040         [JSC] JSC should have "parseFunction" to optimize Function constructor
1041         https://bugs.webkit.org/show_bug.cgi?id=190340
1042
1043         Reviewed by Mark Lam.
1044
1045         This patch fixes the line number of syntax errors raised by the Function constructor,
1046         since we now parse the final code only once. And we no longer use block statement
1047         for Function constructor's parsing.
1048
1049         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1050         * stress/function-cache-with-parameters-end-position.js: Added.
1051         (shouldBe):
1052         (shouldThrow):
1053         (i.anonymous):
1054         * stress/function-constructor-name.js: Added.
1055         (shouldBe):
1056         (GeneratorFunction):
1057         (AsyncFunction.async):
1058         (AsyncGeneratorFunction.async):
1059         (anonymous):
1060         (async.anonymous):
1061         * test262/expectations.yaml:
1062
1063 2018-10-18  Commit Queue  <commit-queue@webkit.org>
1064
1065         Unreviewed, rolling out r237242.
1066         https://bugs.webkit.org/show_bug.cgi?id=190701
1067
1068         it breaks "stress/sampling-profiler-basic.js" (Requested by
1069         caiolima on #webkit).
1070
1071         Reverted changeset:
1072
1073         "[BigInt] Add ValueSub into DFG"
1074         https://bugs.webkit.org/show_bug.cgi?id=186176
1075         https://trac.webkit.org/changeset/237242
1076
1077 2018-10-17  Keith Miller  <keith_miller@apple.com>
1078
1079         AI does not clear Phantom allocation nodes.
1080         https://bugs.webkit.org/show_bug.cgi?id=190694
1081
1082         Reviewed by Saam Barati.
1083
1084         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1085         (Day):
1086         (DaysInYear):
1087         (TimeInYear):
1088         (TimeFromYear):
1089         (DayFromYear):
1090         (InLeapYear):
1091         (YearFromTime):
1092         (WeekDay):
1093         (DaylightSavingTA):
1094         (GetSecondSundayInMarch):
1095         (TimeInMonth):
1096
1097 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1098
1099         [BigInt] Add ValueSub into DFG
1100         https://bugs.webkit.org/show_bug.cgi?id=186176
1101
1102         Reviewed by Yusuke Suzuki.
1103
1104         * stress/big-int-subtraction-jit.js:
1105         * stress/value-sub-big-int-prediction-propagation.js: Added.
1106         * stress/value-sub-big-int-untyped.js: Added.
1107
1108 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1109
1110         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1111         https://bugs.webkit.org/show_bug.cgi?id=190611
1112
1113         Reviewed by Saam Barati.
1114
1115         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1116         to improve test runtime. On ARM/MIPS this test even timed out when running all
1117         tests.
1118
1119         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1120         (test):
1121
1122 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1123
1124         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1125
1126         Unreviewed gardening.
1127
1128         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1129
1130 2018-10-15  Saam barati  <sbarati@apple.com>
1131
1132         Emit fjcvtzs on ARM64E on Darwin
1133         https://bugs.webkit.org/show_bug.cgi?id=184023
1134
1135         Reviewed by Yusuke Suzuki and Filip Pizlo.
1136
1137         * stress/double-to-int32-NaN.js: Added.
1138         (assert):
1139         (foo):
1140
1141 2018-10-15  Saam Barati  <sbarati@apple.com>
1142
1143         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1144         https://bugs.webkit.org/show_bug.cgi?id=190262
1145         <rdar://problem/44986241>
1146
1147         Reviewed by Mark Lam.
1148
1149         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1150         (test):
1151         * stress/slice-array-storage-with-holes.js: Added.
1152         (main):
1153
1154 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1155
1156         Unreviewed, rolling out r237054.
1157         https://bugs.webkit.org/show_bug.cgi?id=190593
1158
1159         "this regressed JetStream 2 by 6% on iOS" (Requested by
1160         saamyjoon on #webkit).
1161
1162         Reverted changeset:
1163
1164         "[JSC] JSC should have "parseFunction" to optimize Function
1165         constructor"
1166         https://bugs.webkit.org/show_bug.cgi?id=190340
1167         https://trac.webkit.org/changeset/237054
1168
1169 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1170
1171         [JSC] JSON.stringify can accept call-with-no-arguments
1172         https://bugs.webkit.org/show_bug.cgi?id=190343
1173
1174         Reviewed by Mark Lam.
1175
1176         * stress/json-stringify-no-arguments.js: Added.
1177         (shouldBe):
1178
1179 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1180
1181         [JSC] JSC should have "parseFunction" to optimize Function constructor
1182         https://bugs.webkit.org/show_bug.cgi?id=190340
1183
1184         Reviewed by Mark Lam.
1185
1186         This patch fixes the line number of syntax errors raised by the Function constructor,
1187         since we now parse the final code only once. And we no longer use block statement
1188         for Function constructor's parsing.
1189
1190         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1191         * stress/function-cache-with-parameters-end-position.js: Added.
1192         (shouldBe):
1193         (shouldThrow):
1194         (i.anonymous):
1195         * stress/function-constructor-name.js: Added.
1196         (shouldBe):
1197         (GeneratorFunction):
1198         (AsyncFunction.async):
1199         (AsyncGeneratorFunction.async):
1200         (anonymous):
1201         (async.anonymous):
1202         * test262/expectations.yaml:
1203
1204 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1205
1206         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1207         https://bugs.webkit.org/show_bug.cgi?id=190426
1208
1209         Unreviewed gardening.
1210
1211         * stress/sampling-profiler-richards.js:
1212
1213 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1214
1215         [ESNext][BigInt] Implement support for "|"
1216         https://bugs.webkit.org/show_bug.cgi?id=186229
1217
1218         Reviewed by Yusuke Suzuki.
1219
1220         * stress/big-int-bitwise-and-jit.js:
1221         * stress/big-int-bitwise-or-general.js: Added.
1222         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1223         * stress/big-int-bitwise-or-jit.js: Added.
1224         * stress/big-int-bitwise-or-memory-stress.js: Added.
1225         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1226         * stress/big-int-bitwise-or-type-error.js: Added.
1227         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1228
1229 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1230
1231         Skip test on systems with limited memory
1232         https://bugs.webkit.org/show_bug.cgi?id=190310
1233
1234         Invoking runDefault adds test to runlist, skipping the test in the next
1235         line does not prevent the test from executing. Change order of lines such
1236         that runDefault is only executed if test is not executed.
1237
1238         Reviewed by Mark Lam.
1239
1240         * stress/regress-190187.js:
1241
1242 2018-10-03  Saam barati  <sbarati@apple.com>
1243
1244         lowXYZ in FTLLower should always filter the type of the incoming edge
1245         https://bugs.webkit.org/show_bug.cgi?id=189939
1246         <rdar://problem/44407030>
1247
1248         Reviewed by Michael Saboff.
1249
1250         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1251         (foo):
1252         (test):
1253
1254 2018-10-03  Mark Lam  <mark.lam@apple.com>
1255
1256         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1257         https://bugs.webkit.org/show_bug.cgi?id=190187
1258         <rdar://problem/42512909>
1259
1260         Reviewed by Michael Saboff.
1261
1262         * stress/regress-190187.js: Added.
1263
1264 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1265
1266         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1267         https://bugs.webkit.org/show_bug.cgi?id=190033
1268
1269         Reviewed by Yusuke Suzuki.
1270
1271         * stress/big-int-to-string.js:
1272
1273 2018-10-01  Mark Lam  <mark.lam@apple.com>
1274
1275         Function.toString() should also copy the source code Functions that are class definitions.
1276         https://bugs.webkit.org/show_bug.cgi?id=190186
1277         <rdar://problem/44733360>
1278
1279         Reviewed by Saam Barati.
1280
1281         * stress/regress-190186.js: Added.
1282
1283 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1284
1285         Split NaN-check into separate test
1286         https://bugs.webkit.org/show_bug.cgi?id=190010
1287
1288         Reviewed by Saam Barati.
1289
1290         DataView exposes NaN-representation, which is not necessarily the same on each
1291         architecture. Therefore move the check of the NaN-representation into its own
1292         file such that we can disable this test on MIPS where NaN-representation can be
1293         different on older CPUs.
1294
1295         * stress/dataview-jit-set-nan.js: Added.
1296         (assert):
1297         (test.storeLittleEndian):
1298         (test.storeBigEndian):
1299         (test.store):
1300         (test):
1301         * stress/dataview-jit-set.js:
1302         (test5):
1303
1304 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1305
1306         Unreviewed, rolling out r236647.
1307         https://bugs.webkit.org/show_bug.cgi?id=190124
1308
1309         Breaking test stress/big-int-to-string.js (Requested by
1310         caiolima_ on #webkit).
1311
1312         Reverted changeset:
1313
1314         "[BigInt] BigInt.prototype.toString is broken when radix is
1315         power of 2"
1316         https://bugs.webkit.org/show_bug.cgi?id=190033
1317         https://trac.webkit.org/changeset/236647
1318
1319 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1320
1321         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1322         https://bugs.webkit.org/show_bug.cgi?id=190033
1323
1324         Reviewed by Yusuke Suzuki.
1325
1326         * stress/big-int-to-string.js:
1327
1328 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1329
1330         [ESNext][BigInt] Implement support for "&"
1331         https://bugs.webkit.org/show_bug.cgi?id=186228
1332
1333         Reviewed by Yusuke Suzuki.
1334
1335         * stress/big-int-bitwise-and-general.js: Added.
1336         (assert):
1337         (assert.sameValue):
1338         * stress/big-int-bitwise-and-jit.js: Added.
1339         (let.assert.sameValue):
1340         (bigIntBitAnd):
1341         * stress/big-int-bitwise-and-memory-stress.js: Added.
1342         (assert):
1343         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1344         (assert.sameValue):
1345         (let.o.Symbol.toPrimitive):
1346         (catch):
1347         * stress/big-int-bitwise-and-type-error.js: Added.
1348         (assert):
1349         (assertThrowTypeError):
1350         (let.o.valueOf):
1351         (o.valueOf):
1352         (o.toString):
1353         (o.Symbol.toPrimitive):
1354         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1355         (assert.sameValue):
1356         (testBitAnd):
1357         (let.o.Symbol.toPrimitive):
1358         (o.valueOf):
1359         (o.toString):
1360
1361 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1362
1363         JSC test stress/jsc-read.js doesn't support CRLF
1364         https://bugs.webkit.org/show_bug.cgi?id=190063
1365
1366         Reviewed by Yusuke Suzuki.
1367
1368         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1369
1370         * stress/jsc-read.js:
1371         (test):
1372
1373 2018-09-27  Saam barati  <sbarati@apple.com>
1374
1375         Verify the contents of AssemblerBuffer on arm64e
1376         https://bugs.webkit.org/show_bug.cgi?id=190057
1377         <rdar://problem/38916630>
1378
1379         Reviewed by Mark Lam.
1380
1381         * stress/regress-189132.js:
1382
1383 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1384
1385         Disable test without LLInt on ARMv7
1386         https://bugs.webkit.org/show_bug.cgi?id=190037
1387
1388         Reviewed by Mark Lam.
1389
1390         Test runs out of executable memory on ARMv7, do not run
1391         this test without LLInt enabled.
1392
1393         * stress/regress-169445.js:
1394
1395 2018-09-26  Keith Miller  <keith_miller@apple.com>
1396
1397         We should zero unused property storage when rebalancing array storage.
1398         https://bugs.webkit.org/show_bug.cgi?id=188151
1399
1400         Reviewed by Michael Saboff.
1401
1402         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1403
1404 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1405
1406         [JSC] Optimize Array#lastIndexOf
1407         https://bugs.webkit.org/show_bug.cgi?id=189780
1408
1409         Reviewed by Saam Barati.
1410
1411         * stress/array-lastindexof-array-prototype-trap.js: Added.
1412         (shouldBe):
1413         (AncestorArray.prototype.get 2):
1414         (AncestorArray):
1415         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1416         (shouldBe):
1417         * stress/array-lastindexof-hole-nan.js: Added.
1418         (shouldBe):
1419         (throw.new.Error):
1420         * stress/array-lastindexof-infinity.js: Added.
1421         (shouldBe):
1422         (throw.new.Error):
1423         * stress/array-lastindexof-negative-zero.js: Added.
1424         (shouldBe):
1425         (throw.new.Error):
1426         * stress/array-lastindexof-own-getter.js: Added.
1427         (shouldBe):
1428         (throw.new.Error.get array):
1429         (get array):
1430         * stress/array-lastindexof-prototype-trap.js: Added.
1431         (shouldBe):
1432         (DerivedArray.prototype.get 2):
1433         (DerivedArray):
1434
1435 2018-09-25  Saam Barati  <sbarati@apple.com>
1436
1437         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1438         https://bugs.webkit.org/show_bug.cgi?id=189940
1439         <rdar://problem/43640987>
1440
1441         Reviewed by Mark Lam.
1442
1443         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1444
1445 2018-09-24  Saam Barati  <sbarati@apple.com>
1446
1447         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1448         https://bugs.webkit.org/show_bug.cgi?id=189922
1449         <rdar://problem/44651275>
1450
1451         Reviewed by Mark Lam.
1452
1453         * stress/array-indexof-fast-path-effects.js: Added.
1454         * stress/array-indexof-cached-length.js: Added.
1455
1456 2018-09-24  Saam barati  <sbarati@apple.com>
1457
1458         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1459         https://bugs.webkit.org/show_bug.cgi?id=189682
1460         <rdar://problem/43557315>
1461
1462         Reviewed by Mark Lam.
1463
1464         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1465         (foo):
1466
1467 2018-09-22  Saam barati  <sbarati@apple.com>
1468
1469         The sampling should not use Strong<CodeBlock> in its machineLocation field
1470         https://bugs.webkit.org/show_bug.cgi?id=189319
1471
1472         Reviewed by Filip Pizlo.
1473
1474         * stress/sampling-profiler-richards.js: Added.
1475
1476 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1477
1478         [JSC] Optimize Array#indexOf in C++ runtime
1479         https://bugs.webkit.org/show_bug.cgi?id=189507
1480
1481         Reviewed by Saam Barati.
1482
1483         * stress/array-indexof-array-prototype-trap.js: Added.
1484         (shouldBe):
1485         (AncestorArray.prototype.get 2):
1486         (AncestorArray):
1487         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1488         (shouldBe):
1489         * stress/array-indexof-hole-nan.js: Added.
1490         (shouldBe):
1491         (throw.new.Error):
1492         * stress/array-indexof-infinity.js: Added.
1493         (shouldBe):
1494         (throw.new.Error):
1495         * stress/array-indexof-negative-zero.js: Added.
1496         (shouldBe):
1497         (throw.new.Error):
1498         * stress/array-indexof-own-getter.js: Added.
1499         (shouldBe):
1500         (throw.new.Error.get array):
1501         (get array):
1502         * stress/array-indexof-prototype-trap.js: Added.
1503         (shouldBe):
1504         (DerivedArray.prototype.get 2):
1505         (DerivedArray):
1506
1507 2018-09-19  Saam barati  <sbarati@apple.com>
1508
1509         AI rule for MultiPutByOffset executes its effects in the wrong order
1510         https://bugs.webkit.org/show_bug.cgi?id=189757
1511         <rdar://problem/43535257>
1512
1513         Reviewed by Michael Saboff.
1514
1515         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1516         (foo):
1517         (Foo):
1518         (g):
1519
1520 2018-09-17  Mark Lam  <mark.lam@apple.com>
1521
1522         Ensure that ForInContexts are invalidated if their loop local is over-written.
1523         https://bugs.webkit.org/show_bug.cgi?id=189571
1524         <rdar://problem/44402277>
1525
1526         Reviewed by Saam Barati.
1527
1528         * stress/regress-189571.js: Added.
1529
1530 2018-09-17  Saam barati  <sbarati@apple.com>
1531
1532         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1533         https://bugs.webkit.org/show_bug.cgi?id=189676
1534         <rdar://problem/39682897>
1535
1536         Reviewed by Michael Saboff.
1537
1538         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1539         (A):
1540         (K):
1541         (i.catch):
1542
1543 2018-09-14  Saam barati  <sbarati@apple.com>
1544
1545         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1546         https://bugs.webkit.org/show_bug.cgi?id=189628
1547         <rdar://problem/39481690>
1548
1549         Reviewed by Mark Lam.
1550
1551         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1552         (foo):
1553
1554 2018-09-11  Mark Lam  <mark.lam@apple.com>
1555
1556         Test for array initialization in arrayProtoFuncSplice.
1557         https://bugs.webkit.org/show_bug.cgi?id=170253
1558         <rdar://problem/31328773>
1559
1560         Rubber-stamped by Saam Barati.
1561
1562         * stress/regress-170253.js: Added.
1563
1564 2018-09-11  Mark Lam  <mark.lam@apple.com>
1565
1566         Test for IntlObject initialization.
1567         https://bugs.webkit.org/show_bug.cgi?id=170251
1568         <rdar://problem/31328419>
1569
1570         Rubber-stamped by Saam Barati.
1571
1572         * stress/regress-170251.js: Added.
1573
1574 2018-09-11  Mark Lam  <mark.lam@apple.com>
1575
1576         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1577         https://bugs.webkit.org/show_bug.cgi?id=169889
1578         <rdar://problem/31155607>
1579
1580         Reviewed by Saam Barati.
1581
1582         * stress/regress-169889-array-concat.js: Added.
1583         * stress/regress-169889-array-concat1.js: Added.
1584         * stress/regress-169889-array-slice.js: Added.
1585
1586 2018-09-11  Mark Lam  <mark.lam@apple.com>
1587
1588         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1589         https://bugs.webkit.org/show_bug.cgi?id=169445
1590         <rdar://problem/30957435>
1591
1592         Reviewed by Saam Barati.
1593
1594         * stress/regress-169445.js: Added.
1595         (let.gun.eval.A):
1596         (let.gun.eval.B.C):
1597         (let.gun.eval.B.C.prototype.trigger):
1598         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1599         (let.gun.eval.B):
1600         (let.gun.eval):
1601
1602 == Rolled over to ChangeLog-2018-09-11 ==