ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject...
[WebKit-https.git] / JSTests / ChangeLog
1 2019-05-01  Michael Saboff  <msaboff@apple.com>
2
3         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
4         https://bugs.webkit.org/show_bug.cgi?id=197485
5
6         Reviewed by Saam Barati.
7
8         New test.
9
10         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
11         (foo):
12
13 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
14
15         Unreviewed correction to Test262 expectations following r244828.
16
17         * test262/expectations.yaml:
18
19 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
20
21         Add memory-limited skipping to some tests generating very large strings
22         https://bugs.webkit.org/show_bug.cgi?id=197437
23
24         Reviewed by Ross Kirsling.
25
26         * stress/StringObject-define-length-getter-rope-string-oom.js:
27         * stress/create-error-out-of-memory-rope-string.js:
28         * stress/string-16bit-repeat-overflow.js:
29
30 2019-04-30  Commit Queue  <commit-queue@webkit.org>
31
32         Unreviewed, rolling out r244806.
33         https://bugs.webkit.org/show_bug.cgi?id=197446
34
35         Causing Test262 and JSC test failures on multiple builds
36         (Requested by ShawnRoberts on #webkit).
37
38         Reverted changeset:
39
40         "TypeArrays should not store properties that are canonical
41         numeric indices"
42         https://bugs.webkit.org/show_bug.cgi?id=197228
43         https://trac.webkit.org/changeset/244806
44
45 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
46
47         TypeArrays should not store properties that are canonical numeric indices
48         https://bugs.webkit.org/show_bug.cgi?id=197228
49         <rdar://problem/49557381>
50
51         Reviewed by Darin Adler.
52
53         * stress/typed-array-canonical-numeric-index-string.js: Added.
54         (makeTest.assert):
55         (makeTest):
56         (const.testInvalidIndices.makeTest.set assert):
57         (const.testInvalidIndices.makeTest):
58         (const.testValidIndices.makeTest.set assert):
59         (const.testValidIndices.makeTest):
60
61 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
62
63         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
64         https://bugs.webkit.org/show_bug.cgi?id=197362
65
66         Reviewed by Saam Barati.
67
68         * stress/map-with-nan.js: Added.
69         (shouldBe):
70         (div):
71         (NaN1):
72         (NaN2):
73         (NaN3):
74         (NaN4):
75         (NaN1NoInline):
76         (NaN2NoInline):
77         (NaN3NoInline):
78         (NaN4NoInline):
79         (test1):
80         (test2):
81         (test3):
82         (test4):
83         * stress/set-with-nan.js: Added.
84         (shouldBe):
85         (div):
86         (NaN1):
87         (NaN2):
88         (NaN3):
89         (NaN4):
90         (NaN1NoInline):
91         (NaN2NoInline):
92         (NaN3NoInline):
93         (NaN4NoInline):
94         (test2):
95         (test4):
96
97 2019-04-26  Commit Queue  <commit-queue@webkit.org>
98
99         Unreviewed, rolling out r244708.
100         https://bugs.webkit.org/show_bug.cgi?id=197334
101
102         "Broke the debug build" (Requested by rmorisset on #webkit).
103
104         Reverted changeset:
105
106         "All prototypes should call didBecomePrototype()"
107         https://bugs.webkit.org/show_bug.cgi?id=196315
108         https://trac.webkit.org/changeset/244708
109
110 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         [JSC] linkPolymorphicCall now does GC
113         https://bugs.webkit.org/show_bug.cgi?id=197306
114
115         Reviewed by Saam Barati.
116
117         * stress/link-polymorphic-call-can-gc.js: Added.
118         (module):
119         (instance):
120
121 2019-04-26  Robin Morisset  <rmorisset@apple.com>
122
123         All prototypes should call didBecomePrototype()
124         https://bugs.webkit.org/show_bug.cgi?id=196315
125
126         Reviewed by Saam Barati.
127
128         * stress/function-prototype-indexed-accessor.js: Added.
129
130 2019-04-23  Saam Barati  <sbarati@apple.com>
131
132         LICM incorrectly assumes it'll never insert a node which provably OSR exits
133         https://bugs.webkit.org/show_bug.cgi?id=196721
134         <rdar://problem/49556479> 
135
136         Reviewed by Filip Pizlo.
137
138         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
139         (foo):
140
141 2019-04-19  Saam Barati  <sbarati@apple.com>
142
143         AbstractValue can represent more than int52
144         https://bugs.webkit.org/show_bug.cgi?id=197118
145         <rdar://problem/49969960>
146
147         Reviewed by Michael Saboff.
148
149         * stress/abstract-value-can-include-int52.js: Added.
150         (foo):
151         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
152
153 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
154
155         [WTF] StringBuilder should set correct m_is8Bit flag when merging
156         https://bugs.webkit.org/show_bug.cgi?id=197053
157
158         Reviewed by Saam Barati.
159
160         * stress/merge-string-builder-in-dfg.js: Added.
161         (foo):
162
163 2019-04-16  Caitlin Potter  <caitp@igalia.com>
164
165         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
166         https://bugs.webkit.org/show_bug.cgi?id=176810
167
168         Reviewed by Saam Barati.
169
170         Add tests for the DontEnum filtering, and variations of other tests
171         take the DontEnum-filtering path.
172
173         * stress/proxy-own-keys.js:
174         (i.catch):
175         (set assert):
176         (set add):
177         (let.set new):
178         (get let):
179
180 2019-04-15  Saam barati  <sbarati@apple.com>
181
182         Modify how we do SetArgument when we inline varargs calls
183         https://bugs.webkit.org/show_bug.cgi?id=196712
184         <rdar://problem/49605012>
185
186         Reviewed by Michael Saboff.
187
188         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
189         (foo):
190
191 2019-04-15  Saam barati  <sbarati@apple.com>
192
193         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
194         https://bugs.webkit.org/show_bug.cgi?id=196945
195         <rdar://problem/49802750>
196
197         Reviewed by Filip Pizlo.
198
199         * stress/get-by-offset-should-use-correct-child.js: Added.
200         (foo.bar):
201         (foo):
202
203 2019-04-15  Robin Morisset  <rmorisset@apple.com>
204
205         DFG should be able to constant fold Object.create() with a constant prototype operand
206         https://bugs.webkit.org/show_bug.cgi?id=196886
207
208         Reviewed by Yusuke Suzuki.
209
210         Note that this new benchmark does not currently see a speedup with inlining removed.
211         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
212
213         * microbenchmarks/object-create-constant-prototype.js: Added.
214         (test):
215
216 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
217
218         Incremental bytecode cache should not append function updates when loaded from memory
219         https://bugs.webkit.org/show_bug.cgi?id=196865
220
221         Reviewed by Filip Pizlo.
222
223         * stress/bytecode-cache-shared-code-block.js: Added.
224         (b):
225         (program):
226
227 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
228
229         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
230         https://bugs.webkit.org/show_bug.cgi?id=196880
231
232         Reviewed by Yusuke Suzuki.
233
234         * stress/bytecode-cache-syntax-error.js: Added.
235         (catch):
236
237 2019-04-12  Saam barati  <sbarati@apple.com>
238
239         r244079 logically broke shouldSpeculateInt52
240         https://bugs.webkit.org/show_bug.cgi?id=196884
241
242         Reviewed by Yusuke Suzuki.
243
244         * microbenchmarks/int52-rand-function.js: Added.
245         (Math.random):
246
247 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
248
249         [JSC] op_has_indexed_property should not assume subscript part is Uint32
250         https://bugs.webkit.org/show_bug.cgi?id=196850
251
252         Reviewed by Saam Barati.
253
254         * stress/has-indexed-property-should-accept-non-int32.js: Added.
255         (foo):
256
257 2019-04-11  Saam barati  <sbarati@apple.com>
258
259         Remove invalid assertion in operationInstanceOfCustom
260         https://bugs.webkit.org/show_bug.cgi?id=196842
261         <rdar://problem/49725493>
262
263         Reviewed by Michael Saboff.
264
265         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
266
267 2019-04-10  Saam Barati  <sbarati@apple.com>
268
269         AbstractValue::validateOSREntryValue is wrong for Int52 constants
270         https://bugs.webkit.org/show_bug.cgi?id=196801
271         <rdar://problem/49771122>
272
273         Reviewed by Yusuke Suzuki.
274
275         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
276
277 2019-04-10  Robin Morisset  <rmorisset@apple.com>
278
279         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
280         https://bugs.webkit.org/show_bug.cgi?id=196746
281
282         Reviewed by Yusuke Suzuki.
283
284         * stress/cyclic-define-properties.js: Added.
285         (foo):
286
287 2019-04-09  Saam barati  <sbarati@apple.com>
288
289         Clean up Int52 code and some bugs in it
290         https://bugs.webkit.org/show_bug.cgi?id=196639
291         <rdar://problem/49515757>
292
293         Reviewed by Yusuke Suzuki.
294
295         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
296
297 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
298
299         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
300         https://bugs.webkit.org/show_bug.cgi?id=196708
301         <rdar://problem/49556803>
302
303         Reviewed by Yusuke Suzuki.
304
305         * stress/proxy-getter-stack-overflow.js: Added.
306         (const.handler.get target):
307         (const.handler.has):
308         (try.with):
309         (catch):
310
311 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         [JSC] DFG should respect node's strict flag
314         https://bugs.webkit.org/show_bug.cgi?id=196617
315
316         Reviewed by Saam Barati.
317
318         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
319         (shouldEqual):
320         (makeUnwriteableUnconfigurableObject):
321         (runTest):
322         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
323         (shouldBe):
324         (shouldThrow):
325         (with.result):
326         (with.putValueStrict):
327         (with.putValueSloppy):
328
329 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
330
331         [JSC] isRope jump in StringSlice should not jump over register allocations
332         https://bugs.webkit.org/show_bug.cgi?id=196716
333
334         Reviewed by Saam Barati.
335
336         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
337         (foo.bar):
338         (foo):
339
340 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
341
342         [JSC] to_index_string should not assume incoming value is Uint32
343         https://bugs.webkit.org/show_bug.cgi?id=196713
344
345         Reviewed by Saam Barati.
346
347         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
348         (foo):
349
350 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
351
352         [JSC] Add more tests for r243966
353         https://bugs.webkit.org/show_bug.cgi?id=196711
354
355         Reviewed by Saam Barati.
356
357         Adding one more test for r243966 fix. The added test will not crash after r243966.
358
359         * stress/stress-cleared-calllinkinfo.js: Added.
360         (runNearStackLimit.t):
361         (runNearStackLimit):
362         (repeat):
363         (cls):
364         (let.item.of.array.runNearStackLimit):
365
366 2019-04-08  Saam Barati  <sbarati@apple.com>
367
368         WebAssembly.RuntimeError missing exception check
369         https://bugs.webkit.org/show_bug.cgi?id=196700
370         <rdar://problem/49693932>
371
372         Reviewed by Yusuke Suzuki.
373
374         * wasm/js-api/runtime-error-should-exception-check.js: Added.
375
376 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
377
378         Unreviewed, rolling in r243948 with test fix
379         https://bugs.webkit.org/show_bug.cgi?id=196486
380
381         * stress/arrow-function-and-use-strict-directive.js: Added.
382         * stress/arrow-function-syntax.js: Added.
383         (checkSyntax):
384         (checkSyntaxError):
385
386 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
387
388         Unreviewed, rolling out r243948.
389
390         Caused inspector/runtime/parse.html to fail
391
392         Reverted changeset:
393
394         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
395         https://bugs.webkit.org/show_bug.cgi?id=196486
396         https://trac.webkit.org/changeset/243948
397
398 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
399
400         Unreviewed, rolling out r243943.
401
402         Caused test262 failures.
403
404         Reverted changeset:
405
406         "[JSC] Filter DontEnum properties in
407         ProxyObject::getOwnPropertyNames()"
408         https://bugs.webkit.org/show_bug.cgi?id=176810
409         https://trac.webkit.org/changeset/243943
410
411 2019-04-07  Michael Saboff  <msaboff@apple.com>
412
413         REGRESSION (r243642): Crash in reddit.com page
414         https://bugs.webkit.org/show_bug.cgi?id=196684
415
416         Reviewed by Geoffrey Garen.
417
418         New regression test.
419
420         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
421
422 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
423
424         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
425         https://bugs.webkit.org/show_bug.cgi?id=196683
426
427         Reviewed by Saam Barati.
428
429         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
430         (foo):
431
432 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
435         https://bugs.webkit.org/show_bug.cgi?id=196582
436
437         Reviewed by Saam Barati.
438
439         * stress/add-overflow-check-with-three-same-registers.js: Added.
440         (foo):
441         (Number.prototype.valueOf):
442         (runWithNumber):
443
444 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
445
446         Unreviewed, rolling out r243665.
447
448         Caused iOS JSC tests to exit with an exception.
449
450         Reverted changeset:
451
452         "Assertion failed in JSC::createError"
453         https://bugs.webkit.org/show_bug.cgi?id=196305
454         https://trac.webkit.org/changeset/243665
455
456 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
457
458         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
459         https://bugs.webkit.org/show_bug.cgi?id=196486
460
461         Reviewed by Saam Barati.
462
463         * stress/arrow-function-and-use-strict-directive.js: Added.
464         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
465         (checkSyntax):
466         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
467
468 2019-04-05  Caitlin Potter  <caitp@igalia.com>
469
470         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
471         https://bugs.webkit.org/show_bug.cgi?id=176810
472
473         Reviewed by Saam Barati.
474
475         Add tests for the DontEnum filtering, and variations of other tests
476         take the DontEnum-filtering path.
477
478         * stress/proxy-own-keys.js:
479         (i.catch):
480         (set assert):
481         (set add):
482         (let.set new):
483         (get let):
484
485 2019-04-05  Caitlin Potter  <caitp@igalia.com>
486
487         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
488         https://bugs.webkit.org/show_bug.cgi?id=185211
489
490         Reviewed by Saam Barati.
491
492         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
493
494         This changes several assertions to expect a TypeError to be thrown (in some cases,
495         changing thee expected message).
496
497         * es6/Proxy_ownKeys_duplicates.js:
498         (handler):
499         (shouldThrow):
500         (test):
501         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
502         (shouldThrow):
503         * stress/proxy-own-keys.js:
504         (i.catch):
505         (assert):
506
507 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
508
509         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
510         https://bugs.webkit.org/show_bug.cgi?id=196631
511
512         Reviewed by Saam Barati.
513
514         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
515         (assert):
516         (test):
517         (foo):
518
519 2019-04-04  Saam Barati  <sbarati@apple.com>
520
521         Unreviewed. Make the test from r243906 catch the thrown exceptions.
522
523         * stress/inferred-types-regex-matches-array.js:
524
525 2019-04-04  Saam Barati  <sbarati@apple.com>
526
527         createRegExpMatchesArray does not respect inferred types
528         https://bugs.webkit.org/show_bug.cgi?id=193287
529
530         Reviewed by Yusuke Suzuki.
531
532         This checks in the test case for 193287. This issue was discovered by
533         Samuel GroƟ of Google Project Zero.
534
535         * stress/inferred-types-regex-matches-array.js: Added.
536
537 2019-04-04  Saam barati  <sbarati@apple.com>
538
539         Teach Call ICs how to call Wasm
540         https://bugs.webkit.org/show_bug.cgi?id=196387
541
542         Reviewed by Filip Pizlo.
543
544         * wasm/function-tests/stack-trace.js:
545
546 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
547
548         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
549         https://bugs.webkit.org/show_bug.cgi?id=194944
550
551         Reviewed by Keith Miller.
552
553         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
554
555 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
556
557         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
558         https://bugs.webkit.org/show_bug.cgi?id=196409
559
560         Reviewed by Saam Barati.
561
562         * stress/bytecode-cache-cached-string-impl.js: Added.
563         (f):
564         (g):
565         * stress/bytecode-cache-run-string.js: Added.
566
567 2019-04-03  Robin Morisset  <rmorisset@apple.com>
568
569         B3 should use associativity to optimize expression trees
570         https://bugs.webkit.org/show_bug.cgi?id=194081
571
572         Reviewed by Filip Pizlo.
573
574         Added three microbenchmarks:
575         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
576         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
577           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
578         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
579
580         * microbenchmarks/add-tree.js: Added.
581         * microbenchmarks/bit-or-tree.js: Added.
582         * microbenchmarks/bit-xor-tree.js: Added.
583
584 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
585
586         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
587         https://bugs.webkit.org/show_bug.cgi?id=196574
588
589         Reviewed by Saam Barati.
590
591         * stress/string-index-of-exception-check.js: Added.
592         (blurType):
593         (1.forEach):
594
595 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
596
597         Assertion failed in JSC::createError
598         https://bugs.webkit.org/show_bug.cgi?id=196305
599         <rdar://problem/49387382>
600
601         Reviewed by Saam Barati.
602
603         * stress/create-error-out-of-memory-rope-string-2.js: Added.
604         (assert):
605         (catch):
606
607 2019-03-28  Saam Barati  <sbarati@apple.com>
608
609         BackwardsGraph needs to consider back edges as the backward's root successor
610         https://bugs.webkit.org/show_bug.cgi?id=195991
611
612         Reviewed by Filip Pizlo.
613
614         * stress/map-b3-licm-infinite-loop.js: Added.
615
616 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
617
618         CodeBlock::jettison() should disallow repatching its own calls
619         https://bugs.webkit.org/show_bug.cgi?id=196359
620         <rdar://problem/48973663>
621
622         Reviewed by Saam Barati.
623
624         * stress/call-link-info-osrexit-repatch.js: Added.
625         (foo):
626
627 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
628
629         [JSC] imports-oom.js intermittently fails
630         https://bugs.webkit.org/show_bug.cgi?id=196373
631
632         Reviewed by Saam Barati.
633
634         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
635         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
636         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
637         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
638         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
639
640         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
641         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
642
643         * wasm/lowExecutableMemory/imports-oom.js:
644
645 2019-03-27  Saam Barati  <sbarati@apple.com>
646
647         validateOSREntryValue with Int52 should box the value being checked into double format
648         https://bugs.webkit.org/show_bug.cgi?id=196313
649         <rdar://problem/49306703>
650
651         Reviewed by Yusuke Suzuki.
652
653         * stress/validate-int-52-ai-state.js: Added.
654
655 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
656
657         [JSC] Owner of watchpoints should validate at GC finalizing phase
658         https://bugs.webkit.org/show_bug.cgi?id=195827
659
660         Reviewed by Filip Pizlo.
661
662         * stress/gc-should-reap-dead-watchpoints.js: Added.
663         (foo):
664         (A.prototype.y):
665         (A):
666
667 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
668
669         Skip WebAssembly test on 32-bit systems
670         https://bugs.webkit.org/show_bug.cgi?id=196206
671
672         Reviewed by Saam Barati.
673
674         Invoking runDefault executes test immediately even though
675         that test should be skipped due to missing WASM support.
676         Therefore remove runDefault.
677
678         * wasm/regress/web-assembly-link-error-exception-check.js:
679
680 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
681
682         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
683         https://bugs.webkit.org/show_bug.cgi?id=196217
684
685         Reviewed by Saam Barati.
686
687         Re-enable all NaN tests for f32.min, f64.min and f64.max.
688
689         * wasm/spec-tests/f32.wast.js:
690         * wasm/spec-tests/f64.wast.js:
691         * wasm/wasm.json:
692
693 2019-03-25  Keith Miller  <keith_miller@apple.com>
694
695         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
696         https://bugs.webkit.org/show_bug.cgi?id=196176
697
698         Reviewed by Saam Barati.
699
700         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
701         (main.v10):
702         (main):
703
704 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
705
706         WebAssembly: f32.max with NaN generates incorrect result
707         https://bugs.webkit.org/show_bug.cgi?id=175691
708         <rdar://problem/33952228>
709
710         Reviewed by Saam Barati.
711
712         Enable all f32.max NaN tests
713
714         * wasm/spec-tests/f32.wast.js:
715         * wasm/wasm.json:
716
717 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
718
719         [JSC] Move test into directory for WASM tests
720         https://bugs.webkit.org/show_bug.cgi?id=196187
721
722         Reviewed by Mark Lam.
723
724         Move Test into wasm-directory. Otherwise this test
725         is also executed on systems without WASM support.
726
727         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
728
729 2019-03-23  Mark Lam  <mark.lam@apple.com>
730
731         Rolling out r243032 and r243071 because the fix is incorrect.
732         https://bugs.webkit.org/show_bug.cgi?id=195892
733         <rdar://problem/48981239>
734
735         Not reviewed.
736
737         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
738
739 2019-03-22  Mark Lam  <mark.lam@apple.com>
740
741         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
742         https://bugs.webkit.org/show_bug.cgi?id=196154
743         <rdar://problem/49145307>
744
745         Reviewed by Filip Pizlo.
746
747         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
748         There's no need to run this test on more than 1 test configuration.
749
750         * stress/typed-array-lastIndexOf-exception-check.js: Added.
751         * stress/web-assembly-link-error-exception-check.js:
752
753 2019-03-22  Mark Lam  <mark.lam@apple.com>
754
755         Placate exception check validation in constructJSWebAssemblyLinkError().
756         https://bugs.webkit.org/show_bug.cgi?id=196152
757         <rdar://problem/49145257>
758
759         Reviewed by Michael Saboff.
760
761         * stress/web-assembly-link-error-exception-check.js: Added.
762
763 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
764
765         Skip tests running out of memory on ARM/MIPS
766         https://bugs.webkit.org/show_bug.cgi?id=196131
767
768         Unreviewed. Skip test if memory is limited.
769
770         * microbenchmarks/put-by-val-direct-large-index.js:
771
772 2019-03-21  Mark Lam  <mark.lam@apple.com>
773
774         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
775         https://bugs.webkit.org/show_bug.cgi?id=196116
776         <rdar://problem/48976951>
777
778         Reviewed by Filip Pizlo.
779
780         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
781
782 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
783
784         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
785         https://bugs.webkit.org/show_bug.cgi?id=196078
786         <rdar://problem/35925380>
787
788         Reviewed by Mark Lam.
789
790         Add a new benchmark that allocates several objects and invokes put_by_val_direct
791         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
792
793         * microbenchmarks/put-by-val-direct-large-index.js: Added.
794
795 2019-03-21  Mark Lam  <mark.lam@apple.com>
796
797         Placate exception check validation in operationArrayIndexOfString().
798         https://bugs.webkit.org/show_bug.cgi?id=196067
799         <rdar://problem/49056572>
800
801         Reviewed by Michael Saboff.
802
803         * stress/string-equal-exception-check.js: Added.
804
805 2019-03-21  Mark Lam  <mark.lam@apple.com>
806
807         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
808         https://bugs.webkit.org/show_bug.cgi?id=196055
809         <rdar://problem/49067448>
810
811         Reviewed by Yusuke Suzuki.
812
813         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
814
815 2019-03-20  Saam Barati  <sbarati@apple.com>
816
817         typeOfDoubleSum is wrong for when NaN can be produced
818         https://bugs.webkit.org/show_bug.cgi?id=196030
819
820         Reviewed by Filip Pizlo.
821
822         * stress/double-add-sub-mul-can-produce-nan.js: Added.
823         (assert):
824         (noInline.sub):
825         (noInline):
826         (assert.mul):
827         (assert.add):
828
829 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
830
831         Update the test to ensure OutOfMemoryError is thrown as intended
832         https://bugs.webkit.org/show_bug.cgi?id=196032
833         <rdar://problem/46842740>
834
835         Rubber stamped by Saam Barati.
836
837         * stress/create-error-out-of-memory-rope-string.js:
838         (assert):
839         (catch):
840
841 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
842
843         JSC::createError needs to check for OOM in errorDescriptionForValue
844         https://bugs.webkit.org/show_bug.cgi?id=196032
845         <rdar://problem/46842740>
846
847         Reviewed by Mark Lam.
848
849         * stress/create-error-out-of-memory-rope-string.js: Added.
850
851 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
852
853         Unreviewed, reduce # of iterations to avoid timing out after r242991
854         https://bugs.webkit.org/show_bug.cgi?id=195791
855
856         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
857
858         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
859
860 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
861
862         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
863         https://bugs.webkit.org/show_bug.cgi?id=195950
864
865         Unreviewed, reducing the amount of memory used on this test to avoid
866         OOM on devices with memory restrictions.
867
868         * microbenchmarks/generate-multiple-llint-entrypoints.js:
869
870 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
871
872         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
873         https://bugs.webkit.org/show_bug.cgi?id=194648
874
875         Reviewed by Keith Miller.
876
877         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
878
879 2019-03-18  Mark Lam  <mark.lam@apple.com>
880
881         Missing a ThrowScope release in JSObject::toString().
882         https://bugs.webkit.org/show_bug.cgi?id=195893
883         <rdar://problem/48970986>
884
885         Reviewed by Michael Saboff.
886
887         * stress/to-string-exception-check-release.js: Added.
888
889 2019-03-18  Mark Lam  <mark.lam@apple.com>
890
891         Structure::flattenDictionary() should clear unused property slots.
892         https://bugs.webkit.org/show_bug.cgi?id=195871
893         <rdar://problem/48959497>
894
895         Reviewed by Michael Saboff.
896
897         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
898
899 2019-03-15  Mark Lam  <mark.lam@apple.com>
900
901         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
902         https://bugs.webkit.org/show_bug.cgi?id=195827
903         <rdar://problem/48845513>
904
905         Reviewed by Filip Pizlo.
906
907         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
908
909 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
910
911         [ARM,MIPS] Skip slow tests
912         https://bugs.webkit.org/show_bug.cgi?id=195799
913
914         Unreviewed, test does not finish on ARM and MIPS within the
915         timeout limit.
916
917         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
918
919 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
922         https://bugs.webkit.org/show_bug.cgi?id=195791
923         <rdar://problem/48806130>
924
925         Reviewed by Mark Lam.
926
927         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
928         (foo):
929
930 2019-03-14  Saam barati  <sbarati@apple.com>
931
932         We can't remove code after ForceOSRExit until after FixupPhase
933         https://bugs.webkit.org/show_bug.cgi?id=186916
934         <rdar://problem/41396612>
935
936         Reviewed by Yusuke Suzuki.
937
938         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
939         (foo):
940         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
941         (foo):
942
943 2019-03-13  Michael Saboff  <msaboff@apple.com>
944
945         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
946         https://bugs.webkit.org/show_bug.cgi?id=195735
947
948         Reviewed by Mark Lam.
949
950         New regression test.
951
952         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
953         (foo):
954         (bar):
955
956 2019-03-14  Saam barati  <sbarati@apple.com>
957
958         Fixup uses KnownInt32 incorrectly in some nodes
959         https://bugs.webkit.org/show_bug.cgi?id=195279
960         <rdar://problem/47915654>
961
962         Reviewed by Yusuke Suzuki.
963
964         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
965         (foo):
966
967 2019-03-14  Keith Miller  <keith_miller@apple.com>
968
969         DFG liveness can't skip tail caller inline frames
970         https://bugs.webkit.org/show_bug.cgi?id=195715
971
972         Reviewed by Saam Barati.
973
974         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
975         (i.foo):
976
977 2019-03-13  Mark Lam  <mark.lam@apple.com>
978
979         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
980         https://bugs.webkit.org/show_bug.cgi?id=195415
981
982         Not reviewed.
983
984         Changed these tests to only run the default configuration.
985         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
986         There's no strong need to run this test on that variant.
987
988         * stress/dfg-to-string-on-int-does-gc.js:
989         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
990
991 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
992
993         String overflow when using StringBuilder in JSC::createError
994         https://bugs.webkit.org/show_bug.cgi?id=194957
995
996         Reviewed by Mark Lam.
997
998         Add test string-overflow-createError-bulder.js that overflows
999         StringBuilder in notAFunctionSourceAppender. The second new test
1000         string-overflow-createError-fit.js has an error message that doesn't
1001         overflow, it still failed since the String's capacity can't be doubled.
1002         Run test string-overflow-createError.js only in the default
1003         configuration to reduce memory consumption when running the test
1004         in all configurations on multiple CPUs in parallel.
1005
1006         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
1007         (catch):
1008         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
1009         (catch):
1010         * stress/string-overflow-createError.js:
1011
1012 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
1013
1014         [JSC] OSR entry should respect abstract values in addition to flush formats
1015         https://bugs.webkit.org/show_bug.cgi?id=195653
1016
1017         Reviewed by Mark Lam.
1018
1019         * stress/osr-entry-locals-none.js: Added.
1020
1021 2019-03-12  Michael Saboff  <msaboff@apple.com>
1022
1023         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
1024         https://bugs.webkit.org/show_bug.cgi?id=195613
1025
1026         Reviewed by Mark Lam.
1027
1028         New regression test.
1029
1030         * stress/regexp-backref-inbounds.js: Added.
1031         (testRegExp):
1032
1033 2019-03-12  Mark Lam  <mark.lam@apple.com>
1034
1035         The HasIndexedProperty node does GC.
1036         https://bugs.webkit.org/show_bug.cgi?id=195559
1037         <rdar://problem/48767923>
1038
1039         Reviewed by Yusuke Suzuki.
1040
1041         * stress/HasIndexedProperty-does-gc.js: Added.
1042
1043 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
1044
1045         [ESNext][BigInt] Implement "~" unary operation
1046         https://bugs.webkit.org/show_bug.cgi?id=182216
1047
1048         Reviewed by Keith Miller.
1049
1050         * stress/big-int-bit-not-general.js: Added.
1051         * stress/big-int-bitwise-not-jit.js: Added.
1052         * stress/big-int-bitwise-not-wrapped-value.js: Added.
1053         * stress/bit-op-with-object-returning-int32.js:
1054         * stress/bitwise-not-fixup-rules.js: Added.
1055         * stress/value-bit-not-ai-rule.js: Added.
1056
1057 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
1058
1059         Invalid flags in a RegExp literal should be an early SyntaxError
1060         https://bugs.webkit.org/show_bug.cgi?id=195514
1061
1062         Reviewed by Darin Adler.
1063
1064         * test262/expectations.yaml:
1065         Mark 4 test cases as passing.
1066
1067         * stress/regexp-syntax-error-invalid-flags.js:
1068         * stress/regress-161995.js: Removed.
1069         Update existing test, merging in an older test for the same behavior.
1070
1071 2019-03-08  Mark Lam  <mark.lam@apple.com>
1072
1073         Stack overflow crash in JSC::JSObject::hasInstance.
1074         https://bugs.webkit.org/show_bug.cgi?id=195458
1075         <rdar://problem/48710195>
1076
1077         Reviewed by Yusuke Suzuki.
1078
1079         * stress/stack-overflow-in-custom-hasInstance.js: Added.
1080
1081 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
1082
1083         op_check_tdz does not def its argument
1084         https://bugs.webkit.org/show_bug.cgi?id=192880
1085         <rdar://problem/46221598>
1086
1087         Reviewed by Saam Barati.
1088
1089         * microbenchmarks/let-for-in.js: Added.
1090         (foo):
1091
1092 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
1095         https://bugs.webkit.org/show_bug.cgi?id=195429
1096
1097         Reviewed by Saam Barati.
1098
1099         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
1100         (foo):
1101         * stress/string-from-char-code-255.js: Added.
1102
1103 2019-03-06  Mark Lam  <mark.lam@apple.com>
1104
1105         Fix incorrect handling of try-finally completion values.
1106         https://bugs.webkit.org/show_bug.cgi?id=195131
1107         <rdar://problem/46222079>
1108
1109         Reviewed by Saam Barati and Yusuke Suzuki.
1110
1111         Added many permutations of new test case to test-finally.js.  test-finally.js has
1112         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
1113         tests passes there as well.
1114
1115         * stress/test-finally.js:
1116
1117 2019-03-06  Saam Barati  <sbarati@apple.com>
1118
1119         Air::reportUsedRegisters must padInterference
1120         https://bugs.webkit.org/show_bug.cgi?id=195303
1121         <rdar://problem/48270343>
1122
1123         Reviewed by Keith Miller.
1124
1125         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
1126
1127 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
1128
1129         [JSC] AI should not propagate AbstractValue relying on constant folding phase
1130         https://bugs.webkit.org/show_bug.cgi?id=195375
1131
1132         Reviewed by Saam Barati.
1133
1134         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
1135         (let.array):
1136
1137 2019-03-05  Saam barati  <sbarati@apple.com>
1138
1139         op_switch_char broken for rope strings after JSRopeString layout rewrite
1140         https://bugs.webkit.org/show_bug.cgi?id=195339
1141         <rdar://problem/48592545>
1142
1143         Reviewed by Yusuke Suzuki.
1144
1145         * stress/switch-on-char-llint-rope.js: Added.
1146
1147 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
1148
1149         [JSC] Store bits for JSRopeString in 3 stores
1150         https://bugs.webkit.org/show_bug.cgi?id=195234
1151
1152         Reviewed by Saam Barati.
1153
1154         * stress/null-rope-and-collectors.js: Added.
1155
1156 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
1157
1158         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
1159         https://bugs.webkit.org/show_bug.cgi?id=195207
1160
1161         Unreviewed. After test runtime was reduced in r242213, test can be
1162         run again on ARM/MIPS.
1163
1164         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1165
1166 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1167
1168         [JSC] sizeof(JSString) should be 16
1169         https://bugs.webkit.org/show_bug.cgi?id=194375
1170
1171         Reviewed by Saam Barati.
1172
1173         * microbenchmarks/make-rope.js: Added.
1174         (makeRope):
1175         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
1176         (returnRope.helper): Deleted.
1177         (returnRope): Deleted.
1178
1179 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
1180
1181         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
1182         https://bugs.webkit.org/show_bug.cgi?id=195144
1183
1184         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
1185         Change the number from 1e8 to 1e5.
1186
1187         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1188         (foo):
1189
1190 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
1191
1192         Test times out on ARM/MIPS
1193         https://bugs.webkit.org/show_bug.cgi?id=195168
1194
1195         Unreviewed. Skip test on ARM/MIPS.
1196
1197         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1198
1199 2019-02-27  Mark Lam  <mark.lam@apple.com>
1200
1201         The parser is failing to record the token location of new in new.target.
1202         https://bugs.webkit.org/show_bug.cgi?id=195127
1203         <rdar://problem/39645578>
1204
1205         Reviewed by Yusuke Suzuki.
1206
1207         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
1208
1209 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
1210
1211         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
1212         https://bugs.webkit.org/show_bug.cgi?id=195144
1213         <rdar://problem/47595961>
1214
1215         Reviewed by Mark Lam.
1216
1217         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
1218         (bar):
1219         (foo):
1220         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
1221         (bar):
1222         (foo):
1223
1224 2019-02-27  Robin Morisset  <rmorisset@apple.com>
1225
1226         DFG: Loop-invariant code motion (LICM) should not hoist dead code
1227         https://bugs.webkit.org/show_bug.cgi?id=194945
1228         <rdar://problem/48311657>
1229
1230         Reviewed by Mark Lam.
1231
1232         * stress/licm-dead-code.js: Added.
1233
1234 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
1235
1236         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
1237         https://bugs.webkit.org/show_bug.cgi?id=194677
1238         <rdar://problem/48112492>
1239
1240         Reviewed by Mark Lam.
1241
1242         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
1243         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
1244         it immediately fails due the large size.
1245
1246         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
1247         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
1248         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
1249         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
1250
1251         This patch changes the test to produce 16bit string from String.fromCharCode.
1252
1253         * stress/regress-178386.js:
1254
1255 2019-02-26  Mark Lam  <mark.lam@apple.com>
1256
1257         wasmToJS() should purify incoming NaNs.
1258         https://bugs.webkit.org/show_bug.cgi?id=194807
1259         <rdar://problem/48189132>
1260
1261         Reviewed by Saam Barati.
1262
1263         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
1264
1265 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
1266
1267         [JSC] Repeat string created from Array.prototype.join() take too much memory
1268         https://bugs.webkit.org/show_bug.cgi?id=193912
1269
1270         Reviewed by Saam Barati.
1271
1272         Added a test and a microbenchmark for corner cases of
1273         Array.prototype.join() with an uninitialized array.
1274
1275         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
1276         * stress/array-prototype-join-uninitialized.js: Added.
1277         (testArray):
1278         (testABC):
1279         (B):
1280         (C):
1281
1282 2019-02-22  Robin Morisset  <rmorisset@apple.com>
1283
1284         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
1285         https://bugs.webkit.org/show_bug.cgi?id=194953
1286         <rdar://problem/47595253>
1287
1288         Reviewed by Saam Barati.
1289
1290         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
1291
1292         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
1293
1294 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1295
1296         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1297         https://bugs.webkit.org/show_bug.cgi?id=172848
1298         <rdar://problem/25709212>
1299
1300         Reviewed by Mark Lam.
1301
1302         * typeProfiler/inheritance.js:
1303         Rewrite the test slightly for clarity. The hoisting was confusing.
1304
1305         * heapProfiler/class-names.js: Added.
1306         (MyES5Class):
1307         (MyES6Class):
1308         (MyES6Subclass):
1309         Test object types and improved class names.
1310
1311         * heapProfiler/driver/driver.js:
1312         (CheapHeapSnapshotNode):
1313         (CheapHeapSnapshot):
1314         (createCheapHeapSnapshot):
1315         (HeapSnapshot):
1316         (createHeapSnapshot):
1317         Update snapshot parsing from version 1 to version 2.
1318
1319 2019-02-19  Truitt Savell  <tsavell@apple.com>
1320
1321         Unreviewed, rolling out r241784.
1322
1323         Broke all OpenSource builds.
1324
1325         Reverted changeset:
1326
1327         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
1328         instances view"
1329         https://bugs.webkit.org/show_bug.cgi?id=172848
1330         https://trac.webkit.org/changeset/241784
1331
1332 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1333
1334         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1335         https://bugs.webkit.org/show_bug.cgi?id=172848
1336         <rdar://problem/25709212>
1337
1338         Reviewed by Mark Lam.
1339
1340         * typeProfiler/inheritance.js:
1341         Rewrite the test slightly for clarity. The hoisting was confusing.
1342
1343         * heapProfiler/class-names.js: Added.
1344         (MyES5Class):
1345         (MyES6Class):
1346         (MyES6Subclass):
1347         Test object types and improved class names.
1348
1349         * heapProfiler/driver/driver.js:
1350         (CheapHeapSnapshotNode):
1351         (CheapHeapSnapshot):
1352         (createCheapHeapSnapshot):
1353         (HeapSnapshot):
1354         (createHeapSnapshot):
1355         Update snapshot parsing from version 1 to version 2.
1356
1357 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1358
1359         [ARM] Fix crash with sampling profiler
1360         https://bugs.webkit.org/show_bug.cgi?id=194772
1361
1362         Reviewed by Mark Lam.
1363
1364         Do not skip test since crash with sampling profiler is now fixed.
1365
1366         * stress/sampling-profiler-richards.js:
1367
1368 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
1369
1370         [JSC] Add LazyClassStructure::getInitializedOnMainThread
1371         https://bugs.webkit.org/show_bug.cgi?id=194784
1372         <rdar://problem/48154820>
1373
1374         Reviewed by Mark Lam.
1375
1376         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
1377         (getProperties):
1378         (getRandomProperty):
1379         (i.catch):
1380
1381 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
1382
1383         [ARM] Test gardening: Test running out of executable memory
1384         https://bugs.webkit.org/show_bug.cgi?id=194771
1385
1386         Unreviewed. Do not run test without LLInt, test is running out of executable
1387         memory on ARM otherwise.
1388
1389         * stress/tagged-template-object-collect.js:
1390
1391 2019-02-18  Tomas Popela  <tpopela@redhat.com>
1392
1393         Unreviewed, skip the test on platforms without sampling profiler
1394
1395         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
1396         (platformSupportsSamplingProfiler.foo):
1397         (platformSupportsSamplingProfiler.test):
1398         (platformSupportsSamplingProfiler):
1399         (foo): Deleted.
1400         (test): Deleted.
1401
1402 2019-02-17  Saam Barati  <sbarati@apple.com>
1403
1404         Deadlock when adding a Structure property transition and then doing incremental marking
1405         https://bugs.webkit.org/show_bug.cgi?id=194767
1406
1407         Reviewed by Mark Lam.
1408
1409         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
1410
1411 2019-02-15  Michael Saboff  <msaboff@apple.com>
1412
1413         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
1414         https://bugs.webkit.org/show_bug.cgi?id=194558
1415
1416         Reviewed by Saam Barati.
1417
1418         New regression test.
1419
1420         * stress/regexp-unicode-within-string.js: Added.
1421
1422 2019-02-15  Mark Lam  <mark.lam@apple.com>
1423
1424         SamplingProfiler::stackTracesAsJSON() should escape strings.
1425         https://bugs.webkit.org/show_bug.cgi?id=194649
1426         <rdar://problem/48072386>
1427
1428         Reviewed by Saam Barati.
1429
1430         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
1431         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
1432         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
1433         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
1434
1435 2019-02-15  Robin Morisset  <rmorisset@apple.com>
1436         CodeBlock::jettison should clear related watchpoints
1437         https://bugs.webkit.org/show_bug.cgi?id=194544
1438
1439         Reviewed by Mark Lam.
1440
1441         * stress/regexp-replace-double-watchpoint.js: Added.
1442         (foo):
1443
1444 2019-02-15  Saam barati  <sbarati@apple.com>
1445
1446         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
1447         https://bugs.webkit.org/show_bug.cgi?id=194036
1448
1449         Reviewed by Yusuke Suzuki.
1450
1451         * stress/tail-call-many-arguments.js: Added.
1452         (foo):
1453         (bar):
1454
1455 2019-02-14  Saam Barati  <sbarati@apple.com>
1456
1457         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
1458         https://bugs.webkit.org/show_bug.cgi?id=194583
1459         <rdar://problem/48028140>
1460
1461         Reviewed by Yusuke Suzuki.
1462
1463         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
1464
1465 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1466
1467         [JSC] String.fromCharCode's slow path always generates 16bit string
1468         https://bugs.webkit.org/show_bug.cgi?id=194466
1469
1470         Reviewed by Keith Miller.
1471
1472         * stress/string-from-char-code-slow-path.js: Added.
1473         (shouldBe):
1474         (testWithLength):
1475
1476 2019-02-08  Saam barati  <sbarati@apple.com>
1477
1478         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1479         https://bugs.webkit.org/show_bug.cgi?id=194334
1480         <rdar://problem/47844327>
1481
1482         Reviewed by Mark Lam.
1483
1484         * stress/check-in-bounds-should-be-a-child-use.js: Added.
1485         (func):
1486
1487 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1488
1489         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1490         https://bugs.webkit.org/show_bug.cgi?id=194369
1491         <rdar://problem/47813087>
1492
1493         Reviewed by Saam Barati.
1494
1495         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
1496         (A):
1497
1498 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1499
1500         [JSC] PrivateName to PublicName hash table is wasteful
1501         https://bugs.webkit.org/show_bug.cgi?id=194277
1502
1503         Reviewed by Michael Saboff.
1504
1505         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
1506
1507         * ChakraCore.yaml:
1508
1509 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
1510
1511         [ARM] Test running out of executable memory
1512         https://bugs.webkit.org/show_bug.cgi?id=194285
1513
1514         Unreviewed. Do no execute test with LLInt disabled, test runs out of
1515         executable memory otherwise.
1516
1517         * stress/class-subclassing-function.js:
1518
1519 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1520
1521         when lowering AssertNotEmpty, create the value before creating the patchpoint
1522         https://bugs.webkit.org/show_bug.cgi?id=194231
1523
1524         Reviewed by Saam Barati.
1525
1526         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
1527         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
1528         So even tiny changes to this test can change the path code taken.
1529
1530         * stress/assert-not-empty.js: Added.
1531         (foo):
1532
1533 2019-02-01  Mark Lam  <mark.lam@apple.com>
1534
1535         Remove invalid assertion in DFG's compileDoubleRep().
1536         https://bugs.webkit.org/show_bug.cgi?id=194130
1537         <rdar://problem/47699474>
1538
1539         Reviewed by Saam Barati.
1540
1541         * stress/constant-fold-double-rep-into-double-constant.js: Added.
1542
1543 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
1544
1545         Import latest Test262 updates.
1546
1547         Rubber-stamped by Keith Miller.
1548
1549         * test262.yaml: Deleted.
1550         * test262/config.yaml:
1551         * test262/expectations.yaml:
1552         * test262/latest-changes-summary.txt:
1553         * test262/test/:
1554         * test262/test262-Revision.txt:
1555
1556 2019-01-30  Robin Morisset  <rmorisset@apple.com>
1557
1558         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
1559         https://bugs.webkit.org/show_bug.cgi?id=194050
1560         <rdar://problem/47595592>
1561
1562         Reviewed by Yusuke Suzuki.
1563
1564         * stress/object-keys-osr-exit.js: Added.
1565         (foo):
1566         (catch):
1567
1568 2019-01-29  Mark Lam  <mark.lam@apple.com>
1569
1570         ValueRecovery::recover() should purify NaN values it recovers.
1571         https://bugs.webkit.org/show_bug.cgi?id=193978
1572         <rdar://problem/47625488>
1573
1574         Reviewed by Saam Barati.
1575
1576         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
1577
1578 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
1579
1580         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
1581         https://bugs.webkit.org/show_bug.cgi?id=193713
1582
1583         * stress/try-get-by-id-should-spill-registers-dfg.js:
1584         (let.f.createBuiltin):
1585
1586 2019-01-28  Mark Lam  <mark.lam@apple.com>
1587
1588         ToString node actually does GC.
1589         https://bugs.webkit.org/show_bug.cgi?id=193920
1590         <rdar://problem/46695900>
1591
1592         Reviewed by Yusuke Suzuki.
1593
1594         * stress/dfg-to-string-on-int-does-gc.js: Added.
1595         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
1596         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
1597
1598 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
1599
1600         [JSC] NativeErrorConstructor should not have own IsoSubspace
1601         https://bugs.webkit.org/show_bug.cgi?id=193713
1602
1603         Reviewed by Saam Barati.
1604
1605         Remove @Error use.
1606
1607         * stress/try-get-by-id-should-spill-registers-dfg.js:
1608         (let.f.createBuiltin):
1609
1610 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
1611
1612         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
1613         https://bugs.webkit.org/show_bug.cgi?id=190693
1614
1615         Reviewed by Michael Saboff.
1616
1617         * stress/regress-190693.js: Added.
1618         (truth):
1619         (assert):
1620         (shouldThrowInvalidConstAssignment):
1621         (taz):
1622
1623 2019-01-24  Saam Barati  <sbarati@apple.com>
1624
1625         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
1626         https://bugs.webkit.org/show_bug.cgi?id=193751
1627         <rdar://problem/47280215>
1628
1629         Reviewed by Michael Saboff.
1630
1631         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
1632         (let.thing):
1633         (foo.let.hello):
1634         (foo):
1635
1636 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
1637
1638         [JSC] Reenable baseline JIT on mips
1639         https://bugs.webkit.org/show_bug.cgi?id=192983
1640
1641         Reviewed by Mark Lam.
1642
1643         Added a new test for a case that was triggering a RELEASE_ASSERT when
1644         testing.
1645         Disable some slow tests that were already disabled for arm and x86.
1646
1647         * stress/json-parse-big-object.js: Added.
1648         * stress/new-largeish-contiguous-array-with-size.js:
1649         * stress/op_add.js:
1650         * stress/op_bitand.js:
1651         * stress/op_bitor.js:
1652         * stress/op_bitxor.js:
1653         * stress/op_lshift-ConstVar.js:
1654         * stress/op_lshift-VarConst.js:
1655         * stress/op_lshift-VarVar.js:
1656         * stress/op_mod-ConstVar.js:
1657         * stress/op_mod-VarConst.js:
1658         * stress/op_mod-VarVar.js:
1659         * stress/op_mul-ConstVar.js:
1660         * stress/op_mul-VarConst.js:
1661         * stress/op_mul-VarVar.js:
1662         * stress/op_rshift-ConstVar.js:
1663         * stress/op_rshift-VarConst.js:
1664         * stress/op_rshift-VarVar.js:
1665         * stress/op_sub-ConstVar.js:
1666         * stress/op_sub-VarConst.js:
1667         * stress/op_sub-VarVar.js:
1668         * stress/op_urshift-ConstVar.js:
1669         * stress/op_urshift-VarConst.js:
1670         * stress/op_urshift-VarVar.js:
1671         * stress/sampling-profiler-richards.js:
1672         * stress/spread-forward-call-varargs-stack-overflow.js:
1673
1674 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
1675
1676         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
1677         https://bugs.webkit.org/show_bug.cgi?id=193711
1678         <rdar://problem/47250262>
1679
1680         Reviewed by Saam Barati.
1681
1682         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
1683         (shouldBe):
1684         (foo):
1685         (bar):
1686         (baz):
1687
1688 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1689
1690         Unreviewed, fix initial global lexical binding epoch
1691         https://bugs.webkit.org/show_bug.cgi?id=193603
1692         <rdar://problem/47380869>
1693
1694         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
1695         (f1.f2.f3.f4):
1696         (f1.f2.f3):
1697         (f1.f2):
1698         (f1):
1699
1700 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1701
1702         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1703         https://bugs.webkit.org/show_bug.cgi?id=193709
1704         <rdar://problem/47363838>
1705
1706         Unreviewed, rollout to watch the tests.
1707
1708         * stress/object-tostring-changed-proto.js: Removed.
1709         * stress/object-tostring-changed.js: Removed.
1710         * stress/object-tostring-misc.js: Removed.
1711         * stress/object-tostring-other.js: Removed.
1712         * stress/object-tostring-untyped.js: Removed.
1713
1714 2019-01-22  Saam Barati  <sbarati@apple.com>
1715
1716         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1717
1718         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1719         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1720         (testUncheckedLessThanZero):
1721         (testUncheckedLessThanOrEqualZero):
1722         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1723         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1724
1725 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1726
1727         [JSC] Invalidate old scope operations using global lexical binding epoch
1728         https://bugs.webkit.org/show_bug.cgi?id=193603
1729         <rdar://problem/47380869>
1730
1731         Reviewed by Saam Barati.
1732
1733         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1734         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1735         (shouldThrow):
1736         (bar):
1737         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1738         (shouldBe):
1739         (get1):
1740         (get2):
1741         (get1If):
1742         (get2If):
1743         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1744         (shouldThrow):
1745         (foo):
1746
1747 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1748
1749         Unreviewed, roll out r240220 due to date-format-xparb regression
1750         https://bugs.webkit.org/show_bug.cgi?id=193603
1751
1752         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1753         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1754         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1755         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1756
1757 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1758
1759         DoesGC rule is wrong for nodes with BigIntUse
1760         https://bugs.webkit.org/show_bug.cgi?id=193652
1761
1762         Reviewed by Saam Barati.
1763
1764         * stress/big-int-value-op-update-gc-rules.js: Added.
1765         (assert):
1766         (doesGCAdd):
1767         (doesGCSub):
1768         (doesGCDiv):
1769         (doesGCMul):
1770         (doesGCBitAnd):
1771         (doesGCBitOr):
1772         (doesGCBitXor):
1773
1774 2019-01-20  Saam Barati  <sbarati@apple.com>
1775
1776         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1777         https://bugs.webkit.org/show_bug.cgi?id=193644
1778         <rdar://problem/46209745>
1779
1780         Reviewed by Yusuke Suzuki.
1781
1782         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1783         (foo):
1784         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1785         (foo):
1786         (bar):
1787
1788 2019-01-20  Saam Barati  <sbarati@apple.com>
1789
1790         MovHint must merge NodeBytecodeUsesAsValue for its child
1791         https://bugs.webkit.org/show_bug.cgi?id=186916
1792         <rdar://problem/41396612>
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1797         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1798
1799 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1800
1801         [JSC] Invalidate old scope operations using global lexical binding epoch
1802         https://bugs.webkit.org/show_bug.cgi?id=193603
1803         <rdar://problem/47380869>
1804
1805         Reviewed by Saam Barati.
1806
1807         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1808         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1809         (shouldThrow):
1810         (bar):
1811         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1812         (shouldBe):
1813         (get1):
1814         (get2):
1815         (get1If):
1816         (get2If):
1817         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1818         (shouldThrow):
1819         (foo):
1820
1821 2019-01-17  Saam barati  <sbarati@apple.com>
1822
1823         StringObjectUse should not be a structure check for the original string object structure
1824         https://bugs.webkit.org/show_bug.cgi?id=193483
1825         <rdar://problem/47280522>
1826
1827         Reviewed by Yusuke Suzuki.
1828
1829         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1830         (foo):
1831         (a.valueOf.0):
1832
1833 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1834
1835         [JSC] ToThis omission in DFGByteCodeParser is wrong
1836         https://bugs.webkit.org/show_bug.cgi?id=193513
1837         <rdar://problem/45842236>
1838
1839         Reviewed by Saam Barati.
1840
1841         * stress/to-this-omission-with-different-strict-modes.js: Added.
1842         (thisA):
1843         (thisAStrictWrapper):
1844
1845 2019-01-15  Mark Lam  <mark.lam@apple.com>
1846
1847         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1848         https://bugs.webkit.org/show_bug.cgi?id=193423
1849         <rdar://problem/46209355>
1850
1851         Reviewed by Saam Barati.
1852
1853         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1854         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1855         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1856         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1857
1858 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1859
1860         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1861         https://bugs.webkit.org/show_bug.cgi?id=193438
1862         <rdar://problem/45581249>
1863
1864         Reviewed by Saam Barati and Keith Miller.
1865
1866         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1867         Then, GetByVal(String) crashed.
1868
1869         * stress/string-get-by-val-lowering.js: Added.
1870         (shouldBe):
1871         (test):
1872         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1873         (Hello):
1874         (foo):
1875
1876 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1877
1878         Unreviewed, skip JIT tests if it's not enabled
1879
1880         * stress/bit-op-with-object-returning-int32.js:
1881
1882 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1883
1884         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1885         https://bugs.webkit.org/show_bug.cgi?id=192966
1886
1887         Reviewed by Yusuke Suzuki.
1888
1889         * stress/bit-op-with-object-returning-int32.js: Added.
1890
1891 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1892
1893         Skip a slow test and a flakey test on arm
1894
1895         Unreviewed gardening.
1896
1897         * typeProfiler/getter-richards.js:
1898         this test always times out, it used to be always skipped on arm and
1899         mips, but got accidentally enabled by r237919 now that we have DFG on
1900         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1901
1902 2019-01-14  Keith Miller  <keith_miller@apple.com>
1903
1904         Skip type-check-hoisting-phase-hoist... with no jit
1905         https://bugs.webkit.org/show_bug.cgi?id=193421
1906
1907         Reviewed by Mark Lam.
1908
1909         It's timing out the 32-bit bots and takes 330 seconds
1910         on my machine when run by itself.
1911
1912         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1913
1914 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1915
1916         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1917         https://bugs.webkit.org/show_bug.cgi?id=193413
1918         <rdar://problem/46092389>
1919
1920         Reviewed by Keith Miller.
1921
1922         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1923         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1924         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1925         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1926
1927         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1928         (compareArray):
1929
1930 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1931
1932         [BigInt] Literal parsing is crashing when used inside a Object Literal
1933         https://bugs.webkit.org/show_bug.cgi?id=193404
1934
1935         Reviewed by Yusuke Suzuki.
1936
1937         * stress/big-int-literal-inside-literal-object.js: Added.
1938
1939 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1940
1941         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1942         https://bugs.webkit.org/show_bug.cgi?id=193372
1943
1944         Reviewed by Saam Barati.
1945
1946         * stress/typed-array-array-modes-profile.js: Added.
1947         (foo):
1948
1949 2019-01-14  Mark Lam  <mark.lam@apple.com>
1950
1951         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1952         https://bugs.webkit.org/show_bug.cgi?id=193402
1953         <rdar://problem/46012309>
1954
1955         Reviewed by Keith Miller.
1956
1957         * stress/regexp-compile-oom.js:
1958         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1959           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1960
1961 2019-01-11  Saam barati  <sbarati@apple.com>
1962
1963         DFG combined liveness can be wrong for terminal basic blocks
1964         https://bugs.webkit.org/show_bug.cgi?id=193304
1965         <rdar://problem/45268632>
1966
1967         Reviewed by Yusuke Suzuki.
1968
1969         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1970
1971 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1972
1973         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1974         https://bugs.webkit.org/show_bug.cgi?id=193308
1975         <rdar://problem/45546542>
1976
1977         Reviewed by Saam Barati.
1978
1979         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1980         (shouldThrow):
1981         (shouldBe):
1982         (foo):
1983         (get shouldThrow):
1984         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1985         (shouldThrow):
1986         (shouldBe):
1987         (foo):
1988         (get shouldBe):
1989         (get shouldThrow):
1990         (get return):
1991         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1992         (shouldThrow):
1993         (shouldBe):
1994         (foo):
1995         (get shouldBe):
1996         (get shouldThrow):
1997         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1998         (shouldThrow):
1999         (shouldBe):
2000         (foo):
2001         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2002         (shouldThrow):
2003         (shouldBe):
2004         (foo):
2005         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
2006         (shouldThrow):
2007         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
2008         (shouldThrow):
2009         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
2010         (shouldThrow):
2011         (shouldBe):
2012         (foo):
2013         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
2014         (shouldThrow):
2015         (shouldBe):
2016         (foo):
2017         (get shouldBe):
2018         (get shouldThrow):
2019         (get return):
2020         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
2021         (shouldThrow):
2022         (shouldBe):
2023         (foo):
2024         (get shouldBe):
2025         (get shouldThrow):
2026         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
2027         (shouldThrow):
2028         (shouldBe):
2029         (foo):
2030         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
2031         (shouldThrow):
2032         (shouldBe):
2033         (foo):
2034
2035 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
2036
2037         Enable DFG on ARM/Linux again
2038         https://bugs.webkit.org/show_bug.cgi?id=192496
2039
2040         Reviewed by Yusuke Suzuki.
2041
2042         Test wasn't really skipped before moving the line with skip
2043         to the top.
2044
2045         * stress/regress-192717.js:
2046
2047 2019-01-10  Commit Queue  <commit-queue@webkit.org>
2048
2049         Unreviewed, rolling out r239825.
2050         https://bugs.webkit.org/show_bug.cgi?id=193330
2051
2052         Broke tests on armv7/linux bots (Requested by guijemont on
2053         #webkit).
2054
2055         Reverted changeset:
2056
2057         "Enable DFG on ARM/Linux again"
2058         https://bugs.webkit.org/show_bug.cgi?id=192496
2059         https://trac.webkit.org/changeset/239825
2060
2061 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
2062
2063         Enable DFG on ARM/Linux again
2064         https://bugs.webkit.org/show_bug.cgi?id=192496
2065
2066         Reviewed by Yusuke Suzuki.
2067
2068         Test wasn't really skipped before moving the line with skip
2069         to the top.
2070
2071         * stress/regress-192717.js:
2072
2073 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2074
2075         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
2076         https://bugs.webkit.org/show_bug.cgi?id=193127
2077
2078         Reviewed by Saam Barati.
2079
2080         * stress/array-species-create-should-handle-masquerader.js: Added.
2081         (shouldThrow):
2082         * stress/is-undefined-or-null-builtin.js: Added.
2083         (shouldBe):
2084         (isUndefinedOrNull.vm.createBuiltin):
2085
2086 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
2087
2088         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
2089         https://bugs.webkit.org/show_bug.cgi?id=193221
2090
2091         Reviewed by Mark Lam.
2092
2093         * stress/put-by-id-flags.js: Added.
2094         (f):
2095         (g):
2096         (numberOfDFGCompiles):
2097
2098 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
2099
2100         Baseline version of get_by_id may corrupt metadata
2101         https://bugs.webkit.org/show_bug.cgi?id=193085
2102         <rdar://problem/23453006>
2103
2104         Reviewed by Saam Barati.
2105
2106         * stress/get-by-id-change-mode.js: Added.
2107         (forEach):
2108
2109 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2110
2111         [JSC] Optimize Object.prototype.toString
2112         https://bugs.webkit.org/show_bug.cgi?id=193031
2113
2114         Reviewed by Saam Barati.
2115
2116         * stress/object-tostring-changed-proto.js: Added.
2117         (shouldBe):
2118         (test):
2119         * stress/object-tostring-changed.js: Added.
2120         (shouldBe):
2121         (test):
2122         * stress/object-tostring-misc.js: Added.
2123         (shouldBe):
2124         (test):
2125         (i.switch):
2126         * stress/object-tostring-other.js: Added.
2127         (shouldBe):
2128         (test):
2129         * stress/object-tostring-untyped.js: Added.
2130         (shouldBe):
2131         (test):
2132         (i.switch):
2133
2134 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
2135
2136         test262-runner misbehaves when test file YAML has a trailing space
2137         https://bugs.webkit.org/show_bug.cgi?id=193053
2138
2139         Reviewed by Yusuke Suzuki.
2140
2141         * test262/expectations.yaml:
2142         Mark two dozen tests as passing (and correct the output of another).
2143
2144 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2145
2146         Unreviewed, JSTests gardening with memoryLimited
2147
2148         * stress/string-overflow-createError.js:
2149
2150 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
2151
2152         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
2153         https://bugs.webkit.org/show_bug.cgi?id=193050
2154
2155         Reviewed by Yusuke Suzuki.
2156
2157         * test262.yaml:
2158         * test262/expectations.yaml:
2159         Mark 16 tests as passing.
2160
2161 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2162
2163         [BigInt] Support BigInt in JSON.stringify
2164         https://bugs.webkit.org/show_bug.cgi?id=192624
2165
2166         Reviewed by Saam Barati.
2167
2168         * stress/big-int-json-stringify-to-json.js: Added.
2169         (shouldBe):
2170         (shouldThrow):
2171         (BigInt.prototype.toJSON):
2172         (shouldBe.JSON.stringify):
2173         * stress/big-int-json-stringify.js: Added.
2174         (shouldBe):
2175         (shouldThrow):
2176
2177 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2178
2179         [JSC] Implement "well-formed JSON.stringify" proposal
2180         https://bugs.webkit.org/show_bug.cgi?id=191677
2181
2182         Reviewed by Darin Adler.
2183
2184         * stress/json-surrogate-pair.js: Added.
2185         (shouldBe):
2186         * test262/expectations.yaml:
2187
2188 2018-12-20  Keith Miller  <keith_miller@apple.com>
2189
2190         Add support for globalThis
2191         https://bugs.webkit.org/show_bug.cgi?id=165171
2192
2193         Reviewed by Mark Lam.
2194
2195         * test262/config.yaml:
2196
2197 2018-12-19  Keith Miller  <keith_miller@apple.com>
2198
2199         Update test262 configuration to not run tests dependent on ICU version.
2200         https://bugs.webkit.org/show_bug.cgi?id=192920
2201
2202         Reviewed by Saam Barati.
2203
2204         * test262/expectations.yaml:
2205
2206 2018-12-20  Mark Lam  <mark.lam@apple.com>
2207
2208         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
2209         https://bugs.webkit.org/show_bug.cgi?id=192939
2210         <rdar://problem/46869516>
2211
2212         Reviewed by Keith Miller.
2213
2214         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2215
2216 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
2217
2218         WTF::String and StringImpl overflow MaxLength
2219         https://bugs.webkit.org/show_bug.cgi?id=192853
2220         <rdar://problem/45726906>
2221
2222         Reviewed by Mark Lam.
2223
2224         * stress/string-16bit-repeat-overflow.js: Added.
2225         (catch):
2226
2227 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
2228
2229         Unreviewed follow-up to r192914.
2230
2231         * test262/expectations.yaml:
2232         Add the last 20 missing expectations.
2233
2234 2018-12-19  Keith Miller  <keith_miller@apple.com>
2235
2236         Fix test262 expectations
2237         https://bugs.webkit.org/show_bug.cgi?id=192914
2238
2239         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
2240
2241         * test262/expectations.yaml:
2242
2243 2018-12-19  Keith Miller  <keith_miller@apple.com>
2244
2245         Update test262 tests.
2246         https://bugs.webkit.org/show_bug.cgi?id=192907
2247
2248         Rubber stamped by Mark Lam.
2249
2250         * test262/*: Omitted because prepare-changelog crashes.
2251
2252 2018-12-19  Mark Lam  <mark.lam@apple.com>
2253
2254         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
2255         https://bugs.webkit.org/show_bug.cgi?id=192464
2256         <rdar://problem/46519455>
2257
2258         Reviewed by Saam Barati.
2259
2260         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
2261         microbenchmark.
2262
2263         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
2264         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2265
2266 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
2267
2268         String overflow in JSC::createError results in ASSERT in WTF::makeString
2269         https://bugs.webkit.org/show_bug.cgi?id=192833
2270         <rdar://problem/45706868>
2271
2272         Reviewed by Mark Lam.
2273
2274         * stress/string-overflow-createError.js: Added.
2275
2276 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2277
2278         Error message for `-x ** y` contains a typo.
2279         https://bugs.webkit.org/show_bug.cgi?id=192832
2280
2281         Reviewed by Saam Barati.
2282
2283         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
2284         (assert.assert.return.throws):
2285         * stress/pow-expects-update-expression-on-lhs.js:
2286         (throw.new.Error):
2287         Update test expectations which match against the exact error message.
2288
2289 2018-12-18  Mark Lam  <mark.lam@apple.com>
2290
2291         Gardening: test options fix.
2292         https://bugs.webkit.org/show_bug.cgi?id=192822
2293
2294         Unreviewed.
2295
2296         * stress/json-stringify-string-builder-overflow.js:
2297
2298 2018-12-18  Mark Lam  <mark.lam@apple.com>
2299
2300         JSON.stringify() should throw OOM on StringBuilder overflows.
2301         https://bugs.webkit.org/show_bug.cgi?id=192822
2302         <rdar://problem/46670577>
2303
2304         Reviewed by Saam Barati.
2305
2306         * stress/json-stringify-string-builder-overflow.js: Added.
2307
2308 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
2309
2310         Redeclaration of var over let/const/class should be a syntax error.
2311         https://bugs.webkit.org/show_bug.cgi?id=192298
2312
2313         Reviewed by Keith Miller.
2314
2315         * test262.yaml:
2316         * test262/expectations.yaml:
2317         Mark 46 tests as passing.
2318
2319         * stress/block-scope-redeclarations.js:
2320         Add some new tests.
2321
2322         * stress/for-in-invalidate-context-weird-assignments.js:
2323         * stress/for-in-tests.js:
2324         Replace tests for outdated behavior with tests for SyntaxError.
2325
2326         * ChakraCore/test/LetConst/defer3.baseline-jsc:
2327         * ChakraCore/test/LetConst/letvar.baseline-jsc:
2328         Update expectations.
2329
2330 2018-12-18  Mark Lam  <mark.lam@apple.com>
2331
2332         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
2333         https://bugs.webkit.org/show_bug.cgi?id=191374
2334         <rdar://problem/46525447>
2335
2336         Reviewed by Yusuke Suzuki.
2337
2338         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
2339
2340         * stress/elidable-new-object-roflcopter-then-exit.js:
2341
2342 2018-12-17  Mark Lam  <mark.lam@apple.com>
2343
2344         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
2345         https://bugs.webkit.org/show_bug.cgi?id=192019
2346         <rdar://problem/46525456>
2347
2348         Reviewed by Yusuke Suzuki.
2349
2350         The test runs too slow on 32-bit.
2351
2352         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2353
2354 2018-12-17  Mark Lam  <mark.lam@apple.com>
2355
2356         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
2357         https://bugs.webkit.org/show_bug.cgi?id=191373
2358         <rdar://problem/46525458>
2359
2360         Reviewed by Yusuke Suzuki.
2361
2362         The test is already slow running with a JIT on 64-bit.  It will always timeout
2363         on 32-bit without a JIT.
2364
2365         * stress/materialize-regexp-cyclic-regexp.js:
2366
2367 2018-12-17  Mark Lam  <mark.lam@apple.com>
2368
2369         Array unshift/shift should not race against the AI in the compiler thread.
2370         https://bugs.webkit.org/show_bug.cgi?id=192795
2371         <rdar://problem/46724263>
2372
2373         Reviewed by Saam Barati.
2374
2375         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2376
2377 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2378
2379         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2380         https://bugs.webkit.org/show_bug.cgi?id=190047
2381
2382         Reviewed by Saam Barati.
2383
2384         * stress/object-keys-cached-zero.js: Added.
2385         (shouldBe):
2386         (test):
2387         * stress/object-keys-changed-attribute.js: Added.
2388         (shouldBe):
2389         (test):
2390         * stress/object-keys-changed-index.js: Added.
2391         (shouldBe):
2392         (test):
2393         * stress/object-keys-changed.js: Added.
2394         (shouldBe):
2395         (test):
2396         * stress/object-keys-indexed-non-cache.js: Added.
2397         (shouldBe):
2398         (test):
2399         * stress/object-keys-overrides-get-property-names.js: Added.
2400         (shouldBe):
2401         (test):
2402         (noInline):
2403
2404 2018-12-17  Mark Lam  <mark.lam@apple.com>
2405
2406         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
2407         https://bugs.webkit.org/show_bug.cgi?id=192779
2408         <rdar://problem/46775869>
2409
2410         Reviewed by Saam Barati.
2411
2412         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2413
2414 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
2415
2416         Unreviewed test gardening, address a syntax error in a new test.
2417
2418         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2419
2420 2018-12-17  Mark Lam  <mark.lam@apple.com>
2421
2422         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
2423         https://bugs.webkit.org/show_bug.cgi?id=192776
2424         <rdar://problem/46772368>
2425
2426         Reviewed by Keith Miller.
2427
2428         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2429
2430 2018-12-17  Mark Lam  <mark.lam@apple.com>
2431
2432         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
2433         https://bugs.webkit.org/show_bug.cgi?id=192770
2434         <rdar://problem/46449037>
2435
2436         Reviewed by Keith Miller.
2437
2438         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2439
2440 2018-12-14  Mark Lam  <mark.lam@apple.com>
2441
2442         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
2443         https://bugs.webkit.org/show_bug.cgi?id=192717
2444         <rdar://problem/46660677>
2445
2446         Reviewed by Saam Barati.
2447
2448         * stress/regress-192717.js: Added.
2449
2450 2018-12-14  Commit Queue  <commit-queue@webkit.org>
2451
2452         Unreviewed, rolling out r239153, r239154, and r239155.
2453         https://bugs.webkit.org/show_bug.cgi?id=192715
2454
2455         Caused flaky GC-related crashes seen with layout tests
2456         (Requested by ryanhaddad on #webkit).
2457
2458         Reverted changesets:
2459
2460         "[JSC] Optimize Object.keys by caching own keys results in
2461         StructureRareData"
2462         https://bugs.webkit.org/show_bug.cgi?id=190047
2463         https://trac.webkit.org/changeset/239153
2464
2465         "Unreviewed, build fix after r239153"
2466         https://bugs.webkit.org/show_bug.cgi?id=190047
2467         https://trac.webkit.org/changeset/239154
2468
2469         "Unreviewed, build fix after r239153, part 2"
2470         https://bugs.webkit.org/show_bug.cgi?id=190047
2471         https://trac.webkit.org/changeset/239155
2472
2473 2018-12-14  Keith Miller  <keith_miller@apple.com>
2474
2475         Callers of JSString::getIndex should check for OOM exceptions
2476         https://bugs.webkit.org/show_bug.cgi?id=192709
2477
2478         Reviewed by Mark Lam.
2479
2480         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2481
2482 2018-12-13  Mark Lam  <mark.lam@apple.com>
2483
2484         Add a missing exception check.
2485         https://bugs.webkit.org/show_bug.cgi?id=192626
2486         <rdar://problem/46662163>
2487
2488         Reviewed by Keith Miller.
2489
2490         * stress/regress-192626.js: Added.
2491
2492 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
2493
2494         [BigInt] Add ValueDiv into DFG
2495         https://bugs.webkit.org/show_bug.cgi?id=186178
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * stress/big-int-div-jit-osr.js: Added.
2500         * stress/big-int-div-jit-untyped.js: Added.
2501         * stress/value-div-fixup-int32-big-int.js: Added.
2502
2503 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2504
2505         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
2506         https://bugs.webkit.org/show_bug.cgi?id=190047
2507
2508         Reviewed by Keith Miller.
2509
2510         * stress/object-keys-cached-zero.js: Added.
2511         (shouldBe):
2512         (test):
2513         * stress/object-keys-changed-attribute.js: Added.
2514         (shouldBe):
2515         (test):
2516         * stress/object-keys-changed-index.js: Added.
2517         (shouldBe):
2518         (test):
2519         * stress/object-keys-changed.js: Added.
2520         (shouldBe):
2521         (test):
2522         * stress/object-keys-indexed-non-cache.js: Added.
2523         (shouldBe):
2524         (test):
2525         * stress/object-keys-overrides-get-property-names.js: Added.
2526         (shouldBe):
2527         (test):
2528         (noInline):
2529
2530 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2531
2532         [DFG][FTL] Add NewSymbol
2533         https://bugs.webkit.org/show_bug.cgi?id=192620
2534
2535         Reviewed by Saam Barati.
2536
2537         * microbenchmarks/symbol-creation.js: Added.
2538         (test):
2539         * stress/symbol-description-identity.js: Added.
2540         (shouldBe):
2541         (test):
2542         * stress/symbol-identity.js: Added.
2543         (shouldBe):
2544         (test):
2545         * stress/symbol-with-description-throw-error.js: Added.
2546         (shouldBe):
2547         (shouldThrow):
2548         (test):
2549         (object.toString):
2550
2551 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2552
2553         [BigInt] Implement DFG/FTL typeof for BigInt
2554         https://bugs.webkit.org/show_bug.cgi?id=192619
2555
2556         Reviewed by Keith Miller.
2557
2558         * stress/big-int-boolean-proven-type.js: Added.
2559         (assert):
2560         (bool):
2561         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
2562         (assert):
2563         (typeOf):
2564         (i.switch):
2565         * stress/big-int-type-of-proven-type-non-constant.js: Added.
2566         (assert):
2567         (typeOf):
2568         * stress/big-int-type-of.js:
2569         (typeOf):
2570         (func):
2571
2572 2018-12-10  Mark Lam  <mark.lam@apple.com>
2573
2574         PropertyAttribute needs a CustomValue bit.
2575         https://bugs.webkit.org/show_bug.cgi?id=191993
2576         <rdar://problem/46264467>
2577
2578         Reviewed by Saam Barati.
2579
2580         * stress/regress-191993.js: Added.
2581
2582 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
2583
2584         [BigInt] Add ValueMul into DFG
2585         https://bugs.webkit.org/show_bug.cgi?id=186175
2586
2587         Reviewed by Yusuke Suzuki.
2588
2589         * stress/big-int-mul-jit-osr.js: Added.
2590         * stress/big-int-mul-jit-untyped.js: Added.
2591         * stress/value-mul-fixup-int32-big-int.js: Added.
2592
2593 2018-12-06  Keith Miller  <keith_miller@apple.com>
2594
2595         stress/big-wasm-memory tests failing on 32-bit JSC bot
2596         https://bugs.webkit.org/show_bug.cgi?id=192020
2597
2598         Reviewed by Saam Barati.
2599
2600         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
2601         the wasm stress tests if the WebAssembly object does not exist.
2602
2603         * stress/big-wasm-memory-grow-no-max.js:
2604         (test.foo):
2605         (test):
2606         (foo): Deleted.
2607         (catch): Deleted.
2608         * stress/big-wasm-memory-grow.js:
2609         (test.foo):
2610         (test):
2611         (foo): Deleted.
2612         (catch): Deleted.
2613         * stress/big-wasm-memory.js:
2614         (test.foo):
2615         (test):
2616         (foo): Deleted.
2617         (catch): Deleted.
2618
2619 2018-12-05  Mark Lam  <mark.lam@apple.com>
2620
2621         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
2622         https://bugs.webkit.org/show_bug.cgi?id=192441
2623         <rdar://problem/46480355>
2624
2625         Reviewed by Saam Barati.
2626
2627         * stress/regress-192441.js: Added.
2628
2629 2018-12-04  Mark Lam  <mark.lam@apple.com>
2630
2631         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
2632         https://bugs.webkit.org/show_bug.cgi?id=192386
2633         <rdar://problem/46445516>
2634
2635         Reviewed by Saam Barati.
2636
2637         * stress/regress-192386.js: Added.
2638
2639 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
2640
2641         [ESNext][BigInt] Support logic operations
2642         https://bugs.webkit.org/show_bug.cgi?id=179903
2643
2644         Reviewed by Yusuke Suzuki.
2645
2646         * stress/big-int-branch-usage.js: Added.
2647         * stress/big-int-logical-and.js: Added.
2648         * stress/big-int-logical-not.js: Added.
2649         * stress/big-int-logical-or.js: Added.
2650
2651 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
2652
2653         Unreviewed, rolling out r238833.
2654
2655         Breaks macOS and iOS debug builds.
2656
2657         Reverted changeset:
2658
2659         "[ESNext][BigInt] Support logic operations"
2660         https://bugs.webkit.org/show_bug.cgi?id=179903
2661         https://trac.webkit.org/changeset/238833
2662
2663 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
2664
2665         [ESNext][BigInt] Support logic operations
2666         https://bugs.webkit.org/show_bug.cgi?id=179903
2667
2668         Reviewed by Yusuke Suzuki.
2669
2670         * stress/big-int-branch-usage.js: Added.
2671         * stress/big-int-logical-and.js: Added.
2672         * stress/big-int-logical-not.js: Added.
2673         * stress/big-int-logical-or.js: Added.
2674
2675 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
2676
2677         [ESNext][BigInt] Implement support for "<<" and ">>"
2678         https://bugs.webkit.org/show_bug.cgi?id=186233
2679
2680         Reviewed by Yusuke Suzuki.
2681
2682         * stress/big-int-left-shift-general.js: Added.
2683         * stress/big-int-left-shift-range-error.js: Added.
2684         * stress/big-int-left-shift-type-error.js: Added.
2685         * stress/big-int-left-shift-wrapped-value.js: Added.
2686         * stress/big-int-right-shift-general.js: Added.
2687         * stress/big-int-right-shift-type-error.js: Added.
2688         * stress/big-int-right-shift-wrapped-value.js: Added.
2689         * stress/left-shift-to-primitive-precedence.js: Added.
2690         * stress/right-shift-to-primitive-precedence.js: Added.
2691
2692 2018-11-30  Dean Jackson  <dino@apple.com>
2693
2694         Add first-class support for .mjs files in jsc binary
2695         https://bugs.webkit.org/show_bug.cgi?id=192190
2696         <rdar://problem/46375715>
2697
2698         Reviewed by Keith Miller.
2699
2700         * stress/simple-module.mjs: Added.
2701         * stress/simple-script.js: Added.
2702
2703 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2704
2705         [BigInt] Implement ValueBitXor into DFG
2706         https://bugs.webkit.org/show_bug.cgi?id=190264
2707
2708         Reviewed by Yusuke Suzuki.
2709
2710         * stress/big-int-bitwise-xor-jit.js: Added.
2711         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2712         * stress/big-int-bitwise-xor-untyped.js: Added.
2713
2714 2018-11-27  Saam barati  <sbarati@apple.com>
2715
2716         r238510 broke scopes of size zero
2717         https://bugs.webkit.org/show_bug.cgi?id=192033
2718         <rdar://problem/46281734>
2719
2720         Reviewed by Keith Miller.
2721
2722         * stress/r238510-bad-loop.js: Added.
2723         (foo):
2724
2725 2018-11-27  Mark Lam  <mark.lam@apple.com>
2726
2727         [Re-landing] NaNs read from Wasm code needs to be be purified.
2728         https://bugs.webkit.org/show_bug.cgi?id=191056
2729         <rdar://problem/45660341>
2730
2731         Reviewed by Filip Pizlo.
2732
2733         * wasm/regress/regress-191056.js: Added.
2734
2735 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2736
2737         Unreviewed, rolling out r238509.
2738
2739         Causes JSC tests to fail on iOS.
2740
2741         Reverted changeset:
2742
2743         "NaNs read from Wasm code needs to be be purified."
2744         https://bugs.webkit.org/show_bug.cgi?id=191056
2745         https://trac.webkit.org/changeset/238509
2746
2747 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2748
2749         Re-introduce op_bitnot
2750         https://bugs.webkit.org/show_bug.cgi?id=190923
2751
2752         Reviewed by Yusuke Suzuki.
2753
2754         * stress/bit-not-must-generate.js: Added.
2755         * stress/bitwise-not-no-int32.js: Added.
2756
2757 2018-11-26  Saam barati  <sbarati@apple.com>
2758
2759         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2760         https://bugs.webkit.org/show_bug.cgi?id=191956
2761         <rdar://problem/45665806>
2762
2763         Reviewed by Yusuke Suzuki.
2764
2765         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2766         (bar):
2767         (foo):
2768
2769 2018-11-26  Saam barati  <sbarati@apple.com>
2770
2771         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2772         https://bugs.webkit.org/show_bug.cgi?id=191958
2773         <rdar://problem/46221877>
2774
2775         Reviewed by Yusuke Suzuki.
2776
2777         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2778         (x):
2779         (foo):
2780
2781 2018-11-26  Mark Lam  <mark.lam@apple.com>
2782
2783         NaNs read from Wasm code needs to be be purified.
2784         https://bugs.webkit.org/show_bug.cgi?id=191056
2785         <rdar://problem/45660341>
2786
2787         Reviewed by Filip Pizlo.
2788
2789         * wasm/regress/regress-191056.js: Added.
2790
2791 2018-11-26  Michael Saboff  <msaboff@apple.com>
2792
2793         32-bit JSC test failure: stress/regexp-compile-oom.js
2794         https://bugs.webkit.org/show_bug.cgi?id=191375
2795
2796         Reviewed by Mark Lam.
2797
2798         Disabled the test for 32 bit platforms.
2799
2800         * stress/regexp-compile-oom.js:
2801
2802 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2803
2804         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2805         https://bugs.webkit.org/show_bug.cgi?id=191716
2806         <rdar://problem/45723878>
2807
2808         Reviewed by Saam Barati.
2809
2810         * stress/regress-187373.js: Added.
2811         (async.fn):
2812
2813 2018-11-21  Saam barati  <sbarati@apple.com>
2814
2815         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2816         https://bugs.webkit.org/show_bug.cgi?id=191897
2817         <rdar://problem/45871998>
2818
2819         Reviewed by Mark Lam.
2820
2821         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2822         (bar):
2823         (foo):
2824
2825 2018-11-21  Saam barati  <sbarati@apple.com>
2826
2827         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2828         https://bugs.webkit.org/show_bug.cgi?id=191895
2829         <rdar://problem/46167406>
2830
2831         Reviewed by Mark Lam.
2832
2833         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2834         (foo):
2835         (bar):
2836
2837 2018-11-21  Mark Lam  <mark.lam@apple.com>
2838
2839         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2840         https://bugs.webkit.org/show_bug.cgi?id=191776
2841         <rdar://problem/46152851>
2842
2843         Reviewed by Saam Barati.
2844
2845         * stress/big-wasm-memory-grow-no-max.js:
2846         * stress/big-wasm-memory-grow.js:
2847         * stress/big-wasm-memory.js:
2848         - updated these to expect an OutOfMemoryError.
2849
2850         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2851         (Binary.prototype.emit_u8):
2852         (Binary.prototype.emit_u32v):
2853         (Binary.prototype.emit_header):
2854         (Binary.prototype.emit_section):
2855         (Binary):
2856         (WasmModuleBuilder):
2857         (WasmModuleBuilder.prototype.addMemory):
2858         (WasmModuleBuilder.prototype.toArray):
2859         (WasmModuleBuilder.prototype.toBuffer):
2860         (WasmModuleBuilder.prototype.instantiate):
2861         (catch):
2862         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2863         (catch):
2864
2865 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2866
2867         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2868         https://bugs.webkit.org/show_bug.cgi?id=190836
2869
2870         Reviewed by Saam Barati and Yusuke Suzuki.
2871
2872         * stress/big-int-out-of-memory-tests.js: Added.
2873
2874 2018-11-20  Mark Lam  <mark.lam@apple.com>
2875
2876         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2877         https://bugs.webkit.org/show_bug.cgi?id=191856
2878         <rdar://problem/46089992>
2879
2880         Reviewed by Yusuke Suzuki.
2881
2882         * stress/regress-191856.js: Added.
2883         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2884
2885 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2886
2887         Enable JIT on ARM/Linux
2888         https://bugs.webkit.org/show_bug.cgi?id=191548
2889
2890         Reviewed by Yusuke Suzuki.
2891
2892         Disable test on system with limited memory. Program was killed by
2893         the OS before the exception was thrown.
2894
2895         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2896
2897 2018-11-20  Saam barati  <sbarati@apple.com>
2898
2899         Merging an IC variant may lead to the IC status containing overlapping structure sets
2900         https://bugs.webkit.org/show_bug.cgi?id=191869
2901         <rdar://problem/45403453>
2902
2903         Reviewed by Mark Lam.
2904
2905         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2906
2907 2018-11-19  Mark Lam  <mark.lam@apple.com>
2908
2909         globalFuncImportModule() should return a promise when it clears exceptions.
2910         https://bugs.webkit.org/show_bug.cgi?id=191792
2911         <rdar://problem/46090763>
2912
2913         Reviewed by Michael Saboff.
2914
2915         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2916
2917 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2918
2919         Skip new memory-hungry tests on memory limited devices
2920
2921         Unreviewed gardening.
2922
2923         * stress/big-wasm-memory-grow-no-max.js:
2924         * stress/big-wasm-memory-grow.js:
2925         * stress/big-wasm-memory.js:
2926
2927 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2928
2929         Unreviewed, rolling in the rest of r237254
2930         https://bugs.webkit.org/show_bug.cgi?id=190340
2931
2932         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2933         * stress/function-cache-with-parameters-end-position.js: Added.
2934         (shouldBe):
2935         (shouldThrow):
2936         (i.anonymous):
2937         * stress/function-constructor-name.js: Added.
2938         (shouldBe):
2939         (GeneratorFunction):
2940         (AsyncFunction.async):
2941         (AsyncGeneratorFunction.async):
2942         (anonymous):
2943         (async.anonymous):
2944         * test262/expectations.yaml:
2945
2946 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2947
2948         All users of ArrayBuffer should agree on the same max size
2949         https://bugs.webkit.org/show_bug.cgi?id=191771
2950
2951         Reviewed by Mark Lam.
2952
2953         * stress/big-wasm-memory-grow-no-max.js: Added.
2954         (foo):
2955         (catch):
2956         * stress/big-wasm-memory-grow.js: Added.
2957         (foo):
2958         (catch):
2959         * stress/big-wasm-memory.js: Added.
2960         (foo):
2961         (catch):
2962
2963 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2964
2965         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2966         run for each JSC config since they're regression tests for runtime bugs.
2967
2968         * stress/json-stringified-overflow-2.js:
2969         * stress/json-stringified-overflow.js:
2970
2971 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2972
2973         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2974         config since they're regression tests for runtime bugs.
2975
2976         * stress/large-unshift-splice.js:
2977         * stress/regress-185888.js:
2978
2979 2018-11-16  Saam Barati  <sbarati@apple.com>
2980
2981         KnownCellUse should also have SpecCellCheck as its type filter
2982         https://bugs.webkit.org/show_bug.cgi?id=191729
2983         <rdar://problem/45872852>
2984
2985         Reviewed by Filip Pizlo.
2986
2987         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2988         (C):
2989
2990 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2991
2992         Fix assertion failure on BytecodeGenerator::recordOpcode
2993         https://bugs.webkit.org/show_bug.cgi?id=191724
2994         <rdar://problem/45724395>
2995
2996         Reviewed by Saam Barati.
2997
2998         * stress/regress-187373-2.js: Added.
2999         (foo):
3000
3001 2018-11-15  Mark Lam  <mark.lam@apple.com>
3002
3003         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
3004         https://bugs.webkit.org/show_bug.cgi?id=191730
3005         <rdar://problem/46048517>
3006
3007         Reviewed by Saam Barati.
3008
3009         * stress/regress-187006.js: Removed.
3010           - this test is invalid because its sole purpose is to test for the non-spec
3011             compliant behavior that we just fixed.
3012
3013         * stress/regress-191730.js: Added.
3014
3015 2018-11-15  Mark Lam  <mark.lam@apple.com>
3016
3017         RegExp operations should not take fast patch if lastIndex is not numeric.
3018         https://bugs.webkit.org/show_bug.cgi?id=191731
3019         <rdar://problem/46017305>
3020
3021         Reviewed by Saam Barati.
3022
3023         * stress/regress-191731.js: Added.
3024
3025 2018-11-13  Saam Barati  <sbarati@apple.com>
3026
3027         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
3028         https://bugs.webkit.org/show_bug.cgi?id=191600
3029
3030         Reviewed by Mark Lam.
3031
3032         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
3033         (foo):
3034         (test):
3035         (bar):
3036
3037 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
3038
3039         Unreviewed, rolling out r238132.
3040
3041         The test added with this change is timing out on Debug JSC
3042         bots.
3043
3044         Reverted changeset:
3045
3046         "[BigInt] JSBigInt::createWithLength should throw when length
3047         is greater than JSBigInt::maxLength"
3048         https://bugs.webkit.org/show_bug.cgi?id=190836
3049         https://trac.webkit.org/changeset/238132
3050
3051 2018-11-13  Mark Lam  <mark.lam@apple.com>
3052
3053         Add OOM detection to StringPrototype's substituteBackreferences().
3054         https://bugs.webkit.org/show_bug.cgi?id=191563
3055         <rdar://problem/45720428>
3056
3057         Reviewed by Saam Barati.
3058
3059         * stress/regress-191563.js: Added.
3060
3061 2018-11-13  Mark Lam  <mark.lam@apple.com>
3062
3063         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
3064         https://bugs.webkit.org/show_bug.cgi?id=191579
3065         <rdar://problem/45942472>
3066
3067         Reviewed by Saam Barati.
3068
3069         * stress/regress-191579.js: Added.
3070
3071 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
3072
3073         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
3074         https://bugs.webkit.org/show_bug.cgi?id=190836
3075
3076         Reviewed by Saam Barati.
3077
3078         * stress/big-int-out-of-memory-tests.js: Added.
3079
3080 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
3081
3082         U+180E is no longer a whitespace character
3083         https://bugs.webkit.org/show_bug.cgi?id=191415
3084
3085         Reviewed by Saam Barati.
3086
3087         * ChakraCore/test/es5/regexSpace.baseline:
3088         * ChakraCore/test/es6/unicode_whitespace.js:
3089         Update tests to latest version.
3090         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
3091
3092         * test262.yaml:
3093         * test262/config.yaml:
3094         * test262/expectations.yaml:
3095         Update expectations.
3096
3097 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
3098
3099         [BigInt] Add support to BigInt into ValueAdd
3100         https://bugs.webkit.org/show_bug.cgi?id=186177
3101
3102         Reviewed by Keith Miller.
3103
3104         * stress/big-int-negate-jit.js:
3105         * stress/value-add-big-int-and-string.js: Added.
3106         * stress/value-add-big-int-prediction-propagation.js: Added.
3107         * stress/value-add-big-int-untyped.js: Added.
3108
3109 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
3110
3111         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
3112         https://bugs.webkit.org/show_bug.cgi?id=191184
3113
3114         Reviewed by Saam Barati.
3115
3116         Most tests were failing due to timeouts, since they are too slow to
3117         run on CLoop. The exceptions are:
3118
3119         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
3120         dont-crash-on-stack-overflow-when-parsing-builtin.js and
3121         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
3122         to change the stack size since CLoop requires it to be page aligned.
3123
3124         * microbenchmarks/array-push-1.js:
3125         * microbenchmarks/array-push-2.js:
3126         * microbenchmarks/elidable-new-object-dag.js:
3127         * microbenchmarks/elidable-new-object-roflcopter.js:
3128         * microbenchmarks/elidable-new-object-tree.js:
3129         * microbenchmarks/getter-richards.js:
3130         * microbenchmarks/sinkable-new-object-dag.js:
3131         * microbenchmarks/string-concat-long-convert.js:
3132         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
3133         * slowMicrobenchmarks/array-push-3.js:
3134         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
3135         * slowMicrobenchmarks/spread-small-array.js:
3136         * slowMicrobenchmarks/undefined-property-access.js:
3137         * stress/activation-sink-default-value-tdz-error.js:
3138         * stress/activation-sink-default-value.js:
3139         * stress/activation-sink-osrexit-default-value-tdz-error.js:
3140         * stress/activation-sink-osrexit-default-value.js:
3141         * stress/activation-sink-osrexit.js:
3142         * stress/activation-sink.js:
3143         * stress/allow-math-ic-b3-code-duplication.js:
3144         * stress/array-push-multiple-int32.js:
3145         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
3146         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
3147         * stress/arrowfunction-lexical-this-activation-sink.js:
3148         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
3149         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
3150         * stress/elide-new-object-dag-then-exit.js:
3151         * stress/materialize-regexp-cyclic.js:
3152         * stress/new-regex-inline.js:
3153         * stress/op_add.js:
3154         * stress/op_bitand.js:
3155         * stress/op_bitor.js:
3156         * stress/op_bitxor.js:
3157         * stress/op_div-ConstVar.js:
3158         * stress/op_div-VarConst.js:
3159         * stress/op_div-VarVar.js:
3160         * stress/op_lshift-ConstVar.js:
3161         * stress/op_lshift-VarConst.js:
3162         * stress/op_lshift-VarVar.js:
3163         * stress/op_mod-ConstVar.js:
3164         * stress/op_mod-VarConst.js:
3165         * stress/op_mod-VarVar.js:
3166         * stress/op_mul-ConstVar.js:
3167         * stress/op_mul-VarConst.js:
3168         * stress/op_mul-VarVar.js:
3169         * stress/op_rshift-ConstVar.js:
3170         * stress/op_rshift-VarConst.js:
3171         * stress/op_rshift-VarVar.js:
3172         * stress/op_sub-ConstVar.js:
3173         * stress/op_sub-VarConst.js:
3174         * stress/op_sub-VarVar.js:
3175         * stress/op_urshift-ConstVar.js:
3176         * stress/op_urshift-VarConst.js:
3177         * stress/op_urshift-VarVar.js:
3178         * stress/proxy-get-set-correct-receiver.js:
3179         * stress/regress-179562.js:
3180         * stress/rest-parameter-many-arguments.js:
3181         * stress/sampling-profiler-richards.js:
3182         * stress/splay-flash-access-1ms.js:
3183         * stress/tailCallForwardArguments.js:
3184         * stress/typed-array-get-by-val-profiling.js:
3185         * typeProfiler/getter-richards.js:
3186
3187 2018-11-06  Michael Saboff  <msaboff@apple.com>
3188
3189         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
3190         https://bugs.webkit.org/show_bug.cgi?id=191271
3191
3192         Reviewed by Saam Barati.
3193
3194         Added more test cases and made all test cases run with the same deeply recursive stack
3195         instead of finding that same point for each test case.
3196
3197         * stress/regexp-compile-oom.js:
3198         (prototype.runTest):
3199         (recurseAndTest):
3200         (testList.push.new.TestAndExpectedException):
3201
3202 2018-11-05  Michael Saboff  <msaboff@apple.com>
3203
3204         Unreviewed build fix for linux.
3205
3206         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
3207
3208 2018-11-02  Michael Saboff  <msaboff@apple.com>
3209
3210         Rolling in r237753 with unreviewed build fix.
3211
3212         Fixed issues with DECLARE_THROW_SCOPE placement.
3213
3214 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
3215
3216         Unreviewed, rolling out r237753.
3217
3218         Introduced JSC test failures
3219
3220         Reverted changeset:
3221
3222         "Running out of stack space not properly handled in
3223         RegExp::compile() and its callers"
3224         https://bugs.webkit.org/show_bug.cgi?id=191206
3225         https://trac.webkit.org/changeset/237753
3226
3227 2018-11-02  Michael Saboff  <msaboff@apple.com>
3228
3229         Running out of stack space not properly handled in RegExp::compile() and its callers
3230         https://bugs.webkit.org/show_bug.cgi?id=191206
3231
3232         Reviewed by Filip Pizlo.
3233
3234         New regression test.
3235
3236         * stress/regexp-compile-oom.js: Added.
3237         (recurseAndTest):
3238
3239 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
3240
3241         Skip tests on arm/mips that time out now we're running on CLoop
3242
3243         Unreviewed gardening.
3244
3245         Since the JIT is temporarily disabled on 32-bit platforms, these tests
3246         time out on the bots and need to be disabled. There's more tests
3247         disabled on arm because the timeout is longer on the mips bot (as the
3248         device is slower to start with), so many of the tests don't time out
3249         there.
3250
3251         * microbenchmarks/getter-richards.js: disable on arm and mips.
3252         * stress/op_add.js: disable on arm.
3253         * stress/op_bitand.js: disable on arm.
3254         * stress/op_bitor.js: disable on arm.
3255         * stress/op_bitxor.js: disable on arm.
3256         * stress/op_lshift-ConstVar.js: disable on arm.
3257         * stress/op_lshift-VarConst.js: disable on arm.
3258         * stress/op_lshift-VarVar.js: disable on arm.
3259         * stress/op_mod-ConstVar.js: disable on arm.
3260         * stress/op_mod-VarConst.js: disable on arm.
3261         * stress/op_mod-VarVar.js: disable on arm.
3262         * stress/op_mul-ConstVar.js: disable on arm.
3263         * stress/op_mul-VarConst.js: disable on arm.
3264         * stress/op_mul-VarVar.js: disable on arm.
3265         * stress/op_rshift-ConstVar.js: disable on arm.
3266         * stress/op_rshift-VarConst.js: disable on arm.
3267         * stress/op_rshift-VarVar.js: disable on arm.
3268         * stress/op_sub-ConstVar.js: disable on arm.
3269         * stress/op_sub-VarConst.js: disable on arm.
3270         * stress/op_sub-VarVar.js: disable on arm.
3271         * stress/op_urshift-ConstVar.js: disable on arm.
3272         * stress/op_urshift-VarConst.js: disable on arm.
3273         * stress/op_urshift-VarVar.js: disable on arm.
3274         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
3275         * stress/value-to-boolean.js: disable on arm and mips.
3276
3277 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
3278
3279         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
3280         https://bugs.webkit.org/show_bug.cgi?id=191108
3281         <rdar://problem/45690700>
3282
3283         Reviewed by Saam Barati.
3284
3285         * stress/wide-op_catch.js: Added.
3286         (catch):
3287
3288 2018-10-29  Mark Lam  <mark.lam@apple.com>
3289
3290         Correctly detect string overflow when using the 'Function' constructor.
3291         https://bugs.webkit.org/show_bug.cgi?id=184883
3292         <rdar://problem/36320331>
3293
3294         Reviewed by Saam Barati.
3295
3296         I've verified that this passes on 32-bit as well.
3297
3298         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
3299
3300 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3301
3302         Add support for GetStack FlushedDouble
3303         https://bugs.webkit.org/show_bug.cgi?id=191012
3304         <rdar://problem/45265141>
3305
3306         Reviewed by Saam Barati.
3307
3308         * stress/get-stack-double.js: Added.
3309         (bar):
3310         (noInline):
3311
3312 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
3313
3314         New bytecode format for JSC
3315         https://bugs.webkit.org/show_bug.cgi?id=187373
3316         <rdar://problem/44186758>
3317
3318         Reviewed by Filip Pizlo.
3319
3320         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3321
3322         * stress/maximum-inline-capacity.js: Added.
3323         (test1):
3324         (test3.Foo):
3325         (test3):
3326
3327 2018-10-26  Commit Queue  <commit-queue@webkit.org>
3328
3329         Unreviewed, rolling out r237479 and r237484.
3330         https://bugs.webkit.org/show_bug.cgi?id=190978
3331
3332         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
3333
3334         Reverted changesets:
3335
3336         "New bytecode format for JSC"
3337         https://bugs.webkit.org/show_bug.cgi?id=187373
3338         https://trac.webkit.org/changeset/237479
3339
3340         "Gardening: Build fix after r237479."
3341         https://bugs.webkit.org/show_bug.cgi?id=187373
3342         https://trac.webkit.org/changeset/237484
3343
3344 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
3345
3346         New bytecode format for JSC
3347         https://bugs.webkit.org/show_bug.cgi?id=187373
3348         <rdar://problem/44186758>
3349
3350         Reviewed by Filip Pizlo.
3351
3352         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
3353
3354         * stress/maximum-inline-capacity.js: Added.
3355         (test1):
3356         (test3.Foo):
3357         (test3):
3358
3359 2018-10-26  Mark Lam  <mark.lam@apple.com>
3360
3361         Fix missing edge cases with JSGlobalObjects having a bad time.
3362         https://bugs.webkit.org/show_bug.cgi?id=189028
3363         <rdar://problem/45204939>
3364
3365         Reviewed by Saam Barati.
3366
3367         * stress/regress-189028.js: Added.
3368
3369 2018-10-22  Mark Lam  <mark.lam@apple.com>
3370
3371         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3372         https://bugs.webkit.org/show_bug.cgi?id=190515
3373         <rdar://problem/45222379>
3374
3375         Rubber-stamped by Saam Barati.
3376
3377         Adding another test.
3378
3379         * stress/regress-190515-2.js: Added.
3380
3381 2018-10-22  Mark Lam  <mark.lam@apple.com>
3382
3383         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
3384         https://bugs.webkit.org/show_bug.cgi?id=190515
3385         <rdar://problem/45222379>
3386
3387         Reviewed by Saam Barati.
3388
3389         * stress/regress-190515.js: Added.
3390
3391 2018-10-19  Commit Queue  <commit-queue@webkit.org>
3392
3393         Unreviewed, rolling out r237254.
3394         https://bugs.webkit.org/show_bug.cgi?id=190760
3395
3396         "It regresses JetStream 2 by 5% on some iOS devices"
3397         (Requested by saamyjoon on #webkit).
3398
3399         Reverted changeset:
3400
3401         "[JSC] JSC should have "parseFunction" to optimize Function
3402         constructor"
3403         https://bugs.webkit.org/show_bug.cgi?id=190340
3404         https://trac.webkit.org/changeset/237254
3405
3406 2018-10-19  Saam Barati  <sbarati@apple.com>
3407
3408         vmCall should check if we exit before emitting an OSR exit due to exceptions
3409         https://bugs.webkit.org/show_bug.cgi?id=190740
3410         <rdar://problem/45220139>
3411
3412         Reviewed by Mark Lam.
3413
3414         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
3415         (foo):
3416
3417 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3418
3419         [ESNext][BigInt] Implement support for "^"
3420         https://bugs.webkit.org/show_bug.cgi?id=186235
3421
3422         Reviewed by Yusuke Suzuki.
3423
3424         * stress/big-int-bitwise-xor-general.js: Added.
3425         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
3426         * stress/big-int-bitwise-xor-type-error.js: Added.
3427         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
3428
3429 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
3430
3431         [BigInt] Add ValueSub into DFG
3432         https://bugs.webkit.org/show_bug.cgi?id=186176
3433
3434         Reviewed by Yusuke Suzuki.
3435
3436         * stress/big-int-subtraction-jit.js:
3437         * stress/value-sub-big-int-prediction-propagation.js: Added.
3438         * stress/value-sub-big-int-untyped.js: Added.
3439         * stress/value-sub-spec-none-case.js: Added.
3440
3441 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3442
3443         [JSC] JSC should have "parseFunction" to optimize Function constructor
3444         https://bugs.webkit.org/show_bug.cgi?id=190340
3445
3446         Reviewed by Mark Lam.
3447
3448         This patch fixes the line number of syntax errors raised by the Function constructor,
3449         since we now parse the final code only once. And we no longer use block statement
3450         for Function constructor's parsing.
3451
3452         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3453         * stress/function-cache-with-parameters-end-position.js: Added.
3454         (shouldBe):
3455         (shouldThrow):
3456         (i.anonymous):
3457         * stress/function-constructor-name.js: Added.
3458         (shouldBe):
3459         (GeneratorFunction):
3460         (AsyncFunction.async):
3461         (AsyncGeneratorFunction.async):
3462         (anonymous):
3463         (async.anonymous):
3464         * test262/expectations.yaml:
3465
3466 2018-10-18  Commit Queue  <commit-queue@webkit.org>
3467
3468         Unreviewed, rolling out r237242.
3469         https://bugs.webkit.org/show_bug.cgi?id=190701
3470
3471         it breaks "stress/sampling-profiler-basic.js" (Requested by
3472         caiolima on #webkit).
3473
3474         Reverted changeset:
3475
3476         "[BigInt] Add ValueSub into DFG"
3477         https://bugs.webkit.org/show_bug.cgi?id=186176
3478         https://trac.webkit.org/changeset/237242
3479
3480 2018-10-17  Keith Miller  <keith_miller@apple.com>
3481
3482         AI does not clear Phantom allocation nodes.
3483         https://bugs.webkit.org/show_bug.cgi?id=190694
3484
3485         Reviewed by Saam Barati.
3486
3487         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
3488         (Day):
3489         (DaysInYear):
3490         (TimeInYear):
3491         (TimeFromYear):
3492         (DayFromYear):
3493         (InLeapYear):
3494         (YearFromTime):
3495         (WeekDay):
3496         (DaylightSavingTA):
3497         (GetSecondSundayInMarch):
3498         (TimeInMonth):
3499
3500 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
3501
3502         [BigInt] Add ValueSub into DFG
3503         https://bugs.webkit.org/show_bug.cgi?id=186176
3504
3505         Reviewed by Yusuke Suzuki.
3506
3507         * stress/big-int-subtraction-jit.js:
3508         * stress/value-sub-big-int-prediction-propagation.js: Added.
3509         * stress/value-sub-big-int-untyped.js: Added.
3510
3511 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
3512
3513         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
3514         https://bugs.webkit.org/show_bug.cgi?id=190611
3515
3516         Reviewed by Saam Barati.
3517
3518         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
3519         to improve test runtime. On ARM/MIPS this test even timed out when running all
3520         tests.
3521
3522         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3523         (test):
3524
3525 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
3526
3527         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
3528
3529         Unreviewed gardening.
3530
3531         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
3532
3533 2018-10-15  Saam barati  <sbarati@apple.com>
3534
3535         Emit fjcvtzs on ARM64E on Darwin
3536         https://bugs.webkit.org/show_bug.cgi?id=184023
3537
3538         Reviewed by Yusuke Suzuki and Filip Pizlo.
3539
3540         * stress/double-to-int32-NaN.js: Added.
3541         (assert):
3542         (foo):
3543
3544 2018-10-15  Saam Barati  <sbarati@apple.com>
3545
3546         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
3547         https://bugs.webkit.org/show_bug.cgi?id=190262
3548         <rdar://problem/44986241>
3549
3550         Reviewed by Mark Lam.
3551
3552         * stress/array-prototype-concat-of-long-spliced-arrays.js:
3553         (test):
3554         * stress/slice-array-storage-with-holes.js: Added.
3555         (main):
3556
3557 2018-10-15  Commit Queue  <commit-queue@webkit.org>
3558
3559         Unreviewed, rolling out r237054.
3560         https://bugs.webkit.org/show_bug.cgi?id=190593
3561
3562         "this regressed JetStream 2 by 6% on iOS" (Requested by
3563         saamyjoon on #webkit).
3564
3565         Reverted changeset:
3566
3567         "[JSC] JSC should have "parseFunction" to optimize Function
3568         constructor"
3569         https://bugs.webkit.org/show_bug.cgi?id=190340
3570         https://trac.webkit.org/changeset/237054
3571
3572 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3573
3574         [JSC] JSON.stringify can accept call-with-no-arguments
3575         https://bugs.webkit.org/show_bug.cgi?id=190343
3576
3577         Reviewed by Mark Lam.
3578
3579         * stress/json-stringify-no-arguments.js: Added.
3580         (shouldBe):
3581
3582 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3583
3584         [JSC] JSC should have "parseFunction" to optimize Function constructor
3585         https://bugs.webkit.org/show_bug.cgi?id=190340
3586
3587         Reviewed by Mark Lam.
3588
3589         This patch fixes the line number of syntax errors raised by the Function constructor,
3590         since we now parse the final code only once. And we no longer use block statement
3591         for Function constructor's parsing.
3592
3593         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
3594         * stress/function-cache-with-parameters-end-position.js: Added.
3595         (shouldBe):
3596         (shouldThrow):
3597         (i.anonymous):
3598         * stress/function-constructor-name.js: Added.
3599         (shouldBe):
3600         (GeneratorFunction):
3601         (AsyncFunction.async):
3602         (AsyncGeneratorFunction.async):
3603         (anonymous):
3604         (async.anonymous):
3605         * test262/expectations.yaml:
3606
3607 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
3608
3609         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
3610         https://bugs.webkit.org/show_bug.cgi?id=190426
3611
3612         Unreviewed gardening.
3613
3614         * stress/sampling-profiler-richards.js:
3615
3616 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
3617
3618         [ESNext][BigInt] Implement support for "|"
3619         https://bugs.webkit.org/show_bug.cgi?id=186229
3620
3621         Reviewed by Yusuke Suzuki.
3622
3623         * stress/big-int-bitwise-and-jit.js:
3624         * stress/big-int-bitwise-or-general.js: Added.
3625         * stress/big-int-bitwise-or-jit-untyped.js: Added.
3626         * stress/big-int-bitwise-or-jit.js: Added.
3627         * stress/big-int-bitwise-or-memory-stress.js: Added.
3628         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
3629         * stress/big-int-bitwise-or-type-error.js: Added.
3630         * stress/big-int-bitwise-or-wrapped-value.js: Added.
3631
3632 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
3633
3634         Skip test on systems with limited memory
3635         https://bugs.webkit.org/show_bug.cgi?id=190310
3636
3637         Invoking runDefault adds test to runlist, skipping the test in the next
3638         line does not prevent the test from executing. Change order of lines such
3639         that runDefault is only executed if test is not executed.
3640
3641         Reviewed by Mark Lam.
3642
3643         * stress/regress-190187.js:
3644
3645 2018-10-03  Saam barati  <sbarati@apple.com>
3646
3647         lowXYZ in FTLLower should always filter the type of the incoming edge
3648         https://bugs.webkit.org/show_bug.cgi?id=189939
3649         <rdar://problem/44407030>
3650
3651         Reviewed by Michael Saboff.
3652
3653         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
3654         (foo):
3655         (test):
3656
3657 2018-10-03  Mark Lam  <mark.lam@apple.com>
3658
3659         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
3660         https://bugs.webkit.org/show_bug.cgi?id=190187
3661         <rdar://problem/42512909>
3662
3663         Reviewed by Michael Saboff.
3664
3665         * stress/regress-190187.js: Added.
3666
3667 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
3668
3669         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3670         https://bugs.webkit.org/show_bug.cgi?id=190033
3671
3672         Reviewed by Yusuke Suzuki.
3673
3674         * stress/big-int-to-string.js:
3675
3676 2018-10-01  Mark Lam  <mark.lam@apple.com>
3677
3678         Function.toString() should also copy the source code Functions that are class definitions.
3679         https://bugs.webkit.org/show_bug.cgi?id=190186
3680         <rdar://problem/44733360>
3681
3682         Reviewed by Saam Barati.
3683
3684         * stress/regress-190186.js: Added.
3685
3686 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
3687
3688         Split NaN-check into separate test
3689         https://bugs.webkit.org/show_bug.cgi?id=190010
3690
3691         Reviewed by Saam Barati.
3692
3693         DataView exposes NaN-representation, which is not necessarily the same on each
3694         architecture. Therefore move the check of the NaN-representation into its own
3695         file such that we can disable this test on MIPS where NaN-representation can be
3696         different on older CPUs.
3697
3698         * stress/dataview-jit-set-nan.js: Added.
3699         (assert):
3700         (test.storeLittleEndian):
3701         (test.storeBigEndian):
3702         (test.store):
3703         (test):
3704         * stress/dataview-jit-set.js:
3705         (test5):
3706
3707 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3708
3709         Unreviewed, rolling out r236647.
3710         https://bugs.webkit.org/show_bug.cgi?id=190124
3711
3712         Breaking test stress/big-int-to-string.js (Requested by
3713         caiolima_ on #webkit).
3714
3715         Reverted changeset:
3716
3717         "[BigInt] BigInt.proptotype.toString is broken when radix is
3718         power of 2"
3719         https://bugs.webkit.org/show_bug.cgi?id=190033
3720         https://trac.webkit.org/changeset/236647
3721
3722 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3723
3724         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3725         https://bugs.webkit.org/show_bug.cgi?id=190033
3726
3727         Reviewed by Yusuke Suzuki.
3728
3729         * stress/big-int-to-string.js:
3730
3731 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3732
3733         [ESNext][BigInt] Implement support for "&"
3734         https://bugs.webkit.org/show_bug.cgi?id=186228
3735
3736         Reviewed by Yusuke Suzuki.
3737
3738         * stress/big-int-bitwise-and-general.js: Added.
3739         (assert):
3740         (assert.sameValue):
3741         * stress/big-int-bitwise-and-jit.js: Added.
3742         (let.assert.sameValue):
3743         (bigIntBitAnd):
3744         * stress/big-int-bitwise-and-memory-stress.js: Added.
3745         (assert):
3746         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3747         (assert.sameValue):
3748         (let.o.Symbol.toPrimitive):
3749         (catch):
3750         * stress/big-int-bitwise-and-type-error.js: Added.
3751         (assert):
3752         (assertThrowTypeError):
3753         (let.o.valueOf):
3754         (o.valueOf):
3755         (o.toString):
3756         (o.Symbol.toPrimitive):
3757         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3758         (assert.sameValue):
3759         (testBitAnd):
3760         (let.o.Symbol.toPrimitive):
3761         (o.valueOf):
3762         (o.toString):
3763
3764 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3765
3766         JSC test stress/jsc-read.js doesn't support CRLF
3767         https://bugs.webkit.org/show_bug.cgi?id=190063
3768
3769         Reviewed by Yusuke Suzuki.
3770
3771         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3772
3773         * stress/jsc-read.js:
3774         (test):
3775
3776 2018-09-27  Saam barati  <sbarati@apple.com>
3777
3778         Verify the contents of AssemblerBuffer on arm64e
3779         https://bugs.webkit.org/show_bug.cgi?id=190057
3780         <rdar://problem/38916630>
3781
3782         Reviewed by Mark Lam.
3783
3784         * stress/regress-189132.js:
3785
3786 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3787
3788         Disable test without LLInt on ARMv7
3789         https://bugs.webkit.org/show_bug.cgi?id=190037
3790
3791         Reviewed by Mark Lam.
3792
3793         Test runs out of executable memory on ARMv7, do not run
3794         this test without LLInt enabled.
3795
3796         * stress/regress-169445.js:
3797
3798 2018-09-26  Keith Miller  <keith_miller@apple.com>
3799
3800         We should zero unused property storage when rebalancing array storage.
3801         https://bugs.webkit.org/show_bug.cgi?id=188151
3802
3803         Reviewed by Michael Saboff.
3804
3805         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3806
3807 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3808
3809         [JSC] Optimize Array#lastIndexOf
3810         https://bugs.webkit.org/show_bug.cgi?id=189780
3811
3812         Reviewed by Saam Barati.
3813
3814         * stress/array-lastindexof-array-prototype-trap.js: Added.
3815         (shouldBe):
3816         (AncestorArray.prototype.get 2):
3817         (AncestorArray):
3818         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3819         (shouldBe):
3820         * stress/array-lastindexof-hole-nan.js: Added.
3821         (shouldBe):
3822         (throw.new.Error):
3823         * stress/array-lastindexof-infinity.js: Added.
3824         (shouldBe):
3825         (throw.new.Error):
3826         * stress/array-lastindexof-negative-zero.js: Added.
3827         (shouldBe):
3828         (throw.new.Error):
3829         * stress/array-lastindexof-own-getter.js: Added.
3830         (shouldBe):
3831         (throw.new.Error.get array):
3832         (get array):
3833         * stress/array-lastindexof-prototype-trap.js: Added.
3834         (shouldBe):
3835         (DerivedArray.prototype.get 2):
3836         (DerivedArray):
3837
3838 2018-09-25  Saam Barati  <sbarati@apple.com>
3839
3840         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3841         https://bugs.webkit.org/show_bug.cgi?id=189940
3842         <rdar://problem/43640987>
3843
3844         Reviewed by Mark Lam.
3845
3846         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3847
3848 2018-09-24  Saam Barati  <sbarati@apple.com>
3849
3850         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3851         https://bugs.webkit.org/show_bug.cgi?id=189922
3852         <rdar://problem/44651275>
3853
3854         Reviewed by Mark Lam.
3855
3856         * stress/array-indexof-fast-path-effects.js: Added.
3857         * stress/array-indexof-cached-length.js: Added.
3858
3859 2018-09-24  Saam barati  <sbarati@apple.com>
3860
3861         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3862         https://bugs.webkit.org/show_bug.cgi?id=189682
3863         <rdar://problem/43557315>
3864
3865         Reviewed by Mark Lam.
3866
3867         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3868         (foo):
3869
3870 2018-09-22  Saam barati  <sbarati@apple.com>
3871
3872         The sampling should not use Strong<CodeBlock> in its machineLocation field
3873         https://bugs.webkit.org/show_bug.cgi?id=189319
3874
3875         Reviewed by Filip Pizlo.
3876
3877         * stress/sampling-profiler-richards.js: Added.
3878
3879 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3880
3881         [JSC] Optimize Array#indexOf in C++ runtime
3882         https://bugs.webkit.org/show_bug.cgi?id=189507
3883
3884         Reviewed by Saam Barati.
3885
3886         * stress/array-indexof-array-prototype-trap.js: Added.
3887         (shouldBe):
3888         (AncestorArray.prototype.get 2):
3889         (AncestorArray):
3890         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3891         (shouldBe):
3892         * stress/array-indexof-hole-nan.js: Added.
3893         (shouldBe):
3894         (throw.new.Error):
3895         * stress/array-indexof-infinity.js: Added.
3896         (shouldBe):
3897         (throw.new.Error):
3898         * stress/array-indexof-negative-zero.js: Added.
3899         (shouldBe):
3900         (throw.new.Error):
3901         * stress/array-indexof-own-getter.js: Added.
3902         (shouldBe):
3903         (throw.new.Error.get array):
3904         (get array):
3905         * stress/array-indexof-prototype-trap.js: Added.
3906         (shouldBe):
3907         (DerivedArray.prototype.get 2):
3908         (DerivedArray):
3909
3910 2018-09-19  Saam barati  <sbarati@apple.com>
3911
3912         AI rule for MultiPutByOffset executes its effects in the wrong order
3913         https://bugs.webkit.org/show_bug.cgi?id=189757
3914         <rdar://problem/43535257>
3915
3916         Reviewed by Michael Saboff.
3917
3918         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3919         (foo):
3920         (Foo):
3921         (g):
3922
3923 2018-09-17  Mark Lam  <mark.lam@apple.com>
3924
3925         Ensure that ForInContexts are invalidated if their loop local is over-written.
3926         https://bugs.webkit.org/show_bug.cgi?id=189571
3927         <rdar://problem/44402277>
3928
3929         Reviewed by Saam Barati.
3930
3931         * stress/regress-189571.js: Added.
3932
3933 2018-09-17  Saam barati  <sbarati@apple.com>
3934
3935         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3936         https://bugs.webkit.org/show_bug.cgi?id=189676
3937         <rdar://problem/39682897>
3938
3939         Reviewed by Michael Saboff.
3940
3941         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3942         (A):
3943         (K):
3944         (i.catch):
3945
3946 2018-09-14  Saam barati  <sbarati@apple.com>
3947
3948         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3949         https://bugs.webkit.org/show_bug.cgi?id=189628
3950         <rdar://problem/39481690>
3951
3952         Reviewed by Mark Lam.
3953
3954         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3955         (foo):
3956
3957 2018-09-11  Mark Lam  <mark.lam@apple.com>
3958
3959         Test for array initialization in arrayProtoFuncSplice.
3960         https://bugs.webkit.org/show_bug.cgi?id=170253
3961         <rdar://problem/31328773>
3962
3963         Rubber-stamped by Saam Barati.
3964
3965         * stress/regress-170253.js: Added.
3966
3967 2018-09-11  Mark Lam  <mark.lam@apple.com>
3968
3969         Test for IntlObject initialization.
3970         https://bugs.webkit.org/show_bug.cgi?id=170251
3971         <rdar://problem/31328419>
3972
3973         Rubber-stamped by Saam Barati.
3974
3975         * stress/regress-170251.js: Added.
3976
3977 2018-09-11  Mark Lam  <mark.lam@apple.com>
3978
3979         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3980         https://bugs.webkit.org/show_bug.cgi?id=169889
3981         <rdar://problem/31155607>
3982
3983         Reviewed by Saam Barati.
3984
3985         * stress/regress-169889-array-concat.js: Added.
3986         * stress/regress-169889-array-concat1.js: Added.
3987         * stress/regress-169889-array-slice.js: Added.
3988
3989 2018-09-11  Mark Lam  <mark.lam@apple.com>
3990
3991         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3992         https://bugs.webkit.org/show_bug.cgi?id=169445
3993         <rdar://problem/30957435>
3994
3995         Reviewed by Saam Barati.
3996
3997         * stress/regress-169445.js: Added.
3998         (let.gun.eval.A):
3999         (let.gun.eval.B.C):
4000         (let.gun.eval.B.C.prototype.trigger):
4001         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
4002         (let.gun.eval.B):
4003         (let.gun.eval):
4004
4005 == Rolled over to ChangeLog-2018-09-11 ==